07-25-2005 11:36 AM
All,
Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
Everything works inbound no problem.
What I need to do is set up some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
Is this possible with our setup? Does anyone have some code examples?
Thanks in advance.
Addresses changed to protect the innocent:
Load Balancer 1:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.252
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Primary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Primary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.251 255.255.255.0
ip virtual-router 1 priority 254 preempt
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.2 255.255.255.0
ip virtual-router 2 priority 254 preempt
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content
Load Balancer 2:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.251
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Secondary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Secondary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.252 255.255.255.0
ip virtual-router 1
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.3 255.255.255.0
ip virtual-router 2
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content.
07-26-2005 12:34 AM
All the NATing is done with a "group" set of commands.
It works somehow like the owner/content config.
i.e.:
group Mygroup
vip x.x.x.x [outside address]
add service
add service ...
active
more info at
If you are already using a group for these servers to NAT the client IP address on inbound, then the config above won't work and a more complex one is required.
Let me know if it is needed.
Thanks,
Gilles.
07-26-2005 06:39 AM
Gilles,
Thanks again for the help. I am not "knowingly" using any client NAT in my current config. :-)
I am definitely not using any groups.
I have the CSS boxes connected to our DMZ network (Circuit VLAN 1 - Public addresses) and to a second "server" network behind the CSS (Circuit VLAN 2 - Private addresses).
I will try the solution you recommended above and see what happens.
Thanks
07-26-2005 07:45 AM
Gilles,
I added the following commands, and things seem to be working.
To circuit VLAN1
ip redundant-vip 1 1.1.1.80
!*************************** GROUP ***************************
group natout
vip address 1.1.1.80
add service nat_web_servers
active
service nat_web_servers
ip address 192.168.1.10 range 3
active
I do have a question about the above service commands.
I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
Otherwise, I think you have resolved this problem for us. Thank you.
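As an added example (not from the thread and not Cisco's own tooling), a small Python audit of a CSS-style config in the shape posted above: it expands `range N` into N consecutive backend addresses (the reading the range-2 test later in this thread supports), maps each backend to the group VIP it would be source-NATed behind, and flags backends with no outbound NAT as well as group VIPs that the circuit does not also list as `ip redundant-vip`, which the working config above does. The parser and the sample config are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted in the thread above; the
# parser and the "range N = N consecutive addresses" reading are assumptions.
SAMPLE_CONFIG = """\
circuit VLAN1
  ip redundant-vip 1 1.1.1.80
service nat_web_servers
  ip address 192.168.1.10 range 3
  active
group natout
  vip address 1.1.1.80
  add service nat_web_servers
  active
"""

def parse_css(config):
    """Return (services, groups, redundant_vips) from a CSS-style config."""
    services, groups, vips, ctx = {}, {}, set(), (None, None)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"^(service|group|circuit) (\S+)$", line):
            ctx = (m[1], m[2])
            if m[1] == "service": services[m[2]] = []
            if m[1] == "group": groups[m[2]] = {"vip": None, "services": []}
        elif ctx[0] == "service" and (m := re.match(r"^ip address (\S+)(?: range (\d+))?$", line)):
            base = ipaddress.ip_address(m[1])      # range N covers base .. base+N-1
            services[ctx[1]] = [str(base + i) for i in range(int(m[2] or 1))]
        elif ctx[0] == "group" and (m := re.match(r"^vip address (\S+)$", line)):
            groups[ctx[1]]["vip"] = m[1]
        elif ctx[0] == "group" and (m := re.match(r"^add service (\S+)$", line)):
            groups[ctx[1]]["services"].append(m[1])
        elif ctx[0] == "circuit" and (m := re.match(r"^ip redundant-vip \d+ (\S+)$", line)):
            vips.add(m[1])
    return services, groups, vips

def outbound_nat_map(config):
    """Backend IP -> public VIP it is source-NATed behind via a group."""
    services, groups, _ = parse_css(config)
    return {ip: g["vip"] for g in groups.values()
            for svc in g["services"] for ip in services.get(svc, [])}

def audit(config, backends):
    """Backends with no outbound NAT, and group VIPs not declared redundant-vip on any circuit."""
    _, groups, vips = parse_css(config)
    covered = outbound_nat_map(config)
    return {"no_outbound_nat": [ip for ip in backends if ip not in covered],
            "vip_not_redundant": sorted(g["vip"] for g in groups.values()
                                        if g["vip"] and g["vip"] not in vips)}
```

Running `audit(SAMPLE_CONFIG, [...])` over the three server addresses from the post plus an extra one shows which hosts would fall outside the group and so keep their private source address on egress.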
07-26-2005 07:50 AM
hummm... I'm surprised you can use a range for the service and assign to a group where there is no range.
The regular way to do it is normally to create a service for each one of your servers and add all the services under the same group.
Regards,
Gilles.
07-26-2005 12:21 PM
Gilles,
I ran a test, set the range to 2 and then tried all of the servers again. The first two worked, the third failed.
Then I set it up the way you recommended. :)
Thanks and take care.