
In need of some help with understanding/resolving a routing challenge we're faced with – here is the scenario/assumptions:

  • A web application is running which is hosted in 2 physical locations, Locations A and B
  • Traffic either enters through Firewall A in Location A or, Firewall B in Location B depending on the DNS settings
  • Each Location has Webservers, say Webserver A in Location A and Webserver B in Location B
  • The two locations are interconnected and VLANs run between both locations
  • Webserver A and Webserver B are therefore on the same VLAN and in the same subnet
  • Webserver A and Webserver B run load balancing such that both are actively processing traffic received through whichever firewall is active
  • Webserver A and B can only have one default gateway, this is set to be Location specific e.g. Webserver A’s default Gateway is Firewall A

The firewalls are Cisco ASAs, the Web Servers W2003.

The problem I am faced with is that traffic for the web application received on Webserver A may have been received through Firewall B, but with the Default Gateway set to Firewall A, my understanding is that in simple terms the response will never make it back in those circumstances.

If that understanding is correct, what sort of routing techniques could be employed to ensure that the traffic goes back out through the door it came through?

Chris
  • This sounds like your question from yesterday. Did my suggestion not ultimately work? – joeqwerty Feb 08 '12 at 12:41
  • Not sure, and I really need help on this - the problem here (I think) is that they will all be web users with random IP addresses so the route commands wouldn't work as you would only know the IP of what they were accessing, and not where they came from? – Chris Feb 08 '12 at 13:16

1 Answer


Source NAT is the easiest option, unfortunately. In this instance the ASA will translate incoming connections to appear as if they come from its local interface. The web server will respond to this local traffic. This will give you full symmetry on your return routes. If you're tracking traffic in the log on the web server you'll need to key on something other than source IPs - or possibly correlate the firewall logs with the web logs. This is somewhat painful but will (and does) scale.

Depending on which ASA you have you could also potentially run them as an active-active pair. In this scenario they'd share state and take care of any asymmetry. This will require an L2 link between the firewalls and, assuming the two sites have different DMZ spaces, the presence of the same external segment on both firewalls. Depending on how you have your routing configured this could be pretty involved and may also fall outside the realm of official support. If you can make this solution work it's going to be for two sites.

rnxrx
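To make the asymmetry, and why source NAT fixes it, concrete, here is a small Python model added for illustration; it is not from the thread, and the firewall and server names and all addresses (RFC 5737 ranges) are made up. It models two stateful firewalls on the stretched VLAN, a web server with a single default gateway, and a request that enters through the other site's firewall; the returned tuple also shows what client address the web server log would record, which is the log-correlation caveat from the answer.

```python
"""Toy model of two-site asymmetric return routing and the source-NAT fix.
Constructed example: topology, names and addresses are assumptions."""
from dataclasses import dataclass, field

SUBNET = "10.0.0."  # stretched DMZ VLAN shared by both locations (constructed)


@dataclass
class Firewall:
    name: str
    inside_ip: str                                  # interface on the server VLAN
    conns: dict = field(default_factory=dict)       # state table: (src, dst) -> real client

    def inbound(self, client, server, snat):
        # Record state for the new flow. With source NAT the server sees the
        # firewall's own inside interface as the client address.
        src = self.inside_ip if snat else client
        self.conns[(src, server)] = client
        return src

    def outbound_reply(self, reply_dst, server):
        # A stateful firewall only forwards a reply for a flow it has state for.
        client = self.conns.get((reply_dst, server))
        if client is None:
            return f"dropped by {self.name}: no state"
        return f"delivered to {client} via {self.name}"


@dataclass
class WebServer:
    ip: str
    gateway: Firewall   # the host has exactly one default gateway


def scenario(ingress_name, snat=False, client="203.0.113.7"):
    """Return (client address as seen by the server, fate of the reply)."""
    fw_a, fw_b = Firewall("FW_A", "10.0.0.1"), Firewall("FW_B", "10.0.0.2")
    fws = {"FW_A": fw_a, "FW_B": fw_b}
    web_a = WebServer("10.0.0.10", fw_a)   # load balancing may hand FW_B's request to Webserver A
    reply_dst = fws[ingress_name].inbound(client, web_a.ip, snat)
    if reply_dst.startswith(SUBNET):
        # On-link destination: sent directly, the default gateway is never consulted.
        next_hop = next(fw for fw in fws.values() if fw.inside_ip == reply_dst)
    else:
        # Off-link destination: the only route the server has is its default gateway.
        next_hop = web_a.gateway
    return reply_dst, next_hop.outbound_reply(reply_dst, web_a.ip)


if __name__ == "__main__":
    for name, snat in (("FW_A", False), ("FW_B", False), ("FW_B", True)):
        print(f"ingress={name} snat={snat}:", scenario(name, snat))
```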