From Wanos Wiki
Revision as of 10:38, 9 February 2017 by Lew (Talk | contribs)


Document migrated. An updated Firewall Troubleshooting Guide can be found on the Wanos Documentation site.

Wanos with Firewall

Normally there are no issues with firewalls on the LAN side of the Wanos device, unless the firewall encrypts or encapsulates the traffic, e.g. an IPsec or GRE tunnel.

Things to know about Firewalls:

  1. When the firewalls perform encryption, such as an IPsec VPN, the Wanos device needs to be on the user LAN side so that it optimizes the traffic before it is encrypted. In other words, a firewall between the Wanos appliance and the user LAN is fine as long as that firewall is not encrypting or encapsulating traffic.
  2. When the firewall is on the WAN side and its filter rules are very strict, some configuration may be required to allow the Wanos optimized traffic through. This normally means permitting TCP option 76 and IPComp (IP protocol 108).
  3. When the firewall is on the WAN side and is NATing traffic, UDP encapsulation on the Wanos devices may be required.

Wanos, as a WAN accelerator, is deployed in WAN environments where a firewall is typically also found.

In this case the topology would be similar to:

         Site 1 Switch
                  |
             Wanos 1
                  |
        ASA/PIX Firewall 1
                  |
               WAN
                  |
        ASA/PIX Firewall 2 
                  |
             Wanos 2
                  |
            Site 2 Switch

Wanos uses TCP option 76 only in the SYN and SYN-ACK packets of each TCP connection; the option is used for autodiscovery.

Since the Cisco ASA/PIX is a firewall after all, the device might require a specific configuration to permit TCP option 76 so that Wanos autodiscovery is operational. This is only needed if the firewall is in the path between the Wanos devices.

The following sample configuration can be used on Cisco ASA/PIX version 7.0 or above:

access-list TCP_Option_76 extended permit tcp any any log
tcp-map TCP_Option_76_Tmap
  tcp-options range 76 76 allow
class-map TCP_Option_76_Cmap
  match access-list TCP_Option_76
policy-map global_policy
  class TCP_Option_76_Cmap
    set connection advanced-options TCP_Option_76_Tmap
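As an added example (not part of the original wiki page and not Wanos's own code), the following Python snippet parses the options of a raw TCP SYN/SYN-ACK header and reports whether option 76 is still present, which is a quick way to confirm from a packet capture taken on the far side of the firewall that the autodiscovery option is not being stripped. The constructed sample segments, the 4-byte option-76 payload and the helper names are assumptions; the page does not describe the option's contents.

```python
import struct

WANOS_AUTODISCOVERY_OPTION = 76  # TCP option kind Wanos uses in SYN / SYN-ACK (from the page)


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: payload} for the options in a raw TCP header.
    Handles the single-byte kinds 0 (EOL) and 1 (NOP) and the kind/length/value form."""
    header_len = (tcp_header[12] >> 4) * 4          # data offset, in bytes
    options = {}
    i = 20                                           # options start after the fixed header
    while i < header_len:
        kind = tcp_header[i]
        if kind == 0:                                # end of option list
            break
        if kind == 1:                                # NOP padding
            i += 1
            continue
        length = tcp_header[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option at offset %d" % i)
        options[kind] = tcp_header[i + 2:i + length]
        i += length
    return options


def is_syn(tcp_header: bytes) -> bool:
    """True for SYN and SYN-ACK segments (the SYN flag is bit 1 of the flags byte)."""
    return bool(tcp_header[13] & 0x02)


def autodiscovery_option_present(tcp_header: bytes) -> bool:
    """True if a SYN/SYN-ACK still carries option 76, i.e. nothing in the path stripped it."""
    return is_syn(tcp_header) and WANOS_AUTODISCOVERY_OPTION in parse_tcp_options(tcp_header)


def build_syn(options: bytes, src_port: int = 40000, dst_port: int = 445) -> bytes:
    """Build a constructed SYN header with the given option bytes (test input only)."""
    options += b"\x00" * ((-len(options)) % 4)       # pad to a 4-byte boundary with EOL
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options

# Constructed sample: MSS, NOP, window scale, SACK-permitted, then option 76 (hypothetical 4-byte payload)
SYN_WITH_76 = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07" + b"\x04\x02" + b"\x4c\x06\xde\xad\xbe\xef")
# The same segment as a device that strips unknown options would forward it (option 76 removed)
SYN_STRIPPED = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07" + b"\x04\x02")
```

Feed the function the 20+ header bytes of a captured SYN taken from the firewall's far side; a False result for a SYN that carried option 76 on the near side means the option is being stripped and the policy above (or UDP encapsulation) is needed.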

Please post a sample config in the forums if you use a different firewall and had to configure a similar policy.

UDP encapsulation is useful when users are not in control of the firewalls. It gives them a last-resort option when they can't implement the recommended or required firewall changes.

Examples:

  • Firewalls or satellite modems that strip TCP options, e.g. option 76, window scaling and selective ACKs.
  • Firewalls that can't NAT/PAT IP protocol 108.

Examples of environments where the autodiscovery process does not work are as follows:

  • Traffic traversing the WAN passes through a satellite or other device that strips off TCP options, including those used by autodiscovery.
  • Traffic traversing the WAN goes through a device that proxies TCP connections and uses its own TCP connection to transport the traffic. For example, some satellite-based WANs use built-in TCP proxies in their satellite uplinks.

UDP encapsulation can be enabled by setting the UDP encapsulation option in the Wanos web UI.

Notes when enabling UDP encapsulation:

  1. All sites require this option to be configured.
  2. Additional overhead and processing are introduced.