Private addresses from CSS being seen on PIX internal interface
Ok, I've been looking at this for three days now and I can't seem to fix it. The short story is we use a CSS11503 (code 7.02) as a one-armed load balancer for several proxy servers. Generally speaking, things are working. However, when traffic gets heavy, I start seeing the private addresses from behind the CSS (192.168.5.191 & 192) trying to access the internet without being NATed to (220.127.116.11 & 192). Someone please give me a hint. The basic config is below, cutting out all of the junk.
service ProxyA
  ip address 192.168.5.191
  keepalive type tcp
  keepalive port 8857
  weight 2
  active

service ProxyB
  ip address 192.168.5.192
  keepalive port 8857
  keepalive type tcp
  weight 2
  active

content ISA
  add service ProxyB
  vip address 18.104.22.168
  add service ProxyA
  flow-timeout-multiplier 225
  advanced-balance sticky-srcip
  balance weightedrr
  active

content ProxyA
  add service ProxyA
  vip address 22.214.171.124
  flow-timeout-multiplier 225
  active

content ProxyB
  vip address 126.96.36.199
  add service ProxyB
  flow-timeout-multiplier 225
  active
They started out the same. I forgot to change some of those rules when I was working on this current problem. In any case, I've updated them all and still see the same results.
In addition, I read a note about the CSS being less efficient as a "one arm" so I connected a second interface and separated "Internal" and "External" CSS interfaces. Don't know that it helped at all. Still getting the 192.168 addresses flowing out to my PIX. While I was tinkering yesterday, I did notice that by disabling the Group for a proxy server, ALL of his traffic continued to flow into my PIX without NAT. I didn't know that could happen. I figured without a Group assigned to a server, it couldn't pass traffic outside the CSS.
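For reference, this is the CSS mechanism the post calls a "Group": a source group is what translates the source address of traffic the real servers originate themselves (here, the proxies fetching from the internet), whereas a content rule only handles client-to-VIP flows and does nothing for server-originated packets. A server that matches no active source group is simply routed through the CSS with its real 192.168.5.x address, which is what the post describes seeing on the PIX. The fragment below is an added example written for this page, not configuration taken from the original post; the group name ProxyNAT and the choice of 220.127.116.11 as the shared source-NAT address for both proxies are assumptions, while the service names ProxyA and ProxyB are the ones defined in the post.

```text
! Added example, not from the original post.
! Source group: flows originated by ProxyA/ProxyB leave the CSS with the
! group's VIP as their source address instead of 192.168.5.191/.192.
! Group name and VIP address are assumptions for illustration.
group ProxyNAT
  vip address 220.127.116.11
  add service ProxyA
  add service ProxyB
  active
```

To confirm the group is actually being hit, `show group` reports each group's state and hit counters, and `show flows` lists the active flow table with source, destination and NAT addresses; a flow that still shows 192.168.5.191 or .192 as its source on the outbound side did not match any active group. Keep in mind that suspending a group does not stop the servers' traffic, it only stops the translation, so the untranslated flows reaching the PIX after a group is disabled are expected CSS behaviour rather than a fault.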