CSM NAT

jcarvalh
Level 1

Hello.

I am used to working with ACE, where I perform NAT at the interface level.

I am going to work with CSM and I would like to perform NAT based on client IP addresses; is it possible to do that with CSM? I only see NAT Client at the serverfarm level, and it does not seem scalable.

Best regards,

Joao Ribau 


5 Replies

Daniel Arrondo Ostiz
Cisco Employee

Good afternoon Joao,

It is possible to do it, but I'm afraid it's a bit more complicated than on ACE.

On the CSM, you could do this through the use of policies (see http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/mapolcy.html#wp1036728 for more details).

What you would need to do is add several policies to the vserver, and for each of them you associate one client-group (an ACL defining the clients to be natted), a source-nat configuration and the serverfarm (this serverfarm will be the same for all policies).

Please, have a look at the link and let me know if you need any further clarifications.

Regards

Daniel
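The configuration below is an added worked example of the policy-based layout Daniel describes; it is not from the original post or from Cisco documentation. The CSM 4.2 CLI is reproduced from memory, and every VLAN ID, address, ACL number and object name is made up. One assumption to flag: on the CSM the client NAT pool is attached with `nat client` under a serverfarm, so this example gives each client group its own serverfarm object containing the same real servers, which yields one source-NAT pool per client group; the linked policy chapter is the place to confirm whether a single shared serverfarm can be used instead.

```ios
! IOS-side standard ACLs that the CSM client-groups reference.
! These match on source IP only, so a spoofed source lands in that group's pool.
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 20 permit 10.2.0.0 0.0.255.255

module ContentSwitchingModule 5
 ! Routed (two-arm) mode: one client VLAN, one server VLAN
 vlan 100 client
  ip address 192.168.100.2 255.255.255.0
  gateway 192.168.100.1
 vlan 200 server
  ip address 192.168.200.2 255.255.255.0
  ! More-specific route towards reals that sit several L3 hops away
  route 172.16.10.0 255.255.255.0 gateway 192.168.200.1
 !
 ! One client-NAT pool per client group (addresses are made up)
 natpool SNAT-GROUP-A 192.168.200.100 192.168.200.109 netmask 255.255.255.0
 natpool SNAT-GROUP-B 192.168.200.110 192.168.200.119 netmask 255.255.255.0
 !
 ! Same reals in each serverfarm object, different client NAT pool
 serverfarm WEB-A
  nat server
  nat client SNAT-GROUP-A
  real 172.16.10.11
   inservice
  real 172.16.10.12
   inservice
 serverfarm WEB-B
  nat server
  nat client SNAT-GROUP-B
  real 172.16.10.11
   inservice
  real 172.16.10.12
   inservice
 ! Fallback farm with no client NAT, used when no policy matches
 serverfarm WEB-DEFAULT
  nat server
  real 172.16.10.11
   inservice
  real 172.16.10.12
   inservice
 !
 ! One policy per client group: ACL -> client-group -> serverfarm (with its pool)
 policy GROUP-A
  client-group 10
  serverfarm WEB-A
 policy GROUP-B
  client-group 20
  serverfarm WEB-B
 !
 vserver WEB-VIP
  virtual 192.168.100.50 tcp 80
  vlan 100
  ! Policies are evaluated in the order listed
  slb-policy GROUP-A
  slb-policy GROUP-B
  ! Anything matching no policy falls through to this un-NATed default
  serverfarm WEB-DEFAULT
  inservice
```

Two points worth checking in a setup like this: the `client-group` ACLs are standard ACLs keyed on source address alone, so the client-to-pool mapping is only as trustworthy as the source addresses reaching the client VLAN; and the vserver's own `serverfarm` line is the catch-all for clients that match no policy, so decide deliberately whether that default path should also be source-NATed rather than leaving it implicit.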

Daniel,

Thanks for your reply.

I have my CSM with 2 VLANs (client and server) in router mode. I also have a default gateway to the client side and more specific routes (to the servers) to the server-side gateway. Do you know if there is a CSM feature like the mac-sticky enable that exists on ACE? In my topology there may be clients that are also real servers of serverfarms and I don't know how to solve this issue.

Real servers are several hops (layer 3) away from CSM.

Regards,

Joao.

Hi Joao,

This kind of topology should not cause any issues.

The CSM will always do mac-sticky for load-balanced connections, so the return traffic will always be sent to the MAC address from which the original SYN packet was received. Even if it was not like that, as you said, you have routes pointing towards the servers, so these would be used before the default gateway.

Daniel

Daniel,

Once again you were extremely helpful. I was performing some tests and I forgot to give some permissions in FWSM and so I assumed that mac-sticky was not an option.

Regards,
Joao.

Nice to find this post; this saves me a lot of time.

acoolme
