03-31-2006 08:41 AM - edited 03-03-2019 02:35 AM
Hi everybody,
I've a few questions about firewall (ASA) design, but I think it might concern LAN switching and routing. Attached is my connection diagram.
1. Can I use an L3 switch as the default gateway for PCs and add 2 default static routes to both firewalls on it? Does it have any problem with routing packets back?
2. Which switch layer should I use on the upper side of the firewalls? How is it different?
3. How about inbound traffic from the Internet? Can it pass through both firewalls, such as round robin?
Please advise.
Thanks in advance,
Nitass
03-31-2006 08:56 AM
Hi Nitass,
So you are posting a question after a long time!!
Ok, let's move to the answers...
1) You can definitely use an L3 switch as a default gateway for PCs and add 2 default static routes to both firewalls on it. It will move to both the firewalls. No, it should not have any problem in the reverse route, because you have to define 2 static routes, one on each firewall, pointing back to the L3 switch logical interface.
Make sure how you connect the firewall to the layer 3 switch. You have to define a specific VLAN for your firewall and configure any free physical port with that VLAN, and then configure one more layer 3 logical interface with the same subnet IP address which you have defined on the inside interface of the firewall.
2) You should use a layer 2 switch on the upper side of the firewall, because it will be a very simple network topology then, because the outside interfaces of both the firewalls and the router LAN interface, I hope, are in the same subnet, so it makes no point to have a layer 3 switch between the firewall outside interface and the router LAN interface.
3) Talking about the inbound traffic from the Internet, you have to define 2 static routes on your router also, with the same admin distance, pointing to the outside interface IP of both the firewalls.
HTH, if yes please rate the post.
Ankur
03-31-2006 09:26 AM
Hi Ankur,
Many thanks for your reply. :-)
I understood both firewalls are running the same configuration except interface IP addresses, such as static or dynamic NAT. So I am suspicious about the route back of packets of outbound traffic. Could you please explain more to me on this issue?
Does this issue also not apply to the inbound traffic?
Thanks a lot,
Nitass
03-31-2006 09:38 AM
Hi Nitass,
Let's take an example. PC A wants to go to the Internet, will hit its gateway and will reach out via both the firewalls, because the L3 switch has 2 default routes for both the firewalls.
Firewall 1, let's say, NATs with 192.168.10.x source, and firewall 2, let's say, NATs with 192.168.10.x source.
The firewall will send the traffic to the router, and from there it will reach the Internet, and then comes the reply back to the router, and the router will have 2 static routes pointing back to the PIX outside interface of the firewall.
ip route 192.168.10.x 255.255.255.0
ip route 192.168.10.x 255.255.255.0
Now it will reach the respective firewalls and, as I said, you will configure static routes on your 2 firewalls to point the traffic back to the L3 switch.
Now let's say you do not NAT with 2 different IPs and NAT the source IP on both the firewalls with the same IP, let's say 192.168.10.10, so when it comes back from the Internet to the router, then you will need to configure on your firewall 2 static routes pointing to the outside interface of both the firewalls.
ip route 192.168.10.10 255.255.255.0
ip route 192.168.10.10 255.255.255.0
HTH, if yes please rate the post.
Ankur
03-31-2006 09:56 AM
Hi ankurbhasin,
Thanks for your kindly reply.
>"PC A waan a go to internet will hits its gateway
>and will reach out via both the firewall because l3
>switch has 2 default route for both the firewall."
Does it route to both firewalls? Not round robin?
>"Now it will reach the respective firewalls"
Does it mean one firewall discards it and another one routes it to sender PC?
Thanks a lot,
Nitass
03-31-2006 10:04 AM
Hi Nitass,
> Does it route to both firewalls? Not a round robin?
You will have 2 default routes on the L3 switch pointing to both the firewalls' inside interface IP addresses, so it will load balance equally on both the firewalls.
> Does it mean one firewall discards it and another one routes it to sender PC?
No, none of the firewalls will discard the traffic; as soon as the firewall receives the traffic from the router, the firewall will have a static route pointing back to the L3 switch.
Time for me to go to sleep. If you have any doubts further on this and no one replies, I will surely get back to you on this tomorrow morning.
HTH, if yes please rate the post.
Ankur
03-31-2006 10:23 AM
Hi Ankur,
Thanks a lot for your help.
Is it possible to have the request and reply packets go out and come back through different firewalls? Suppose the packet goes out through firewall A, but the reply packet might come back through firewall B. Is it possible? Can it work?
And does this issue apply to inbound traffic from the Internet to any server?
Thanks a lot,
Nitass
03-31-2006 08:31 PM
Hi Nitass,
Good Morning in India!!
To answer that part, can you confirm, when you are doing NAT on both your firewalls, are you NATting with the same source IP on both the firewalls, or are you just having different IPs as source NAT when the packets move out from both the firewalls to the Internet router?
Because if you are NATting with the same IP address, then for return traffic from the router you have to define 2 static routes with the same IP where the next hop will be the 2 firewalls; in that case traffic may move out from firewall A and can turn back from firewall B. But in case you are having source NAT at both the firewalls with 2 different IPs, then the static routes on the router will point those source IPs to the outside interface of the firewall, and traffic which moves out via firewall A will come back by firewall A only.
HTH, if yes please rate the post.
Ankur
03-31-2006 09:12 PM
Morning Ankur,
This is a very hot day here.
Thanks for your reply. What you mean is, if both firewalls are doing NAT with the same source address, the problem may occur in case the request and reply packets don't take the same firewall route. And it doesn't have any problem if it's doing NAT with different source addresses. Am I correct?
And how about inbound traffic from the Internet to servers? In case both firewalls are doing NAT of the same destination public IP to a private IP address, does it have a similar problem as above?
Thanks a lot,
Nitass
03-31-2006 10:53 PM
Hi Nitass,
Yes, you got my point now. If both the firewalls are doing NAT with the same source IP address, request and reply packets may take different routes, which can result in a problem, as the firewall which had not sent the request out, if it receives the reply, may drop the packet.
Talking about your second statement, I am not very sure how the router will route your packets and how you configure your PIX, as I am not very good in security.
AFAIK if it is a PIX firewall, you can configure both the firewalls as active and they will also sync the stateful translations, so it should not matter which firewall sends a request and which firewall receives the request.
HTH, if yes please rate the post.
Ankur
04-01-2006 08:33 AM
Hi Ankur,
Sorry for the late reply. I went outside today.
As you mentioned above, "AFAIK if it is a PIX firewall, you can configure both the firewalls as active and they will also sync the stateful translations, so it should not matter which firewall sends a request and which firewall receives the request." Does it mean it doesn't have any problem even if the request and reply packets route through different PIX firewalls?
Thanks a lot,
Nitass
04-03-2006 07:11 AM
Hi Nitass,
Yes you are right.
ASA firewalls support asymmetric routing, which means it doesn't have any problem even if the request and reply packets route through different ASA boxes.
Talking about PIX, this feature is supported from release 7.0 onwards and in active/active failover.
Check this link:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/failover.htm
HTH, if yes please rate the post.
Ankur
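The three situations discussed in this thread (a different NAT address per firewall, one shared NAT address with independent firewall state tables, and one shared NAT address with synchronised state as in active/active failover with asymmetric routing support) can be reproduced with a small model. The following Python is an added example and not code from the thread or from Cisco; the addresses, the alternating choice of egress firewall on the L3 switch, and the octet-sum flow hash standing in for the router's real equal-cost next-hop selection are all constructed assumptions.

```python
"""Return-path model for two stateful firewalls behind one Internet router.

Constructed example (not Cisco code). Each firewall keeps a translation/state
table keyed by (translated source, destination); the router holds static
routes whose next hop, when two equal-cost entries exist, is picked by a hash
of the flow. The L3 switch alternates outbound flows across its two default
routes, as the thread describes for equal-cost default routes.
"""

# Constructed sample flows: (inside host, Internet host). Chosen so that the
# flow hash below disagrees with the L3 switch's egress choice for two of them.
FLOWS = [
    ("10.0.0.5", "198.51.100.1"),
    ("10.0.0.6", "198.51.100.3"),
    ("10.0.0.7", "198.51.100.4"),
    ("10.0.0.8", "198.51.100.6"),
]


class Firewall:
    """Stateful firewall performing source NAT on outbound flows."""

    def __init__(self, name, nat_ip, state=None):
        self.name = name
        self.nat_ip = nat_ip
        # Passing the same dict to both firewalls models synchronised
        # translation/state tables (the active/active case in the thread).
        self.state = {} if state is None else state

    def outbound(self, inside_src, dst):
        """Translate the inside source and record the flow; returns (nat_src, dst)."""
        self.state[(self.nat_ip, dst)] = inside_src
        return self.nat_ip, dst

    def inbound(self, src, dst):
        """A reply reverses source and destination; without matching state it is dropped."""
        key = (dst, src)
        if key in self.state:
            return "accept", self.state[key]
        return "drop", None


def flow_hash(src, dst):
    """Constructed stand-in for an ECMP hash: sum of all address octets."""
    return sum(int(octet) for octet in (src + "." + dst).split("."))


class Router:
    """Internet router with static routes: destination NAT IP -> equal-cost next hops."""

    def __init__(self, routes):
        self.routes = routes

    def next_hop(self, src, dst):
        hops = self.routes[dst]
        return hops[flow_hash(src, dst) % len(hops)]


def simulate(shared_nat, state_sync, flows=FLOWS):
    """Return a list of (egress firewall, return firewall, verdict) per flow."""
    shared = {} if state_sync else None
    if shared_nat:
        # Both firewalls NAT to the same address; the router needs two routes for it.
        fw_a = Firewall("A", "203.0.113.10", shared)
        fw_b = Firewall("B", "203.0.113.10", shared)
        router = Router({"203.0.113.10": [fw_a, fw_b]})
    else:
        # Distinct NAT address per firewall; each route has a single next hop.
        fw_a = Firewall("A", "203.0.113.11", shared)
        fw_b = Firewall("B", "203.0.113.12", shared)
        router = Router({"203.0.113.11": [fw_a], "203.0.113.12": [fw_b]})

    results = []
    for i, (inside_src, internet_dst) in enumerate(flows):
        egress = (fw_a, fw_b)[i % 2]          # L3 switch alternates default routes
        nat_src, _ = egress.outbound(inside_src, internet_dst)
        ingress = router.next_hop(internet_dst, nat_src)   # reply: src/dst swapped
        verdict, _ = ingress.inbound(internet_dst, nat_src)
        results.append((egress.name, ingress.name, verdict))
    return results


if __name__ == "__main__":
    for label, args in [("distinct NAT", (False, False)),
                        ("shared NAT, no state sync", (True, False)),
                        ("shared NAT, state sync", (True, True))]:
        print(label, simulate(*args))
```

With distinct NAT addresses every reply returns through the firewall that created the state, so all flows are accepted; with a shared NAT address and independent state tables, the flows whose reply lands on the other firewall are dropped; sharing the state table (as the thread says ASA and PIX 7.0+ active/active failover do) makes the return path irrelevant.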