topic Re: Disabling NAT in Application Networking

Disabling NAT

merc-int — Wed, 25 Apr 2007 19:17:31 GMT

Hi All,

I am doing load balancing for users accessing an application servers.

In basic configuration the application servers see the source IP of the users as the VIP of thier group and not the original client source IP.

Is there a way to disable the NAT and what implications can this have on the load balancing?

Thanks in advance,

Ziv

Re: Disabling NAT

jasmina27s — Wed, 25 Apr 2007 19:47:18 GMT

Hi,

Source NAT is usually disabled by default...

What device are you using (CSS,CSM...)?

How does the config look like?

Possible situations when you need source NAT:

1. if you need server-to-server load-balancing, or

2. when you have one-arm load-balancer topology and you want returning traffic to hit load-balancer first and not to go directly to the client...

Regards,

Jasmina

Re: Disabling NAT

merc-int — Wed, 25 Apr 2007 19:54:30 GMT

The configuration is really big.

I am using CSS11501, here is a sample of a service and content configurations.

The address being shown in the servers is the 192.168.30.150.

service ?????????????????

protocol tcp

ip address 192.168.30.152

active

owner ??????????

content ???????????

protocol tcp

add service ?????????

vip address 192.168.30.150

add service ?????????

active

Ziv

Re: Disabling NAT

Syed Iftekhar Ahmed — Fri, 27 Apr 2007 08:11:16 GMT

On CSS by default source nat is disabled.CSS changes the destination ip (from VIP to real server ip) and preserves the source IP when a content rule is hit.

If you are not seeing source IP of traffic hitting real server as Client IP then source NAt (source group) is configured on your CSS.

The source group config is to nat traffic initiated by the server or to nat the client ip when traffic hits a content rule.

source group config looks like the following

group groupx

vip address 192.168.30.152

add service destination server1

add service destination server2

active

If you are running CSS in one arm mode then source natting is necessary to ensure that the return traffic from real servers doesnt bypass CSS.

Syed

Re: Disabling NAT

mathews.baby — Thu, 12 Jul 2007 06:29:22 GMT

Hi syed,

Thanks for earlier inputs.

Could you explain css running in one arm mode

Thanks

Mathews

Re: Disabling NAT

Syed Iftekhar Ahmed — Thu, 12 Jul 2007 08:17:11 GMT

Following link will give you details about CSS in one arm mode

http://www.cisco.com/warp/public/117/one_armed_bandit.html

Thanks

Syed Iftekhar Ahmed

Re: Disabling NAT

mathews.baby — Thu, 12 Jul 2007 09:17:43 GMT

Hi Syed,

I have css11501 in one armed mode, balancing 3servers. Now the client requirement is that servers should get client's ip as the source address. How can i make this possible..

Can I achieve this, if source natting is removed and server's gateway address changed to Vip.

Thanks

Mathews

Re: Disabling NAT

Syed Iftekhar Ahmed — Thu, 12 Jul 2007 16:46:33 GMT

If the clients do not belong to the same subnet where real servers are then yes changing the default gateway on reals to CSS circuit ip will do.

If clients belong to the same subnet then the return traffic will bypass CSS and hence will cause problems. This can be controlled by using source nat just for traffic originating from this subnet.

Syed Iftekhar Ahmed

Re: Disabling NAT

mathews.baby — Fri, 13 Jul 2007 03:42:02 GMT

Thanks for valuable inputs

Mathews