[c-nsp] Cisco IOS firewall and Juniper WAN Optimization

Rick Martin rick.martin at arkansas.gov
Wed Oct 1 10:44:02 EDT 2008 

 

 Has anybody been successful in implementing Juniper WXC in an all Cisco
environment utilizing IOS firewall at the remote site? We are in the
evaluation process of various wan optimization appliances, have run
Cisco's WAAS but did not really have success with them, we will give
them another shot based on what we have learned with the Juniper.

 

 The Juniper WXC will create a GRE tunnel from core appliance to remote
appliance and send traffic that meets the optimization criteria down
that tunnel, some of the non interesting traffic arrives at the campus
router naturally - that is - not via the tunnel on the T1 interface
(Serial 1/0.1) . This effectively breaks the IOS firewall since some of
the traffic originating beyond the core destined to the demo site LAN
range is sent down the tunnel. Easy fix for that seems to be apply
firewall ACL to the interface the Juniper WXC is connected to...if it
were that simple I would not be logging this post J

 

 We currently have the Juniper WXC on  Ethernet 0/0.11 with the campus
LAN on E0/0.10. We have tried both WCCP and PBR to direct traffic to the
WXC. We have tested configuration of the IOS firewall IP Inspect
statement on both the 0/0.11 and 0/0.10 interfaces. We have tried our
outside ACL (inbound) on both the serial interface and the 0/0.11
interface. 

 

 We have no trouble getting the optimization to function with either PBR
or WCCP to redirect traffic from LAN interface to WXC, but we have not
yet found the correct combination of IP Inspect and ACL application to
keep the LAN protected from the outside. The main problem appears to be
with the stateful nature of the firewall (IP Inspect). It appears that
the dynamic ACL is applied to either the Serial (WAN) interface or the
WXC (0/0.11) interface but not both. If a flow originates on the LAN the
IP inspect appears to open traffic on the serial interface, when it
shows up on the WXC interface the ACL blocks it - if the ACL is not on
applied the WXC interface the traffic flows as expected - but the LAN is
unprotected. 

 

 Installing the WXC in line is not an option as all traffic would then
bypass the IOS firewall rules. We also have an issue with NAT in this
configuration. 

 

 Any ideas or suggestions would be greatly appreciated. Juniper seems to
be stumped. 

 

Thanks

Rick Martin

Network Engineer

State of Arkansas, Department of Information Systems

More information about the cisco-nsp mailing list