[c-nsp] pix and css 11501

Tony Smith omega7 at gmail.com
Wed Aug 15 00:58:10 EDT 2007


Because traffic is coming from 1.1.1.1 to 2.2.2.2 (the static on the
pix).  It is then being destination nat'ed to the inside interface to
4.4.4.4 (the CSS VIP.)  The CSS is then destination nat'ing it to the
server 3.3.3.1 (which is off the dmz interface.)  This last leg is
from inside:1.1.1.1 to dmz:3.3.3.1.

First off, why would you have your CSS on the inside and your servers
in the DMZ?
Secondly, is it necessary to NAT twice--once on the firewall and again
on the CSS?

I don't see how this can work without source nat'ting on the CSS.  The
firewall is going to see packets sourced from 1.1.1.1 on the outside
interface and then see packets sourced from that IP again on the inside
interface.

In a one firewall setup, I have either seen the load balancer put
outside the firewall, or the load balancer and the servers off the
same firewall interface and create separate vlans on the switch for
the VIPs and the servers.

-tony


On 8/14/07, jason.plank at comcast.net <jason.plank at comcast.net> wrote:
> Why is your firewall seeing traffic from 3.3.3.1? All traffic should be presented to your firewall as 4.4.4.4, unless your source NAT is screwed up or unless the default gateway for your DMZ host is pointing to an interface on the firewall and not the actual CSS.
>
> --
> Regards,
>
> Jason Plank
> CCIE #16560
> e: jason.plank at comcast.net
>
>  -------------- Original message ----------------------
> From: "doug schmidt" <douglas.j.schmidt at gmail.com>
> > hi all,
> > I'm trying to set up a new load balanced site. It's been a long day, and
> > not sure if I'm missing something.
> > dmz is new network on pix, other load balanced sites are working under
> > different setup.
> >
> > Basically, I have client web request coming from 1.1.1.1
> > web site public ip is 2.2.2.2
> > pix maps 2.2.2.2 to css vip 4.4.4.4
> >
> > pix
> > 2.2.2.x - outside
> > 3.3.3.x - dmz
> > 4.4.4.x - inside
> >
> > css vip 4.4.4.4
> > server1 - 3.3.3.1
> > server2 - 3.3.3.2
> >
> > this is the message I get from pix when going to the site:
> > 305006: regular translation creation failed for tcp src
> > inside:1.1.1.1/3260 dst dmz:3.3.3.1/80
> >
> > thanks.
> > ~doug
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
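Added example, not from the thread: a small Python model of the packet path Doug describes, showing why the inside-to-dmz leg fails without a translation covering the client address and how source NAT on the CSS (Tony's point) changes that. The security levels, the nat rule covering only 4.4.4.0/24 and the failure condition are assumptions of the model, not actual PIX code.

```python
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# PIX interfaces with their connected networks (from Doug's mail) and an assumed security level.
PIX_IFACES = {"outside": ("2.2.2.0/24", 0), "dmz": ("3.3.3.0/24", 50), "inside": ("4.4.4.0/24", 100)}
# The one static: outside 2.2.2.2 -> inside 4.4.4.4.  Assumed nat rule: only inside hosts in
# 4.4.4.0/24 may cross to a lower-security interface; the client 1.1.1.1 is not covered.
PIX_STATIC = {("outside", "2.2.2.2"): "4.4.4.4"}
PIX_NAT_INSIDE = ipaddress.ip_network("4.4.4.0/24")

def egress_for(dst):
    for name, (net, _) in PIX_IFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return name
    return "outside"  # default route

def pix_forward(ingress, pkt):
    """Return (egress interface, packet), or (None, syslog-style reason) when no xlate can be built."""
    if (ingress, pkt.dst) in PIX_STATIC:  # inbound static hit: rewrite the destination
        pkt = replace(pkt, dst=PIX_STATIC[(ingress, pkt.dst)])
    egress = egress_for(pkt.dst)
    higher_to_lower = PIX_IFACES[ingress][1] > PIX_IFACES[egress][1]
    if higher_to_lower and ipaddress.ip_address(pkt.src) not in PIX_NAT_INSIDE:
        return None, f"305006: regular translation creation failed for tcp src {ingress}:{pkt.src} dst {egress}:{pkt.dst}"
    return egress, pkt

def css_forward(pkt, vip="4.4.4.4", real="3.3.3.1", snat=None):
    """CSS content rule: DNAT the VIP to a real server; snat= is the client source NAT Tony asks for."""
    assert pkt.dst == vip
    pkt = replace(pkt, dst=real)
    return replace(pkt, src=snat) if snat else pkt

def trace_request(css_snat=None):
    """Client 1.1.1.1 -> 2.2.2.2 through the PIX, the CSS, then the PIX again. Returns (delivered, log)."""
    log = []
    egress, pkt = pix_forward("outside", Packet("1.1.1.1", "2.2.2.2"))
    log.append(f"pix outside->{egress}: {pkt.src} -> {pkt.dst}")
    pkt = css_forward(pkt, snat=css_snat)
    log.append(f"css {pkt.src} -> {pkt.dst} (snat={css_snat})")
    egress, result = pix_forward("inside", pkt)  # CSS default gateway is the PIX inside interface
    if egress is None:
        log.append(result)
        return False, log
    log.append(f"pix inside->{egress}: {result.src} -> {result.dst}")
    return True, log
```

Running `trace_request()` reproduces Doug's 305006 message on the last hop; `trace_request(css_snat="4.4.4.4")` delivers the request to 3.3.3.1.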

