FWSM with CSS11501

nkariyawasam (Level 1)

I have a CSS11501 attached to one segment (A) on the FWSM. The actual web servers are on another segment (B). Users are sitting on segment C.

Users in C cannot get the screen over port 80 when they try to access the CSS. When we use another machine in the same CSS segment (A), we can access the servers via the CSS.

Also, if we use another real web server in segment A, where the CSS is sitting, all the users can access it. This proves that the firewall is allowing port 80 to be accessed from the user segment.

It seems like something special is required in either the CSS or the firewall configuration when clients are coming through the firewall.

Is there any experience that anybody can share with me for a similar situation?


3 Replies

Connect a laptop in segment A and try to access the web servers in segment B.

It seems the CSS is not able to access the web servers in segment B.

When you say "when they try to access CSS", do you mean the VIPs configured on the CSS?

If that is the case, then you need to verify whether the return traffic from the real server (when the request hits the VIP) is passing through the CSS or not.

If your client hits the VIP on the CSS and the CSS takes the request to the servers in segment B, the return traffic from these servers could hit the client directly (if your server's default gateway is the FWSM segment B interface and source NAT is not configured on the CSS).

Syed Iftekhar Ahmed (Accepted Solution)

Yes, we found that this is exactly what happens there. The actual server is sitting on another segment and it is sending return traffic to the client directly. Since the reply is coming from a different zone, the firewall simply blocks the traffic.

The server team says that the server requires the client's actual IP address for the server application. Therefore we cannot do NAT on the CSS.

What we have done is to add specific routes on the server for the client subnets pointing back to the CSS, and it worked. The drawback is that there are some clients sitting in the same subnet who need to access the server directly for another application; they simply cannot access the server now, because all the return traffic for this subnet is sent back to the CSS, irrespective of whether it was a direct request or a request via the CSS.
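The behaviour worked out in this thread (a stateful firewall dropping replies that return on a different interface pair than the request, the source-NAT fix, and the static-route fix with its side effect on direct access) can be reproduced with a small model. The following Python is an added illustration written for this page, not configuration or code from Cisco or from anyone in the thread. The addresses, the three-interface topology and the firewall behaviour are constructed assumptions: segment A holds the CSS with VIP 10.1.0.100 and source-NAT address 10.1.0.1, segment B holds the real server 10.2.0.10, and segment C holds the client 10.3.0.5.

```python
"""Model of asymmetric return traffic through a stateful firewall sitting
between a load balancer (CSS), its real servers and the clients.

Constructed topology (an assumption for this example, not from the thread):
  segment A: CSS, VIP 10.1.0.100, source-NAT address 10.1.0.1
  segment B: real web server 10.2.0.10 (default gateway = firewall B side)
  segment C: client 10.3.0.5
The firewall is modelled as FWSM-like: a TCP SYN builds a connection entry
that records the ingress/egress interface pair; later packets are forwarded
only if they match an existing entry on that same interface pair.
"""

from dataclasses import dataclass

VIP, CSS_SNAT, SERVER, CLIENT = "10.1.0.100", "10.1.0.1", "10.2.0.10", "10.3.0.5"
CLIENT_SUBNET = "10.3.0."  # constructed /24 for the client segment


def segment_of(ip):
    """Firewall interface an address sits behind (constructed addressing)."""
    return {"10.1.0.": "A", "10.2.0.": "B", "10.3.0.": "C"}[ip[:7]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool = False


class StatefulFirewall:
    """Connection table keyed by the unordered host pair, remembering the
    interface pair the connection was built on. A non-SYN packet with no
    entry, or one whose path does not match the entry, is dropped."""

    def __init__(self):
        self.conns = {}  # frozenset({a, b}) -> frozenset({in_if, out_if})
        self.drops = []  # (packet, in_if, out_if) of every dropped packet

    def forward(self, pkt, in_if, out_if):
        key = frozenset((pkt.src, pkt.dst))
        path = frozenset((in_if, out_if))
        if pkt.syn and key not in self.conns:
            self.conns[key] = path  # new connection (port 80 permitted by ACL)
            return True
        if self.conns.get(key) == path:
            return True  # established connection, same path as the request
        self.drops.append((pkt, in_if, out_if))
        return False


def request_via_vip(fw, css_snat=False, server_route_to_css=False):
    """True if the client gets a reply from the VIP it contacted."""
    # 1. client -> VIP crosses the firewall from C to A
    if not fw.forward(Packet(CLIENT, VIP, syn=True), "C", "A"):
        return False
    # 2. CSS rewrites the destination to the real server; the source stays the
    #    client's address unless source NAT is configured on the CSS
    src = CSS_SNAT if css_snat else CLIENT
    if not fw.forward(Packet(src, SERVER, syn=True), "A", "B"):
        return False
    # 3. server reply: with SNAT it is addressed to the CSS; without it the
    #    server follows its default gateway, unless a static route for the
    #    client subnet points back to the CSS
    via_css = css_snat or (server_route_to_css and src.startswith(CLIENT_SUBNET))
    out_if = "A" if via_css else segment_of(src)
    if not fw.forward(Packet(SERVER, src), "B", out_if):
        return False  # reply took a different path than the request: dropped
    # 4. CSS restores the VIP as source and returns the reply to the client
    return fw.forward(Packet(VIP, CLIENT), "A", "C")


def request_direct(fw, server_route_to_css=False):
    """Client in C talks to the real server directly, bypassing the VIP."""
    if not fw.forward(Packet(CLIENT, SERVER, syn=True), "C", "B"):
        return False
    # the static route sends every reply for the client subnet to the CSS,
    # whether or not the request came through the VIP
    out_if = "A" if server_route_to_css else "C"
    return fw.forward(Packet(SERVER, CLIENT), "B", out_if)


def scenarios():
    """Outcome of each configuration discussed in the thread."""
    return {
        "vip, no fix": request_via_vip(StatefulFirewall()),
        "vip, snat on css": request_via_vip(StatefulFirewall(), css_snat=True),
        "vip, server route to css": request_via_vip(StatefulFirewall(), server_route_to_css=True),
        "direct, no route": request_direct(StatefulFirewall()),
        "direct, server route to css": request_direct(StatefulFirewall(), server_route_to_css=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30s} {'works' if ok else 'FAILS'}")
```

Running it shows the request through the VIP failing with no fix (the reply arrives on B and would leave on C, but the connection was built A to B), succeeding with either source NAT on the CSS or the static route on the server, and the static route in turn breaking direct access from the client subnet, which is exactly the trade-off the last reply describes. Inspecting `fw.drops` after a failed run shows which packet the firewall discarded and on which interface pair.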
