How does FIrewall work in this situation

cisconoobie · ‎08-02-2006

I have 2 WAN Routers in HSRP, one for T1 and the other for T3.

They both connect to a Switch, the switch connects to 2 different Firewalls on the same segment.

Firewall 55.32.22.11

Firewall 55.32.22.12

If I have Nat Policies setup on both Firewalls, which Firewall will the Router know to go to ?

I'm just wondering how do communication works and how this would work ?

Patrick Laidlaw · ‎08-02-2006

Hello,

Well it kind of depends on your configurations. Are your firewalls setup to be redundant? What kind of routes do you have on your routers? Do your firewalls have different nat policies or are they trying to do nat for the same ip addresses. Are the nat policies using ip address located on the lan with the hsrp address or are they natting using other ip's that requires the routers to route to the appropriate firewall.

If you post your configs for your routers and firewalls Of course scrub them for sensitive information substituting anything public. The CCO group will try to explain it.

Patrick Laidlaw

Please rate any posts that were helpful.

grant.maynard · ‎08-03-2006

If a firewall has a NAT setup for a particular public IP address, then it will respond to ARP from either router for that IP.

So this setup is fine provided you have no address overlap between firewalls. If you do have overlap then it becames a race and completely unpredictable.

mmorris11 · ‎08-03-2006

The best thing to do is to configure the firewalls as a failover pair. That way the router(s) just see the two firewalls as one device.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008054c507.html

pls rate!