Cisco Support Community
New Member

CSS11506 - Moving backend web servers behind firewall

Again, another newbie CSS question. Now that I have the CSS terminating both SSL connections for my backend web servers, is it possible to move the servers off the same subnet as the CSS (public zone) and back into my production LAN, which is behind another PIX interface? Not sure how I could do this, as so far I can only make my setup work when the web servers are connected to the CSS11506 switch module.

Looking for best practice suggestions here.

Any help is appreciated.



Cisco Employee

Re: CSS11506 - Moving backend web servers behind firewall


You can.

However, you have to guarantee that the response from the server to the client goes through the CSS. The client is normally talking to the VIP and not to the server, so the CSS needs to see the traffic to NAT the server IP into the VIP.

If the CSS is in a DMZ and the server is on the inside, chances are the server will respond directly to the client, breaking the setup.

You can force the CSS to do client NAT using a source group. This will guarantee that all responses go back to the CSS.

But your server log will show only connections from the CSS.

Another solution is to put the CSS on the inside as well with the servers.

Or to place it on the outside, between the firewall and the gateway, but it will be subject to attack.
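Added configuration example, not from the thread: a minimal CSS 11500 setup in which the content rule load balances the VIP across two servers on the inside, and a source group with `add destination service` rewrites the client source address to the VIP so the servers always reply through the CSS. The addresses, names and interface layout are assumptions for illustration.

```text
! --- Constructed example (not the poster's config) ---
! CSS sits in the DMZ; web1/web2 live on the inside LAN
! behind the PIX, reachable by routing from the CSS.
service web1
  ip address 10.10.20.11        ! assumed inside address
  port 443
  keepalive type tcp
  active

service web2
  ip address 10.10.20.12        ! assumed inside address
  port 443
  keepalive type tcp
  active

owner webfarm
  content https_vip
    vip address 192.0.2.100     ! assumed public VIP
    protocol tcp
    port 443
    add service web1
    add service web2
    active

! Source group: traffic destined to web1/web2 leaves the CSS
! with source = 192.0.2.100, so the servers' default route back
! through the PIX returns replies to the CSS, not to the client.
group client_nat
  vip address 192.0.2.100
  add destination service web1
  add destination service web2
  active
```

Without the `client_nat` group the servers would see the real client address and reply straight out through the PIX, and the client would drop a reply sourced from 10.10.20.x instead of the VIP. The trade-off noted in the thread still applies: with the source group active the server logs record 192.0.2.100 as the client for every request.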


New Member

Re: CSS11506 - Moving backend web servers behind firewall

Thanks Gilles, I ended up using the source group approach. That seems to work fine. I don't think the web server logs are an issue at this point.

Thanks again.

