
Proxy Firewall Cluster on inside Interface

Iske
Level 1

Hi!

We have a proxy firewall cluster on the inside interface of the PIX.

FW1 172.16.0.1

FW2 172.16.0.2

Cluster Address 172.16.0.25

What I would like to do now is to have the PIX translate all the traffic from 172.16.0.1 to xxx.xxx.xxx.114 and also from 172.16.0.2 to xxx.xxx.xxx.114.

Is this possible, and how do I do this?

Another problem is that if connections are made from outside to the cluster IP of 172.16.0.25, the response comes from either 172.16.0.1 or 172.16.0.2, and the PIX has no xlate for that and will deny the traffic, I think.

Thanks for your help.

uli

1 Reply

ehirsel
Level 6

You are correct in stating that the PIX will block incoming requests to an inside device that does not have a static associated with it and whose traffic does not match an ACL entry (ACE).

How does your firewall cluster work? When it sends out a packet, the IP source address should be the cluster, correct? If so, then you only need one static:

static (in,out) y.y.y.y 172.16.0.25 netmask 255.255.255.255

Otherwise you can do a nat, a global, and a static like this:

nat (in) 15 172.16.0.1 255.255.255.255
nat (in) 15 172.16.0.2 255.255.255.255
global (out) 15 y.y.y.a
static (in,out) y.y.y.b 172.16.0.25 netmask 255.255.255.255

to get both units to use the same outside address, and another outside address to refer to the cluster IP.
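To make the behaviour discussed in this reply concrete, the following is a small Python model of PIX xlate/conn handling, added here as an illustration; it is not code from the thread and not Cisco's implementation. It expresses the reply's nat/global/static lines as data and replays both of uli's questions: the two members leave with one shared outside address, and a reply that is sourced from a member instead of the cluster IP finds no connection entry and is dropped. The public addresses 203.0.113.10/11 and the client 198.51.100.5 are constructed placeholders for y.y.y.a, y.y.y.b and an outside host; the lookup order (existing conn, then static, then nat/global) is a simplification of real PIX behaviour.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed placeholders (RFC 5737 documentation range) standing in for the
# thread's y.y.y.a and y.y.y.b; the 172.16.0.x addresses are the ones from the post.
Y_A = "203.0.113.10"          # global (out) 15 y.y.y.a   -> PAT address shared by FW1/FW2
Y_B = "203.0.113.11"          # static (in,out) y.y.y.b 172.16.0.25
CLUSTER_VIP = "172.16.0.25"
FW1, FW2 = "172.16.0.1", "172.16.0.2"


@dataclass
class Pix:
    """Minimal model of PIX translation state (simplified, not Cisco's code)."""
    nat: list = field(default_factory=list)        # (nat_id, inside network) from 'nat (in) ...'
    globals_: dict = field(default_factory=dict)   # nat_id -> outside address from 'global (out) ...'
    statics: dict = field(default_factory=dict)    # inside ip -> outside ip from 'static (in,out) ...'
    conns: dict = field(default_factory=dict)      # (inside ip, outside peer) -> translated inside ip

    def outbound(self, src, dst, syn):
        """Packet leaving via the inside interface. Returns the source address as
        seen on the outside, or None if the PIX drops it."""
        if (src, dst) in self.conns:               # part of a known connection
            return self.conns[(src, dst)]
        if not syn:                                # mid-stream packet with no conn: dropped
            return None
        if src in self.statics:                    # static wins over nat/global
            xlated = self.statics[src]
        else:
            xlated = next((self.globals_[nat_id] for nat_id, net in self.nat
                           if ip_address(src) in net and nat_id in self.globals_), None)
            if xlated is None:                     # no translation rule at all
                return None
        self.conns[(src, dst)] = xlated
        return xlated

    def inbound(self, src, dst):
        """Packet arriving on the outside interface. Returns the inside host it is
        delivered to, or None if denied (assumes an ACL permits the static's traffic)."""
        for (inside_ip, peer), xlated in self.conns.items():
            if peer == src and xlated == dst:      # return traffic of an outbound conn
                return inside_ip
        for inside_ip, outside_ip in self.statics.items():
            if outside_ip == dst:                  # static allows a new inbound flow
                self.conns[(inside_ip, src)] = outside_ip
                return inside_ip
        return None


def reply_config():
    """The nat/global/static set from the reply, expressed as data."""
    pix = Pix()
    pix.nat += [(15, ip_network(FW1 + "/32")), (15, ip_network(FW2 + "/32"))]
    pix.globals_[15] = Y_A
    pix.statics[CLUSTER_VIP] = Y_B
    return pix


def members_share_one_outside_address():
    """Question 1: FW1 and FW2 both leave the PIX as y.y.y.a."""
    pix = reply_config()
    client = "198.51.100.5"                        # constructed outside host
    return pix.outbound(FW1, client, syn=True), pix.outbound(FW2, client, syn=True)


def asymmetric_reply_from_member():
    """Question 2: client -> y.y.y.b reaches the VIP, but a reply sent by FW1
    instead of the VIP has no conn/xlate and is dropped."""
    pix = reply_config()
    client = "198.51.100.5"
    delivered_to = pix.inbound(client, Y_B)
    reply_via_vip = pix.outbound(CLUSTER_VIP, client, syn=False)
    reply_via_member = pix.outbound(FW1, client, syn=False)
    return delivered_to, reply_via_vip, reply_via_member
```

The second scenario is the one that no NAT statement fixes on its own: the connection entry belongs to the cluster IP, so a reply sourced from 172.16.0.1 is a mid-stream packet with no state. That is why the reply first asks whether the cluster sources its packets from the cluster address; if it does, the single static is enough.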