Shawn,
You are talking about two separate features of the IOS. TCP state information for a zone-based firewall, if needed for HA, is maintained by the HA firewall feature. So if you want to make sure that the router is maintaining TCP session information you need to configure it as a stateful firewall. A completely separate feature from HA NAT. Just as stateful IPsec is another separate feature.

According to the Feature Navigator, HA Firewall and HA IPsec are only supported on the 3800 and 1805 series ISR routers. I have had a TAC guy tell me that the Feature Navigator is incorrect and that all ISRs support it with the use of an AIM-VPN module, but I have been unable thus far to get it working.

So, there is the long-winded answer to your question.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H Mesiatowsky
Sent: Thursday, May 07, 2009 5:30 PM
To: [email protected]
Subject: [OSL | CCIE_Security] IOS NAT redundancy and zone based firewalls

Just a question, when using the high availability feature of an ASA, this synchronizes the state of a TCP connection. With the HA of IOS NAT, this only synchronizes the translation table. If a session is already in progress and your primary router dies, the connection would switch over to the backup router via dynamic routing (when not using HSRP). Does the zone-based firewall require an initial connection?

I don't think it does because the IOS firewall does not maintain a state table like the ASA does. So when a failure happens, and you have zone-based firewalls also configured, does this allow the previously created session (created on the now defunct primary router) to flow through the backup IOS firewall?
