×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

PIX balancing with CSMs on both ends...

Unanswered Question
Jan 16th, 2004
User Badges:

I'm preparing configurations for CSM oriented solution. Now i'm testing PIX load balancing using CSM. For simplisity there is situation like in:


Configuring Regular Firewall Load Balancing, page 5-17


where we got:


Internet -> [email protected] -> PIXes -> [email protected] -> DMZs

where DMZs could be internet users, intranet with FW-1 and so on.


I had configuration exactly as in mentioned document:


cat6509 (Internet side):

module ContentSwitchingModule 5

vlan 100 client

ip address 100.0.0.25 255.255.255.0

gateway 100.0.0.13

!

vlan 101 server

ip address 100.0.0.25 255.255.255.0

alias 100.0.0.20 255.255.255.0

!

serverfarm FORWARD-SF

no nat server

no nat client

predictor forward

!

serverfarm INSEC-SF

no nat server

no nat client

predictor hash address source

real 100.0.0.3

inservice

real 100.0.0.4

inservice

!

vserver FORWARD-VS

virtual 0.0.0.0 0.0.0.0 any

vlan 101

serverfarm FORWARD-SF

persistent rebalance

inservice

!

vserver INSEC-VS

virtual 200.0.0.0 255.255.255.0 any

vlan 100

serverfarm INSEC-SF

persistent rebalance

inservice

!

[..]

interface Vlan100

ip address 100.0.0.13 255.255.255.0

!

ip route 10.0.0.0 255.0.0.0 100.0.0.20

ip route 200.0.0.0 255.0.0.0 100.0.0.20

[..]


cat6509:DMZs/intRAnet side:

module ContentSwitchingModule 5

vlan 201 server

ip address 200.0.0.26 255.255.255.0

alias 200.0.0.20 255.255.255.0

!

vlan 20 server

ip address 10.1.0.26 255.255.255.0

!

vlan 200 client

ip address 200.0.0.26 255.255.255.0

!

serverfarm GENERIC-SF

nat server

no nat client

real 10.1.0.66

inservice

!

serverfarm SEC-SF

no nat server

no nat client

predictor hash address destination

real 200.0.0.3

inservice

real 200.0.0.4

inservice

!

vserver GENERIC-VS

virtual 200.0.0.127 tcp 0

vlan 201

serverfarm GENERIC-SF

persistent rebalance

inservice

!

vserver SEC-20-VS

virtual 200.0.0.0 255.255.255.0 any

vlan 20

serverfarm SEC-SF

persistent rebalance

inservice

!

vserver SEC-200-VS

virtual 200.0.0.0 255.255.255.0 any

serverfarm SEC-SF

persistent rebalance

inservice

!


VLANs:

100 - Internet

101 - PIX Outisdes

201 - PIX Insides

200 - sample DMZ with users..

20 - sample DMZ with servers


Internet need access to [email protected]

Hosts from VLAN 200 and VL 20 need access to Internet

Trafice beetwen DMZs need to be allowed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Fri, 01/16/2004 - 05:39
User Badges:
  • Cisco Employee,

I see one problem already.

Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.

Your MSFC probably can't ping 100.0.0.20


You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.


Also, the 2nd CSM does not have a serverfarm FORWARD.

You will need one normally to forward traffic to your local subnet without loadbalancing.

[what you configured is possible but I'm not sure this is the result you are expecting]


Regards,


Gilles.

Actions

This Discussion