Identity Awareness does not work, routing problem. What are the options for solving the problem?
We plan to use authentication on FW-B for Internet access and Mobile Access connections.
Description of the problem
FW-B uses its external IP address (2.2.2.2) for requests (Identity Awareness) to DC-1. DC-1 sends the response in the wrong direction, according to routing.
Is it possible to configure FW-B so that it sends Identity Awareness requests using its local IP address as the source interface?
Accepted Solutions
You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to DC-1.
What do you see if you issue ip route get followed by the IP of DC-1? Just run ip r g 192.168.0.1 in expert mode on firewall B.
192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2
Well, if you want it to take a different path, just change the route to reflect a different interface. It seems at this point it's using the 2.2.2.2 interface IP with a gateway of 2.2.2.1.
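A small check for the routing lookup discussed above, added here as an example and not taken from the thread or from Check Point: it parses the line printed by ip route get (the sample is the line posted in this thread) and flags the case where the selected source address is the external one instead of an address in the expected internal prefix. The internal prefix 10.10.10.0/24 is an assumed placeholder; the gateway's real internal address is not given in the thread.

```sh
#!/bin/sh
# Added example: parse the one-line output of `ip route get <dst>` and warn
# when the kernel picks a source address outside the internal prefix.
# Constructed sample: the output of `ip r g 192.168.0.1` posted in the thread.
SAMPLE_ROUTE='192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2'

# Print the token that follows a keyword (dev, src, via) in a route line.
route_field() {
    # $1 = route line, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# Return 0 when the src address is inside the expected internal /24 prefix,
# 1 otherwise. Only a /24 prefix is compared, which is enough for this check.
check_internal_src() {
    # $1 = route line, $2 = expected internal /24 prefix, e.g. "10.10.10"
    src=$(route_field "$1" src)
    case "$src" in
        "$2".*) return 0 ;;
        *) return 1 ;;
    esac
}

# The posted line selects the external address, so this prints the warning.
# 10.10.10 is an assumed placeholder for the real internal prefix.
if check_internal_src "$SAMPLE_ROUTE" 10.10.10; then
    echo "OK: src $(route_field "$SAMPLE_ROUTE" src) is internal"
else
    echo "WARNING: route to DC-1 leaves via $(route_field "$SAMPLE_ROUTE" dev) with external src $(route_field "$SAMPLE_ROUTE" src); fix the route"
fi
```

On a live gateway, replace SAMPLE_ROUTE with "$(ip route get 192.168.0.1)" and re-run the check after the route has been corrected.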
I don't understand; can you explain more?
What I'm saying is, it does not sound logical to use the external interface to access something internal from the firewall itself. Just change it to reflect the internal interface of the firewall, as long as the topology is right.
Yes, it is not logical, I agree. How do I change it to reflect the internal interface of the firewall?
From the web UI or clish. Just change it via the web UI in the browser; it literally takes 15 seconds.