Are these firewalls standalone or clustered? That will make a huge
difference. I'm assuming they are clustered since you are using a HA
link. FYI, the HA links on netscreens do not forward user data, they
only forward heartbeats, state information and runtime objects. In other
words, the HA link isn't a redundant data path.
If your firewalls are in fact clustered, you won't have an asymmetric
routing problem.
Chris Schock
CDHS Telecommunications Network Group
chris.schock@xxxxxxxxxxx
>>> "Sam Fok" 11/08/06 9:45 AM >>>
Dear all,
About the forwarding topology:
Router A                                       Router B
    |                                              |
    |                                              |
    |                                              |
External Switch 1 ---------------------- External Switch 2
    |                                              |
    |                                              |
    |                                              |
Firewall 1 -------------- ha -------------------- Firewall 2
    |                                              |
    |                                              |
    |                                              |
Internal Switch 1 ---------------------- Internal Switch 2
    |                                              |
    |                                              |
    |                                              |
Core Switch 1 ---------------------------- Core Switch 2
The firewalls are Netscreen 204.
When a packet enters from Router A to Ext. Switch 1 to Firewall 1 to
Int. Sw1 to C. Switch 1, then to a host behind the Core Switch.
If the host's default gateway is pointing to C. Switch 2, then the return
path would be:
'C. Sw2 to Int. Sw2 to Firewall 2 to Ext. Sw2 to Router 2'.
However, the firewall is stateful, so it would drop the packet in
Firewall 2 as there is no entry in the state table, right?
My question is, would Firewall 2 forward the packet back to Firewall 1
through 'Ext. Switch' or 'Int. Switch' for symmetric operation?
I know that if there is a dual HA link between the firewalls, the packet
can be forwarded back, but what about if there is no 2nd HA link?
thanks.
Br,
Sam
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=115450&t=115448
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
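To make the point of the exchange concrete, here is a small added simulation (not code from the thread, the list, or Juniper/NetScreen) of the topology Sam describes: a TCP flow enters through Firewall 1 and its reply leaves through Firewall 2. Each firewall keeps a session table keyed on the 5-tuple. In the clustered case the model mirrors what Chris describes for the HA link, which carries session/runtime-object state but never user data, so Firewall 2 learns the session and permits the reply without any packet crossing the HA link; in the standalone case Firewall 2 has no entry and drops it. Addresses, ports, the single allow-policy entry, and all class and function names are constructed for the example.

```python
"""Toy model of stateful firewalls with and without HA session sync.

Added example, not from the original thread. It illustrates why the reply
path in Sam's diagram only works when the two firewalls are clustered and
sync session state over the HA link. The HA link here carries session
entries only, never forwarded packets, matching Chris's description.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the first packet of a TCP flow

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # The 5-tuple a reply to this packet's flow would carry.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Firewall:
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy      # set of (dst, dport) allowed to open a session
        self.sessions = set()     # state table keyed on the forward 5-tuple
        self.peer = None          # cluster peer reached via the HA link, if any
        self.log = []

    def receive_ha_sync(self, key):
        """Session entry learned from the peer over the HA link (no user data)."""
        self.sessions.add(key)

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        k = pkt.key()
        # Packets belonging to an existing session (either direction) pass.
        if k in self.sessions or pkt.reverse_key() in self.sessions:
            self.log.append(f"{self.name}: permit, session match {k}")
            return True
        # Only a flow-opening packet matching policy creates a session.
        if pkt.syn and (pkt.dst, pkt.dport) in self.policy:
            self.sessions.add(k)
            if self.peer is not None:
                self.peer.receive_ha_sync(k)  # runtime-object sync to the peer
            self.log.append(f"{self.name}: permit, new session {k}")
            return True
        self.log.append(f"{self.name}: drop, no session {k}")
        return False


def simulate(clustered):
    """Run Sam's scenario; returns (request forwarded, reply forwarded)."""
    policy = {("10.0.0.10", 80)}  # constructed: one web server behind the core
    fw1 = Firewall("Firewall 1", policy)
    fw2 = Firewall("Firewall 2", policy)
    if clustered:
        fw1.peer, fw2.peer = fw2, fw1

    request = Packet("203.0.113.5", 40000, "10.0.0.10", 80, syn=True)
    reply = Packet("10.0.0.10", 80, "203.0.113.5", 40000)

    inbound = fw1.forward(request)   # Router A -> Ext Sw1 -> Firewall 1
    outbound = fw2.forward(reply)    # C. Sw2 -> Int Sw2 -> Firewall 2
    return inbound, outbound


if __name__ == "__main__":
    for clustered in (False, True):
        print("clustered" if clustered else "standalone", simulate(clustered))
```

Running it prints `standalone (True, False)` and `clustered (True, True)`: the standalone pair forwards the request but Firewall 2 drops the reply for lack of a session, while the clustered pair forwards both because the session created on Firewall 1 was synced to Firewall 2 before the reply arrived. The model deliberately has no path that hairpins the reply back through Firewall 1, since a NetScreen HA link does not carry user traffic.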