I have a PIX 515 that has a router for its GW on the inside and outside interfaces; however, it connects through a 6509 doing L3 routing. My problem is that recently we have had the need to introduce EIGRP into the network, and whenever I start it up on our routers certain applications that traverse the firewall don't connect properly. There is L3 / ping connectivity, but the app doesn't run. As soon as I remove routing from the routers it works fine. Is there a command on the PIX that I can use to listen to dynamic route traffic, or am I missing something here?
Our network has an edge internet router going directly into the FW. The FW then has 3 interfaces going into VLANs on the 6509 (DMZs) and 1 interface going into a hub router for other branches' P2P T1s. I think the problem lies somewhere between the 6509 and the hub router.
I feel that if your traffic works fine when the routing protocol is not there, it means the PIX is doing its job properly. When you enable the routing protocol, the traffic must be following different paths, e.g. a different path for the incoming and outgoing directions. Please check for asymmetric routing.
Yep - if IP connectivity is good end-to-end (since ping works ok), then it does appear to be asymmetric routing.
The PIX may be missing parts of the application conversation because, for example, the initial TCP SYN from the client passes through the PIX, but the SYN ACK from the server travels a different path back to the client, i.e. not via the PIX, so the firewall can't update the state of the TCP session. Thus the final ACK in the TCP setup from the client to the server, passing along the path to the firewall, is discarded because the PIX sees it as an out-of-state packet.
The process may repeat until the application gives up.
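To make the failure mode described above concrete, here is an added example (not code from this thread, and not how the PIX itself implements inspection): a minimal model of a stateful firewall's TCP connection table, run once with the server's reply passing through the firewall and once with it routed around the firewall. Addresses are constructed.

```python
# Added example: a toy stateful-inspection table showing why asymmetric
# routing breaks the TCP three-way handshake through a firewall.
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SYN_SEEN = "SYN_SEEN"        # client SYN passed through the firewall
    SYNACK_SEEN = "SYNACK_SEEN"  # server SYN/ACK also passed through
    ESTABLISHED = "ESTABLISHED"  # final ACK seen, handshake complete


@dataclass
class StatefulFirewall:
    table: dict = field(default_factory=dict)   # (src, dst) -> State
    dropped: list = field(default_factory=list)  # out-of-state packets seen

    def inspect(self, src, dst, flags):
        """Return True if the packet is forwarded, False if discarded."""
        key, reverse = (src, dst), (dst, src)
        if flags == "SYN":                       # new flow: record it
            self.table[key] = State.SYN_SEEN
            return True
        if flags == "SYN/ACK" and self.table.get(reverse) is State.SYN_SEEN:
            self.table[reverse] = State.SYNACK_SEEN
            return True
        if flags == "ACK":
            if self.table.get(key) is State.SYNACK_SEEN:
                self.table[key] = State.ESTABLISHED
                return True
            if State.ESTABLISHED in (self.table.get(key), self.table.get(reverse)):
                return True                      # data-phase ACK of a known flow
        # No matching state (e.g. ACK with no SYN/ACK seen): discard and log it.
        self.dropped.append((src, dst, flags, self.table.get(key)))
        return False


def run_handshake(server_reply_via_firewall):
    """Simulate a client->server handshake; the return path may bypass the firewall."""
    fw = StatefulFirewall()
    client, server = "10.1.1.10", "192.0.2.20"   # constructed addresses
    forwarded = [fw.inspect(client, server, "SYN")]
    if server_reply_via_firewall:
        forwarded.append(fw.inspect(server, client, "SYN/ACK"))
    else:
        forwarded.append(None)   # SYN/ACK took another path: firewall never saw it
    forwarded.append(fw.inspect(client, server, "ACK"))
    return fw.table.get((client, server)), forwarded, fw.dropped
```

A growing count of such out-of-state drops on the firewall, while ping still works end to end, is the signature to look for when a routing change coincides with application failures.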