06-02-2004 12:37 AM
Is there a way of configuring the CSS to NAT the Back End Server IP Address back to the VIP Address?
The reason I ask is that our CSS is accessed via a Checkpoint FW. The flow from my PC to the load balanced server is fine and the return flow through the CSS is fine. But, when the return flow hits the FW, the packet is dropped as the firewall determines the TCP packet to be out of state. Looking at the flows, it shows my PC as the source address, the destination address is the VIP and the NATted destination is the load balanced server. The return flow shows the load balanced server talking directly with my PC (170.198.239.24):-
170.198.239.24 192.168.57.249 192.168.57.238
192.168.57.238 170.198.239.24 170.198.239.24
(I have removed the port numbers etc to fit the display in)
The FW is expecting a return packet with a source address of 192.168.57.249, but it sees 192.168.57.238.
We are running ver 7.10 Build 504.
Any advice?
06-02-2004 01:39 AM
Hi,
Sounds a lot as if the return flow is bypassing the CSS. Is it ensured that the return flow hits the CSS and that the server does not want to talk directly to your PC?
Two solutions if this is the case:
1) Do client NAT on the CSS so that the server thinks the request is coming from the CSS and answers directly.
2) Point the GW of the server needed for reaching your client's network towards the CSS so that the return flow reaches the CSS.
Kind Regards,
Joerg
06-02-2004 01:59 AM
Thanks Joerg
I'm looking into the server's routing table as I type. Out of interest, how do you set up a client NAT on the CSS?
Mike
06-03-2004 04:22 AM
Client NAT is achieved by configuring a group.
i.e.:
group clientnat
vip address x.x.x.x
add destination service xyz
active
This will NAT the client IP to the x.x.x.x address when traffic is sent to service xyz.
Regards,
Gilles.
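Added example, not part of any post in the thread: a simplified Python model of the three cases discussed above (return flow bypassing the CSS, server gateway pointed at the CSS, and client NAT via a group), showing which reply a stateful firewall accepts. The client, VIP and server addresses are the ones from the first post; `GROUP_VIP`, the class names and `reply_accepted` are hypothetical, and ports are omitted as they are in the post.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst")

CLIENT, VIP, SERVER = "170.198.239.24", "192.168.57.249", "192.168.57.238"
GROUP_VIP = "192.168.57.250"  # constructed: source-group address used for client NAT


class Firewall:
    """Stateful filter: a reply must mirror a tracked client->VIP connection."""
    def __init__(self):
        self.state = set()

    def outbound(self, pkt):          # client -> VIP creates a state entry
        self.state.add((pkt.src, pkt.dst))
        return pkt

    def inbound_ok(self, pkt):        # accepted only if it mirrors an entry
        return (pkt.dst, pkt.src) in self.state


class CSS:
    """Load balancer: destination NAT VIP->server, optional client (source) NAT."""
    def __init__(self, client_nat=False):
        self.client_nat = client_nat
        self.flows = {}               # (src, dst) as seen by the server -> original packet

    def to_server(self, pkt):
        src = GROUP_VIP if self.client_nat else pkt.src
        self.flows[(src, SERVER)] = pkt
        return Pkt(src, SERVER)

    def from_server(self, pkt):       # reverse both translations on the reply
        orig = self.flows[(pkt.dst, pkt.src)]
        return Pkt(orig.dst, orig.src)


def reply_accepted(client_nat, server_routes_via_css):
    fw, css = Firewall(), CSS(client_nat)
    seen_by_server = css.to_server(fw.outbound(Pkt(CLIENT, VIP)))
    reply = Pkt(SERVER, seen_by_server.src)
    # The reply reaches the CSS if it is addressed to it (client NAT)
    # or if the server's route to the client points at the CSS.
    if client_nat or server_routes_via_css:
        reply = css.from_server(reply)
    return fw.inbound_ok(reply)
```

With neither fix in place the reply leaves the server with source 192.168.57.238, which matches no firewall state entry; either fix restores the VIP as the source address.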