Rohit_Gandas
Participant

Traffic flow in between C to S via Firewall. How?

Hello All,

Please refer to attached image and solve my query.

Traffic has to go from CLIENT to SERVER. The condition is that it has to go through the FIREWALL.

How that would be accomplished?

How traffic will go from client to server via firewall?


Accepted Solutions
PhoneBoy
Admin

Looks like I get to dig out an old FAQ once again.

I actually feature this exact FAQ in my Migrate to R80.x talks as a Troy McClure slide :)

The below is adapted from: "Can't Talk to Translated IP from Internal Net"

To force traffic through the Security Gateway, you need to:

  • Block direct communication between the two from the router
  • Direct the client to use an IP that routes the traffic to the Security Gateway (we'll pick 1.1.1.3 in this example)
  • Create a "double NAT" rule, which will ensure the firewall stays between the two hosts.

Original Src | Original Dst | Original Svc | Xlated Src     | Xlated Dst  | Xlated Svc
10.0.0.1     | 1.1.1.3      | Any          | 172.16.1.1 (H) | 192.168.1.1 | Original


All traffic coming from 10.0.0.1 that is destined for 1.1.1.3 will get hidden behind 172.16.1.1 (the internal IP address of the firewall) and have a destination of 192.168.1.1 (the real IP of the server).
The side effect of this is that for each connection to your "internal" server using the external IP address, you will see the network connection traverse your internal network twice:

  • Once between the "server" and the Firewall
  • Once between the firewall and the "client"

I haven't actually tried this in years, so it's possible this won't work.

But, if it's going to work, this is how you'd do it.

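To make the mechanics of the "double NAT" rule above concrete, here is a small simulation added to this thread (it is not Check Point code and not part of PhoneBoy's post). It models the gateway's NAT rule and connection table with the addresses from the table (client 10.0.0.1, published address 1.1.1.3, firewall internal address 172.16.1.1, real server 192.168.1.1), then shows why the hide half matters: the router model, the port numbers and the `Gateway`/`NatRule` names are constructed assumptions for the illustration, not anything from the original thread.

```python
"""
Simulation of the double NAT rule from the post: the client sends to the
published address, the gateway hides the source behind its own internal
address and rewrites the destination to the server's real address. The
reply is matched against the connection table and translated back, so
both directions of the connection pass through the gateway.
Addresses are the ones used in the thread; everything else is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    xlated_src: str   # hide NAT: client address replaced by the firewall's internal IP
    xlated_dst: str   # static NAT: published address replaced by the server's real IP


class Gateway:
    """Constructed stateful NAT model, not the product's implementation."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Keyed on the 4-tuple a reply will carry, value is the original packet,
        # so the reply can be translated back to what the client expects.
        self.conn_table = {}

    def outbound(self, pkt):
        for r in self.rules:
            if pkt.src == r.orig_src and pkt.dst == r.orig_dst:
                xlated = Packet(r.xlated_src, r.xlated_dst, pkt.sport, pkt.dport)
                self.conn_table[(xlated.dst, xlated.src, xlated.dport, xlated.sport)] = pkt
                return xlated
        return pkt  # no rule matched: forwarded unchanged

    def inbound_reply(self, pkt):
        orig = self.conn_table.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is None:
            raise LookupError("no connection state for this reply; it would be dropped")
        # Reverse translation: source becomes the published IP, destination the client.
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


def next_hop_from_server_segment(dst):
    """Constructed router model: only the firewall's own addresses are routed to
    the firewall; any other internal address is delivered directly by the router."""
    firewall_addresses = {"172.16.1.1", "1.1.1.3"}
    return "firewall" if dst in firewall_addresses else "router-direct"


def reply_path(hide_source):
    """Where does the server's reply go, with or without the hide (source) half?"""
    rule = NatRule("10.0.0.1", "1.1.1.3",
                   "172.16.1.1" if hide_source else "10.0.0.1", "192.168.1.1")
    gw = Gateway([rule])
    fwd = gw.outbound(Packet("10.0.0.1", "1.1.1.3", 40000, 443))
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)  # server answers what it saw
    return next_hop_from_server_segment(reply.dst)


if __name__ == "__main__":
    gw = Gateway([NatRule("10.0.0.1", "1.1.1.3", "172.16.1.1", "192.168.1.1")])
    fwd = gw.outbound(Packet("10.0.0.1", "1.1.1.3", 40000, 443))
    print("client -> server as the server sees it:", fwd)
    back = gw.inbound_reply(Packet("192.168.1.1", "172.16.1.1", 443, 40000))
    print("server -> client as the client sees it:", back)
    print("reply path with hide NAT:", reply_path(True))
    print("reply path with destination NAT only:", reply_path(False))
```

With only the destination half of the rule, the server sees 10.0.0.1 as the source and the router delivers its reply straight to the client, so the return path bypasses the firewall; hiding the source behind 172.16.1.1 is what pulls the reply back through the gateway, and blocking the direct path at the router (the first bullet in the post) closes the remaining shortcut.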
2 Replies
Maarten_Sjouw
Champion

Another way is to use VRFs on the router, splitting the traffic and using a trunk between router and Firewall. Or connect either of the 2 networks, or both, directly to the Firewall and forget the router altogether.

Regards, Maarten