Cisco Support Community
New Member

Firewall Load Balancing with CSS 11503

We are trying to figure out if it is possible to port forward traffic from the Internet to a CSS content rule and have it load balance across a set of services without a default gateway.

Here is what we have:

    Internet
       |
       |
    RouterA
    (Port forward SMTP from public IP to private IP VIP address on CSS)
       |
       |  Internal Network A
       |
    FirewallA
       |
       |  Internal Network B
       |
    11503CSS
       |
       |  SMTP VIP on Internal Network C
       |
       +SMTPServiceA
       |
       +SMTPServiceB

Because the source IP is a public IP, we seem to only be able to make this work by configuring a global IP route of 0.0.0.0 0.0.0.0 to the Internal Network B IP on FirewallA.

Although it does work, we want to add another FirewallB for just HTTP traffic to be port forwarded to a different VIP; i.e. we want SMTP traffic through one firewall, and HTTP traffic through a different one. Now I have two paths to maintain a session. Can the CSS support this type of configuration? Is there a better way? (We tried firewall load balancing the first time around, but were unable to get it to allow different protocols to go through different firewalls.)

Thanks!

- John

Accepted Solutions
Cisco Employee

Re: Firewall Load Balancing with CSS 11503

You can configure 2 default routes on the CSS; it will select the appropriate one automatically based on where the request came from.

So, if your HTTP traffic comes in from firewall-B, the CSS will send the response to firewall-B.

Gilles.
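
The behaviour described in the answer above, as a small model (an added example, not part of the original post and not Cisco's implementation): the load balancer records the next hop each client flow arrived from and sends the reply back the same way, which is what keeps a stateful firewall's session table consistent. All addresses, class names and function names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed next-hop addresses on Internal Network B (not from the thread).
FIREWALL_A = "10.0.2.1"  # path used for SMTP
FIREWALL_B = "10.0.2.2"  # path used for HTTP

@dataclass
class StatefulFirewall:
    """Passes a reply only if it forwarded the matching inbound request."""
    sessions: set = field(default_factory=set)

    def forward_inbound(self, flow):
        self.sessions.add(flow)

    def accepts_reply(self, flow):
        return flow in self.sessions

@dataclass
class LoadBalancer:
    """Has two 0.0.0.0/0 routes and remembers each flow's ingress next hop."""
    default_routes: tuple
    flows: dict = field(default_factory=dict)

    def receive_request(self, flow, ingress_next_hop):
        if ingress_next_hop not in self.default_routes:
            raise ValueError("no default route via this next hop")
        self.flows[flow] = ingress_next_hop

    def reply_next_hop(self, flow):
        # Reply goes back to the gateway the request came from.
        return self.flows[flow]

def simulate():
    """Return {vip_port: (reply_hop, same_fw_accepts, other_fw_accepts)}."""
    fws = {FIREWALL_A: StatefulFirewall(), FIREWALL_B: StatefulFirewall()}
    lb = LoadBalancer(default_routes=(FIREWALL_A, FIREWALL_B))
    # flow = (client_ip, client_port, vip, vip_port); constructed sample flows
    smtp = ("198.51.100.7", 40001, "10.0.3.100", 25)
    http = ("203.0.113.9", 40002, "10.0.3.101", 80)
    results = {}
    for flow, gw in ((smtp, FIREWALL_A), (http, FIREWALL_B)):
        fws[gw].forward_inbound(flow)      # firewall creates session state
        lb.receive_request(flow, gw)       # load balancer records ingress path
        hop = lb.reply_next_hop(flow)
        other = FIREWALL_B if gw == FIREWALL_A else FIREWALL_A
        results[flow[3]] = (hop, fws[hop].accepts_reply(flow),
                            fws[other].accepts_reply(flow))
    return results

if __name__ == "__main__":
    for port, outcome in simulate().items():
        print(port, outcome)
```

The third value in each result shows why the return path matters: the firewall that never saw the request has no session for the reply.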

New Member

Re: Firewall Load Balancing with CSS 11503

Gilles,

Wow, that works! However, I don't understand how or why it works. Seems like there are now two paths to the same network.

On a related note, with multiple default gateways on the CSS, how could I direct all outbound traffic that originates from the servers to a single default gateway? Does the CSS just round robin outbound traffic across equal cost paths?

Thank you for your help.

- John
