How to NAT

dellarocca
Level 1

Hello,

I have a problem running this configuration:

PC (10.1.1.1) must connect to http service on 10.1.1.100

CSS1 and 2 are performing balancing between FW1 and 2 (Nokia Check Point).

CSS2 performs http balancing between SRV1 and 2 with VIP 192.168.2.100

CSS1 has a content rule to NAT 10.1.1.100 to 192.168.2.100.

When traffic goes from PC to CSS1, it seems that the XOR (to choose the FW path) is between 10.1.1.1 and 10.1.1.100.

When the traffic comes back to CSS2, it seems that the XOR is between 192.168.2.100 and 10.1.1.1.

The result is that there should be asymmetric traffic through the firewalls, with consequent drops.

If I remove a FW, everything works fine.

It also works fine if PC connects to 192.168.2.100 (without using NAT on CSS1).

Am I wrong somewhere? Network diagram follows.

            |PC|
              |
--------------------------- 10.1.1.0/24
              |
            |CSS1|
              |
--------------------------- 192.168.1.0/24
        |            |
      |FW1|        |FW2|
        |            |
--------------------------- 192.168.2.0/24
              |
            |CSS2|
              |
--------------------------- 192.168.3.0/24
        |            |
      |SRV1|       |SRV2|

3 Replies

Gilles Dufour
Cisco Employee

If I understand correctly, you have a VIP on CSS1 with a service that points at a VIP on CSS2?

The problem is that when the destination is a service, the CSS will only use one of the available routes, with no load balancing.

So your traffic from CSS1 to CSS2 will always use the same firewall. The response will be loadbalanced.

In conclusion, you can't use a VIP on CSS1.

Gilles.

Hello Gilles,

So you mean that CSS1 cannot perform any NAT? (PC cannot reach services on 10.1.1.100?)

The documentation says that if you want to NAT in a FWLB architecture you must use a content rule.

Best regards,

Gaetano.

You can NAT on CSS2, not CSS1.

Gilles.
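The following is an added worked example, not code from the thread or from Cisco. It models the firewall-path selection described above (an XOR over the source and destination addresses, taken modulo the number of firewalls) and counts, for every client in 10.1.1.0/24, how often the forward and return packets of one connection would land on different firewalls. The exact CSS hash is not given on this page, so the fold used here (XOR of the two 16-bit halves of src ^ dst) is an assumption; what the example shows holds for any hash that is commutative in its two addresses: the two CSS boxes stay consistent only when they both hash the same address pair, which is the case when the NAT is done on CSS2 (the client connects to 192.168.2.100) and not when CSS1 rewrites 10.1.1.100 to 192.168.2.100.

```python
import ipaddress

# Addresses taken from the original post.
PC_NET = ipaddress.IPv4Network("10.1.1.0/24")
CSS1_VIP = "10.1.1.100"      # NAT VIP configured on CSS1
CSS2_VIP = "192.168.2.100"   # HTTP VIP on CSS2 (servers behind it)


def fw_index(src: str, dst: str, n_fw: int) -> int:
    """Model of the CSS firewall-path selection.

    ASSUMPTION: the real CSS hash is not documented on this page. This model
    XORs the two 32-bit addresses, folds the result to 16 bits and takes it
    modulo the number of firewalls. Because XOR is commutative, the result
    does not depend on which address is the source and which the destination.
    """
    x = int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))
    folded = (x >> 16) ^ (x & 0xFFFF)
    return folded % n_fw


def asymmetric_flows(client_vip: str, n_fw: int) -> int:
    """Count clients whose forward and return packets pick different firewalls.

    client_vip is the address the PC connects to. Per the post, CSS1 hashes
    the pair it sees on the client side, (client, client_vip); CSS2 hashes the
    pair it sees once its own NAT is reversed, (CSS2_VIP, client). When
    client_vip is CSS1's NAT address the two pairs differ; when it is CSS2's
    VIP they are the same pair in the opposite order.
    """
    mismatches = 0
    for host in PC_NET.hosts():
        client = str(host)
        if client == client_vip:
            continue  # the VIP itself is not a client
        forward = fw_index(client, client_vip, n_fw)   # chosen by CSS1
        back = fw_index(CSS2_VIP, client, n_fw)        # chosen by CSS2
        if forward != back:
            mismatches += 1
    return mismatches


def scenarios() -> dict:
    """The three cases described in the thread, as mismatch counts."""
    return {
        "NAT on CSS1, two firewalls": asymmetric_flows(CSS1_VIP, 2),
        "NAT on CSS1, one firewall": asymmetric_flows(CSS1_VIP, 1),
        "NAT on CSS2 only, two firewalls": asymmetric_flows(CSS2_VIP, 2),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name}: {count} client(s) with asymmetric paths")
```

With this model the NAT-on-CSS1 layout sends every client's return traffic through the other firewall, removing one firewall makes the choice trivially consistent (as the poster observed), and moving the NAT to CSS2 gives zero asymmetric flows because both boxes hash the same unordered pair. A different real-world hash would change the numbers in the first case but not the zero in the other two.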
