
CSM - Client NAT for routable server subnet

glenn.newman
Level 1

I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?


Gilles Dufour
Cisco Employee

You don't need the command "IP SLB MODE CSM".

This is a command from the past when the CSM was configured with 'ip slb' commands.

This is not the case anymore.

Are you sure the response from the server goes back to the CSM and enters the CSM through vlan 200?

Capture a trace of the CSM portchannel.

Also, check with the command 'sho mod csm x conn detail' after initiating a ping if there is a connection listed on the CSM.

It should show you what ip addresses the CSM is using.

Regards,

Gilles.

Thanks. This is now working.

I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:

no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0

natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0

Noticed that a previous "show mod csm 5 arp" showed:

10.200.2.100 -->10.200.250.1 0 REAL routed

10.200.2.101 -->10.200.250.1 0 REAL routed

10.200.2.102 -->10.200.250.1 0 REAL routed

The NAT does NOT have to be in the client address space. It can be whatever you want.

If it wasn't working with another address, this is most probably because your server did not have a route pointing back to the CSM for the NAT address you were using.

Gilles.
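
A minimal model of the return-path check discussed above, as an added example that is not part of the thread: it does a longest-prefix lookup for each NAT pool address on the router facing the servers and reports whether the reply is handed back to the CSM. The route table, the VLAN labels and the CSM address 10.200.250.2 are constructed assumptions; only the two pool ranges come from the posts.

```python
import ipaddress

# Constructed topology: the router that the servers use to reach the CSM.
CSM_VLAN_IP = "10.200.250.2"  # hypothetical CSM address on its VLAN
# Next hops that deliver a packet to the CSM. The "connected" case assumes
# the CSM answers ARP for pool addresses inside its own VLAN subnet.
CSM_HOPS = {"connected:csm-vlan", CSM_VLAN_IP}

ROUTER = [  # (prefix, next hop), all constructed
    ("10.200.250.0/24", "connected:csm-vlan"),
    ("10.200.2.0/24", "connected:server-vlan"),
    ("10.200.0.0/24", "connected:other-vlan"),
    ("0.0.0.0/0", "upstream"),
]
# Host routes that point the first pool back at the CSM (the alternative fix).
HOST_ROUTES = [(f"10.200.0.{h}/32", CSM_VLAN_IP) for h in (230, 231, 232)]


def pool_addresses(first, last):
    """Expand a natpool 'first last' range into individual addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def next_hop(routes, dst):
    """Longest-prefix match; returns the next hop or None if no route."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reaches_csm(routes, first, last):
    """Map each pool address to True when replies to it go to the CSM."""
    return {str(a): next_hop(routes, a) in CSM_HOPS
            for a in pool_addresses(first, last)}


if __name__ == "__main__":
    cases = [("10.200.0.x pool, no route", ROUTER, "10.200.0.230", "10.200.0.232"),
             ("10.200.250.x pool", ROUTER, "10.200.250.230", "10.200.250.232"),
             ("10.200.0.x pool + host routes", ROUTER + HOST_ROUTES,
              "10.200.0.230", "10.200.0.232")]
    for label, routes, first, last in cases:
        print(label, reaches_csm(routes, first, last))
```
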