11-20-2006 03:37 PM
(FW)---(CSS11501)---(SERVERS)
Basic configuration, everything on VLAN1. Servers in the web farm are logging attacks, etc. The source IP addresses all show the CSS instead of the originating IP address coming from the outside.
What do I need to add/change to allow servers to see the actual IPs from the outside?
11-21-2006 01:26 AM
Is the CSS really inline between FW and servers?
Or is it more like a one-armed scenario:
FW----+------- CSS
      |
   servers
If you look in your config you must have the following commands:
group
  vip x.x.x.x
  add destination server
  ...
  active
This is what tells the CSS to do client NAT.
It is required if you do not have the servers behind the CSS or if you did not make the CSS the default gateway for the servers.
The CSS is a stateful device like a firewall and it needs to see all the packets of a connection - both ways.
The client NAT that you have is the simplest solution to implement, but the drawback is that the server only sees 1 client - the CSS.
So it is up to you to adjust your design to guarantee that the server response goes back to the CSS without client NAT.
Gilles.
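As an added illustration of the symptom in this thread (my own code, not from the original posts): a small Python check over web-server access logs that flags when the client field has collapsed to a single address (the CSS), which is what client NAT produces, beside the same requests as the servers would log them once they see the real client addresses. The CSS address, the client addresses and every log line are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log style (not real traffic).
CSS_VIP = "192.0.2.100"  # placeholder for the CSS address the servers see

# What the servers log while the CSS does client NAT: every request comes from the CSS.
NATTED_LOG = [
    f'{CSS_VIP} - - [20/Nov/2006:15:37:01 -0500] "GET /index.html HTTP/1.1" 200 512',
    f'{CSS_VIP} - - [20/Nov/2006:15:37:02 -0500] "GET /probe-1 HTTP/1.1" 404 210',
    f'{CSS_VIP} - - [20/Nov/2006:15:37:03 -0500] "GET /login HTTP/1.1" 200 1024',
    f'{CSS_VIP} - - [20/Nov/2006:15:37:04 -0500] "GET /probe-2 HTTP/1.1" 404 210',
]
# The same four requests once the CSS forwards them without client NAT.
CLEAN_LOG = [
    '198.51.100.7 - - [20/Nov/2006:15:37:01 -0500] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Nov/2006:15:37:02 -0500] "GET /probe-1 HTTP/1.1" 404 210',
    '198.51.100.7 - - [20/Nov/2006:15:37:03 -0500] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.9 - - [20/Nov/2006:15:37:04 -0500] "GET /probe-2 HTTP/1.1" 404 210',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')

def parse(lines):
    """Yield (client_ip, status) for each line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("status"))

def balancer_share(lines, balancer_ip):
    """Fraction of parsed requests whose client address is the load balancer."""
    ips = [ip for ip, _ in parse(lines)]
    return Counter(ips)[balancer_ip] / len(ips) if ips else 0.0

def source_collapsed(lines, balancer_ip, threshold=0.95):
    """True when the balancer address dominates the client field, i.e. client NAT
    is hiding the real sources and per-IP attribution or blocking is meaningless."""
    return balancer_share(lines, balancer_ip) >= threshold

def error_sources(lines):
    """Client addresses ranked by number of 4xx/5xx responses (a crude probe indicator)."""
    return Counter(ip for ip, status in parse(lines) if status >= 400)
```

On the NATted log every probe is attributed to the CSS itself, so blocking or reporting by source address would only ever name the load balancer.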
11-21-2006 09:52 AM
Yes, inline configuration. The FW connects to an L2 switch crossed over to the CSS; the servers are connected to CSS ports directly. However, the servers' default gateway is the FW, not the CSS. That is what I believe I need to change in order for it to work. Is that correct, or is there something else?
Example:
circuit VLAN1
  ip address x.x.x.x x.x.x.x

owner xyz
  address "xyz"
  content rule.100.https
    protocol tcp
    port 443
    url "/*"
    add service serv.1.https weight 1
    add service serv.2.https weight 2
    add service serv.3.https weight 3
    vip address x.x.x.100
    application ssl
    advanced-balance ssl
    sticky-mask 255.255.255.0
    sticky-inact-timeout 15
    dnsbalance roundrobin
    balance srcip
    active

group source.100
  vip address x.x.x.100
  add destination service serv.1.https
  add destination service serv.2.https
  add destination service serv.3.https
  active
11-21-2006 11:18 PM
If the servers are really inline and all traffic needs to go across the CSS to reach the firewall, you can safely "suspend" the group and everything should work.
No need to change the default-gateway on the servers.
Gilles.