There are a few ways around this issue:
1) Find out if your router/firewall vendor has high availability built
in, or is available as an add-on - this will synchronize your state tables
between multiple firewalls (Checkpoint FW-1 (unix only) has this, as do
others).
2) Add either router(s) or WAN switch(es) in front of your firewalls to
handle the communication with the ISPs.
3) Add an interface to each firewall/router that connects to the other.
Adjust your routing so that FW A traffic has two routes to the
Internet - one through ISP A (preferred) and one through FW B.
Do the reverse for FW B.
Write a rule at the top of your ruleset to automatically forward all
packets destined for the other unit without any checking or translation.
You may also want to look at BGP (which was designed for multi-homed
connections to the Internet) to solve your routing issues.
Just my two cents...
Brian.
--
Brian Bruce
Technical Architect
IGW
email: [EMAIL PROTECTED]
Phone: +599 9 737 4788
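To make the failure concrete, here is an added Python model (not code from the thread or from any poster) of Greg's steps A-E below: a host whose NAT rule was copied unchanged to FW B exits via FW B, but the reply is routed to FW A, which holds no state for the flow. The same model shows the two remedies discussed, synchronized state tables (option 1 above) and a separate NAT address per firewall (Mark's option 3). The hosts, addresses and the HA sync hook are constructed assumptions.

```python
# Toy model of the two-ISP / two-firewall NAT problem discussed in the thread.
# Addresses are constructed (RFC 5737 documentation ranges), not the posters'.
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Firewall:
    def __init__(self, name, public_prefix, nat):
        self.name = name
        self.public_prefix = public_prefix  # block the ISP routes to this unit
        self.nat = nat                      # internal host -> translated address
        self.state = set()                  # flows seen leaving this unit
        self.peer = None                    # HA peer that receives state copies

    def outbound(self, pkt):
        out = Packet(self.nat[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        key = (out.src, out.sport, out.dst, out.dport)
        self.state.add(key)
        if self.peer is not None:           # option 1: synchronized state tables
            self.peer.state.add(key)
        return out

    def inbound(self, pkt):
        # a reply is accepted only if this unit holds state for the original flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state

def run(exit_fw, firewalls, host="10.0.0.5", server="192.0.2.80"):
    req = exit_fw.outbound(Packet(host, server, 40000, 80))
    rep = Packet(req.dst, req.src, req.dport, req.sport)
    # the Internet hands the reply to whichever ISP/firewall owns rep.dst
    back = next(fw for fw in firewalls if rep.dst.startswith(fw.public_prefix))
    return back.name, back.inbound(rep)

def scenario(fw_b_translates_to, sync=False):
    # FW A's ISP block is 198.51.100.0/24, FW B's is 203.0.113.0/24; HOST A
    # exits via FW B after FW A's ISP link fails (Greg's steps C and D)
    fw_a = Firewall("FW A", "198.51.100.", {"10.0.0.5": "198.51.100.10"})
    fw_b = Firewall("FW B", "203.0.113.", {"10.0.0.5": fw_b_translates_to})
    if sync:
        fw_a.peer, fw_b.peer = fw_b, fw_a
    return run(fw_b, [fw_a, fw_b])

if __name__ == "__main__":
    print(scenario("198.51.100.10"))             # copied rule: ('FW A', False)
    print(scenario("198.51.100.10", sync=True))  # with HA state sync: ('FW A', True)
    print(scenario("203.0.113.10"))              # separate NAT per FW: ('FW B', True)
```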
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 16, 2000 1:41 PM
To: [EMAIL PROTECTED]
Subject: Fwd:Re[2]: 2 ISP's and 2 Firewall's, effect on NAT
Mark,
>>> Does the other site have direct connectivity to the site where the 'old'
ISP link is?
Yes it does. They are in their own routing domain at the moment. It's all
Cisco IGRP/EIGRP, but their own domain nonetheless.
>>> 1) Change the routing table on the links between sites - they should
only carry traffic destined for the other site.
We are doing this. Since they are in their own routing domain we do static
routes between the sites for any necessary cross-site traffic. In particular
we want to have our router management guys be able to access the border
router that is on the external side of the second FW. This is what brought up
my question about how I NAT these router guys so that they can manage the
router. It would seem they would NAT to an address that is valid and
reachable through my first FW (that's how the NAT rules are at the moment)
but they would exit the network through my new FW (because that's where our
static route sent them). The return packets would try to come back into my
network through my first FW. However, since they exited via the other FW no
state would be available and it would drop them. Is this making sense?
>>> 2) Make sure that the default gateway for machines at each site are the
routers for that site's ISP link.
Understood. However, it was pitched to us that we could use the second ISP
link for a fallback in case of a failure of one of the two sites. We believe
this is possible by simply changing the default gateway at the site whose ISP
link or firewall failed. I've been told by the router guys that this is
possible and it "should" work just fine. Which brought to my mind the
question about NATing.
>>> 3) Set up separate NAT rules for each firewall. We've got two side by
side, and are using a lot of hiding translation. We're actually using two
separate rulebases, which is a pain to keep synchronized, but it works
beautifully.
We do hiding mostly. However we do have some hosts that we do static for
inbound connections. This combined with our desire to be able to fall back to
the other link if one fails brings up the sticky issue of NAT.
A. Assume HOST A has a static NAT rule defined on FW A.
B. I install that same NAT rule on FW B.
C. I have a failure on the ISP link connecting FW A to the Internet.
D. We change our routing to allow traffic that used to exit via FW A to flow
out through FW B.
E. The NAT rule translates HOST A into an address that is only reachable
back through FW A, which is down.
Now what do I do? I'm thinking I have to manually define NAT rules for every
host on every FW. Is that correct? HOST A would get a static address on FW A
that is valid on FW A, and get another, different address on FW B that is
valid on FW B. True?
I'm thinking of doing separate rulebases as well. But the question is can
you have a separate NAT base. I don't think you can, so if I've got to manage
a single nasty NAT base I might as well keep the rulebases combined as well.
Oh yeah, we have a single management station. You might have two, which
would make this a non-issue for you.
Hope to hear from you,
______________________________________________________________
Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [EMAIL PROTECTED]
Voice: (713) 235-6018
Fax: (713) 235-6890
____________________Reply Separator____________________
Subject: Re: 2 ISP's and 2 Firewall's, effect on NAT
Author: [EMAIL PROTECTED]
Date: 3/15/00 4:06 PM
--On Wednesday, March 15, 2000, 2:54 PM -0600 [EMAIL PROTECTED] wrote:
> We will soon have another ISP connection to the Internet. Behind this new
> ISP we will have another firewall. Both the new ISP link and FW will be
> located in another site. Our new ISP connection has its own IP
> address range which is of course different from that on our existing ISP.
>
> We have invalid addresses internally. I'm hiding our invalid addresses
> behind an unused valid address (our hiding address). With one firewall
> it's pretty simple and the automatic NAT rules work fine. I was wondering
> what I need to do to get the NAT rules set up for the second FW.
>
> If I leave the existing NAT rules in place and install them on all
> gateways wouldn't I be creating a circular traffic pattern for packets
> that leave our network via the second firewall? It would seem that they
> would get NAT'd to the other firewall's hiding address. The packets would
> leave via FW B and return via FW A. I don't think it will work because FW
> A wouldn't have state info. to allow the return packets. What do I do?
>
> I'm new to firewalling and this seems a complicated topic so excuse me if
> this makes little sense.
Does the other site have direct connectivity to the site where the 'old'
ISP link is? If so, you need to do a few things to make sure that you don't
break things.
1) Change the routing table on the links between sites - they should only
carry traffic destined for the other site.
2) Make sure that the default gateway for machines at each site are the
routers for that site's ISP link.
3) Set up separate NAT rules for each firewall. We've got two side by side,
and are using a lot of hiding translation. We're actually using two
separate rulebases, which is a pain to keep synchronized, but it works
beautifully.
Please let me know if I've raised more questions.
-Mark
--
Mark Halsall [EMAIL PROTECTED]
Internet Specialist, Hamilton/Clermont Cooperative Association
(513) 931-7120, x20
Personal email should go to <mailto:[EMAIL PROTECTED]>.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]