CSS, PIX and NAT question

ptrigueira · ‎07-01-2002

Hi,

Please advise.... i have one CSS11051, one acess router and a PIX.

Where should the CSS be, in the DMZ or inside ?!?!

His there any problem configuring NAT in the PIX towards the CSS

What should be the architecture, because all the examples available don't mention it ?!?

Thanks,

PT

lynchp · ‎07-01-2002

Hi,

You need to look at your security policy for this. My advise would be that if you are load balancing public web servers then the CSS and web servers should be placed on the DMZ. This is standard practice for any firewall installation.

From an operational point of the VIP (Virtual IP Addresses) of the CSS can be natted, packet filtered without an issue but this can be a problem if the application you are trying to load balance has issues. If it is just web servers you are load balancing then generally there is not problem.

ptrigueira · ‎07-02-2002

...not even.. fot now the css is only front-ending for the web servers and providing services for them

isn't it redundant to have nat on the pix and then pseudo-nat (vip translation) on the css ????

advice thks

lynchp · ‎07-02-2002

It is not a question of nat but a question of security. The CSS is not a firewall and if you have a PIX you should use it for packet filtering to enhance the security of the CSS and the web servers.