07-06-2007 05:49 AM
I'm rather new to CSS. Is it possible to configure load balancing without NATting the address, i.e. the VIP address is on the same subnet as the servers providing services?
07-06-2007 07:02 AM
You want the CSS to load-balance but not replace the VIP address with the server address?
If yes, the solution is to use the command 'type transparent' under the service configuration.
Gilles.
07-06-2007 07:49 AM
Thanks for that, Gilles. In doing that, would I just assign both the inbound and outbound interface to the same VLAN, as my CSS will be inside a single DMZ subnet and therefore will really never have to route into other VLANs?
07-09-2007 05:35 AM
The fact that your inbound and outbound interfaces are in the same VLAN is not related to the question of NATting or not.
If the true question is 'can we put the CSS inline between firewall and servers' then the answer is yes. Simply put the interfaces in the same VLAN.
But that's not a reason not to NAT.
I mean, traffic can be routed or bridged without NATting, but traffic that hits a content rule should normally be NATted.
We can prevent it with the command I gave you in my first answer, but I do not think that's what you want to do.
Gilles.
07-14-2007 09:56 PM
Maybe he's after using destination services unless the servers all respond to the VIP addr? If he's load-balancing in the same subnet, then I think destination services (to source NAT) are the only option.
07-19-2007 01:11 AM
Hi, what I have is a firewall NATting from the Internet to a VIP address in the DMZ. The only thing is, for political reasons we want to keep all the services (servers) also in the DMZ, in the same IP subnet as the VIP. All the examples I've seen on cisco.com have the CSS NATting to the servers. In my example we do not want to NAT again for load balancing. I have almost got this to work: when I type show flows I can see traffic passing from the VIP to the respective servers, but I am not getting the webpage on my client. What IP address do I put on the servers as a default gateway, the same VIP? I don't suspect the firewall's address should be used?
07-19-2007 09:47 PM
Hi,
If you want to disable NATting, and the clients are in a different subnet, you need to remove source NATting and put the VIP address as the server gateway address. Source NAT configuration in CSS will look as below:
group test
add destination service server1
add destination service server1
vip address 3.3.3.3
active