ZyXEL Communications ISG50 Network Router User Manual
Chapter 23 Firewall
ISG50 User’s Guide
360
23.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ISG50’s LAN IP address, return traffic may not go through the ISG50. This is called an asymmetrical or “triangle” route. Because the ISG50 never sees the return traffic that acknowledges the connection, it resets the connection.

You can have the ISG50 permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ISG50. A better solution is to use virtual interfaces to put the ISG50 and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
By putting LAN1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the ISG50 to the LAN. The following steps and figure describe such a scenario.

1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ISG50 reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ISG50.
4 The ISG50 then sends it to the computer on the LAN1 in Subnet 1.
Figure 241 Using Virtual Interfaces to Avoid Asymmetrical Routes
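The following is an added example, not code from the manual or from ZyXEL: a small Python model of the scenario above. It replays the handshake through a minimal stateful session table, once with gateway A in the same subnet as the LAN1 host (the triangle route, where the server's reply bypasses the firewall and the host's next packet is reset), once with the "allow asymmetrical route" setting enabled, and once with gateway A moved to its own subnet so the reply must come back through the ISG50. All addresses, the 192.168.1.0/24 LAN1 subnet and the 192.168.2.0/24 virtual-interface subnet are constructed values.

```python
"""
Added example (not ZyXEL's code): a toy model of the "triangle" route.
A stateful firewall only marks a TCP session as established once it has
seen both the client's SYN and the server's SYN-ACK.  When an alternate
gateway sits in the same subnet as the host, it delivers the server's
reply straight to the host, the firewall never sees the acknowledgement,
and the host's next packet is reset.  Putting the gateway on its own
(virtual-interface) subnet forces the reply back through the firewall.
All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"


class StatefulFirewall:
    """Minimal session table modelling the firewall's behaviour."""

    def __init__(self, allow_asymmetrical: bool = False):
        self.allow_asymmetrical = allow_asymmetrical
        self.sessions: dict[tuple[str, str], str] = {}  # (client, server) -> state
        self.log: list[str] = []

    def inspect(self, pkt: Packet) -> str:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.sessions[fwd] = "SYN_SENT"
            return "forward"
        if pkt.flags == "SYN-ACK" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "ESTABLISHED"
            return "forward"
        key = fwd if fwd in self.sessions else rev
        if self.sessions.get(key) == "ESTABLISHED":
            return "forward"
        # Traffic for a session the firewall never saw acknowledged.
        if self.allow_asymmetrical:
            return "forward"  # the "allow asymmetrical route" setting
        self.log.append(f"RST {pkt.src}->{pkt.dst}: session not acknowledged")
        return "reset"


# Constructed topology: the ISG50's LAN1 interface is 192.168.1.1/24 and the
# WAN server is 203.0.113.10.  Only gateway A's subnet changes between runs.
LAN_HOST = "192.168.1.33"
WAN_SERVER = "203.0.113.10"


def run_scenario(gw_a_subnet: str, allow_asymmetrical: bool = False):
    """Replay the handshake and return (final verdict, per-packet trace)."""
    fw = StatefulFirewall(allow_asymmetrical)
    trace = []
    # Step 1: the LAN1 host opens the connection; its default gateway is the ISG50.
    v = fw.inspect(Packet(LAN_HOST, WAN_SERVER, "SYN"))
    trace.append(("SYN", "host -> ISG50 -> gateway A -> WAN", v))
    # Step 2: the ISG50 reroutes the SYN to gateway A.  The server's SYN-ACK
    # then comes back to gateway A, which must deliver it to the host.
    reply = Packet(WAN_SERVER, LAN_HOST, "SYN-ACK")
    if ipaddress.ip_address(LAN_HOST) in ipaddress.ip_network(gw_a_subnet):
        # Host is directly reachable from gateway A: the reply bypasses the
        # ISG50 entirely (the triangle route).
        trace.append(("SYN-ACK", "gateway A -> host (ISG50 bypassed)", "unseen"))
    else:
        # Steps 3 and 4: the host is in another subnet, so gateway A's only
        # route to it is via the ISG50, which sees the reply and forwards it.
        v = fw.inspect(reply)
        trace.append(("SYN-ACK", "gateway A -> ISG50 -> host", v))
    # The host's ACK always goes through its default gateway, the ISG50.
    v = fw.inspect(Packet(LAN_HOST, WAN_SERVER, "ACK"))
    trace.append(("ACK", "host -> ISG50", v))
    return v, trace


if __name__ == "__main__":
    for subnet, allow in [("192.168.1.0/24", False), ("192.168.1.0/24", True),
                          ("192.168.2.0/24", False)]:
        verdict, trace = run_scenario(subnet, allow)
        print(f"gateway A in {subnet}, allow_asymmetrical={allow}: {verdict}")
        for step in trace:
            print("   ", step)
```

Running the block prints three traces: with gateway A in 192.168.1.0/24 the host's ACK is reset, with the asymmetrical-route setting enabled it is forwarded despite the unseen SYN-ACK, and with gateway A in 192.168.2.0/24 the reply passes the ISG50 and the session completes normally.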
23.2.1 Configuring the Firewall Screen
Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules. Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Note the following.