CSS one armed configuration help

Unanswered Question
Jun 4th, 2007

I need the ability to have a single server in a one armed configuration separated by an ASA5510. From what I understand, this is possible by natting the source address in the CSS so the return traffic from the server will flow through it. Question is, how do I get the initial request to flow to the CSS with my static in the firewall? Any request from the outside will go directly inside. I'm obviously missing something here.

                OUTSIDE
                   |
                   |
CSS11501 -- DMZ -- ASA -- INSIDE -- SERVER(172.16.1.10)

-ASA-
ip addr outside 1.1.1.1
ip addr inside 172.16.1.1
ip addr dmz 192.168.200.1
static (inside,outside) 1.1.1.2 172.16.1.10 netmask 255.255.255.255

-CSS-
192.168.200.10

Gilles Dufour Mon, 06/04/2007 - 07:21

You need to change the destination so that it belongs to the CSS.

The CSS then NATs the destination IP with the server IP and the client IP with whatever IP belongs to the CSS.

If you can change the dns server, you can create a new ip on the CSS for the content rule and use this vip address in your dns server.

If you can't change it or don't want to, you can take the server ip and use it for the CSS content rule and change the server ip with a new one.

Gilles.

acomiskey Mon, 06/04/2007 - 07:59

Thanks Gilles,

Actually the CSS is the authoritative DNS, so that should work?

Is this what you mean?

-ASA-
static (inside,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255

-CSS-
circuit VLAN200
  ip address 192.168.200.2 255.255.255.0

service ftp1
  ip address 172.16.1.10
  protocol tcp
  port 21
  active

content FTP
  dnsbalance preferlocal
  vip address 1.1.1.2
  add service ftp1
  add dns ftp.mydomain.com
  active

thanks.

Gilles Dufour Tue, 06/05/2007 - 07:05

The CSS VLAN is 192.168.200.2, so the VIP should most probably be 192.168.200.10 internally.

If you want the CSS to advertise 1.1.1.2, you should let the firewall do DNS fixup to update the DNS response when going out.

Or use zone-based DNS on the CSS instead of rule-based.

Zone-based DNS lets you configure DNS A records and therefore use whatever IP you want in the response.

gilles.

acomiskey Tue, 06/05/2007 - 11:53

So let me see if I have this straight.

If the vip was 192.168.200.10 internally, my static would remain the same...

static (inside,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255

But the A record on the CSS would not be the vip it would be 1.1.1.2.

Once the request hit the CSS requesting 192.168.200.10, it would nat the source address to itself, then translate the destination to the inside address 172.16.1.10?

Gilles Dufour Wed, 06/06/2007 - 01:41

You got it right.

Except that the client IP address is by default unchanged. If you want to NAT the source address as well, you need to configure a source group with the command 'group'.

gilles.
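
The following is an added example, not part of the thread and not Cisco code: a small Python model of the two NAT hops described above (the ASA static 1.1.1.2 -> 192.168.200.10 and the CSS VIP -> 172.16.1.10), run once without and once with a CSS source group, to show why the reply only comes back through the CSS when the client source address is rewritten. The client address 203.0.113.5 and the source-group address 192.168.200.11 are constructed for the example; the ASA is modelled as a stateful firewall that drops a mid-stream packet for which it holds no connection on the interface pair the packet is routed across.

```python
"""Model of one client flow through ASA static NAT and a one-armed CSS VIP.

Constructed example; addresses are from the thread except CLIENT and
CSS_SNAT, which are assumed values for illustration.
"""
from dataclasses import dataclass

CLIENT = "203.0.113.5"            # constructed outside client
ASA_OUTSIDE_STATIC = "1.1.1.2"    # thread: static (...,outside) 1.1.1.2
CSS_VIP = "192.168.200.10"        # thread: CSS VIP on the DMZ
SERVER = "172.16.1.10"            # thread: real server on the inside
CSS_SNAT = "192.168.200.11"       # ASSUMED source-group VIP, not from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool   # True only for the first packet of the flow


def interface_for(ip: str) -> str:
    """Route an address to the ASA interface it sits behind (thread subnets)."""
    if ip.startswith("172.16.1."):
        return "inside"
    if ip.startswith("192.168.200."):
        return "dmz"
    return "outside"


class ASA:
    """Stateful firewall: one bidirectional static plus a connection table."""

    def __init__(self):
        self.conns = set()   # (ingress, egress, src, dst) keyed on untranslated addresses

    @staticmethod
    def static(pkt: Packet) -> Packet:
        # static (...,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255
        if pkt.dst == ASA_OUTSIDE_STATIC:
            return Packet(pkt.src, CSS_VIP, pkt.syn)
        if pkt.src == CSS_VIP:
            return Packet(ASA_OUTSIDE_STATIC, pkt.dst, pkt.syn)
        return pkt

    def forward(self, pkt: Packet, ingress: str):
        """Return (egress interface, translated packet), or None if dropped."""
        out = self.static(pkt)
        egress = interface_for(out.dst)
        key = (ingress, egress, pkt.src, pkt.dst)
        if key in self.conns:
            return egress, out
        if not pkt.syn:
            return None                      # mid-stream packet, no connection: drop
        if ingress == "outside" and out == pkt:
            return None                      # inbound new flow must match a static
        self.conns.add(key)
        self.conns.add((egress, ingress, out.dst, out.src))   # reverse direction
        return egress, out


class CSS:
    """One-armed VIP: rewrite destination to the server, optionally the source too."""

    def __init__(self, source_nat: bool):
        self.source_nat = source_nat
        self.flows = {}   # (server-side src, server) -> (client, vip)

    def to_server(self, pkt: Packet) -> Packet:
        if pkt.dst != CSS_VIP:
            raise ValueError("packet did not arrive for the VIP")
        src = CSS_SNAT if self.source_nat else pkt.src   # 'group' command, if configured
        self.flows[(src, SERVER)] = (pkt.src, pkt.dst)
        return Packet(src, SERVER, pkt.syn)

    def from_server(self, pkt: Packet) -> Packet:
        client, vip = self.flows[(pkt.dst, pkt.src)]     # undo both rewrites
        return Packet(vip, client, pkt.syn)


def trace(source_nat: bool) -> dict:
    """Walk one request and its reply; report whether the reply reaches the client."""
    asa, css = ASA(), CSS(source_nat)
    hops = []
    pkt = Packet(CLIENT, ASA_OUTSIDE_STATIC, syn=True)
    egress, pkt = asa.forward(pkt, "outside")   # static: 1.1.1.2 -> VIP, out the DMZ
    hops.append(("asa->" + egress, pkt))
    pkt = css.to_server(pkt)
    hops.append(("css->asa", pkt))
    egress, pkt = asa.forward(pkt, "dmz")       # DMZ -> inside, connection recorded
    hops.append(("asa->" + egress, pkt))

    reply = Packet(SERVER, pkt.src, syn=False)  # server answers the source it saw
    result = asa.forward(reply, "inside")
    if result is None or result[0] != "dmz":
        return {"delivered": False, "symmetric": False, "hops": hops,
                "reason": "reply routed inside->outside, bypassing the CSS; "
                          "the ASA holds no connection on that interface pair"}
    egress, reply = result
    hops.append(("asa->" + egress, reply))
    reply = css.from_server(reply)
    hops.append(("css->asa", reply))
    egress, reply = asa.forward(reply, "dmz")   # static: VIP -> 1.1.1.2 on the way out
    hops.append(("asa->" + egress, reply))
    return {"delivered": True, "symmetric": True, "hops": hops,
            "client_sees_reply_from": reply.src}


if __name__ == "__main__":
    for snat in (False, True):
        print("source group configured:", snat, trace(snat))
```

Without the source group the server replies straight to the client address, the ASA routes that reply inside->outside where it has no connection entry, and the flow dies; with the source group the reply is addressed to the CSS, both rewrites are undone there, and the client sees the answer come from 1.1.1.2 as expected.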

acomiskey Wed, 06/06/2007 - 05:22

Thanks Gilles, you've been quite helpful.

I have looked through the documentation you posted previously on zones, but am not sure how to go about switching from my current GSLB setup. Will my current GSLB setup remain the same, the only thing that changes is the way the dns works?

acomiskey Wed, 06/13/2007 - 12:16

I suppose moving to zone based will make my current site redundancy setup not function properly. I don't see any way to use zone based dns and have the decision based upon content rules like you can do with rules based dns and an acl.

Comments?
