12-15-2011 11:06 PM
I am working on a live production environment to deploy a ServerIron. I have proposed an INLINE solution.
INTERNET client---Internet ROUTER---FIREWALL dmz---SERVERIRON---REAL SERVERS (directly connected to ServerIron)
Firewall DMZ, SERVERIRON and REAL SERVERS are in the same IP subnet.
I have requested the firewall engineer to do NAT pointing to the VIP, and that VIP is bound to the respective real servers. The default route on the SERVERIRON is the firewall.
As the solution is INLINE, all servers are connected directly to SERVERIRON ports and the default gateway on the REAL SERVERS is the FIREWALL.
I have some important queries:
1) When an internet client from outside hits the firewall public IP, it will NAT to the VIP and forward traffic to the real servers. But in the case of return traffic from the real servers,
how will it go back to the internet client, since the source IP (client IP) never changed? And when the real server replies to the connection (return traffic) via its default gateway (which is the firewall), will it be a new session for the firewall, with the source IP of the real server?
It means the firewall is sending to the VIP but the real server is replying to the firewall, which is annoying me. How does the firewall detect its already created session?
I am a little bit confused about the packet flow (source MAC, destination MAC, source IP, destination IP) from the internet router to the real server.
Does the ServerIron replace MAC addresses across the path? Please explain.
For the firewall, what will be the source IP of the real server (REAL SERVER IP or VIP) when real servers go out to the internet in INLINE mode, with no special configuration on the SERVERIRON (e.g. source-ip, source NAT)?
2) If some internet ADMIN USER needs to access the REAL SERVERS from outside by remote desktop, it will require a separate NAT rule from a public IP to the REAL SERVER private IP for the needed service. Am I correct?
Experts' valuable suggestions are most welcome (PLEASE CONSIDER YOUR OPINION for INLINE MODE).
Thanks and best regards,
01-10-2012 11:24 AM
01-31-2012 04:56 PM
For the first question, please find the IP address translation flow below. I skipped the MAC address part because it's not that important to understand the flow.
In (x, y), x is the source IP address and y is the destination IP address. You don't need source-nat on the SI to make the flow work.
For the second question, yes, you're correct.
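The address translation flow the answer refers to is not reproduced on this page. The following is an added illustration, not ServerIron code and not part of either post, of how an inline deployment like the one the asker describes keeps the firewall's session intact: the firewall DNATs its public IP to the VIP, the ServerIron rewrites the VIP to a real server, and because every reply from a real server to its default gateway (the firewall) physically passes back through the inline ServerIron, the ServerIron reverses the translation from its own session table, so the firewall sees the reply arriving from the VIP it sent to. All IP addresses, port numbers, the class names and the round-robin selection are constructed assumptions. The `reply_bypassing_serveriron` function shows the failure mode the asker was worried about (a reply reaching the firewall still carrying the real server's IP), and `server_initiated` shows the assumed behaviour for server-originated traffic when no source NAT is configured on the ServerIron.

```python
"""Constructed model of (source IP, destination IP) translation for an inline
load balancer between a firewall and directly attached real servers.
Not ServerIron code; addresses are made-up documentation/private ranges."""
from dataclasses import dataclass, replace

CLIENT = "203.0.113.10"       # constructed: Internet client
FW_PUBLIC = "198.51.100.5"    # constructed: firewall public IP (DNAT target)
VIP = "10.0.0.100"            # constructed: virtual IP on the load balancer
REAL_SERVERS = ["10.0.0.11", "10.0.0.12"]  # constructed real servers


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class Firewall:
    """Static destination NAT public IP -> VIP, with a session table so a reply
    is only accepted if it matches a flow the firewall created on the way in."""

    def __init__(self):
        self.sessions = {}  # (client_ip, client_port, vip, port) -> public IP

    def inbound(self, p):
        assert p.dst_ip == FW_PUBLIC
        self.sessions[(p.src_ip, p.src_port, VIP, p.dst_port)] = p.dst_ip
        return replace(p, dst_ip=VIP)

    def outbound(self, p):
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key not in self.sessions:
            raise ValueError("no matching session; treated as a new flow from %s" % p.src_ip)
        return replace(p, src_ip=self.sessions[key])


class InlineLoadBalancer:
    """Assumed inline behaviour: VIP -> real server on the way in, real server ->
    VIP on the way out. The reverse step works only because the reply passes
    through this device on its way to the real server's default gateway."""

    def __init__(self, vip, reals):
        self.vip, self.reals = vip, reals
        self.next_index = 0
        self.sessions = {}  # (client_ip, client_port) -> chosen real server

    def to_server(self, p):
        if p.dst_ip != self.vip:
            return p  # not VIP traffic (e.g. admin RDP via a separate NAT rule): forwarded untouched
        real = self.reals[self.next_index % len(self.reals)]  # constructed round-robin
        self.next_index += 1
        self.sessions[(p.src_ip, p.src_port)] = real
        return replace(p, dst_ip=real)

    def to_firewall(self, p):
        if self.sessions.get((p.dst_ip, p.dst_port)) == p.src_ip:
            return replace(p, src_ip=self.vip)  # reply to a balanced flow: restore the VIP
        return p  # no session: server-originated traffic keeps the real server IP


def trace_flow(fw, lb, client_port=40000):
    """One request and its reply through every hop; returns (hop, src, dst) tuples."""
    hops = []
    req = Packet(CLIENT, FW_PUBLIC, client_port, 80)
    hops.append(("client->firewall", req.src_ip, req.dst_ip))
    req = fw.inbound(req)
    hops.append(("firewall->loadbalancer", req.src_ip, req.dst_ip))
    req = lb.to_server(req)
    hops.append(("loadbalancer->real", req.src_ip, req.dst_ip))
    rep = Packet(req.dst_ip, req.src_ip, 80, client_port)  # server answers the client IP it saw
    hops.append(("real->loadbalancer", rep.src_ip, rep.dst_ip))
    rep = lb.to_firewall(rep)
    hops.append(("loadbalancer->firewall", rep.src_ip, rep.dst_ip))
    rep = fw.outbound(rep)
    hops.append(("firewall->client", rep.src_ip, rep.dst_ip))
    return hops


def reply_bypassing_serveriron(fw, lb, client_port=40002):
    """The asker's concern: a reply arriving at the firewall with the real
    server's IP as source. Returns True if the firewall rejects it as a new flow."""
    req = lb.to_server(fw.inbound(Packet(CLIENT, FW_PUBLIC, client_port, 80)))
    untranslated = Packet(req.dst_ip, req.src_ip, 80, client_port)
    try:
        fw.outbound(untranslated)
    except ValueError:
        return True
    return False


def server_initiated(lb, real="10.0.0.11", port=50000):
    """Source IP the firewall sees for a connection the real server opens itself."""
    return lb.to_firewall(Packet(real, "203.0.113.50", port, 443)).src_ip


if __name__ == "__main__":
    fw, lb = Firewall(), InlineLoadBalancer(VIP, REAL_SERVERS)
    for hop in trace_flow(fw, lb):
        print("%-24s (%s, %s)" % hop)
    print("untranslated reply rejected:", reply_bypassing_serveriron(fw, lb))
    print("server-initiated source IP:", server_initiated(lb))
```

In the traced flow the firewall only ever sees the VIP on the inside, in both directions, which is why no source NAT is needed on the inline device; the MAC rewriting is the separate L2 question the reply deliberately left out.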