CSM RHI interaction with NAT on FWSM

Unanswered Question
Aug 1st, 2007

assuming this arrangement in Aggregation/Distribution layer chassis:

to core layer

| (L3 p-t-p /30 net)

MSFC (OSPF)

| (shared firewall outside vlan)

FWSM (routed mode context)

| (CSM client vlan = fw inside vlan)

CSM (bridge mode)

| (CSM server vlan)

layer-2 access vlan

if we want to use private addresses on the CSM server vlan and have route health injection (RHI) on CSM inject static routes onto MSFC routing process, then the NAT needs to happen up at the MSFC.

Or is there another way?

Question 1: is there any way to have RHI inject an alternate vserver address corresponding to pre-static-NAT address on FWSM?

Question 2: If I have a vserver on CSM with VIP A and TCP port X and another vserver with VIP A and TCP port Y, doesn't RHI mask the availability at the port level since RHI and routing and don't track transport layer ports?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Fri, 08/03/2007 - 00:46

the trick is to configure fake vserver on the csm with the fwsm nat address and use the same serverfarm with the advertise command.

Like this the CSM will insert a route to the correct address.

The FWSM will nat the traffic and send it to the correct vserver [not the one with the nated address].

I didn't try it myself, but I have seen some people doing it.

Gilles.

Actions

This Discussion