Cisco CSM - reals / VIP separated by a firewall

Hi,
Briefly, for various reasons, we are locating a pair of appliances on a DMZ fronted by a firewall. We intend to configure inbound traffic via a Cisco CSM located in front of that firewall.
My question is: which interface would the CSM send the health probes from? We are using a source NAT client pool, so I'm assuming it would be the interface of the CSM in that VLAN. Is this correct?
Many Thanks

Hello!
The CSM sends the probe with the source IP of the interface the probe leaves on, chosen by the best route to the destination.
i.e.
If the destination IP of the probe is on a layer 2 adjacent segment, we ARP for the MAC and then send the packet with the source IP of the interface VLAN on which the ARP was answered.
If the IP is not layer 2 adjacent, the CSM sends the probe out of the interface VLAN selected by its routing table. The source IP of the packet is the VLAN IP of the chosen outbound interface.
Please let me know if that clarifies what you were asking.
Regards,
Chris
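
Worked example of the source-selection rule Chris describes (connected VLAN first, otherwise the routing table), written in Python as an added illustration; it is not CSM code, and the topology it uses is constructed: VLAN 10 on the client side of the CSM, VLAN 20 facing the firewall, a DMZ 172.16.50.0/24 behind that firewall reached via 10.1.20.1, and a source-NAT client pool 10.1.20.100/30. The last function looks at the question from the firewall's side: a DMZ policy that permits only the NAT client pool would drop the probes, because they leave with the VLAN interface address, not a pool address.

```python
"""Model of how a Cisco CSM picks the source address of a health probe.

Added example, not CSM code. Topology values below are constructed:
  VLAN 10  client side of the CSM        CSM address 10.1.10.2/24, gateway 10.1.10.1
  VLAN 20  firewall side of the CSM      CSM address 10.1.20.2/24, firewall outside 10.1.20.1
  DMZ      172.16.50.0/24 behind the firewall, reached via 10.1.20.1
  NAT pool 10.1.20.100/30 used for source-NATed client connections
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VlanInterface:
    vlan: int
    address: str  # the CSM's own address on that VLAN, in CIDR notation

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str


VLANS = [VlanInterface(10, "10.1.10.2/24"), VlanInterface(20, "10.1.20.2/24")]
ROUTES = [Route("0.0.0.0/0", "10.1.10.1"), Route("172.16.50.0/24", "10.1.20.1")]
NAT_POOL = ["10.1.20.100/30"]          # constructed source-NAT client pool
REALS = ["172.16.50.11", "172.16.50.12"]  # constructed DMZ reals


def connected_vlan(ip, vlans) -> Optional[VlanInterface]:
    """Return the VLAN whose subnet directly contains ip (layer 2 adjacent), if any."""
    for v in vlans:
        if ip in v.iface.network:
            return v
    return None


def probe_source(dst_ip: str, vlans, routes) -> Tuple[int, str, str]:
    """Egress VLAN, source IP and reason for a probe to dst_ip.

    A connected subnet wins (the CSM ARPs for the real directly); otherwise the
    longest-prefix route selects the next hop, and the probe is sourced from
    the CSM address on the VLAN where that next hop lives.
    """
    dst = ipaddress.ip_address(dst_ip)
    direct = connected_vlan(dst, vlans)
    if direct is not None:
        return direct.vlan, str(direct.iface.ip), "connected"
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    nh_vlan = connected_vlan(ipaddress.ip_address(best.next_hop), vlans)
    if nh_vlan is None:
        raise LookupError(f"next hop {best.next_hop} is not on a connected VLAN")
    return nh_vlan.vlan, str(nh_vlan.iface.ip), f"via {best.next_hop}"


def probe_source_ips(reals, vlans, routes) -> List[str]:
    """Distinct source addresses the probes to the given reals will carry."""
    return sorted({probe_source(r, vlans, routes)[1] for r in reals})


def sources_missing_from_policy(reals, vlans, routes, permitted_sources) -> List[str]:
    """Probe source IPs that a firewall policy permitting only permitted_sources
    (for example just the source-NAT client pool) would drop."""
    permitted = [ipaddress.ip_network(p) for p in permitted_sources]
    return [s for s in probe_source_ips(reals, vlans, routes)
            if not any(ipaddress.ip_address(s) in n for n in permitted)]


if __name__ == "__main__":
    for real in REALS:
        print(real, "->", probe_source(real, VLANS, ROUTES))
    print("probe sources the DMZ firewall must also permit:",
          sources_missing_from_policy(REALS, VLANS, ROUTES, NAT_POOL))
```

Running it shows both DMZ reals probed from 10.1.20.2 via 10.1.20.1, and that address is what the DMZ firewall has to allow on the probe port in addition to the NAT pool.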

Similar Messages

  • Cisco C6500 CSM - Real server cannot ping its VIP.

    I've been running into an issue with Cisco CSM for a number of years, but have always found a way around it. I'm attempting to get to the bottom of this to find out once and for all whether this is in fact a limitation of the device, or whether a config issue/workaround is possible.
    Here is my situation. My CSMs are configured in bridging mode. Traffic works great; traffic bridges across VLANs correctly. Everything works, and I have many instances of similar configurations running in production. Every once in a while, a client reports that a "real" server (i.e. LWCMW-021)
    cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT server, but I'm not 100% sure. Clients have requested this functionality for some application-based purpose, but I'm unaware whether the CSM in bridging mode can provide this or not.
    Any suggestions?
    real LWCMW-021
      address 10.95.88.59
      inservice
    real LWCMW-022
      address 10.95.88.60
      inservice
    serverfarm LWCMW-80
      nat server
      no nat client
      real name LWCMW-021 80
        inservice
      real name LWCMW-022 80
        inservice
      probe HTTP-80          (defined elsewhere)
    vserver LWCMW-80
      virtual 10.95.88.68 tcp WWW
      vlan 120
      serverfarm LWCMW-80
      persistent rebalance
      inservice

    Sorry for giving false hope. It is only possible in the ACE module. In the case of the CSM I believe we can only use a workaround.
    In the case of the ACE we can bind the virtual IP to multiple VLANs. In that case we see an ARP entry like this:
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan345   VSERVER    LOCAL     _         up
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan346   VSERVER    LOCAL     _         up
    As the virtual IP is not bound to a particular VLAN in the case of the CSM, it does not work here, but I can say for sure it is expected behavior.
    The logic would be that the server tries to resolve the ARP for the virtual IP and does not get a response.
    In my case the virtual IP is 10.10.10.111; before applying the policy on the ACE you can see that it is exhibiting the same behaviour.
    Flow graph of the capture (ARP requests from the server's NIC Vmware_b4:72:11 to the broadcast address; no reply is ever seen):
    Time    Source            Destination   Info
    0.000   Vmware_b4:72:11   Broadcast     ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    0.999   Vmware_b4:72:11   Broadcast     ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    1.998   Vmware_b4:72:11   Broadcast     ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    3.014   Vmware_b4:72:11   Broadcast     ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    4.014   Vmware_b4:72:11   Broadcast     ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    Hope that helps.

  • CISCO CSM- IP transparency

    Hi,
    I work for a software development company. Our application clients (typically different TCP/IP devices) connect to the server over a custom port (44XX).
    Now we want to support server farms, load balancing using Cisco CSM, to fulfil a customer need.
    Our application requires knowing the IP address of the connecting client. If a load balancer is between the client and the server, when the client connects to our server port, do we (the server) see the IP address of the load balancer or the IP address of the client when opening the socket or sending the data?
    If the server sees the load balancer IP, is there anything we can configure in the load balancer so that the server/port sees the IP address of the client instead of the load balancer IP?
    Thanks for your help.

    Hi,
    All depends on your logical/physical topology between your 6500/CSM/servers.
    If the CSM is configured in bridging mode, meaning that your servers are on a L2 VLAN on the MSFC and point their default gateway to the CSM, then you won't require source NAT on your setup. In this case the backend servers will be able to see/log the real IP address of your clients, as the CSM does not modify anything at L3.
    On the other hand, if you have a "routed" mode where your servers are sitting on a L3 VLAN on the MSFC and their default gateway usually points to the SVI they belong to, then most likely you'll face asymmetric routing issues where the response from a load-balanced connection will bypass the CSM, as the servers are able to respond to the client directly. In this case you do implement source NAT on your SFs, which will overwrite the source IP address of the client with the IP address that you configure on the natpool in question.
    In the second case, for HTTP traffic you can always perform the header-insert function on the CSM so that the real IP address of the client will be appended to a new HTTP header; the configuration will look like this:
    map HEADER-INSERT header
      insert protocol http header X-Forwarder-For header-value %is
    policy INSERT
      header-map HEADER-INSERT
      serverfarm WEBFARM
    vserver Webfarm
      virtual 10.44.60.160 any
      slb-policy INSERT        <--- Policy
      advertise
      persistent rebalance
      inservice
    You will see the following in the HTTP header:
    Hypertext Transfer Protocol
        GET / HTTP/1.1\r\n
            Request Method: GET
            Request URI: /
            Request Version: HTTP/1.1
               X-Forwarder-For: 161.44.77.112\r\n
    Hope this helps.
    Pablo
    Cisco TAC
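
    Server-side counterpart to Pablo's header-insert configuration, added here as an example (it is not from the thread, from Cisco, or from any product): a small Python parser that recovers the client address from the inserted header, but only when the connection actually arrives from the load balancer's NAT-pool range, since a client reaching the server directly could send the same header itself. The header name follows the spelling in the configuration above (the conventional name is X-Forwarded-For, so it is a parameter); the NAT-pool range 10.44.60.0/24 and the sample request are constructed.

```python
"""Recover the client address from a header inserted by the load balancer.

Added example, not from the thread. Assumptions (constructed):
  - the CSM source-NATs client connections from 10.44.60.0/24, so only
    connections whose TCP peer is in that range carry a trustworthy header;
  - the header is named as in the configuration above (X-Forwarder-For);
    the conventional name is X-Forwarded-For, so it is a parameter.
"""
import ipaddress
from typing import Dict, List

TRUSTED_PROXIES = [ipaddress.ip_network("10.44.60.0/24")]  # constructed NAT-pool range
HEADER_NAME = "x-forwarder-for"

# Constructed request, as it would reach the real server after header insertion.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"X-Forwarder-For: 161.44.77.112\r\n"
           b"\r\n")


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split the header block into a name -> [values] map (names lower-cased,
    repeated header lines kept in order). The body, if any, is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def client_ip(peer_ip: str, headers: Dict[str, List[str]], header_name: str = HEADER_NAME) -> str:
    """Address to log and authorize against.

    The inserted header is honoured only when the connection comes from the
    load balancer; a client talking to the server directly could set the same
    header itself, so in that case the TCP peer address is used. With several
    values (repeated lines or comma lists) the rightmost one is the value added
    by the trusted hop nearest the server. Unparseable values fall back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip
    values = [v.strip() for line in headers.get(header_name, [])
              for v in line.split(",") if v.strip()]
    if not values:
        return peer_ip
    try:
        return str(ipaddress.ip_address(values[-1]))
    except ValueError:
        return peer_ip


if __name__ == "__main__":
    hdrs = parse_headers(REQUEST)
    print("from LB :", client_ip("10.44.60.101", hdrs))  # 161.44.77.112
    print("direct  :", client_ip("203.0.113.5", hdrs))   # 203.0.113.5, header ignored
```

    The trust decision is keyed on the TCP peer, which after source NAT is a NAT-pool address; if the CSM is run in bridging mode without source NAT (Pablo's first case) the header is unnecessary and the peer address already is the client.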

  • Cisco CSM and WCS on same server

    Hi,
    Currently we are running the Cisco CSM and Cisco WCS applications on different servers.
    Please let me know whether it is possible to install Cisco CSM and Cisco WCS on one server.
    Regards,

    As per their datasheet, both CSM and WCS support VMware or can run as virtual servers. So it should be possible to implement both as virtual servers and run on the same physical server.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has its own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy; what we want to do is take the currently discovered policy, modify it if we need to, and then re-deploy it to the device. I'm finding that this is all read-only once the policy is discovered.
    Is there a way to modify the signature, for example adding a logging parameter, and then re-deploy?
    Just curious whether others have had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the devices on an individual basis. Policies can then be edited on a per-sensor basis or at a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • Cisco CSM 4.1: import/export IPv6 networks/hosts

    Does somebody know of an import/export functionality for the IPv6 network/host objects in Cisco CSM? The existing Perl script PolicyObjectImportExport.pl supports only IPv4 objects.
    Thx

  • How cisco CSM parses packets?

    Hi all, some days ago I had a problem with a Cisco CSM configuration. The short story is that I had to change the parse-length (virtual server submode) command to the maximum value of 4000 bytes for this implementation to work; if I don't do this, the CSM sends resets to the client. What I would like to know is whether someone knows how the CSM parses packets when it is "searching" for a string, cookie, etc. I am having some difficulty finding info about this.

    The parse length on the CSM is the number of bytes we can store to find the needed information (i.e. a cookie).
    So when we get an HTTP request or response, the CSM will buffer everything it receives up to the max parse-len or the header limit (\r\n\r\n).
    Once we reach the end of the HTTP header we stop buffering.
    While buffering we also start looking for the info that we need.
    If we do find it we also stop buffering.
    There is nothing magic here.
    If the HTTP header gets so big that the info we are looking for lies beyond the max-parse-len, then while buffering and looking for the info we end up using all the buffer space allocated to the connection and decide to drop the connection, as we don't know whether the info is just not there or is somewhere further in the header that we don't have space to buffer.
    When the CSM was created a long time ago, 2000 bytes for the header was normal.
    Nowadays HTTP headers tend to be bigger, and it is very often required to bump the parse length even further than 4000 bytes.
    This can be done with a variable.
    Gilles.
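
    A model of the buffering rule Gilles describes, added as an example in Python (it is not the CSM's implementation): header bytes are accumulated segment by segment until the wanted cookie is found, the end of the header block (\r\n\r\n) is seen, or the parse-length budget is exhausted, in which case the connection is dropped because the module cannot tell whether the cookie is absent or merely further on. It also shows why 2000 bytes fails and 4000 succeeds for a header block of about 3.1 kB. The request, padding headers, segment size and cookie name are constructed.

```python
"""Model of the CSM parse-length rule described above (added example, not the
module's implementation). Header bytes are accumulated chunk by chunk until
the wanted cookie is found, the end of the header block is seen, or the
parse-length budget is used up; in the last case the connection is dropped.
Request contents, padding, chunk size and cookie name are constructed."""
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"


def complete_header_lines(buf: bytes) -> List[bytes]:
    """Header lines received in full so far. A partial trailing line is not
    examined, so a cookie value cut in half by a segment boundary is never
    returned as if it were complete."""
    end = buf.find(HEADER_END)
    if end != -1:
        head = buf[:end]
    elif b"\r\n" in buf:
        head = buf.rsplit(b"\r\n", 1)[0]
    else:
        return []
    return head.split(b"\r\n")


def find_cookie(buf: bytes, name: bytes) -> Optional[bytes]:
    """Value of cookie `name` from any complete Cookie: line in the buffer."""
    for line in complete_header_lines(buf):
        field, sep, value = line.partition(b":")
        if not sep or field.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, _, val = pair.strip().partition(b"=")
            if key == name:
                return val
    return None


def scan_for_cookie(chunks, name: bytes, parse_len: int) -> Tuple[str, Optional[bytes]]:
    """("found", value) once the cookie is seen; ("absent", None) when the whole
    header arrived without it; ("reset", None) when the buffer filled up before
    either happened, since "missing" cannot be told apart from "further on"."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        value = find_cookie(buf, name)
        if value is not None:
            return "found", value       # stop buffering, decision can be made
        if HEADER_END in buf:
            return "absent", None       # header complete, no such cookie
        if len(buf) >= parse_len:
            return "reset", None        # buffer exhausted: drop the connection
    return "reset", None                # connection ended mid-header


def build_request(n_pad: int, cookie: Optional[bytes]) -> bytes:
    """Constructed GET with n_pad filler headers of ~100 bytes each; the Cookie
    line, if any, comes last so that it sits deep in the header block."""
    lines = [b"GET /app HTTP/1.1", b"Host: www.example.com"]
    lines += [b"X-Pad-%d: %s" % (i, b"a" * 90) for i in range(n_pad)]
    if cookie is not None:
        lines.append(b"Cookie: " + cookie)
    return b"\r\n".join(lines) + HEADER_END


def chunked(data: bytes, size: int) -> List[bytes]:
    """Split a byte string into segment-sized pieces, as TCP would deliver them."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    req = build_request(30, b"JSESSIONID=abc123")  # roughly 3.1 kB of headers
    for parse_len in (2000, 4000):
        print(parse_len, scan_for_cookie(chunked(req, 512), b"JSESSIONID", parse_len))
```

    With the 2000-byte budget the fourth segment fills the buffer before either the cookie or the end of the header has been seen, which is the "reset" the original poster observed; raising the budget to 4000 lets the whole block in and the cookie is found.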

  • Cisco CSM 4.1: delete unused networks/hosts objects

    I will delete all unused network/host objects in Cisco CSM 4.2 before I compare the objects with the entries in our IPAM. Does somebody know how this is possible?
    Many thanks for your support.

    Yep
    I had this issue with the service objects. When I created the filter for the service objects, the CSM predefined objects were also displayed. I selected all these objects and chose to delete them. During the delete process CSM stopped deleting the objects at the first CSM predefined object.
    I think you have the same issue (for example with the predefined "any" object, if it is not referenced in your policies).
    Workaround:
    - apply the filter again and delete the displayed objects (deselect the predefined objects first).

  • Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance

    Hi:
    I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a Cisco PIX 506E firewall. My question is: what should I use as a firewall? Both have SPI etc. Should I:
    a) Use the 506E as a firewall and use the 600 as a wireless access point, or
    b) Use the 600 as a firewall and wireless access point?
    Do both routers have the same firewall routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point, the 600 can't get the proper time from the Internet, so the time on newly created folders and files shows they are 10 years old.
    Anyway, I just thought I would post and find out what some of the experts thought, and maybe someone from Linksys or Cisco. I know the 506E is discontinued and was manufactured around 2001, and the 600N is a new model.
    (Edited subject to keep threads from stretching. Thanks!)
    Message Edited by JOHNDOE_06 on 05-06-2008 10:41 AM

    The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy an "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configuration you can usually do on the WRTs is on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
    The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
    Thus, if you want to use a real firewall, use the PIX. On the PIX you can configure which traffic is allowed to enter the LAN and which is not. It is far superior in this respect to the WRT. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
    To me another point for the PIX is the VPN capabilities, which allow you to securely access your LAN while you are on the road.
    Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured for pretty much anything you like. This means of course that if you do it wrong you may end up with little or no security.
    BTW, there are no people from Linksys in this forum except the moderators (who may be from Lithium). To hear from Linksys you have to contact Linksys support.

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall, which uses an OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall, and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all VPN traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with more knowledge can let me know whether this is the best course of action or whether there is another easier or more efficient way of doing this.
    Thanks for your comments in advance; I am new to Cisco technology.
    Joe

    Wrong forum; post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • NME-NAM with Cisco Prime 5.1.2 and IOS Firewall

    Hello,
    I have installed and configured the Cisco NME-NAM with Prime 5.1.2 and have access to the NAM via a web browser. It is not picking up any data even though I have configured the following:
    internal data source
    network site 10.10.16.0/20
    All reports show "No data for selected time interval"
    I am running IOS 15.1 on a 2811 with IOS firewall enabled.
    Do I need to create a FW rule to allow traffic to be monitored by the NME-NAM?
    Thank you,
    Matthew

    Hi rajeeshp,
    Currently I am not allowed to upgrade it because of the internal procedures involved in upgrading a specific piece of software (obtaining permissions from various departments). Is it free to upgrade from 1.2 to 1.3, or is there a specific charge for that?
    Predrag Petrovic

  • NTP protocol support in Cisco CSM module

    Can anyone please advise whether the CSM module will support load balancing NTP traffic to the servers?

    Here is what I see in the CSM with NTP traffic reaching the real servers:
         prot  vlan  source              destination         state
    In   UDP   45    10.200.210.20:123   172.20.95.39:123    ESTAB
    Out  UDP   39    172.20.88.101:123   10.200.210.20:123   ESTAB
    vs = NFTBZTKVIP, ftp = No, csrp = True
    real = (n/a)
    Could it be that the real servers are not replying to these NTP packets? Or, from your point of view, what could be holding them back?
    I will send you the trace once I pick it up.
    Kashi

  • Cisco CSM: Duplication of udp packets possible instead of load balancing?

    Hi all,
    Does anybody know whether it's possible to use the CSM (WS-X6066-SLB-APC, OS 4.3.1) to duplicate UDP packets to several real servers instead of balancing them?
    In our special case we want to test duplicating SNMP traps to several network management systems, while on the SNMP clients only one target address (the vserver address) is configured.
    Many thanks in advance,
    Thorsten

    Hi Thorsten,
    I'm afraid this is not possible. With the CSM you can only load-balance.
    Regards
    Daniel

  • Cisco CSM 4.0 large deloyment

    Hi!
    Where can I get information about hardware requirements for management of up to 2000 security devices (IPSs and ASAs)?

    Alex,
    let's go back to the design guide. 500 is the recommended number of devices for that hardware; however, there is no hard limit on the number of devices that you can import. So there is a chance that if you import 2000 devices your CSM still works fine.
    However, this really depends on the number/complexity of the policies you have on these devices, and you might hit performance issues even with fewer than 500 devices if these policies are too complex, as stated in the doc:
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/deployment/guide/cmsdg40.html#wp44044
    Now, most likely 2000 devices on a single server might be too much and you might notice some performance hit, so you might want to use different servers to manage your devices (this is usually a good choice). The way you organize your servers is arbitrary (you can do it per location, per device type, per technology, etc.). An idea on how to organize multiple servers is given in the deployment guide as well:
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/deployment/guide/cmsdg40.html#wp45159
    I advise you anyway to reach out to your Account Team; they will be able to suggest the solution that best fits your requirements.
    Hope this helps
    Stefano

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1 to configure it with a Juniper Netscreen Firewall for RADIUS & TACACS+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file, but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back-and-forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind that in both cases I have a JUNOS config mapping to the login users Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))
