[164846] in North American Network Operators' Group
Re: which firewall product?
daemon@ATHENA.MIT.EDU (William Herrin)
Mon Aug 5 15:20:17 2013
In-Reply-To: <CAF1hVJPGg4QY6T3o787O2WxYf70cmN5dJ8MYwG8fvhLhcYWHzg@mail.gmail.com>
From: William Herrin <bill@herrin.us>
Date: Mon, 5 Aug 2013 15:19:25 -0400
To: Jason Pack <jpack@sevone.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Aug 5, 2013 at 8:48 AM, Jason Pack <jpack@sevone.com> wrote:
> I'm pretty sure you can do this with any modern firewall... An ASA5505 is
> always a good bet.
>
> You'd just have to route the IPIP packets to a hairpin interface on the
> firewall, then create a policy that handles packets coming inbound from the
> hairpin. Policies for handling traffic with that as the source interface
> would be able to filter based on layer-3 info as normal.
Hi Jason,
Hairpinning. So, set a router in there with a policy set on the
inbound ipip tunnel to forward all traffic out an ethernet to the ASA.
Then once I get it back on another ethernet from the ASA, use another
policy route to push it all to an outbound tunnel interface.
I hadn't considered that. Yikes, I'm not sure I want to. :)
Thanks,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
