traffic through a firewall

Unanswered Question
Nov 27th, 2007

We're configuring a firewall with 3 interfaces - inside, DMZ & outside and are trying to figure out what is the typical traffic flow for a firewall..Does the packet that enters from the outside, first goes out the DMZ interface, where the destination public address gets NATed to the private, then comes back to the firewall and goes out the inside interface?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Collin Clark Tue, 11/27/2007 - 12:10

Your NAT translations determine where traffic goes. Here's some examples:

static (inside,outside) [public ip] netmask

Here traffic destined to [public ip] would be translated to the inside address of 192.168.10.

Now lets send traffic to the dmz.

static (dmz,outside) [public ip] netmask

Finally we may need a dmz server to access an inside server. Again we create a NAT to allow that. Really we want to route instead of NAT, thats why both IPs are the same.

static (inside,dmz) netmask

HTH and please rate.

ryandibble Tue, 11/27/2007 - 15:24

The traffic flow depends on the ultimate destination of the packet. If a packet from the outside world is destined for a host that is on a network connected to the DMZ interface, the packet flows in through the outside interface, then through the DMZ interface and on to its eventual destination. Likewise, if an inbound packet is destined for a host that is on a network connected to the inside interface, then the packet will come in via the outside interface and then progress through the inside interface, and then on to the host.

This traffic flow is similar, but in reverse, for outbound packets. When a host on the internal LAN (usually connected to the firewall via the inside interface) needs to connect to resources on the outside, the traffic flows in through the inside interface first, then through the outside interface on its way out to the Internet.

One thing that you may want to note is that the scenario you gave above will not work on a Cisco PIX/ASA because traffic generally cannot flow out of the same interface on which it came in. This makes it impossible for traffic to go out the DMZ interface then return to the firewall through that same DMZ interface.

Something else that may help you out is that unlike Cisco IOS access lists, access lists on the PIX can only be applied to traffic headed inbound (towards the firewall) on each interface.

ryandibble Tue, 11/27/2007 - 15:31

A quick blurb on when NAT takes place, since you mentioned it:

In the example you gave above, the packet would come in through the outside interface, have NAT applied to the destination address (if applicable), then head out via either the DMZ or inside interface, depending on which interface is ultimately connected to the destination host.

axfalk Tue, 11/27/2007 - 19:10

Rayn, Collin, thanks for your helpful responses. The servers on the inside (172.21.x.x/16) that are the eventual destination are behind a load balancer. The DMZ ( only a couple of reverse proxies. I would think that for an inbound packet, that comes from the outside destined for one of the servers on the inside, the VIP address must be in the address space. However, once the packet reaches the reverse proxies and gets NATed to the 172.21 addrress space, how will this packet get routed back to the inside, since, as Ryan pointed out, the packet can't reenter the DMZ int that it just came in on...

Thanks again...

Collin Clark Wed, 11/28/2007 - 06:25

Ryan is correct about 'hairpin routing' however that does not come into play here. One of our DMZ's is setup almost the same. For our DMZ traffic to get inside, we have to go through another firewall. In your case you'll just need additional routing in your load balancers and firewalls. Remember that the incoming connection is terminated at the r-proxy. The r-proxy then makes a new TCP connection to the inside server.

ryandibble Wed, 11/28/2007 - 06:26

I need a little clarification here. Are the reverse proxy and load balancing services being performed by the same device, or separate systems?

axfalk Wed, 11/28/2007 - 07:35

Separate systems...The reverse proxies are UNIX devices and the load balancer is F5...


ryandibble Wed, 11/28/2007 - 08:02

Hmm, I posted this once, but it doesn't look like it went through. Just ignore if this is a repeat.

Here's how I see things working:

A packet from a client heads inbound through the outside interface, destined for a public IP address. The PIX NATs the public IP address to the 10.10.10.x address of the reverse proxy, and the packet is forwarded on to the reverse proxy on the DMZ. At this point, as Collin noted, the reverse proxy initiates a new connection from the DMZ to the VIP at 172.21.x.x through the inside interface.

The PIX allows the traffic because you actually have two different connections taking place through the DMZ - one between the client on the outside and the reverse proxy, and one between the reverse proxy and the VIP on the inside.


This Discussion