
RE: [FW1] Packet lost somewhere , Pls help.



You shouldn't need any additional hardware.  As long as you have enough free addresses on your server (DMZ) network to assign an additional address to each firewall for each server on that network, you'll be fine (i.e. you'll need three DMZ addresses per server).
 
For example, say your server is 10.10.10.2.  You could proxy ARP 10.10.10.102 to FWA and 10.10.10.202 to FWB.  Then, just make the NAT rule on each firewall NAT both the source and destination of inbound requests accordingly.  In this example, the NAT rule on FWA would be as follows:
 
Original:
-Source: Any
-Destination: 143.x.x.20
-Service: Any
Translated packet:
-Source: 10.10.10.102 (hide)
-Destination: 10.10.10.2
-Service: Original
 
See also http://www.phoneboy.com/faq/0322.html for his description of this resolution.
 
Also bear in mind that you'll need some sort of round-robin DNS (A or NS records) to utilize both of these.  Radware's Linkproof is ideal for this, but this will work okay if budget doesn't allow for a device like Linkproof.
 
HTH

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: gunjan [mailto:[email protected]]
Sent: Friday, April 20, 2001 4:42 AM
To: Daniel Hitchcock
Subject: Re: [FW1] Packet lost somewhere , Pls help.

Hi,
Thanks for your help. As you suggested, we can do NATting both ways. Can you tell me whether we can do this on FW-1, or do we have to put another gateway in between the DMZ and the FW machine?
 
Thanks
 
 
----- Original Message -----
Sent: Thursday, April 19, 2001 3:13 AM
Subject: RE: [FW1] Packet lost somewhere , Pls help.

The easiest solution to this would be to get rid of one of your firewalls, stick another NIC in your remaining firewall, and run both of your internet connections into this firewall.  Your internal and DMZ machines would then have only a single default gateway to send to, and it wouldn't matter which internet connection.
 
You wouldn't get very good load balancing that way, though, so you'd need a device like RadWare's Linkproof to balance the devices (it is very cool - check it out at www.radware.com).
 
Another option would be to NAT both the source and the destination of incoming packets, such that your internal servers could tell which firewall the packet came from.  This would take a bit of trickery with NAT rules and ARP, but would work, and might be less work than merging your firewalls.
 
HTH
 

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: gunjan [mailto:[email protected]]
Sent: Tuesday, April 17, 2001 8:49 PM
To: [email protected]
Subject: [FW1] Packet lost somewhere , Pls help.

 

Hi Gurus,
 
I'm implementing 2 ISPs and 1 DMZ. (I can't use BGP.)
My structure is like this:
 
 
ISP1-------FW-A---------|DMZ
ISP2-------FW-B---------|DMZ
 
ISP1: details
 
216.x.x.1 Router
216.x.x.18 FW-A external interface
10.10.10.1 FW-A DMZ interface
 
ISP2: details
 
143.x.x.1 Router
143.x.x.18 FW-B external interface
10.10.10.101 FW-B DMZ interface
 
 
DMZ details:
10.10.10.2   Web server
10.10.10.3    Application server
10.10.10.4   Application server
 
Both IPs of the application server are on the same machine (dual-homed); this server has two interface cards with different IPs.
 
The DMZ interfaces of both FWs are connected to one switch.
Both WAN connections terminate on one router.
Doing NATting on the FWs.
Both FWs point to the same systems in the DMZ.
 
The NATting tables look like this:
216.x.x.20 ------ 10.10.10.2
216.x.x.21 ------ 10.10.10.3
 
143.x.x.20 ------ 10.10.10.2
143.x.x.21 ------ 10.10.10.4
 
Default route on the application server:
default from 10.10.10.1 through FW-A
 
 
My Problem is like this:
 
 
When I try to reach 216.x.x.21 from the network, it is reachable, BUT if I try to reach 143.x.x.21 then it won't be.
I presume that the request enters 143.x.x.21 from FW-B (10.10.10.4 interface) and the reply goes out via the DEFAULT route (which is FW-A, 10.10.10.3 interface), and that entry is not in FW-A, so the packet is lost there.
 
If I try to reach any interface from any FW then it shows me everything OK, because they are in a closed loop.
 
How can I solve this problem?
 
Is there any way I can instruct the system that if a request comes in on interface1 then the reply should go back out the same one, instead of picking the default route and the primary interface's gateway address?
 
 
Thanks.
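The failure mode gunjan describes (request in through FW-B, reply out through the default gateway FW-A, which has no state for it) and the fix Dan gives in the top reply (NAT both source and destination, with the hide address proxy-ARPed by the firewall that owns the connection), modelled as an added Python example. This is not code from the thread, not a FW-1 policy, and not the poster's configuration: it is a toy simulation of one connection with no ports. The public addresses are constructed from the documentation ranges (192.0.2.0/24 for ISP1, 198.51.100.0/24 for ISP2, 203.0.113.7 as the Internet client) because the thread masks them as x.x; the hide addresses 10.10.10.102 and 10.10.10.202 come from Dan's mail, while 10.10.10.103 and 10.10.10.204 for the application server are assumed by analogy.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DMZ = ip_network("10.10.10.0/24")
CLIENT = "203.0.113.7"      # constructed Internet client (TEST-NET-3)
DEFAULT_GW = "10.10.10.1"   # FW-A's DMZ interface: the servers' only default route


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Firewall:
    name: str
    dmz_ip: str
    static_nat: dict            # public -> private, from the NATting tables in the thread
    hide_src: dict = field(default_factory=dict)   # private server -> translated (hide) source
    proxy_arp: set = field(default_factory=set)    # DMZ addresses this firewall answers ARP for
    state: dict = field(default_factory=dict)      # (translated src, private dst) -> (client, public)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Inbound NAT: translate the destination, and the source when a hide address is set."""
        private = self.static_nat.get(pkt.dst)
        if private is None:
            return None
        src = self.hide_src.get(private, pkt.src)
        self.state[(src, private)] = (pkt.src, pkt.dst)
        return Packet(src, private)

    def outbound(self, pkt: Packet) -> Packet | None:
        """Reply path: a stateful firewall forwards only replies to connections it recorded."""
        orig = self.state.get((pkt.dst, pkt.src))
        if orig is None:
            return None                  # no state on this box: the thread's "packet lost"
        client, public = orig
        return Packet(public, client)    # undo both translations


def resolve_next_hop(dst: str, firewalls: list[Firewall]) -> Firewall | None:
    """A DMZ server ARPs for on-link destinations (a firewall doing proxy ARP answers);
    everything else is handed to the default gateway, whichever firewall saw the request."""
    if ip_address(dst) in DMZ:
        for fw in firewalls:
            if dst == fw.dmz_ip or dst in fw.proxy_arp:
                return fw
        return None
    return next(fw for fw in firewalls if fw.dmz_ip == DEFAULT_GW)


def build_firewalls(use_fix: bool) -> list[Firewall]:
    fw_a = Firewall("FW-A", "10.10.10.1",
                    {"192.0.2.20": "10.10.10.2", "192.0.2.21": "10.10.10.3"})
    fw_b = Firewall("FW-B", "10.10.10.101",
                    {"198.51.100.20": "10.10.10.2", "198.51.100.21": "10.10.10.4"})
    if use_fix:
        # Dan's rule: hide the source behind an address the firewall proxy-ARPs for, so the
        # server's reply is on-link and lands on the firewall that holds the state.
        # .102/.202 are from his mail; .103/.204 for the application server are assumed.
        fw_a.hide_src = {"10.10.10.2": "10.10.10.102", "10.10.10.3": "10.10.10.103"}
        fw_b.hide_src = {"10.10.10.2": "10.10.10.202", "10.10.10.4": "10.10.10.204"}
        for fw in (fw_a, fw_b):
            fw.proxy_arp = set(fw.hide_src.values())
    return [fw_a, fw_b]


def request(public_ip: str, use_fix: bool) -> str:
    """Send one request from CLIENT to a public address and report where the reply ends up."""
    firewalls = build_firewalls(use_fix)
    entry = next(fw for fw in firewalls if public_ip in fw.static_nat)
    to_server = entry.inbound(Packet(CLIENT, public_ip))
    reply = Packet(to_server.dst, to_server.src)        # the server just swaps src and dst
    exit_fw = resolve_next_hop(reply.dst, firewalls)
    if exit_fw is None:
        return "lost (nobody answered ARP)"
    out = exit_fw.outbound(reply)
    if out is None:
        return f"lost (dropped by {exit_fw.name}, no state)"
    return f"delivered via {exit_fw.name} as {out.src}->{out.dst}"


if __name__ == "__main__":
    for fix in (False, True):
        print("with source+destination NAT and proxy ARP:" if fix else "original setup:")
        for ip in ("192.0.2.21", "198.51.100.21"):
            print(f"  {ip}: {request(ip, fix)}")
```

Without the fix the address behind FW-B is unreachable because the reply is steered by the server's single default route to FW-A, which has no state and drops it; with the fix the reply's destination is on-link, the server ARPs for it, and only the firewall that translated the request answers. Two things to keep in mind that the simulation makes visible: the hide address must be one that only that firewall answers ARP for (if both firewalls claimed it you would be back to a coin toss), and the servers now see every client as a 10.10.10.x address, so any access logs or source-based access control on the DMZ hosts lose the real client IP and must be done on the firewalls instead.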
 


 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.