Technical data
Configuring FWLB for NAT Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 15
Preventing Load Balancing of the NAT Addresses
When you configure ServerIrons for load balancing traffic across NAT firewalls, you must disable load balancing
for the NAT addresses themselves. Use either of the following methods; both are equally valid and only one is
required. The method is needed only on the ServerIron connected to the external network, not on the ServerIron
on the internal side of the network.
• Configure the NAT addresses as firewall addresses, but do not configure paths for the addresses. (This is
shown below in the “Extra Firewall Method” section.)
• Configure IP access policies (filters) to deny load balancing for traffic addressed to the NAT addresses. (This
is shown below in the “Access Policy Method” section.)
NOTE: In FWLB configurations, the IP policies do not block traffic altogether. They deny load balancing for
the traffic. Thus, the ServerIron does not load balance packets addressed to the NAT addresses, but instead
sends the traffic only to the firewall that originally sent the traffic.
USING THE CLI
Use either of the following methods to disable load balancing for the NAT addresses.
Extra Firewall Method
To disable load balancing for the NAT addresses by adding firewalls for the addresses, enter commands such as
the following.
NOTE: Do not configure paths for the firewalls.
SI-ActiveA(config)# server fw-name fw1NAT 192.168.3.1
SI-ActiveA(config-rs-fw1NAT)# exit
SI-ActiveA(config)# server fw-name fw2NAT 192.168.2.3
SI-ActiveA(config-rs-fw2NAT)# exit
Access Policy Method
To disable load balancing for the NAT addresses using IP access policies, enter commands such as the following.
SI-ActiveA(config)# ip filter 1 deny any 192.168.3.1 255.255.255.255
SI-ActiveA(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
SI-ActiveA(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The third command
allows all other traffic to be load balanced.
NOTE: The third policy, which permits all other traffic, is required because once you define any access policy,
the default action for packets that match no policy is to deny them. If you configure only the first two policies
and omit the third, you therefore disable load balancing altogether, since every packet is denied load balancing.
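The following Python script is an added example, not part of the Brocade documentation and not ServerIron code. It parses the three ip filter lines above, evaluates a destination address against them in ascending filter-ID order with first match winning and an implicit deny for unmatched packets, and shows what happens when the permit any any catch-all is left out. It assumes the mask in an ip filter line is a subnet mask (255.255.255.255 matches one host) and that "deny" means "excluded from load balancing", as the NOTE above states; the filter text and the probe addresses (203.0.113.5, 10.0.0.1) are constructed sample input.

```python
import ipaddress

# Constructed sample input: the three "Access Policy Method" lines from the page,
# as typed on the external-side ServerIron.
FILTER_CONFIG = """\
ip filter 1 deny any 192.168.3.1 255.255.255.255
ip filter 2 deny any 192.168.3.2 255.255.255.255
ip filter 1024 permit any any
"""

# The same policies with the catch-all permit omitted (the mistake the NOTE warns about).
FILTER_CONFIG_NO_PERMIT = "\n".join(FILTER_CONFIG.splitlines()[:2]) + "\n"


def _parse_spec(tokens):
    """Consume one address spec: 'any' or '<addr> <subnet-mask>'.

    Assumption: the mask is a subnet mask (255.255.255.255 = single host), which is
    the only reading under which the page's host filters make sense.
    Returns (None, rest) for 'any', else (IPv4Network, rest).
    """
    if tokens[0] == "any":
        return None, tokens[1:]
    net = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_filters(text):
    """Parse 'ip filter <id> <permit|deny> <src> <dst>' lines into (id, action, src, dst)."""
    filters = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "filter"]:
            continue  # ignore anything that is not a filter line
        fid, action = int(tokens[2]), tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"filter {fid}: unknown action {action!r}")
        src, rest = _parse_spec(tokens[4:])
        dst, rest = _parse_spec(rest)
        if rest:
            raise ValueError(f"filter {fid}: trailing tokens {rest}")
        filters.append((fid, action, src, dst))
    # Assumption: policies are evaluated in ascending ID order, first match wins.
    return sorted(filters, key=lambda f: f[0])


def _matches(net, addr):
    return net is None or ipaddress.IPv4Address(addr) in net


def lb_decision(filters, src, dst):
    """Return 'permit' if the packet may be load balanced, else 'deny'.

    As on the page, 'deny' does not drop the packet; it only excludes it from
    load balancing. A packet that matches no filter is implicitly denied.
    """
    for _fid, action, src_net, dst_net in filters:
        if _matches(src_net, src) and _matches(dst_net, dst):
            return action
    return "deny"  # implicit deny once any filter is defined


def has_catch_all_permit(filters):
    """True if the last (highest-numbered) filter is 'permit any any'."""
    if not filters:
        return False
    _fid, action, src_net, dst_net = filters[-1]
    return action == "permit" and src_net is None and dst_net is None


def audit(text, probe_dst="10.0.0.1"):
    """Summarise a filter set: which destinations are excluded from load balancing,
    whether a catch-all permit exists, and whether ordinary traffic to probe_dst
    (a constructed non-NAT address) is still load balanced."""
    filters = parse_filters(text)
    excluded = [str(dst) for _fid, action, _src, dst in filters
                if action == "deny" and dst is not None]
    return {
        "excluded_from_lb": excluded,
        "catch_all_permit": has_catch_all_permit(filters),
        "other_traffic": lb_decision(filters, "203.0.113.5", probe_dst),
    }


if __name__ == "__main__":
    for name, cfg in (("with permit", FILTER_CONFIG), ("without permit", FILTER_CONFIG_NO_PERMIT)):
        print(name, audit(cfg))
```

Running the script reports that with the catch-all in place only the two NAT hosts are excluded and other traffic is still balanced, while without filter 1024 every destination is denied load balancing, which is the failure mode the NOTE describes.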
Configuration Example for IronClad FWLB with Layer 3 NAT Firewalls
This section shows the CLI commands for implementing the configuration shown in Figure 7.2 on page 7-9. The
only additional step required is to ensure that the ServerIron connected to the external network does not load
balance return traffic to the addresses the firewalls use for NAT. For example, ServerIron A in Figure 7.2 on
page 7-9 must be configured so that it does not load balance return traffic to 192.168.2.10/24 or 192.168.2.3/24.