12-10-2010 02:27 AM
Hi everyone
I am trying to configure an 11501 (config below), and am having problems with the NAT side. So, the config is working fine, except for systems on the same subnet as the server.
So, I have added a group, with a VIP on the server subnet, and this is being NATed, however, the problem I am having is with routing.
So, from a client on the server subnet, the flow is:
Client -> PIX -> VIP on CSS e1 -> NAT -> CSS e5 -> Server (this is working fine)
the return flow though, is the problem:
Server -> CSS e5 -> Client
As interface e5 is on the server subnet, the CSS is routing the traffic back this way, however, this doesn't work. What I need is for the CSS to return the traffic via the default gateway.
So, I have just changed the subnet on the CSS to 255.255.255.128 (as all addresses, web server, interface, VIP etc, are between xxx.xxx.xxx.1 and .101), and then moved the client to xxx.xxx.xxx.250. This works fine.
I can't change the subnet as a fix, so is there something else I can do?
The web server isn't using the CSS as the default gateway, but even if it does, this is still the same.
PLEASE HELP ME :-)
PS If I can't get this working very very soon, then I will have to use Windows Load-balancing instead - so you can see the urgency!!!
Thanks in advance, and kind regards
Matt
!*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 192.168.0.161 1
!************************* INTERFACE *************************
interface e1
  bridge vlan 160
  description "DMZ4_Network"
  phy 100Mbits-FD
interface e5
  bridge vlan 10
  description "PROD_Network"
!************************** CIRCUIT **************************
circuit VLAN160
  description "DMZ4_Network"
  ip address 192.168.0.164 255.255.255.240
    ip virtual-router 160 priority 101 preempt
    ip redundant-vip 160 192.168.0.170
    ip critical-service 160 srv_SERVER1
circuit VLAN10
  description "PROD_Network"
  ip address 192.168.1.3 255.255.255.0
    ip virtual-router 10 priority 101 preempt
    ip redundant-interface 10 192.168.1.9
    ip critical-service 10 srv_SERVER1
!************************** SERVICE **************************
service srv_SERVER1
  ip address 192.168.1.101
  keepalive type none
  active
!*************************** OWNER ***************************
owner own_OWNER1
  content con_CONTENT1
    add service srv_SERVER1
    balance aca
    advanced-balance sticky-srcip
    vip address 192.168.0.170
    protocol tcp
    active
!*************************** GROUP ***************************
group grp_GROUP1
  add destination service srv_SERVER1
  vip address 192.168.1.8
  active
12-10-2010 02:54 AM
Matt,
this won't work unfortunately.
I don't even see how you can make this design with any other vendor.
Routing is something very generic... a directly connected interface will always be preferred to a default gateway.
Can't you isolate the servers from the clients ?
Keep the server vlan only for servers ?
Gilles.
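As an added illustration of Gilles' point (example code written for this page, not from either poster or from Cisco), the snippet below models the CSS routing table reconstructed from the config in the first post and performs a longest-prefix-match lookup. With the /24 mask on circuit VLAN10, a reply to a client at 192.168.1.250 (the address Matt moved his test client to) matches the connected route and leaves on e5, not through the PIX it arrived from; with the /25 mask Matt tried, the same address falls through to the default route and the path becomes symmetric again. The `is_asymmetric` check is a constructed helper, not a CSS feature.

```python
from ipaddress import ip_address, ip_network

# Routing table reconstructed from the CSS config posted above:
# two connected circuits plus the static default route (prefix, interface, next hop).
ROUTES_ORIGINAL = [
    ("192.168.0.160/28", "e1", None),             # circuit VLAN160, connected
    ("192.168.1.0/24",   "e5", None),             # circuit VLAN10, connected (/24)
    ("0.0.0.0/0",        "e1", "192.168.0.161"),  # ip route 0.0.0.0 0.0.0.0 192.168.0.161
]

# The same table after Matt's test of narrowing the VLAN10 mask to 255.255.255.128.
ROUTES_SPLIT = [
    ("192.168.0.160/28", "e1", None),
    ("192.168.1.0/25",   "e5", None),             # circuit VLAN10, connected (/25)
    ("0.0.0.0/0",        "e1", "192.168.0.161"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins.

    Returns (egress_interface, next_hop); next_hop is None for connected routes,
    which is why a connected /24 always beats the 0.0.0.0/0 default.
    """
    dst = ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def is_asymmetric(routes, client, ingress_iface):
    """Constructed check: True when the reply to `client` would leave on a
    different interface than the one the request arrived on. In the thread the
    request comes in on e1 via the PIX, so an e5 egress means the PIX never
    sees the reply half of the TCP conversation."""
    egress, _ = lookup(routes, client)
    return egress != ingress_iface


if __name__ == "__main__":
    for name, table in (("/24 (original)", ROUTES_ORIGINAL), ("/25 (Matt's test)", ROUTES_SPLIT)):
        iface, via = lookup(table, "192.168.1.250")
        print(f"{name}: reply to 192.168.1.250 -> {iface} via {via or 'connected'};"
              f" asymmetric={is_asymmetric(table, '192.168.1.250', 'e1')}")
```

Running it shows the /24 table answering "e5 via connected, asymmetric=True" and the /25 table answering "e1 via 192.168.0.161, asymmetric=False", which is exactly the behaviour Matt observed; the server itself (192.168.1.101) stays on e5 in both tables. The lookup is plain longest-prefix matching, so no vendor-specific preference is involved: as long as the client sits inside a prefix the CSS has directly connected, no default route can pull the reply back through the firewall.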
12-10-2010 03:01 AM
I can't really do this, as all our servers sit in this subnet, and they will need to access these services (it's a CAS array for Exchange, and they will require access to relay SMTP).
I just don't see the best way to do this. As I say everything is fine for the actual clients on the outside, but additional servers do need access to this cluster.
Any other suggestions to make this work? If I can change something in the design, then I'm more than happy to do that!
12-10-2010 03:17 AM
So - thanks for this - you did point me in the right direction. I have changed the internal routing, and this is now working fine.
Thanks very much.