

Inter-work between WAAS and Microsoft Firewall/VPN device?

I'm going to implement WAE (274, 474, 574, and 674) in inline mode at remote locations where the WAN devices are a server running Microsoft Firewall and VPN software. The Microsoft server functions as WAN firewall device and also VPN termination device.

Remote site:   LAN switch ---- WAE (inline) ---- Microsoft Server (WAN firewall & VPN) ---- WAN cloud

Should I enable directed mode on the WAE? In using DM, the Microsoft Firewall will see the connection as a UDP instead of TCP. In that case, do I still need to disable Microsoft firewall's TCP options removal and enable it to allow shifted TCP sequence number?

Another question: how to configure the Microsoft firewall so that it does not remove TCP options and also allows shifted TCP sequence numbers?

Thanks a lot

Gary

5 REPLIES

Re: Inter-work between WAAS and Microsoft Firewall/VPN device?

Gary,

For your scenario, if you can configure the Microsoft firewall to allow TCP options for TFO auto-discovery then you can enable directed mode. If you are using directed mode then there is no need to disable sequence number checking on the firewall.

As for the specific configuration on the Microsoft firewall I'd suggest you consult the documentation that came with your Microsoft software. 

Cheers,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk


Re: Inter-work between WAAS and Microsoft Firewall/VPN device?

Thanks Michael:

Just want to confirm: what I need to do is to enable TCP options on the Microsoft firewall and enable WAE into Directed Mode. Correct?

If I just use DM on WAE without making any change on the firewall, would the firewall see the connection as just UDP or still check into TCP fields?

Thanks

Gary

Re: Inter-work between WAAS and Microsoft Firewall/VPN device?

Gary,

Yes, you just need to configure your firewall to allow TCP options (specifically option 33 (0x21 in HEX)), then configure the WAEs for directed mode.

The firewall will see a TCP 3-way handshake at first so the two WAEs can auto discover each other and negotiate a UDP directed mode tunnel.

Once the auto discovery phase is complete, traffic sent over the WAN side of the connection will be encapsulated in the UDP 4050 tunnel (so your firewall must allow this traffic through as well).

Please see the configuration guide section on directed mode here which explains in more detail, and let me know if you have other questions.

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v421/configuration/guide/network.html#wpxref53362

Cheers,

Mike
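An added example (not part of this thread or of any Cisco tooling) of checking, from packets captured on the WAN side of the firewall, whether the TCP option 33 auto-discovery marker and the UDP 4050 tunnel traffic described in the reply above actually get through. The IPv4/TCP/UDP sample bytes are constructed here, and the option 33 payload is a placeholder, not the real WAAS option format.

```python
import struct

WAAS_AUTODISCOVERY_OPTION = 0x21  # TCP option kind 33, named in the reply above
DIRECTED_MODE_UDP_PORT = 4050     # UDP port of the directed-mode tunnel


def parse_tcp_options(options: bytes) -> list[tuple[int, bytes]]:
    """Walk a TCP options field (kind, length, data) and return (kind, data) pairs."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def classify_ipv4(pkt: bytes) -> dict[str, object]:
    """Report what matters for a WAAS path check: option 33 on TCP, port 4050 on UDP."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    if proto == 6:                          # TCP: did the firewall keep option 33?
        data_offset = (l4[12] >> 4) * 4
        kinds = [k for k, _ in parse_tcp_options(l4[20:data_offset])]
        return {"proto": "tcp", "syn": bool(l4[13] & 0x02),
                "has_option_33": WAAS_AUTODISCOVERY_OPTION in kinds}
    if proto == 17:                         # UDP: is this the directed-mode tunnel?
        dport = struct.unpack("!H", l4[2:4])[0]
        return {"proto": "udp", "directed_mode_tunnel": dport == DIRECTED_MODE_UDP_PORT}
    return {"proto": str(proto)}


def _ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero; not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def _tcp_syn(options: bytes) -> bytes:
    """Constructed TCP SYN (port 40000 to 445) carrying the given options, padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    hdr = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, ((20 + len(options)) // 4) << 4,
                      0x02, 65535, 0, 0)
    return _ipv4(6, hdr + options)


# Constructed samples; the 8 bytes after "\x21\x0a" are placeholder option-33 data.
MSS = b"\x02\x04\x05\xb4"
SYN_INTACT = _tcp_syn(MSS + b"\x01" + b"\x21\x0a" + b"\xaa" * 8)   # option 33 passed through
SYN_STRIPPED = _tcp_syn(MSS + b"\x01\x01\x01\x01")                  # firewall removed it
UDP_TUNNEL = _ipv4(17, struct.pack("!HHHH", 4050, 4050, 8, 0))      # directed-mode tunnel
```

A SYN seen on the WAN side without option 33 means the firewall is still stripping options and auto-discovery will fall back to unoptimized TCP.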


Re: Inter-work between WAAS and Microsoft Firewall/VPN device?

Thanks Mike:

In the Cisco config document, it says "When using directed mode with inline mode, you must configure the Cisco WAE Inline Network Adapter with routable IP addresses on its interfaces or traffic is black holed".

Does the interface here refer to "interface inlinegroup"? I would guess most people configure an IP address on the GigE interface for management rather than on the inlinegroup interface.

Thanks again

Gary

Re: Inter-work between WAAS and Microsoft Firewall/VPN device?

Yes, they are referring to the inlinegroup interface.

Ex.

    interface InlineGroup 1/1
     ip address 14.110.3.84 255.255.255.240
     no autosense
     bandwidth 100
     full-duplex
     exit

Cheers,
Mike
