Dennis,
If you are homed to two different ISPs you should run BGP to accomplish load
balancing and redundancy. The diagram would look like this:
     Internet                    Internet
        |                           |
        |                           |
      ISP1                        ISP2
        |                           |
        |                           |
    CSU/DSU1                    CSU/DSU2   (This may also be integrated into the T1 card in some routers.)
        |                           |
        |                           |
        +-------------+-------------+
                      |
              BGP Edge Router   (Filtering ACLs for Spoofing, Source Routing, RFC 1918 addresses,
                      |          and NO IP Directed Broadcast, ie Cisco 72xx)
                      |
    FW1/FW2-----------+----------+---------+   DMZ (Redundant PIX firewalls with Fail over cable and
        |             |          |         |        Stateful fail over enabled) or (Nokia FW1 cluster)
        |             |          |         |
        |            WWW        DNS       SMTP
        |
        |
    |----------------------------------------------------------------------------|
                                 Internal Network
In the above diagram you are homed to dual ISPs for upstream redundancy.
While both providers are active, BGP will allow you to share the bandwidth as
well as allow for route pruning should one of your ISPs go down. I am not an
expert on BGP (nor have I set it up myself yet) but I have seen many others'
configs and feel the benefits would far outweigh the hassle of setting it up
in your case. In this configuration you can use either private addresses in
your DMZ and NAT from the inside into the DMZ and then use
statics/conduits (PIX) or rules (FW1) to allow traffic from the outside. This
requires two NAT pools of private addresses, and one with the routable
external addresses. If you are using PIXen the second unit waits in standby
until a failure of the primary unit. For the Nokias I think they will run
simultaneously and perform load balancing between the devices. If you are
running two T1s a PIX 520 with a memory upgrade should easily handle the
traffic. If you are using PIX the "Active" address is your default gateway.
If you are running the Nokias I believe they run VRRP (very similar to
Cisco's HSRP) to create your default gateway address and then handle fail
over and load balancing behind the scenes. I have not had as much experience
with the Nokias but for an installation such as this I feel either platform
would perform adequately well. HTH.
Ken Claussen
[EMAIL PROTECTED]
"The Mind is a terrible thing to Waste!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Dai
Sent: Sunday, February 25, 2001 1:35 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Dual firewall question (revisited, long)
Sorry for the lengthy message and cross-posting to ipfilter list. Please
bear with me :-)
OK, let me re-phrase my situation in more details...
Consider the following (I omit routers in between):
     Internet              Internet
        |                     |
        |                     |
      ISP1                  ISP2
        |                     |
        |                     |
       FW1                   FW2
        |                     |
        |                     |
    ----+------+------+-------+------+----
               |      |              |
               |      |              |
              WWW    DNS            SMTP
Let's assume:
  C      Client's IP address
  FW1-E  FW1's external IP address
  FW1-I  FW1's internal IP address (private)
  FW2-E  FW2's external IP address
  FW2-I  FW2's internal IP address (private)
  W      Web server's IP address (private)
Both FWs are using ipfilter with rdr rules.
WWW's default GW is set to FW1-I.
Let's look at the traditional way (without ISP2 and FW2):
1. When the client sends a request to the web server, it goes like C ->
FW1-E
2. When the packet hits FW1, FW1 does rdr, then after the firewall the
packet becomes C -> W.
3. Then the web server sends back a reply, it goes like W -> C.
4. Because there's no specific route to C, the packet goes to the
default GW which is FW1-I.
5. When FW1 gets the packet, it checks against its nat table and realizes
that this is the result of a previous connection from C, then FW1
rewrites the packet header so it becomes FW1-E -> C when the packet
leaves FW1.
Now, I want to add a redundant link to the Internet (ISP2 and FW2). So I
advertise www.mycompany.com as FW1-E and FW2-E in a round robin manner
in my DNS so half of the client will hit FW2-E when they send the
request to www.mycompany.com. Here is what happens when someone hits
FW2-E:
1. C -> FW2-E
2. FW2 does rdr => C -> W
3. W -> C
4. it goes to FW1 because that is the default GW
5. *FW1 rewrites the packet to FW1-E -> C
6. C is confused: I sent C -> FW2-E, so why do I get FW1-E -> C ???
[*] I'm not sure whether FW1 will rewrite the packet because it didn't
see SYN, FW2 saw it. NAT implies state, right?
OK, we can add more than one default route on the web server, but they
must be of different metrics and they are tried from low to high (am I
right on this?). So as long as both our FWs are up, the packet will go
to the lowest metric, which is FW1-I.
The solution suggested by Ben Nagy is to add another NAT to FW2 to
rewrite C's source IP as well. Assuming we add the other NAT box _after_
FW2 (I couldn't add it in front of FW2, it didn't work out):
Internet--FW2--NAT--WWW
Assume:
NAT-F NAT box's FW2 side IP
NAT-I NAT box's WWW side IP
on FW2, I do "route add WWW NAT-F"
on NAT, I do "route add default FW2-I"
So the whole thing becomes:
1. C -> FW2-E
2. FW2 does rdr: C -> W then passes the packet to the NAT box
3. NAT box does NAT: C -> W becomes NAT-I -> W
4. W -> NAT-I
5. because WWW knows where NAT-I is, the packet gets back to NAT
6. NAT translates back: W -> C
7. FW2 translates back: FW2-E -> C
So in theory, this should work, though I've never tried it in the real
world. The problem with this setup is that we have to add another NAT
box in between, which adds complexity and one more point of failure. And
the NAT box is only doing one thing - address rewriting, which is a
waste of resources.
What I'd like to see is whether we can combine FW2 and NAT:
1. C -> FW2-E
2. FW2 does rdr *and map*: C -> FW2-E becomes FW2-I -> W
3. W -> FW2-I
4. FW2 rewrites back: W -> FW2-I becomes FW2-E -> C
Note that step 2 above is not bimap. I think Darren introduced new
syntax in 3.4.x to allow:
rdr ifX from ip1/m1 to ip2/m2 port = xx -> ip3 port xx
If it can be written as:
rdr ifX from ip1/m1 to ip2/m2 port = xx -> from ip3/m3 to ip4/m4 port xx
that would be great!!! But that is not supported, is it???
Why do we want to do this? Because we need a redundant link to the Internet
and don't have the budget to go with BGP peering.
Sorry again for the long message, hope you guys have the patience to
read through the whole thing.
TIA,
Dennis
PS. Mouss suggested to use an ALG. But we are kind of reluctant to go
this way because:
1. We have to open up ports on the firewall.
2. For socks proxy you need socksified client, right? For web cache
proxy like squid it should be OK for web access but what about other
services like DNS and SMTP?
----- Original Message -----
From: "Dennis Dai" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 5:27 PM
Subject: Dual firewall question (revisited)
> Last October there was a thread talking about dual firewall
> configuration:
>
> http://www.geocrawler.com/mail/thread.php3?subject=Dual+firewall+question&list=90
>
> (link may be wrapped)
>
> The question was how you are going to serve web pages when you have 2
> ISPs and thus 2 firewalls (web server is behind the 2 firewalls). So
> far, the solutions are:
>
> 1. use ALG on firewall (from mouss)
> 2. put another NAT box in front of the firewall to translate the source
> IP from the client (from Ben)
>
> My questions are:
>
> - For the first solution, will the ALG break SSL server and client
> authentication (via server and client certs)? If not, what ALG is
> suitable for this kind of task? SOCKS4/5, FWTK come into mind.
>
> - For the second solution, is it possible to combine the NAT and
> firewall box into one (assuming I'm going to use ipfilter in both
> boxes)? My analysis is not likely (without some serious hacking into the
> code, which I'm not really good at). :-(
>
>
> Thanks in advance for any input.
>
> Dennis
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
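The asymmetric-return problem Dennis walks through above, modelled as an added example (this is not code from the thread, nor ipfilter's own logic): a small Python simulation of two stateful NAT boxes and a web server whose default gateway is FW1-I. It runs the same request twice: once with FW2 doing rdr only (the broken case, where the reply leaves via FW1) and once with FW2 doing the "rdr and map" rewrite Dennis asks for (the reply is addressed to FW2-I, so it returns through the box that holds the state). The addresses are constructed sample values from documentation ranges, and the model assumes stateful NAT, so a box that never saw the opening packet drops the reply rather than rewriting it (the point Dennis flags with [*]); either way the client never sees a FW2-E -> C reply without the source rewrite.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed sample addresses standing in for the names used in the thread:
# C, FW1-E/FW1-I, FW2-E/FW2-I and W. The DMZ is the web server's local subnet.
C = "198.51.100.7"
FW1_E, FW1_I = "203.0.113.1", "10.0.0.1"
FW2_E, FW2_I = "192.0.2.1", "10.0.0.2"
W = "10.0.0.10"
DMZ = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Stateful NAT box (an abstraction, not ipfilter itself).

    inbound(): 'rdr' rewrites the destination of a packet for the public
    address; with map_src=True it also rewrites the source to the box's
    internal address (the combined 'rdr and map' from the thread).
    outbound(): undoes the translation only if this box created the state.
    """

    def __init__(self, ext_ip, int_ip, rdr_to, map_src=False):
        self.ext_ip, self.int_ip = ext_ip, int_ip
        self.rdr_to, self.map_src = rdr_to, map_src
        # (inside_src, sport, server, dport) -> (original client, client sport)
        self.state = {}

    def inbound(self, pkt):
        """Client -> public address: create state, redirect to the server."""
        if pkt.dst != self.ext_ip:
            return None                      # not addressed to us: dropped
        inside_src = self.int_ip if self.map_src else pkt.src
        key = (inside_src, pkt.sport, self.rdr_to, pkt.dport)
        self.state[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=inside_src, dst=self.rdr_to)

    def outbound(self, pkt):
        """Server -> client reply: translate back if state matches, else drop."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.state:
            return None                      # this box never saw the SYN
        client, client_sport = self.state[key]
        return Packet(src=self.ext_ip, dst=client, sport=pkt.sport, dport=client_sport)


def server_reply(request, fw1, fw2):
    """The web server swaps addresses and forwards by its routing table:
    hosts on the DMZ subnet are reached directly, everything else goes to
    the default gateway FW1-I, exactly as in Dennis's setup."""
    reply = Packet(src=request.dst, dst=request.src,
                   sport=request.dport, dport=request.sport)
    if ipaddress.ip_address(reply.dst) in DMZ and reply.dst == FW2_I:
        next_hop = fw2                       # directly reachable neighbour
    else:
        next_hop = fw1                       # default route
    return next_hop.outbound(reply)


def simulate(map_src):
    """One request that DNS round-robin sent to FW2-E. Returns the packet the
    client finally receives, or None if it was dropped on the way back."""
    fw1 = Firewall(FW1_E, FW1_I, rdr_to=W)
    fw2 = Firewall(FW2_E, FW2_I, rdr_to=W, map_src=map_src)
    request = Packet(src=C, dst=FW2_E, sport=40000, dport=80)
    inside = fw2.inbound(request)            # step 2 of Dennis's walkthrough
    return server_reply(inside, fw1, fw2)    # steps 3 and 4


if __name__ == "__main__":
    print("rdr only  :", simulate(map_src=False))   # None: FW1 has no state
    print("rdr + map :", simulate(map_src=True))    # FW2-E -> C, as wanted
```

The model also shows why the extra NAT box in Dennis's interim design works: what matters is that the reply is addressed to something on FW2's side of the server, so the server's default route toward FW1 is never consulted. Whether a given ipfilter release can express that rewrite in a single rdr rule is the open question in the thread; the simulation only shows what the translation must do.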