VIP ACCESS ISSUES WITH CSS/PIX

steverc · ‎04-25-2003

Configuration:

INET-----PIX525------CSS11503-------CAT2950---------SERVERS

The CSS is configured with Global VIP's, and local (RFC1918) IP's on the servers. During intial testing we bypassed the firewall / 2950 and had the traffic pass directly to the CSS, then onto the servers. This worked fine.

Now (using the new [supplied] config) we're having problems getting to the VIP's on the CSS. We can telnet directly to the CSS through the firewall. We have all the ACL's set up on the PIX 525 that we can think of.

The PIX can ping all of the VIP's, but you can't ping them from outside the PIX. It's seems odd to me that all of the ACL's are set up the same, but yet only one of them is passing traffic?

Does anyone have experience with the above type of configuration? Any help would be greatly appreciated.

cdeeds · ‎04-29-2003

EXAMPLE:

1.1.1.1 = Private IP

2.2.2.2 = Public IP

name 1.1.1.1 HOSTA

static (inside,outside) 2.2.2.2 HOSTA netmask 255.255.255.255

access-list outside-access permit tcp any host 2.2.2.2 eq https

access-group outside-access in interface outside

This is how we have our VIPs configured to work through our PIX firewalls and it works good. As far as the 2950 switch is concerned that you have, we are not using a switch behind our CSS. All of our servers utilizing the CSS are directly connected to it. I don't see any issues with the 2950 behind the CSS, but I could be wrong. Hope this helps.