
Groups question

wilson_1234_2 (Level 3)

Is the concept of groups to keep the traffic flowing through the VIP address, to the multiple services added to the group?

This way, the connection from the client to the end machine (which ever service the original connection is made) stays intact?

I have seen questions about possible NATing and routing problems with the CSS and load balancing, is this what prevents those problems?

The routing stays through the CSS when groups are configured?

I have also seen FTP configured different ways, with and without the:

application ftp-control

Is that needed as long as groups are configured?

content ftp
  vip address 2.1.1.80
  protocol tcp
  port 21
  application ftp-control
  add service MCI-FTP1
  add service MCI-FTP2

group ftp-group
  vip address 2.1.1.80
  add destination service MCI-FTP1
  add destination service MCI-FTP2

21 Replies

RODRGUTI (Level 1)

Hello Wilson,

Is the concept of groups to keep the traffic flowing through the VIP address, to the multiple services added to the group?

R/ The purpose of the groups is to NAT the incoming or the outgoing traffic; the most common is to use 'add destination service' in order to NAT the incoming traffic (if you have the VIPs and the servers on the same VLAN), which is used in order to avoid asymmetric flows.

With add destination the CSS will use the VIP address that you specified as the source IP address of the packets, so the server will think that the CSS is the client, and it will always respond back to the CSS.

The add service will NAT the outgoing connections; this means when the servers are the ones that initiate the connections.

This way, the connection from the client to the end machine (which ever service the original connection is made) stays intact?

R/ The group will NAT the incoming or the outgoing traffic.

I have seen questions about possible NATing and routing problems with the CSS and load balancing, is this what prevents those problems?

R/ Yep, as I explained above, the group with add destination is used in order to avoid asymmetric flows; if the server is able to respond directly or use a different route to send the packets back to the client, that will break the TCP connection, since the client opened the connection with the VIP address.

The routing stays through the CSS when groups are configured?

R/ Yep, but depending on the setup or how your network is designed, we don't need to use the groups.

I have also seen FTP configured different ways with and without the:

application ftp-control

Is that needed as long as groups are configured?

R/ The application ftp-control is required to let the CSS know it is FTP traffic. Also, since we need to specify port 21, which is used for the control connection, if you are balancing passive FTP that means that the user will also open the data connection, which will come with a different port; the application ftp-control will let that connection pass through the same content rule that we have with port 21.

Now, if you are balancing active FTP, that means that the server will open the data connection; in this case we need to NAT the outgoing traffic (add service under the group). Since the user opened the connection to the VIP, we need to NAT the data connection that is being generated by the server using the VIP address of the FTP content rule, because if not, the user will drop the packets.

We can have just one group with add destination or add service at a time, so if you need to balance active FTP, you will need to configure a group with add service, and configure an ACL in order to NAT the incoming traffic (like add destination does).

Hope this helps.

-Rodrigo

Thanks for the excellent answers Rodrigo,

I have a CSS configured with the below; are you saying I only need the group?

And can you give an example of the ACL needed?

!************************** SERVICE **************************
service FTP-dr
  ip address 2.1.1.79
  protocol tcp
  port 21

service FTP
  ip address 2.1.1.78
  protocol tcp
  port 21

!************************** OWNER **************************
owner ftp
  content ftp
    vip address 2.1.1.80
    application ftp-control
    protocol tcp
    port 21
    add service FTP
    add service FTP-dr

!*************************** GROUP ***************************
group ftp-group
  vip address 2.1.1.80
  add destination service FTP
  add destination service FTP-dr

The reason I am asking this question is that I have a CSS set up to fail over a web connection; the client can redirect a transaction from the server, and the server will go to another server to make the transaction.

When my server makes the transaction, it makes it from the static NAT in the firewall and not the CSS VIP address.

I hear you about the routing, but do not see an explanation anywhere about the proper way to configure that or the ACL you describe.

Rodrigo,

Is the topology supposed to be that everything gets routed through the CSS from the Internet router to the Firewall (if it sits between them)?

It seems that in order for the ACL that you mentioned to always match packets, there should be no way for the destination server to bypass the CSS if it makes a connection to another server, for example, to complete a transaction requested by a client.

Is that the case?

Is there an example of this per your comment:

"you will need to configure a group with add service, and configure an ACL in order to NAT the incoming traffic"

yes, thanks man, I did see that.

I think I am getting what I need to do, I appreciate your input.

It drives me nuts to not understand it exactly. Why is it that the example documentation is never a scenario that is even remotely close to what you are working on?

It turns out I don't need the DNS component.

Did you see the last post in the other thread:

To collect show tech from CSS, use command line "script play showtech".

I know what you mean. Glad you got over the dns hurdle, or no dns hurdle I guess in this case.

I understand the source groups and having the CSS NAT the source address of the client, but the confusion comes in when you have to get the client's request to hit the CSS in the first place, not going directly to the server through the static in your firewall. I think that's what you were talking about; didn't read your whole post.

I did try out the script play showtech and it works fine, thanks for that.

Well, actually this stems from:

I have the groups set up with the "destination service", which according to Gilles:

"We use 'add destination service' when we want to guarantee that the server will send its response back to the CSS and we can't have the routing table adjusted to guarantee this. "

One problem is that we have client requests that hit the server and that works fine, but when the client selects a link to do bill pay, the transaction goes from our server to a remote server.

The remote server sees the transaction as originating from the service address and not the VIP address.

They had to change their Firewall to allow the new source IP address from us.

Not a real problem, but I was wondering if this would be an issue when I set up the FTP VIP and services, or if the topology here is incorrect.

Or the CSS should be configured differently

I have the CSS in between the Firewall and internet router, so the server addresses are already being NATed.

I am also wondering if the CSS should actually be a passthrough for ALL traffic and apply an access-list to hit the services in the CSS and pass everything else.

Where do you go get these questions answered?

"Where do you go get these questions answered?"

-Here, but some go unanswered. Searching through old posts is pretty good too. I'm a CSS newbie, so that usually works better than the actual documentation from cisco.

yeah,

I have been looking through the old posts for several weeks.

It seems that when one question gets answered and you think about the answer, it just brings up three more questions.

They are like tribbles

Wilson,

I refer your lines, "The remote server sees the transaction as originating from the service address and not the VIP address"

This shouldn't be allowed, and it would be a breach of security as well. When the server initiates a connection to the outside world it needs to be SNAT-ed. How can we do this? Create a group config and just add this service under that group, and do NOT use destination service here. The VIP can be the same as the incident VIP, I mean the one used in the content rule. Yes, you can re-use it.

thanks

Thanks for the reply,

Since I have my CSS sitting in the same VLAN (subnet) as the service addresses (static NAT on firewall), which is a one-armed config between the Internet router and firewall, couldn't removing "destination" cause a problem with potential asymmetric flows to the client?

Wilson,

In your case the incoming and outgoing traffic is on the same circuit VLAN on the CSS, aka single armed configuration. Here it is mandatory to use 'destination service'.

Reg the server-initiated outgoing traffic that goes out w/o NAT-ing in your case, you might want to point your server default gateway to the CSS. This way that hits a CSS group and gets SNAT-ed. Otherwise, if it's not a security issue, you can let them go straight hitting the FW, which does the NAT-ing for you as of now.

thanks
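Added example, not from the thread or from Cisco: a small config checker that encodes the rules Rodrigo's reply and Kumar's two replies above describe, so that a CSS config dump like Wilson's can be audited before it is deployed. It assumes the flat "service / content / group" text layout seen in this thread, treats the `one_armed` flag and the `outbound_initiators` list as the operator's own statement of the topology (both are parameters I introduce here, not CSS keywords), and flags: a port 21 content rule without `application ftp-control`; in a one-armed layout, a balanced service not covered by any `add destination service` group (asymmetric-flow risk); a group mixing `add destination service` and `add service`; and a service that opens outbound connections with no `add service` group, so it leaves with its real address instead of the VIP (the point Kumar raised). The ACL that Rodrigo says pairs with an active-FTP `add service` group is only reported as missing, not generated, because its syntax is not shown in the thread.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    kind: str                       # "service", "content" or "group"
    name: str
    lines: list = field(default_factory=list)

BLOCK_RE = re.compile(r"^(service|content|group)\s+(\S+)$")

def parse_css_config(text):
    """Split a flat CSS config dump into service/content/group blocks.
    '!' comment lines and 'owner' headers are skipped."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("owner "):
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = Block(m.group(1), m.group(2))
            blocks.append(current)
        elif current is not None:
            current.lines.append(line)
    return blocks

def lint(text, one_armed=True, outbound_initiators=()):
    """Return a list of finding strings; an empty list means nothing was flagged.
    one_armed / outbound_initiators are hypothetical inputs describing the topology."""
    findings = []
    blocks = parse_css_config(text)
    dest_nat, src_nat = set(), set()
    for g in (b for b in blocks if b.kind == "group"):
        g_dest = {l.split()[3] for l in g.lines if l.startswith("add destination service ")}
        g_src = {l.split()[2] for l in g.lines if l.startswith("add service ")}
        if g_dest and g_src:
            findings.append(f"group {g.name}: mixes 'add destination service' and 'add service' (use one per group)")
        dest_nat |= g_dest
        src_nat |= g_src
    for c in (b for b in blocks if b.kind == "content"):
        if "port 21" in c.lines and "application ftp-control" not in c.lines:
            findings.append(f"content {c.name}: port 21 rule without 'application ftp-control'")
        for svc in (l.split()[2] for l in c.lines if l.startswith("add service ")):
            if one_armed and svc not in dest_nat:
                findings.append(f"content {c.name}: service {svc} is in no 'add destination service' group; replies may bypass the CSS (asymmetric flow)")
    for svc in outbound_initiators:
        if svc not in src_nat:
            findings.append(f"service {svc}: opens outbound connections but no group has 'add service {svc}'; it leaves with its real address, not the VIP; an ACL is also needed per Rodrigo's note")
    return findings

# Wilson's posted configuration, copied from the thread above.
WILSON_CONFIG = """
!****** SERVICE ******
service FTP-dr
  ip address 2.1.1.79
  protocol tcp
  port 21
service FTP
  ip address 2.1.1.78
  protocol tcp
  port 21
!****** OWNER ******
owner ftp
content ftp
  vip address 2.1.1.80
  application ftp-control
  protocol tcp
  port 21
  add service FTP
  add service FTP-dr
!****** GROUP ******
group ftp-group
  vip address 2.1.1.80
  add destination service FTP
  add destination service FTP-dr
"""

# Constructed variant (not from the thread): ftp-control dropped and the
# group rewritten with 'add service' only, as for active FTP.
ACTIVE_FTP_CONFIG = WILSON_CONFIG.replace("  application ftp-control\n", "").replace(
    "add destination service", "add service")

if __name__ == "__main__":
    for name, cfg in (("wilson", WILSON_CONFIG), ("active-ftp", ACTIVE_FTP_CONFIG)):
        print(name)
        for f in lint(cfg, one_armed=True, outbound_initiators=("FTP",)):
            print("  -", f)
```

Run against Wilson's config with `outbound_initiators=("FTP",)` the only finding is the missing `add service` group, which is exactly the bill-pay symptom he described (the remote side seeing the service address rather than the VIP); the constructed active-FTP variant shows the opposite trade-off, where server-initiated traffic is covered but the inbound side loses both ftp-control and the destination NAT.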

Thank for the reply again,

The servers are sitting in the firewall DMZ with a private IP address and have their default gateways pointed to the DMZ interface address.

So I may be stuck with it the way it is.

But, would this be an issue for FTP transactions if I wanted to set up the primary FTP server to fail over to the DR server with a SorryService with the same routing topology?
