Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Access to Internal Client with Redundant Firewalls

I am hoping someone can help me figure this out. We have an internal client which needs to be accessed from the Internet through our PIX Firewall. The client has an internal IP address in the range of 192.168.x.x (static), we also have an external address configured to forward to the internal client at 192.168.x.x. My problem is we have redundant firewalls, so we basically have two paths in, but internally, our router may send the traffic back out one of the firewalls if it does not know where the traffic was initiated from or only sees an internet source IP, sending it to not necessarily the firewall it came in through.

This causes the packets to be dropped. Is there a way to configure the firewall so that when it forwards the packets the packet has tcp information about which firewall the packet traversed, this way the router on the inside knows to send it back to the same firewall.

Hopefully this does not sound too confusing.

10 REPLIES
Hall of Fame Super Blue

Re: Access to Internal Client with Redundant Firewalls

So both your pix firewalls are active ? ie. not in active/standby mode.

Not sure i fully understand your topology but you could NAT the incoming Internet addresses to the inside interface address of the pix and then the router would forward the traffic back to the pix it came in on eg.

access-list natin permit ip any host

nat (outside) 1 access-list natin outside

global (inside) 1 interface

Jon

New Member

Re: Access to Internal Client with Redundant Firewalls

I should have been clearer with the topology, but here is a quick explanation, we have in total 4 firewalls, two active, two standby, each set (active/standby) has an its own link to the internet. One set goes out Sprint, another set out Telcove. When clients access the internet they go by way of proxy appliances which utilize the two ways out to the internet. On the way in however, I want to make sure the request to an externally accessible server stays to the specific firewall the traffic came in on.

I am going to try what you mentioned.

Thanks.

New Member

Re: Access to Internal Client with Redundant Firewalls

OK, I'm still having an issue, maybe this will help: Let's say the firewall internal interface is 192.168.5.10, and the internal client is 192.168.1.40 and the external address to access the internal client is 199.166.122.150. (Just picking random numbers which I can map to my real addresses and make sense of things.)

So you also know, I use the ASDM (5.1(1)) on the PIX firewalls (7.2(1).

Thanks.

New Member

Re: Access to Internal Client with Redundant Firewalls

I get what you are saying I am just not sure how to translate it to what I need or maybe I have but it's still not working. I am attaching a simple image which depicts what the configuration looks like. We have two sets of redundant firewalls, that's a set of 4 firewalls in Active / Standby. Each set has access to the internet via a separate ISP, but they share the same network address space. Technically an inbound request to a DMZ server can come in through either of the two firewalls; I just need to ensure the connection is successful. Keep in mind that clients access the internet through the same set of firewalls so NAT'ing already occurs on the way out. Any help is truly appreciated.

Thanks again.

Hall of Fame Super Blue

Re: Access to Internal Client with Redundant Firewalls

Roberto

Sincere apologies for not getting back sooner. Somehow i missed your replies.

Could you clarify exactly what you need. Do you want to ensure inbound connections always go back out the same firewall ?

If so you say you tried the solution i posted, what happened ?

Jon

New Member

Re: Access to Internal Client with Redundant Firewalls

Here is what happens; at least from what I can tell when I watch the logs.

I can see the incoming connection traversing the 199.99.99.15 firewall and going to the server, using the simple image I attached it would hit the server at 192.168.10.150, on the way out it may go out the second set of firewalls (199.99.99.20); at which point the firewall drops the packets because it has no such connection.

Now I did not show this in the image (because I forgot about it), but there is a router sitting between the firewalls and the server and client subnets. I know for a fact the network engineer set a route which states that if the router does not know what to do with the traffic to send it to the secondary set of firewalls, in this case 199.99.99.20. So far that makes sense to me, I have seen the request come in the secondary firewall (199.99.99.20) hit the server and go back out the same firewall. However, if the traffic comes in the first firewall set (199.99.99.15) then the packets are dropped on the way out, I need it to go back out the same way it came in.

If I can get this to work I would be golden. I have only been working with Cisco PIX Firewalls for about a year, our original Firewall admin was, let's say retired for specific reasons. In any case I was assigned the task of learning the environment and while I have learned a lot, I am still no where near where I would like to be so please accept my apologies for my lack of knowledge.

Thanks again for your assistance.

Hall of Fame Super Blue

Re: Access to Internal Client with Redundant Firewalls

Roberto

So did you try the solution i posted earlier ie. NAT the incoming source IP address to the inside address of the pix so that it automatically gets sent back that way ie.

connection comes in through 199.99.99.15 and the source address from the Internet is translated to 199.99.99.15. So when the 192.168.10.150 server sends the packet back to the internal router that router should forward it back to the 199.99.99.15 pix because that is the source address.

Jon

New Member

Re: Access to Internal Client with Redundant Firewalls

See, I don't think that's happening, maybe I do not have it setup correctly.

The external address to access the server is 199.99.99.150. If the server is on the inside interface (acl_IN) and the external address is configured on the outside interface and has an ACL entry to allow any incoming traffic over http (acl_OUT), what would I need to setup to allow the firewall interface to be used so that traffic would go back out the same firewall.

I am only asking for details since at this point, I can't make heads or tails of anything, and I think I am getting myself more confused by the minute.

Thanks again, sincerely.

Hall of Fame Super Blue

Re: Access to Internal Client with Redundant Firewalls

"what would I need to setup to allow the firewall interface to be used so that traffic would go back out the same firewall."

What i posted earlier. Could you tell me what the inside interface address of the 199.99.99.15 firewall is ?

No need to apologise, NetPro is here to help people :-)

Jon

New Member

Re: Access to Internal Client with Redundant Firewalls

The inside interface address is 192.168.3.10.

I sometimes beat myself up when I can't figure something out.

123
Views
0
Helpful
10
Replies