Cisco Support Community

New Member

CSS11501/3 GSLB/SSL-Term with servers using alt gateway

Is it really required to have servers connected directly to the CSS with the CSS VIP(s) as their gateways? Can we not simply configure our ASA for static-NAT to the VIPs on the CSS, with the servers using the ASA DMZ int as their gateway? What do we lose if we do this?

4 REPLIES
Cisco Employee

Re: CSS11501/3 GSLB/SSL-Term with servers using alt gateway

It is indeed not required to use the CSS as default gateway for your server.

But since the CSS is a stateful device it needs to see both flows of a connection.

So, you need to guarantee that the server response goes back to the CSS.

If not using the CSS as a default gateway for the servers, you then need either policy routing or client NAT on the CSS.

If going for client NAT, your servers only see connections from a single IP address.

So no more statistics and no way for the server to know the real client from the source IP address.

Gilles.

New Member

Re: CSS11501/3 GSLB/SSL-Term with servers using alt gateway

I hadn't thought of losing state - that may be a reason not to try doing it "our way". If we continue this way, though, you're referring to running policy maps on the actual gateway, correct?

Thanks for your reply!

New Member

Re: CSS11501/3 GSLB/SSL-Term with servers using alt gateway

In further thinking on this, perhaps we will stick with servers attached to the CSS. Our primary concern is that we can use the ASA on the perimeter and place the CSS in the DMZ (static NATs to the VIPs), with the servers behind the entire framework. So, in essence we would have a real of 10.0.0.10, for example, NAT it at the ASA to 172.16.0.10 (VIP on CSS) in the DMZ, with servers on 172.16.0.x. We don't want a scenario where we're placing the CSS either in front of or parallel to the ASAs.

Make sense?

New Member

Re: CSS11501/3 GSLB/SSL-Term with servers using alt gateway

I forgot to add that our primary interest in GSLB is to provide a VIP to "the world" while we're moving data centers. The goal would be to have www.abccompany.com resolve to a VIP in data center X, which would direct to either servers in X, or servers in data center Y. So, once our new servers in Y are online, we would simply take servers in X out of service, and change DNS for the VIP to be resolved to Y. And, we want the CSS in the DMZ the entire time.
