ASA/ACE/GSS High-level design ideas

Unanswered Question
Mar 27th, 2009
User Badges:

I'm deploying an HA ASA primary / standby with 1 GSS and ACE in primary and standby at DC 1 and the same at DC 2.

Before I get to deep into the technology here is a basic layout of the network

Two Layer 2 switches with servers dual homed between each layer 2 switch.

The switches are cross connected with ether-channel, running spanning tree 802.1w primary root and secondary root defined on them and the servers are running network bonding software.

The network will have two Cisco ASA firewalls one running primary and the other standby mode.

One GSS devices and two Cisco ASA running primary and standby for server load balancing of the website.

I would like some ideas on how to physical connect the devices.

My first design is as such

1. GSS on the public internet side

2. Cisco ASA with three interfaces outside / inside / DMZ

3. ACE with two interfaces on the inside network and on the DMZ network

4. Servers hosted on the DMZ network

5. ACE inside network interface used for management

6. ACE DMZ network interface used for incoming load balancing

First question

Can we improve on the design idea above for more efficient use but keeping things simple?

How does GSS communicate with ACE? Do I need to place another GSS interface on the DMZ side or the internal side?

Do I keep GSS on the internal network and publish the required protocols for external DNS communication and communicate to the other GSS over the ASA?

What will be the servers default gateway? The ACE or the ASA, I believe the ACE

Thanks a lot for everyone's contribution


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Syed Iftekhar Ahmed Thu, 04/02/2009 - 23:27
User Badges:
  • Blue, 1500 points or more

You can do the following

GSS & ASA's WAN interfaces in one Vlan,

ASA's Inside & ACE outside Interface in another Vlan

ACE inside & Servers in the 3rd Vlan.

A seperate management Vlan for ACE,ASA management.

GSS simply sends probe to ACE to check the VIP's availability. Traffic from GSS to ACE depends on the probe configured on GSS. If you are using http probe on GSS then you need to make sure that http is allowed between GSS & ACE.

If you are using one GSS only then you can use it behind Firewall. If you have a GSS network (multiple GSSs where one GSS acts as GSSM primary) then all Inter-GSS communication uses the IP configured on GSS, as a result you cannot put GSS behind a NAT device.

If you are using ACE in routing mode then ACE will be the default Gateway, If ACE will be used in Bridged mode then ASA will the default gateway on servers.


Syed Iftekhar Ahmed

juan-ruiz Fri, 04/03/2009 - 09:21
User Badges:

Syed Iftekhar Ahmed,

Thank you very much for your response.

Just to clarify I will be using two GSS one in a west coast data-center

And the other in an east coast data center

I will want to use both data-centers as an active active solution and failover to each other.

1. ACE, GSS, and ASA outside interfaces on their own external public VLAN

2. ACE and ASA DMZ interface on the Server VLAN (DMZ)

3. ACE in routing mode so servers use ACE server interface as the default-gateway

4. ASA inside interface and ACE internal interface on the inside VLAN also used for management.


1. Do I create the Network address translations for the Server VIP using the ASA or ACE?

a. If I use the ASA my default route on the ACE will be to use the DMZ interface of the ASA

2. If I use the ACE to create the one to one static mapping (internal ip, public ip) does the ACE have enough firewall capabilities like the ASA or should I use the ASA to create the static mappings and publish the server VIP through the ASA?

3. Will the GSS only have one public interface or will it also have an internal interface?

4. Will the internal interface of the GSS be connected to the DMZ Vlan to probe the servers or will it probe the servers using the public VIP IP

Thanks a lot for your response



Syed Iftekhar Ahmed Fri, 04/03/2009 - 15:23
User Badges:
  • Blue, 1500 points or more


Why would you expose ACE to the internet?

You should have ASA protecting your Application (VIP on ACE).

GSS needs to be internet facing due to CSCea28410 ( Inter-GSS communications breaks when there is a NAT device between them).


1. If you are using ACE in Routed mode then your VIP & real servers will be in different IP subnets (Hence Destination NAT will be performed by ACE). ON ASA you will need to NAT the ACE's VIP.

2. Its not a good idea to expose ACE on Internet.

3. Just One Interface can be used.

(If you want to use one interface for probes & one interface for Inter-GSS communication then its possible too).

4. You dont need to connect GSS to internal Network. GSS can probe the VIP on ACE (just like regular application traffic will access the app)


juan-ruiz Fri, 04/03/2009 - 16:05
User Badges:

I think I got it

Here is my high - level layout

ASA with three interfaces

Inside, outside, and DMZ

I will host the management network on the inside interface for ACE and ASA

I will host the VIP network on a dedicated VLAN

I will host my servers and ACE server interface on the DMZ network

The ACE default gateway will be the ASA DMZ interface

The servers default gateway will be the ACE interface

I will create my NAT on the ASA for the VIP to external internet

The GSS will be on the outside network communicating to the other data-center and probing the public VIP

Again many thanks for your response


This Discussion