Is it possible to use the CSS inside a PIX DMZ?

cocolema · ‎12-14-2001

I have a client with the following current config:

Internet

||

router

||

switch

||

PIX===DMZ

||

switch

||

router

||

LAN

My questions are:

a) Can I place a CSS 11000 series in the PIX DMZ, even though the PIX is natting those addresses?

b) If so, can do I need to use a different network from the DMZ network for the boxes connecting to the CSS?

c) If I connect the CSS to the PIX and there are boxes on that switch, will they be "controlled" by the CSS as if they were plugged directly into it?

Thank you,

Cosby

wukunpeng · ‎12-22-2001

The common design:

Internet

|

router

|

Content-Switch

| | |

PIX PIX PIX

| | |

Content-Switch

|

LAN

But because of PIX not support VRRP,so PIXs can not support stateful-failover when their load balancing.

If you have DMZ,I suggest you plug all PIXs FE to the 3nd CSS, CSS use VIP to NAT the server ip.

See the below topology

Internet

|

router

|

Content-Switch

| | | VIP

PIX PIX PIX--content------server-farm

|| || | |

||___||___|____|

| | |

Content-Switch

|

LAN

troark · ‎03-13-2002

I'm a bit confused by the recommended topology diagram. Specifically by the use of the lines and brackets. It looks like you suggest 3 CSSes surrounding one DMZ?

I don't find any documentation that indicates such a requirement for topology. Could you recommend any to support your recommendation?