Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
3
Replies

One CSS behind 2 PIX Segments

b.tyler
Level 1
Level 1

‎10-02-2007 10:16 AM

I have a need to use 1 CSS to balance server farms that reside on 2 different PIX segments. So Internet traffic destined for a server farm on "DMZ 1" would be balanced and traffic destined for a server farm on "DMZ 2" would be balanced through the same CSS. Also, I have a 2nd CSS for redundancy. I am not sure of the best way to accomplish this and keep traffic routing through the proper PIX interface.

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎10-03-2007 12:05 AM

Placing the CSS outside is the easiest solution.

But then the device is not protected by the firewalls.

If you attach the CSS to both DMZ, then you have a device routing between 2 DMZ, bypassing the firewalls which is not a great idea.

Placing the CSS in 1 DMZ is ok, but then you need to turn on client nat for traffic having to be loadbalanced to the other DMZ.

Placing the CSS inside, is the worst, as you need client nat for both DMZ.

So, hopefully you'll be able to decide what is better for you with this information.

Gilles.

0 Helpful

b.tyler
Level 1
Level 1
In response to Gilles Dufour

‎10-03-2007 03:24 AM

Right now I have the CSS connected to both DMZ's and all VIP's are in in "DMZ1". When I connect to a VIP with servers in "DMZ2" it seems to work OK. I had to set the defalt gateway of the servers in DMZ2 to the VLAN interface on the CSS. The problem is that when one of those servers tries to initiate a connection to the Internet, it can't since the gateway is the CSS and the CSS only has 1 default route and that is through DMZ1. So now I have asymetric routing through the PIX.

There has to be a better way.

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to b.tyler

‎10-03-2007 04:11 AM

you can use an acl to match traffic from the servers in DMZ2 and set the nexthop to be the pix ip in dmz2.

Sth like this :

service pix-dmz2

ip address x.x.x.x

type transparent

active

acl 1

clause 10 permit any any destination any prefer pix-dmz2

apply circuit-vlan-dmz2

But being connected to the 2 dmz is not "secure" as the CSS can bypass the firewall.

There is no point using 2 DMZ if at the end you have a device being able to connect those 2 vlans bypassing the firewall.

So, just use 1 DMZ.

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents