https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308207#M4841 <HTML><HEAD></HEAD><BODY><P>Thanks Joerg</P><P></P><P>I'm looking into the servers routing table as I type. Out of interest, how do you set up a Client nat on the CSS ?</P><P></P><P>Mike</P></BODY></HTML> Wed, 02 Jun 2004 08:59:47 GMT tulletts 2004-06-02T08:59:47Z https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308205#M4839 <P>Is there a way of configuring the CSS to NAT the Back End Server IP Address, back to the VIP Address ?</P><P>The reason I ask is that our CSS is accessed via a Checkpoint FW. The flow from my PC to the Load balanced server is fine and the retuun flow thru the CSS is fine. But , when the return flow hits the FW, the packet is dropped as the firewall determines the TCP packet to be out of state. Looking at the flows, it shows my PC as the source address, destination adress is the VIP and the Natted destination is the load balanced server. The return flow shows the load balanced server talking directly with my PC (170.198.239.24):-</P><P></P><P>170.198.239.24 192.168.57.249 192.168.57.238 </P><P>192.168.57.238 170.198.239.24 170.198.239.24 </P><P></P><P>(I have removed the port numbers etc to fit the display in)</P><P></P><P>The FW is expecting a retunr packet with a source address of 192.168.57.249, But it sees 192.168.57.238</P><P></P><P>We are running ver 7.10 Build 504</P><P></P><P></P><P>Any advice ?</P> Wed, 02 Jun 2004 07:37:48 GMT https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308205#M4839 tulletts 2004-06-02T07:37:48Z https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308206#M4840 <HTML><HEAD></HEAD><BODY><P>HI ,</P><P>sounds a lot as if the returnflow is bypassing the CSS. Is it ensured, that the return flow hits the CSS and that the server does not want to talk directly to your PC?</P><P>Two solutions if this is the case:</P><P>1)</P><P>do client nat on the CSS so that the server thinks the request is comming from the CSS and anwers directly</P><P>2)</P><P>point the GW of the sever needed for reaching your clients network towards the CSS so that the return flow reaches the CSS.</P><P>Kind Regards,</P><P> Joerg</P></BODY></HTML> Wed, 02 Jun 2004 08:39:07 GMT https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308206#M4840 jfoerster 2004-06-02T08:39:07Z https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308207#M4841 <HTML><HEAD></HEAD><BODY><P>Thanks Joerg</P><P></P><P>I'm looking into the servers routing table as I type. Out of interest, how do you set up a Client nat on the CSS ?</P><P></P><P>Mike</P></BODY></HTML> Wed, 02 Jun 2004 08:59:47 GMT https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308207#M4841 tulletts 2004-06-02T08:59:47Z https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308208#M4842 <HTML><HEAD></HEAD><BODY><P>client nat is achieved by configuring a group.</P><P></P><P>ie :</P><P></P><P>group clientnat</P><P> vip address x.x.x.x</P><P> add destination service xyz</P><P> active</P><P></P><P>this will nat client ip to x.x.x.x address when traffic is sent to service xyz.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Thu, 03 Jun 2004 11:22:58 GMT https://community.cisco.com/t5/application-networking/css-11503-natting/m-p/308208#M4842 Gilles Dufour 2004-06-03T11:22:58Z