Newbie questions about CSS (11503)

dprakken1
Level 1

I am going to be installing a couple of ASA failover pairs plus a redundant CSS load-balancing solution soon, and I have some basic newbie questions about setting up the CSS 11503s. The basic scenario is this:

Internet -> FW Pair 1(A/S Failover) -> DMZ1 -> CSS (Failover) -> Web Servers -> FW Pair 2(A/S Failover) -> DMZ2 -> SQL Servers

The customer seems to think that DMZ1, CSS, Web Servers and FW pair 2 outside interface should all be in the same subnet. It appears from reading several posts, that this may be possible - but is it the best way to do it? I have the ability to influence the design, so I want to know the best way.

I am also not sure what is optimum for how NAT is accomplished. Should FW pair 1 do it, or is it better to let the CSS pair do it? Also, what is the best design for the CSS failover?

If you had a clean slate, how would you do it?

Thanks

Dave

Accepted Solution

Gilles Dufour
Cisco Employee

The CSS can work in bridge mode or routed mode.

What your customer wants to do is ok. It's good to save on ip addresses if you need to.

But that's the only advantage. The CSS works the same whether you do bridge mode or routed mode.

For CSS failover, I definitely recommend VIP/interface redundancy vs. box-to-box.

You get faster failover time and you get the possibility to enable ASR for stateful failover.

Regarding NAT, I prefer to let the firewall do it.

Gilles.
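To make the recommendation above concrete, here is what a routed-mode CSS 11503 pair using VIP/interface redundancy with ASR (Adaptive Session Redundancy) looks like, mapped onto the topology in the question (FW pair 1 inside -> CSS -> web servers). This is an added example written from memory of the CSS 11500 Series configuration guide syntax; it is not Gilles' configuration or a Cisco-published one. Every address, VLAN number, interface slot/port, service name and priority value is assumed, and the exact keywords should be verified against the WebNS release actually installed.

```text
! ===== CSS-A (preferred active unit for both VRIDs) =====
! Constructed example; all addresses/ports/names are assumptions.

! Physical ports mapped to VLANs (slot/port numbering is assumed)
interface 2/1
  bridge vlan 1        ! client side: same subnet as FW pair 1 inside
interface 2/2
  bridge vlan 2        ! server side: web servers
interface 2/3
  bridge vlan 3        ! dedicated back-to-back link to CSS-B for ASR

! Client-side circuit: redundant interface and redundant VIP share VRID 1
circuit VLAN1
  ip address 192.168.10.2 255.255.255.0
    ip virtual-router 1 priority 105 preempt
    ip redundant-interface 1 192.168.10.1
    ip redundant-vip 1 192.168.10.100
    ! if the upstream firewall is unreachable, give up mastership
    ip critical-service 1 upstream-fw

! Server-side circuit: the redundant interface is the servers' default gateway
circuit VLAN2
  ip address 192.168.20.2 255.255.255.0
    ip virtual-router 2 priority 105 preempt
    ip redundant-interface 2 192.168.20.1

! ASR inter-switch link (no redundancy on this circuit)
circuit VLAN3
  ip address 10.255.255.1 255.255.255.252

! Return traffic to the Internet goes back through FW pair 1
ip route 0.0.0.0 0.0.0.0 192.168.10.254 1

! Enable the Application Peering Protocol session to the peer CSS
app
app session 10.255.255.2

! Critical service: tracks the firewall inside interface
service upstream-fw
  ip address 192.168.10.254
  keepalive type icmp
  active

! Real servers; redundant-index must be unique per service and
! identical on both CSSs for flows to be replicated
service web1
  ip address 192.168.20.11
  keepalive type http
  redundant-index 1
  active

service web2
  ip address 192.168.20.12
  keepalive type http
  redundant-index 2
  active

owner customer
  content http-vip
    vip address 192.168.10.100
    protocol tcp
    port 80
    add service web1
    add service web2
    redundant-index 1      ! enables ASR for this rule (same value on peer)
    active

! ===== CSS-B: identical except for these lines =====
! circuit VLAN1: ip address 192.168.10.3 ...; ip virtual-router 1 priority 100
! circuit VLAN2: ip address 192.168.20.3 ...; ip virtual-router 2 priority 100
! circuit VLAN3: ip address 10.255.255.2 255.255.255.252
! app session 10.255.255.1
! (no "preempt", so CSS-A takes back mastership when it recovers)
```

Points worth checking against this layout: the firewall pair's inside interface sits on the same subnet as the VIP, so no static route for the VIP is needed on FW pair 1, while the web servers point their default gateway at the redundant interface (192.168.20.1), not at either unit's own address, so a failover does not strand return traffic. Box-to-box redundancy (`ip redundancy`) is not configured; VIP/interface redundancy uses the per-circuit `ip virtual-router` commands instead, and ASR is what `app`, `app session` and the matching `redundant-index` values on both peers turn on. Because the firewalls do the NAT here, the CSS needs no `add destination service` or group-based source NAT for this flow.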
