03-04-2008 12:23 PM
Hello,
I really hope that someone will be able to give me a hand on this. I have been struggling with it for a while with no luck.
Somehow, the real servers cannot access the Internet in our Data Center. We are running paired 6500s with FWSM and CSM-S. If we change the gateway on the server to point directly to the FWSM (10.10.2.1) it works, but it has to go through the CSM (10.10.20.10), and that is when I run into problems.
Below is the partial configuration from one of the switches.
****************************************
serverfarm SRVR1-SSL
 nat server
 no nat client
 description SRVR1 SSL
 real 10.10.14.52 local
  inservice
serverfarm SRVR1-WWW
 nat server
 no nat client
 predictor leastconns
 description Srvr1 Web
 real 10.10.20.52
  inservice
 real 10.10.20.53
  inservice
 real 10.10.20.54
  inservice
vserver SRVR1-SSL
 virtual 10.10.8.52 tcp https
 serverfarm SRVR1-SSL
 persistent rebalance
 inservice
!
vserver SRVR1-WWW
 virtual 10.10.8.52 tcp www
 serverfarm SRVR1-WWW
 persistent rebalance
 slb-policy CSM_WRS
 inservice
vlan 14 server
 ip address 10.10.14.11 255.255.255.0 alt 10.10.14.12 255.255.255.0
 alias 10.10.14.10 255.255.255.0
vlan 8 client
 ip address 10.10.8.11 255.255.255.0 alt 10.255.8.12 255.255.255.0
 gateway 10.10.8.1
static nat virtual
 real 10.10.20.0 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.2.1 (IP address of the FWSM)
interface Vlan8
 no ip address
interface Vlan14
 no ip address
interface Vlan20
 ip address 10.10.20.251 255.255.255.0
 standby 20 ip 10.10.20.254
 standby 20 timers 5 15
 standby 20 preempt
 standby 20 authentication XXXXX
**********************************
The Real Server has default gateway of 10.10.20.10
**********************************
SSL Daughter Card Config:
**********************************
ssl-proxy service SRVR1
 virtual ipaddr 10.10.14.52 protocol tcp port 443 secondary
 server ipaddr 10.10.8.52 protocol tcp port 80
 certificate rsa general-purpose trustpoint TP-SRVR1
 inservice
ssl-proxy vlan 2
 ipaddr 10.10.2.31 255.255.255.0
 gateway 10.10.2.254
 admin
ssl-proxy vlan 14
 ipaddr 10.10.14.1 255.255.255.0
 route 10.10.8.0 255.255.255.0 gateway 10.10.14.10
ip route 0.0.0.0 0.0.0.0 10.255.2.254
ip route 10.10.8.0 255.255.255.0 10.10.14.10
************************************
************************************
FWSM Configuration
************************************
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.10.2.1 255.255.255.0 standby 10.10.2.2
interface Vlan8
 nameif SERVER1
 security-level 10
 ip address 10.10.8.1 255.255.255.0 standby 10.10.8.2
interface Vlan20
 nameif WEB
 security-level 25
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
nat (inside) 1 10.10.2.0 255.255.255.0
nat (SERVER1) 1 10.10.8.0 255.255.255.0
access-list acl_out extended permit tcp any host 206.206.206.206 eq https
access-list acl_out extended permit tcp any host 206.206.206.206 eq www
static (Sbox_WebOut,outside) 206.206.206.206 10.10.8.53 netmask 255.255.255.255
****************************************
03-04-2008 02:36 PM
Hi,
Can you clarify something? You said that when the reals (10.10.20.52/53/54) are pointing to 10.10.20.10 as their default gateway, this is not working, right?
Now, the only server VLAN that I see on the CSM is
vlan 14 server
 ip address 10.10.14.11 255.255.255.0 alt 10.10.14.12 255.255.255.0
 alias 10.10.14.10 255.255.255.0
And those reals are not on that subnet. Also, I see no server VLAN defined for 10.10.20.x 255.255.255.0, and I see it configured as Vlan20 on the MSFC.
Also, I do not see 10.10.20.10 configured on the CSM.
Don't you have a server VLAN20 on the CSM?
Diego M
03-05-2008 06:07 AM
Sorry - I missed that in my original snapshot. We do have Vlan 20 on both - the CSM and MSFC:
vlan 20 server
 description Reals
 ip address 10.10.20.11 255.255.255.0 alt 10.10.20.12 255.255.255.0
 alias 10.10.20.10 255.255.255.0
vlan 20
 description Reals
And we link them to the FWSM on the MSFC:
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 2,3,5-8,10,15,20,40,50,51,992
******************************
NATting on the CSM is working: when I ping the FWSM on 10.10.8.1 going through the CSM, I can see hits coming from the virtual IP address (10.10.8.52), not from the real (10.10.20.52). But I cannot ping any other interface on the firewall (10.10.2.1, for example) or go through it.
Do you know what debugging I can use on the FWSM to see what exactly is happening there? I have a feeling that I am either missing an access-list or the NATting/routing is wrong...
03-05-2008 06:21 AM
Well, if the ping from the real can make it to the FWSM, then I would say that the CSM is working fine and probably the FWSM is blocking it or something else is happening.
With regard to the ability to ping that FWSM IP but not the others, well, that is weird. Perhaps it is related to the fact that the CSM ARPs only for gateway and real IPs, so it might have the ARP entry for 10.10.8.1 and not for other FWSM IPs.
You can check that with:
show mod csm x arp
Unfortunately I am not such an expert on FWSM, so I am not sure what debugging can be turned on there, but perhaps a trace between the CSM and FWSM can show you what the issue is.
Hope it helps!!
Diego M
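The script below is an added example for this thread, not something either poster ran and not a Cisco tool. It parses the CSM and FWSM fragments quoted above (trimmed to the commands it understands, with the vlan 20 server block from the follow-up post) and answers, for each real, the questions Diego raised: which CSM server VLAN covers the real, whether the real's default gateway 10.10.20.10 is an address or alias on that VLAN, what source address the FWSM sees once static nat virtual has rewritten it, and which FWSM interface the CSM's client-side gateway belongs to. The rewrite rule it assumes for static nat virtual (source becomes the VIP of the vserver whose farm holds the real) is the behaviour the original poster observed, not a complete model of the CSM; everything else is plain text parsing.

```python
"""Trace how a CSM real's outbound traffic shows up at the FWSM (added example)."""
import ipaddress

# Constructed input: the posted CSM config trimmed to the commands this script reads.
CSM_CONFIG = """\
serverfarm SRVR1-WWW
 real 10.10.20.52
 real 10.10.20.53
 real 10.10.20.54
vserver SRVR1-WWW
 virtual 10.10.8.52 tcp www
 serverfarm SRVR1-WWW
vlan 20 server
 ip address 10.10.20.11 255.255.255.0 alt 10.10.20.12 255.255.255.0
 alias 10.10.20.10 255.255.255.0
vlan 8 client
 ip address 10.10.8.11 255.255.255.0 alt 10.255.8.12 255.255.255.0
 gateway 10.10.8.1
static nat virtual
 real 10.10.20.0 255.255.255.0
"""

# Constructed input: the posted FWSM interfaces the CSM can reach.
FWSM_CONFIG = """\
interface Vlan8
 nameif SERVER1
 ip address 10.10.8.1 255.255.255.0 standby 10.10.8.2
interface Vlan20
 nameif WEB
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
"""

REAL_GATEWAY = "10.10.20.10"   # default gateway configured on the reals, per the thread


def parse_csm(text):
    """Collect farm reals, vserver VIPs, CSM VLAN addresses and static-NAT real ranges."""
    cfg = {"farms": {}, "vservers": {}, "vlans": {}, "static_nat": []}
    kind = tgt = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():                     # an unindented command opens a block
            kind = tgt = None
            if words[0] == "serverfarm":
                kind, tgt = "farm", cfg["farms"].setdefault(words[1], [])
            elif words[0] == "vserver":
                kind, tgt = "vserver", cfg["vservers"].setdefault(words[1], {})
            elif words[0] == "vlan" and len(words) == 3:
                kind, tgt = "vlan", cfg["vlans"].setdefault(int(words[1]), {"type": words[2], "addrs": set()})
            elif words[:3] == ["static", "nat", "virtual"]:
                kind, tgt = "static", cfg["static_nat"]
        elif kind == "farm" and words[0] == "real":
            tgt.append(words[1])
        elif kind == "vserver" and words[0] == "virtual":
            tgt["vip"] = words[1]
        elif kind == "vserver" and words[0] == "serverfarm":
            tgt["farm"] = words[1]
        elif kind == "vlan" and words[:2] == ["ip", "address"]:
            tgt["subnet"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            tgt["addrs"].add(words[2])
            if "alt" in words:
                tgt["addrs"].add(words[words.index("alt") + 1])
        elif kind == "vlan" and words[0] == "alias":
            tgt["addrs"].add(words[1])               # the alias is what the reals point at
        elif kind == "vlan" and words[0] == "gateway":
            tgt["gateway"] = words[1]                # client-side next hop (the FWSM)
        elif kind == "static" and words[0] == "real":
            tgt.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return cfg


def parse_fwsm(text):
    """One dict per FWSM interface: nameif and primary IP address."""
    ifaces = []
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0] == "interface":
            ifaces.append({"vlan": words[1]})
        elif words and ifaces and words[0] == "nameif":
            ifaces[-1]["nameif"] = words[1]
        elif words and ifaces and words[:2] == ["ip", "address"]:
            ifaces[-1]["ip"] = words[2]
    return ifaces


def trace_real(csm, fwsm, real, gateway):
    """For one real: its CSM server VLAN, whether its gateway is a CSM address on that
    VLAN, the source address the FWSM sees, and the FWSM interface that receives it."""
    r = ipaddress.ip_address(real)
    out = {"real": real, "server_vlan": None, "gateway_on_csm": False,
           "source_seen_by_fwsm": real, "fwsm_ingress": None}
    for vid, v in csm["vlans"].items():
        if v["type"] == "server" and "subnet" in v and r in v["subnet"]:
            out["server_vlan"], out["gateway_on_csm"] = vid, gateway in v["addrs"]
    # Assumed 'static nat virtual' behaviour, matching what the poster observed: a real in
    # a listed range is source-NATted to the VIP of the vserver whose farm contains it.
    if any(r in net for net in csm["static_nat"]):
        for vs in csm["vservers"].values():
            if real in csm["farms"].get(vs.get("farm"), []):
                out["source_seen_by_fwsm"] = vs["vip"]
    # The CSM hands the packet to its client-VLAN gateway; find the FWSM interface owning it.
    gw = next((v["gateway"] for v in csm["vlans"].values() if "gateway" in v), None)
    out["fwsm_ingress"] = next((i["nameif"] for i in fwsm if i.get("ip") == gw), None)
    return out


if __name__ == "__main__":
    csm, fwsm = parse_csm(CSM_CONFIG), parse_fwsm(FWSM_CONFIG)
    for real in csm["farms"]["SRVR1-WWW"]:
        print(trace_real(csm, fwsm, real, REAL_GATEWAY))
```

Run as-is, it reports for each real that VLAN 20 covers it, that 10.10.20.10 is the CSM alias on that VLAN, that the FWSM sees the source as 10.10.8.52, and that the packet arrives on the FWSM's SERVER1 interface (the one owning 10.10.8.1), not on WEB. That last point is the practical takeaway: any access-list, nat or static the FWSM needs for the reals' outbound traffic has to be written for the SERVER1 interface and the VIP address, not for WEB or 10.10.20.x. Deleting the vlan 20 server block from the input reproduces the situation Diego was probing in the original snapshot, with no server VLAN covering the reals.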