06-04-2007 06:38 AM
I need the ability to have a single server in a one armed configuration separated by an ASA5510. From what I understand, this is possible by natting the source address in the CSS so the return traffic from the server will flow through it. Question is, how do I get the initial request to flow to the CSS with my static in the firewall? Any request from the outside will go directly inside. I'm obviously missing something here.
        OUTSIDE
          |
          |
CSS11501 -- DMZ -- ASA -- INSIDE -- SERVER(172.16.1.10)
-ASA-
ip addr outside 1.1.1.1
ip addr inside 172.16.1.1
ip addr dmz 192.168.200.1
static (inside,outside) 1.1.1.2 172.16.1.10 netmask 255.255.255.255
-CSS-
192.168.200.10
06-04-2007 07:21 AM
You need to change the destination so that it belongs to the CSS.
The CSS then NATs the destination IP with the server IP and the client IP with whatever IP belongs to the CSS.
If you can change the DNS server, you can create a new IP on the CSS for the content rule and use this VIP address in your DNS server.
If you can't change it or don't want to, you can take the server IP and use it for the CSS content rule and change the server IP to a new one.
Gilles.
06-04-2007 07:59 AM
Thanks Gilles,
Actually the CSS is the authoritative DNS, so that should work?
Is this what you mean?
-ASA-
! 192.168.200.10 lives on the dmz interface, so the static must be (dmz,outside), not (inside,outside)
static (dmz,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255
-CSS-
circuit VLAN200
  ip address 192.168.200.2 255.255.255.0
service ftp1
  ip address 172.16.1.10
  protocol tcp
  port 21
  active
content FTP
  dnsbalance preferlocal
  vip address 1.1.1.2
  add service ftp1
  add dns ftp.mydomain.com
  active
thanks.
06-04-2007 10:19 AM
Will that work?
06-05-2007 07:05 AM
The CSS VLAN is 192.168.200.2, so the VIP should most probably be 192.168.200.10 internally.
If you want the CSS to advertise 1.1.1.2, you should let the firewall do DNS fixup to update the DNS response on the way out.
Or use zone-based DNS on the CSS instead of rule-based.
Zone-based DNS lets you configure DNS A records and therefore use whatever IP you want in the response.
gilles.
06-05-2007 11:53 AM
So let me see if I have this straight.
If the vip was 192.168.200.10 internally, my static would remain the same...
static (inside,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255
But the A record on the CSS would not be the vip it would be 1.1.1.2.
Once the request hit the CSS requesting 192.168.200.10, it would nat the source address to itself, then translate the destination to the inside address 172.16.1.10?
06-06-2007 01:41 AM
you got it right.
Except that the client IP address is by default unchanged. If you want to NAT the source address as well, you need to configure a source group with the 'group' command.
gilles.
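Putting the thread's pieces together, the following is an added illustrative configuration for the one-armed design; it is not either poster's config. Addresses, interface names and the service/content names follow the thread; the owner name, group name, ACL names, keepalive choice and the zone-based DNS lines are assumptions. It corrects the interface pair on the ASA static (192.168.200.10 is on the dmz interface, not inside) and adds the CSS source group Gilles mentions, which is what forces the server's replies back through the CSS.

```cisco
! ===== ASA 5510 (7.x syntax), added example =====
! Public 1.1.1.2 now maps to the CSS VIP on the DMZ instead of the inside server.
! The 'dns' keyword makes 'inspect dns' (in the default global policy) rewrite
! A-record answers containing 192.168.200.10 to 1.1.1.2 as they leave outside,
! which is the "DNS fixup" Gilles refers to for the rule-based DNS setup.
static (dmz,outside) 1.1.1.2 192.168.200.10 netmask 255.255.255.255 dns
!
! Identity static so the CSS on the DMZ can reach the inside server by its real address.
static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255
!
! Expose only FTP control on the public address; the existing DNS listener path is unchanged and not shown.
access-list outside_in extended permit tcp any host 1.1.1.2 eq ftp
access-group outside_in in interface outside
!
! dmz is lower security than inside, so CSS-to-server traffic must be permitted explicitly,
! and only from the address the CSS will source-NAT to (see 'group' below).
access-list dmz_in extended permit tcp host 192.168.200.2 host 172.16.1.10 eq ftp
access-group dmz_in in interface dmz
! Keep 'inspect ftp' in the global policy so the data channel is handled.

! ===== CSS 11501, one-armed on VLAN200, added example =====
circuit VLAN200
  ip address 192.168.200.2 255.255.255.0
!
! Default route back through the ASA dmz interface.
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
service ftp1
  ip address 172.16.1.10
  protocol tcp
  port 21
  keepalive type tcp
  active
!
owner demo
  content FTP
    ! VIP sits on the CSS's own subnet; the ASA static above publishes it as 1.1.1.2.
    vip address 192.168.200.10
    protocol tcp
    port 21
    application ftp-control
    dnsbalance preferlocal
    add dns ftp.mydomain.com
    add service ftp1
    active
!
! Source group: client flows sent to ftp1 leave the CSS with source 192.168.200.2,
! so the server answers the CSS rather than routing straight back to the ASA.
! Without this the one-armed design breaks with an asymmetric return path.
group ftp-snat
  vip address 192.168.200.2
  add service ftp1
  active
!
! Alternative to DNS doctoring (Gilles' second suggestion): zone-based DNS on the CSS,
! where the A record carries the public address directly. Syntax recalled from the
! CSS GSLB guide and not verified for a specific release; the final post of the
! thread questions whether it coexists with rule-based 'add dns', so check that too.
!   dns-server zone 0 tier1 "site1"
!   dns-record a ftp.mydomain.com 1.1.1.2 0 single kal-icmp
!   dns-server
```

A quick check that the SNAT is in effect: from the server, a connection from a client should appear to come from 192.168.200.2, not the client's public address; if the client address shows up, the group is not active or the service was not added to it, and the server's replies will bypass the CSS.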
06-06-2007 05:22 AM
Thanks Gilles, you've been quite helpful.
I have looked through the documentation you posted previously on zones, but am not sure how to go about switching from my current GSLB setup. Will my current GSLB setup remain the same, the only thing that changes is the way the dns works?
06-13-2007 12:16 PM
I suppose moving to zone-based will make my current site redundancy setup not function properly. I don't see any way to use zone-based DNS and have the decision based upon content rules like you can do with rule-based DNS and an ACL.
Comments?