I am attemping to use two Firewall Enterprise appliances as routers to connect two nearly identical networks, with identical subnets. These networks are not connected to the internet and normally would not be connected at all, but I have need to pass traffic between a server on one LAN and a server on the other. What I am attempting to do is roughly summarized in the following diagram:
SRVA in the South needs to be able to pass TCP traffic on a specific port to SRVA in the North. Both Servers have the same IP address and subnet mask (they would not normally be connected).
Is this possible with these devices, and, if so, how can I use the McAfee Firewall Enterprise Administration console to set this up? I appreciate any assistance.
Unless someone else is able to come up with something creative, I personally can't see how this is going to work.
Getting traffic to pass from one side of a routed connection to another involves two key pieces of information - the fact that the target address is not part of the source network and the location of the gateway to use to pass the traffic across.
I have encountered this on numerous occasions and the biggest problem I always see is if the target IP address is part of the name IP subnet as the source machine it will assume the target machine lives on the same physical network. In your example the situation is further complicated by the fact that the server machines in "North" and "South" have exactly the same IP address. So, for example, if and application on "Server A-North" tries to communicate with 10.2.1.90, that's pretty much telling it to communicate with itself. It won't know any different.
The only guaranteed way of making this work is to renumber one of the two sites. Then the routing will work.
You can usually find this kind of situation on VPN networks, where remote sites overlaps IP addressing on another site or central site. The solution to this problem is use NAT to "change" the IP addressing of the remote site.
Then with that VPN issue in mind I'm wondering if NAT can be applied to the problem posted here.
Yes. This is exactly what I'm trying to do with the exception of VPN. I won't need VPN here. I'm trying to set up NAT to effect the translations.
So far, I have one Sidewinder in each rack. Port 2 on both appliances are connected. On South I have assigned the Interface for Port 1-2 to 172.16.0.1 and assigned it the external zone.
On North, I have assigned the interface 1-2 to 172.16.0.2 and the external zone.
What I need to do now is to set up the rules on each side so that I can effect the translations. I assume I will need to create endpoints at each end (172.16.0.10 for South and 172.16.0.11 for North??) and assign redirection to the 10.2.1.90 on South to the .10 endpoint and 11 to the the same IP on North. I'm just trying to figure out what all I have to do in the Admin Console to make this happen.
This might all be OBE in the end, because there is some talk now of just putting a dedicated NIC in each server just for this communication.
10.2.1.90-North must use 172.16.0.11 as the destination IP address for 10.2.1.90-South.
10.2.1.90-South must use 172.16.0.10 as the destination IP address for 10.2.1.90-North.
North access control rules:
Source: 10.2.1.90, internal
Dest: 172.16.0.11, external
In (used if South initiates the connection):
Source: 172.16.0.11, external
Dest: 172.16.0.10, external
The same rules would be on the South firewall, except with different IPs.
The South firewall must have 172.16.0.11 as an Alias IP address on the external (to answer an ARP for that IP)
The North firewall must have a route saying "Destination: 172.16.0.11, Gateway: 172.16.0.2".
Then you need to do the same on the other firewall (add an alias on one firewall or a route on the other).Message was edited by: sliedl on 4/4/14 12:14:49 PM CDT