385 Views 2 Replies Latest reply: Jul 5, 2013 9:44 AM by gooru4speed
gooru4speed (Apprentice, 130 posts since Jul 4, 2009)
Jul 4, 2013 6:57 PM

some concerns with MFE default route definitions

Hi!

please let me hear your experiences about this matter: in Cisco ASA you can have, for example, two default routes to the Internet using two ISPs' links with different "distance", and when the primary route becomes unavailable the secondary takes its place. The current ASA configuration has a NAT definition with a public IP address belonging to the secondary link that is used exclusively for a web service; today everything goes fine, and incoming requests and replies from the web server go over the secondary link. Now I need to replicate that configuration in the MFE, so I defined the NAT in the same way as in the ASA configuration, and when I tried to add an additional default route in the MFE in the form "destination 0.0.0.0 mask 0.0.0.0" the system rejected it with an error message. I read about the failover route in the Static Routing definitions, but my concern is whether the MFE firewall will consider the failover link as available even when the primary route is still "alive".

Do you have any experience like this?

Thanks very much in advance for your opinions and suggestions.

JR

  • PhilM (Champion, 528 posts since Jan 7, 2010)

    JR -

    What you are describing sounds to me to be very much like policy-based or protocol-based routing (depending on your familiarity with the term), where routes are created based either on source criteria or protocol criteria. This would allow you to route traffic for your web server, or maybe all of your SMTP mail traffic, via a secondary WAN/Internet connection instead of the default gateway.

    This is something where the MFE product is sadly lacking. You can only create static routes based on destination network criteria. This works if all of your SMTP traffic is, for example, sent via an external smart host. You can create a static route for that smart host and set the gateway to point to your secondary internet router. But, for static routing, that's about it.

    MFE's implementation of a secondary default gateway is for basic link failover. The secondary default gateway only comes into the equation if the probe tests for the primary link show it to be down. Even then, as far as I am aware, it doesn't automatically fail back when the primary link becomes available again - you must instigate a manual failover event (presumably by disconnecting the second WAN router) for traffic to be sent back out via the primary default gateway.

    -Phil.
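To make the distinction in the reply above concrete, here is an added Python model of the three behaviours the thread touches on. It is constructed for this page and is not McAfee, Cisco or anyone in the thread's code: the gateway labels `isp1`/`isp2`, the addresses (all from documentation ranges) and the probe results are made up. It shows (1) an ASA-style table where two default routes coexist with different administrative distances, (2) why a destination-only static route table cannot send the web server's replies out the secondary link while a source-based policy rule can, and (3) a probe-driven default-gateway failover that does not fail back on its own.

```python
"""Constructed route-selection model for the behaviours discussed in this thread.
Not McAfee or Cisco code: gateway names, addresses and probe results are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network, e.g. "0.0.0.0/0" for a default route
    gateway: str       # next-hop label (hypothetical ISP link name)
    distance: int = 1  # administrative distance; lower wins among equal prefixes


@dataclass
class Router:
    routes: List[Route]
    # Source network -> gateway, consulted before the destination table. This is
    # the policy-based routing the reply says MFE static routing does not offer.
    policy: Dict[str, str] = field(default_factory=dict)
    down: Set[str] = field(default_factory=set)  # gateways whose link probe failed

    def lookup(self, dst: str, src: Optional[str] = None) -> Optional[str]:
        if src is not None:
            for net, gw in self.policy.items():
                if ip_address(src) in ip_network(net) and gw not in self.down:
                    return gw
        # Destination-only selection: longest prefix, then lowest distance,
        # ignoring routes whose gateway is down.
        candidates = [r for r in self.routes
                      if ip_address(dst) in ip_network(r.prefix) and r.gateway not in self.down]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))
        return best.gateway


class FailoverDefault:
    """Secondary default gateway used only after the primary probe fails, and kept
    until a manual fail-back, as the reply describes for MFE link failover."""

    def __init__(self, primary: str, secondary: str) -> None:
        self.primary, self.secondary = primary, secondary
        self.active = primary

    def probe(self, primary_up: bool) -> str:
        if not primary_up:
            self.active = self.secondary
        return self.active  # no automatic return to primary when it comes back

    def manual_failback(self) -> str:
        self.active = self.primary
        return self.active


def demo() -> Dict[str, Optional[str]]:
    out: Dict[str, Optional[str]] = {}
    # ASA-style table: two default routes with different distances plus one
    # destination-specific static route (all prefixes are documentation ranges).
    asa_like = Router(routes=[Route("0.0.0.0/0", "isp1", 1),
                              Route("0.0.0.0/0", "isp2", 254),
                              Route("203.0.113.0/24", "isp2")])
    out["asa_primary"] = asa_like.lookup("198.51.100.10")
    asa_like.down.add("isp1")
    out["asa_after_failure"] = asa_like.lookup("198.51.100.10")
    asa_like.down.discard("isp1")
    out["asa_specific_dst"] = asa_like.lookup("203.0.113.7")

    # Destination-only routing cannot steer the web server's replies (from the
    # constructed internal address 192.0.2.80) out the secondary link, because
    # the reply's destination is an arbitrary Internet client.
    dest_only = Router(routes=[Route("0.0.0.0/0", "isp1")])
    out["web_reply_dest_only"] = dest_only.lookup("198.51.100.10", src="192.0.2.80")

    # A source-based policy rule does steer them, leaving other hosts on the primary.
    pbr = Router(routes=[Route("0.0.0.0/0", "isp1")], policy={"192.0.2.80/32": "isp2"})
    out["web_reply_pbr"] = pbr.lookup("198.51.100.10", src="192.0.2.80")
    out["other_host_pbr"] = pbr.lookup("198.51.100.10", src="192.0.2.50")

    # Probe-driven failover with no automatic fail-back.
    fo = FailoverDefault("isp1", "isp2")
    out["fo_primary_ok"] = fo.probe(True)
    out["fo_primary_down"] = fo.probe(False)
    out["fo_primary_back"] = fo.probe(True)
    out["fo_manual_failback"] = fo.manual_failback()
    return out


if __name__ == "__main__":
    for name, gw in demo().items():
        print(f"{name:22s} -> {gw}")
```

Running the script prints each scenario and the gateway chosen. The `web_reply_dest_only` line is the crux of the original question: with only destination-based routes, return traffic for the NAT that lives on the secondary link still follows the single active default route, so reaching the secondary link for that host needs a source criterion the destination table cannot express.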
