Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
462
Views
0
Helpful
1
Replies

VIP ACCESS ISSUES WITH CSS/PIX

steverc
Level 1
Level 1

‎04-25-2003 08:23 AM

Configuration:

INET-----PIX525------CSS11503-------CAT2950---------SERVERS

The CSS is configured with Global VIP's, and local (RFC1918) IP's on the servers. During intial testing we bypassed the firewall / 2950 and had the traffic pass directly to the CSS, then onto the servers. This worked fine.

Now (using the new [supplied] config) we're having problems getting to the VIP's on the CSS. We can telnet directly to the CSS through the firewall. We have all the ACL's set up on the PIX 525 that we can think of.

The PIX can ping all of the VIP's, but you can't ping them from outside the PIX. It's seems odd to me that all of the ACL's are set up the same, but yet only one of them is passing traffic?

Does anyone have experience with the above type of configuration? Any help would be greatly appreciated.

Labels:
0 Helpful
1 Reply 1

cdeeds
Level 1
Level 1

‎04-29-2003 11:02 AM

EXAMPLE:

1.1.1.1 = Private IP

2.2.2.2 = Public IP

name 1.1.1.1 HOSTA

static (inside,outside) 2.2.2.2 HOSTA netmask 255.255.255.255

access-list outside-access permit tcp any host 2.2.2.2 eq https

access-group outside-access in interface outside

This is how we have our VIPs configured to work through our PIX firewalls and it works good. As far as the 2950 switch is concerned that you have, we are not using a switch behind our CSS. All of our servers utilizing the CSS are directly connected to it. I don't see any issues with the 2950 behind the CSS, but I could be wrong. Hope this helps.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card