Re: how to access internet/outside network from servers VLAN thr

ansar.aziz · ‎02-26-2008

I have a question regarding Content switch 11506 configuration. I am doing implementation in ISP environment. the senario/diagram is attached with it.

I briefly describe the scenario to you.

They have core router/switch 6509. On 6509 there is VLAN on which content switch 11506 is connecting. Behind the content switch we have two bluecoat proxy working as proxy server and more HTTP server.

I have allowed access from outside interface (CSS VLAN circuit ID 20) to all servers place behind the CSS. Users from out side are able to ping bluecoat server and able to access http sites on server placed in the same VLAN circuit ID 1.

But the issue is, when anybody (bluecoat proxy servers or HTTP server) from inside VLAN Circuit ID 1 tries to access any thing placed on outside of CSS or try to access internet then traffic does not pass across the CSS and CSS does not allow traffic to go across.

I also have configured the ACL on both the inside & outside circuits to allow every thing from any source to any destination. But still unable to access anything place outside CSS.

acl 7

clause 15 permit any any destination any

apply circuit-(VLAN1)

apply circuit-(VLAN20)

acl enable

But still not working. Somebody told me about about Source group to NAT source IP. What is this?? Please this is live environment. I need the urgent help from any one of you. I have to resolve this issue as soon as possible. I will really appreciate the help.

Ansar

Syed Iftekhar Ahmed · ‎02-26-2008

A source group is a collection of local servers that initiate flows from within the local web farm.When you configure a source group, a CSS provides network address translation (NAT) of source IP addresses.

Please see the following example:

group outgoingS1S2

vip address 17.16.1.2

add service server1

add service server2

active

The above group will NAT the outbound connection from server1 & server2 to public IP 17.16.1.2.

Syed

ansar.aziz · ‎02-26-2008

Thanks Syed for your quick reply.

Do i also need to configure the ACL on CSS for allowing the ourgoing traffic for servers. OR just this "group outgoingS1S2" config will enough for initiating outgoing traffic from the Servers.

Thanks.

Ansar

Syed Iftekhar Ahmed · ‎02-27-2008

ACL is not needed for source groups.

In certain situations ACL+groups give you more control.For example if you just want to source nat traffic sourced from a specific set of subnets then you can use group with ACLs.

Syed

pknoops · ‎02-27-2008

Ansar,

A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.

As an example.

If you had

service pete

ip address 1.1.1.1

active

content pete

add service pete

protocol tcp

port 80

vip address 2.2.2.2

active

group pete_out

vip address 2.2.2.2

add service pete

active

So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.

You can also apply a source group via an acl as another option.

Regards

Pete..

pknoops@cisco.com

how to access internet/outside network from servers VLAN through CSS 11506.