Non-Transparent Routing Firewalls - Avaya P330 User Manual

Non-Transparent Routing Firewalls

Avaya P330 Load Balancing Manager User Guide
The load balancer enables you to route packets to a DMZ. A DMZ is a
portion of the client's network, apart from the client's LAN, where
remote access is allowed. After creating a DMZ, a third load balancer is
installed to route packets to the DMZ. The following figure illustrates
transparent FWLB with a DMZ.
Figure 1-3. Transparent FWLB With DMZ
Non-transparent routing firewalls are firewalls that support dynamic
NAT.
For non-transparent FWLB, the load balancer receives an outgoing
packet, makes a load balancing decision, and forwards the packet to a
firewall. The firewall keeps a bank of IP addresses and replaces the
source IP address of the outgoing packet with a unique, arbitrary IP
address from the bank. The firewall then forwards the packet to an edge
router which routes it to the correct destination on the WAN.
For incoming packets, the unique NAT address is used as a destination IP
address to access the same firewall. The firewall performs reverse NAT by
replacing the NAT destination address with the actual destination
address (the client IP address), and then forwards the packet to the load
balancer, which routes the packet to its destination. No load balancing is
performed on incoming packets.
For non-transparent FWLB, only one load balancer is required. The
device is positioned on the LAN (internal) side of the firewalls. Since the
firewalls perform NAT, a load balancer is not needed between the WAN
and the firewalls.
6