Re: Question with source group NAT ACL on CSS

mchockalingam · ‎03-29-2005

Hi All,

I am little confused with source group NAT ACLs. I have the following design with our CSS.

I have a firewall with inside, outside and a CSS interface. The CSS is sitting in between the firewall and the server vlan 203. I have the following config

!************************* INTERFACE ****************

interface 1/1

bridge vlan 99

description "Failover link to secondary"

interface 2/1

bridge vlan 210

description "Link to VIP vlan (firewall)"

interface 2/2

bridge vlan 203

description "Link to dmz servers"

!************************** CIRCUIT *****************

circuit VLAN999

ip address 10.56.99.3 255.255.255.0

redundancy-protocol

circuit VLAN210

redundancy

ip address 10.56.10.3 255.255.255.0

circuit VLAN203

redundancy

ip address 10.56.3.3 255.255.255.0

!**************************** ACL *****************

acl 1

clause 1 bypass any 10.0.0.0 255.0.0.0 destination 10.56.3.0 255.255.255.0

clause 2 bypass any 192.168.0.0 255.255.0.0 destination 10.56.3.0 255.255.255.0

clause 100 permit any any destination any

apply circuit-(VLAN210)

acl 2

clause 1 bypass any 10.56.3.0 255.255.255.0 destination any

apply circuit-(VLAN203)

acl 3

clause 1 permit any any destination any

apply circuit-(VLAN999)

------------------------

With the above configuration, the servers on the 203 vlan (for example 10.56.3.40) cannot get to a website which has a VIP address of 10.56.10.10 because of the ACLs applied to vlan 203. The gateway for the vlan 203 servers is 10.56.10.3 which is the CSS.

We have internal DNS servers pointing to the VIP address for web page resolution and the external servers point to the outside address and our firewalls does a static translation.

Will source group NAT fix this problem?

pknoops · ‎03-29-2005

I am a little confused on what you are doing here.

1. Is the VIP in question actually on this CSS that you show here but just did not cut/paste here ?

2. If #1 is true, then is the VIP on this CSS load balancing to servers on VLAN203 ?

3. Can you add "permit any any destination any" to acl2 as clause 10. I ask this because if clause 1 does not get a hit, then the traffic will be denied by default.

4. Did you do a show acl to see if any of these are getting hits as you would expect them to ?

Regards

Pete..

mchockalingam · ‎03-29-2005

Sorry for the confusion. Since Vlan203 has combination of servers in which some needs load balancing and some do not, I have to bypass some traffic.

ACL 1 permits the traffic from inside network to get to the server directly (like terminal services etc) for maintenance of the srevers in 203 vlan (10.56.3.x).

Inside DNS servers resolve www.net.com to the VIP address of 10.56.10.11 and external DNS resolves to 67.x.x.x. The firewalls static NAT 10.56.10.11 to 67.x.x.x.

The VIP in question is on the CSS and I have added the full config here.

!************************* INTERFACE ****************

interface 1/1

bridge vlan 999

description "Failover link to secondary"

interface 2/1

bridge vlan 210

description "Link to VIP vlan (firewall)"

interface 2/2

bridge vlan 203

description "Link to dmz servers"

!************************** CIRCUIT *****************

circuit VLAN999

ip address 10.56.99.3 255.255.255.0

redundancy-protocol

circuit VLAN210

redundancy

ip address 10.56.10.3 255.255.255.0

circuit VLAN203

redundancy

ip address 10.56.3.3 255.255.255.0

!************************** SERVICE **************

service 10.56.3.50-443

ip address 10.56.3.50

port 443

keepalive frequency 10

keepalive type ssl

keepalive port 443

active

service 10.56.3.50-80

ip address 10.56.3.50

port 80

keepalive frequency 10

keepalive type http

keepalive port 80

keepalive uri "/lbcheck.asp"

active

service 10.56.3.60-443

ip address 10.56.3.60

port 443

keepalive frequency 10

keepalive type ssl

keepalive port 443

active

service 10.56.3.60-80

ip address 10.56.3.60

port 80

keepalive frequency 10

keepalive type http

keepalive port 80

keepalive uri "/lbcheck.asp"

active

service 10.56.3.70-443

ip address 10.56.3.70

port 443

keepalive frequency 10

keepalive type ssl

keepalive port 443

active

service 10.56.3.70-80

ip address 10.56.3.70

port 80

keepalive frequency 10

keepalive type http

keepalive port 80

keepalive uri "/lbcheck.asp"

active

!*************************** OWNER ******************

owner net

content www.net.com

add service 10.56.3.50-80

vip address 10.56.10.11

add service 10.56.3.60-80

add service 10.56.3.70-80

protocol tcp

port 80

active

!**************************** ACL *******************

acl 1

clause 1 bypass any 10.0.0.0 255.0.0.0 destination 10.56.3.0 255.255.255.0

clause 2 bypass any 192.168.0.0 255.255.0.0 destination 10.56.3.0 255.255.255.0

clause 100 permit any any destination any

apply circuit-(VLAN210)

acl 2

clause 1 bypass any 10.56.3.0 255.255.255.0 destination any

apply circuit-(VLAN203)

acl 3

clause 1 permit any any destination any

apply circuit-(VLAN999)

I would like the servers in vlan 203 to get to www.net.com and currently they cannot. The servers in vlan 203 resolve the address to 10.56.10.11 for www.net.com