> Any other ideas?
I'd be tempted to put a router behind the PIX, for a couple of
reasons; in this case, it happens to give you somewhere you *know*
you can put the ARP statement. (Well, actually, since I would put
these servers in a DMZ, there'd need to be a router *there* for this
to work....)
> Now I have a second test array behind the PIX firewall, configured
> identically except that I use a private network and NAT in the PIX.
> I have "static" and "conduit" statements in the PIX to pass the
> x.y.x.170 traffic to 20.0.0.170 (port 80 and 443 only),
This *is* a typo, right? 20.x.x.x is not a private address.
Dave Gillett
On 25 Sep 2001, at 0:22, Harry Whitehouse wrote:
> Hello All!
>
> I'm trying to configure a MS Load Balancing Array. This is software-based
> load balancing on NT/W2000.
>
> I have a test configuration outside of my PIX firewall. After much ado, I
> got this rig working properly.
> Basically, I have a "virtual" IP address of x.y.z.150. And I have two
> load-leveled test servers which are
> really configured at x.y.z.151 and x.y.z.152, even though they are addressed
> as x.y.z.150.
>
> I had to add an ARP statement to my router so folks external to my subnet
> could "see" this virtual node.
> This was per a MS Knowledge Base article here:
>
> http://support.microsoft.com/support/kb/articles/Q197/8/62.AS
>
> The LB array has a virtual MAC which is used in the router ARP statement like
> this:
>
> ARP x.y.z.150 03bf.1400.00aa ARPA
>
>
> OK, so all of this worked as long as everything is outside the firewall. I
> gather the ARP statement in the router deals with the fact that packets
> destined for .150 are really going to/from .151 or .152 (but I clearly don't
> understand exactly what's going on here). But it DOES work!
>
>
> Now I have a second test array behind the PIX firewall, configured
> identically except that I use a private network
> and NAT in the PIX. I have "static" and "conduit" statements in the PIX to
> pass the x.y.x.170 traffic to 20.0.0.170 (port 80 and 443 only), and I have
> two load balanced servers at .171 and .172. I can "see" the .170 address
> from my internal network, but folks outside the network can't reach it.
>
> I suspect that I must deal with the ARP issue in the PIX firewall as well as
> in the router. When the PIX performs NAT,
> perhaps it does so only on the .170 address.
>
> Questions:
>
> Is there such a thing as an ARP configuration statement for the
> PIX?
> Should I establish statics/conduits for .171 and .172 to support
> this array behind the firewall?
> Any other ideas?
>
> Thanks in advance!
>
>
> Harry
>
>
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
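
An added example, not part of the original thread: a small checker for the two things discussed above, the static ARP statement for the NLB virtual MAC and whether the inside address is really private. It relies on the Microsoft NLB convention that the cluster MAC is 02-BF (unicast) or 03-BF (multicast) followed by the four octets of the cluster IP; the function names and the 192.0.2.150 stand-in for the masked x.y.z.150 are assumptions made for this example.

```python
import ipaddress
import re

# NLB cluster MAC prefixes (Microsoft NLB convention); the remaining four
# bytes of the MAC are the octets of the cluster (virtual) IP address.
NLB_PREFIX = {"unicast": 0x02BF, "multicast": 0x03BF}
ARP_RE = re.compile(
    r"^\s*arp\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})\s+arpa\s*$", re.IGNORECASE)


def nlb_mac(cluster_ip, mode="multicast"):
    """Return the NLB cluster MAC for cluster_ip in Cisco dotted notation."""
    raw = NLB_PREFIX[mode].to_bytes(2, "big") + ipaddress.IPv4Address(cluster_ip).packed
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def check_arp_statement(line):
    """Compare a static ARP line with the MAC that NLB derives from its IP."""
    m = ARP_RE.match(line)
    if not m:
        raise ValueError("not an 'arp <ip> <mac> ARPA' statement: %r" % line)
    ip, mac = m.group(1), ".".join(g.lower() for g in m.groups()[1:])
    prefix = int(mac[:4], 16)
    mode = next((k for k, v in NLB_PREFIX.items() if v == prefix), None)
    embedded = str(ipaddress.IPv4Address(bytes.fromhex(mac.replace(".", "")[4:])))
    return {
        "ip": ip,
        "mac": mac,
        "mode": mode,                              # None: not an NLB MAC
        "embedded_ip": embedded if mode else None,  # IP encoded in the MAC
        "consistent": mode is not None and embedded == ip,
    }


def is_rfc1918(ip):
    """True only for 10/8, 172.16/12 and 192.168/16."""
    addr = ipaddress.IPv4Address(ip)
    nets = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return any(addr in ipaddress.ip_network(n) for n in nets)


if __name__ == "__main__":
    # Constructed input: the MAC is the one quoted in the thread, the IP is a stand-in.
    print(check_arp_statement("ARP 192.0.2.150 03bf.1400.00aa ARPA"))
    print(nlb_mac("20.0.0.170"), is_rfc1918("20.0.0.170"))
```

Run against the MAC quoted in the thread, the checker reports multicast mode and an embedded address of 20.0.0.170, which is outside the RFC 1918 ranges.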