CSM and SOURCE nat logging

wim.juste
Level 1

Hi!

Is there a way to have sessions passing through the CSM blade (using Source NAT) logged?

I'm using the CSM in routed mode (not bridged)

One option could be:

Since my clients reside in a Class A 10.x.x.x range,

I could configure a NAT pool in a Class A range, where sessions will be mapped 1-on-1 while NATing,

but then it must be another Class A (for example 20.x.x.x) and I'll be routing public ranges in my private network.

Could there be a better solution?

Thank you!

Kind regards, Wim


Gilles Dufour
Cisco Employee

why do you need client nat ?

What type of traffic [is it http ?] ?

Are you just trying to get client stat ?

If http, you could use http header insert functionality to insert the client ip into the HTTP header.

Your server can then retrieve this information to make statistics.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a00801ea400.html#wp1143343

Gilles.

Hi Gilles,

Thanks for quick reply.

1) Our server networks are not directly attached to the CSM blade (e.g. different location).

2) Unfortunately it's HTTPS.

3) We need to have a relationship between the client IP address and the NATed IP address. This has to be loggable (this is important for financial transactions).

That's why I was thinking about a large NAT pool in Class A

Wim.

The solution of the NATing is quite ugly.

As you said, you will have to use a Class-A range from the public space and that's not very nice.

A solution could be to insert an SSLM device and decrypt the HTTPS traffic, then insert the client ip in the header and re-encrypt the traffic before forwarding to the server.

Otherwise, I would try to reorganize the network so client nat is not needed.

Move the servers or make the CSM the only path from server to client [use PBR if needed].

Gilles.

Gilles,

I always had the idea that the CSM can perform identity source NAT?

The results in our test lab showed me that this was not possible? The last digit of the NATed IP address is always different from that of the client IP address.

Is it possible to do identity NAT on the CSM?

Thanks!

Wim

Wim,

unfortunately this is only possible for reals.

So in your case you would have to create a real for each client and then assign it the static nat entry.

Not good.

Gilles.

Gilles,

As a matter of fact, this could be a solution:

In case of troubleshooting, we make our (only one) client point to a different vserver in which we will use static NAT.

But, tell me. There might be a problem in my config:

vlan 150 server
  ip address 10.33.30.6 255.255.255.0
  route 0.0.0.0 0.0.0.0 gateway 10.33.30.1
  alias 10.33.30.8 255.255.255.255
!
static nat 10.33.35.117
  real 10.252.255.117
!
real T_TELNET_SRV1
  address 10.33.77.39
  inservice
!
serverfarm T_TELNET_SF
  nat server
  nat client static
  real name T_TELNET_SRV1
    inservice
!
vserver T_TELNET_SV
  virtual 10.33.36.39 tcp telnet
  vlan 150
  serverfarm T_TELNET_SF
  persistent rebalance
  inservice

Thank you...

Wim

The config looks good like this, but you have only 1 client configured and I thought you wanted to do this for a full Class A subnet.

Your config would be too big, I believe, for that amount of entries.

Gilles.

Gilles,

In normal conditions we let all our clients connect to virtual-server#1.

In case of problems, and if we want to know the source client ip address, we will have a few clients point at virtual-server#2.

Only at this time we'll configure the static NAT for these clients.

Unfortunately, if I telnet from the client with IP address 10.252.255.117 to v-server 10.33.36.39, it does not work. I can't even see my connection with show module csm 8 connections.

Wim....

Wim,

check if you have a connection hit on your vserver.

Check path from client to csm and from server to client.

If you don't see your connections it's the indication that traffic is not hitting the vip.

Gilles.

Gilles,

I took a sniffer trace in which I see that, at the client side of the CSM, the CSM blade answers immediately with an RST to my client's SYN packet.

There was also a sniffer running at the server side: I don't see any traffic coming from the CSM blade.

If I replace the NAT CLIENT STATIC option with NAT CLIENT NATPOOL1, it just works fine. Which means that the path between client-csm-server seems to be fine.

Maybe there's an example config at the Cisco site?

Thx ... Wim

Wim,

you need to create a serverfarm that contains the real that you configured for static nat.

This serverfarm does not need to be used.

I tested it and it works fine for me.

[I was also able to see the RESET before configuring the serverfarm with the real].

Regards,

Gilles.
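The fix Gilles describes, applied to the config posted earlier in the thread, as an added example that is not part of the original posts: the static NAT real is placed in a holder serverfarm that no vserver references. The serverfarm name T_STATIC_HOLDER is an assumption; the addresses are the ones already in the thread.

```text
! Existing static entry: client 10.252.255.117 is always NATed to 10.33.35.117
static nat 10.33.35.117
  real 10.252.255.117
!
! Added holder serverfarm (name assumed). It only has to contain the real
! used by the static nat entry; no vserver needs to point at it.
serverfarm T_STATIC_HOLDER
  real 10.252.255.117
    inservice
!
! Unchanged: the troubleshooting vserver keeps using nat client static
serverfarm T_TELNET_SF
  nat server
  nat client static
  real name T_TELNET_SRV1
    inservice
!
vserver T_TELNET_SV
  virtual 10.33.36.39 tcp telnet
  vlan 150
  serverfarm T_TELNET_SF
  persistent rebalance
  inservice
```

The audit relationship this gives is the fixed one-to-one mapping 10.252.255.117 to 10.33.35.117, so a transaction seen on the server side can be traced back to its client without a dynamic pool log; without the holder serverfarm the blade answers the client's SYN with an RST, as seen in the sniffer trace above.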

Gilles,

Indeed, this is working fine and is just what I need.

Thanks for support!

Wim
