Hi Pablo,

Thank you for your answer. The clients are few, so I'll try your first solution and let you know the result.

Just curious though, under group VLAN20, why the VIP is 10.1.1.10 instead of IP from VLAN 20 (10.1.2.20 for example)?

Raymond.

Hi Raymond,

The VIP that you configure under the group can also be any available IP address from VLAN 20,

commonly the same VIP is configured just so you don't use/waste another IP but this should work either way.

Let us know if the group does the trick

HTH

__ __

Pablo

Hi Pablo,

Your solution works!! Thank you very much.

Hi Raymond

Great Glad to be of help!

__ __

Pablo

I have the same problem as the origional posted , but with one difference. The devices in VLAN20 that need to access the VIP via http are the two real servers for that VIP. Here is the changed example, I highlighted the olny difference in bold.

I have a question regarding CSS loadbalancer. Let's say there are 2 vlans in CSS:

1. Vlan 10: 10.1.1.0/24 as external interface, interface where most of the clients are coming from.

2. Vlan 20: 10.1.2.0/24 for real server vlan.

Virtual IP 10.1.1.10 is created in CSS on behalf of two real servers (10.1.2.11 & .12) in Vlan 20.

Client from Vlan 10 can http access to 10.1.1.10 successfully.

In Vlan 20 there's also few clients which need to access servers via virtual IP.

Vlan 20 Clients (10.1.2.11 & .12) can ping 10.1.1.10, but can't access 10.1.1.10 http service.

I created the following services and group, but I am still unable to access 10.1.1.10 from 10.1.2.11 & 10.1.2.12 via http.) I am using the IP address so there is not DNS resolution.)

!
service client-11

   ip address 10.1.2.11

   active
!
service client-12
   ip address 10.1.2.12
   active
!
group source-nat-10
  add service client-11
  add service client-12
  vip address 10.1.1.10

  active
!

Hi,

Are your servers NIC-teamed? Can you try to NAT using a VIP from VLAN 20 range; say 10.1.2.20?

__ __

Pablo

Turned out that the real servers have many IPs bound to the NICs. Up to now I was specifying the bound IPs in the services for the source NAT group. Looking at my upstream firewall logs I could see that when each of these real servers made an outbound connection to the Internet they appeared as the origional IP that was aplied to the real server when it wwas build.

I created services for these IPs and added them to my source NAT group, all appears to be working correctly. Rather than getting a 404 error when accessing the VIP via http , I get a 403 error letting me know that the request is getting to the VIP and the VIP is responding. I sent a request to the IIS admins to check permissions on the site.

I will update this thread as to whether or not this is working once the server owner checks permissions...I believe it is now working.

I went ahead and gave the source NAT group a vlan20 VIP IP, once in place I got the 404 error when accessing the VIP via http.

I then changed the source NAT VIP IP to a different vlan10 VIP IP other than 10.1.1.10 and it works!!!