01-16-2004 04:53 AM
I'm preparing configurations for a CSM-oriented solution. Now I'm testing PIX load balancing using the CSM. For simplicity, there is a situation like the one in:
Configuring Regular Firewall Load Balancing, page 5-17
where we got:
Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
where DMZs could be internet users, intranet with FW-1 and so on.
I had a configuration exactly as in the mentioned document:
cat6509 (Internet side):
module ContentSwitchingModule 5
 vlan 100 client
  ip address 100.0.0.25 255.255.255.0
  gateway 100.0.0.13
 !
 vlan 101 server
  ip address 100.0.0.25 255.255.255.0
  alias 100.0.0.20 255.255.255.0
 !
 serverfarm FORWARD-SF
  no nat server
  no nat client
  predictor forward
 !
 serverfarm INSEC-SF
  no nat server
  no nat client
  predictor hash address source
  real 100.0.0.3
   inservice
  real 100.0.0.4
   inservice
 !
 vserver FORWARD-VS
  virtual 0.0.0.0 0.0.0.0 any
  vlan 101
  serverfarm FORWARD-SF
  persistent rebalance
  inservice
 !
 vserver INSEC-VS
  virtual 200.0.0.0 255.255.255.0 any
  vlan 100
  serverfarm INSEC-SF
  persistent rebalance
  inservice
 !
[..]
interface Vlan100
 ip address 100.0.0.13 255.255.255.0
!
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
[..]
cat6509 (DMZs/intranet side):
module ContentSwitchingModule 5
 vlan 201 server
  ip address 200.0.0.26 255.255.255.0
  alias 200.0.0.20 255.255.255.0
 !
 vlan 20 server
  ip address 10.1.0.26 255.255.255.0
 !
 vlan 200 client
  ip address 200.0.0.26 255.255.255.0
 !
 serverfarm GENERIC-SF
  nat server
  no nat client
  real 10.1.0.66
   inservice
 !
 serverfarm SEC-SF
  no nat server
  no nat client
  predictor hash address destination
  real 200.0.0.3
   inservice
  real 200.0.0.4
   inservice
 !
 vserver GENERIC-VS
  virtual 200.0.0.127 tcp 0
  vlan 201
  serverfarm GENERIC-SF
  persistent rebalance
  inservice
 !
 vserver SEC-20-VS
  virtual 200.0.0.0 255.255.255.0 any
  vlan 20
  serverfarm SEC-SF
  persistent rebalance
  inservice
 !
 vserver SEC-200-VS
  virtual 200.0.0.0 255.255.255.0 any
  serverfarm SEC-SF
  persistent rebalance
  inservice
 !
VLANs:
100 - Internet
101 - PIX outsides
201 - PIX insides
200 - sample DMZ with users
20 - sample DMZ with servers
The Internet needs access to the servers in VLAN 20.
Hosts from VLAN 200 and VLAN 20 need access to the Internet.
Traffic between DMZs needs to be allowed.
01-16-2004 05:39 AM
I see one problem already.
Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
Your MSFC probably can't ping 100.0.0.20
You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
Also, the 2nd CSM does not have a serverfarm FORWARD.
You will need one normally to forward traffic to your local subnet without loadbalancing.
[what you configured is possible but I'm not sure this is the result you are expecting]
Regards,
Gilles.
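As an added illustration of the first problem Gilles describes (this is not code from either poster), a small Python check that parses the Internet-side CSM/MSFC config above and flags static routes whose next hop is a CSM alias living in a VLAN the MSFC does not share with that subnet. The parser and the trimmed config excerpt are constructed for this example:

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpt of the Internet-side CSM/MSFC config posted above.
CONFIG = """\
module ContentSwitchingModule 5
 vlan 100 client
  ip address 100.0.0.25 255.255.255.0
 !
 vlan 101 server
  ip address 100.0.0.25 255.255.255.0
  alias 100.0.0.20 255.255.255.0
 !
interface Vlan100
 ip address 100.0.0.13 255.255.255.0
!
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
"""

def parse(config):
    """Return (alias IP -> CSM vlan, MSFC vlan -> SVI interface, static routes)."""
    aliases, svis, routes = {}, {}, []
    csm_vlan = svi = None  # which block the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+) (?:client|server)", line):
            csm_vlan, svi = int(m[1]), None
        elif m := re.fullmatch(r"interface Vlan(\d+)", line):
            svi, csm_vlan = int(m[1]), None
        elif (m := re.fullmatch(r"alias (\S+) (\S+)", line)) and csm_vlan:
            aliases[m[1]] = csm_vlan
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and svi:
            svis[svi] = ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append(m.groups())
    return aliases, svis, routes

def unreachable_next_hops(config):
    """Static routes whose next hop is a CSM alias in a VLAN the MSFC does not
    ARP on for that subnet: (route, next_hop, alias_vlan, msfc_vlans)."""
    aliases, svis, routes = parse(config)
    findings = []
    for prefix, mask, nh in routes:
        if nh in aliases:
            msfc = [v for v, itf in svis.items() if ip_address(nh) in itf.network]
            if aliases[nh] not in msfc:
                findings.append((f"{prefix} {mask}", nh, aliases[nh], msfc))
    return findings
```

With the posted config both routes are flagged (alias in VLAN 101, MSFC SVI in VLAN 100); adding an alias in VLAN 100 and pointing the routes at it clears the finding.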