NEED HELP IN CSS ROUTING

r.docuyanan
Level 1

Hi,

Can anyone advise if this is the best practice? I have an ASR (HA) configuration:

Outside Server (192.20.10.57)-----FW1--->192.31.20.192/28 network (VIP is 192.31.20.197)-->LBs---->internal web server farm (192.31.20.160/27; one of the servers is 192.31.20.169)

I have the routing from the LB: ip route 0.0.0.0 0.0.0.0 192.31.20.163

The HA and content rules are working fine: when WWW users access the VIP 192.31.20.197, we can see the HTTP content of the server farm (192.31.20.160/27). However, the server farm needs to communicate with the outside server at IP 192.20.10.57 for some updates through ports TCP 80, 443 and 1080.

All FW rules have been opened.

Questions:

1. The internal server farm is trying to access outside servers with services (80 and 443); is this possible? The outside world only knows the server farm's VIP of 192.31.20.197.

2. If the internal servers (192.31.20.160/27) initiate traffic to the outside server (192.20.10.57), will it be NATed to the VIP address of 192.31.20.197?

3. The internal servers have another NIC card (management IP); can this be used instead to initiate traffic to the outside server (192.20.10.57)?

4. Is it advisable to initiate traffic from the internal server farm to the outside server (the connection, meaning the TCP flows, will pass through the LB (CSS box))?

Attached is the network diagram.

Accepted Solution

syediahm
Level 1

To NAT source IP addresses for flows originating from the server side of the CSS, add the existing services to a source group.

E.g.

(config)#group outbondnat
(config-group[outbondnat])#vip address 192.31.20.197
(config-group[outbondnat])#add service <1st service name>
(config-group[outbondnat])#add service <2nd service name>
(config-group[outbondnat])#active

Hope it helps.

Syed


Hi Syed,

Are there security issues in doing the NATting? Do you think having a separate NIC card for traffic is better than NATting it in the CSS?

Regards,

r.docuyanan

Well, if your firewall is not allowing access to the server farm's real IPs, then I don't see any issues.

Your setup is pretty normal. All Windows servers sitting behind LBs normally need access to the "Windows Update site" :).

Thanks for the help!

Hi,

I created the group, but it seems I can't connect to the other server:

Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
192.31.20.171   32827 192.20.10.57    80    192.20.10.57    TCP e5      e3
192.20.10.57    80    192.31.20.199   2021  192.31.20.171   TCP e3      e5

It seems that on the flow back the port becomes 2021?

The output you posted shows a complete session:

1. 192.31.20.171:32827 (src) initiated a connection to 192.20.10.57:80 (dst).

2. The CSS changed the port and address, hence the src became 192.31.20.199:2021 and the dest remained the same, 192.20.10.57:80.

3. Return traffic:

src 192.20.10.57:80 to dst 192.31.20.199:2021

4. The CSS converted the port and IP back, and the packet became:

src 192.20.10.57:80 dst 192.31.20.171:32827

Run a sniffer on the server and look for the return traffic from the outside server.

Syed
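As an added example (not from the thread, and not a CSS tool), a small Python script a defender can keep handy: it parses a flow table in the layout posted above, pairs each server-initiated flow with its return flow following Syed's four steps, and checks that the NATed source is the address the source group is expected to use. The server subnet and the expected NAT address are inputs you supply; the sample rows are constructed from the table in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample laid out like the CSS "show flows" table posted in the thread.
SAMPLE_FLOWS = """\
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
192.31.20.171   32827 192.20.10.57    80    192.20.10.57    TCP e5      e3
192.20.10.57    80    192.31.20.199   2021  192.31.20.171   TCP e3      e5
"""

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    proto: str

# Header and dashed separator lines never match, because SPort/DPort must be digits.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+$")

def parse_flows(text):
    """Parse the flow table into Flow records, skipping header and separator."""
    return [Flow(m[1], int(m[2]), m[3], int(m[4]), m[5], m[6])
            for m in map(ROW.match, (l.strip() for l in text.splitlines())) if m]

def pair_outbound_flows(flows, server_net):
    """Match each server-initiated flow with its return flow and expose the NAT mapping.

    The return flow is the row whose src/sport equal the outbound dst/dport and whose
    NAT Dst Address is the real server (the CSS translating back, step 4 above)."""
    net = ipaddress.ip_network(server_net)
    pairs = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in net:
            continue  # not initiated from the server farm
        ret = next((r for r in flows if r.src == f.dst and r.sport == f.dport
                    and r.proto == f.proto and r.nat_dst == f.src), None)
        pairs.append({"server": f"{f.src}:{f.sport}", "remote": f"{f.dst}:{f.dport}",
                      "nat_source": f"{ret.dst}:{ret.dport}" if ret else None,
                      "return_seen": ret is not None})
    return pairs

def nat_source_is(pairs, expected_ip):
    """True only if every outbound flow has a return flow NATed to expected_ip."""
    return all(p["nat_source"] and p["nat_source"].split(":")[0] == expected_ip for p in pairs)
```

A missing return flow ("return_seen" false) points at the path back from the outside server, which is exactly what the sniffer check above would confirm.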