CSS - unable to connect to destination servers in same subnet

Unanswered Question
Aug 2nd, 2009
User Badges:

I have a frontend subnet 10.2.2.0/24 (has the VIP's) and backend subnet 10.1.1.0/24 (contains the physical servers)


VIP Address for WEB service is 10.2.2.4 (in the frontend subnet)


The destinations are 10.1.1.70, 71, 72 (on the backend subnet)


The source server is 10.1.1.200



External servers can connect to 10.2.2.4 fine and see the traffic as from that ip only.


However when the source server IP is in the same subnet as the destination servers is unable to connect to the VIP.

It will send the initial syn packet to 10.2.2.4, but recieves back a packet from the IP of the destination servers (ie 10.1.1.70, 71, 72)

Because this packet doesn't match the original request it fails to connect.



I tried adding a Group with the VIP and same destination service - but this forces all connections to the destination services to look like they are coming from the VIP Address of

10.2.2.4, I want the services to see it coming from the original ip only.


group WEB

vip address 10.2.2.4

add destination service WEB-01

add destination service WEB-02

add destination service WEB-03



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Mon, 08/03/2009 - 02:01
User Badges:
  • Cisco Employee,

you can creat an acl to apply the group only to those devices who need to be nated.


group WEB

vip address 10.2.2.4

active


acl 1

clause 10 permit any host 10.1.1.200 destination content

clause 99 permit any any destination any

apply circuit-VLANXXX


Gilles.

Actions

This Discussion