Cisco CSS 11501 Service Redirection

Unanswered Question
Apr 4th, 2007
User Badges:


We have kept CSS 1 & CSS 2 in DMZ zone & servers are kept at LAN segment. Proxy, DNS & OID (Oracle Instance ID) services are created at these CSS. I want users coming from outside will hit CSS at DMZ zone & based upon access requirement he will be redirected to the LAN servers for proxy , dns or OID access. Whether it is possible? If so then please guide me with the config...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 04/04/2007 - 01:32
User Badges:
  • Cisco Employee,

you have to be careful when using the term redirect.

redirect is a possibility with HTTP.

For other protocols, there is no concept of redirect. But you can forward the traffic from the CSS in the DMZ to a server on the internal network.

The only thing to remember is that the CSS, like a firewall, needs to see all traffic from client to server and from server to client.

So, in your setup, since the CSS will not be inline between client-server, you have to find a way to force the traffic to go back to the CSS.

The easiest solution is to nat traffic going through the CSS.

The drawbacks is that the servers do not see the real client ip address. They just see the nated ip address.

Another solution, more complex is to use policy routing to intercept traffic and forward when need to the CSS.



acharyr123 Wed, 04/04/2007 - 01:47
User Badges:

Thanks for quick reply Gilles. But can u help with config example for the setup that i have? I attached the logical diagram also & from CSS to LAN server access is happening to-fro.

Regards...Partha Acharya

Gilles Dufour Wed, 04/04/2007 - 02:38
User Badges:
  • Cisco Employee,

there is no special config if the servers are remote or locally attached.

Just configure ip addresses and make sure routing table is correct.

Then, if you want to use the easy solution to nat all traffic here is a sample config

service proxy1

ip x.x.x.x


owner Company

content proxy

vip x.x.x.x

add service proxy1


group NatClient

vip x.x.x.x

add destination service proxy1



acharyr123 Wed, 04/04/2007 - 02:58
User Badges:


thanks a lot for this help. One last query:

group NatClient

vip-----is this the same ip address of "vip-content proxy?"

Regards..Partha Acharya


This Discussion