VIP ACCESS ISSUES WITH CSS/PIX
04-25-2003 08:23 AM
Configuration:
INET-----PIX525------CSS11503-------CAT2950---------SERVERS
The CSS is configured with Global VIP's, and local (RFC1918) IP's on the servers. During initial testing we bypassed the firewall / 2950 and had the traffic pass directly to the CSS, then onto the servers. This worked fine.
Now (using the new [supplied] config) we're having problems getting to the VIP's on the CSS. We can telnet directly to the CSS through the firewall. We have all the ACL's set up on the PIX 525 that we can think of.
The PIX can ping all of the VIP's, but you can't ping them from outside the PIX. It seems odd to me that all of the ACL's are set up the same, but yet only one of them is passing traffic?
Does anyone have experience with the above type of configuration? Any help would be greatly appreciated.
04-29-2003 11:02 AM
EXAMPLE:
1.1.1.1 = Private IP
2.2.2.2 = Public IP
name 1.1.1.1 HOSTA
static (inside,outside) 2.2.2.2 HOSTA netmask 255.255.255.255
access-list outside-access permit tcp any host 2.2.2.2 eq https
access-group outside-access in interface outside
This is how we have our VIPs configured to work through our PIX firewalls and it works well. As far as the 2950 switch is concerned that you have, we are not using a switch behind our CSS. All of our servers utilizing the CSS are directly connected to it. I don't see any issues with the 2950 behind the CSS, but I could be wrong. Hope this helps.
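An added example, not part of either post: a Python check that each VIP in a PIX configuration has all three pieces shown in the reply (a static, an access-list permit, and that access-list applied to the outside interface), which is one way to find why only one of several VIPs passes traffic. The sample configuration and the names `audit_vips` and `SAMPLE_CONFIG` are constructed for illustration, and the parser only understands the line forms used in the reply.

```python
import re

# Constructed sample in the syntax of the reply above; all addresses are placeholders.
SAMPLE_CONFIG = """\
name 1.1.1.1 HOSTA
static (inside,outside) 2.2.2.2 HOSTA netmask 255.255.255.255
static (inside,outside) 2.2.2.3 1.1.1.3 netmask 255.255.255.255
static (inside,outside) 2.2.2.4 1.1.1.4 netmask 255.255.255.255
access-list outside-access permit tcp any host 2.2.2.2 eq https
access-list outside-access permit tcp any host 2.2.2.4 eq https
access-list dmz-access permit tcp any host 2.2.2.3 eq https
access-group outside-access in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_vips(config, vips, interface="outside"):
    """Return {vip: [problems]}; an empty list means all three pieces are present."""
    statics, permits, bound = set(), {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            if m.group(2) == interface:       # second name in the pair is the public side
                statics.add(m.group(3))       # public (translated) address
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(3), []).append(m.group(1))  # VIP -> ACL names
        elif m := GROUP_RE.match(line):
            if m.group(2) == interface:
                bound.add(m.group(1))         # ACLs actually applied inbound
    report = {}
    for vip in vips:
        problems = []
        if vip not in statics:
            problems.append("no static translation")
        acls = permits.get(vip, [])
        if not acls:
            problems.append("no access-list permit")
        elif not any(acl in bound for acl in acls):
            problems.append("permit is in an access-list not applied to " + interface)
        report[vip] = problems
    return report

if __name__ == "__main__":
    for vip, problems in audit_vips(SAMPLE_CONFIG, ["2.2.2.2", "2.2.2.3", "2.2.2.5"]).items():
        print(vip, "OK" if not problems else "; ".join(problems))
```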
