
One CSS LB two firewalls, DMZ, return path?

bjames
Level 5

Hi,

I have a client wanting to set up their (only) CSS to load balance two firewalls on the public side, servers in the DMZ, and return path through the firewalls. I recommended they keep the CSS off the public side, but they want the external FWLB. My question is, is it as simple as setting up another VLAN for the CSS on the public side then VIPing the FW addresses?

I saw the docs on FWLB, but it states you cannot use NAT. How is security accomplished through the firewalls then?

Thanks in advance,

Bob James

3 Replies

clayton-price
Level 1

I typically don't assign public IPs on my Internet-facing firewalls. The public addresses reside on a device behind the firewall. Then you simply configure your rules to allow access to the public IPs as needed. In my opinion this is more secure than having public IPs and NAT on your firewalls.

I use two LBs to load balance firewalls. I'm not sure it would work with only one?

Hi,

I don't quite understand what you are saying? What is the purpose of the firewall (or firewalls) if traffic is just allowed to flow through them? No NAT, or packet filtering?

How can this be more secure than a very standard practice?

Thanks in advance,

You can do packet filtering without NAT.
