05-12-2011 12:38 PM
Hi all folks!
I have two CSS 11500 series...
________________LAN to LAN_____________________
| |
| |
|------SITE A------| |------SITE B------|
[Firewall] ===============IPSEC============= [Firewall]
| |
| |
[CSS-A]-[CSS-B] [SWITCH]
| | | |
[SWITCH] | |
[srvA] [srvB] [srvC] [srvD] [srvE]
05-13-2011 12:15 AM
Hi Esteban,
There is nothing wrong with this topology, it will work fine.
However, there is one thing you need to take into account. You need to make sure that the traffic from the servers back to the clients is going through the CSS so that the NAT from the real server IP to the content rule IP can be done. If traffic goes back to the clients directly, connections will break.
There are a few ways to achieve this, some more complicated than others, but the most common ones are:
I hope this helps
Daniel
05-17-2011 09:37 AM
Daniel!
Sorry for the delay!
Thank you so much for your time in replying.
Thanks in advance again!!!
Have a nice day!
Regards.
Esteban.
05-19-2011 03:20 AM
Hi Esteban,
Both are perfectly valid methods. The main difference is that, if you use ACLs to specify the NAT, you have a lot more granularity, because you can define different NAT configurations based on combinations of source/destination IP addresses. As a drawback, it's also more cumbersome to configure.
With normal source groups, you can just define the NAT address to be used based on the server to which the connection is going to be sent to. This is more limited in terms of possibilities, but it's also much easier to configure.
For your setup, I don't think you need any complicated NAT configuration, because you are just trying to send the return traffic back to the CSS, so I would recommend you to just use source groups for the configuration, forgetting completely about the ACLs.
Regards
Daniel
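As an added illustration of the source-group approach Daniel describes (this is not configuration from the thread, and the service names, VIP and server addresses are constructed placeholders): the group NATs the client source address to the group VIP for connections sent to the remote servers, so the servers at Site B reply to the CSS instead of directly to the client.

```text
! Constructed example of CSS 11500 source-group NAT for return traffic.
! Assumed names/addresses: service srvC/srvD, content rule VIP 10.0.0.100,
! source-group VIP 10.0.0.101 (the address the servers see as the client).
service srvC
  ip address 192.168.2.13
  active
service srvD
  ip address 192.168.2.14
  active

owner SiteA
  content web
    vip address 10.0.0.100
    protocol tcp
    port 80
    add service srvC
    add service srvD
    active

! Source group: client traffic destined to srvC/srvD leaves the CSS with
! source 10.0.0.101, so replies return through the CSS and get un-NATed.
group return-via-css
  vip address 10.0.0.101
  add destination service srvC
  add destination service srvD
  active
```

Make sure the group VIP is routed back to the CSS across the LAN-to-LAN tunnel, otherwise the servers' replies will still not reach it.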