Author Topic: Firewalls  (Read 10583 times)

Wanos

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 56
Firewalls
« on: March 17, 2014, 10:06:48 AM »
When a firewall is used in the WAN in-between two Wanos appliances, it needs to permit IPComp (IP Proto 108) traffic and TCP option 76.
GRE Encapsulation is also available.

UDP Encapsulation is often the simplest method to work around firewalls, but introduces additional overhead.
« Last Edit: March 25, 2015, 01:58:11 PM by ahenning »
Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Firewalls
« Reply #1 on: August 28, 2014, 08:06:31 PM »
Wanos as a WAN accelerator is deployed in WAN environments where typically a Firewall might also be found.

In this case the topology would be similar to:
         Site 1 Switch
                  |
             Wanos 1
                  |
        ASA/PIX Firewall 1
                  |
               WAN
                  |
        ASA/PIX Firewall 2
                  |
             Wanos 2
                  |
            Site 2 Switch
 
Wanos uses the TCP option 76 only in SYN and SYN-ACK packets of each TCP connection. This is used for autodiscovery.

Since the Cisco ASA/PIX is a firewall after all, the device might require a specific configuration to permit TCP option 76 for Wanos auto discovery to be operational. This is only needed if the firewall is in the path between Wanos devices.

The following sample configuration can be used on Cisco ASA/PIX version 7.0 or above:

access-list TCP_Option_76 extended permit tcp any any log
tcp-map TCP_Option_76_Tmap
  tcp-options range 76 76 allow
class-map TCP_Option_76_Cmap
  match access-list TCP_Option_76
policy-map global_policy
  class TCP_Option_76_Cmap
    set connection advanced-options TCP_Option_76_Tmap


*Note, please post a sample config if you use a different firewall and had to configure a similar policy.
« Last Edit: August 28, 2014, 08:16:13 PM by ahenning »
CCIE RS, CCIE SP, Mnet&sys


ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Firewalls
« Reply #2 on: September 25, 2014, 10:02:43 PM »
As a last resort, UDP Encap can be enabled by setting the UDP encapsulation option in the GUI.
Notes:
All sites require the option setting.
Additional overhead and processing is introduced.
« Last Edit: March 10, 2015, 12:40:54 AM by ahenning »
CCIE RS, CCIE SP, Mnet&sys


ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Firewalls
« Reply #3 on: September 26, 2014, 09:34:21 AM »
UDP Encap is useful when the users are not in control of the firewalls, e.g. a managed service.

E.g.
Firewall or Sat modem that strips TCP Options, e.g. Option 76, Window scaling and Selective ACKs.
Firewall that can't NAT/PAT proto 108.

UDP Encap gives them a last-resort option when they can't implement the recommended/required firewall changes.
« Last Edit: April 18, 2015, 11:20:48 AM by ahenning »
CCIE RS, CCIE SP, Mnet&sys

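The two conditions discussed in this thread (Reply #1: the firewall must pass TCP option 76 in SYN/SYN-ACK and IP protocol 108; Reply #3: a firewall or satellite modem may strip the option) can be checked by comparing a capture taken on the LAN side of the firewall with one taken on the WAN side. The following is an added example, not Wanos code or Wanos documentation: a small parser for raw IPv4/TCP packets that reports the IP protocol number, whether a TCP segment is a SYN or SYN-ACK, and whether option kind 76 is present, plus a comparison that flags a stripped option. The sample packets, the addresses in them and the payload bytes inside option 76 are constructed for the example; the real layout of the Wanos option data is not described in the thread, so those bytes are placeholders.

```python
import struct

TCP_PROTO = 6
IPCOMP_PROTO = 108        # IPComp, the IP protocol the thread says the firewall must permit
WANOS_TCP_OPTION = 76     # TCP option kind used for Wanos autodiscovery (per the thread)


def parse_ipv4(pkt: bytes) -> dict:
    """Parse a raw IPv4 packet (no link-layer header) and return its protocol and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto,
            "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:]}


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP options area: kind 0 ends the list, kind 1 is a 1-byte NOP, others are TLV."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed length for option kind %d" % kind)
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(seg: bytes) -> dict:
    """Parse a TCP header, returning ports, SYN/ACK flags and the decoded option list."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(seg) < data_off:
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport,
            "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
            "options": parse_tcp_options(seg[20:data_off])}


def classify(pkt: bytes) -> dict:
    """Summarise what a firewall in the Wanos path must let through for this packet."""
    ip = parse_ipv4(pkt)
    result = {"proto": ip["proto"], "ipcomp": ip["proto"] == IPCOMP_PROTO,
              "handshake": False, "has_option_76": False}
    if ip["proto"] == TCP_PROTO:
        tcp = parse_tcp(ip["payload"])
        result["handshake"] = tcp["syn"]          # SYN or SYN-ACK: the only packets carrying option 76
        result["has_option_76"] = any(k == WANOS_TCP_OPTION for k, _ in tcp["options"])
    return result


def option_stripped(lan_side: bytes, wan_side: bytes) -> bool:
    """True when the same SYN carried option 76 before the firewall but not after it."""
    return classify(lan_side)["has_option_76"] and not classify(wan_side)["has_option_76"]


# --- constructed sample packets (checksums left zero; the parser does not verify them) ---
def build_ipv4_tcp(options: bytes, syn_ack: bool = False) -> bytes:
    opts = options + b"\x01" * (-len(options) % 4)         # NOP-pad to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    flags = 0x12 if syn_ack else 0x02
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP_PROTO, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    return ip + tcp


def build_ipcomp(payload: bytes = b"\x04\x00\x00\x02") -> bytes:
    """IPv4 packet with protocol 108; the IPComp header bytes are a constructed placeholder."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, IPCOMP_PROTO, 0,
                       bytes([10, 1, 1, 1]), bytes([10, 2, 2, 1])) + payload


MSS_OPT = b"\x02\x04\x05\xb4"                                 # MSS 1460
OPT76 = bytes([WANOS_TCP_OPTION, 6]) + b"\x00\x00\x00\x00"    # kind 76, len 6, placeholder data


if __name__ == "__main__":
    before = build_ipv4_tcp(MSS_OPT + OPT76)   # as seen on the LAN side of the firewall
    after = build_ipv4_tcp(MSS_OPT)            # what a firewall that clears unknown options forwards
    print(classify(before))
    print(classify(after))
    print("option 76 stripped:", option_stripped(before, after))
    print(classify(build_ipcomp()))
```

In practice the two inputs would come from captures taken on each side of the firewall (the IPv4 payload of the frames with the SYN/SYN-ACK flags set); if `option_stripped` reports True, the ASA tcp-map from Reply #1 (or the equivalent on another firewall) is what needs attention, and a packet classified with `ipcomp` True is the protocol 108 traffic that the WAN-side rules must also permit.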

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
    • View Profile
Re: Firewalls
« Reply #4 on: November 12, 2014, 04:19:43 PM »
Quote verbatim:
Examples of environments where the auto-discovery process does not work are as follows:
Traffic traversing the WAN passes through a satellite or other device that strips off TCP options, including those used by auto-discovery.
Traffic traversing the WAN goes through a device that proxies TCP connections and uses its own TCP connection to transport the traffic. For example, some satellite-based WANs use built-in TCP proxies in their satellite uplinks.
« Last Edit: April 18, 2015, 11:24:27 AM by ahenning »
CCIE RS, CCIE SP, Mnet&sys


ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Firewalls
« Reply #5 on: November 26, 2014, 05:30:51 PM »
Another explanation on Firewalls in the network:

Normally there are no issues with Firewalls on the LAN side of the Wanos device, except if it encrypts or encapsulates the traffic, e.g. an IPsec or GRE tunnel.

Things to know about Firewalls:
  • When the Firewalls are doing encryption like an IPsec VPN, then the Wanos device needs to be on the user LAN side to optimize the traffic before it is encrypted. In other words, when the Firewall is between the Wanos appliance and the user LAN, this is fine as long as the Firewall is not encrypting or encapsulating traffic.
  • When the Firewall is on the WAN side and the filter rules are very strict, some configuration may be required to allow the Wanos optimized traffic through. This is normally TCP Option 76 and IP Proto 108.
  • When the Firewall is on the WAN side and NATting traffic, UDP Encapsulation on the Wanos devices may be required.
CCIE RS, CCIE SP, Mnet&sys
