11-01-2005 06:38 PM - edited 03-09-2019 12:54 PM
Hi, there. I'm Daniel KY SEO.
I have a question about firewalling for asymmetric routing.
Our client has an asymmetric routing topology like the attached PPT file. We recommended that our client change the routing information of the server.
But they rejected our proposal because of several complicated issues. And they also said that this topology is possible on Juniper (Netscreen) and Nokia firewalls.
Why not Cisco PIX?
Are there any options on PIX in order to resolve these issues? I wanna know any options on PIX. What should I do?
Doesn't anyone know the issues?
Help me!!! Please.
Best Regards,
From Korea, republic of.
11-02-2005 02:55 AM
Hello,
Right now, with Version 7.0, you can have two PIX firewalls connected together and working in an Active-Active mode, thus allowing asymmetric routing on the network. Without this, I am afraid it is not possible. A single firewall will not support asymmetric routing. You can probably bypass the firewall for such traffic.
Hope this helps.. rate replies if found useful...
Raj
11-02-2005 04:31 AM
Thanks for your reply. But the Ack+Syn packets which the server sends to the client don't pass through the firewall, as in the attached file. So it is different from the A-A mode issue.
How can I bypass the firewall for such traffic?
Let me know about your thinking in detail.
Regards,
Daniel
11-14-2005 10:27 PM
Hi Daniel,
The key problem you are facing is that the PIX firewall cannot maintain connection states due to asymmetric routing. However, you can change your firewall to transparent mode (available in version 7.0) and move all the L3 services (e.g. routing, NAT) from the existing firewall to another L3 device (e.g. a router).
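
Added example, not part of the thread and not PIX code: a simplified model of strict stateful TCP inspection, showing why the handshake fails when the server's SYN-ACK returns by a path that skips the firewall. The class and function names, the state names and the documentation-range addresses are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StrictStateTracker:
    """Simplified model: each handshake step must be seen in order."""

    def __init__(self):
        self.conns = {}  # (client, server) -> state

    def inspect(self, seg):
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        if seg.flags == "SYN":
            self.conns[fwd] = "SYN_SEEN"
            return "pass"
        if seg.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return "pass"
        if seg.flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return "pass"
        return "drop"  # no matching state for this segment


# Constructed sample handshake (documentation address ranges).
CLIENT, SERVER = "198.51.100.10", "192.0.2.20"
HANDSHAKE = [
    Segment(CLIENT, SERVER, "SYN"),
    Segment(SERVER, CLIENT, "SYN-ACK"),
    Segment(CLIENT, SERVER, "ACK"),
]


def verdicts(segments_seen_by_firewall):
    fw = StrictStateTracker()
    return [fw.inspect(s) for s in segments_seen_by_firewall]


def symmetric():
    # Both directions cross the firewall.
    return verdicts(HANDSHAKE)


def asymmetric():
    # Topology from the thread: the server's SYN-ACK bypasses the firewall.
    return verdicts([s for s in HANDSHAKE if s.src == CLIENT])
```

In the asymmetric case the firewall passes the SYN but has no record of a SYN-ACK, so the client's final ACK matches no expected state and is dropped.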