https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289088#M4397 <HTML><HEAD></HEAD><BODY><P>the only reason I have the groups is b/c I'm doing ASR. Can I do without groups if ASR is required?</P><P></P><P>dayo</P></BODY></HTML> Fri, 23 Apr 2004 19:15:24 GMT aolabisi 2004-04-23T19:15:24Z https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289086#M4395 <P>How do I disable NAT for certain ports e.g. ntp on a CSS11503? the "flow-state udp 123 nat-disable" command is not available.</P><P></P><P>I'm running version 7.20.104. I'm trying to configure servers behind the CSS to reach a restrictive NTP server outside the CSS. Sniffer traces show that traffic hitting the NTP server is using the VIP address on the CSS instead of the actual address of the servers behind the CSS.</P><P></P><P>suggestions, ideas, tricks etc. are most welcome.</P><P></P><P>dayo</P> Thu, 22 Apr 2004 14:16:21 GMT https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289086#M4395 aolabisi 2004-04-22T14:16:21Z https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289087#M4396 <HTML><HEAD></HEAD><BODY><P>you probably have a group config to nat the servers ip address.</P><P></P><P>you can remove the group to disable completely nat for traffic issued by the servers.</P><P></P><P>If you need nat for some traffic, you can keep the group but remove all servers from its definition.</P><P>[so you just havea group name and a vip].</P><P>Then use an acl to define the traffic that needs to be nated using a command like this</P><P></P><P>acl 1</P><P> clause 10 permit udp any eq 123 destination any eq 123</P><P> clause 20 permit udp any destination any sourcegroup <NAME></NAME></P><P> clause 30 permit any any destination any</P><P></P><P>in this example, NTP traffic is permitted but not natted.</P><P>the rest of udp traffic is permitted but natted.</P><P>Finally, the rest of the traffic is permitted but no nating.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Fri, 23 Apr 2004 06:26:22 GMT https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289087#M4396 Gilles Dufour 2004-04-23T06:26:22Z https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289088#M4397 <HTML><HEAD></HEAD><BODY><P>the only reason I have the groups is b/c I'm doing ASR. Can I do without groups if ASR is required?</P><P></P><P>dayo</P></BODY></HTML> Fri, 23 Apr 2004 19:15:24 GMT https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289088#M4397 aolabisi 2004-04-23T19:15:24Z https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289089#M4398 <HTML><HEAD></HEAD><BODY><P>pls disregard my earlier comments. I believe this issue is resolved.</P></BODY></HTML> Fri, 23 Apr 2004 20:24:58 GMT https://community.cisco.com/t5/application-networking/nat-and-flow-state-command-on-css11503/m-p/289089#M4398 aolabisi 2004-04-23T20:24:58Z