What is the solution that can route the return traffic through FW2?

goldpartner
Level 1

                default route -->     eBGP        eBGP     <-- default route
Internet---------FW1-------------R2----------R1----------R5-------------FW2---------Internet
              202.100.0.1        |                       |           61.100.0.1
              Static NAT         |eBGP                   |eBGP       Static NAT
              for web server     |         eBGP          |           for web server
                                 R3----------------------R4
                                /
                               /
                        web server
                        192.168.1.1

As shown in the map, the routers R1-R5 run eBGP between them. FW1 and FW2 are stateful firewalls. FW1 advertises a default route to R2 and FW2 advertises a default route to R5, and that is the only route advertised from the firewalls. There is a web server farm (192.168.1.1) connected to R3. There is static NAT on FW1 and FW2 for the web server so that users can access the web server from the internet. For some reason, a user hits the public IP (61.100.1.1) on FW2 to access the web server via the path FW2->R5->R4->R3->webserver. Since the firewalls are stateful, the return traffic has to go via FW2 back to the user. What is the solution to route the traffic through FW2? (No PBR is allowed.)

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @goldpartner ,

The web server should serve on two different TCP ports; there should be two instances of the web server, one on port 80 and one on port 8080, for example.

Port 80 is to be used when accessed from FW1 and port 8080 when accessed from FW2.

Static NAT on FW1 and FW2 should be configured taking the above into account.

The R3 router should use PBR to send traffic with source 192.168.1.1 and TCP source port 80 to next-hop R4, and traffic with source 192.168.1.1 and TCP source port 8080 to next-hop R2.

Edit:

You would like to do this without using PBR ...

Use VRFs; you need two NICs on the web server, one towards VRF FW1 and one towards VRF FW2.

I apologize for the question, but this scenario looks not feasible; are you studying for some certification?

Hope to help

Giuseppe
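As an added example (not from the original post or its author), the port-based PBR on R3 that the answer describes, written as a Cisco IOS configuration. It assumes the port 80 instance is the one NATed on FW1 (return next hop R2) and the port 8080 instance the one NATed on FW2 (return next hop R4); the next-hop addresses and the server-facing interface name are placeholders, since the page does not give them.

```cisco
! Return traffic from the web server must leave through the same stateful
! firewall that admitted the request, otherwise that firewall drops it.
! Steering key: the server's TCP source port (80 -> FW1 side, 8080 -> FW2 side).
!
! Placeholder addresses (not on the page): replace with the real
! R3-R2 and R3-R4 link addresses.
ip access-list extended WEB-RETURN-VIA-FW1
 permit tcp host 192.168.1.1 eq 80 any
ip access-list extended WEB-RETURN-VIA-FW2
 permit tcp host 192.168.1.1 eq 8080 any
!
route-map WEB-RETURN-PATH permit 10
 match ip address WEB-RETURN-VIA-FW1
 set ip next-hop <R2-link-address>
route-map WEB-RETURN-PATH permit 20
 match ip address WEB-RETURN-VIA-FW2
 set ip next-hop <R4-link-address>
! Anything not matched (implicit deny in both ACLs) falls through to the
! normal BGP-selected route, so only the web server's replies are steered.
!
interface GigabitEthernet0/1
 description Server farm segment (placeholder interface name)
 ip policy route-map WEB-RETURN-PATH
```

Match counters in show route-map WEB-RETURN-PATH confirm which clause each reply flow is hitting.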


5 Replies


Thanks for your solution, which I think is a feasible option.

I am not studying for a certification; it is only an artificial scenario I discussed with my teammate.

Is it possible for you to provide more details about your second potential solution?

Hello


@goldpartner wrote:

For some reason, a user hits the public IP (61.100.1.1) on FW2 to access the web server via the path FW2->R5->R4->R3->webserver. Since the firewalls are stateful firewalls the return traffic has to go via FW2 back to the user.

What is the solution to route the traffic through FW2? (No PBR is allowed.)


From R3's perspective, it is multihomed with R2/R4, and based on your OP it suggests multipath isn't viable for the two default routes from FW1/2; also, based on BGP path selection, the FW1 default is being preferred?

If you wish for the return path to route via R4/R5/FW2, PBR would be a viable option, as it could also be implemented as conditional, but you mention this is not possible; can you elaborate as to why?



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

also based on bgp path selection the FW1 default is being preferred?

--Correct

If you wish for the return path to route via R4/R5/FW2, PBR would be a viable option, as it could also be implemented as conditional, but you mention this is not possible; can you elaborate as to why?

--It is only disallowed in order to see whether there is another solution technically.

Does R3 have two paths (two eBGP paths) for the default route?
If yes, then you need to use some eBGP attributes to make one path preferred over the other.