04-17-2008 06:54 AM
Hi all,
Can anyone help me?
We have to send pings from our servers to the external world, and to do this I configured on the CSS a clause on the inside VLAN to permit any ICMP traffic. I also configured a clause to permit traffic from inside to outside on destination port 7 for the TCP protocol.
Moreover, I configured the sourcegroup on these clauses to perform NATting.
I receive an echo after sending a traceroute to the configured VIP address, but I don't receive anything when I send a traceroute to the CSS default gateway (FW). I see only the default IP address of the servers (the internal CSS IP address) in the output.
Is this correct if the destination is unreachable, or did I forget something on the CSS?
Thank you.
Best regards.
Giuseppe
04-23-2008 09:53 AM
A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
As an example, if you had:

service pete
  ip address 1.1.1.1
  active

content pete
  add service pete
  protocol tcp
  port 80
  vip address 2.2.2.2
  active

group pete_out
  vip address 2.2.2.2
  add service pete
  active
So what happens is that when the service makes an outbound connection, the source IP address is now the VIP address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
You can also apply a source group via an acl as another option.
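To make the translation step concrete, here is a small added model of how a source group rewrites outbound flows and maps replies back (constructed for this thread, not CSS code); it replays the example above, service pete at 1.1.1.1 behind group pete_out with VIP 2.2.2.2, against a constructed outside host, and the optional `dst_filter` stands in for the ACL-based conditional NAT mentioned later in the thread:

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class SourceGroup:
    """Simplified model of a CSS source group (constructed, not CSS code):
    outbound flows from member services leave with the group VIP as source,
    and the reply is mapped back to the originating server."""
    vip: str
    members: set                      # real server IPs added with "add service"
    dst_filter: set = None            # optional: NAT only toward these hosts (ACL-style)
    next_port: count = field(default_factory=lambda: count(1025))
    table: dict = field(default_factory=dict)  # nat_port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving toward the outside; returns the rewritten 4-tuple."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if src_ip not in self.members:
            return flow                      # service not in the group: untouched
        if self.dst_filter is not None and dst_ip not in self.dst_filter:
            return flow                      # conditional NAT: destination not matched
        for nat_port, existing in self.table.items():
            if existing == flow:
                return (self.vip, nat_port, dst_ip, dst_port)
        nat_port = next(self.next_port)      # new flow: allocate a port on the VIP
        self.table[nat_port] = flow
        return (self.vip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving at the VIP; returns the 4-tuple delivered to the server,
        or None when no flow state matches (unsolicited traffic is dropped)."""
        if dst_ip != self.vip:
            return None
        flow = self.table.get(dst_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        return (src_ip, src_port, flow[0], flow[1])


def demo():
    """Replays the thread's example: service pete (1.1.1.1) behind group
    pete_out with VIP 2.2.2.2, talking to a constructed outside host."""
    grp = SourceGroup(vip="2.2.2.2", members={"1.1.1.1"})
    out = grp.outbound("1.1.1.1", 40000, "203.0.113.10", 80)
    back = grp.inbound("203.0.113.10", 80, out[0], out[1])
    stray = grp.inbound("198.51.100.7", 80, "2.2.2.2", out[1])
    other = grp.outbound("10.9.9.9", 5555, "203.0.113.10", 80)
    return out, back, stray, other
```

The `stray` case shows why a reply from a host the server never contacted is dropped rather than forwarded: there is no matching flow state behind the VIP.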
05-22-2008 12:35 AM
Hi Edgar,
I have a similar scenario. I have a pair of CSS 11501 configured for VIP and Virtual Interface Redundancy.
The servers are using private IP addressing. They need to initiate connections to the outside world, so I need to NAT their source IP addresses to public addresses.
Is your config example all I need to configure? Does it work for VIP and Virtual Interface Redundancy, as in my case? Do I need to configure ACL?
Thank you.
B.Rgds,
Lim TS
05-22-2008 02:02 AM
The config example is all you need.
ACLs are required only if you want to do conditional NATing; in other words, only if you want to NAT for some specific destinations and not for others.
Gilles.
05-22-2008 06:12 PM
Hi Gilles,
My pair of CSS 11501 has the following VIP and source group:

owner MyOwner
  content web-server
    add service www-server1
    vip address 202.186.13.146
    protocol tcp
    port 80
    redundant-index 1
    active

group TEST
  vip address 202.186.13.146
  add service www-server1
  active
Master CSS
----------
CSS11501# sh group
Group: TEST - Active (202.186.13.146 Master)
Session Redundancy: Disabled
Backup CSS
----------
CSS11501# sh gr
Group: TEST - Active (202.186.13.146 Backup)
Session Redundancy: Disabled
I have tried configuring the group TEST with a random VIP address, e.g. 202.186.13.171, and it still works. Servers can initiate connections to the outside with their source IP address NATed to 202.186.13.171. But when I did "sh group", I noticed something like "not redundant". What does it mean, and what's the implication?
To recap, the pair of CSS is configured for VIP and Virtual Interface Redundancy.
Please shed some light.
Thank you.
B.Rgds,
Lim TS