Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
0
Helpful
1
Replies

PIX balancing with CSMs on both ends...

aobszynski
Level 1
Level 1

‎01-16-2004 04:53 AM

I'm preparing configurations for CSM oriented solution. Now i'm testing PIX load balancing using CSM. For simplisity there is situation like in:

Configuring Regular Firewall Load Balancing, page 5-17

where we got:

Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs

where DMZs could be internet users, intranet with FW-1 and so on.

I had configuration exactly as in mentioned document:

cat6509 (Internet side):

module ContentSwitchingModule 5

vlan 100 client

ip address 100.0.0.25 255.255.255.0

gateway 100.0.0.13

!

vlan 101 server

ip address 100.0.0.25 255.255.255.0

alias 100.0.0.20 255.255.255.0

!

serverfarm FORWARD-SF

no nat server

no nat client

predictor forward

!

serverfarm INSEC-SF

no nat server

no nat client

predictor hash address source

real 100.0.0.3

inservice

real 100.0.0.4

inservice

!

vserver FORWARD-VS

virtual 0.0.0.0 0.0.0.0 any

vlan 101

serverfarm FORWARD-SF

persistent rebalance

inservice

!

vserver INSEC-VS

virtual 200.0.0.0 255.255.255.0 any

vlan 100

serverfarm INSEC-SF

persistent rebalance

inservice

!

[..]

interface Vlan100

ip address 100.0.0.13 255.255.255.0

!

ip route 10.0.0.0 255.0.0.0 100.0.0.20

ip route 200.0.0.0 255.0.0.0 100.0.0.20

[..]

cat6509:DMZs/intRAnet side:

module ContentSwitchingModule 5

vlan 201 server

ip address 200.0.0.26 255.255.255.0

alias 200.0.0.20 255.255.255.0

!

vlan 20 server

ip address 10.1.0.26 255.255.255.0

!

vlan 200 client

ip address 200.0.0.26 255.255.255.0

!

serverfarm GENERIC-SF

nat server

no nat client

real 10.1.0.66

inservice

!

serverfarm SEC-SF

no nat server

no nat client

predictor hash address destination

real 200.0.0.3

inservice

real 200.0.0.4

inservice

!

vserver GENERIC-VS

virtual 200.0.0.127 tcp 0

vlan 201

serverfarm GENERIC-SF

persistent rebalance

inservice

!

vserver SEC-20-VS

virtual 200.0.0.0 255.255.255.0 any

vlan 20

serverfarm SEC-SF

persistent rebalance

inservice

!

vserver SEC-200-VS

virtual 200.0.0.0 255.255.255.0 any

serverfarm SEC-SF

persistent rebalance

inservice

!

VLANs:

100 - Internet

101 - PIX Outisdes

201 - PIX Insides

200 - sample DMZ with users..

20 - sample DMZ with servers

Internet need access to servers@VLAN20

Hosts from VLAN 200 and VL 20 need access to Internet

Trafice beetwen DMZs need to be allowed

Labels:
0 Helpful
1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

‎01-16-2004 05:39 AM

I see one problem already.

Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.

Your MSFC probably can't ping 100.0.0.20

You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.

Also, the 2nd CSM does not have a serverfarm FORWARD.

You will need one normally to forward traffic to your local subnet without loadbalancing.

[what you configured is possible but I'm not sure this is the result you are expecting]

Regards,

Gilles.

0 Helpful
Customers Also Viewed These Support Documents