I have a badly designed application (which can't be changed) which broadcasts snmp-trap packets from the client device to try and find the application server. This works fine on my current network where I have (DMZ with clients) Cat6500 MSFC - Checkpoint Firewall - Cat6500 MSFC (Internal with App Server), where I use IP helpers to forward the SNMP UDP packets. However, we are re-designing the network so instead of the above (expensive) topology we will simply have (DMZ) FWSM (Internal) MSFC (so all on a single 6500). So I need to forward 162/udp broadcast 255.255.255.255 through the FWSM to the Internal network.
The only way I can think of is doing the following but am unsure if it will work:
So the client sends a broadcast to 255.255.255.255; the FWSM, which is the client's gateway, permits the traffic and NATs the destination from 255.255.255.255 to the actual IP address of the server. Would this work, or is there a better way of forwarding UDP broadcasts through an FWSM?
Note: I don't have the FWSM to try the above configuration, hence why I'm asking before I procure it.
Thanks for the response and clarification, although I believe multicast routing is possible in routed mode.
So plan B: I use a pair of Cisco ASA5520s to replace the Checkpoint firewalls and use VRFs to separate the DMZ and Internal network, which means I can use ip helper-addresses on both the DMZ and Internal network as they will have their own routing table and the switch is the VLAN gateway, not the firewall.
I was looking forward to using the FWSM, so maybe in future releases they could have something similar to ip helper-address to forward traffic (other than DHCP relay). I understand the security implications but sometimes this type of functionality is required.
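The plan-B layout from the reply above, as an added example that is not part of the original thread: an IOS configuration for the 6500 where the DMZ and Internal SVIs sit in separate VRFs and the DMZ SVI relays the 255.255.255.255:162 broadcast as a unicast to the application server, with the UDP ports IOS relays by default switched off so only the trap port crosses over. VRF names, VLAN numbers, addresses, the server IP and the next hops toward the ASA are all assumptions.

```ios
! Added example, not from the original post. All names and addresses are
! assumed; the ASA still needs an access rule permitting udp/162 from the
! DMZ subnet to the server for the relayed unicast to get through.
!
! Two routing tables so each side of the ASA has its own helper config
ip vrf DMZ
 rd 65000:10
ip vrf INTERNAL
 rd 65000:20
!
! Relay only the port the application needs (snmptrap = 162/udp) and
! disable the ports ip helper-address forwards by default
ip forward-protocol udp snmptrap
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! keep bootps enabled on this switch only if it also relays DHCP
no ip forward-protocol udp bootps
!
! DMZ VLAN: the switch, not the firewall, is the clients' gateway, so the
! limited broadcast is rewritten to unicast for the server (assumed
! 10.20.0.10) and routed out of the DMZ VRF toward the ASA outside leg
interface Vlan10
 description DMZ clients
 ip vrf forwarding DMZ
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.20.0.10
!
interface Vlan110
 description DMZ VRF uplink to ASA outside (assumed 10.10.255.2)
 ip vrf forwarding DMZ
 ip address 10.10.255.1 255.255.255.0
ip route vrf DMZ 0.0.0.0 0.0.0.0 10.10.255.2
!
! Internal VLAN holding the app server, reached through the ASA inside leg
interface Vlan20
 description Internal - application server
 ip vrf forwarding INTERNAL
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan120
 description Internal VRF uplink to ASA inside (assumed 10.20.255.2)
 ip vrf forwarding INTERNAL
 ip address 10.20.255.1 255.255.255.0
ip route vrf INTERNAL 10.10.0.0 255.255.0.0 10.20.255.2
```

On newer IOS releases the SVI command is `vrf forwarding` rather than `ip vrf forwarding`; the helper and forward-protocol lines are unchanged.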