Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
515
Views
0
Helpful
3
Replies

Problem with GSLB and NAT

mattbclarke
Level 1
Level 1

‎04-11-2006 06:38 AM

Hi,

I have been having a few problems with NAT and gslb.

The scenario is as follows. I have two sites with one gslb in each location using rule based dns.. the dns and vips are statically nated behind pix using the static dns attribute.

If I do a lookup externally to the primary css dns I get the correct 'A' record for the VIP passed back and all works ok.. this is also the case for the backup site..

However I have now linked these two css via app and they are dynamically passing vips. Now if I suspend the primary site services (forcing failover to backup site) and do a dns lookup I get the real private 'A' record for the backup site which is no use.

I have tried configuring the primary pix with a static for the other sites global and private address (as suspected this did not work).. Has anyone come across this?

Thanks

Matt

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎04-11-2006 11:23 PM

Matt,

you should use the dns fixup function of the pix.

It will inspect nat response and replace internal address with external address.

See the following example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Gilles.

0 Helpful

mattbclarke
Level 1
Level 1
In response to Gilles Dufour

‎04-11-2006 11:44 PM

Hi Gilles,

Thanks for the response. I actually already have the dns a records working using PIX fixup with the following command (from lab):

static (inside,outside) 200.200.200.4 10.1.1.4 dns netmask 255.255.255.255 0 0

However this works fine if I query css1 (at site 1)which is behind PIX1 and it returns VIP1 (local to this css) with the correct NAT A record on the firewall.

However the problem is when I query this CSS1 for VIP2 which is learnt through an app session to CSS2, the problem is that this VIP's DNS a record is not changed.

I have tried putting a similar static on PIX1 to do the dns fixup for the global and private address on PIX2.. but this doesn't seem to work..

Let me know if this makes sense? So in summary dns fixup is working fine on each site independantly however when each site passes the other sites VIP in a dns response this is not modified..

Thanks

Matt

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to mattbclarke

‎04-12-2006 01:44 AM

the solution is dns fixup.

If it does not work, you should ask the security forum why.

The CSS correctly returns the vip ip address.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card