We look after a GB-1000 (actually an HA pair) with two external interfaces and two separate leased lines to two separate ISPs.

The external interfaces are on subnets A.A.A.0/24 and B.B.B.0/28. There are servers published on addresses, for example, A.A.A.1, A.A.A.2 and B.B.B.1, B.B.B.2. In general, the servers on subnet A replicate those on subnet B, but there are some which are not replicated. External users may choose servers on either subnet. This provides an informal degree of load balancing in respect of incoming traffic.

So, for example, a request for server A.A.A.1 is routed via ISP A, arrives at the A.A.A.1 alias on the firewall and is passed to the internal server. The reply to this request comes back to the firewall and is directed to the firewall's default gateway. The packet has source address A.A.A.1. If the firewall's default gateway is set to point to the ISP on the B.B.B.0 subnet, the traffic actually returns to the user via ISP B. If one leased line is out of action the other is used as the default. In this way all the services can be maintained by one leased line.

We now find that ISP B is rejecting packets that come from any address other than those on its own B.B.B.0/28 subnet. This is as a result of a Cisco security advisory; to quote: "We modified our ACLs due to the Cisco Advisory recently sent out and within that applied a recommended outbound ACL in which we only permit traffic out to the internet from our allocated RIPE assigned ip space. Any traffic not coming from our RIPE allocated ip space will not be allowed."

Is there any way to configure the GB-1000 so that all packets leaving an external interface carry the source address of that interface, rather than any other external interface?

Graham

Archive: http://www.mail-archive.com/[EMAIL PROTECTED]
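The routing behaviour the post describes, modelled as an added Python example (not GNAT Box configuration or anything from the original thread): the current default-gateway egress beside the source-based egress being asked for, each checked against the kind of anti-spoofing outbound ACL the ISP quotes. The address blocks are constructed stand-ins for the post's A.A.A.0/24 and B.B.B.0/28.

```python
"""Model of the dual-ISP egress problem in the post (added example).

Constructed stand-ins: the post's A.A.A.0/24 and B.B.B.0/28 are replaced by
the documentation ranges 192.0.2.0/24 and 198.51.100.0/28.
"""
from ipaddress import ip_address, ip_network

# Each external link and the address block the ISP has allocated to us on it.
LINKS = {
    "ISP_A": ip_network("192.0.2.0/24"),
    "ISP_B": ip_network("198.51.100.0/28"),
}

def isp_egress_acl_permits(isp: str, src: str) -> bool:
    """The outbound ACL quoted in the post: an ISP forwards only packets whose
    source address lies in the space it allocated to the customer."""
    return ip_address(src) in LINKS[isp]

def default_gateway_egress(src: str, up: set, default_isp: str) -> str:
    """Current behaviour: every reply follows the one default gateway, whatever
    its source address; if that line is down, the other one becomes default."""
    if default_isp in up:
        return default_isp
    alive = [isp for isp in LINKS if isp in up]
    if not alive:
        raise RuntimeError("no leased line is up")
    return alive[0]

def source_based_egress(src: str, up: set, default_isp: str) -> str:
    """Wanted behaviour: send a packet out of the link whose allocated block
    contains its source address; fall back to the default gateway only if
    that link is down."""
    for isp, block in LINKS.items():
        if ip_address(src) in block and isp in up:
            return isp
    return default_gateway_egress(src, up, default_isp)

def reply_delivered(src: str, up: set, default_isp: str, policy) -> bool:
    """True if a reply sourced from `src` leaves on a link whose ISP ACL
    accepts it; False means the ISP drops it before it reaches the user."""
    return isp_egress_acl_permits(policy(src, up, default_isp), src)

if __name__ == "__main__":
    both = {"ISP_A", "ISP_B"}
    for policy in (default_gateway_egress, source_based_egress):
        ok = reply_delivered("192.0.2.1", both, "ISP_B", policy)
        print(f"{policy.__name__}: reply from 192.0.2.1 delivered = {ok}")
```

The failover case is the caveat worth checking in the model: per-interface source routing fixes the normal path, but while ISP B filters on its own allocation, replies sourced from A's addresses cannot be carried over ISP B at all, so the single-line failover the post relies on no longer covers subnet A.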
