12-11-2009 05:23 PM
Hi all,
I've got two questions about CSM:
1. I've got this config:
real foo
 address 1.1.1.5
 inservice
real bar
 address 1.1.1.6
 inservice
real foo1
 address 1.1.1.7
 inservice
!
serverfarm S_foo
 nat server
 no nat client
 real foo 53
  inservice
 real bar 53
  inservice
 real foo1 53
  inservice
!
serverfarm ROUTE
 no nat server
 no nat client
 predictor forward
!
vserver V_route
 virtual 1.1.1.0 255.255.255.0 any
 serverfarm ROUTE
 persistent rebalance
 inservice
!
vserver V_foo
 virtual 1.1.1.1 udp dns
 serverfarm S_foo
 idle 4
 persistent rebalance
 inservice
!
vserver V_bar
 virtual 1.1.1.2 udp dns
 serverfarm S_foo
 idle 4
 persistent rebalance
 inservice
Do you see any issue in having a serverfarm and vserver for forwarding the real addresses, and having some VIPs for load balancing, with a different subnet?
What is the order of hits for the CSM? I need to reach the real IPs and also to load balance... do you think I'll have some problem? Do you think it would be better to have a different subnet for the real IPs and the vservers?
2. Sometimes when I query the balanced DNS server (resolver) I can see (checking on a firewall between the CSM and the client; the inside interface is on the CSM side, the outside on the client side) some connections that seem to be generated from 1.1.1.1, 1.1.1.2... It's pretty strange, because all responses from the DNS should be in the conn table of the ASA and not generated from the DNS towards the client. On the firewall I can see an ACL (applied on the inside interface, CSM side) increasing hits (the ACL is permit 1.1.1.1-2 to any). My expectation was to see just the outside ACL increasing hits (client --> DNS through ASA and CSM).
tnx for any response
Dan
12-14-2009 07:19 AM
Dan,
1/ This is ok. You can have multiple VIP subnets.
The CSM does a longest match - so first the /32 and then the /24.
2/ You should configure a very low idle timeout - 4 sec.
Because currently, the CSM will set up flows and keep them for one hour.
Since this is UDP, the connections will stay there, and if the server sends a UDP packet which matches an existing connection, the CSM will assume it belongs to the old connection and forward everything to the firewall, doing NAT with the virtual IP.
Gilles.
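Gilles's two points, as an added toy model that is not part of the thread and not Cisco code: it reproduces the CSM's longest match between the /32 DNS VIPs and the /24 forward vserver from Dan's config, and shows why a packet the real server sends later is still rewritten to the VIP (and so hits the inside ACL on the ASA) while its flow is within the idle timeout, but not once the idle timeout is lowered to 4 seconds. The client address 203.0.113.10 and the round-robin choice of real are assumptions.

```python
import ipaddress

# Constructed from the thread's config: two /32 DNS VIPs that load balance and
# the /24 "predictor forward" vserver that passes traffic to real addresses.
VSERVERS = [
    (ipaddress.ip_network("1.1.1.1/32"), "V_foo", "S_foo"),
    (ipaddress.ip_network("1.1.1.2/32"), "V_bar", "S_foo"),
    (ipaddress.ip_network("1.1.1.0/24"), "V_route", "ROUTE"),
]
REALS = ["1.1.1.5", "1.1.1.6", "1.1.1.7"]  # serverfarm S_foo members

def match_vserver(dst_ip):
    """Longest-prefix match: a /32 VIP wins over the /24 forward vserver."""
    best = None
    for net, name, farm in VSERVERS:
        if ipaddress.ip_address(dst_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name, farm)
    return best

class Csm:
    """Toy model of the CSM flow table (assumed, not Cisco code). Flows are
    keyed on (real_ip, client_ip, client_port) and hold [vip, last_seen]."""
    def __init__(self, idle_seconds):
        self.idle = idle_seconds
        self.flows = {}
        self.rr = 0  # assumed round-robin index into REALS

    def client_to_vip(self, now, client_ip, client_port, dst_ip):
        """Return the address the packet is delivered to; record the flow."""
        _net, _name, farm = match_vserver(dst_ip)
        if farm == "ROUTE":
            return dst_ip  # no nat server: reaches the real address unchanged
        real = REALS[self.rr % len(REALS)]
        self.rr += 1
        self.flows[(real, client_ip, client_port)] = [dst_ip, now]
        return real

    def server_to_client(self, now, real_ip, client_ip, client_port):
        """Source address the firewall sees for a packet the real server sends:
        the VIP while a matching flow is within the idle timeout, else the real IP."""
        key = (real_ip, client_ip, client_port)
        flow = self.flows.get(key)
        if flow and now - flow[1] <= self.idle:
            flow[1] = now
            return flow[0]
        self.flows.pop(key, None)
        return real_ip
```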
12-11-2009 06:05 PM
On a CSS I would recommend implementing some sort of source group rule if your DNS servers are replying directly back to the client. I've never used a CSM, but I would imagine you would want to NAT the source address of the client so that your DNS servers will reply back through the CSM and then back out to the clients.
Consider this existing serverfarm:
serverfarm S_foo
 nat server
 no nat client
 real foo 53
  inservice
 real bar 53
  inservice
 real foo1 53
  inservice
You can create a NAT pool consisting of one or more IPs, and use that to NAT incoming client traffic:
natpool MY_POOL 1.1.1.254 1.1.1.254 netmask 255.255.255.0
serverfarm S_foo
 nat server
 nat client MY_POOL
 real foo 53
  inservice
 real bar 53
  inservice
 real foo1 53
  inservice
All incoming requests to your DNS servers would appear to come from 1.1.1.254, and the DNS servers would reply to that address. The CSM would then perform NAT to change 1.1.1.254 to the VIP that was originally requested, and the destination IP would be that of the client. On the ASA you would then only see DNS traffic to/from the VIP. 1.1.1.1 and 1.1.1.2 should not be seen unless they initiate outbound traffic.
Hope I'm even close to what you're asking for!
- James
12-11-2009 11:56 PM
Hi James,
Thanks, but I think that is not the answer... because I can reach the DNS server from the real IP address of the client (clients are on the Internet). I need no source group and no src NAT for letting the infrastructure work properly.
I wonder whether a 'forward' serverfarm and a balanced serverfarm can work together without problems if I have the same subnet for both (as I said before, for the balancing SF I've got two /32 and for the forward serverfarm I've got a /24 on the same 1.1.1.0).
And why sometimes I can see traffic beginning from a server in subnet 1.1.1.0 BUT the source is 1.1.1.1 and 1.1.1.2 (the vserver IP addresses), port 53, towards the client on a random port. I can see that the traffic begins from there because it hits an ACL on a firewall on the inside interface (inside interface on the CSM side and outside interface on the Internet side).
tnx
Dan
12-15-2009 12:44 AM
Merci Gilles.
Observe
Dan