Solved: Traffic Flow between Transparent and Routed FW.

mahesh18 · ‎06-07-2013

Hi Everyone,

Need to confirm here the traffic flow between 2 FW.

Say we have Core Switch 1 it is learning route to subnet 172.x.x.x via interface x of Routed FW.

Routed FW learns Route to Destination subnet 172.x.x.x via its interface Y.

Now Interface Y connects to interface Y of Transparent FW.

Transparent FW has interface Z which has destination subnet 172.x.x.x.

So in short we can say that if someone need to reach the Destination subnet 172..x.x.x and its default gateway is core switch then traffic will follow the

above path to reach the subnet 172.x.x.x??

Regards

Mahesh

Julio Carvajal · ‎06-07-2013

Hello Mahesh,

Well,

The Transparent Firewall cannot route so I would say that

The interface Y of the Router FW and both interfaces on the transparent firewall on the 172.16.x.x..

That would make sense but you cannot route to a subnet via a transparent firewall IP address.

The transparent firewall does not have a routing table to route traffic across itself.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎06-07-2013

Hello Mahesh,

If the FW Y interface and Transparent Firewall is on the 172.x subnet ( the destination you are trying to go you are going to be fine),

Is this the case?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎06-07-2013

Hello

Exactly, the packet will be forward to the LAN, then the devices in between FW transparent and switches will send the traffic to the right ports,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎06-07-2013

Hello Mahesh,

Well,

The Transparent Firewall cannot route so I would say that

The interface Y of the Router FW and both interfaces on the transparent firewall on the 172.16.x.x..

That would make sense but you cannot route to a subnet via a transparent firewall IP address.

The transparent firewall does not have a routing table to route traffic across itself.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎06-07-2013

Hi julio,

you are correct as transparent FW is just layer 2 and both interfaces Y and Z have same IP address.

So in order to move packet from interface Y to Z transparent FW uses arp table to get the mac of device connected to interface Z of transparent FW?

Regards

Mahesh

Julio Carvajal · ‎06-07-2013

Hello Mahesh,

If the FW Y interface and Transparent Firewall is on the 172.x subnet ( the destination you are trying to go you are going to be fine),

Is this the case?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎06-07-2013

Hi Julio,

Yes Dest subnet and Y interface of Transparent FW are on same subnet.

So FW just forward the packet to device by looking at mac address table right?

Regards

Mahesh

Julio Carvajal · ‎06-07-2013

Hello

Exactly, the packet will be forward to the LAN, then the devices in between FW transparent and switches will send the traffic to the right ports,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC