CSS 11503 SNAT?

jnaglich
Level 1

I have a subnet that has a Cisco load balancer in it that is in the process of moving. The current subnet is behind a FWSM and has been working for years. The new subnet will be in front of the firewall.

In the current state, the default gateway and default route point to the firewall interface for the existing subnet. The load balancers are in a one-armed configuration. I would like to use the same pair of load balancers on the new subnet.

The load balancers have circuits in both VLANs, but keep using the default route for return traffic for both networks. So, traffic will come in on the new network, get load balanced appropriately, and the return traffic will be routed asymmetrically to the default gateway instead of the local gateway. I can see my firewall blocking the return traffic.

Is there a way to configure the CSS to either use the local gateway or possibly to use Source NAT (without an ACE module) to make the CSS bridge in this manner?

Any help would be appreciated! Thanks in advance!

Jason

5 Replies

Martin Kyrc
Level 3

Hello Jason,

I'm a bit confused. Can you attach topology? :)

If you need use SNAT on CSS look for 'group' command (http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/SGrp.html)

^^ Is it helpful for SNAT?

martin

The 'group' command is for source nat with respect to the servers behind the CSS. I need to do SNAT for incoming requests. I've attached a Visio diagram of what I'm talking about.

Group command also allows you to SNAT traffic with respect to the destination instead of source. In this case, it might be a default gw.

I'm also a bit confused by your topology... Anyway, isn't it a bit insecure to bridge behind and above your FW?

The hard part is that all the users from various IP Networks will be coming in as the source. I'm not sure how to write the group command to handle this.

As for the topology, it is insecure to be doing things this way, but we're migrating the servers from the screened network to the unscreened one.

You can base your SNAT on the destination - add destination service instead of add service - in that case you can match on the providing server, i.e.
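To make the destination-based group concrete, here is an added CSS 11500 configuration sketch (not posted by anyone in the thread). All service names, owner/content names and addresses are hypothetical placeholders; the point is that the group matches on the server (destination), so it does not depend on which client networks the requests arrive from.

```text
! Hypothetical CSS 11500 fragment (added illustration, not from the thread).
! Real servers on the new, unscreened subnet (placeholder addresses).
service web1
  ip address 192.0.2.11
  active

service web2
  ip address 192.0.2.12
  active

! Client-facing VIP (placeholder) that load balances to the two servers.
owner app
  content web-vip
    vip address 198.51.100.50
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! Source group keyed on the DESTINATION services rather than on the client
! source: requests forwarded to web1/web2 are NATed to the group VIP, so the
! servers reply to the CSS instead of straight to the client through the
! firewall. "add destination service" is what Martin's reply refers to;
! "add service" would instead NAT traffic originated by the servers.
group web-snat
  vip address 192.0.2.100
  add destination service web1
  add destination service web2
  active
```

With this in place the server-to-client leg returns to the CSS first, which is what removes the server-side half of the asymmetric path; the CSS's own routing of the reply toward the client is still governed by its route table.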
