CSS11506 - Moving backend web servers behind firewall

dclee
Level 1

Again, another newbie CSS question. Now that I have the CSS terminating both SSL connections for my backend web servers, is it possible to move the servers off the same subnet as the CSS (public zone) and back into my production LAN, which is behind another PIX interface? Not sure how I could do this, as so far I can only make my setup work when the web servers are connected to the CSS11506 switch module.

Looking for best practice suggestions here.

Any help is appreciated.

Thanks

Dave

2 Replies

Gilles Dufour
Cisco Employee

Dave,

you can.

However, you have to guarantee that the response from the server to the client goes through the CSS, because the client is normally talking to the VIP and not the server. So the CSS needs to see the traffic to NAT the server IP into the VIP.

If the CSS is in a DMZ and the server on the inside, chances are the server will respond directly to the client, breaking the setup.

You can force the CSS to do client NAT using a source group. This will guarantee that all responses go back to the CSS.

But your server log will show only connections from the CSS.

Another solution is to put the CSS on the inside as well with the servers.

Or to place it on the outside between the firewall and the gateway, but it will be subject to attack.

Gilles.
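The source-group approach from the reply above, written out as an added illustrative CSS configuration (not from the original post): it assumes SSL is already terminated on the CSS and the decrypted traffic hits a port-80 content rule, and all service names, owner names and addresses are placeholders.

```text
! Backend web servers now sitting on the inside LAN behind the PIX
! (names and addresses are assumed for this example)
service web1
  ip address 10.10.20.11
  port 80
  keepalive type http
  active

service web2
  ip address 10.10.20.12
  port 80
  keepalive type http
  active

! Port-80 content rule that receives the decrypted traffic after SSL
! termination on the CSS and balances it to the inside servers
owner example
  content www-backend
    vip address 192.0.2.100
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! Source group: client connections destined to web1/web2 leave the CSS
! with their source address rewritten to the group VIP, so the servers
! answer to the CSS (which un-NATs back to the client) instead of
! replying straight to the client and bypassing the CSS
group nat-to-inside
  vip address 192.0.2.101
  add destination service web1
  add destination service web2
  active
```

With this in place the PIX only needs to permit the group VIP, not arbitrary Internet clients, to reach the servers on port 80, which is a tighter rule than the servers sitting in the public zone. The trade-off is the one noted in the reply: the servers' access logs will record the group VIP as the client address, so per-client visibility has to come from the CSS or the firewall logs instead.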

Thanks Gilles, I ended up using the source group approach. That seems to work fine. I don't think the web server logs are an issue at this point.

Thanks again.

Dave
