Re: Some basic CSS questions...

drakewhite · ‎07-24-2006

Q1. I understand that for server initiated connections hitting internet we use source group to translate "private ip" of service to an internet routable "public ip".What if the server initiated connections are not for internet but for some internal host connected via a router that routes "service ip's" to css.

Q2. what is the significance of "bypass" feature in CSS ACL.

lets say we have 2 services (10.10.10.1 & 10.10.10.2) behind a vip 200.200.200.200 and each servers needs to call the vip for some pages.

what will be the difference between the following two ACLs

group outbond_nat

vip 200.200.200.1

active

option#1

clause 10 permit any 10.10.10.0 255.255.255.0 content <rule> sourcegroup outband_nat

clause 20 permit any any destination any

option#2

clause 10 permit any 10.10.10.0 255.255.255.0 content <rule> sourcegroup outband_nat

clause 20 bypass 10.10.10.0 255.255.255.0 destination any

clause 30 permit any any destination any

Q3 IS it needed to create an ACL for established connections? for example if the services initiate connection to internet then do we need ACLs on the circuit facing internet.

Thanks in advance

d.

Gilles Dufour · ‎07-25-2006

A1: if you don't need nating, simply do not use a group.

A2: route the traffic without checking if it hits a content rule.

Your acl 1 will permit all traffic and nat traffic from 10.10.10.0/24 when hitting a specific content rule.

Your acl 2 is the same but if you have more content rules the traffic 10.10.10.0/24 will simply be routed and will not hit any of them.

We usually use the bypass for cache devices that would need to access a server directly.

A3: ACL are not mandatory. By default the CSS permits all traffic. If you enable acl so, you then need to explicitly permit the traffic you want to have across the CSS.

Gilles.