Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IIS Logs display CSS11501 IP address instead of external source IP address.

Unanswered Question
Nov 20th, 2006
User Badges:


Basic configuration, everything on VLAN1. Servers in web farm are logging attacks, etc. Source IP address all show the CSS instead of the originating IP address coming from the outside.

What do I need to add/change to allow servers to see the actual IPs from the outside?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Tue, 11/21/2006 - 01:26
User Badges:
  • Cisco Employee,

is the CSS really inline between FW and servers ?

or is more like a one-armed scenario

FW----+------- CSS


..... servers

If you look in your config you must have the following commands :


vip x.x.x.x

add destination server



This is what tells the CSS to do client.

It is required if you do not have the servers behing the CSS or if you did not make the CSS the default gateway for the servers.

The CSS is a stateful device like a firewall and it requires to see all the packets of a connection - both ways.

The client nat that you have, is the simplest solution to implement but the drawback is that the server only see 1 client - the CSS.

So, up to you to adjust your design to guarantee that the server response goes back to the CSS without client nat.


twinfield Tue, 11/21/2006 - 09:52
User Badges:

Yes, inline configuration. FW connects to L2 switch crossed over to CSS, Servers are connected to CSS ports directly. However the servers Default Gateway is the FW not the CSS, that is what I believe I need to change in order for it to work, is that correct, or is there something else?


circuit VLAN1

ip address x.x.x.x x.x.x.x

owner xyz

address "xyz"

content rule.100.https

protocol tcp

port 443

url "/*"

add service serv.1.https weight 1

add service serv.2.https weight 2

add service serv.3.https weight 3

vip address x.x.x.100

application ssl

advanced-balance ssl


sticky-inact-timeout 15

dnsbalance roundrobin

balance srcip


group source.100

vip address x.x.x.100

add destination service serv.1.https

add destination service serv.2.https

add destination service serv.3.https


Gilles Dufour Tue, 11/21/2006 - 23:18
User Badges:
  • Cisco Employee,

if the servers are really inline and all traffic needs to go accross the CSS to reach the firewall, you can safely "suspend" the group and everything should work.

No need to change the default-gateway on the servers.



This Discussion