stateful firewall with stateless NAT or PAT rule

Unanswered Question
Dec 11th, 2009


First off, I am an applications person, so sorry for the newbie question, which is out of my area.

We have a database on a private network separated from our public app server by a Cisco ASA 7.0 firewall. The firewall does a lot of stateful stuff besides this. It NATs the database or PATs a port (sometimes one, sometimes the other, depending on the database). Anyway, we have had infrequent, intermittent problems where the database driver on the app server sends a FIN, the database doesn't respond, and the firewall kills the half-closed connection, but the app server tries to use it again and it causes a failure (the firewall doesn't let it through).

I'm just curious. I know this isn't ideal, but is it possible to keep the firewall working the way it is now for everything else (stateful) and just allow this PAT, or even NAT, to be stateless? If so, how would that be set up? Basically, what I am interested in is this: if the app server source address sends any traffic on the right port, it should be forwarded to the database no matter what the firewall thinks about the TCP traffic... stateless. And it needs to fail over correctly to the backup firewall if something happens. I would assume a stateless connection (if it's possible) wouldn't have to worry about failover, since everything is let through on the IP/port combinations.



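The two ASA-side knobs that address the situation described in the post, as an added example that is not part of the original question and not a reply from the thread. Addresses, the database port and the interface name are hypothetical, chosen for illustration; the first option is available on ASA 7.0, the second (TCP state bypass) only appeared in ASA 8.2, so it does not apply to the 7.0 box in the question without an upgrade.

```cisco
! --- Added example; not from the original post or from Cisco documentation ---
!
! Option 1 (ASA 7.0 and later): stay stateful, but keep a connection in
! which a FIN has been seen in one direction alive for longer, so a driver
! that reuses the socket is not dropped. The default is ten minutes.
timeout half-closed 0:10:00
!
! Raising it (one hour chosen for illustration) gives the app server's
! pooled connection a longer window before the ASA discards the state:
timeout half-closed 1:00:00
!
! Option 2 (ASA 8.2 or later only): exempt just the app-server -> database
! flow from TCP state tracking, leaving everything else stateful.
! Hypothetical values: app server 203.0.113.10 on interface "outside",
! database 192.168.10.20 on the private side, database port 1433.
access-list APP_TO_DB extended permit tcp host 203.0.113.10 host 192.168.10.20 eq 1433
!
class-map APP_TO_DB_CLASS
 match access-list APP_TO_DB
!
policy-map APP_TO_DB_POLICY
 class APP_TO_DB_CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy APP_TO_DB_POLICY interface outside
```

With TCP state bypass the ASA no longer validates sequence numbers or the TCP handshake for the matched flow, so only the narrow source/destination/port tuple should be matched, as above, rather than the whole database subnet. The static NAT or PAT entry for the database is unaffected by either option. Both options only hide the underlying behaviour the post describes, a driver reusing a socket it has already half-closed; checking connections before reuse in the application's pool settings is the fix on the app side.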

