• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 181
  • Last Modified:

Asymmetric Routing (Firewall)

Is it possible to have asymmetric routing from a stateful firewall?  The firewall will keep the connections in the state table, but it not the way its routed?
0
PeraHoman
Asked:
PeraHoman
3 Solutions
 
Predrag JovicNetwork EngineerCommented:
It is not possible if you perform natting on firewall. How will device that receive packets know where is located source of the traffic since there is no NAT table?
Typically for asymmetric routing you need two connected firewalls.
Asymmetric Routing and Firewalls
0
 
PeraHomanAuthor Commented:
Natting is done on the FW.  I was just wondering if this was possible.  

We see hits on our FW logs about traffic leaving our FW destined our Vendors public server, but there are no hits on return traffic from the Vendors server back to our FW.
0
 
SIM50Commented:
It's not possible for dynamic NAT but possible for static NAT. Unlike dynamic, where entries are created in xlate table for the current traffic going through, static NAT entries are added upon the configuration and work for any direction. So if you would have two ASA's with the same static NAT and ACLs and configured tcp state bypass, it would be possible for asymmetric routing to happen.
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now