CSS Inbound and outbound confirmation

aiyappa
Level 1

Hi Gilles

If I NAT the private IP addresses of my backend servers to a public IP address for the servers to access the internet, can I use the same VIP address for the clients on the internet to access the servers? I suppose that this is possible. Could you please confirm?

Also would I need to configure separate source groups for this?

Thank you

Regards,

Sanjith

5 Replies

Gilles Dufour
Cisco Employee

If you NAT server connections going out, you can do this with a single public [VIP] IP address.

The CSS will do port NATing.

However, if you want to be able to open a connection to the servers directly from the internet, you need a 1-to-2 mapping between private and public address.

In this case, why not just configure the servers directly with a public ip ???

Otherwise, you will have to configure a group and a content rule for each server public ip.

Gilles

Thanks Gilles

So this means that I may use the VIP address for the clients to contact the servers and also for the servers to initiate a connection to the internet. However, the NATing will be done port-based. So I understand that I may just add the VIP address under the group command and I should have the port-based NATing. Is this right? If yes, then will the NATing be done for both the UDP and TCP traffic and ICMP packets?

Also you have mentioned that to open a connection to the servers directly from the internet, you need a 1-to-2 mapping between private and public address. How can I do this? Could you please provide me with a sample configuration which I may refer to. I am sorry if I am asking for too much but any help from you would be of the greatest use.

Thank you again

Regards

Sanjith

Sanjith,

I can confirm the first part.

You can use the same vip in a content rule and in a group.

The group applies to all traffic, so TCP, UDP and ICMP will be NATed with the same group.

For the 2nd part, client to server, I made a typo.

I meant to say, 1-to-1 mapping.

So, for each server you will need to configure a content and a group each time with a different VIP.

So for 2 servers, you will get something like this:

owner XYZ
  content SRV-1
    vip address x.x.x.x1
    add service SRV1
    active
  !
  content SRV-2
    vip address x.x.x.x2
    add service SRV2
    active
  !
  group SRV-1
    vip address x.x.x.x1
    add service SRV1
    active
  !
  group SRV-2
    vip address x.x.x.x2
    add service SRV2
    active

As you can see this is a very tedious process.

So, why not just use the public addresses on the server directly ????

Or, as you probably have a firewall, why not do the NATing on the firewall ???

These would be much better solutions if you need direct access to the server.

Don't forget that NATing is not a security feature !!! You can't consider your network safe because you are NATing.

Gilles.

Thank you so much for your response.

With respect to only the server initiating connections to the internet, will the following work?

service ftp
  ip address X.X.X.X
  protocol tcp
  keepalive type tcp
  keepalive port 21
  port 21
  keepalive frequency 255
  active

owner test
  content test_FTP
    add service ftp
    protocol tcp
    port 21
    vip address X.X.X.1
    active
  group clients-group
    vip address X.X.X.1
    active

Or do I have to add the services in the client group also?

Thank you again.

Regards

Sanjith

Sanjith,

You need to add the service under the group, just like you did for the content rule.

Gilles.
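The two rules the thread settles on (a group must carry the same VIP as the content rule so the servers' outbound traffic is source-NATed to that address, and the group must list the same services as the content rule) are easy to get wrong in a long owner block, as the "tedious" two-server example shows. The following Python checker is an added example, not code from this thread or from any Cisco tool; it parses the indented CLI form of the configs posted above into content/group blocks, reports mismatches, and classifies the group layout as port NAT (many servers behind one VIP) or 1-to-1 (one server per VIP). The function names parse_css, check_nat_pairing and nat_mode are hypothetical, and the sample configs and 192.0.2.x addresses are constructed stand-ins for the X.X.X.X placeholders.

```python
"""Consistency checks for CSS content rules and groups (added example).

Not a Cisco tool: it only recognises the content/group/vip/add service
lines seen in the thread and ignores everything else.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the last config in the thread: the group
# names the VIP but lists no service. Addresses are placeholders.
SAMPLE_CONFIG = """\
service ftp
  ip address 10.0.0.5
  protocol tcp
  keepalive type tcp
  keepalive port 21
  port 21
  keepalive frequency 255
  active
owner test
  content test_FTP
    add service ftp
    protocol tcp
    port 21
    vip address 192.0.2.1
    active
  group clients-group
    vip address 192.0.2.1
    active
"""

# Same config with the fix from the last reply applied (service added to the group).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "  group clients-group\n    vip address 192.0.2.1\n",
    "  group clients-group\n    vip address 192.0.2.1\n    add service ftp\n",
)

# Constructed version of the two-server 1-to-1 layout from the thread.
TWO_SERVER_CONFIG = """\
owner XYZ
  content SRV-1
    vip address 192.0.2.11
    add service SRV1
    active
  content SRV-2
    vip address 192.0.2.12
    add service SRV2
    active
  group SRV-1
    vip address 192.0.2.11
    add service SRV1
    active
  group SRV-2
    vip address 192.0.2.12
    add service SRV2
    active
"""


def parse_css(text):
    """Collect blocks as kind -> name -> {'vip': str|None, 'services': set}.

    Indentation is ignored; a line starting with 'service' or 'owner'
    ends the current content/group block, matching how the CLI nests.
    """
    rules = {"content": {}, "group": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(content|group)\s+(\S+)$", line)
        if m:
            kind, name = m.groups()
            current = rules[kind].setdefault(name, {"vip": None, "services": set()})
            continue
        if re.match(r"^(service|owner)\s+\S+$", line):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^vip(?:\s+address)?\s+(\S+)$", line)  # 'vip address X' or 'vip X'
        if m:
            current["vip"] = m.group(1)
            continue
        m = re.match(r"^add service\s+(\S+)$", line)
        if m:
            current["services"].add(m.group(1))
    return rules


def check_nat_pairing(rules):
    """Return the mismatches the thread warns about; an empty list means consistent."""
    problems = []
    groups_by_vip = defaultdict(list)
    for gname, g in rules["group"].items():
        groups_by_vip[g["vip"]].append(gname)
    for cname, c in rules["content"].items():
        gnames = groups_by_vip.get(c["vip"], [])
        if not gnames:  # no group on this VIP: servers' outbound traffic is not NATed to it
            problems.append(f"content {cname}: no group uses VIP {c['vip']}")
            continue
        covered = set().union(*(rules["group"][g]["services"] for g in gnames))
        for svc in sorted(c["services"] - covered):
            problems.append(f"content {cname}: service {svc} missing from "
                            f"group(s) {', '.join(gnames)} sharing VIP {c['vip']}")
    return problems


def nat_mode(rules):
    """'one-to-one' if every group holds exactly one service and each service
    appears in one group; 'port-nat' if any group holds several services;
    'none' if no group lists a service at all."""
    groups_per_service = defaultdict(int)
    many_to_one = False
    for g in rules["group"].values():
        if len(g["services"]) > 1:
            many_to_one = True
        for svc in g["services"]:
            groups_per_service[svc] += 1
    if not groups_per_service:
        return "none"
    if many_to_one or any(n > 1 for n in groups_per_service.values()):
        return "port-nat"
    return "one-to-one"


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG),
                       ("two servers", TWO_SERVER_CONFIG)):
        r = parse_css(cfg)
        print(label, nat_mode(r), check_nat_pairing(r) or "OK")
```

Run against the posted config it reports the missing `add service ftp` in `clients-group`; the fixed and two-server configs pass and are classified 1-to-1. The checker says nothing about whether a layout is secure, in line with the remark above that NAT is not a security feature.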
