RE: [FW1] Packet lost somewhere , Pls help.

[Daniel Hitchcock]

You shouldn't need any additional hardware.  As long as you have enough free addresses on your server (DMZ) network to assign an additional address to each firewall for each server on that network, you'll be fine (i.e. you'll need three DMZ addresses per server).   For example, say your server is 10.10.10.2.  You could proxy ARP 10.10.10.102 to FWA and 10.10.10.202 to FWB.  Then, just make the NAT rule on each firewall NAT both the source and destination of inbound requests accordingly.  In this example, the NAT rule on FWA would be as follows:   Original: -Source: Any -Destination: 143.x.x. 20 -Service: Any Translated packet: -Source: 10.10.10.102 (hide) -Destination: 10.10.10.2 -Service: Original   See also http://www.phoneboy.com/faq/0322.html for his description of this resolution.   Also bear in mind that you'll need some sort of round-robin DNS (A or NS records) to utilize both of these.  Radware's Linkproof is ideal for this, but this will work okay if budget doesn't allow for a device like Linkproof.   HTH Dan Hitchcock CCNA, CCSE, MCSE Security Analyst Breakwater Security Associates 206.770.0700 x147 dhitchcock (at) breakwatersecurity (dot) com http://www.breakwatersecurity.com -----Original Message----- From: gunjan [mailto:[EMAIL PROTECTED]] Sent: Friday, April 20, 2001 4:42 AM To: Daniel Hitchcock Subject: Re: [FW1] Packet lost somewhere , Pls help. Hi, Thanks for your help. As u suggested that we can do NATting in both way, Can u tell me wether we can do this on FW-1 or we have to put another gateway inbetween the DMZ and FW m/c.   Thanks     ----- Original Message ----- From: Daniel Hitchcock To: 'gunjan' Sent: Thursday, April 19, 2001 3:13 AM Subject: RE: [FW1] Packet lost somewhere , Pls help. The easiest solution to this would be to get rid of one of your firewalls, stick another NIC in your remaining firewall, and run both of your internet connections into this firewall.  Your internal and DMZ machines would then have only a single default gateway to send to, and it wouldn't matter which internet connection.   You wouldn't get very good load balancing that way, though, so you'd need a device like RadWare's Linkproof to balance the devices (it is very cool - check it out at www.radware.com).   Another option would be NAT both the source and the destination of incoming packets, such that your internal servers could tell which firewall the packet came from.  This would take a bit of trickery with NAT rules and ARP, but would work, and might be less work that merging your firewalls.   HTH   Dan Hitchcock CCNA, CCSE, MCSE Security Analyst Breakwater Security Associates 206.770.0700 x147 dhitchcock (at) breakwatersecurity (dot) com http://www.breakwatersecurity.com -----Original Message----- From: gunjan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 17, 2001 8:49 PM To: [EMAIL PROTECTED] Subject: [FW1] Packet lost somewhere , Pls help.   Hi Guru's   I'm implementing 2 ISP and 1 DMZ. (I can't use BGP) My structure is like this.     ISP1-------FW-A---------|DMZ ISP2-------FW-B---------|DMZ   ISP1: details   216.x.x.1 Router 216.x.x.18 FW-A external interface 10.10.10.1 FW-A DMZ interface   ISP2: details   143.x.x.1 Router 143.x.x.18 FW-B external interface 10.10.10.101 FW-B DMZ interface     DMZ details: 10.10.10.2   Web server 10.10.10.3    Application server 10.10.10.4   Application server   Both IP od Application servers are on same machine (dual homed), this server has two interface cards with different IP's   DMZ interfaces of both FW's are connected on one switch. Both WAN connections are termination on one router. Doing NATting on FW's. both FW's are pointing to same systems in DMZ   Natting tables seems like this 216.x.x. 20 ------ 10.10.10.2 216.x.x. 21 ------ 10.10.10.3   143.x.x. 20 ------ 10.10.10.2 143.x.x. 21 ------ 10.10.10.4   Default routes on Application server: default from 10.10.10.1 through FW-A     My Problem is like this:     When I try to reache 216.x.x.21 from network is reaches, BUT if I try to reache 143.x.x.21 then it wont. I presume that when request enter in 143.x.x.21 from FW-B(10.10.10.4 interface) and reply comes from DEFAULT route (which is FW-A, 10.10.10.3 interface)and that entry in not in FW-A so packet lost here.   If I try to reache any interface from any FW then it shows me everything ok because they are in closed loop.   How I can solve this problem.   Is there any way through I can instruct the system that if request comes from interface1 then reply should goes back from the same insted of picking up default route and primary inetrface gateway address.     Thanks.