02-26-2008 01:15 PM
I have a question regarding Content Switch 11506 configuration. I am doing an implementation in an ISP environment. The scenario/diagram is attached.
I briefly describe the scenario to you.
They have a core router/switch 6509. On the 6509 there is a VLAN to which the content switch 11506 is connecting. Behind the content switch we have two Bluecoat proxies working as proxy servers and more HTTP servers.
I have allowed access from the outside interface (CSS VLAN circuit ID 20) to all servers placed behind the CSS. Users from outside are able to ping the Bluecoat servers and are able to access HTTP sites on the server placed in the same VLAN, circuit ID 1.
But the issue is, when anybody (Bluecoat proxy servers or HTTP server) from inside VLAN circuit ID 1 tries to access anything placed on the outside of the CSS or tries to access the internet, the traffic does not pass across the CSS; the CSS does not allow the traffic to go across.
I have also configured the ACL on both the inside & outside circuits to allow everything from any source to any destination. But I am still unable to access anything placed outside the CSS.
acl 7
  clause 15 permit any any destination any
  apply circuit-(VLAN1)
  apply circuit-(VLAN20)
acl enable
But it is still not working. Somebody told me about a source group to NAT the source IP. What is this? Please, this is a live environment. I need urgent help from any one of you. I have to resolve this issue as soon as possible. I will really appreciate the help.
Ansar
02-26-2008 04:20 PM
A source group is a collection of local servers that initiate flows from within the local web farm. When you configure a source group, the CSS provides network address translation (NAT) of the source IP addresses.
Please see the following example:
group outgoingS1S2
  vip address 17.16.1.2
  add service server1
  add service server2
  active
The above group will NAT outbound connections from server1 & server2 to the public IP 17.16.1.2.
Syed
02-26-2008 09:24 PM
Thanks Syed for your quick reply.
Do I also need to configure an ACL on the CSS to allow the outgoing traffic for the servers, or will just this "group outgoingS1S2" config be enough for initiating outgoing traffic from the servers?
Thanks.
Ansar
02-27-2008 04:05 PM
An ACL is not needed for source groups.
In certain situations ACLs + groups give you more control. For example, if you just want to source NAT traffic sourced from a specific set of subnets, then you can use a group with ACLs.
Syed
02-27-2008 04:32 PM
Ansar,
A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound through the CSS. It would be helpful if you could email me directly a piece of your config. Specifically, I would need the "service" section, in terms of which servers need outbound access, as well as the content rules you have configured and the ACL section, to confirm you are not blocking anything.
As an example, if you had:
service pete
  ip address 1.1.1.1
  active
content pete
  add service pete
  protocol tcp
  port 80
  vip address 2.2.2.2
  active
group pete_out
  vip address 2.2.2.2
  add service pete
  active
So what happens is, when the service makes an outbound connection, the source IP address is now the VIP address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
You can also apply a source group via an ACL, as another option.
Regards
Pete..
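To make the mechanism Syed and Pete describe concrete, here is a small Python model of a stateful source group: flows initiated by member servers (or, for the ACL+group variant Syed mentions, by a configured source subnet) get their source address rewritten to the VIP, and the return packet is matched against the flow table and mapped back to the originating server. This is an added example written for this thread, not CSS code or Cisco documentation; the class and field names, the outside host 198.51.100.10, the non-member host 1.1.1.9 and the 10.0.0.0/24 subnet are constructed, and the per-flow NAT port allocation is a simplification of what the real CSS does. The addresses 1.1.1.1 and 2.2.2.2 come from Pete's example above.

```python
"""Toy model of CSS source-group NAT (constructed example, not CSS code)."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple packet; proto kept only for readability."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceGroup:
    """A source group: a VIP plus the servers whose outbound flows it NATs."""

    def __init__(self, name, vip, members=(), acl_source_subnets=()):
        self.name = name
        self.vip = vip
        self.members = set(members)                  # "add service" entries
        # Optional ACL-clause style restriction: NAT traffic *sourced* from
        # these subnets even if the host is not a named service (assumption).
        self.acl_source_subnets = [ipaddress.ip_network(s) for s in acl_source_subnets]
        self._next_port = 1025                       # constructed allocator
        self._flows = {}     # (nat_port, dst_ip, dst_port) -> (src_ip, src_port)
        self._reverse = {}   # (src_ip, src_port, dst_ip, dst_port) -> nat_port

    def _eligible(self, src_ip):
        if src_ip in self.members:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.acl_source_subnets)

    def outbound(self, pkt):
        """Translate a server-initiated packet leaving the farm.

        Non-member traffic passes unchanged: the group holds no flow for it,
        which is why the reply never finds its way back through the CSS.
        """
        if not self._eligible(pkt.src_ip):
            return pkt
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._reverse.get(key)
        if nat_port is None:                         # first packet of the flow
            nat_port = self._next_port
            self._next_port += 1
            self._reverse[key] = nat_port
            self._flows[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.vip, src_port=nat_port)

    def inbound(self, pkt):
        """Map a reply addressed to the VIP back to the server that started it.

        Returns None when nothing matches, i.e. unsolicited traffic to the
        VIP/port is dropped rather than forwarded to a backend.
        """
        if pkt.dst_ip != self.vip:
            return None
        orig = self._flows.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        src_ip, src_port = orig
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)


def demo_members():
    """Pete's group: service 1.1.1.1 behind VIP 2.2.2.2; 1.1.1.9 is not a member."""
    group = SourceGroup("pete_out", vip="2.2.2.2", members={"1.1.1.1"})
    out = group.outbound(Packet("1.1.1.1", 40000, "198.51.100.10", 80))
    reply = Packet("198.51.100.10", 80, out.src_ip, out.src_port)
    back = group.inbound(reply)
    untouched = group.outbound(Packet("1.1.1.9", 40001, "198.51.100.10", 80))
    stray = group.inbound(Packet("198.51.100.10", 80, "2.2.2.2", 9999))
    return out, back, untouched, stray


def demo_acl_subnet():
    """Syed's ACL+group variant: only 10.0.0.0/24 sources are translated."""
    group = SourceGroup("subnet_out", vip="2.2.2.2", acl_source_subnets=["10.0.0.0/24"])
    in_subnet = group.outbound(Packet("10.0.0.5", 50000, "198.51.100.10", 443))
    outside_subnet = group.outbound(Packet("10.0.1.5", 50001, "198.51.100.10", 443))
    return in_subnet, outside_subnet


if __name__ == "__main__":
    print(demo_members())
    print(demo_acl_subnet())
```

The two demo functions correspond to the two configurations discussed: `demo_members` is the plain `group` with `add service`, and `demo_acl_subnet` is the ACL-driven variant. Note that the "stray" reply to an unknown NAT port returns None, which is the behaviour you want from a device sitting in front of proxies: only flows the farm itself opened get back in.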