Using Firewall Enterprise to connect LANs


I am attempting to use two Firewall Enterprise appliances as routers to connect two nearly identical networks, with identical subnets.  These networks are not connected to the internet and normally would not be connected at all, but I have need to pass traffic between a server on one LAN and a server on the other.   What I am attempting to do is roughly summarized in the following diagram:


SRVA in the South needs to be able to pass TCP traffic on a specific port to SRVA in the North.  Both servers have the same IP address and subnet mask (they would not normally be connected).

Is this possible with these devices, and, if so, how can I use the McAfee Firewall Enterprise Administration console to set this up?  I appreciate any assistance.

4 Replies

Re: Using Firewall Enterprise to connect LANs

Unless someone else is able to come up with something creative, I personally can't see how this is going to work.

Getting traffic to pass from one side of a routed connection to another involves two key pieces of information - the fact that the target address is not part of the source network and the location of the gateway to use to pass the traffic across.

I have encountered this on numerous occasions and the biggest problem I always see is if the target IP address is part of the same IP subnet as the source machine it will assume the target machine lives on the same physical network. In your example the situation is further complicated by the fact that the server machines in "North" and "South" have exactly the same IP address. So, for example, if an application on "Server A-North" tries to communicate with, that's pretty much telling it to communicate with itself. It won't know any different.

The only guaranteed way of making this work is to renumber one of the two sites. Then the routing will work.



Re: Using Firewall Enterprise to connect LANs

Hello Phil,

You can usually find this kind of situation on VPN networks, where a remote site's IP addressing overlaps with another site or the central site. The solution to this problem is to use NAT to "change" the IP addressing of the remote site.

Then with that VPN issue in mind I'm wondering if NAT can be applied to the problem posted here.



Re: Using Firewall Enterprise to connect LANs

Yes.  This is exactly what I'm trying to do with the exception of VPN.  I won't need VPN here.  I'm trying to set up NAT to effect the translations.

So far, I have one Sidewinder in each rack.  Port 2 on both appliances are connected.  On South I have assigned the Interface for Port 1-2 to and assigned it the external zone.

On North, I have assigned the interface 1-2 to and the external zone.

What I need to do now is to set up the rules on each side so that I can effect the translations.  I assume I will need to create endpoints at each end ( for South and for North??) and assign redirection to the on South to the .10 endpoint and 11 to the same IP on North.  I'm just trying to figure out what all I have to do in the Admin Console to make this happen.

This might all be OBE in the end, because there is some talk now of just putting a dedicated NIC in each server just for this communication.


Re: Using Firewall Enterprise to connect LANs

must use as the destination IP address for

must use as the destination IP address for

North access control rules:

Source:, internal
Dest:, external
Redir: None

In (used if South initiates the connection):

Source:, external
Dest:, external
NAT: None

The same rules would be on the South firewall, except with different IPs.

The South firewall must have as an Alias IP address on the external (to answer an ARP for that IP)


The North firewall must have a route saying "Destination:, Gateway:".

Then you need to do the same on the other firewall (add an alias on one firewall or a route on the other).

Message was edited by: sliedl on 4/4/14 12:14:49 PM CDT
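The overlapping-subnet problem and the NAT idea the replies describe, as an added Python model that is not from the thread or from McAfee. The addresses are constructed because the thread's own IPs were stripped, and the model uses a plain double NAT (translate both source and destination) rather than sliedl's exact alias-and-route rules, so the "fake" address names and the packet dictionaries are assumptions.

```python
import ipaddress

# Constructed addresses (the thread's real IPs were stripped); same subnet at BOTH sites.
LAN = ipaddress.ip_network("10.1.1.0/24")
SERVER = ipaddress.ip_address("10.1.1.10")    # SRVA carries this address at North AND South
GATEWAY = ipaddress.ip_address("10.1.1.1")    # each site's Sidewinder internal interface

# Translated addresses each side uses to reach the other side's SRVA. They must lie
# OUTSIDE the shared subnet, otherwise the host never hands the packet to its gateway.
NORTH_AS_SEEN_FROM_SOUTH = ipaddress.ip_address("192.168.100.10")
SOUTH_AS_SEEN_FROM_NORTH = ipaddress.ip_address("192.168.200.10")


def host_next_hop(dst) -> str:
    """Forwarding decision of a host configured as SERVER/LAN with GATEWAY as default route."""
    dst = ipaddress.ip_address(dst)
    if dst == SERVER:
        return "self"          # Phil's point: same IP as the local machine, it talks to itself
    if dst in LAN:
        return "local-arp"     # on-subnet destination: ARP on the wire, never reaches a router
    return f"gateway {GATEWAY}"


def firewall_inbound(packet: dict, fake_local, fake_remote) -> dict:
    """Receiving firewall: DNAT the fake local address to the real server and SNAT the
    remote server's real (overlapping) address to the fake remote address."""
    if packet["dst"] != ipaddress.ip_address(fake_local):
        raise ValueError("no NAT binding for this destination")
    return {"src": ipaddress.ip_address(fake_remote), "dst": SERVER, "dport": packet["dport"]}


def south_to_north(dport: int) -> dict:
    """Trace one packet from SRVA-South to SRVA-North through both firewalls."""
    pkt = {"src": SERVER, "dst": NORTH_AS_SEEN_FROM_SOUTH, "dport": dport}
    first_hop = host_next_hop(pkt["dst"])          # off-subnet, so it goes to the South firewall
    # South firewall routes it across the Port 2 link unchanged; the North firewall rewrites
    # both addresses so SRVA-North sees a peer that is neither itself nor on its own LAN.
    delivered = firewall_inbound(pkt, NORTH_AS_SEEN_FROM_SOUTH, SOUTH_AS_SEEN_FROM_NORTH)
    reply_hop = host_next_hop(delivered["src"])    # reply is also off-subnet: back via gateway
    return {"first_hop": first_hop, "delivered": delivered, "reply_hop": reply_hop}
```

Without the source translation, SRVA-North would receive a packet from its own address and answer itself, which is the failure Phil describes.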