
IPSec and Static route

MrBeginner

Hi ,

Please allow me to ask about IPSec return traffic and WAF traffic.

  1. I have an IPSec network and my branch site has two IPSec tunnels. Tunnel0 is the primary, pointing to HUB1, and Tunnel1 is the secondary tunnel, pointing to HUB2. I placed a static route in the firewall. If I want traffic to go as below and I change the static next-hop IP to HUB2 in the firewall, some of my traffic cannot reach my branch. Let me know why?

IPSEC.png


I also want to know about WAF.

Please see the diagram below and let me know whether it should be like this or not. I want to forward only HTTP/HTTPS traffic to the WAF and the return traffic directly to the firewall. All other incoming and outgoing traffic also passes through the firewall.

WAF.png

3 Replies

Hi,
1. Why do you want to route traffic like that? It would be better to either use one hub as active and the other for failover, or alternatively use a routing protocol and use both hubs in active/active.

2. You can explicitly route HTTP/HTTPS traffic to the WAF, e.g. using WCCP. In that instance all traffic routed from the WAF will egress using the WAF's outside interface and therefore return traffic will be routed back to the WAF. The traffic you don't route via the WAF would go directly to the firewall.

HTH

Hi ,

1. I just want to know whether traffic can go like no. 1 or not. I just want to know what will happen if I run it like that diagram. I didn't use that method. I am running one as active and one as failover.

2. Can I use PBR and a normal route together in one firewall? I mean I push HTTP/HTTPS traffic to the WAF by using PBR. Normal traffic will use the main routing table. My FW supports PBR also. Is it possible? And I forgot to add the router in the previous diagram. Please see the diagram below; it is the correct diagram. All return traffic is managed by this router. The next hop for all return traffic is the FW interface. If the route is asymmetrical, will my FW drop my return traffic?

3. Let me know the best practice location for a WAF. In front of the firewall, or behind the firewall?

WAF2.png

Hi,
1. You could use a static route; however, if the first hub failed, the static route would remain in place and blackhole the traffic (unless you combine it with IP SLA/tracking). Hence why using a routing protocol would be better.
2. Depends on your firewall. Yes, you can use PBR to redirect traffic to the WAF and use the static default route as the next hop for all other traffic. I don't see why traffic would be asymmetrical; traffic sourced from the WAF would be routed back to the WAF.
3. The WSA design guide here places the device inside the LAN, but there is no reason why you couldn't put it in a DMZ - no need to use 2 interfaces and act as a router.


HTH
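An added example (not from the thread or any poster) showing the two points of the last reply in Cisco IOS syntax: a primary static route over Tunnel0 that IP SLA tracking withdraws when HUB1 stops answering, a floating static over Tunnel1 that takes over instead of leaving a blackhole, and a PBR route-map that steers only HTTP/HTTPS to the WAF while everything else follows the main routing table. All addresses, interface names and object numbers are assumptions.

```cisco
! --- 1. Primary/secondary tunnels without a blackhole on hub failure ---
! Probe HUB1's tunnel-end address through Tunnel0 every 10 seconds (address assumed).
ip sla 10
 icmp-echo 10.255.0.1 source-interface Tunnel0
 frequency 10
ip sla schedule 10 life forever start-time now
! Track object 10 goes DOWN when the probe fails; IOS then removes the tracked route.
! The delays avoid flapping on a single lost probe.
track 10 ip sla 10 reachability
 delay down 15 up 30
! Primary path: HQ subnets via Tunnel0, installed only while track 10 is UP.
ip route 10.20.0.0 255.255.0.0 Tunnel0 track 10
! Floating static via Tunnel1 with administrative distance 250: used only after the
! primary is withdrawn, so Tunnel1 is a failover, not a second active path.
ip route 10.20.0.0 255.255.0.0 Tunnel1 250
!
! --- 2. PBR: only HTTP/HTTPS to the WAF, all other traffic via the routing table ---
ip access-list extended WEB-TO-WAF
 permit tcp any any eq www
 permit tcp any any eq 443
! Sequence 10 sets the WAF inside interface (assumed address) as next hop for web traffic.
route-map WAF-REDIRECT permit 10
 match ip address WEB-TO-WAF
 set ip next-hop 192.0.2.10
! Sequence 20 has no set clause, so non-matching traffic falls through to normal routing.
route-map WAF-REDIRECT permit 20
! Apply the policy only on the interface where the traffic to be inspected enters.
! The WAF terminates the session, so the server side sees the WAF's own outside
! interface as source and replies reach the WAF without any policy on the return path.
interface GigabitEthernet0/1
 description Inside LAN
 ip policy route-map WAF-REDIRECT
```

Verify with `show track 10` and `show ip route 10.20.0.0` after shutting the probe target: the Tunnel0 entry should disappear and the Tunnel1 entry appear.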