Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

One CSS behind 2 PIX Segments

I have a need to use 1 CSS to balance server farms that reside on 2 different PIX segments. So Internet traffic destined for a server farm on "DMZ 1" would be balanced and traffic destined for a server farm on "DMZ 2" would be balanced through the same CSS. Also, I have a 2nd CSS for redundancy. I am not sure of the best way to accomplish this and keep traffic routing through the proper PIX interface.

3 REPLIES
Cisco Employee

Re: One CSS behind 2 PIX Segments

Placing the CSS outside is the easiest solution.

But then the device is not protected by the firewalls.

If you attach the CSS to both DMZ, then you have a device routing between 2 DMZ, bypassing the firewalls which is not a great idea.

Placing the CSS in 1 DMZ is ok, but then you need to turn on client nat for traffic having to be loadbalanced to the other DMZ.

Placing the CSS inside, is the worst, as you need client nat for both DMZ.

So, hopefully you'll be able to decide what is better for you with this information.

Gilles.

New Member

Re: One CSS behind 2 PIX Segments

Right now I have the CSS connected to both DMZ's and all VIP's are in in "DMZ1". When I connect to a VIP with servers in "DMZ2" it seems to work OK. I had to set the defalt gateway of the servers in DMZ2 to the VLAN interface on the CSS. The problem is that when one of those servers tries to initiate a connection to the Internet, it can't since the gateway is the CSS and the CSS only has 1 default route and that is through DMZ1. So now I have asymetric routing through the PIX.

There has to be a better way.

Cisco Employee

Re: One CSS behind 2 PIX Segments

you can use an acl to match traffic from the servers in DMZ2 and set the nexthop to be the pix ip in dmz2.

Sth like this :

service pix-dmz2

ip address x.x.x.x

type transparent

active

acl 1

clause 10 permit any any destination any prefer pix-dmz2

apply circuit-vlan-dmz2

But being connected to the 2 dmz is not "secure" as the CSS can bypass the firewall.

There is no point using 2 DMZ if at the end you have a device being able to connect those 2 vlans bypassing the firewall.

So, just use 1 DMZ.

Gilles.

129
Views
0
Helpful
3
Replies