CSS - Design and access to resources

krebs
Level 1

Many thanks to everyone for these boards. I've been able to work through a lot of my issues by reading the posts.

We have a new implementation going in with Tivoli to handle Single Sign On as well as security. I need to clarify a few things:

My Infrastructure is as follows:

----Internet--- Database Servers, LDAP
/ __________\______/ _____/
/ / \ /
Pri Pix------- Secondary Pix
/ \
L2 Switch----------L2 Switch
/ \
CSS 01 ---- ASR ---- CSS 02
/ \
L2 Switch----------L2 Switch
/ \ \ \
Tivoli01 Web01 Tivoli02 Web02

1) I was going to NAT the Public address for the Tivoli servers in the Firewall and then NAT again at the CSS. Main reason was so that access to the Tivoli Servers from the Internal LDAP and Policy Servers could be routed with Internal Address space. Everything has to pass through the Firewall and CSS - completely isolated segment.

2) How do I get administrators from the inside network to the Web Servers? Should they be able to get to the real address that is configured on the server? Or do I have to set up a circuit and NAT them through? I'm referring to admin access for VNC.

I've read a little about groups, but I'm not sure how they apply or if that is the correct method.

3) Follow-up to above... The Tivoli servers will need to communicate with resources that sit behind a different interface of the Firewall. What is the best method to allow the Tivoli servers through the CSS and FW to get to their resources? Should I set up more content rules? groups?

Appreciate the help, Thanks...

1 Reply

Gilles Dufour
Cisco Employee

1/ No comment - this is a classic design.

2/ They should be able to access the real IP address of each server. No need for NATing or groups or whatever.

Groups are used to NAT the client IP address when connecting to a VIP address, or the server IP address when the server initiates a connection to the outside.

In your case, you don't need it.

3/ You don't need anything special normally.

It's a design question.

Are the resources accessible from the server directly? [Is the firewall allowing this traffic?]

Do they expect connections from a specific IP address?

The CSS is just an L3 switch if you do not configure anything. So it will simply route in and out.

You only need fancy config if you have fancy requirements.

Regards,

Gilles.
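To make the distinction in the reply concrete, here is an added illustration of the two uses of a CSS source group it describes (client-side source NAT toward a VIP, and server-initiated outbound NAT). This is not configuration from the original thread or from either poster; the service names, VIP and address ranges are invented placeholders, and the command syntax is given as an assumption of the CSS 11500 CLI rather than verified against a specific software release. As the reply notes, neither group is needed for plain admin access to a server's real address.

```text
! --- assumed CSS CLI; hypothetical names and addresses ---

! Real servers behind the CSS (constructed example addresses)
service web01
  ip address 192.0.2.11
  active
service web02
  ip address 192.0.2.12
  active

! Content rule: the public VIP clients connect to
owner sso_owner
  content web_vip
    vip address 203.0.113.10
    protocol tcp
    port 80
    add service web01
    add service web02
    active

! Use 1: client source NAT when hitting the VIP.
! "add destination service" rewrites the client's source address
! to 203.0.113.20 so the web servers see one CSS-owned address
! and return traffic is forced back through the CSS.
group clients_to_vip
  vip address 203.0.113.20
  add destination service web01
  add destination service web02
  active

! Use 2: server-initiated outbound NAT.
! "add service" rewrites the source address of connections the
! servers themselves open (e.g. to an outside resource) to 203.0.113.21,
! which is what the reply's "expect connection from a specific ip" refers to.
group servers_outbound
  vip address 203.0.113.21
  add service web01
  add service web02
  active
```

The two groups differ only in whether the service is added as a destination (translate clients heading to it) or as a plain service (translate the server's own outbound connections); if neither case applies, the CSS routes the traffic unchanged, as the reply states.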
