[c-nsp] FWSM 3.1 and Servers with redundant cards
varaillon
j.varaillon at cosmoline.com
Wed Aug 29 08:55:52 EDT 2007
Hi,
For redundancy reasons, we have a server with two network cards.
Each card belongs to a subnet and each subnet to a different DMZ.
The server has two default routes with different metrics, where the preferred
default route is in the DMZ_1.
+--------+-card_1--192.168.1.1/24----DMZ_1--+--------+
| SERVER |                                  |  FWSM  |---OUTSIDE
+--------+-card_2--192.168.2.1/24----DMZ_2--+--------+
The problem is that when we telnet from the outside to the IP destination
192.168.2.1, the server replies using the IP source 192.168.1.1.
So the FWSM blocks, as it should, the SYN/ACK from the server:
%FWSM-6-302013:
Built inbound TCP connection 146242008855220280
for OUTSIDE:10.10.10.140/9244 (10.10.10.140/9244)
to DMZ_2:192.168.2.1/23 (192.168.2.1/23)
%FWSM-6-106015:
Deny TCP (no connection)
from 192.168.2.1/23 to 10.10.10.140/9244
flags SYN ACK on interface DMZ_1
Given that we have one FWSM (so no exchange of states), is there any way to
overcome that issue from the FWSM?
Would it help to bring each DMZ in its own context?
Any comment will be welcomed.
Thank you.
Christophe
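The two syslog messages quoted in the post are the fingerprint of asymmetric routing through a stateful firewall: a 302013 "Built inbound TCP connection" towards one interface, followed by a 106015 "Deny TCP (no connection)" for the matching SYN/ACK arriving on a different interface. The Python below is an added example, not code from the original post or from Cisco; it correlates the two message types and reports flows whose reply came back on an interface other than the one the connection was built towards. The message formats are taken from the post's two lines; the sample log is constructed (the post's messages joined onto one line each, plus a healthy connection and an unrelated deny for contrast).

```python
"""Correlate FWSM syslog to flag asymmetric-routing replies (added example)."""
import re
from dataclasses import dataclass

# Constructed sample log. Lines 1-2 are the post's messages on a single line
# each; line 3 is a normal connection to card_1; line 4 is a deny with no
# matching connection (not the symptom we are after).
SAMPLE_LOG = """\
%FWSM-6-302013: Built inbound TCP connection 146242008855220280 for OUTSIDE:10.10.10.140/9244 (10.10.10.140/9244) to DMZ_2:192.168.2.1/23 (192.168.2.1/23)
%FWSM-6-106015: Deny TCP (no connection) from 192.168.2.1/23 to 10.10.10.140/9244 flags SYN ACK on interface DMZ_1
%FWSM-6-302013: Built inbound TCP connection 146242008855220281 for OUTSIDE:10.10.10.140/9250 (10.10.10.140/9250) to DMZ_1:192.168.1.1/23 (192.168.1.1/23)
%FWSM-6-106015: Deny TCP (no connection) from 192.168.9.9/80 to 10.10.10.140/5555 flags SYN ACK on interface DMZ_1
"""

BUILT_RE = re.compile(
    r"%FWSM-6-302013:\s*Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+)\s+"
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+\([^)]*\)\s+"
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\s+\([^)]*\)"
)
DENY_RE = re.compile(
    r"%FWSM-6-106015:\s*Deny TCP \(no connection\)\s+"
    r"from (?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\s+"
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Finding:
    conn_id: str
    client: str    # outside host, "ip/port"
    server: str    # protected host the client connected to, "ip/port"
    built_if: str  # interface the connection was built towards
    reply_if: str  # interface the SYN/ACK actually arrived on


def parse_built(lines):
    """Map (server_ip, server_port, client_ip, client_port) -> (conn_id, server-side interface)."""
    table = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if not m:
            continue
        # For an inbound connection the "to" side is the protected server, so
        # its reply is expected to arrive on dst_if.
        key = (m["dst_ip"], m["dst_port"], m["src_ip"], m["src_port"])
        table[key] = (m["id"], m["dst_if"])
    return table


def find_asymmetric_replies(log_text):
    """Return Findings for SYN/ACK denies that belong to a known connection
    but arrived on a different interface than the one it was built towards."""
    lines = log_text.splitlines()
    built = parse_built(lines)
    findings = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        flags = m["flags"].split()
        if "SYN" not in flags or "ACK" not in flags:
            continue  # only the handshake reply is diagnostic here
        # The deny is logged from the server's point of view: src is the
        # server, dst is the outside client.
        key = (m["src_ip"], m["src_port"], m["dst_ip"], m["dst_port"])
        if key not in built:
            continue  # deny without a known connection: a different problem
        conn_id, built_if = built[key]
        if built_if != m["iface"]:
            findings.append(Finding(
                conn_id=conn_id,
                client=f"{m['dst_ip']}/{m['dst_port']}",
                server=f"{m['src_ip']}/{m['src_port']}",
                built_if=built_if,
                reply_if=m["iface"],
            ))
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(SAMPLE_LOG):
        print(f"conn {f.conn_id}: {f.client} -> {f.server} built on {f.built_if}, "
              f"SYN/ACK seen on {f.reply_if} (asymmetric routing)")
```

Each finding names the server address that answered from the wrong interface, which is the information needed to fix the host side (for example, policy routing so replies leave through the interface the request arrived on) rather than loosening the firewall's connection check.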