[c-nsp] pix and css 11501

jason.plank at comcast.net jason.plank at comcast.net
Wed Aug 15 08:38:24 EDT 2007


It is not rare to have the load balancing device on the inside; in fact it's pretty common. What is weird to me is that the server subnet is on the PIX AND behind the CSS. That makes very little sense. I would create a subnet different from the DMZ subnet for behind the CSS. He needs to make sure the "real servers'" default gateway is the CSS and not the PIX.
--
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

 -------------- Original message ----------------------
From: "Tony Smith" <omega7 at gmail.com>
> Because traffic is coming from 1.1.1.1 to 2.2.2.2 (the static on the
> pix).  It is then being destination nat'ed to the inside interface to
> 4.4.4.4 (the CSS VIP.)  The CSS is then destination nat'ing it to the
> server 3.3.3.1 (which is off the dmz interface.)  This last leg is
> from inside:1.1.1.1 to dmz:3.3.3.1.
> 
> First off, why would you have your CSS on the inside and your servers
> in the DMZ?
> Secondly, is it necessary to NAT twice--once on the firewall and again
> on the CSS?
> 
> I don't see how this can work without source nat'ting on the CSS.  The
> firewall is going to see packets source from 1.1.1.1 on the outside
> interface and then see packets source from that ip again on the inside
> interface.
> 
> In a one firewall setup, I have either seen the load balancer put
> outside the firewall, or the load balancer and the servers off the
> same firewall interface and create separate vlans on the switch for
> the VIPs and the servers.
> 
> -tony
> 
> 
> On 8/14/07, jason.plank at comcast.net <jason.plank at comcast.net> wrote:
> > Why is your firewall seeing traffic from 3.3.3.1? All traffic should be
> > presented to your firewall as 4.4.4.4, unless your source nat is screwed up or
> > unless the default gateway for your DMZ host is pointing to an interface on the
> > firewall and not the actual CSS.
> >
> > --
> > Regards,
> >
> > Jason Plank
> > CCIE #16560
> > e: jason.plank at comcast.net
> >
> >  -------------- Original message ----------------------
> > From: "doug schmidt" <douglas.j.schmidt at gmail.com>
> > > hi all,
> > > I'm trying to set up a new load balanced site. It's been a long day, and
> > > I'm not sure if I'm missing something.
> > > The DMZ is a new network on the PIX; other load balanced sites are working under
> > > a different setup.
> > >
> > > Basically, I have a client web request coming from 1.1.1.1.
> > > The web site public IP is 2.2.2.2.
> > > The PIX maps 2.2.2.2 to the CSS VIP 4.4.4.4.
> > >
> > > pix
> > > 2.2.2.x - outside
> > > 3.3.3.x - dmz
> > > 4.4.4.x - inside
> > >
> > > css vip 4.4.4.4
> > > server1 - 3.3.3.1
> > > server2 - 3.3.3.2
> > >
> > > This is the message I get from the PIX when going to the site:
> > > 305006: regular translation creation failed for tcp src
> > > inside:1.1.1.1/3260 dst dmz:3.3.3.1/80
> > >
> > > thanks.
> > > ~doug
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
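The legs Tony traces above, and the 305006 line doug quotes, can be reproduced with a small model of the PIX translation lookup. This is an added example, not configuration or code from the thread or from Cisco; it assumes nat-control style behaviour (a flow crossing from one interface to another needs a matching translation), only the one static the thread mentions, and a constructed 10.10.10.0/24 server subnet for Jason's suggested layout.

```python
# Constructed model of the thread's topology (not from the original post or any Cisco code).
# Assumption: a flow crossing PIX interfaces needs a matching translation (nat-control style),
# and the only translation configured is the static 2.2.2.2 -> 4.4.4.4 that doug describes.
import ipaddress

# PIX interfaces and their subnets exactly as doug lists them
PIX_SUBNETS = {"outside": "2.2.2.0/24", "dmz": "3.3.3.0/24", "inside": "4.4.4.0/24"}
# Statics: (outer interface, inner interface, global IP, local IP)
STATICS = [("outside", "inside", "2.2.2.2", "4.4.4.4")]


def egress_interface(ip):
    """Route lookup: the PIX interface whose subnet holds ip, else outside (default route)."""
    addr = ipaddress.ip_address(ip)
    for name, net in PIX_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "outside"


def pix_leg(ingress, src, dst):
    """Trace one packet leg entering the PIX on `ingress`; returns a syslog-like outcome."""
    # Inbound static: a packet for 2.2.2.2 arriving on outside is sent to 4.4.4.4 on inside
    for out_if, in_if, global_ip, local_ip in STATICS:
        if ingress == out_if and dst == global_ip:
            return f"{ingress}:{src} -> {in_if}:{local_ip} (static for {global_ip})"
    egress = egress_interface(dst)
    if egress == ingress:
        return f"{ingress}:{src} -> {dst} stays on {ingress}, no xlate needed"
    # Outbound through the static: the local host leaving under its global address
    for out_if, in_if, global_ip, local_ip in STATICS:
        if ingress == in_if and egress == out_if and src == local_ip:
            return f"{ingress}:{src} -> {egress}:{dst} (translated src {global_ip})"
    # No nat/static covers this interface pair: the condition behind message 305006
    return f"translation creation failed for src {ingress}:{src} dst {egress}:{dst}"


def trace(legs):
    """legs are (interface the packet enters, src, dst); 'css' means the PIX never sees it."""
    return [pix_leg(*leg) if leg[0] != "css" else f"css:{leg[1]} -> {leg[2]} handled by the CSS only"
            for leg in legs]


# doug's path: the CSS forwards to a DMZ server with the client source intact, so the
# PIX sees inside:1.1.1.1 heading for dmz:3.3.3.1 and has no translation for it.
AS_POSTED = [("outside", "1.1.1.1", "2.2.2.2"), ("inside", "1.1.1.1", "3.3.3.1")]
# Jason's layout: real servers on their own subnet behind the CSS (10.10.10.0/24 is a
# constructed value), default gateway the CSS, so the second leg never re-enters the PIX.
BEHIND_CSS = [("outside", "1.1.1.1", "2.2.2.2"), ("css", "1.1.1.1", "10.10.10.1")]

if __name__ == "__main__":
    for name, legs in (("as posted", AS_POSTED), ("servers behind CSS", BEHIND_CSS)):
        print(name)
        for line in trace(legs):
            print("  " + line)
```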


