Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS, PIX and NAT question

Hi,

Please advise.... i have one CSS11051, one acess router and a PIX.

Where should the CSS be, in the DMZ or inside ?!?!

His there any problem configuring NAT in the PIX towards the CSS

What should be the architecture, because all the examples available don't mention it ?!?

Thanks,

PT

3 REPLIES
New Member

Re: CSS, PIX and NAT question

Hi,

You need to look at your security policy for this. My advise would be that if you are load balancing public web servers then the CSS and web servers should be placed on the DMZ. This is standard practice for any firewall installation.

From an operational point of the VIP (Virtual IP Addresses) of the CSS can be natted, packet filtered without an issue but this can be a problem if the application you are trying to load balance has issues. If it is just web servers you are load balancing then generally there is not problem.

New Member

Re: CSS, PIX and NAT question

...not even.. fot now the css is only front-ending for the web servers and providing services for them

isn't it redundant to have nat on the pix and then pseudo-nat (vip translation) on the css ????

advice thks

New Member

Re: CSS, PIX and NAT question

It is not a question of nat but a question of security. The CSS is not a firewall and if you have a PIX you should use it for packet filtering to enhance the security of the CSS and the web servers.

159
Views
0
Helpful
3
Replies
CreatePlease to create content