We are in the process of testing out a load balancing/redundancy setup using the GSS4480 and a CSS11506. Right now the CSS is set up with RFC 1918 addressing and we NAT out to the internet using a Checkpoint firewall. If I set up my VIP answer file to poll the 1918 address of the CSS, then that will be the answer that is given out when a client requests a name lookup, which won't work. There has to be a way to configure this, or else all the diagrams I have seen are using internet routable name spaces. Looking at the docs and playing with the GUI I don't see any way of configuring it to use RFC 1918 addressing behind the firewall and still give out internet routable domain names. The docs show the GSS and CSS being behind firewalls. I guess I am just missing something. Can the CSS be configured to link the RFC 1918 address to a public address for KAL-AP purposes? Also, are there any issues with NATing to RFC 1918 addresses for the health probes to other GSSs? We would like the health probes to go out over the internet, not over our back end. Thanks
The firewall is a Checkpoint so there is no issue with NATing the DNS response. The question here is how do I give out an internet routable address, say 126.96.36.199, from the GSS when the VIP of the CSS is 10.10.10.10?? When I set up the shared keepalives to be the IP address of the load balancer (CSS), this is the IP address (10.10.10.10) that is used as an answer to the client request. Since this is not routable on the internet the DNS query won't work. The only way I can see making this work is to put the GSS in front of the firewall and it would query the NATed internet address of the VIP (188.8.131.52). Then this address would be used as an answer. The only issue I see here is does the KAL-AP by VIP need to go to the actual address of the VIP on the CSS (10.10.10.10) or would the NATed VIP work? Most of the diagrams I have seen are showing the GSS and the CSS in back of the firewall. Are they using internet routable addressing here?? Thanks.
Sorry, but I don't see why the DNS query won't work just because this is a 10.x.x.x address.
I understand you have this
client --- FW ---- GSS ---- CSS
The query for www.yourcompany.com will come to the GSS, and the response will be 10.10.10.10.
The FW should look into the DNS payload and replace 10.10.10.10 with a public address 184.108.40.206.
Everything will then work fine.
Once again, the PIX firewall will do this.
You can move the GSS in front of the FW (this is just not very secure since you expose your GSS box to possible attacks).
The response to the Internet will contain the public address.
The KAL to the public address will be translated to the private address. This is no problem.
However, internal users will have the same DNS problem.
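As an added illustration (not code from the thread or from Cisco or Checkpoint) of what the "look into the DNS payload" step above has to do: the firewall parses the answer section of the DNS response and replaces the private VIP with its public mapping, leaving everything else intact. The NAT table, the public address 203.0.113.10 and the sample response are constructed for this example.

```python
import ipaddress
import struct

# Constructed NAT table: private VIP on the CSS -> public address the firewall advertises.
NAT_MAP = {"10.10.10.10": "203.0.113.10"}  # hypothetical public address


def _skip_name(msg, off):
    """Return the offset just past the domain name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length


def doctor_dns_response(msg, nat_map=NAT_MAP):
    """Rewrite A-record RDATA in a DNS response according to nat_map; other RRs untouched."""
    out = bytearray(msg)
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_off = off + 10
        if rtype == 1 and rdlen == 4:  # A record: RDATA is a 4-byte IPv4 address
            private = str(ipaddress.IPv4Address(msg[rdata_off:rdata_off + 4]))
            if private in nat_map:
                out[rdata_off:rdata_off + 4] = ipaddress.IPv4Address(nat_map[private]).packed
        off = rdata_off + rdlen
    return bytes(out)


def build_response(qname, answer_ip):
    """Build a minimal DNS response (constructed sample) with one A record for qname."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags (QR, RD, RA), counts
    question = name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def answered_ip(msg):
    """Return the A-record address in the first answer of a single-question response."""
    off = _skip_name(msg, 12) + 4
    off = _skip_name(msg, off) + 10
    return str(ipaddress.IPv4Address(msg[off:off + 4]))


if __name__ == "__main__":
    raw = build_response("www.yourcompany.com", "10.10.10.10")
    print(answered_ip(raw), "->", answered_ip(doctor_dns_response(raw)))
```

Because an A record's RDATA stays four bytes, the message length does not change, which is what keeps this rewrite simple for the firewall; the device doing the NAT still has to recompute the UDP and IP checksums after the edit.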
I am not the firewall guy here and need to do a little research on the PIX to see how that works. Are there any links on this? Is this something special the PIX does or is it just standard NATing? I need to see if the Checkpoint will do this, otherwise we will have to put the GSS on the internet, which of course is not secure. I will look into the PIX, but if you can direct me to a doc on that it would be helpful. If it does change the DNS payload then it will work. Thanks!
Is this DNS doctoring? I found this link:
I haven't seen that before.
That's a new one to me. Now I need the Checkpoint box to do the same thing ;) If not, and I put the GSS outside the firewall and look at the NATed VIP from the CSS, will KAL-AP have trouble with that, since the CSS will be reporting that 10.10.10.10 is OK while I am querying the shared keepalive at the NATed address of 220.127.116.11? HMMM
You can use TAG instead of the IP address if the GSS is in front of the firewall.
See the below from the documentation:
If you chose a KAL-AP keepalive type, from the KAL Type drop-down list, choose the format of the KAL-AP keepalive query that you will be sending.
The choices are:
KAL-AP By Tag: Embeds a unique alphanumeric tag in the KAL-AP request. The tag value is used to match the correct VIP on the SLB, avoiding confusion that can be caused when probing for the status of a VIP on an SLB that is located behind a firewall using Network Address Translation (NAT) or that is applying multiple content rules to incoming
Sweet! Another solution would be to use some PIX boxes just for DNS, but I don't think that would be cost effective. As far as the KAL-AP by tag:
Enter a unique alphanumeric value in the Tag field. This is used as a "key" by the Content Services Switch or the Content Switching Module to match the KAL-AP request with the appropriate VIP. Does this key need to have a matching key on the CSS? Thanks for all the help so far.
On the CSS, you first need to configure app-udp in global config mode, then under the content rule you define the TAG/key with the command:
I think we're close to the solution now :-)
It looks like app-udp is on by default. As far as the tag: on the GSS, I would go into the shared keepalives and specify the NATed VIP of our CSS. Then configure KAL-AP by TAG and use the tag "TESTTAG". Then under the content rule define this tag:
vip address 10.10.10.10
add service USSvr1
add service USSvr2
add dns TESTTAG
Sound about right?
Did you find a similar feature to the PIX DNS Doctor on the Checkpoint? I have a very similar problem and need to NAT the data portion of a DNS response through a Checkpoint FW.