Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
0
Helpful
4
Replies

CSS11501/3 GSLB/SSL-Term with servers using alt gateway

tonycody
Level 1
Level 1

‎10-02-2007 08:29 PM

Is it really required to have servers connected directly to the CSS with the CSS VIP(s) as their gateways? Can we not simply configure our ASA for static-NAT to the VIPs on the CSS, with the servers using the ASA DMZ int as their gateway? What do lose if we do this?

Labels:
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎10-03-2007 12:01 AM

it is indeed not required to use the CSS as default gateway for your server.

But since the CSS is a stateful device it needs to see both flows of a connection.

So, you need to guarantee that the server response goes back to the CSS.

If not using the CSS as a default gateway for the servers, you then need either policy routing or client nat on the CSS.

If going for client nat, your servers only see connections from a single ip address.

So no more statistics and no way for the server to know the real client from the source ip address.

Gilles.

0 Helpful

tonycody
Level 1
Level 1
In response to Gilles Dufour

‎10-03-2007 04:56 AM

I hadn't thought of losing state - that may be a reason not to try doing it "our way". If we continue this way, though, you're referring to running policy maps on the actual gateway, correct?

Thanks for your reply!

0 Helpful

tonycody
Level 1
Level 1
In response to Gilles Dufour

‎10-03-2007 06:41 AM

In further thinking on this, perhaps we will stick with servers attached to the CSS. Our primary concern is that we can use the ASA on the perimeter and place the CSS in the DMZ (static NAT's to the VIPs), with the servers behind the entire framework. So, in essence we would have a real of 10.0.0.10, for example, NAT it at the ASA to 172.16.0.10 (VIP on CSS) in the DMZ, with servers on 172.16.0.x. We don't want a scenario where we're placing the CSS either in front of or parallel to the ASAs.

Make sense?

0 Helpful

tonycody
Level 1
Level 1
In response to tonycody

‎10-03-2007 06:51 AM

I forgot to add that our primary interest in GSLB is to provide a VIP to "the world" while we're moving data centers. The goal would be to have www.abccompany.com resolve to a VIP in data center X, which would direct to either servers in X, or servers in data center Y. So, once our new servers in Y are online, we would simply take servers in X out of service, and change DNS for the VIP to be resolved to Y. And, we want the CSS in the DMZ the entire time.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents