Dear group
I'm working on an MPLS VPN hub and spoke topology with a FW behind the hub. The idea is to separate up and downstream traffic with two VRFs (up and down). This part is working so far; I simulated it with GNS3 and used a router to simulate the routing of the FW.
I use the following topology:
--up------|
CE4--down----PE2(Spoke)-------PE1(Hub)---vrf up-->-----|___
|| | |FW |
CE5--up------- | ------vrf down--<---|___|
--down------|
Setup refers to Presentation BRKIPM-2102 (Networkers Barcelona).
I set it up with real routers and an ASA to verify the design including the FW. The MPLS stuff works, but there is a (design) problem with the communication between the hub and the FW. All traffic arrives through the interface connected to VRF "up" at the FW. All traffic flowing downstream is pointed out of the interface "VRF down" at the FW. This works with stateless protocols like ICMP. As soon as I use TCP, the FW complains (and blocks).
Message: "The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table"
The FW does not like TCP traffic coming in on a different interface than going out for the same IP. Is there a workaround for this problem?
I know that I could build the hub and spoke topology with only one VRF/subnet between the hub and the FW, but then it is not possible to selectively allow spoke-to-spoke communication if necessary.
Daniel
Received on Mon Jun 15 2009 - 16:08:36 ART
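The failure described in the post, as an added illustration that is not part of the original message and not ASA code: a toy stateful firewall that binds each direction of a TCP connection to the interface it is expected to enter on. With the two-VRF design every packet enters on the "up" interface, so the SYN-ACK never matches the entry created for the reverse direction and is discarded with a "no associated connection" message, while untracked ICMP passes. The same exchange on a single interface (the one-VRF alternative mentioned in the post) succeeds. Interface names, addresses and ports are constructed for the example.

```python
"""Toy model of a stateful firewall connection table.

Added example (not ASA code, not from the original post). It shows why the
two-VRF up/down hub-and-spoke design passes ICMP but drops TCP replies, and
why collapsing to one VRF/interface makes the same exchange work. Interface
names and addresses are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK", "ACK"; "" for icmp
    ingress: str    # firewall interface the packet arrived on


class StatefulFirewall:
    """Connections are keyed on (5-tuple, ingress interface): each direction
    of a flow is bound to the interface it is expected to enter on."""

    def __init__(self):
        self.conns = set()
        self.log = []

    @staticmethod
    def _fwd_key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p, egress):
        """Return True if the packet is passed, False if discarded."""
        if p.proto != "tcp":
            # ICMP is not tracked in this model, mirroring the post's
            # observation that stateless traffic is unaffected.
            return True
        if (self._fwd_key(p), p.ingress) in self.conns:
            return True
        if p.flags == "SYN":
            # New connection: the reply is expected to come back in on the
            # interface this SYN is leaving through.
            self.conns.add((self._fwd_key(p), p.ingress))
            self.conns.add((self._rev_key(p), egress))
            return True
        self.log.append(
            f"discarded TCP {p.src}:{p.sport}->{p.dst}:{p.dport} on {p.ingress}: "
            "no associated connection in the connection table"
        )
        return False


def tcp_exchange(ingress_if, egress_if):
    """CE4 (10.4.0.10) opens TCP/80 to CE5 (10.5.0.10) through the hub FW.
    Every packet enters on ingress_if and is routed out egress_if, which is
    exactly the asymmetry the two-VRF design creates."""
    fw = StatefulFirewall()
    syn = Packet("tcp", "10.4.0.10", 40000, "10.5.0.10", 80, "SYN", ingress_if)
    synack = Packet("tcp", "10.5.0.10", 80, "10.4.0.10", 40000, "SYN-ACK", ingress_if)
    ping = Packet("icmp", "10.4.0.10", 0, "10.5.0.10", 0, "", ingress_if)
    results = {
        "syn": fw.forward(syn, egress_if),
        "synack": fw.forward(synack, egress_if),
        "icmp": fw.forward(ping, egress_if),
    }
    return results, fw.log


def two_vrf_design():
    # Hub sends everything to the FW via VRF "up" and takes it back via "down".
    return tcp_exchange("vrf-up", "vrf-down")


def single_vrf_design():
    # One VRF/subnet between hub and FW: both directions use the same
    # interface (a hairpin on the FW side).
    return tcp_exchange("inside", "inside")


if __name__ == "__main__":
    for name, run in (("two VRFs", two_vrf_design), ("single VRF", single_vrf_design)):
        results, log = run()
        print(name, results)
        for line in log:
            print("  ", line)
```

Running the block prints `{'syn': True, 'synack': False, 'icmp': True}` for the two-VRF case with one discard line, and all three `True` for the single-VRF case, which is the behaviour the post reports.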