Firewall Load Balancing with CSS 11503

Answered Question
Mar 5th, 2007

We are trying to figure out if it is possible to port forward traffic from the Internet to a CSS content rule and have it load balance across a set of services without a default gateway.


Here is what we have:


Internet
|
|
RouterA
(Port forward SMTP from public IP to private IP VIP address on CSS)
|
| Internal Network A
|
FirewallA
|
| Internal Network B
|
11503CSS
|
| SMTP VIP on Internal Network C
|
+SMTPServiceA
|
+SMTPServiceB



Because the source IP is a public IP, we seem to only be able to make this work by configuring a global IP route of 0.0.0.0 0.0.0.0 to the Internal Network B IP on FirewallA.


Although it does work, we want to add another FirewallB for just HTTP traffic to be port forwarded to a different VIP; i.e. we want SMTP traffic through one firewall, and HTTP traffic through a different one. Now I have two paths to maintain a session. Can the CSS support this type of configuration? Is there a better way? (We tried firewall load balancing the first time around, but were unable to get it to allow different protocols to go through different firewalls.)


Thanks!


- John

Overall Rating: 5 (1 ratings)
Correct Answer
Gilles Dufour (Cisco Employee) Tue, 03/06/2007 - 00:27

You can configure 2 default routes on the CSS; it will select the appropriate one automatically based on where the request came from.

So, if your HTTP traffic comes in from firewall-B, the CSS will send the response to firewall-B.


Gilles.
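A small model of why the return path matters in this topology, added here as an illustration and not taken from the thread or from Cisco. It assumes FirewallA and FirewallB are stateful, uses constructed addresses and hypothetical class names, and models only the behaviour described in the answer above, not CSS internals.

```python
# Added illustrative model; not Cisco CSS code. All names and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    name: str
    seen: set = field(default_factory=set)  # connections whose first packet crossed this firewall

    def inbound(self, conn):
        self.seen.add(conn)

    def passes_reply(self, conn):
        # Assumption: a stateful firewall only passes replies for connections it saw open.
        return conn in self.seen

@dataclass
class LoadBalancer:
    default_routes: list       # firewalls configured as default next hops
    return_by_ingress: bool    # True models the behaviour described in the answer
    flows: dict = field(default_factory=dict)

    def request(self, conn, ingress_fw):
        ingress_fw.inbound(conn)
        self.flows[conn] = ingress_fw  # remember where the request came from

    def reply(self, conn):
        # False models the original setup: every reply follows the single default route.
        fw = self.flows[conn] if self.return_by_ingress else self.default_routes[0]
        return fw.name, fw.passes_reply(conn)

def simulate(return_by_ingress):
    fw_a, fw_b = StatefulFirewall("FirewallA"), StatefulFirewall("FirewallB")
    lb = LoadBalancer([fw_a, fw_b], return_by_ingress)
    smtp = ("203.0.113.10", 40001, "smtp-vip", 25)  # constructed client -> SMTP VIP
    http = ("203.0.113.20", 40002, "http-vip", 80)  # constructed client -> HTTP VIP
    lb.request(smtp, fw_a)  # SMTP is port forwarded through FirewallA
    lb.request(http, fw_b)  # HTTP is port forwarded through FirewallB
    return {"smtp": lb.reply(smtp), "http": lb.reply(http)}

if __name__ == "__main__":
    print("single default route via FirewallA:", simulate(False))
    print("reply returned via ingress firewall:", simulate(True))
```

In the first case the HTTP reply leaves through FirewallA, which never saw the connection open, so the session breaks; in the second each reply leaves through the firewall it arrived on.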

john.robel Tue, 03/06/2007 - 11:01

Gilles,


Wow, that works! However, I don't understand how or why it works. Seems like there are now two paths to the same network.


On a related note, with multiple default gateways on the CSS, how could I direct all outbound traffic that originates from the servers to a single default gateway? Does the CSS just round robin outbound traffic across equal cost paths?


Thank you for your help.


- John
