[c-nsp] Cisco IOS firewall and Juniper WAN Optimization

Brian Stiff (bstiff) bstiff at cisco.com
Wed Oct 1 17:36:58 EDT 2008 

Hi Rick-

I reviewed enough of your mail to see that you understand the issues
with interoperability between the WXC and IOS Firewall.  There is a
(somewhat) similar issue with interoperability between Cisco WAAS and
IOS FW, but there's fix in the Zone Firewall (specific releases; I can
provide details if necessary) for WAAS interop with IOS FW.

Long story short, there's nothing you can do to make this work if you
inspect the traffic that gets handled by the WAN optimizer.  Your
observation is correct that the issue's basis is in the firewall's
expectations for state behavior.  There's no way to circumvent the IOS
Firewall state machine (without disabling IOS Firewall); thus, there's
no workaround.  There is no plan for a functional change to address this
issue, but the notion sounds intriguing.  

Regards,
Brian

Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw

Date: Wed, 1 Oct 2008 09:44:02 -0500
From: "Rick Martin" <rick.martin at arkansas.gov>
Subject: [c-nsp] Cisco IOS firewall and Juniper WAN Optimization
To: <cisco-nsp at puck.nether.net>
Message-ID:
	<BADE6198EE4757408B3B970CCF6552551DBB2AD1 at EVS01.sas.arkgov.net>
Content-Type: text/plain;	charset="us-ascii"

 

 Has anybody been successful in implementing Juniper WXC in an all Cisco
environment utilizing IOS firewall at the remote site? We are in the
evaluation process of various wan optimization appliances, have run
Cisco's WAAS but did not really have success with them, we will give
them another shot based on what we have learned with the Juniper.

 

 The Juniper WXC will create a GRE tunnel from core appliance to remote
appliance and send traffic that meets the optimization criteria down
that tunnel, some of the non interesting traffic arrives at the campus
router naturally - that is - not via the tunnel on the T1 interface
(Serial 1/0.1) . This effectively breaks the IOS firewall since some of
the traffic originating beyond the core destined to the demo site LAN
range is sent down the tunnel. Easy fix for that seems to be apply
firewall ACL to the interface the Juniper WXC is connected to...if it
were that simple I would not be logging this post J

 

 We currently have the Juniper WXC on  Ethernet 0/0.11 with the campus
LAN on E0/0.10. We have tried both WCCP and PBR to direct traffic to the
WXC. We have tested configuration of the IOS firewall IP Inspect
statement on both the 0/0.11 and 0/0.10 interfaces. We have tried our
outside ACL (inbound) on both the serial interface and the 0/0.11
interface. 

 

 We have no trouble getting the optimization to function with either PBR
or WCCP to redirect traffic from LAN interface to WXC, but we have not
yet found the correct combination of IP Inspect and ACL application to
keep the LAN protected from the outside. The main problem appears to be
with the stateful nature of the firewall (IP Inspect). It appears that
the dynamic ACL is applied to either the Serial (WAN) interface or the
WXC (0/0.11) interface but not both. If a flow originates on the LAN the
IP inspect appears to open traffic on the serial interface, when it
shows up on the WXC interface the ACL blocks it - if the ACL is not on
applied the WXC interface the traffic flows as expected - but the LAN is
unprotected. 

 

 Installing the WXC in line is not an option as all traffic would then
bypass the IOS firewall rules. We also have an issue with NAT in this
configuration. 

 

 Any ideas or suggestions would be greatly appreciated. Juniper seems to
be stumped. 

 

Thanks

Rick Martin

Network Engineer

State of Arkansas, Department of Information Systems

More information about the cisco-nsp mailing list