02-23-2008 11:52 AM
I have a CSS11501 that is used for SSL offloading of HTTPS traffic and redirects the traffic on the backend on port 80 to a webserver through a Cisco ASA. The CSS is currently placed in a DMZ on an ASA and the webserver is placed on another DMZ. The CSS is configured to do full proxy at this moment. What I want to do is to make the CSS act as a transparent proxy so the source IP addresses are visible on the webserver. Is there a way to achieve this without changing the design, so the firewall and CSS can remain in different DMZs?
02-24-2008 05:11 AM
the problem is not the CSS but really the design.
If you configure the CSS to act transparently, the server will try to respond to the client directly.
If the CSS can't intercept the response, the client will receive a SYN/ACK from the server while expecting a SYN/ACK from the VIP.
So, the only way to have the CSS work transparently is to guarantee that the response from the server will go through the CSS.
3 solutions:
- client nat and therefore you break transparency
- move the CSS in front of the servers
- use policy routing to intercept the server traffic and redirect it to the CSS.
You have option #1.
Option #3 is not possible with firewall, so you are left with option #2.
Gilles.
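The handshake Gilles describes, traced as an added example (not from this thread; the addresses are constructed). It models the three cases: client NAT (full proxy), transparent with the server's reply bypassing the CSS, and transparent with the reply forced back through the CSS (CSS in front of the servers, or policy routing).

```python
from dataclasses import dataclass

# Constructed addresses for the simulation (not from the thread).
CLIENT = "198.51.100.7"   # internet client
VIP = "203.0.113.10"      # VIP on the CSS
CSS = "10.1.1.2"          # CSS interface facing the server DMZ
SERVER = "10.2.2.20"      # real web server in the other DMZ


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str


def simulate(client_nat: bool, return_via_css: bool) -> dict:
    """Trace one TCP handshake through the CSS.

    client_nat:     CSS rewrites the client source to its own address (full proxy).
    return_via_css: the server's reply is guaranteed to pass the CSS
                    (CSS in front of the servers, or policy routing).
    """
    # 1. client SYN to the VIP, forwarded to the real server by the CSS
    syn = Segment(CLIENT, VIP, "SYN")
    to_server = Segment(CSS if client_nat else syn.src, SERVER, "SYN")
    server_sees_client_ip = to_server.src == CLIENT

    # 2. server answers whatever source address it saw
    reply = Segment(SERVER, to_server.src, "SYN/ACK")

    # 3. the reply crosses the CSS if it is addressed to the CSS,
    #    or when the return path is forced through it
    if reply.dst == CSS or return_via_css:
        reply = Segment(VIP, CLIENT, reply.flags)   # CSS restores VIP as source

    # 4. the client only accepts a SYN/ACK from the VIP it sent the SYN to
    client_accepts = reply.src == syn.dst and reply.dst == CLIENT
    return {"server_sees_client_ip": server_sees_client_ip,
            "client_accepts": client_accepts}


if __name__ == "__main__":
    cases = {
        "full proxy (client NAT)": dict(client_nat=True, return_via_css=False),
        "transparent, reply bypasses CSS": dict(client_nat=False, return_via_css=False),
        "transparent, reply forced via CSS": dict(client_nat=False, return_via_css=True),
    }
    for name, kw in cases.items():
        print(f"{name:36} {simulate(**kw)}")
```

Only the last case gives the server the real client address and still completes the handshake; the second case is the broken design the reply warns about.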
02-29-2008 01:07 AM
Dear Gilles,
Thank you very much for the information. I have another question regarding the CSS. Is it possible to implement the following:
Our client wants to activate two servers in the live environment, but all traffic should come to the primary server; when this is not available then it should go to the secondary, and if this one is also not available it should go to a "sorry server". Can you briefly explain how to do this? Can I achieve this by assigning a high weight to the primary server?
Thanks for the info,
Kind Regards,
Cuneyt