cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
498
Views
5
Helpful
3
Replies

CSS Deployment Best Option

Daniel.Szydelko
Level 1
Level 1

Hello All,

I'm searching for best deployment scenario in such situation:

I have a 2 x Firewall ASA, both with 5 DMZs. In 3 of them I have HTTPS servers.

What I want to do:

- do SSL offloading by using 2 x CSS11501 with integrated SSL module

- I cannot move servers to one DMZ network segment

- I cannot change addressing scheme for network segments with HTTPS servers

I thought about inline deployment with bridge mode, but I'm not sure if it'll works as I want/need. So my questions are:

1. Are there any restrictions for using bridge mode with SSL offloading ?

2. I don't want situation where servers from different server-side vlans, can communicate each other through CSS. They should communicate through firewall. Is it possible with CSS and what should I use to guarantee it? or it's done by default like on L2 vlan-enabled switch ?

3. Could I use ASR for Active-Backup scenario ? (I think no due to lack of configured Interface Redundancy - am I right ?)

4. In bridge mode as I undestand is needed to use one pair vlans (client-side / server-side) for each serwer farm (or DMZ like in my example) ?

5. What about STP considerations in bridge mode, any problems ?

Topology for one branch(I think it should look like):

FW --- Switch L2 --- Servers

vlan1 || vlan2

CSS

Any other advices will be appreciated.

Many thanks & Regards,

Daniel.

3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

Daniel,

unfortunately, bridge mode won't help in your scenario. The CSS will route between the vlans - ALWAYS. So server-2-server communication can't be avoided.

ASR does not work for SSL terminated connection [bridge more or not].

You could put the CSS in front of the firewalls. The risk is that it is going to be under possible attacks. But it makes the design eaier - will all your restrictions.

You could also put the CSS in a DMZ and use client nat to guarantee the response going back to the CSS. But you then lose stats about real client ip address.

Because of all the restrictions you will end up with a design not very satisfying. It is better to make a few modifications to the current design to guarantee that the future will be better. Like moving all the servers into a single DMZ and readdressing those.

You can use private ip addresses for the servers as they will be fronted by the CSS that can perform nat if needed.

Gilles.

Gilles,

Thank you for your response.

I thought about using CSS in front of FW in one-arm mode, hoverever I cannot perform any client nat due to decrypted HTTP traffic need to be inspected by external IPS system.

Writing about ASR I thought about HTTP traffic.

So best for me is also put CSS in router mode in one separate DMZ, but I'm not sure that it could be possible in environment which doesn't suits for pure loadbalancing scheme (CSS will perform only SSL offloading with balancing 1:1 VIP to service ratio).

Thanks & Regards,

Daniel.

Hi,

I've one more question. Even If it'll be possible to move all servers to single DMZ, could I use bridge mode instead router mode, regarding fact that both CSS will work in VIP Redundancy with ASR for HTTP traffic and doing SSL termination ?

Any obstacles to do that ?

Thanks & Regards,

Daniel.

Review Cisco Networking for a $25 gift card