Cisco Support Community

New Member

One CSS LB two firewalls, DMZ, return path?

Hi,

I have a client wanting to set up their (only) CSS to load balance two firewalls on the public side, servers in the DMZ, and return path through the firewalls. I recommended they keep the CSS off the public side, but they want the external FWLB. My question is, is it as simple as setting up another VLAN for the CSS on the public side then VIPing the FW addresses?

I saw the docs on FWLB, but it states you cannot use NAT; how is security accomplished through the firewalls then?

Thanks in advance,

Bob James

3 REPLIES
New Member

Re: One CSS LB two firewalls, DMZ, return path?

I typically don't assign public IPs on my Internet-facing firewalls. The public addresses reside on a device behind the firewall. Then you simply configure your rules to allow access to the public IPs as needed. In my opinion this is more secure than having public IPs and NAT on your firewalls.

I use two LBs to load balance firewalls. I'm not sure it would work with only one.

New Member

Re: One CSS LB two firewalls, DMZ, return path?

Hi,

I don't quite understand what you are saying? What is the purpose of the firewall (or firewalls) if traffic is just allowed to flow through them? No NAT, or packet filtering?

How can this be more secure than a very standard practice?

Thanks in advance,

New Member

Re: One CSS LB two firewalls, DMZ, return path?

You can do packet filtering without NAT.
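The last reply's point, and the original poster's return-path concern, can both be shown with a small simulation. This is an added example, not Cisco CSS configuration and not code from anyone in the thread: the addresses, rule set and firewall names are constructed, and the firewall-selection hash is a simplified stand-in for whatever the load balancer actually does. It shows that a default-deny filter can protect servers that carry routable public addresses with no translation at all, and why both directions of a flow must cross the same stateful firewall.

```python
"""Stateful packet filtering of untranslated public addresses behind two
load-balanced firewalls. Added illustration; all values are constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Constructed: the DMZ servers carry routable (TEST-NET-3) addresses directly,
# so the firewall rules name the real server addresses rather than NAT pools.
DMZ_PUBLIC = ipaddress.ip_network("203.0.113.0/28")

# Constructed default-deny rule set: (proto, destination network, allowed dports)
RULES = [
    ("tcp", DMZ_PUBLIC, {80, 443}),
    ("udp", ipaddress.ip_network("203.0.113.5/32"), {53}),
]


def rule_permits(pkt: Packet) -> bool:
    """Stateless check: a packet is allowed only if some rule matches it."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(
        pkt.proto == proto and dst in net and pkt.dport in ports
        for proto, net, ports in RULES
    )


class Firewall:
    """Minimal stateful filter: replies are allowed only for sessions that
    this particular firewall accepted on the way in."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: set[tuple[str, str, str, int, int]] = set()

    def inspect(self, pkt: Packet) -> bool:
        # Reverse 5-tuple of an accepted session -> this is a legitimate reply.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
            return True
        if rule_permits(pkt):
            self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False


FIREWALLS = {"fw1": Firewall("fw1"), "fw2": Firewall("fw2")}  # constructed names


def choose_firewall(src: str, dst: str) -> Firewall:
    """Hash the unordered address pair so the reply (dst -> src) is steered to
    the same firewall as the request (src -> dst). Simplified stand-in for the
    load balancer's own selection logic, not a model of the CSS algorithm."""
    key = "|".join(sorted((src, dst))).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(FIREWALLS)
    return list(FIREWALLS.values())[idx]


def forward(pkt: Packet) -> tuple[str, bool]:
    """Load balancer step: pick a firewall, then let it decide on the packet."""
    fw = choose_firewall(pkt.src, pkt.dst)
    return fw.name, fw.inspect(pkt)


if __name__ == "__main__":
    req = Packet("198.51.100.7", "203.0.113.10", "tcp", 51515, 443)
    rep = Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 51515)
    print("request:", forward(req))
    print("reply:  ", forward(rep))
    print("ssh to DMZ:", forward(Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 22)))
```

The request to port 443 is permitted purely by the rule on the server's real address, so no translation is involved. The reply is permitted only because the hash sends it to the firewall that holds the session entry; handing the same reply to the other firewall fails, which is the asymmetric-return-path problem an external FWLB design has to avoid.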
