Asymmetric Routing is a problem faced most commonly by routed networks of the Layer-3 type. The common scenario is that the path taken by a packet to reach from source to destination is not taken on the path back to the source, that creates mix-up in the packet communications lines. Although this problem of Asymmetric routing is not major, it does cause major issues when the routed path uses Network Address Translation (NAT) or firewalls.
State information in firewalls is built when the flow of packets occurs to a domain with low security from a domain with higher security. The firewall acts as the exit point for the traverse between one security domain and the other. If when taking the return path, the packet encounters another firewall through which it has to pass through, it will not be allowed to move from the lower to higher security domain as there is no state information included in the firewall on the return path. The first firewall consists of the state information.
How to find solutions to the issues of Firewalls through Asymmetric Routing:-
Listed below are two design options to support the asymmetric route taken by packets in firewalls:-
- 1) Making a symmetric route flow through the firewall
The firewall infrastructure has to be optimized for the symmetric flow of traffic. In these situations, a single firewall will be used for the flow of the packet from one security domain to the other. Failover configurations or Firewall Redundancies are used to obtain redundancy for the flow.
- 2) Supporting the feature of asymmetric routing
The CISCO FWSM 3.x and ASA 7.x code releases both support the Asymmetric Routing feature (ASR) and in active/standby and active/active modes can be used for leveraging in the firewalls. Asymmetric routing issues are avoided by aligning the firewalls with the Layer-3 network.
The asymmetric routing feature can be leveraged through the use of firewalls in the designs maintained in the data centre, and dual routing paths can be utilized for the same roles of security in an active/active context in multiple context transparent firewalls.
Packets passing through firewalls have always been subject to issues of Asymmetric routing through designs of routing. The previous design philosophy is challenged through the support of symmetric routing in firewalls. The traffic that passes through a firewall infrastructure can be afforded greater scalability and redundancy to leverage support on the asymmetric routing system with all its new features.
Koenig Solutions offers a number of solutions through its experienced IT department to those facing asymmetric routing issues on a daily basis. CISCO based educational courses such as the CCNP voice training, CCNP boot camp, CCNP security course and many more are provided by its inhouse specialists, and the details of these courses, timings and schedules can be viewed on http://www.koenig-solutions.com/ to get a complete picture of the working of these courses and their practical applications. Which of these courses do you think will be most likely to become your go to guides to deal with Aymmetric Routing? Tell us in the comments below!