01-10-2008 10:32 AM
Can the natpool IP addresses be the same for both the CSM and SSL module?
Additional information: we are load balancing across two SSL modules, and the CSMs are in active/passive mode in two separate Catalyst 6509s. There is an 8 GB EtherChannel connecting them, running HSRP.
We have a web crawler/search engine that needs to get to a secure site. This server resides on the server side of the CSM alongside the web servers.
We have the CSM running in router mode with secure mode for the SSL module.
Client-side VLAN 218 calls come in and are redirected to 443, then come back to the CSM and are routed to the SSL module on secure VLAN 4. The clear text comes back from VLAN 4 to the CSM and is routed on server-side VLAN 200. If the request comes in from VLAN 200 there is an additional rule. If I use nat client with a natpool (different serverfarm) and send traffic unencrypted, it works fine. If I send to the SSL module first, it does not. I think that traffic needs to be NAT'd.
I currently do not have a natpool configured for the SSL module(s).
01-11-2008 01:42 AM
You can't have the same natpool on different boxes. It would be like configuring the same interface IP address on two devices. You get collisions and lots of problems.
I'm not sure why it does not work when going directly to your SSL module.
You'll need to share the config and capture a trace between the CSM and SSLM first.
Gilles.
01-11-2008 01:21 PM
I do not have a sniffer trace at this time, but here are the configurations requested.
Please note that the requests work when I do not introduce SSL for the server-side calls, which are load balanced to a serverfarm with a client-side natpool.
This is why I was wondering if I would need a natpool on the SSL module (based on content coming from server-side VLAN 200).
Also, I must note that the subnets on both sides have a subnet mask of /23 (510 usable addresses each).
CSM
serverfarm SERVERFARM3
 nat server
 no nat client
 real name SERVER3A
  inservice
 real name SERVER3B
  inservice
 real name SERVER3C
  inservice
 real name SERVER3D
  inservice
 probe TCP-80
!
serverfarm SERVERFARM3-SRV
 nat server
 nat client SERVERSIDE1
 predictor leastconns
 real name SERVER3A
  inservice
 real name SERVER3B
  inservice
 real name SERVER3C
  inservice
 real name SERVER3D
  inservice
 probe TCP-80
!
vserver BIZNESS-P
 virtual 158.139.219.27 tcp www
 vlan 218
 serverfarm R-BIZNESS-P
 persistent rebalance
 inservice
!
vserver BIZNESS-P-SSL
 virtual 158.139.219.27 tcp https
 serverfarm SSL-MODS
 persistent rebalance
 inservice
!
*(This works - but no SSL is in place - should have same serverfarm as BIZNESS-P for redirect to 443)
!
vserver BIZNESS-P-V200
 virtual 158.139.219.27 tcp www
 vlan 200
 serverfarm SERVERFARM3-SRV
 persistent rebalance
 inservice
!
vserver BIZNESS-P-V4
 virtual 158.139.219.27 tcp www
 vlan 4
 serverfarm SERVERFARM3
 sticky 30
 persistent rebalance
 inservice
-----------------------------------------------
SSL-M
ssl-proxy service bizness-p
 virtual ipaddr 158.139.219.27 protocol tcp port 443 secondary
 server ipaddr 158.139.218.5 protocol tcp port 80
 certificate rsa general-purpose trustpoint bizlink-p
 no nat server
 policy url-rewrite generic-80
 inservice
!
01-14-2008 01:09 AM
You need the client NAT on the CSM as well.
Simply reuse the same serverfarm for your decrypted traffic and everything will be OK.
Gilles.
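Gilles' suggestion applied to the CSM configuration posted above, as an added illustration and not part of either post: the vserver that receives the decrypted traffic from the SSL module on VLAN 4 is pointed at SERVERFARM3-SRV, the farm that already carries nat client SERVERSIDE1, instead of SERVERFARM3 (which has no nat client). The serverfarm is repeated unchanged for reference; only the serverfarm line of BIZNESS-P-V4 differs from the posted config. The sticky group 30 and the natpool SERVERSIDE1 are assumed to be defined elsewhere exactly as in the poster's running config.

```cisco
! Serverfarm with client NAT (unchanged from the posted config).
serverfarm SERVERFARM3-SRV
 nat server
 nat client SERVERSIDE1
 predictor leastconns
 real name SERVER3A
  inservice
 real name SERVER3B
  inservice
 real name SERVER3C
  inservice
 real name SERVER3D
  inservice
 probe TCP-80
!
! Decrypted traffic returning from the SSL module on VLAN 4.
! Changed line: serverfarm SERVERFARM3 -> SERVERFARM3-SRV, so the
! request is source-NATed from the SERVERSIDE1 pool before it reaches
! a real on VLAN 200.
vserver BIZNESS-P-V4
 virtual 158.139.219.27 tcp www
 vlan 4
 serverfarm SERVERFARM3-SRV
 sticky 30
 persistent rebalance
 inservice
```

The reason client NAT matters only on this path: the crawler and the real servers sit on the same VLAN 200 subnet. With nat server alone, the decrypted request still carries the crawler's own address as its source, so the chosen real answers its neighbour directly on VLAN 200 and the reply never passes back through the CSM and the SSL module, which breaks the connection. With the request source-NATed to a SERVERSIDE1 address, the real replies to the CSM, which then returns the traffic through the SSL module on VLAN 4 to be re-encrypted. Compare the flow before and after the change with a capture between the CSM and the SSLM, as Gilles asked for.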