Asymmetric Traffic Flow in a Firewall Environment

In Figure 17-2, two FWSMs (Firewall Services Modules) have been installed, one in each Catalyst 6500 chassis. The asymmetric traffic flow is from the 10.1.1.0 subnet to the host 11.1.1.100.

Figure 17-2 FWSM and Asymmetric Routing

Return Path of Packet 1

Based on the policy, the packet leaves the security domain.

When the return packet reaches FWSM 2, FWSM 2 checks its state information for the communication between the two security domains. FWSM 2 has no state information for this flow, so it does not allow the packet to pass.

The source of the flow is in the inside security domain, and the destination is in the outside security domain. Flow 1 depicts the path of the packet from source to destination. FWSM 1 creates a state (translation) entry as the packets traverse the firewall; the flow is from a higher security domain (inside) to a lower security domain (outside), so it is permitted. The host 11.1.1.100 receives the communication and transmits a reply back to the source 10.1.1.100 (in the 10.1.1.0 subnet). On the return path, R1 routes the packet to R3, whereas the packet should have been forwarded to R2 so that it would pass through FWSM 1, which holds the state for this flow. The packet flows from R3 to FWSM 2. FWSM 2 looks for a state translation entry for this flow and, because no such entry exists, drops the packet.

This example shows how asymmetric routing causes problems in a firewall environment when a flow crosses from one security domain to another and its return traffic takes a path through a different firewall than the one that created the state. The next section covers options to overcome asymmetric routing in a firewall environment.
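The following is an added example, not code from the chapter or from Cisco, that models the behaviour described above: two independent stateful firewalls, each with its own connection table, and a return packet that is permitted when it comes back through the module that created the state and dropped when it arrives at the other module. The addresses and the inside/outside domains come from the text; the port numbers, the numeric security levels (100 for inside, 0 for outside), and all class and function names are assumptions made for the illustration.

```python
"""Minimal model of stateful inspection under asymmetric routing.

Added example (not the chapter's or Cisco's code). Two FWSMs keep separate
state tables; a return packet is only permitted by the module that recorded
the original flow. Security levels 100/0 and the ports are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# 5-tuple connection key: (src_ip, src_port, dst_ip, dst_port, proto)
ConnKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self) -> ConnKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self) -> ConnKey:
        # Key of the flow that a reply to this packet would belong to.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class StatefulFirewall:
    """One FWSM: per-interface security levels plus a per-module state table."""

    def __init__(self, name: str, levels: Dict[str, int]) -> None:
        self.name = name
        self.levels = levels            # interface name -> security level (assumed)
        self.state: Set[ConnKey] = set()  # flows this module has seen and permitted

    @staticmethod
    def interface_of(ip: str) -> str:
        # Assumed topology from the text: 10.1.1.0/24 is inside, everything else outside.
        return "inside" if ip.startswith("10.1.1.") else "outside"

    def process(self, pkt: Packet) -> str:
        src_if = self.interface_of(pkt.src_ip)
        dst_if = self.interface_of(pkt.dst_ip)
        # Return traffic is permitted only if THIS module holds state for the flow.
        if pkt.reverse_key() in self.state:
            return "permit (matches existing state)"
        # A new flow from a higher to a lower security level is permitted and recorded.
        if self.levels[src_if] > self.levels[dst_if]:
            self.state.add(pkt.key())
            return "permit (new state created)"
        # Lower-to-higher with no state: the packet is dropped.
        return "drop (no state for flow)"


def simulate_asymmetric_flow() -> Dict[str, str]:
    """Replay Flow 1 and its return through FWSM 1 (symmetric) and FWSM 2 (asymmetric)."""
    levels = {"inside": 100, "outside": 0}  # assumed FWSM security levels
    fwsm1 = StatefulFirewall("FWSM 1", levels)
    fwsm2 = StatefulFirewall("FWSM 2", levels)

    # Constructed sample flow: 10.1.1.100 -> 11.1.1.100 (ports are assumed).
    forward = Packet("10.1.1.100", 40000, "11.1.1.100", 80)
    reply = Packet("11.1.1.100", 80, "10.1.1.100", 40000)

    results = {"forward_via_fwsm1": fwsm1.process(forward)}
    # Correct return path (R1 -> R2 -> FWSM 1): state exists on this module.
    results["return_via_fwsm1"] = fwsm1.process(reply)
    # Asymmetric return path (R1 -> R3 -> FWSM 2): no state on this module.
    results["return_via_fwsm2"] = fwsm2.process(reply)
    return results


if __name__ == "__main__":
    for step, verdict in simulate_asymmetric_flow().items():
        print(f"{step:20s} -> {verdict}")
```

The model makes the failure mode visible in one run: the same reply packet is permitted by FWSM 1 and dropped by FWSM 2 purely because the state table is local to each module, which is exactly why the routing decision at R1 matters to the firewall.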
