02-06-2005 03:29 AM
Hi,
basically I can do src NAT in two ways. Either I use groups and use >>add destination service XYZ<< OR I use ACLs and groups and put the group as a source-group in the ACL. In case of the last possibility, isn't it possible to specify which services are affected for SRC-NAT by adding an add service X in the group config, or is it only possible to limit it in the ACL due to only allowing a certain destination in the ACL, and is this destination the real service (needs to be if I would be able to achieve what I'm trying to achieve)?
Furthermore, is there a paper stating the order of operation for the CSS: when does ACL checking happen, when does the NAT with ACLs happen, and so on?
TIA
Kind Regards,
Joerg
02-07-2005 02:32 AM
Joerg,
if I understand correctly, you want to NAT the client IP address but only when going to specific servers.
This is not possible.
If we take a CSS11500, ACL permit/deny are applied in hardware even before doing a flow lookup.
ACLs with enhanced functions like sourcegroup select are done in software before doing the load-balancing decision.
The ACL function will pass the NATing argument to the load-balancing decision.
So at the time you do NAT, you don't know yet which real server will be used.
Regards,
Gilles.