How to setup Firewall - Need Help

Unanswered Question
Nov 2nd, 2007

I have 2 connections to the internet via BGP. I need to place firewalls for border security. I need to use the FWSM modules on the 6506 that are also acting as my dual core.

These firewalls will also do NAT. My problem is with load-balancing. I want to be able to load balance & provide redundancy over the firewalls but dont know what my options are.

If I inject default routes into my OSPF on the BGP routers, my core will have 2 default routes and traffic will pass over both firewalls. I believe that if return traffic takes a different path the return firewall will not have session or xlate information and will drop the traffic. Ok so I can use "tcp bypass" to fix the session problem, but what about the xlate when using PAT?

What is the best design strategy when implementing 2 firewalls and load-balancing them in this fashion.

Attached is my network setup. I can subnet IPs if needed to, etc.

Please help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
amritpatek Wed, 11/07/2007 - 13:11

Firewall load balancing is supported when both are configured in Active/Active Failover mode where both are actively handling incoming traffic. The Active/Active Failover is only available when the firewall's are configured in multiple context mode and the they are not VPN endpoints. The multiple context mode means dividing a firewall into multiple virtual firewalls (contexts). Each context works independently as an individual firewall and has its own configuration. Then the user can load balance these contexts (virtual firewalls) to be active on either of the physical firewalls. In other cases the only option is to use a router in front of the firewall for load balancing.


This Discussion