I could not find any documents on stateful zone based firewalls. I have even read the digital shortcut for ZBF. That was actually my point. If there is no stateful firewall, but there is HA NAT, this would be pretty useless, as the majority of times you have NAT, you also need a firewall. I know there would be some circumstances where you would only need NAT, but this would not be the case the majority of the time. Do you have any examples, or links for documents for stateful ZBF? Thanks for your help.
And since you mentioned it, is HA IPSEC tested? IPSEC with HSRP is pretty straightforward. I was just worried about stateful VPN.

From: Tyson Scott [mailto:[email protected]]
Sent: Thursday, May 07, 2009 8:38 PM
To: 'Shawn H Mesiatowsky'; [email protected]
Subject: RE: [OSL | CCIE_Security] IOS NAT redundancy and zone based firewalls

Shawn,

You are talking about two separate features of the IOS. TCP state information for a zone based firewall, if needed for HA, is maintained by the HA firewall feature. So if you want to make sure that the router is maintaining TCP session information you need to configure it as a stateful firewall. A completely separate feature from HA NAT. Just as stateful IPsec is another separate feature.

According to the feature navigator HA Firewall and HA IPsec are only supported on the 3800 and 1805 series ISR routers. I have had a TAC guy tell me that the feature navigator is incorrect and that all ISRs support it with the use of an AIM-VPN module, but I have been unable thus far to get it working.

So, there is the long winded answer to your question.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H Mesiatowsky
Sent: Thursday, May 07, 2009 5:30 PM
To: [email protected]
Subject: [OSL | CCIE_Security] IOS NAT redundancy and zone based firewalls

Just a question, when using the high availability feature of an ASA, this synchronizes the state of a TCP connection.
With the HA of IOS NAT, this only synchronizes the translation table. If a session is already in progress, and your primary router dies, the connection would switch over to the backup router via dynamic routing (when not using HSRP). Does the zone based firewall require an initial connection? I don't think it does, because the IOS firewall does not maintain a state table like the ASA does. So when a failure happens, and you have zone based firewalls also configured, does this allow the previously created session (created on the now defunct primary router) to flow through the backup IOS firewall?
