CSS 11503 SNAT?

Jul 14th, 2009

I have a subnet that has a Cisco load balancer in it that is in the process of moving. The current subnet is behind a FWSM and has been working for years. The new subnet will be in front of the firewall.

In the current state, the default gateway and default route point to the firewall interface for the existing subnet. The load balancers are in a one-armed configuration. I would like to use the same pair of load balancers on the new subnet.

The load balancers have circuits in both VLANs, but keep using the default route for return traffic for both networks. So, traffic will come in on the new network, get load balanced appropriately, and the return traffic with be routed asymmetrically to the default gateway instead of the local gateway. I can see my firewall blocking the return traffic.

Is there a way to configure the CSS to either use the local gateway or possibly to use Source NAT (without an ACE module) to make the CSS bridge in this manner?

Any help would be appreciated! Thanks in advance!

Jason

jnaglich Wed, 07/15/2009 - 06:22

The 'group' command is for source nat with respect to the servers behind the CSS. I need to do SNAT for incoming requests. I've attached a Visio diagram of what I'm talking about.

David Coupez Wed, 07/15/2009 - 07:23

Group command also allows you to SNAT traffic with respect to the destination instead of source. In this case, it might be a default gw.

I'm also a bit confused by your topology... Anyway, isn't it a bit insecure to bridge behind and above your FW?

jnaglich Wed, 07/15/2009 - 12:58

The hard part is that all the users from various IP Networks will be coming in as the source. I'm not sure how to write the group command to handle this.

As for the topology, it is insecure to be doing things this way, but we're migrating the servers from the screened network to the unscreened one.

David Coupez Thu, 07/23/2009 - 00:08

You can base your SNAT on the destination - add destination service instead of add service - in that case you can match on the providing server, i.e.
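As an added illustration of that answer (not configuration from either poster), here is a minimal one-armed CSS setup in which a source group keyed on the destination service rewrites the client source address to the group VIP, so the server's reply always returns to the CSS instead of following the server's default route toward the firewall. Service names and addresses are constructed placeholders.

```text
! Real server sitting on the new (unscreened) subnet
service web1
  ip address 10.10.20.11
  port 80
  protocol tcp
  keepalive type http
  active

! Content rule: the VIP clients connect to
owner webowner
  content web-vip
    vip address 10.10.20.5
    protocol tcp
    port 80
    add service web1
    active

! Source group matched on the DESTINATION service (add destination service),
! so every client, whatever its source network, is NATed to the group VIP
! when the CSS forwards the request to web1. The server replies to the VIP,
! which lives on the CSS, so the return path never depends on the server's
! default gateway or crosses the FWSM asymmetrically.
group web-snat
  vip address 10.10.20.5
  add destination service web1
  active
```

Using the same address for the group VIP and the content VIP keeps the traffic on the new subnet only; a group with plain add service would instead NAT the servers' outbound connections, which is the case the original poster said does not fit.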
