CSS one armed configuration help

Unanswered Question
Jun 4th, 2007

I need the ability to have a single server in a one armed configuration separated by an ASA5510. From what I understand, this is possible by natting the source address in the CSS so the return traffic from the server will flow through it. Question is, how do I get the initial request to flow to the CSS with my static in the firewall? Any request from the outside will go directly inside. I'm obviously missing something here.




CSS11501 -- DMZ -- ASA -- INSIDE -- SERVER(

ip addr outside
ip addr inside
ip addr dmz
static (inside,outside) netmask


Overall Rating: 5 (1 ratings)
Gilles Dufour Mon, 06/04/2007 - 07:21

you need to change the destination so that it belongs to the CSS.

The CSS then nats the destination ip with the server ip and the client ip with whatever ip belongs to the CSS.

If you can change the dns server, you can create a new ip on the CSS for the content rule and use this vip address in your dns server.

If you can't change it or don't want to, you can take the server ip and use it for the CSS content rule and change the server ip with a new one.


acomiskey Mon, 06/04/2007 - 07:59

Thanks Gilles,

Actually the CSS is the authoritative DNS, so that should work?

Is this what you mean?


static (inside,outside) netmask

circuit VLAN200
ip address

service ftp1
ip address
protocol tcp
port 21

content FTP
dnsbalance preferlocal
vip address
add service ftp1
add dns ftp.mydomain.com



Gilles Dufour Tue, 06/05/2007 - 07:05

the CSS vlan is, so the vip should most probably be internally.

If you want the CSS to advertise, you should let the firewall do dns fixup to update the dns response when going out.

Or use a zone based dns on the CSS instead of rule based.

Zone based dns lets you configure a dns A record and therefore use whatever ip you want in the response.


acomiskey Tue, 06/05/2007 - 11:53

So let me see if I have this straight.

If the vip was internally, my static would remain the same...

static (inside,outside) netmask

But the A record on the CSS would not be the vip it would be

Once the request hit the CSS requesting, it would nat the source address to itself, then translate the destination to the inside address.

Gilles Dufour Wed, 06/06/2007 - 01:41

you got it right.

Except that the client ip address is by default unchanged. If you want to nat the source address as well, you need to configure a source group with the command 'group'
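
As an added illustration of the arrangement Gilles describes (a content rule whose VIP belongs to the CSS, plus a source group so that the server's replies come back through the CSS rather than straight out through the ASA), here is a hypothetical CSS 11500 and ASA fragment written for this thread; it is not configuration posted by either participant. All addresses are RFC 5737 / private documentation addresses chosen here, the names ftp1, FTP, lab and ftp-snat are placeholders, and the use of `add destination service` under the group (rather than `add service`, which translates server-originated flows) is my reading of the CSS source-group syntax.

```text
! ASA, pre-8.3 syntax as used in the thread. Public address for the server,
! translated to the inside host. Addresses are constructed placeholders.
static (inside,outside) 192.0.2.10 10.10.10.20 netmask 255.255.255.255

! CSS 11501, DMZ-facing circuit. Assumed: 172.16.1.0/24 is the DMZ.
circuit VLAN200
  ip address 172.16.1.5 255.255.255.0

! The real server, reached from the DMZ through the ASA.
service ftp1
  ip address 10.10.10.20
  protocol tcp
  port 21
  active

! Content rule: the VIP is the CSS-owned address clients are told to use.
owner lab
  content FTP
    vip address 172.16.1.100
    protocol tcp
    port 21
    add service ftp1
    active

! Source group: for flows the content rule sends to ftp1, rewrite the client
! source to a second CSS-owned address. The server then answers the CSS, so
! both directions of the flow pass the CSS and the ASA sees a symmetric path.
group ftp-snat
  vip address 172.16.1.101
  add destination service ftp1
  active
```

Without the group the server sees the original client address and replies via its own default gateway, so the CSS only ever sees the client-to-server half of each connection; that asymmetry is exactly what the one-armed design has to avoid. The trade-off is that the server's logs will show the group VIP rather than the real client address.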


acomiskey Wed, 06/06/2007 - 05:22

Thanks Gilles, you've been quite helpful.

I have looked through the documentation you posted previously on zones, but am not sure how to go about switching from my current GSLB setup. Will my current GSLB setup remain the same, the only thing that changes is the way the dns works?

acomiskey Wed, 06/13/2007 - 12:16

I suppose moving to zone based will make my current site redundancy setup not function properly. I don't see any way to use zone based dns and have the decision based upon content rules like you can do with rules based dns and an acl.


