
FWSM v 4.1.3 Forwarding packets to sender MAC address

Giorgio Romano
Level 1

Hi to everyone,

Does anyone know if the FWSM v 4.1.3 is capable of forwarding return packets to the MAC address that sent them to it first?

Thank you very much

giorgio

1 Accepted Solution


Not really; it does keep track of sessions at layer 4 (e.g. TCP sessions) but not at layer 2.

I'm not aware of any such feature on the FWSM that will be able to meet your requirement

Regards

Farrukh


6 Replies

Farrukh Haroon
VIP Alumni

Hello Giorgio

Your question is not clear; please elaborate... are you trying to do a hair-pinning setup?

Regards

Farrukh

Hi Farrukh,

Thank you for your interest.

I'll try to explain my problem with an example:

I have an environment with three transparent proxy servers (named P1, P2 and P3) that access the internet using a virtual firewall FWSM v 4.1.3.

For packets not processed by the proxies but only "routed" by the proxies, I'd need the FWSM to be capable of forwarding the return packet to the proxy that sent the first packet to the FWSM.

Example:

Host A wants to go to the internet using, randomly, one of the three transparent proxies. Let's say that the proxy named P1 has been chosen.

The proxy P1 is not capable of processing the traffic of Host A, so it routes the traffic to its next hop (the FWSM virtual firewall).

The traffic routed by the proxy P1 has the source IP of Host A, because the proxy P1 has not been able to process it.

At this point the FWSM receives the traffic of Host A from the proxy P1 and it lets the traffic go to the internet.

When the FWSM receives from the internet the traffic in response to Host A, I'd need the FWSM to forward this traffic to the proxy P1 without inserting any static route entry on the FWSM.

In the Blue Coat proxy servers this feature is called "return to sender". The Blue Coat keeps track of the MAC address that sent it a packet, and the response will be sent to the same MAC address.

Is there a feature like this in the FWSM v 4.1.3?

Thank you again for any answer

  giorgio

I'm afraid the following statement in your post is not correct:

"When the FWSM receives from the internet the traffic in response to Host A, I'd need the FWSM to forward this traffic to the proxy P1 without inserting any static route entry on the FWSM."

If the source IP of the packet was not changed by the proxy (P1), it means the destination IP of the return packet from the Internet will be the same, i.e. the IP address of Host A and not the proxy; the FWSM will simply do an ARP table lookup and send it back to Host A's MAC ID.

If you want the return packet to go to the proxy P1, why don't you let that proxy modify the source IP in the original packet?

Regards

Farrukh

OK, that's right; I think I asked the wrong question.

So I'll try again:

Does the FWSM keep track of the MAC address that forwards a packet to it?

Does the FWSM use this "track" to make routing decisions?

I hope that was clear.

Thank you again!

  giorgio

Not really; it does keep track of sessions at layer 4 (e.g. TCP sessions) but not at layer 2.

I'm not aware of any such feature on the FWSM that will be able to meet your requirement

Regards

Farrukh

OK, that's what I needed to know.

Thank you very much!

Anyway, try reading this link; maybe it can explain it better than I did.

http://forums.bluecoat.com/viewtopic.php?f=1&t=2034

Bye and thank you again!

  giorgio
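
The difference discussed in this thread, as an added toy model that is not code from either poster, the FWSM or Blue Coat: a forwarder that tracks layer 4 sessions and resolves the return next hop by destination IP, beside one that also remembers the MAC address that delivered the first packet. All addresses, the `Forwarder` class and the on-link ARP entry for Host A are constructed assumptions.

```python
# Toy model with constructed data; it does not reproduce any vendor implementation.
from typing import NamedTuple

class Packet(NamedTuple):
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

# Constructed addresses (documentation ranges) for Host A and proxy P1.
HOST_A_IP, HOST_A_MAC = "10.0.0.10", "00:00:5e:00:53:0a"
P1_MAC = "00:00:5e:00:53:01"
ARP_TABLE = {HOST_A_IP: HOST_A_MAC}  # assumption: Host A resolves directly via ARP

def flow_key(pkt):
    """Layer 4 session key taken from the outbound packet."""
    return (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)

def reverse_key(pkt):
    """Key of the outbound session that a return packet belongs to."""
    return (pkt.proto, pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)

class Forwarder:
    def __init__(self, return_to_sender):
        self.return_to_sender = return_to_sender
        self.sessions = {}  # session key -> MAC that delivered the first packet

    def outbound(self, pkt):
        # Both modes create a session; only return-to-sender consults the stored MAC.
        self.sessions.setdefault(flow_key(pkt), pkt.src_mac)

    def return_next_hop_mac(self, pkt):
        """Destination MAC for a return packet, or None if no session matches."""
        key = reverse_key(pkt)
        if key not in self.sessions:
            return None  # stateful check: unsolicited inbound traffic has no session
        if self.return_to_sender:
            return self.sessions[key]
        return ARP_TABLE.get(pkt.dst_ip)  # decision based on destination IP only

def demo(return_to_sender):
    fw = Forwarder(return_to_sender)
    # P1 routes Host A's packet unchanged: source IP is Host A, source MAC is P1.
    fw.outbound(Packet(P1_MAC, HOST_A_IP, "203.0.113.80", "tcp", 40000, 443))
    reply = Packet("00:00:5e:00:53:fe", "203.0.113.80", HOST_A_IP, "tcp", 443, 40000)
    return fw.return_next_hop_mac(reply)
```

`demo(False)` returns Host A's MAC, so the reply bypasses P1; `demo(True)` returns P1's MAC, which is the symmetric return path the original poster was asking for.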
