CSS Server initiated flows, NAT Bypass

lionellemaire
Level 1

Hello,

I've been trying for two days to understand how not to NAT server-initiated flows.

The iperf server always sees the VIP as the source address. I would like to see the real server's IP as the source address.

I don't see what's wrong in my config.

Here's what I got:

VLAN 101, 10.0.2.0/24: PC 10.0.2.220. The PC is running iperf as a server on TCP port 5001. Its default gateway is the CSS.
        |
        |
CSS: see below for config.
        |
        |
VLAN 100, 10.0.1.0/24: server 10.0.1.101 initiates a TCP connection to 10.0.2.220 on port 5001.

!Generated on 05/25/2007 15:53:44
!Active version: sg0810109s

configure

!*************************** GLOBAL ***************************
acl enable
logging subsystem natmgr level debug-7
logging subsystem portmapper level debug-7

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 1
    default-vlan
  vlan 100
  vlan 101

!************************** CIRCUIT **************************
circuit VLAN100
  ip address 10.0.1.200 255.255.255.0
    ip virtual-router 1 priority 150 preempt
    ip redundant-interface 1 10.0.1.1
    ip critical-reporter 1 r1

circuit VLAN101
  ip address 10.0.2.200 255.255.255.0
    ip virtual-router 2 priority 150 preempt
    ip redundant-interface 2 10.0.2.100
    ip redundant-vip 2 10.0.2.50
    ip critical-reporter 2 r1

!************************** REPORTER **************************
reporter r1
  type vrid-peering
  vrid 10.0.2.200 2
  vrid 10.0.1.200 1
  active

!************************** SERVICE **************************
service web1
  ip address 10.0.1.101
  keepalive type ssl
  active

service web2
  ip address 10.0.1.102
  keepalive type ssl
  active

!*************************** OWNER ***************************
owner lab

  content web
    add service web1
    add service web2
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    sticky-inact-timeout 120
    vip address 10.0.2.50
    active

!*************************** GROUP ***************************
group lab
  add service web1
  vip address 10.0.2.50
  active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any sourcegroup lab
  clause 3 bypass tcp any destination any eq 5001
  apply circuit-(VLAN100)

acl 2
  clause 1 permit any any destination any
  apply circuit-(VLAN101)

Here's what I have in iperf (client side):

D:\iperf>iperf.exe -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1860] local 10.0.2.220 port 5001 connected with 10.0.2.50 port 3174
[ ID] Interval       Transfer     Bandwidth
[1860]  0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec

Server side:

C:\>iperf -c 10.0.2.220
------------------------------------------------------------
Client connecting to 10.0.2.220, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[884] local 10.0.1.101 port 1116 connected with 10.0.2.220 port 5001
[ ID] Interval       Transfer     Bandwidth
[884]  0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec


lionellemaire
Level 1

Problem solved by Cisco TAC.

I had to remove the "add service" from the group config and change the ACL to:

acl 1
  clause 100 permit any any destination any sourcegroup lab
  apply circuit-(VLAN100)
  clause 3 bypass any 10.0.1.105 255.255.255.255 destination 10.0.2.221 255.255.255.255
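A small model of the ACL semantics involved, as an added example (not from the thread and not Cisco's code). It parses clauses in the syntax used above, evaluates them lowest clause number first with the first match winning and an implicit deny at the end, treats `bypass` as "no load balancing and no NAT" and `permit ... sourcegroup` as "source-NAT to that group's VIP", and, as an assumption inferred from the TAC fix rather than documented CSS behaviour, source-NATs a service listed directly under `group` before the ACL is consulted. Group names, VIPs and host addresses are those from the thread; `visible_source`, the flow dictionaries and the ACL string constants are this example's own. Run against the two ACLs from this page, it also shows the check worth making on the final config: the narrowed bypass clause only exempts 10.0.1.105 to 10.0.2.221, so a connection from 10.0.1.101 still falls through to clause 100 and is NATed to the VIP.

```python
"""Toy model of CSS ACL clause evaluation for server-initiated flows.

Added example, not from the thread. Assumptions: clauses are evaluated lowest
number first, first match wins, unmatched traffic is implicitly denied;
'bypass' skips load balancing/NAT so the destination sees the real source;
'permit ... sourcegroup G' source-NATs the flow to G's VIP; a service listed
directly under 'group' is source-NATed to the group VIP before ACL evaluation
(inferred from the TAC fix on this page, not documented CSS behaviour).
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens, i):
    """Read 'any' or '<ip> <mask>' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_clause(line):
    """Parse one ACL clause line (syntax as used in the thread) into a dict."""
    t = line.split()
    if t[0] != "clause":
        raise ValueError(f"not a clause: {line}")
    clause = {"num": int(t[1]), "action": t[2], "proto": t[3],
              "port": None, "sourcegroup": None}
    clause["src"], i = _addr(t, 4)
    if t[i] != "destination":
        raise ValueError(f"expected 'destination' in: {line}")
    clause["dst"], i = _addr(t, i + 1)
    while i < len(t):                      # optional trailing keywords
        if t[i] == "eq":
            clause["port"] = int(t[i + 1])
        elif t[i] == "sourcegroup":
            clause["sourcegroup"] = t[i + 1]
        else:
            raise ValueError(f"unknown keyword {t[i]!r} in: {line}")
        i += 2
    return clause


def parse_acl(text):
    """Collect the clause lines of an ACL block; 'acl N' and 'apply ...' lines are ignored."""
    clauses = [parse_clause(l.strip()) for l in text.splitlines()
               if l.strip().startswith("clause")]
    return sorted(clauses, key=lambda c: c["num"])   # evaluated lowest number first


def matches(clause, flow):
    """True if the flow (proto, src, dst, dport) is selected by the clause."""
    return ((clause["proto"] in ("any", flow["proto"]))
            and ipaddress.ip_address(flow["src"]) in clause["src"]
            and ipaddress.ip_address(flow["dst"]) in clause["dst"]
            and (clause["port"] is None or clause["port"] == flow["dport"]))


def visible_source(acl_text, groups, flow):
    """Return the source address the destination host sees, or 'denied'.

    groups: {name: {"vip": ip, "services": [ips added with 'add service']}}
    """
    # Assumption (inferred from the TAC fix): a service added directly to a
    # group is source-NATed to the group VIP regardless of the ACL.
    for g in groups.values():
        if flow["src"] in g["services"]:
            return g["vip"]
    for c in parse_acl(acl_text):
        if not matches(c, flow):
            continue
        if c["action"] == "bypass":
            return flow["src"]                       # no load balancing, no NAT
        if c["sourcegroup"]:
            return groups[c["sourcegroup"]]["vip"]   # permit + sourcegroup: SNAT to VIP
        return flow["src"]                           # plain permit
    return "denied"                                  # implicit deny at end of ACL


# Configs and hosts as posted in the thread (constructed input for this model).
GROUPS_BEFORE = {"lab": {"vip": "10.0.2.50", "services": ["10.0.1.101"]}}
ACL_BEFORE = """acl 1
  clause 10 permit any any destination any sourcegroup lab
  clause 3 bypass tcp any destination any eq 5001
  apply circuit-(VLAN100)"""

GROUPS_AFTER = {"lab": {"vip": "10.0.2.50", "services": []}}   # 'add service' removed
ACL_AFTER = """acl 1
  clause 100 permit any any destination any sourcegroup lab
  apply circuit-(VLAN100)
  clause 3 bypass any 10.0.1.105 255.255.255.255 destination 10.0.2.221 255.255.255.255"""

IPERF_FLOW = {"proto": "tcp", "src": "10.0.1.101", "dst": "10.0.2.220", "dport": 5001}
FIXED_FLOW = {"proto": "tcp", "src": "10.0.1.105", "dst": "10.0.2.221", "dport": 5001}

if __name__ == "__main__":
    print("before:                     ", visible_source(ACL_BEFORE, GROUPS_BEFORE, IPERF_FLOW))
    print("after, host in bypass clause:", visible_source(ACL_AFTER, GROUPS_AFTER, FIXED_FLOW))
    print("after, original iperf host:  ", visible_source(ACL_AFTER, GROUPS_AFTER, IPERF_FLOW))
```

The third line of output is the caveat: with the ACL exactly as posted in the reply, only the 10.0.1.105 to 10.0.2.221 pair is exempt from NAT, so the original test pair (10.0.1.101 to 10.0.2.220) would still arrive from the VIP unless the bypass clause is widened or a second clause added for it.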
