WAAS through two domains

bclough
Level 1

Is it possible to prevent WAE devices from optimizing traffic from end to end and instead have it optimized twice for the same connections?

I am trying to set up an optimized Secure FTP connection between one of our offices and their client. However, we have a firewall in the middle that will not allow the optimized traffic through because the optimization changes the session data for the connection, which the firewall discards. The solution to this that I am trying to implement utilizes two separate WAAS domains, one on our internal network side of the firewall, and the other outside the firewall.

Unfortunately it appears that the WAE's on both ends try to optimize between each other, and disregard the WAE's in the middle, which doesn't work due to the firewall. The attached drawing shows how I would like it to work, and how it is actually working.

The only way I can think of to make this work would be to strip the TCP options off at the firewall, but the firewall in place cannot do it. The optimization does work individually on each segment, but I would rather not have our user copy the file twice to complete the transfer.

If it matters the WAE's are all running 4.1.3f.

Bruce Clough

Network Engineer

NSTec

3 Replies

Bruce,

If you have Cisco ASA or PIX running version 7.2.3 or later you can enable the inspect waas feature which will allow WAAS optimized flows to pass through.

If you are using a third-party firewall you should use directed-mode. More information on directed-mode can be found here.

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v413/configuration/guide/network.html#wpxref53362

Another good document for WAAS interaction with firewalls can be found here:

https://www.myciscocommunity.com/docs/DOC-1470

Regards,

Mike Korenbaum

Cisco Data Center PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

The firewall is not a Cisco product and has no WAAS capabilities.

Directed mode does not work either because the internal network is using private addresses and the firewall does NAT. With directed mode the traffic from the internal network gets sent to the remote WAE without being NAT'd and then there is no way to route the traffic back.

Any other ideas?

--Bruce

I had another thought, but don't know if it will work.

Newer versions of the WAAS software than I am currently running (currently 4.1.5f), such as 4.3.3, will allow me to prevent two WAE's from becoming peers.

If I join all the WAE's to the same CM, and then prevent the systems that are outside the firewall from becoming peers with those inside the firewall, will they optimize the traffic twice for the same connection as I desire, or will it only optimize it inside of the firewall and leave the traffic outside the firewall unoptimized?

--Bruce