Stateful inspection

annu86 · ‎07-23-2003

hello guys

I am having a issue.

There are three machine in my network with Public ip address.

This three machines should be able to access my database server on the internet, even this database servers should be able to access my three machines.

This three machines need browsing access as well, but no other machine should be able to connect to them other than those three database servers.

To summarize,

I want all the connections originated from my three machines for internet to get through

i want all those three database server initiated connection to get through. nothing else than that

i guess, extended acces-list is not the solution,

reflexive, may or may not make sense, because i will be having a heavy traffic and to be honest not sure about RACL's performance in heavy load

Shall i go for IOS firewall services and use Stateful Inspection?

Natting, not very interested in this. but if no other solution exist then i have to go for this.

Thanks a lot for your time in reading and replying if you have any solutions.

rais · ‎07-23-2003

If you can go for IOS firewall, then that would be a securer solution than reflex, extended ACLs.

At extended ACL level, you can use 'established' to let traffic, requested by your servers, in.

Thanks.

annu86 · ‎07-24-2003

Established keyword to the best of my understanding is not for that.

Its used to save existing established connection while applying the accesss-list

Excuse me, if i am wrong.

tomredmond · ‎07-24-2003

If I am understanding you correctly, why not have the public ip address on one sub net and have a seperate subnet for all other machines and if the machines on the "public access subnet" need access to the other internal machines give them a second ip address i.e. dual home them. Then you only allow traffic on the public subnet on to the internet.