11-02-2006 03:34 AM
Hi Guys,
I recently swapped my CSS installation from bridged to routed as I was adding a secondary CSS for redundancy. I have set up NAT using services and groups to allow connection direct to the devices on their old IPs so I don't have to change all the fw nat and rulebase. However I am experiencing problems with backups.
Using source group, does this use PAT rather than static NAT, and if so how can I implement a 1-1 NAT for direct connection to the servers on their old IP addresses?
Sample of config below:
ip route 0.0.0.0 0.0.0.0 x.x.50.66 1
!************************* INTERFACE *************************
interface e7
  isc-port-two
interface e8
  isc-port-one
!************************** CIRCUIT **************************
circuit VLAN10
  description "PHYSICAL_IP_VLAN10"
  ip address x.x.50.79 255.255.255.0
    ip virtual-router 2 priority 90
    ip redundant-interface 2 x.x.50.73
    ip redundant-vip 2 x.x.50.70
    ip redundant-vip 2 x.x.50.76
    ip redundant-vip 2 x.x.50.77
circuit VLAN20
  description "Server VLAN20"
  ip address x.x.200.2 255.255.255.0
    ip virtual-router 3 priority 90
    ip redundant-interface 3 x.x.200.1
    ip critical-service 3 upstrem
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 70
  ssl-server 70 version ssl
  ssl-server 70 vip address x.x.50.70
  ssl-server 70 cipher rsa-with-3des-ede-cbc-sha x.x.50.70 81
  ssl-server 70 unclean-shutdown
  ssl-server 70 rsacert ******
  active
!************************** SERVICE **************************
service Server1
  ip address x.x.200.10
  active
service Server1_TCP444
  string server1444
  ip address x.x.200.10
  protocol tcp
  port 444
  keepalive type tcp
  keepalive frequency 3
  keepalive retryperiod 3
  keepalive port 444
  active
service Server1_TCP80
  string server180
  ip address x.x.200.10
  port 80
  protocol tcp
  keepalive type tcp
  keepalive port 80
  keepalive frequency 3
  keepalive retryperiod 3
  active
service Server2
  ip address x.x.200.11
  active
service Server2_TCP444
  string server2444
  ip address x.x.200.11
  protocol tcp
  port 444
  keepalive type tcp
  keepalive port 444
  keepalive frequency 3
  keepalive retryperiod 3
  active
service Server2_TCP80
  ip address x.x.200.11
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  keepalive frequency 3
  keepalive retryperiod 3
  string server280
  active
service ssl_serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active
service upstrem
  ip address x.x.50.66
  active
owner *****
  content HS_443
    vip address x.x.50.70
    protocol tcp
    port 443
    add service ssl_serv1
    application ssl
    active
  content HS_80
    vip address x.x.50.70
    url "/*"
    protocol tcp
    port 80
    advanced-balance arrowpoint-cookie
    add service Server1_TCP80
    add service Server2_TCP80
    active
  content HS_SSL
    vip address x.x.50.70
    add service Server1_TCP444
    add service Server2_TCP444
    advanced-balance arrowpoint-cookie
    protocol tcp
    port 81
    url "/*"
    active
  content Server1
    vip address x.x.50.76
    add service Server1
    active
  content Server2
    vip address x.x.50.77
    add service Server2
    active
group server1
  add service Server1
  vip address x.x.50.76
  active
group server2
  vip address x.x.50.77
  add service Server2
  active
11-02-2006 06:54 AM
The group is to NAT traffic sourced by the server.
So, if you want to open a connection to x.x.50.76 and x.x.50.76 you need to configure a content rule:
content Server1
  vip address x.x.50.76
  add service Server1
  active
!
CSS does PAT all the time.
Gilles.
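Added example, not code from the thread or from Cisco: a small audit script that reads a CSS-style config and reports, for each real server address, which VIPs accept connections to it (content rules) and which VIP its own outbound connections are PAT'ed to (groups), then flags servers that have one without the other. It assumes only the line-oriented syntax visible in the post (`service` / `content` / `group` blocks with `ip address`, `vip address` and `add service` sub-lines); the embedded sample is constructed from the posted config, with an `example` owner plus `Server3` (group only) and `Server4` (content rule only) added to show the two gaps.

```python
"""Audit which VIP reaches each real server (content rule) and which VIP the
server's own outbound connections are PAT'ed to (group) in a Cisco CSS config.

Added example for this thread, not the poster's or Cisco's code.  Assumes only
the line-oriented syntax visible in the post: service / content / group blocks
with 'ip address', 'vip address' and 'add service' sub-lines."""
from collections import defaultdict

# Constructed sample modelled on the posted config (x.x prefixes kept).  Server3
# (group only) and Server4 (content rule only) are added to show the two gaps.
SAMPLE_CONFIG = """\
service Server1
  ip address x.x.200.10
  active
service Server1_TCP80
  ip address x.x.200.10
  port 80
  active
service Server3
  ip address x.x.200.12
  active
service Server4
  ip address x.x.200.13
  active
owner example
  content HS_80
    vip address x.x.50.70
    add service Server1_TCP80
    active
  content Server1
    vip address x.x.50.76
    add service Server1
    active
  content Server4
    vip address x.x.50.80
    add service Server4
    active
group server1
  add service Server1
  vip address x.x.50.76
  active
group server3
  vip address x.x.50.78
  add service Server3
  active
"""


def parse_css_config(text):
    """Collect service IPs plus the VIP and member services of each content rule and group."""
    cfg = {"service": {}, "content": {}, "group": {}}
    current = None  # (kind, name) of the block being read
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue  # blank line or '!' comment banner
        if len(parts) == 2 and parts[0] in cfg:
            kind, name = current = tuple(parts)
            cfg[kind][name] = None if kind == "service" else {"vip": None, "services": []}
        elif len(parts) == 2 and parts[0] in ("owner", "circuit", "interface", "ssl-proxy-list"):
            current = None  # block types this audit does not need
        elif current is not None:
            kind, name = current
            if kind == "service" and parts[:2] == ["ip", "address"]:
                cfg[kind][name] = parts[2]
            elif kind != "service" and parts[:2] == ["vip", "address"]:
                cfg[kind][name]["vip"] = parts[2]
            elif kind != "service" and parts[:2] == ["add", "service"]:
                cfg[kind][name]["services"].append(parts[2])
    return cfg


def audit_nat_coverage(cfg):
    """Per real server IP: inbound VIPs (content rules) vs. the source VIP its own
    traffic is PAT'ed to (group); return the map and a list of (ip, issue) gaps."""
    by_ip = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for kind, key in (("content", "inbound"), ("group", "outbound")):
        for block in cfg[kind].values():
            for svc in block["services"]:
                ip = cfg["service"].get(svc)
                if ip and block["vip"]:
                    by_ip[ip][key].add(block["vip"])
    findings = []
    for ip, m in sorted(by_ip.items()):
        if not m["inbound"]:  # no VIP accepts connections to this server
            findings.append((ip, "no-content-rule"))
        if not m["outbound"]:  # server-initiated traffic (e.g. backups) is not PAT'ed to a VIP
            findings.append((ip, "no-group"))
        elif m["inbound"] and not m["outbound"] <= m["inbound"]:
            findings.append((ip, "source-vip-not-inbound-vip"))  # reached on one address, sources from another
    return {ip: {k: sorted(v) for k, v in m.items()} for ip, m in by_ip.items()}, findings


if __name__ == "__main__":
    mapping, findings = audit_nat_coverage(parse_css_config(SAMPLE_CONFIG))
    for ip, m in sorted(mapping.items()):
        print(f"{ip}: inbound VIPs {m['inbound']}  outbound source VIP {m['outbound']}")
    for ip, issue in findings:
        print(f"WARNING {ip}: {issue}")
```

Run against the sample, Server1 shows the normal picture (reachable on the shared VIP .70 and the dedicated .76, sourcing from .76), Server3 is flagged because a group alone gives it an outbound source address but no content rule to accept inbound connections, and Server4 is flagged because with no group its own connections are not PAT'ed to a VIP at all. Feeding the script the output of `show running-config` from both CSS units is a quick way to confirm that the dedicated VIP for each server appears in both a content rule and a group before relying on it for backups.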