10-02-2007 10:16 AM
I have a need to use 1 CSS to balance server farms that reside on 2 different PIX segments. So Internet traffic destined for a server farm on "DMZ 1" would be balanced and traffic destined for a server farm on "DMZ 2" would be balanced through the same CSS. Also, I have a 2nd CSS for redundancy. I am not sure of the best way to accomplish this and keep traffic routing through the proper PIX interface.
10-03-2007 12:05 AM
Placing the CSS outside is the easiest solution.
But then the device is not protected by the firewalls.
If you attach the CSS to both DMZ, then you have a device routing between 2 DMZ, bypassing the firewalls which is not a great idea.
Placing the CSS in 1 DMZ is ok, but then you need to turn on client nat for traffic having to be loadbalanced to the other DMZ.
Placing the CSS inside is the worst, as you need client nat for both DMZ.
So, hopefully you'll be able to decide what is better for you with this information.
Gilles.
10-03-2007 03:24 AM
Right now I have the CSS connected to both DMZs and all VIPs are in "DMZ1". When I connect to a VIP with servers in "DMZ2" it seems to work OK. I had to set the default gateway of the servers in DMZ2 to the VLAN interface on the CSS. The problem is that when one of those servers tries to initiate a connection to the Internet, it can't, since the gateway is the CSS and the CSS only has 1 default route and that is through DMZ1. So now I have asymmetric routing through the PIX.
There has to be a better way.
10-03-2007 04:11 AM
You can use an ACL to match traffic from the servers in DMZ2 and set the next hop to be the PIX IP in DMZ2.
Something like this:
service pix-dmz2
  ip address x.x.x.x
  type transparent-cache
  active

acl 1
  clause 10 permit any any destination any prefer pix-dmz2
  apply circuit-vlan-dmz2
But being connected to the 2 dmz is not "secure" as the CSS can bypass the firewall.
There is no point using 2 DMZ if at the end you have a device being able to connect those 2 vlans bypassing the firewall.
So, just use 1 DMZ.
Gilles.
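The snippet in the reply above is the core of the policy-based routing trick; the configuration below is an added, fuller example written for this page (it is not from the thread or from Cisco documentation) showing how the pieces fit on a CSS that has a circuit in each DMZ. All addresses, circuit names and the service name are made up, and lines starting with "!" are annotations rather than CSS commands. The one point the reply does not spell out and that bites in practice: once "acl enable" is issued, every circuit that has no ACL applied drops all traffic, so the DMZ1 circuit needs an explicit permit-all ACL as well. Note also that the "prefer" clause only affects flows the servers initiate themselves; return traffic of load-balanced flows is forwarded from the CSS flow table, not by this ACL.

```text
! Constructed addressing for this example:
!   DMZ1 = 192.0.2.0/24     CSS circuit VLAN1 = 192.0.2.10,    PIX dmz1 = 192.0.2.1  (VIPs live here)
!   DMZ2 = 198.51.100.0/24  CSS circuit VLAN2 = 198.51.100.10, PIX dmz2 = 198.51.100.1

! One circuit (VLAN interface) per DMZ. Servers in DMZ2 use 198.51.100.10 as default gateway.
circuit VLAN1
  ip address 192.0.2.10 255.255.255.0
circuit VLAN2
  ip address 198.51.100.10 255.255.255.0

! Single default route: anything not caught by the ACL below leaves via the PIX in DMZ1.
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! The DMZ2 interface of the PIX is defined as a transparent-cache service purely so an ACL
! clause can name it as a preferred next hop (this is how the CSS does policy-based routing).
! Default keepalive is ICMP, so the PIX interface must answer ping or the service goes down
! and the prefer clause stops taking effect.
service pix-dmz2
  ip address 198.51.100.1
  type transparent-cache
  active

! ACL on the DMZ2 circuit: flows that DMZ2 servers originate go back out through the PIX
! interface in DMZ2 instead of following the default route into DMZ1 (the asymmetric path).
acl 1
  clause 10 permit any any destination any prefer pix-dmz2
  apply circuit-VLAN2

! Caveat: with ACLs enabled, a circuit without an applied ACL denies everything, so DMZ1
! needs an explicit permit-all clause or the VIPs stop answering.
acl 2
  clause 10 permit any any destination any
  apply circuit-VLAN1

! ACLs are inert until enabled globally.
acl enable
```

Verify with "show acl 1" and "show service pix-dmz2" that the clause hit counter climbs when a DMZ2 server opens an outbound connection and that the service state is Alive; if the service is Down, the clause is ignored and the traffic silently takes the DMZ1 default route again. None of this removes the objection raised in the thread: the CSS still has an interface in both DMZs and can forward between them without the PIX seeing the traffic.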