I am hoping someone can help me figure this out. We have an internal client which needs to be accessed from the Internet through our PIX Firewall. The client has an internal IP address in the range of 192.168.x.x (static), we also have an external address configured to forward to the internal client at 192.168.x.x. My problem is we have redundant firewalls, so we basically have two paths in, but internally, our router may send the traffic back out one of the firewalls if it does not know where the traffic was initiated from or only sees an internet source IP, sending it to not necessarily the firewall it came in through.
This causes the packets to be dropped. Is there a way to configure the firewall so that when it forwards the packets the packet has tcp information about which firewall the packet traversed, this way the router on the inside knows to send it back to the same firewall.
Hopefully this does not sound too confusing.
So both your pix firewalls are active ? ie. not in active/standby mode.
Not sure i fully understand your topology but you could NAT the incoming Internet addresses to the inside interface address of the pix and then the router would forward the traffic back to the pix it came in on eg.
access-list natin permit ip any host
nat (outside) 1 access-list natin outside
global (inside) 1 interface
I should have been clearer with the topology, but here is a quick explanation, we have in total 4 firewalls, two active, two standby, each set (active/standby) has an its own link to the internet. One set goes out Sprint, another set out Telcove. When clients access the internet they go by way of proxy appliances which utilize the two ways out to the internet. On the way in however, I want to make sure the request to an externally accessible server stays to the specific firewall the traffic came in on.
I am going to try what you mentioned.
OK, I'm still having an issue, maybe this will help: Let's say the firewall internal interface is 192.168.5.10, and the internal client is 192.168.1.40 and the external address to access the internal client is 18.104.22.168. (Just picking random numbers which I can map to my real addresses and make sense of things.)
So you also know, I use the ASDM (5.1(1)) on the PIX firewalls (7.2(1).
I get what you are saying I am just not sure how to translate it to what I need or maybe I have but it's still not working. I am attaching a simple image which depicts what the configuration looks like. We have two sets of redundant firewalls, that's a set of 4 firewalls in Active / Standby. Each set has access to the internet via a separate ISP, but they share the same network address space. Technically an inbound request to a DMZ server can come in through either of the two firewalls; I just need to ensure the connection is successful. Keep in mind that clients access the internet through the same set of firewalls so NAT'ing already occurs on the way out. Any help is truly appreciated.
Sincere apologies for not getting back sooner. Somehow i missed your replies.
Could you clarify exactly what you need. Do you want to ensure inbound connections always go back out the same firewall ?
If so you say you tried the solution i posted, what happened ?
Here is what happens; at least from what I can tell when I watch the logs.
I can see the incoming connection traversing the 22.214.171.124 firewall and going to the server, using the simple image I attached it would hit the server at 192.168.10.150, on the way out it may go out the second set of firewalls (126.96.36.199); at which point the firewall drops the packets because it has no such connection.
Now I did not show this in the image (because I forgot about it), but there is a router sitting between the firewalls and the server and client subnets. I know for a fact the network engineer set a route which states that if the router does not know what to do with the traffic to send it to the secondary set of firewalls, in this case 188.8.131.52. So far that makes sense to me, I have seen the request come in the secondary firewall (184.108.40.206) hit the server and go back out the same firewall. However, if the traffic comes in the first firewall set (220.127.116.11) then the packets are dropped on the way out, I need it to go back out the same way it came in.
If I can get this to work I would be golden. I have only been working with Cisco PIX Firewalls for about a year, our original Firewall admin was, let's say retired for specific reasons. In any case I was assigned the task of learning the environment and while I have learned a lot, I am still no where near where I would like to be so please accept my apologies for my lack of knowledge.
Thanks again for your assistance.
So did you try the solution i posted earlier ie. NAT the incoming source IP address to the inside address of the pix so that it automatically gets sent back that way ie.
connection comes in through 18.104.22.168 and the source address from the Internet is translated to 22.214.171.124. So when the 192.168.10.150 server sends the packet back to the internal router that router should forward it back to the 126.96.36.199 pix because that is the source address.
See, I don't think that's happening, maybe I do not have it setup correctly.
The external address to access the server is 188.8.131.52. If the server is on the inside interface (acl_IN) and the external address is configured on the outside interface and has an ACL entry to allow any incoming traffic over http (acl_OUT), what would I need to setup to allow the firewall interface to be used so that traffic would go back out the same firewall.
I am only asking for details since at this point, I can't make heads or tails of anything, and I think I am getting myself more confused by the minute.
Thanks again, sincerely.
"what would I need to setup to allow the firewall interface to be used so that traffic would go back out the same firewall."
What i posted earlier. Could you tell me what the inside interface address of the 184.108.40.206 firewall is ?
No need to apologise, NetPro is here to help people :-)