Hello, Would like to know the meaning of below service chain configuration. The situation is that I encountered an issue where we run a packet capture end-to-end but from the 3rd party(cloud security provider) side I'm seeing that somehow the packets from the branch get translated since the public IP I saw in 3rd party capture is IP from the Data center.
The setup is that from the branch site we are forwarding the HTTP/HTTPS traffic to 3rd party sec. provider.
from my assumption, this is the traffic flow for web/https ? https://ibb.co/2ZYmrxn
a. Hub - vEdge Configuration vpn 10 service FW address 192.17.1.254 (Forti firewall) service netsvc1 interface gre1 b. vSmart Configuration site-list CUST_SID site-id 123 policy site-list CUST_SID control-policy CUST-CP-Out out data-policy CUST_DATA-POLICY from-service cflowd-template CF_AP control-policy CUST-CP-Out sequence 60 match route site-list CUST_SID (site-id 123) ! action accept set service FW tloc-list MY-TLOC-LIST tloc-list MY-TLOC-LIST tloc 10.78.250.196 color mpls encap ipsec preference 100 tloc 10.78.250.197 color mpls encap ipsec preference 50 tloc 10.78.251.132 color mpls encap ipsec preference 200 tloc 10.78.251.133 color mpls encap ipsec preference 150 tloc 10.78.251.133 color metro-ethernet encap ipsec preference 150 tloc 10.78.251.133 color biz-internet encap ipsec preference 150 tloc 10.78.251.133 color public-internet encap ipsec preference 150 data-policy CUST_DATA-POLICY sequence 100 match source-ip 0.0.0.0/0 destination-port 443 80 ! action accept count 100 cflowd set service netsvc1 local cflowd-template CF_AP flow-inactive-timeout 120 collector vpn 10 address 10.10.48.54 port 2055 transport transport_udp source-interface loopback10 c. Branch - vEdge vpn 10 service netsvc1 interface gre1
QUESTION:
1, Based on the above diagram, is that the correct flow. From the branch site it will be forwarded to the hub then to the firewall?
2. How Hub and Firewall handle the reply/return traffic back to branch site then to the target destination? Since the source IP address already translated to public IP, is it going to based on src/dst ip or TLOC etc?
3. In terms of the return traffic from the actual target destination, What will happen those it go to Brand -> hub -> FW(nat back to private ip) -> hub to branch -> Client? What is the correct process.
4. AS you can see we also have a service netsvc1? What is the purpose of this? Are we going to use this first?
5. What show command , test that can be preformed to validate the flow?
Thanks for you inputs, kinda confuse here.
No comments:
Post a Comment