Community Member

Problem with GSLB and NAT

Hi,

I have been having a few problems with NAT and gslb.

The scenario is as follows. I have two sites with one GSLB in each location using rule-based DNS. The DNS and VIPs are statically NATed behind a PIX using the static dns attribute.

If I do a lookup externally to the primary CSS DNS I get the correct 'A' record for the VIP passed back and all works OK. This is also the case for the backup site.

However, I have now linked these two CSS via APP and they are dynamically passing VIPs. Now if I suspend the primary site services (forcing failover to the backup site) and do a DNS lookup, I get the real private 'A' record for the backup site, which is no use.

I have tried configuring the primary PIX with a static for the other site's global and private address (as suspected, this did not work). Has anyone come across this?

Thanks

Matt

3 REPLIES
Cisco Employee

Re: Problem with GSLB and NAT

Matt,

You should use the DNS fixup function of the PIX.

It will inspect the NAT response and replace the internal address with the external address.

See the following example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Gilles.

Community Member

Re: Problem with GSLB and NAT

Hi Gilles,

Thanks for the response. I actually already have the DNS A records working using PIX fixup with the following command (from lab):

static (inside,outside) 200.200.200.4 10.1.1.4 dns netmask 255.255.255.255 0 0

However, this works fine if I query CSS1 (at site 1), which is behind PIX1, and it returns VIP1 (local to this CSS) with the correct NAT A record on the firewall.

The problem is when I query this CSS1 for VIP2, which is learnt through an APP session to CSS2: this VIP's DNS A record is not changed.

I have tried putting a similar static on PIX1 to do the DNS fixup for the global and private address on PIX2, but this doesn't seem to work.

Let me know if this makes sense. So in summary, DNS fixup is working fine on each site independently; however, when each site passes the other site's VIP in a DNS response, this is not modified.

Thanks

Matt
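The behaviour Matt describes, that the PIX rewrites A records only for addresses that match a static with the dns keyword on that PIX, can be modelled with a small DNS response parser. The following is an added example, not code from the thread or from Cisco: it builds a minimal DNS response, walks the answer section, and applies the rewrite rule (inside-to-outside replaces the local address with its global, outside-to-inside does the reverse). The site 1 static is the one from Matt's lab command; the site 2 addresses (10.2.2.4 / 200.200.200.5), the query name, and the function names are constructed for the illustration. The model is a simplification of the real DNS inspection: it shows only the address-matching rule, not interface pairing or the other conditions the real device applies, so it predicts that an extra static for site 2's pair would rewrite VIP2 even though Matt reports that did not work in his lab.

```python
import struct
import ipaddress

# Static NAT entries with the "dns" keyword, modelled on the thread's lab command:
#   static (inside,outside) 200.200.200.4 10.1.1.4 dns netmask 255.255.255.255 0 0
# Each tuple: (global address, local address, dns rewrite enabled).
PIX1_STATICS = [("200.200.200.4", "10.1.1.4", True)]

# Constructed addresses for site 2 (assumptions, not from the thread).
VIP2_PRIVATE = "10.2.2.4"
VIP2_GLOBAL = "200.200.200.5"


def build_dns_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response: one A question, one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                          for label in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    records = b""
    for ip in answers:
        records += b"\xc0\x0c"                            # name pointer to offset 12
        records += struct.pack("!HHIH", 1, 1, 300, 4)     # A, IN, TTL 300, RDLENGTH 4
        records += ipaddress.IPv4Address(ip).packed
    return header + question + records


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer, two bytes in total
            return off + 2
        off += 1 + length


def a_records(msg):
    """Return [(rdata offset, dotted address)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                    # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = off + 10
        if rtype == 1 and rdlen == 4:
            found.append((rdata, str(ipaddress.IPv4Address(msg[rdata:rdata + 4]))))
        off = rdata + rdlen
    return found


def doctor_response(msg, statics, direction):
    """Apply the DNS rewrite rule to the answer section.

    inside_to_outside replaces a local address with its global address;
    outside_to_inside does the reverse. Addresses with no matching static that
    has dns enabled are left untouched, which is the behaviour the thread describes.
    Returns (rewritten message, list of (old, new) rewrites)."""
    out = bytearray(msg)
    rewrites = []
    for rdata, addr in a_records(msg):
        for glob, local, dns_on in statics:
            if not dns_on:
                continue
            match, replacement = (local, glob) if direction == "inside_to_outside" else (glob, local)
            if addr == match:
                out[rdata:rdata + 4] = ipaddress.IPv4Address(replacement).packed
                rewrites.append((addr, replacement))
                break
    return bytes(out), rewrites


def addresses_seen(msg):
    """Dotted addresses an external client would read from the answer section."""
    return [addr for _, addr in a_records(msg)]


def scenario(answers, statics):
    """What an external client receives after PIX1 inspects CSS1's reply."""
    reply = build_dns_response("www.example.test", answers)
    doctored, _ = doctor_response(reply, statics, "inside_to_outside")
    return addresses_seen(doctored)


if __name__ == "__main__":
    print("site 1 VIP        :", scenario(["10.1.1.4"], PIX1_STATICS))
    print("failover VIP2     :", scenario([VIP2_PRIVATE], PIX1_STATICS))
    print("with site 2 static:", scenario([VIP2_PRIVATE],
                                          PIX1_STATICS + [(VIP2_GLOBAL, VIP2_PRIVATE, True)]))
```

Running it shows the local VIP1 answer rewritten to 200.200.200.4, the failover answer carrying VIP2's private address passed through unchanged because PIX1 has no static for it, and the rewrite only happening once a static covering VIP2's pair is present in the table the model consults.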

Cisco Employee

Re: Problem with GSLB and NAT

The solution is DNS fixup.

If it does not work, you should ask the security forum why.

The CSS correctly returns the VIP IP address.

Gilles.
