Andrey_Korobko
Contributor

Identity awareness does not work, routing problem. What are the options for solving the problem?


We plan to use authentication on FW-B for Internet access and Mobile Access connections.

Description of the problem

FW-B uses an external IP address (2.2.2.2) for requests (Identity Awareness) to DC-1. DC-1 sends a response in the wrong direction, according to routing.

Identity.jpg

Is it possible to configure FW-B so that it sends requests (Identity Awareness) using its local IP address as the source interface?

0 Kudos

Accepted Solutions
Andrey_Korobko
Contributor

You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to DC-1.


0 Kudos
8 Replies
the_rock
Champion

What do you see if you issue ip route get and then the IP of DC1? Just run ip r g 192.168.0.1 in expert mode on firewall B.

0 Kudos
Andrey_Korobko
Contributor

192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2

0 Kudos
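The check asked for in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that takes the first line of ip route get output and flags a private (RFC 1918) destination being reached with a non-private source address, which is the situation in the output posted above. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the source address that the
# kernel selects for a destination, using the first line of `ip route get`.

# is_private ADDR -> returns 0 if ADDR is in RFC 1918 space
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# route_field LINE KEY -> prints the word that follows KEY (via, dev, src)
route_field() {
    set -f                      # no globbing while splitting LINE into words
    prev=""
    for w in $1; do
        if [ "$prev" = "$2" ]; then set +f; printf '%s\n' "$w"; return 0; fi
        prev=$w
    done
    set +f
    return 1
}

# check_route LINE -> prints a verdict; returns 1 on mismatch, 2 if no src
check_route() {
    line=$1
    dst=${line%% *}             # first word is the destination
    src=$(route_field "$line" src) || { echo "UNKNOWN no src in: $line"; return 2; }
    dev=$(route_field "$line" dev) || dev="?"
    via=$(route_field "$line" via) || via="directly-connected"
    if is_private "$dst" && ! is_private "$src"; then
        echo "MISMATCH dst=$dst src=$src dev=$dev via=$via"
        return 1
    fi
    echo "OK dst=$dst src=$src dev=$dev via=$via"
}

# First line is the output posted in this thread; the second is constructed.
check_route "192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2" || true
check_route "192.168.0.1 via 10.0.0.1 dev eth2 src 10.0.0.2" || true
```

On a live gateway the input would be the first line printed by ip route get for the destination in question.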
the_rock
Champion

Well, if you want it to take a different path, just change the route to reflect a different interface. It seems at this point it's using the 2.2.2.2 interface IP with a gateway of 2.2.2.1.

0 Kudos
Andrey_Korobko
Contributor

I don’t understand. Can you tell me more?

0 Kudos
the_rock
Champion

What I'm saying is, it does not sound logical to use the external interface to access something internal from the firewall itself. Just change it to reflect the internal interface of the firewall, as long as the topology is right.

0 Kudos
Andrey_Korobko
Contributor

Yes, it is not logical, I agree. How do I change it to reflect the internal interface of the firewall?

0 Kudos
the_rock
Champion

From web UI or clish. Just change it via web UI in the browser, it takes 15 seconds literally.

0 Kudos