[c-nsp] pix and css 11501

doug schmidt douglas.j.schmidt at gmail.com
Wed Aug 15 11:51:45 EDT 2007


On 8/15/07, jason.plank at comcast.net <jason.plank at comcast.net> wrote:
> It is not rare to have the load-balancing device on the inside; in fact it's pretty common. What is weird to me is that the server subnet is on the PIX AND behind the CSS. That makes very little sense. I would create a subnet different from the DMZ subnet for behind the CSS. He needs to make sure the "real servers'" default gateway is the CSS and not the PIX.
> --

Currently, we have other sites where the real servers are on the
inside network along with the CSSs. These real servers have a default
gateway of the CSS. Since they are on the same network, static routes
need to be maintained for real servers on that network to talk to each
other: a static route on each real server says that to talk to that
host, send traffic to the CSS. It's getting a bit messy as the number
of real servers continues to grow.

I was looking to get away from maintaining these static routes and
figured I would put these new servers on a new subnet. There was an
available interface on the PIX, so this is where I'm trying it out from.
It seems like I would need a translation on the CSS, as Tony had
mentioned in his reply?

Here are the current configs.

pix
(static for css ip)
static (inside,dmz) 3.3.3.10 3.3.3.10 netmask 255.255.255.255 0 0

(static for public to real server1)
static (dmz,outside) 2.2.2.168 10.10.10.2 netmask 255.255.255.255 0 0

(static for public to real server2)
static (dmz,outside) 2.2.2.167 10.10.10.3 netmask 255.255.255.255 0 0

(static for public to css vip)
static (inside,outside) 2.2.2.169 3.3.3.3 netmask 255.255.255.255 0 0

(access-list bound outside int in)
access-list incoming permit tcp any host 2.2.2.169 eq www
access-list incoming permit tcp any host 2.2.2.168 eq www
access-list incoming permit tcp any host 2.2.2.167 eq www

(access-list bound dmz int in)
access-list dmz permit ip host 10.10.10.2 host 3.3.3.10
access-list dmz permit ip host 10.10.10.3 host 3.3.3.10

css
  content BLADE-TEST
    vip address 3.3.3.3
    redundant-index 105
    protocol tcp
    port 80
    url "/*"
    add service BLADE-TEST-WN1
    add service BLADE-TEST-WN2
    active

service BLADE-TEST-WN1
  redundant-index 103
  keepalive type http
  ip address 10.10.10.2
  active

service BLADE-TEST-WN2
  redundant-index 104
  keepalive type http
  ip address 10.10.10.3
  active

~doug
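The following is an added illustration, not code from the thread: it parses the PIX statics Doug posted and traces the real server's reply with a simplified, constructed model of the PIX and CSS, to show why the reply bypasses the CSS (and reaches the client from 2.2.2.168 instead of the VIP's 2.2.2.169) unless the CSS translates the client's source address. The client address 4.4.4.4 and the hop-by-hop routing are assumptions, not PIX/CSS behaviour reproduced exactly.

```python
import re
from ipaddress import ip_address, ip_network

# PIX statics copied from the post above; everything else is a constructed model.
PIX_STATICS = """
static (inside,dmz) 3.3.3.10 3.3.3.10 netmask 255.255.255.255 0 0
static (dmz,outside) 2.2.2.168 10.10.10.2 netmask 255.255.255.255 0 0
static (dmz,outside) 2.2.2.167 10.10.10.3 netmask 255.255.255.255 0 0
static (inside,outside) 2.2.2.169 3.3.3.3 netmask 255.255.255.255 0 0
"""
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")

def parse_statics(text):
    """Return {(real_if, mapped_if, real_ip): mapped_ip} for one-to-one statics."""
    return {(m[1], m[2], m[4]): m[3] for m in STATIC_RE.finditer(text)}

# Assumed subnets behind each PIX interface (constructed from the addresses in the post).
PIX_IFACES = {"dmz": ip_network("10.10.10.0/24"), "inside": ip_network("3.3.3.0/24")}

def pix_egress(dst):
    """Interface the PIX forwards a destination out of; anything unknown goes outside."""
    for name, net in PIX_IFACES.items():
        if ip_address(dst) in net:
            return name
    return "outside"

def pix_translate(statics, src, ingress, egress):
    """Source address as seen on the egress interface (unchanged if no static applies)."""
    return statics.get((ingress, egress, src), src)

def reply_path(statics, client, real, vip, css_ip, css_source_nat):
    """Trace the real server's reply; return (hops, source address the client sees)."""
    hops = ["real-server"]
    dst = css_ip if css_source_nat else client   # who the server believes it is talking to
    # The server's default gateway is the PIX dmz interface; the CSS is not on-link.
    egress = pix_egress(dst)
    src = pix_translate(statics, real, "dmz", egress)
    hops.append(f"pix:dmz->{egress}")
    if egress == "inside":
        hops.append("css")                       # CSS undoes its NAT and answers as the VIP
        src = pix_translate(statics, vip, "inside", "outside")
        hops.append("pix:inside->outside")
    hops.append("client")
    return hops, src

def reply_matches_client(statics, css_source_nat):
    """True only if the reply traverses the CSS and arrives from the public VIP."""
    hops, seen = reply_path(statics, "4.4.4.4", "10.10.10.2", "3.3.3.3", "3.3.3.10", css_source_nat)
    return "css" in hops and seen == statics[("inside", "outside", "3.3.3.3")]

if __name__ == "__main__":
    for flag in (False, True):
        print("css source NAT:", flag, reply_path(parse_statics(PIX_STATICS), "4.4.4.4",
                                                  "10.10.10.2", "3.3.3.3", "3.3.3.10", flag))
```

Without the translation the PIX sees only half of the flow through the CSS and the client receives a reply from an address it never connected to; with it, both directions pass the CSS and the reply leaves as 2.2.2.169.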