Hi Ankur,

Many thanks for your reply. :-)

I understood both firewall are running the same configuration except interface IP addresses such as static or dynamic NAT. So I am suspected about the route back packet of outbound traffics. Could you please explain me more on this issue?

Is this issue also not applying to the inbound traffic?

Thanks a lot,

Nitass

Hi Nitass,

Lets take an example. PC A waan a go to internet will hits its gateway and will reach out via both the firewall because l3 switch has 2 default route for both the firewall.

Firewall 1 lets say nat with 192.168.10.x source and firewall 2 lets say nat with 192.168.10.x source.

Firewall will send the traffic to the router and from there it will reach internet and then comes the reply back to the router and router will have 2 static route pointing back to pix outide interface of the firewall.

ip route 192.168.10.x 255.255.255.0

ip route 192.168.10.x 255.255.255.0

Now it will reach the respective firewalls and as I said you will configure static route on your 2 firewalls to point the traffic back to l3 switch.

Now lets say you do not nat with 2 different ip and nat the source ip on both the firewall with same ip lets say 192.168.10.10 so when it comes back from the internet to the router then you will need to configure on your firewall 2 static route pointing to outside interface of both the firewall.

ip route 192.168.10.10 255.255.255.0

ip route 192.168.10.10 255.255.255.0

HTH, if yes please rate the post.

Ankur

Hi ankurbhasin,

Thanks for your kindly reply.

>"PC A waan a go to internet will hits its gateway

>and will reach out via both the firewall because l3

>switch has 2 default route for both the firewall."

Does it route to both firewalls? Not a round robin?

>"Now it will reach the respective firewalls"

Does it mean one firewall discards it and another one routes it to sender PC?

Thanks a lot,

Nitass

Hi Nitass,

Does it route to both firewalls? Not a round robin?

You will have 2 default route on l3 switch pointing to both the firwalls inside interface ip address so it will load balcnce equally on both the firewall.

Does it mean one firewall discards it and another one routes it to sender PC?

No none of the firewall will discard the traffic , as soon as the firewall receive the traffic from router, firewall will be having static route pointing back to the l3 switch.

Time for me to go to sleep.If you have any doubts further on this and no one replies I will surely get back to you on this tomorrow morning.

HTH, if yes please rate the post.

Ankur

Hi Ankur,

Thanks a lot for your help.

Is it possible to have the request and reply packet that goes out and come back through different firewall? Suppose the packet goes out through firewall A but the reply packet might come back through firewall B. Is it possible? Can it work?

And does this issue apply to inbound traffic from the Internet to any server?

Thanks a lot,

Nitass

Hi Nitass,

Good Morning in India!!

To answer that part can you confirm when you are doing NAT on your both the firewalls are you natting with same source ip on both the firewalls or you are just having diffrent ip as source nat when the packtes move out from both the firewall to the internet router.

Cause if you are natting with same ip address then for return traffic from router you have to define 2 static route with same ip where the next hop will be 2 firewalls in that ase traffic may move out from firewall A and can turn back from firewall B but incase you are having source nat at both the firewall with 2 different ip then he static route on router will point those source ip pointing to the outside interface of firewall and traffic which moves out via firewall A will come back by fiewall A only.

HTH, if yes please rate the post.

Ankur

Morning Ankur,

This is very hot day here.

Thanks for your reply. What you mean if both firewalls are doing NAT with same source address, the problem may occur in case request and reply packet doesn’t take the same firewall route. And it doesn’t have any problem if it’s doing NAT with different source address. Am I correct?

And how about inbound traffic from the Internet to servers? In case both firewalls are doing NAT same destination public IP to private IP address. Does it have similar problem as above?

Thanks a lot,

Nitass

Hi Nitass,

Yes you got my point now. If both the firewall are doing NAT with same source ip address , request and reply packets may take different routes which can result in problem as firewall which had not sent the reqest out and if receives the reply may drop the packet.

Talking about your second statement I am not very sure as how the router will route your packets and how you configure your PIX as I am not very good in security.

AFAIK if it is a PIX firewall , you can configure both the firewall as active and they will also synch the statefull translations so it should not matter which firewall sends a request an which firewall receives the request.

HTH, if yes please rate the post.

Ankur

Hi Ankur,

Sorry for late reply. I went outside today.

As you mentioned above, "AFAIK if it is a PIX firewall, you can configure both the firewall as active and they will also synch the statefull translations so it should not matter which firewall sends a request an which firewall receives the request." Does it mean it doesn’t have any problem even if the request and reply packet routes through different PIX firewall?

Thanks a lot,

Nitass

Hi Nitass,

Yes you are right.

ASA firewall supports asymmetric routing which means it doesn’t have any problem even if the request and reply packet routes through different ASA box.

Talking about PIX this feature is supported from release 7.0 onwards and in active/active failover.

Check this link

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/failover.htm

HTH, if yes please rate the post.

Ankur