Assuming this arrangement in the Aggregation/Distribution layer chassis:
to core layer
| (L3 p-t-p /30 net)
MSFC (OSPF)
| (shared firewall outside vlan)
FWSM (routed mode context)
| (CSM client vlan = fw inside vlan)
CSM (bridge mode)
| (CSM server vlan)
layer-2 access vlan
If we want to use private addresses on the CSM server vlan and have route health injection (RHI) on the CSM inject static routes into the MSFC routing process, then the NAT needs to happen up at the MSFC.
Or is there another way?
Question 1: Is there any way to have RHI inject an alternate vserver address corresponding to the pre-static-NAT address on the FWSM?
Question 2: If I have a vserver on the CSM with VIP A and TCP port X and another vserver with VIP A and TCP port Y, doesn't RHI mask the availability at the port level, since RHI and routing don't track transport layer ports?