Css11800 running ap0610405 (6.10 Build 405). Try to setup default routing with NAT as suggested on the

forum "default routing depending on source-address" dated 08/11/04.

CSS connects to two firewall interfaces - 10.1.1.1 and 10.1.2.1 (vlan 10 and 20 respectively).

!

ip route 0.0.0.0 0.0.0.0 10.1.1.1

ip route 0.0.0.0 0.0.0.0 10.1.2.1

!

circuit vlan10

description "to fw 1"

ip address 10.1.1.2 255.255.255.252

!

circuit vlan20

description "to fw 2"

ip address 10.1.2.2 255.255.255.252

!

circuit vlan100

description "to real servers"

ip address 10.10.10.1 255.255.255.0

!

service fw-1

ip address 10.1.1.1

keepalive type none

type transparent-cache

active

!

service 10.10.10.20

ip address 10.10.10.20

port 80

protocol tcp

active

!

content 192.168.10.20.com

vip address 192.168.10.20

port 80

protocol tcp

add service 10.10.10.20

active

!

group 192.168.10.20

vip address 192.168.10.20

active

!

acl 100

clause 50 permit any 10.10.10.0 255.255.255.0 destination any prefer fw-1

clause 200 permit any any destination any

apply circuit-(VLAN100)

!

http to vip 192.168.10.20.com is working fine (traffic directed to service 10.10.10.20)

test PING from 10.10.10.20 to external. With acl 10 clause 50, the ping packet is sent through vlan 10.

Add a new acl clause 49 for source NAT, outboudn PING request is NATed to 192.168.10.20 but the packet

is sent through vlan 20 (instead of vlan 10 - service fw-1).

ACL 100

clause 49 permit any 10.10.10.0 255.255.255.0 destination any sourcegroup 192.168.10.20 prefer fw-1

Any suggestion! Thanks.