07-01-2002 06:14 AM
Hi,
Please advise.... i have one CSS11051, one acess router and a PIX.
Where should the CSS be, in the DMZ or inside ?!?!
His there any problem configuring NAT in the PIX towards the CSS
What should be the architecture, because all the examples available don't mention it ?!?
Thanks,
PT
07-01-2002 02:19 PM
Hi,
You need to look at your security policy for this. My advise would be that if you are load balancing public web servers then the CSS and web servers should be placed on the DMZ. This is standard practice for any firewall installation.
From an operational point of the VIP (Virtual IP Addresses) of the CSS can be natted, packet filtered without an issue but this can be a problem if the application you are trying to load balance has issues. If it is just web servers you are load balancing then generally there is not problem.
07-02-2002 02:31 AM
...not even.. fot now the css is only front-ending for the web servers and providing services for them
isn't it redundant to have nat on the pix and then pseudo-nat (vip translation) on the css ????
advice thks
07-02-2002 02:51 AM
It is not a question of nat but a question of security. The CSS is not a firewall and if you have a PIX you should use it for packet filtering to enhance the security of the CSS and the web servers.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: