Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
525
Views
0
Helpful
4
Replies

Cisco CSS 11501 Service Redirection

acharyr123
Level 3
Level 3

‎04-04-2007 01:13 AM

Hi,

We have kept CSS 1 & CSS 2 in DMZ zone & servers are kept at LAN segment. Proxy, DNS & OID (Oracle Instance ID) services are created at these CSS. I want users coming from outside will hit CSS at DMZ zone & based upon access requirement he will be redirected to the LAN servers for proxy , dns or OID access. Whether it is possible? If so then please guide me with the config...

Labels:
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎04-04-2007 01:32 AM

you have to be careful when using the term redirect.

redirect is a possibility with HTTP.

For other protocols, there is no concept of redirect. But you can forward the traffic from the CSS in the DMZ to a server on the internal network.

The only thing to remember is that the CSS, like a firewall, needs to see all traffic from client to server and from server to client.

So, in your setup, since the CSS will not be inline between client-server, you have to find a way to force the traffic to go back to the CSS.

The easiest solution is to nat traffic going through the CSS.

The drawbacks is that the servers do not see the real client ip address. They just see the nated ip address.

Another solution, more complex is to use policy routing to intercept traffic and forward when need to the CSS.

Regards,

Gilles.

0 Helpful

acharyr123
Level 3
Level 3
In response to Gilles Dufour

‎04-04-2007 01:47 AM

Thanks for quick reply Gilles. But can u help with config example for the setup that i have? I attached the logical diagram also & from CSS to LAN server access is happening to-fro.

Regards...Partha Acharya

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to acharyr123

‎04-04-2007 02:38 AM

there is no special config if the servers are remote or locally attached.

Just configure ip addresses and make sure routing table is correct.

Then, if you want to use the easy solution to nat all traffic here is a sample config

service proxy1

ip x.x.x.x

active

owner Company

content proxy

vip x.x.x.x

add service proxy1

active

group NatClient

vip x.x.x.x

add destination service proxy1

active

Gilles.

0 Helpful

acharyr123
Level 3
Level 3
In response to Gilles Dufour

‎04-04-2007 02:58 AM

Gilles,

thanks a lot for this help. One last query:

group NatClient

vip-----is this the same ip address of "vip-content proxy?"

Regards..Partha Acharya

0 Helpful
Customers Also Viewed These Support Documents