nanog mailing list archives
Re: which firewall product?
From: William Herrin <bill () herrin us>
Date: Mon, 5 Aug 2013 15:19:25 -0400
On Mon, Aug 5, 2013 at 8:48 AM, Jason Pack <jpack () sevone com> wrote:
I'm pretty sure you can do this with any modern firewall... An ASA5505 is always a good bet. You'd just have to route the IPIP packets to a hairpin interface on the firewall, then create a policy that handles packets coming inbound from the hairpin. Policies for handling traffic with that as the source interface would be able to filter based on layer-3 info as normal.
Hi Jason,

Hairpinning. So, set a router in there with a policy set on the inbound ipip tunnel to forward all traffic out an ethernet to the ASA. Then once I get it back on another ethernet from the ASA, use another policy route to push it all to an outbound tunnel interface.

I hadn't considered that. Yikes, I'm not sure I want to. :)

Thanks,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004