Single CSM, load-balanced ISA firewalls: how to route through

dojnetsup
Level 1

I am trying to set up a single CSM with two load-balanced ISA firewalls. I have seen the CCO information on how to do this, but can't get it to work correctly.

My setup is as follows:

Outside Server (Vlan 10), IP 10.0.0.100
        |
IP 10.0.0.1
Router (MSFC)
IP 192.168.79.1
        |
CSM (Vlan 79), IP 192.168.79.4
        |-------------------|
ISA1 (.35)     VIP (.50)     ISA2 (.36)
        |-------------------|
CSM (Vlan 247), IP 192.168.247.4
        |
IP 192.168.247.1
Router
IP 192.168.254.1
        |
Inside Workstation (Vlan 903), IP 192.168.254.100

If that makes any sense, I am trying to connect between the workstation and the server and have the CSM determine which ISA to use (load balanced).

I also have a requirement to use the ISA servers as an HTTP proxy, so I need to target the VIP address.

My main question, I think, is around the routing. How should I set the routers to route the traffic through the network? Do I point the route to the ISA VIP or to the CSM VLAN address?

Current config:

module ContentSwitchingModule 4
 vlan 247 server
  ip address 192.168.247.4 255.255.255.0
  gateway 192.168.247.1
 !
 vlan 903 client
  ip address 192.168.254.4 255.255.255.0
 !
 vlan 79 server
  ip address 192.168.79.4 255.255.0.0
 !
 vlan 10 server
  ip address 10.0.0.4 255.255.255.0
  gateway 10.0.0.1
 !
 serverfarm FORWARD
  no nat server
  no nat client
  predictor forward
 !
 serverfarm ISALB_IN2OUT
  no nat server
  no nat client
  real 192.168.79.35
   no inservice
  real 192.168.79.36
   inservice
 !
 serverfarm ISALB_OUT2IN
  no nat server
  no nat client
  real 192.168.247.35
   no inservice
  real 192.168.247.36
   inservice
 !
 serverfarm ISA_INSIDE
  nat server
  no nat client
  real 192.168.247.36
   inservice
  real 192.168.247.35
   inservice
 !
 serverfarm ISA_OUTSIDE
  nat server
  no nat client
  real 192.168.79.35
   inservice
  real 192.168.79.36
   inservice
 !
 serverfarm ROUTERS
  no nat server
  no nat client
  real 192.168.247.1
   inservice
  real 192.168.79.1
   inservice
  real 192.168.254.1
   inservice
  real 10.0.0.1
   inservice
 !
 sticky 1 netmask 0.0.0.0 timeout 120
 !
 vserver IN2OUT
  virtual 192.168.254.0 255.255.255.0 any
  vlan 247
  serverfarm FORWARD
  sticky 240
  reverse-sticky 1
  persistent rebalance
  inservice
 !
 vserver ISA2SERV
  virtual 10.0.0.0 255.255.255.0 any
  vlan 79
  serverfarm FORWARD
  sticky 240
  reverse-sticky 1
  persistent rebalance
  inservice
 !
 vserver ISA_10_7_50
  ! 192.167.79.50 as posted; the diagram above places the .50 VIP on the 192.168.79.0 network of vlan 79
  virtual 192.167.79.50 any
  vlan 79
  serverfarm ISA_OUTSIDE
  persistent rebalance
  inservice
 !
 vserver OUT2IN
  virtual 0.0.0.0 0.0.0.0 any
  vlan 903
  serverfarm ISALB_OUT2IN
  sticky 240
  reverse-sticky 1
  persistent rebalance
  inservice
 !
 vserver SERV2ISA
  virtual 192.168.254.0 255.255.255.0 any
  vlan 10
  serverfarm ISALB_IN2OUT
  sticky 240
  reverse-sticky 1
  persistent rebalance
  inservice
 !

If I set the routers to point to an individual ISA address, traffic flows correctly (but only through the single ISA).

If I set the routers to direct to the virtual address, then nothing flows and no connections are made on the switch.

I have tried pointing the routes to the CSM addresses without success.

Any help with this would be greatly appreciated

Many Thanks

LP

2 Replies

Gilles Dufour
Cisco Employee

The CSM is connected to vlan 10.

So your clients should use the CSM as their default gateway.

If you want to use the MSFC, remove vlan 10 from the CSM.

Also, you have configured two default gateways.

You should not.

Have only one default gateway, pointing to the MSFC on vlan 79.

Then, if there is still a problem, capture show commands to see if traffic hit the correct rules.

'sho mod csm X conns detail' and 'sho mod csm X vserver name detail'

Thanks,

Gilles.

dojnetsup
Level 1

Thanks for the reply, Gilles.

After your reply, I completely redesigned the scenario (closer to the proposed reality anyway) and, with much effort and testing, managed to make it work. I did this without implementing MSFC VLAN interfaces for the ISA servers, and added a router on the outside.

Please feel free to edit/debunk any of the following config, but at the moment this is working just fine.

FYI for others. Note there is probably some config here that is not strictly required, but is included because I was testing different configurations.

New design

Outside World PC (192.168.254.x)
        |
Router - outside interface
Router - outer CSM Vlan 239, IP 10.20.228.1
  (I have not defined this as an MSFC interface; I have a separate router.)
        |
CSM Client Vlan 239, IP 10.20.228.4
CSM Server Vlan 236, IP 10.20.229.17 (no MSFC)
        |-------------------|
ISA1 (10.20.229.19)     ISA2 (10.20.229.20)
ISA1 (10.20.230.19)     ISA2 (10.20.230.20)
        |-------------------|
CSM Server Vlan 247, IP 10.20.230.17 (no MSFC)
CSM Client Vlan 1400, IP 10.20.227.4
        |
Router via MSFC int 10.20.227.1
        |
Inside Network PC 10.x.x.x

Routing:

on outside router
 ip route 10.0.0.0 255.0.0.0 10.20.228.4

on MSFC
 ip route 192.168.254.0 255.255.255.0 10.20.227.4

CSM config

module ContentSwitchingModule 4
 vlan 247 server
  ip address 10.20.230.17 255.255.255.240
 !
 vlan 236 server
  ip address 10.20.229.17 255.255.255.240
 !
 vlan 239 client
  ip address 10.20.228.4 255.255.255.192
  gateway 10.20.228.1
 !
 vlan 1400 server
  ip address 10.20.227.4 255.255.255.192
  route 89.0.0.0 255.0.0.0 gateway 10.20.227.1
 !
 serverfarm FORWARD
  no nat server
  no nat client
  predictor forward
 !
 serverfarm INROUTER
  nat server
  no nat client
  real 10.20.227.1
   inservice
 !
 serverfarm ISALB_INSIDE
  no nat server
  no nat client
  real 10.20.230.19
   no inservice
  ! 10.20.230.21 as posted; the diagram above gives ISA2's inside address as 10.20.230.20
  real 10.20.230.21
   inservice
 !
 serverfarm ISALB_OUTSIDE
  no nat server
  no nat client
  real 10.20.229.19
   no inservice
  real 10.20.229.20
   no inservice
 !
 serverfarm ISA_INSIDE
  nat server
  no nat client
  real 10.20.230.19
   inservice
  real 10.20.230.20
   inservice
 !
 serverfarm ISA_OUTSIDE
  nat server
  no nat client
  real 10.20.229.19
   inservice
  real 10.20.229.20
   inservice
 !
 ! for CSM ARP only - not sure if required
 serverfarm ROUTERS
  nat server
  no nat client
  real 10.20.227.1
   inservice
  real 10.20.228.1
   inservice
 !
 ! still testing sticky config
 sticky 1 netmask 255.255.255.255 address both
 !
 vserver CSM2IN
  virtual 89.0.0.0 255.0.0.0 any
  vlan 1400
  serverfarm FORWARD
  persistent rebalance
  inservice
 !
 vserver CSM2OUT
  virtual 192.168.254.0 255.255.255.0 any
  vlan 239
  serverfarm FORWARD
  persistent rebalance
  inservice
 !
 vserver IN2ISA
  virtual 192.168.254.0 255.255.255.0 any
  vlan 247
  serverfarm FORWARD
  persistent rebalance
  no inservice
 !
 vserver IN2OUT
  virtual 192.168.254.0 255.255.255.0 any
  vlan 1400
  serverfarm ISALB_INSIDE
  sticky 5
  persistent rebalance
  inservice
 !
 vserver ISA2OUT
  virtual 192.168.254.0 255.255.255.0 any
  vlan 236
  serverfarm FORWARD
  persistent rebalance
  inservice
 !
 vserver ISALB_INSIDE
  virtual 10.20.227.10 any
  vlan 1400
  serverfarm ISA_INSIDE
  persistent rebalance
  inservice
 !
 vserver ISALB_OUTSIDE
  virtual 10.20.228.10 any
  vlan 239
  serverfarm ISA_OUTSIDE
  persistent rebalance
  inservice
 !
 vserver ISA_IN
  virtual 10.20.230.30 any
  vlan 1400
  serverfarm ISA_INSIDE
  persistent rebalance
  inservice
 !
 vserver OUT2IN
  virtual 89.0.0.0 255.0.0.0 any
  vlan 239
  serverfarm ISALB_OUTSIDE
  sticky 5
  persistent rebalance
  inservice
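Part of the review Gilles suggests can be done statically before looking at `sho mod csm X conns detail`. The script below is an added example for this thread, not code from either poster: it parses the flat CSM syntax used in both configs above and flags three things that bite in exactly this kind of setup: more than one vlan-level `gateway` (Gilles' point about the first config), a host VIP that does not sit in the subnet of the VLAN its vserver is bound to (the `192.167.79.50` entry under vlan 79 in the first config), and an inservice vserver whose serverfarm has no real in service (OUT2IN pointing at ISALB_OUTSIDE, both reals `no inservice`, in the second config). The embedded SAMPLE_CONFIG is constructed and only modelled on the first post; it is not a copy of either config, and the parser knows only the keywords that appear in this thread.

```python
"""Static sanity checks for a flat Cisco CSM configuration fragment.
Added example for this thread, not code from either post: it parses the CSM
syntax used above and flags more than one vlan-level gateway (Gilles' point),
a host VIP outside its vlan's subnet, and an inservice vserver whose
serverfarm has no real in service."""
import ipaddress

# Constructed input modelled on the first post's config (two gateways, the
# 192.167.79.50 VIP on vlan 79), with ISALB_OUT2IN's reals both out of service.
SAMPLE_CONFIG = """\
vlan 247 server
ip address 192.168.247.4 255.255.255.0
gateway 192.168.247.1
!
vlan 79 server
ip address 192.168.79.4 255.255.0.0
!
vlan 10 server
ip address 10.0.0.4 255.255.255.0
gateway 10.0.0.1
!
serverfarm ISALB_OUT2IN
real 192.168.247.35
no inservice
real 192.168.247.36
no inservice
!
serverfarm ISA_OUTSIDE
real 192.168.79.35
inservice
real 192.168.79.36
inservice
!
vserver ISA_10_7_50
virtual 192.167.79.50 any
vlan 79
serverfarm ISA_OUTSIDE
inservice
!
vserver OUT2IN
virtual 0.0.0.0 0.0.0.0 any
vlan 247
serverfarm ISALB_OUT2IN
inservice
"""


def parse_csm(text):
    """Return (vlans, farms, vservers); '!' closes a block, a keyword opens one."""
    vlans, farms, vservers = {}, {}, {}
    kind = cur = last_real = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            kind = cur = None
            continue
        if tok[0] == "vlan" and len(tok) == 3:          # 'vlan N client|server'
            kind, cur = "vlan", vlans.setdefault(tok[1], {"net": None, "gateways": []})
        elif tok[0] == "serverfarm" and kind != "vserver":
            kind, cur, last_real = "farm", farms.setdefault(tok[1], {"reals": {}, "forward": False}), None
        elif tok[0] == "vserver":
            kind, cur = "vserver", vservers.setdefault(tok[1], dict(virtual=None, vlan=None, farm=None, inservice=False))
        elif kind == "vlan":
            if tok[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            elif tok[0] == "gateway":               # default gateway; 'route ... gateway X' is not one
                cur["gateways"].append(tok[1])
        elif kind == "farm":
            if tok[0] == "real":
                last_real = tok[1]
                cur["reals"][last_real] = False     # a CSM real starts out of service
            elif tok[-1] == "inservice" and last_real:
                cur["reals"][last_real] = tok[0] != "no"
            elif tok[:2] == ["predictor", "forward"]:
                cur["forward"] = True               # routing farm, legitimately has no reals
        elif kind == "vserver":
            if tok[0] == "virtual":                 # 'virtual IP [MASK] proto ...'
                mask = tok[2] if tok[2][0].isdigit() else "255.255.255.255"
                cur["virtual"] = ipaddress.ip_network(f"{tok[1]}/{mask}", strict=False)
            elif tok[0] in ("vlan", "serverfarm"):
                cur["vlan" if tok[0] == "vlan" else "farm"] = tok[1]
            elif tok[-1] == "inservice":
                cur["inservice"] = tok[0] != "no"
    return vlans, farms, vservers


def check_csm(text):
    """Return human-readable findings for the config text (empty list = clean)."""
    vlans, farms, vservers = parse_csm(text)
    findings = []
    gws = [f"vlan {v} -> {g}" for v, d in vlans.items() for g in d["gateways"]]
    if len(gws) > 1:
        findings.append("more than one default gateway: " + ", ".join(gws))
    for name, vs in vservers.items():
        vip, vl, farm = vs["virtual"], vlans.get(vs["vlan"]), farms.get(vs["farm"])
        # Only a host VIP has to sit in the bound vlan's subnet; network-form
        # virtuals are route-style catch-alls and legitimately live elsewhere.
        if vip and vip.prefixlen == 32 and vl and vl["net"] and vip.network_address not in vl["net"]:
            findings.append(f"vserver {name}: VIP {vip.network_address} is outside vlan {vs['vlan']} subnet {vl['net']}")
        if vs["inservice"] and farm and not farm["forward"] and not any(farm["reals"].values()):
            findings.append(f"vserver {name}: inservice but serverfarm {vs['farm']} has no real inservice")
    return findings
```

Feed `check_csm()` the `module ContentSwitchingModule` section of the switch running-config; on the constructed sample it returns three findings (the two gateways, the 192.167.79.50 VIP outside 192.168.0.0/16, and OUT2IN's farm with nothing in service). It is a static check only: whether a VIP actually answers still needs the `sho mod csm X conns detail` and `sho mod csm X vserver name detail` output Gilles asks for.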
