02-27-2011 03:57 AM - edited 03-11-2019 12:57 PM
Hi to everyone,
Does anyone know if the FWSM v 4.1.3 is capable of forwarding return packets to the MAC address that sent them to it first?
Thank you very much
giorgio
02-27-2011 05:41 AM
Hello Giorgio
Your question is not clear; please elaborate. Are you trying to do a hair-pinning setup?
Regards
Farrukh
02-27-2011 06:16 AM
Hi Farrukh,
Thank you for your interest.
I'll try to explain my problem with an example:
I have an environment with three transparent proxy servers (named P1, P2 and P3) that access the internet using a virtual firewall, FWSM v 4.1.3.
For packets not processed by the proxies but only "routed" by them, I'd need the FWSM to be capable of forwarding the return packet to the proxy that sent the first packet to the FWSM.
Example:
Host A wants to go to the internet using one of the three transparent proxies at random. Let's say that the proxy named P1 has been chosen.
The proxy P1 is not able to process the traffic of Host A, so it routes the traffic to its next hop (the FWSM virtual firewall).
The traffic routed by the proxy P1 has the source IP of Host A, because the proxy P1 has not been able to process it.
At this point the FWSM receives the traffic of Host A from the proxy P1 and lets the traffic go to the internet.
When the FWSM receives from the internet the traffic in response to Host A, I'd need the FWSM to forward this traffic to the proxy P1 without inserting any static route entry on the FWSM.
In the Blue Coat proxy servers this feature is called "return to sender". The Blue Coat keeps track of the MAC address that sent it a packet, and the response will be sent to the same MAC address.
Is there a feature like this in the FWSM v 4.1.3?
Thank you again for any answer
giorgio
02-27-2011 06:27 AM
I'm afraid the following statement in your post is not correct:
"When the FWSM receives from the internet the traffic in response to Host A, I'd need the FWSM to forward this traffic to the proxy P1 without inserting any static route entry on the FWSM."
If the source IP of the packet was not changed by the proxy (P1), it means the destination IP of the return packet from the Internet will be the same, i.e. the IP address of Host A and not the proxy; the FWSM will simply do an ARP table lookup and send it back to Host A's MAC ID.
If you want the return packet to go to the proxy P1, why don't you let that proxy modify the source IP in the original packet?
Regards
Farrukh
02-27-2011 06:44 AM
OK, that's right; I think I asked the wrong question.
So I'll try again:
Does the FWSM keep track of the MAC address that forwarded a packet to it?
Does the FWSM use this "track" to make routing decisions?
I hope that was clear.
Thank you again!
giorgio
02-27-2011 06:48 AM
Not really; it does keep track of sessions at layer 4 (e.g. TCP sessions) but not at layer 2.
I'm not aware of any such feature on the FWSM that will be able to meet your requirement.
Regards
Farrukh
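The difference discussed in this thread, as an added toy model that is not part of any post and is not FWSM or Blue Coat code: a device that tracks sessions at layer 4 only picks the return next hop from its ARP table, while a "return to sender" device remembers the MAC that delivered the first packet. All class names, addresses and ports are constructed for illustration, and Host A is assumed to be resolvable in the firewall's ARP table as described above.

```python
from dataclasses import dataclass, field

# Constructed sample values for the thread's scenario (not from a real network).
HOST_A_IP, SERVER_IP = "10.0.0.10", "198.51.100.7"
HOST_A_MAC, P1_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:01"

@dataclass(frozen=True)
class Packet:
    src_mac: str   # layer-2 sender on the inside segment ("" for the Internet side)
    src_ip: str
    sport: int
    dst_ip: str
    dport: int

    def flow(self):
        return (self.src_ip, self.sport, self.dst_ip, self.dport)

    def reverse_flow(self):
        return (self.dst_ip, self.dport, self.src_ip, self.sport)

@dataclass
class Layer4Firewall:
    """Tracks sessions by IP/port only; return next hop comes from the ARP table."""
    arp: dict
    sessions: set = field(default_factory=set)

    def outbound(self, pkt):
        self.sessions.add(pkt.flow())

    def return_next_hop(self, reply):
        if reply.reverse_flow() not in self.sessions:
            return None                      # no matching session: dropped
        return self.arp.get(reply.dst_ip)    # the ingress MAC was never recorded

@dataclass
class ReturnToSenderDevice:
    """Also remembers which MAC delivered the first packet of each flow."""
    sessions: dict = field(default_factory=dict)

    def outbound(self, pkt):
        self.sessions.setdefault(pkt.flow(), pkt.src_mac)

    def return_next_hop(self, reply):
        return self.sessions.get(reply.reverse_flow())

def compare():
    out = Packet(P1_MAC, HOST_A_IP, 40000, SERVER_IP, 443)   # Host A's packet, routed by P1
    reply = Packet("", SERVER_IP, 443, HOST_A_IP, 40000)
    fw, rts = Layer4Firewall({HOST_A_IP: HOST_A_MAC}), ReturnToSenderDevice()
    fw.outbound(out); rts.outbound(out)
    return fw.return_next_hop(reply), rts.return_next_hop(reply)
```

`compare()` returns the MAC each model would send the reply to: Host A's MAC for the layer-4 model and P1's MAC for the return-to-sender model, which is the asymmetric path the original question was trying to avoid.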
02-27-2011 07:20 AM
OK, that's what I needed to know.
Thank you very much!
Anyway, try reading this link; maybe it can explain it better than I did.
http://forums.bluecoat.com/viewtopic.php?f=1&t=2034
Bye and thank you again!
giorgio