03-25-2008 12:56 AM
I have one CSS 11503 which I have configured in a one-arm design. The configuration looks okay, and I have seen a similar problem on the forum. The client PCs do not get any response when they try to access the web servers through the CSS, but if I try to reach them directly I can get HTML content properly. Has anyone experienced this problem, and what is the solution?
03-25-2008 07:38 AM
Use a sniffer trace to verify if traffic gets to the CSS and if it then reaches the server.
Then verify that the response from the server goes through the CSS and then to the client [not directly to the client].
The easy solution is to configure a group to do client NAT.
Gilles.
03-25-2008 11:20 AM
Hi Gilles,
I guess what I have is a client NAT, because I have created a group and used the "add destination service" command. Now I don't know if I have understood this well, but if I want to NAT the server IP addresses I have to use the "add service" command within the group. Now what I would like to know is if it's possible to have both the "add service" and the "add destination service" in order to NAT both server and client IP addresses, or if this is not necessary.
This is my "sh flow" output; what do you advise?
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.2.1.106      8000  10.2.1.153      2022  10.2.5.35       TCP 1/1     1/1
10.2.5.35       4183  10.2.1.153      80    10.2.1.106      TCP 1/1     1/1
10.2.1.107      8000  10.2.1.154      1058  0.0.0.0         TCP 1/1     Ipv4
10.2.1.106      8000  10.2.1.154      1051  0.0.0.0         TCP 1/1     Ipv4
10.2.5.35       19487 10.2.1.154      23    0.0.0.0         TCP 1/1     Ipv4
Thanks
Eric
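To make the "sh flow" table above easier to read, here is an added helper script (not a Cisco tool and not part of this thread's configuration) that parses the output Eric posted, embedded as sample input, and matches each translated client request with the translated server reply that belongs to it. It assumes that 0.0.0.0 in the "NAT Dst Address" column means the flow is not translated, and that port 80 is the VIP port, so the flow from the client to the VIP can be told apart from the reverse flow from the server. As Gilles notes later in the thread, the CSS creates the reverse flow in advance, so a matched pair only shows that the translation is set up the way a one-arm design needs it (the server answers the CSS address, not the client directly); it does not prove that a reply was actually received, which still needs a sniffer trace.

```python
"""Parse Cisco CSS 'show flow' output and pair translated request/reply flows.

Added example for this thread, not a Cisco tool. SHOW_FLOW is the output the
poster shared, embedded here as constructed sample input so the script runs
offline. Column names follow the CSS 'show flow' header.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SHOW_FLOW = """\
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.2.1.106      8000  10.2.1.153      2022  10.2.5.35       TCP 1/1     1/1
10.2.5.35       4183  10.2.1.153      80    10.2.1.106      TCP 1/1     1/1
10.2.1.107      8000  10.2.1.154      1058  0.0.0.0         TCP 1/1     Ipv4
10.2.1.106      8000  10.2.1.154      1051  0.0.0.0         TCP 1/1     Ipv4
10.2.5.35       19487 10.2.1.154      23    0.0.0.0         TCP 1/1     Ipv4
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    proto: str
    in_port: str
    out_port: str

    @property
    def natted(self) -> bool:
        # Assumption: the CSS prints 0.0.0.0 when the destination is not rewritten.
        return self.nat_dst != "0.0.0.0"


def parse_show_flow(text: str) -> List[Flow]:
    """Return one Flow per data row; header, separator and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 8 whitespace-separated fields and a numeric SPort.
        if len(parts) != 8 or not parts[1].isdigit():
            continue
        src, sport, dst, dport, nat, proto, inp, outp = parts
        flows.append(Flow(src, int(sport), dst, int(dport), nat, proto, inp, outp))
    return flows


def pair_flows(flows: List[Flow], vip_ports: FrozenSet[int] = frozenset({80})) -> List[Dict[str, str]]:
    """Match a client->VIP flow (NAT'd to the real server) with its reverse flow.

    The reverse flow is the server answering the CSS source-group address, which
    the CSS translates back to the client. The two belong together when
    request.nat_dst == reply.src and reply.nat_dst == request.src.
    """
    requests = [f for f in flows if f.natted and f.dport in vip_ports]
    replies = [f for f in flows if f.natted and f.dport not in vip_ports]
    pairs = []
    for req in requests:
        for rep in replies:
            if req.nat_dst == rep.src and rep.nat_dst == req.src:
                pairs.append({
                    "client": req.src,
                    "vip": f"{req.dst}:{req.dport}",
                    "server": f"{rep.src}:{rep.sport}",
                    # What the server sees as the client: the CSS NAT address, not the real client.
                    "client_seen_by_server": f"{rep.dst}:{rep.dport}",
                })
                break
    return pairs


def summarize(flows: List[Flow], vip_ports: FrozenSet[int] = frozenset({80})) -> Dict[str, object]:
    """Group flows into matched load-balanced pairs and untranslated flows."""
    return {
        "total": len(flows),
        "balanced_pairs": pair_flows(flows, vip_ports),
        "untranslated": [f for f in flows if not f.natted],
    }


if __name__ == "__main__":
    report = summarize(parse_show_flow(SHOW_FLOW))
    print(f"{report['total']} flows parsed")
    for p in report["balanced_pairs"]:
        print(f"client {p['client']} -> VIP {p['vip']} -> server {p['server']}; "
              f"server replies to {p['client_seen_by_server']} (client NAT in effect)")
    for f in report["untranslated"]:
        print(f"untranslated: {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}")
```

Run it on your own "show flow" output by replacing the SHOW_FLOW text; a client request whose reverse flow has 0.0.0.0 in the NAT column is the case where the server would answer the client directly and bypass the CSS.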
03-26-2008 01:41 AM
Eric,
Is the connection that shows the problem opened from the server?
You only need 'add service' for connections opened by the server.
If that's the case, you need to remove all 'add' commands from the group config and use an ACL to determine when to use the group.
Something like:
acl 1
 clause 10 permit tcp any destination 
 clause 20 permit tcp 
The show flows is not very useful because it doesn't tell you if we receive a response.
By default the CSS automatically creates a flow for the response, anticipating that we will receive one.
So, you should gather sniffer traces and follow the traffic to see where it fails.
Gilles.