05-19-2005 12:13 PM
CSS11800 running ap0610405 (6.10 Build 405). Trying to set up default routing with NAT as suggested on the
forum in "default routing depending on source-address" dated 08/11/04.
CSS connects to two firewall interfaces - 10.1.1.1 and 10.1.2.1 (vlan 10 and 20 respectively).
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
circuit vlan10
  description "to fw 1"
  ip address 10.1.1.2 255.255.255.252
!
circuit vlan20
  description "to fw 2"
  ip address 10.1.2.2 255.255.255.252
!
circuit vlan100
  description "to real servers"
  ip address 10.10.10.1 255.255.255.0
!
service fw-1
  ip address 10.1.1.1
  keepalive type none
  type transparent-cache
  active
!
service 10.10.10.20
  ip address 10.10.10.20
  port 80
  protocol tcp
  active
!
content 192.168.10.20.com
  vip address 192.168.10.20
  port 80
  protocol tcp
  add service 10.10.10.20
  active
!
group 192.168.10.20
  vip address 192.168.10.20
  active
!
acl 100
  clause 50 permit any 10.10.10.0 255.255.255.0 destination any prefer fw-1
  clause 200 permit any any destination any
  apply circuit-(VLAN100)
!
HTTP to VIP 192.168.10.20.com is working fine (traffic directed to service 10.10.10.20).
Test ping from 10.10.10.20 to external: with acl 10 clause 50, the ping packet is sent through vlan 10.
After adding a new acl clause 49 for source NAT, the outbound ping request is NATed to 192.168.10.20 but the packet
is sent through vlan 20 (instead of vlan 10 - service fw-1).
ACL 100
clause 49 permit any 10.10.10.0 255.255.255.0 destination any sourcegroup 192.168.10.20 prefer fw-1
Any suggestions? Thanks.
05-20-2005 05:46 AM
Sounds like a bug.
Could you open a case for this and ask the TAC to reproduce and log a new defect?
Thanks,
Gilles.
05-22-2005 04:41 PM
Already did. Thanks.