New Member

Groups question

Is the concept of groups to keep the traffic flowing through the VIP address, to the multiple services added to the group?

This way, the connection from the client to the end machine (whichever service the original connection is made to) stays intact?

I have seen questions about possible NATing and routing problems with the CSS and load balancing, is this what prevents those problems?

The routing stays through the CSS when groups are configured?

I have also seen FTP configured different ways with and without the:

application ftp-control

Is that needed as long as groups are configured?

content ftp
  vip address 2.1.1.80
  protocol tcp
  port 21
  application ftp-control
  add service MCI-FTP1
  add service MCI-FTP2

group ftp-group
  vip address 2.1.1.80
  add destination service MCI-FTP1
  add destination service MCI-FTP2

21 REPLIES
New Member

Re: Groups question

Hello Wilson,

Is the concept of groups to keep the traffic flowing through the VIP address, to the multiple services added to the group?

R/ the purpose of the groups is to NAT the incoming or the outgoing traffic. The most common is to use the add destination service in order to NAT the incoming traffic (if you have the VIPs and the servers on the same VLAN); that is used in order to avoid asymmetric flows.

With add destination the CSS will use the VIP address that you specified as the source IP address of the packets, so the server will think that the CSS is the client, and it will always respond back to the CSS.

The add service will NAT the outgoing connections; this means when the servers are the ones that initiate the connections.

This way, the connection from the client to the end machine (which ever service the original connection is made) stays intact?

R/ The group will NAT the incoming or the outgoing traffic.

I have seen questions about possible NATing and routing problems with the CSS and load balancing, is this what prevents those problems?

R/ yep, as I explained above, the group with add destination is used in order to avoid asymmetric flows; if the server is able to respond directly or use a different route to send the packets back to the client, that will break the TCP connection since the client opened the connection with the VIP address.

The routing stays through the CSS when groups are configured?

R/ yep, but depending on the setup or how your network is designed we don't need to use the groups.

I have also seen FTP configured different ways with and without the:

application ftp-control

Is that needed as long as groups are configured?

R/ the application ftp-control is required to let the CSS know it is FTP traffic. Also, since we need to specify port 21, which is used for the control connection, if you are balancing passive FTP that means that the user will also open the data connection, which will come with a different port; the application ftp-control will let that connection pass through the same content rule that we have with port 21.

Now, if you are balancing active FTP, that means that the server will open the data connection; in this case we need to NAT the outgoing traffic (add service under the group). Since the user opened the connection to the VIP, we need to NAT the data connection that is being generated by the server using the VIP address of the FTP content rule, because if not, the user will drop the packets.

We can have just one group with add destination or add service at a time, so if you need to balance active FTP, you will need to configure a group with add service, and configure an ACL in order to NAT the incoming traffic (like add destination does).

Hope this helps.

-Rodrigo
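The asymmetric-flow problem Rodrigo describes, and what "add destination service" changes, worked through as a toy simulation. This is an added illustration, not CSS code and not anything posted in the thread: the OneArmedCSS class, the Packet type and the client address 198.51.100.10 are assumptions; the VIP and server addresses are the ones from the sample config above. A real CSS also translates ports and keeps richer flow state, which this model leaves out.

```python
from dataclasses import dataclass, replace

# Addresses reused from the sample configs in this thread; the client
# address is constructed (RFC 5737 documentation range).
VIP = "2.1.1.80"
SERVERS = ("2.1.1.78", "2.1.1.79")
CLIENT = "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class OneArmedCSS:
    """Toy load balancer with a single interface (hypothetical model).
    With add_destination_service=True it also rewrites the client source
    address to the VIP, a simplification of a CSS group configured with
    'add destination service'."""

    def __init__(self, vip, servers, add_destination_service):
        self.vip = vip
        self.servers = list(servers)
        self.snat = add_destination_service
        self.flows = {}          # (server, src seen by server, sport) -> real client
        self.next_server = 0

    def inbound(self, pkt):
        """Client -> VIP: pick a server, rewrite dst (and src when SNAT is on)."""
        if pkt.dst != self.vip:
            return pkt           # not a balanced flow, forwarded untouched
        server = self.servers[self.next_server % len(self.servers)]
        self.next_server += 1
        src = self.vip if self.snat else pkt.src
        self.flows[(server, src, pkt.sport)] = pkt.src
        return replace(pkt, src=src, dst=server)

    def outbound(self, pkt):
        """Server -> CSS: reverse the translation so the client sees the VIP."""
        client = self.flows.get((pkt.src, pkt.dst, pkt.dport))
        if client is None:
            return None          # no flow state: the CSS drops it
        return replace(pkt, src=self.vip, dst=client)


def server_reply(pkt):
    """The server answers whoever the packet claimed to be from."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def deliver_reply(css, reply):
    """One-armed topology: only packets addressed to the VIP come back
    through the CSS; anything else is routed straight to its destination."""
    if reply.dst == css.vip:
        return css.outbound(reply), True
    return reply, False


def simulate(add_destination_service):
    """Run one client request through the model and report what the client sees."""
    css = OneArmedCSS(VIP, SERVERS, add_destination_service)
    request = Packet(src=CLIENT, dst=VIP, sport=40001, dport=21)
    to_server = css.inbound(request)
    reply = server_reply(to_server)
    at_client, via_css = deliver_reply(css, reply)
    # The client's TCP stack only matches a reply that comes from VIP:21
    # to the port it used; anything else has no socket and is dropped.
    accepted = (at_client is not None
                and at_client.src == request.dst
                and at_client.sport == request.dport
                and at_client.dport == request.sport)
    return {"server_saw_client_as": to_server.src,
            "reply_came_from": at_client.src if at_client else None,
            "via_css": via_css,
            "client_accepts": accepted}


if __name__ == "__main__":
    for snat in (False, True):
        label = "add destination service" if snat else "no group"
        print(f"{label:24s} {simulate(snat)}")
```

Without the group the reply reaches the client from 2.1.1.78, not the VIP it connected to, so the client has no matching connection and drops it; with add destination service the server sees the VIP as the client and the reply is forced back through the CSS.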

New Member

Re: Groups question

Thanks for the excellent answers Rodrigo,

I have a CSS configured with the below, are you saying I only need the group?

And can you give an example of the ACL needed?

!************************** SERVICE **************************
service FTP-dr
  ip address 2.1.1.79
  protocol tcp
  port 21

service FTP
  ip address 2.1.1.78
  protocol tcp
  port 21

!************************** OWNER **************************
owner ftp
  content ftp
    vip address 2.1.1.80
    application ftp-control
    protocol tcp
    port 21
    add service FTP
    add service FTP-dr

!*************************** GROUP ***************************
group ftp-group
  vip address 2.1.1.80
  add destination service FTP
  add destination service FTP-dr

New Member

Re: Groups question

The reason I am asking this question is that I have a CSS set up to failover a web connection; the client can redirect a transaction from the server and the server will go to another server to make the transaction.

When my server makes the transaction, it makes it from the static NAT in the firewall and not the CSS VIP address.

I hear you about the routing, but do not see an explanation anywhere about the proper way to configure that or the ACL you describe.

New Member

Re: Groups question

Rodrigo,

Is the topology supposed to be that everything gets routed through the CSS from the Internet router to the Firewall (if it sits between them)?

It seems that in order for the ACL that you mentioned to always match packets, there should be no way for the destination server to bypass the CSS if it makes a connection to another server, for example, to complete a transaction requested by a client.

Is that the case?

Is there an example of this per your comment:

"you will need to configure a group with add service, and configure an ACL in order to NAT the incoming traffic"

Green
New Member

Re: Groups question

yes, thanks man, I did see that.

I think I am getting what I need to do, I appreciate your input.

It drives me nuts to not understand it exactly. Why is it that the example documentation is never a scenario that is even remotely close to what you are working on?

It turns out I don't need the DNS component.

Did you see the last post in the other thread:

To collect show tech from CSS, use command line "script play showtech".

Green

Re: Groups question

I know what you mean. Glad you got over the dns hurdle, or no dns hurdle I guess in this case.

I understand the source groups and having the CSS nat the source address of the client, but the confusion comes in when you have to get the clients request to hit the CSS in the first place, not going directly to the server through the static in your firewall. I think that's what you were talking about, didn't read your whole post.

I did try out the script play showtech and it works fine, thanks for that.

New Member

Re: Groups question

Well, actually this stems from:

I have the groups set up with the "destination service" which, according to Gilles:

"We use 'add destination service' when we want to guarantee that the server will send its response back to the CSS and we can't have the routing table adjusted to guarantee this. "

One problem is that we have client requests that hit the server and that works fine, but when the client selects a link to do bill pay, the transaction goes from our server to a remote server.

The remote server sees the transaction as originating from the service address and not the VIP address.

They had to change their Firewall to allow the new source IP address from us.

Not a real problem, but I was wondering if this would be an issue when I set up the FTP VIP and services, or if the topology here is incorrect.

Or the CSS should be configured differently

I have the CSS in between the Firewall and internet router, so the server addresses are already being NATed.

I am also wondering if the CSS should actually be a passthrough for ALL traffic and apply an access-list to hit the services in the CSS and pass everything else.

Where do you go to get these questions answered?

Green

Re: Groups question

"Where do you go get these questions answered?"

-Here, but some go unanswered. Searching through old posts is pretty good too. I'm a CSS newbie, so that usually works better than the actual documentation from cisco.

New Member

Re: Groups question

yeah,

I have been looking through the old posts for several weeks.

It seems that when one question gets answered and you think about the answer, it just brings up three more questions.

They are like tribbles

Bronze

Re: Groups question

Wilson,

I refer your lines, "The remote server sees the transaction as originating from the service address and not the VIP address"

This shouldn't be allowed and it would be a breach of security as well. When the server initiates a connection to the outside world it needs to be SNAT-ed. How can we do this? Create a group config and just add this service under that group and do NOT use destination service here. The VIP can be the same as the incident VIP, I mean the one used in the content rule. Yes, you can re-use it.

thanks

New Member

Re: Groups question

Thanks for the reply,

Since I have my CSS sitting in the same VLAN (subnet) as the service addresses (static NAT on firewall), which is a one-armed config between the Internet router and firewall, couldn't removing "destination" cause a problem with potential asymmetric flows to the client?

Bronze

Re: Groups question

Wilson,

In your case the incoming and outgoing traffic is on the same circuit VLAN on the CSS, aka single-armed configuration. Here it is mandatory to use 'destination service'.

Regarding the server-initiated outgoing traffic that goes out w/o NAT-ing in your case, you might want to point your server default gateway to the CSS. This way it hits a CSS group and gets SNAT-ed. Otherwise, if it's not a security issue, you can let them go straight, hitting the FW which does the NAT-ing for you as of now.

thanks

New Member

Re: Groups question

Thanks for the reply again,

The servers are sitting in the firewall DMZ with a private IP address and have their default gateways pointed to the DMZ interface address.

So I may be stuck with it the way it is.

But, would this be an issue for FTP transactions if I wanted to set up the primary FTP server to failover to the DR server with a SorryService with the same routing topology?

New Member

Re: Groups question

Hello Wilson,

This is an example of how a one-armed configuration for FTP should look:

FTP passive/active, and if you need to NAT the incoming and the outgoing traffic:

content FTP
  add service web03-1
  add service web04-1
  protocol tcp
  port 21
  application ftp-control
  vip address 10.90.208.50
  active

group FTP
  add service web03-1
  add service web04-1
  vip address 10.90.208.50
  active

The ACL would be like this:

acl 15
  clause 10 permit tcp 10.90.208.0 255.255.255.0 any destination any sourcegroup FTP
  clause 99 permit any any destination any
  apply circuit-(VLAN1)      <-- content rules VLAN

Then in order to enable the ACL you need to issue this command:

CSS(config)# acl enable

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml

Now, regarding the groups, as per our conversation this is the difference between add service and add destination service:

The "add service" command under the group will NAT traffic that is originated from the servers, heading to the outside of your network. This traffic will be NATed if a server wishes to open a connection to someone else on your outside network.

The "add destination service" command will NAT the traffic that is heading towards the server, being load balanced to your servers. All traffic that is incoming to the server will be NATed to the VIP configured.

This is an online document:

http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

Now, the default gateway of your servers does not matter, since you are going to NAT on the CSS, so the server should always respond back to the CSS.

Please let me know if this makes sense.

-Rodrigo

New Member

Re: Groups question

Ok Rodrigo

So are you saying that since I have a one-armed config, I can use this (with the access-lists) for any circumstance where asymmetric flows could be a problem?

And if I need to do this with SMTP or anything else, I just follow the example you have here is that correct?

New Member

Re: Groups question

Wilson,

That depends, if you are going to use active FTP you will need to use the group with add service and the ACL.

And if you are going to balance just passive FTP you can use just the group with add destination service, and you won't need the ACL.

It is easiest to use the groups instead of OSPF.

Regarding your question about SMTP, please check this example:

!************ SERVICE **************
service test
  ip address 10.10.10.3
  port 25
  suspend

service test2
  ip address 10.10.10.4
  port 25
  active

!************* OWNER ***************
owner L3_Owner
  content SMTP
    add service test
    add service test2
    vip address 10.10.10.2
    port 25
    protocol tcp
    active

*****************************

In your case since you have a one-armed, you will need to use a group with add destination service, in order to nat the incoming traffic.

- Rodrigo

New Member

Re: Groups question

what exactly is the acl doing?

New Member

Re: Groups question

Rodrigo,

Why wouldn't I want to use this method for all configured servers in the CSS with a one-armed config?

It seems that with SMTP, if I send mail from inside our network, the server can go straight from the firewall to the router, then to the Internet; it could bypass the CSS and there could be problems with the remote server and reverse lookups.

My mail could be coming from the firewall NAT rather than the CSS VIP, correct?

Why wouldn't I ALWAYS want to make sure all traffic went through the CSS that originates from my servers configured with services?

And just to eliminate problems, it seems that if I had the choice, I would want all traffic to and from the CSS balanced server to go through the CSS.

Is this correct?

New Member

Re: Groups question

Hi Wilson,

It is simple, if you are going to use the CSS to do load balancing for your mail servers, the users are going to open the connection with the VIP address that you are using to balance the SMTP traffic.

The server must send the responses back to the CSS, because if not, we are going to have an asymmetric flow.

The users are waiting for the response from the CSS (VIP address).

Now, this depends on what you need or what you would like to do; if you want you can send all the SMTP traffic from your PIX to your servers, and the servers are going to respond back to the PIX.

Since you have a one-armed setup, you need to use the group in order to NAT the incoming traffic and avoid the asymmetric flows. Or if you want you can do policy based routing on your switch, or disable the sysopt noproxyarp on your PIX, use your CSS as the default gateway on your servers and use the command no redirects on the CSS, but I would prefer to use the groups.

Regarding your question, what exactly is the acl doing?

R/ there are a couple of things that we need to be clear about.

- One-armed setup means that 95% of the time we are going to need to use groups with add destination service in order to NAT the incoming traffic and avoid the asymmetric flow (the servers are always going to respond back to the CSS).

- What type of FTP are you going to balance, passive or active? If it is passive, the add destination group is going to be enough, since the user is going to open both the data and the control connection.

- If you are going to balance active FTP, we will need to NAT the incoming traffic (because you have a one-armed setup) and the outgoing connections (because the server is going to open the data connection). Now, we can assign the services to just one group, so we need to choose: configure the group with add destination service (in order to NAT the incoming traffic) or use the group with add service (in order to NAT the outgoing traffic).

- The ACL on the CSS is not able to NAT the FTP PORT command (http://slacksite.com/other/ftp.html), so we need to use the group with add service because the group can NAT the PORT command.

- Since we have a one-armed setup, what happens with the incoming traffic, since I am already using the group with add service?

- We need to configure the ACL in order to do the "add destination service" and NAT the incoming traffic, like the example that I posted.

All the traffic that the CSS is balancing needs to pass through it, the incoming and the outgoing.

The best way to know if everything is going to work is configuring the devices, and start the tests.

Hope you have everything clear now.

- Rodrigo
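Rodrigo's point that an ACL cannot NAT the FTP PORT command (and, earlier, that application ftp-control is what lets the CSS follow the data connection) comes down to one fact: FTP carries the data-connection address inside the payload, where a packet filter that matches only on headers never looks. The parser and rewriter below are an added illustration of that application-aware translation, not CSS code and not anything posted in the thread; the helper names, the 227 reply text and the client address 198.51.100.10 are assumptions, and the VIP and server addresses are reused from the sample configs above.

```python
import re

# Client -> server, active FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server
# where to open the data connection.  Server -> client, passive FTP: the
# "227 ... (h1,h2,h3,h4,p1,p2)" reply tells the client where to connect.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
HOSTPORT_RE = re.compile(r"\(\d+,\d+,\d+,\d+,\d+,\d+\)")


def decode_hostport(fields):
    """('h1','h2','h3','h4','p1','p2') -> ('h1.h2.h3.h4', p1*256 + p2)."""
    host = ".".join(fields[:4])
    return host, int(fields[4]) * 256 + int(fields[5])


def encode_hostport(host, port):
    """Inverse of decode_hostport, in the comma-separated FTP form."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Return (host, port) the server will connect to, or None if not a PORT line."""
    m = PORT_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """Return (host, port) the client will connect to, or None if not a 227 reply."""
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def rewrite_port_command(line, new_host, new_port=None):
    """Application-aware NAT of a PORT line: the server is told to open its
    data connection to new_host instead of the address the client wrote.
    Lines that are not PORT commands pass through unchanged."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    _, port = parsed
    return "PORT " + encode_hostport(new_host, port if new_port is None else new_port)


def rewrite_pasv_reply(line, new_host):
    """Application-aware NAT of a 227 reply: the client is told to open its
    data connection to the VIP rather than to the real server address, so
    the data connection also arrives at the load balancer."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return line
    _, port = parsed
    return HOSTPORT_RE.sub("(" + encode_hostport(new_host, port) + ")", line, count=1)


if __name__ == "__main__":
    # Constructed sample lines: client 198.51.100.10, server 2.1.1.78, VIP 2.1.1.80.
    port_line = "PORT 198,51,100,10,195,80"
    pasv_line = "227 Entering Passive Mode (2,1,1,78,195,81)"
    print(parse_port_command(port_line), "->", rewrite_port_command(port_line, "2.1.1.80"))
    print(parse_pasv_reply(pasv_line), "->", rewrite_pasv_reply(pasv_line, "2.1.1.80"))
```

The header fields an ACL clause sees (source, destination, ports) say nothing about the address encoded in either line, which is why header-level matching alone cannot keep an FTP data connection on the load balancer; a device that understands the protocol has to read and rewrite the control channel as the CSS group does.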

New Member

Re: Groups question

Rodrigo,

Sorry about this but, I just want to make sure I understand:

The mail server is not always just accepting connections from the outside.

People on the inside are sending mail, so if my server is initiating the transfer of mail, there is no outside connection to reply back to the VIP.

Wouldn't my server send the mail out the service address as opposed to the VIP address with the "add service"?
