08-16-2006 07:34 PM
Hi,
Can anyone advise if this is the best practice? I have an ASR (HA) configuration:
Outside Server (192.20.10.57) ----- FW1 ---> 192.31.20.192/28 network (VIP is 192.31.20.197) --> LBs ----> internal web server farm (192.31.20.160/27; one of the servers is 192.31.20.169)
I have the routing from the LB ip route 0.0.0.0 0.0.0.0 192.31.20.163
The HA and Content rules are working fine, when WWW users access the VIP 192.31.20.197, we can
see the http content of the serverfarm (192.31.20.160/27),however, the server farm needs
to communicate with the outside server of ip 192.20.10.57 for some updates through ports tcp 80, 443, 1080.
All FW rules have been opened
Questions:
1. The internal server farm is trying to access outside servers on services 80 and 443. Is this possible? The outside world only knows the server farm's VIP of 192.31.20.197.
2. If the internal servers (192.31.20.160/27) initiate traffic to the outside server (192.20.10.57), will it be NATed to the VIP address of 192.31.20.197?
3. The internal servers have another NIC (management IP). Can this be used instead to initiate traffic to the outside server (192.20.10.57)?
4. Is it advisable to initiate traffic from the internal server farm to the outside server (the connection, meaning the TCP flows, will pass through the LB (CSS box))?
Attached is the network diagram
08-17-2006 01:29 AM
To NAT source IP addresses for flows originating from the server side of the CSS, add the existing services to a source group.
E.g.
(config)# group outbondnat
(config-group[outbondnat])# vip address 192.31.20.197
(config-group[outbondnat])# add service <1st service name>
(config-group[outbondnat])# add service <2nd service name>
(config-group[outbondnat])# active
Hope it helps
Syed
08-17-2006 06:24 PM
Hi Syed,
Are there security issues in doing the NATting? Do you think having a separate NIC for this traffic is better than NATting it in the CSS?
regards
r.docuyanan
08-17-2006 06:34 PM
Well, if your firewall is not allowing access to the server farm's real IPs then I don't see any issues.
Your setup is pretty normal. All Windows servers sitting behind LBs normally need access to the "Windows Update site" :).
08-17-2006 06:45 PM
Thanks for the help !
08-18-2006 01:03 AM
Hi,
I created the group, but it seems I can't connect to the other server.
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
192.31.20.171 32827 192.20.10.57 80 192.20.10.57 TCP e5 e3
192.20.10.57 80 192.31.20.199 2021 192.31.20.171 TCP e3 e5
It seems that on the flow back the port becomes 2021?
08-18-2006 03:18 PM
The output you posted shows a complete session:
1. 192.31.20.171:32827 (src) initiated a connection to 192.20.10.57:80 (dst).
2. The CSS changed the port and address, hence the src became 192.31.20.199:2021 and the dst remained the same, 192.20.10.57:80.
3. Return traffic:
src 192.20.10.57:80 to dst 192.31.20.199:2021
4. The CSS converted the port and IP back and the packet became
src 192.20.10.57:80 dst 192.31.20.171:32827
Run sniffer on the server and look for the return traffic from outside server.
Syed
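As an added example (not part of the thread, and not a Cisco tool), the script below automates the check Syed walks through: it parses the CSS flow table as posted, pairs each server-initiated flow with its return flow by matching the outside host's address/port and the translated-back destination, and then reports the source address the outside server actually saw. A defender can feed it a copied flow table to confirm that the translated source is the address the firewall rules were opened for and that every outbound flow has a return flow. The sample rows are the two the poster showed, reproduced here as constructed input; the farm subnet 192.31.20.160/27 and the group VIP 192.31.20.197 are taken from the thread, and the "allowed NAT sources" set is an assumption you would replace with your own permitted addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed sample, laid out like the flow output quoted in the thread
# (the two data rows are the ones the poster showed).
SAMPLE_FLOWS = """\
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------ -------
192.31.20.171   32827 192.20.10.57    80    192.20.10.57    TCP e5     e3
192.20.10.57    80    192.31.20.199   2021  192.31.20.171   TCP e3     e5
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    proto: str
    in_port: str
    out_port: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the 8-column flow table; header and separator rows are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        flows.append(Flow(parts[0], int(parts[1]), parts[2], int(parts[3]),
                          parts[4], parts[5], parts[6], parts[7]))
    return flows


def pair_sessions(flows: List[Flow], farm_cidr: str) -> List[Dict[str, object]]:
    """Match each server-initiated flow with its return flow.

    A return flow belongs to an outbound flow when it comes from the outbound
    destination (same address and port) and the CSS rewrites its destination
    back to the real server (NAT Dst Address == outbound Src Address). The
    return flow's Dst Address/DPort is then the translated source that the
    outside host saw.
    """
    farm = ip_network(farm_cidr)
    outbound = [f for f in flows if ip_address(f.src) in farm]
    returning = [f for f in flows if ip_address(f.src) not in farm]
    sessions = []
    for f in outbound:
        match = next((r for r in returning
                      if r.src == f.dst and r.sport == f.dport
                      and r.nat_dst == f.src and r.proto == f.proto), None)
        sessions.append({
            "server": f.src, "server_port": f.sport,
            "outside": f.dst, "outside_port": f.dport,
            "nat_src": match.dst if match else None,
            "nat_port": match.dport if match else None,
        })
    return sessions


def check_nat_sources(sessions: List[Dict[str, object]],
                      allowed_nat_sources: Set[str]) -> List[str]:
    """Report sessions with no return flow, or whose translated source is not
    one of the addresses the firewall is expected to permit."""
    findings = []
    for s in sessions:
        who = f"{s['server']}:{s['server_port']} -> {s['outside']}:{s['outside_port']}"
        if s["nat_src"] is None:
            findings.append(f"{who}: no return flow seen (translation or firewall path incomplete)")
        elif s["nat_src"] not in allowed_nat_sources:
            findings.append(f"{who}: translated source {s['nat_src']} is not an allowed NAT address")
    return findings


if __name__ == "__main__":
    # Assumption: the firewall was opened only for the group VIP from the thread.
    sessions = pair_sessions(parse_flows(SAMPLE_FLOWS), "192.31.20.160/27")
    for finding in check_nat_sources(sessions, {"192.31.20.197"}):
        print(finding)
```

Run against the posted rows with the group VIP as the only allowed address, the script pairs the two rows into one session and flags it, because the outside host saw 192.31.20.199:2021 rather than the VIP; comparing that address with whatever the firewall rule permits is the first thing to check when the outbound connection fails.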