
Allow asynchronous routing

Hi,

I'm in the process of migrating an ASA Cluster to R80. Everything is fine except for one thing. In the deployment there are certain dual-homed machines that do not route packets properly back through the firewall, and their packets would be dropped by the new Check Point installation with "packet out of state". These machines cannot be "fixed".

On the ASA you can create a service policy to ignore such traffic with src/dst selectors for tcp traffic. On the Check Point all I know is that there is a switch to essentially turn off state inspection completely, which I obviously don't want to do.

So my question is, can I somehow allow traffic between a pair of hosts/network, if the packets are "out of state" but at the same time still enforce the default packet state inspection?

Thank you

Christoph

3 Replies

Re: Allow asynchronous routing

Hello,

In some situations, it could work to simply NAT the traffic behind the IP address of the firewall (the firewall IP address that is on the same network as the destination server). This will ensure that the server responds back to the same firewall interface.


Re: Allow asynchronous routing

This might also be an option: SmartView Tracker shows multiple logs for dropped 'TCP out of state' packets

That said I think using NAT might be a better solution to ensure symmetric flows.


Re: Allow asynchronous routing

The only problem you run into is anti-spoofing, given that the server is responding from the IP it was addressed on.

So let's say we have a server on eth3 with IP 10.10.10.10, and the same server is connected to eth4 with IP 20.20.20.20. If you connect from a client to 10.10.10.10 and the default gateway on that server is the IP of eth4, just make sure you allow 10.10.10.* as well in the anti-spoofing on eth4.

Same for eth3: make sure to allow 10.10.10.* and 20.20.20.* in the anti-spoofing.

As long as you do not set up the rulebase as a zone-based policy, the FW does not really care on which interface the traffic enters. Just take care of anti-spoofing to allow it.

Regards, Maarten
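Added example, not code from the thread or from Check Point: a small Python model of the dual-homed server described in the replies above, tracing which firewall interface the server's reply arrives on and whether the default anti-spoofing topology would accept it, under the two suggested fixes (widening anti-spoofing on eth4, or hiding the client behind the firewall's eth3 address). The addresses, the server's routing table and the client 192.0.2.50 are constructed for the illustration.

```python
import ipaddress

# Constructed topology modelled on the last reply (addresses are illustrative):
# firewall eth3 = 10.10.10.1/24, eth4 = 20.20.20.1/24.
FW_NET = {"eth3": ipaddress.ip_network("10.10.10.0/24"),
          "eth4": ipaddress.ip_network("20.20.20.0/24")}
FW_IP = {"eth3": ipaddress.ip_address("10.10.10.1"),
         "eth4": ipaddress.ip_address("20.20.20.1")}
# Default anti-spoofing topology: each interface accepts only its own subnet.
DEFAULT_ANTI_SPOOF = {i: [n] for i, n in FW_NET.items()}
# Dual-homed server: nic_a on the eth3 side, nic_b on the eth4 side, and its
# default route points at the firewall's eth4 address (assumed, as in the reply).
SERVER_ROUTES = [(FW_NET["eth3"], "nic_a"), (FW_NET["eth4"], "nic_b"),
                 (ipaddress.ip_network("0.0.0.0/0"), "nic_b")]
SERVER_NIC_TO_FW_IF = {"nic_a": "eth3", "nic_b": "eth4"}

def server_egress_nic(dst):
    """Longest-prefix match over the server's routing table."""
    dst = ipaddress.ip_address(dst)
    return max((r for r in SERVER_ROUTES if dst in r[0]),
               key=lambda r: r[0].prefixlen)[1]

def with_dual_homed(anti_spoof, iface, network):
    """Maarten's fix: also accept the other leg's network on this interface."""
    out = {i: list(nets) for i, nets in anti_spoof.items()}
    out[iface].append(ipaddress.ip_network(network))
    return out

def reply_path(client_ip, anti_spoof, server_ip="10.10.10.10", hide_nat=False):
    """Trace the server's reply for a client -> server_ip session.
    hide_nat=True models the first reply's suggestion: the client is hidden
    behind the firewall IP on the server's own subnet. The server answers from
    the IP it was addressed on, which is what makes anti-spoofing relevant.
    Returns (firewall ingress interface, reply source IP, anti-spoofing passes)."""
    server_ip = ipaddress.ip_address(server_ip)
    server_if = next(i for i, n in FW_NET.items() if server_ip in n)
    reply_dst = FW_IP[server_if] if hide_nat else client_ip
    fw_if = SERVER_NIC_TO_FW_IF[server_egress_nic(reply_dst)]
    spoof_ok = any(server_ip in n for n in anti_spoof[fw_if])
    return fw_if, str(server_ip), spoof_ok

if __name__ == "__main__":
    client = "192.0.2.50"  # constructed client address on a routed network
    print("no fix:    ", reply_path(client, DEFAULT_ANTI_SPOOF))
    fixed = with_dual_homed(DEFAULT_ANTI_SPOOF, "eth4", "10.10.10.0/24")
    print("anti-spoof:", reply_path(client, fixed))
    print("hide NAT:  ", reply_path(client, DEFAULT_ANTI_SPOOF, hide_nat=True))
```

Without either fix the reply enters on eth4 with a 10.10.10.x source and fails anti-spoofing; widening eth4's topology accepts it there, while hide NAT keeps the reply on eth3 with the default topology untouched.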