03-29-2005 08:20 AM
Hi All,
I am a little confused with source group NAT ACLs. I have the following design with our CSS.
I have a firewall with inside, outside and a CSS interface. The CSS is sitting in between the firewall and the server vlan 203. I have the following config
!************************* INTERFACE ****************
interface 1/1
bridge vlan 99
description "Failover link to secondary"
interface 2/1
bridge vlan 210
description "Link to VIP vlan (firewall)"
interface 2/2
bridge vlan 203
description "Link to dmz servers"
!************************** CIRCUIT *****************
circuit VLAN999
ip address 10.56.99.3 255.255.255.0
redundancy-protocol
circuit VLAN210
redundancy
ip address 10.56.10.3 255.255.255.0
circuit VLAN203
redundancy
ip address 10.56.3.3 255.255.255.0
!**************************** ACL *****************
acl 1
clause 1 bypass any 10.0.0.0 255.0.0.0 destination 10.56.3.0 255.255.255.0
clause 2 bypass any 192.168.0.0 255.255.0.0 destination 10.56.3.0 255.255.255.0
clause 100 permit any any destination any
apply circuit-(VLAN210)
acl 2
clause 1 bypass any 10.56.3.0 255.255.255.0 destination any
apply circuit-(VLAN203)
acl 3
clause 1 permit any any destination any
apply circuit-(VLAN999)
------------------------
With the above configuration, the servers on the 203 vlan (for example 10.56.3.40) cannot get to a website which has a VIP address of 10.56.10.10 because of the ACLs applied to vlan 203. The gateway for the vlan 203 servers is 10.56.10.3 which is the CSS.
We have internal DNS servers pointing to the VIP address for web page resolution, and the external servers point to the outside address and our firewalls do a static translation.
Will source group NAT fix this problem?
03-29-2005 10:39 AM
I am a little confused on what you are doing here.
1. Is the VIP in question actually on this CSS that you show here but just did not cut/paste here ?
2. If #1 is true, then is the VIP on this CSS load balancing to servers on VLAN203 ?
3. Can you add "permit any any destination any" to acl 2 as clause 10? I ask this because if clause 1 does not get a hit, then the traffic will be denied by default.
4. Did you do a show acl to see if any of these are getting hits as you would expect them to ?
Regards
Pete..
03-29-2005 11:29 AM
Sorry for the confusion. Since Vlan203 has a combination of servers, some of which need load balancing and some do not, I have to bypass some traffic.
ACL 1 permits the traffic from the inside network to get to the servers directly (like terminal services etc.) for maintenance of the servers in the 203 vlan (10.56.3.x).
Inside DNS servers resolve www.net.com to the VIP address of 10.56.10.11 and external DNS resolves it to 67.x.x.x. The firewalls statically NAT 10.56.10.11 to 67.x.x.x.
The VIP in question is on the CSS and I have added the full config here.
!************************* INTERFACE ****************
interface 1/1
bridge vlan 999
description "Failover link to secondary"
interface 2/1
bridge vlan 210
description "Link to VIP vlan (firewall)"
interface 2/2
bridge vlan 203
description "Link to dmz servers"
!************************** CIRCUIT *****************
circuit VLAN999
ip address 10.56.99.3 255.255.255.0
redundancy-protocol
circuit VLAN210
redundancy
ip address 10.56.10.3 255.255.255.0
circuit VLAN203
redundancy
ip address 10.56.3.3 255.255.255.0
!************************** SERVICE **************
service 10.56.3.50-443
ip address 10.56.3.50
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.50-80
ip address 10.56.3.50
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
service 10.56.3.60-443
ip address 10.56.3.60
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.60-80
ip address 10.56.3.60
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
service 10.56.3.70-443
ip address 10.56.3.70
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.70-80
ip address 10.56.3.70
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
!*************************** OWNER ******************
owner net
content www.net.com
add service 10.56.3.50-80
vip address 10.56.10.11
add service 10.56.3.60-80
add service 10.56.3.70-80
protocol tcp
port 80
active
!**************************** ACL *******************
acl 1
clause 1 bypass any 10.0.0.0 255.0.0.0 destination 10.56.3.0 255.255.255.0
clause 2 bypass any 192.168.0.0 255.255.0.0 destination 10.56.3.0 255.255.255.0
clause 100 permit any any destination any
apply circuit-(VLAN210)
acl 2
clause 1 bypass any 10.56.3.0 255.255.255.0 destination any
apply circuit-(VLAN203)
acl 3
clause 1 permit any any destination any
apply circuit-(VLAN999)
I would like the servers in vlan 203 to get to www.net.com and currently they cannot. The servers in vlan 203 resolve the address to 10.56.10.11 for www.net.com.
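The ACL behaviour the thread is debating, modelled in a small added Python script (not from the posts above or from CSS software): it parses acl 2 exactly as posted, applies first-match with the CSS implicit deny, and reports whether the server-to-VIP flow 10.56.3.40 to 10.56.10.11 ever reaches a permit clause, both with and without the clause 10 Pete suggests in point 3. It relies on the standard CSS rule that a bypass clause forwards the flow without consulting content rules; protocol matching is not modelled since every clause on the page uses "any".

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any' or 'ADDR MASK' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_clause(line):
    """Parse one CSS clause line, e.g.
    'clause 1 bypass any 10.56.3.0 255.255.255.0 destination any'."""
    t = line.split()
    num, action, proto = int(t[1]), t[2], t[3]  # proto is not evaluated (all 'any')
    src, i = _parse_addr(t, 4)
    assert t[i] == "destination", line
    dst, _ = _parse_addr(t, i + 1)
    return {"num": num, "action": action, "proto": proto, "src": src, "dst": dst}


def parse_acl(lines):
    return [parse_clause(l) for l in lines if l.strip().startswith("clause")]


def evaluate(acl, src_ip, dst_ip):
    """First matching clause wins; no match is the CSS implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for c in acl:
        if s in c["src"] and d in c["dst"]:
            return c["action"], c["num"]
    return "deny", None


def vip_rule_consulted(action):
    """Only a 'permit' flow is matched against content rules (the VIP);
    'bypass' forwards the packet untouched and 'deny' drops it."""
    return action == "permit"


# acl 2 as posted (applied to circuit VLAN203)
ACL2_POSTED = parse_acl(["clause 1 bypass any 10.56.3.0 255.255.255.0 destination any"])
# acl 2 plus the clause Pete suggests in point 3
ACL2_WITH_PERMIT = ACL2_POSTED + parse_acl(["clause 10 permit any any destination any"])

if __name__ == "__main__":
    # the flow from the thread: server 10.56.3.40 on VLAN203 to VIP 10.56.10.11
    for name, acl in (("posted", ACL2_POSTED), ("with clause 10", ACL2_WITH_PERMIT)):
        action, num = evaluate(acl, "10.56.3.40", "10.56.10.11")
        print(f"{name}: clause {num} -> {action}, VIP rule consulted: {vip_rule_consulted(action)}")
```

Because clause 1 already matches any source in 10.56.3.0/24, the server-to-VIP flow is bypassed in both versions, and a clause appended after it only changes flows that clause 1 does not match.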