CSS11506 - Moving backend web servers behind firewall

Unanswered Question

Again another newbie CSS question. But now that I have the CSS terminating both SSL connections for my backend web servers, is it possible to move the servers off the same subnet as the CSS (public zone) and move them back into my production LAN, which is behind another PIX interface? Not sure how I could do this, as so far I can only make my setup work when the web servers are connected to the CSS11506 switch module.

Looking for best practice suggestions here.

Any help is appreciated.



Gilles Dufour (Cisco Employee) Tue, 05/15/2007 - 04:19


You can.

However, you have to guarantee that the response from the server to the client goes through the CSS, because the client is normally talking to the VIP and not to the server. So the CSS needs to see the traffic to NAT the server IP into the VIP.

If the CSS is in a DMZ and the server on the inside, the chances are the server will respond directly to the client, breaking the setup.

You can force the CSS to do client NAT using a source group. This will guarantee that all responses go back to the CSS.

But your server log will show only connections from the CSS.

Another solution is to put the CSS on the inside as well with the servers.

Or to place it on the outside between the firewall and the gateway, but it will be subject to attack.
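The source-group approach from the reply, shown as an added configuration example (it is not part of Gilles' answer or of Cisco documentation). All addresses, service names and the group name are constructed placeholders; the SSL-termination configuration the question mentions is left out so only the return-path part is visible.

```text
! Constructed example: addresses and names are placeholders.
! Real servers on the inside LAN (behind the PIX), reached from the CSS
! through the firewall; backend traffic is plain HTTP after SSL termination.
service web1
  ip address 10.10.20.11
  port 80
  keepalive type tcp
  active

service web2
  ip address 10.10.20.12
  port 80
  keepalive type tcp
  active

! Public VIP the clients connect to.
owner webowner
  content http-vip
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! Source group doing client NAT: every client connection the CSS forwards to
! web1/web2 is rewritten so its source address is the group VIP, which lives
! on the CSS. The servers therefore answer 192.0.2.20, and the reply is routed
! back through the CSS instead of straight to the client via the inside PIX
! interface (the asymmetric path that breaks the setup).
group client-nat
  vip address 192.0.2.20
  add destination service web1
  add destination service web2
  active
```

Two things to check after applying such a group: the PIX must permit traffic from the group VIP (192.0.2.20 here) to the servers and the replies back, and, as the reply warns, the web servers' access logs will record 192.0.2.20 as the client for every request, so any log-based correlation or client-IP filtering on the servers has to account for that.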


