CSS11501/3 GSLB/SSL-Term with servers using alt gateway

Unanswered Question
Oct 2nd, 2007

Is it really required to have servers connected directly to the CSS with the CSS VIP(s) as their gateways? Can we not simply configure our ASA for static-NAT to the VIPs on the CSS, with the servers using the ASA DMZ int as their gateway? What do we lose if we do this?

Gilles Dufour Wed, 10/03/2007 - 00:01

It is indeed not required to use the CSS as default gateway for your server.

But since the CSS is a stateful device it needs to see both flows of a connection.

So, you need to guarantee that the server response goes back to the CSS.

If not using the CSS as a default gateway for the servers, you then need either policy routing or client nat on the CSS.

If going for client nat, your servers only see connections from a single ip address.

So no more statistics and no way for the server to know the real client from the source ip address.

Gilles.
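To make the client-NAT option concrete, the fragment below is an added illustration, not configuration posted by Gilles or taken from a CSS in this thread. It assumes a CSS 11500 running WebNS, a VIP of 172.16.0.10, and two real servers at 172.16.0.11 and 172.16.0.12 whose default gateway is the ASA DMZ interface rather than the CSS; all addresses and names are constructed for the example. The source group rewrites the client source address to the VIP on the way to the servers, so the server reply is addressed to the CSS and the CSS sees both halves of the connection even though it is not the gateway.

```text
! Real servers (constructed addresses)
service web1
  ip address 172.16.0.11
  active

service web2
  ip address 172.16.0.12
  active

! Load-balanced content rule on the VIP
owner abccompany
  content www
    vip address 172.16.0.10
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! Source group: client NAT for traffic sent to these services.
! Servers see every connection from 172.16.0.10, so the return
! path lands on the CSS regardless of the servers' default gateway.
group nat-clients
  vip address 172.16.0.10
  add destination service web1
  add destination service web2
  active
```

The trade-off Gilles describes is visible in the last stanza: once the group is active, the servers' own access logs record 172.16.0.10 as the peer for every request, so per-client statistics, rate limiting and after-the-fact attribution on the server side all depend on the CSS's flow records instead. If that loss is unacceptable, the alternative is policy routing on the gateway that forces server-originated return traffic for the VIP back through the CSS, which keeps the real client address intact.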

tonycody Wed, 10/03/2007 - 04:56

I hadn't thought of losing state - that may be a reason not to try doing it "our way". If we continue this way, though, you're referring to running policy maps on the actual gateway, correct?

Thanks for your reply!

tonycody Wed, 10/03/2007 - 06:41

In further thinking on this, perhaps we will stick with servers attached to the CSS. Our primary concern is that we can use the ASA on the perimeter and place the CSS in the DMZ (static NATs to the VIPs), with the servers behind the entire framework. So, in essence we would have a real of 10.0.0.10, for example, NAT it at the ASA to 172.16.0.10 (VIP on CSS) in the DMZ, with servers on 172.16.0.x. We don't want a scenario where we're placing the CSS either in front of or parallel to the ASAs.

Make sense?

tonycody Wed, 10/03/2007 - 06:51

I forgot to add that our primary interest in GSLB is to provide a VIP to "the world" while we're moving data centers. The goal would be to have www.abccompany.com resolve to a VIP in data center X, which would direct to either servers in X, or servers in data center Y. So, once our new servers in Y are online, we would simply take servers in X out of service, and change DNS for the VIP to be resolved to Y. And, we want the CSS in the DMZ the entire time.
