How to manage outbound connections on a CSS 11500

pavlosd
Level 2

Hi all,

we currently have in our network a LoadBalancer that is in front of an SMS application. All inbound connections work fine on a global rule:

content Application_SMS
  vip address 110.10.10.10
  add service SRV_a
  add service SRV_b
  add service SRV_c
  add service SRV_d
  balance leastconn
  active

Now, we want the pool of servers to be able to initiate back connections to clients for reporting status, but from the same address (10.10.10.10).

How do we achieve this? Do we have to be port specific, or can we leave it as global?

9 Replies

Gilles Dufour
Cisco Employee

You need to create a group for all NATing purposes.

In your case all you need is:

group
  vip address 110.10.10.10
  add service SRV_a
  add service SRV_b
  ..
  active
!

Regards,

Gilles.

Thanks for rating this answer.

Hi,

How will the LoadBalancer know that it is for outbound purposes? For example, I cannot see any difference between what you are suggesting and what I have (see my initial question). Still, the requests go outbound using their internal IP address, not the NATed one (NAT works inbound with what you suggested).

You should read more carefully.

Your config starts with "content ...".

What I'm asking you to do is ADD "group ...".

As mentioned, a group [or source group] is being used to NAT traffic.

The CSS knows this is outbound by looking at the source IP address of the traffic.

If it matches one of the 'add service ...' commands, the CSS will perform NATing.

Hope it makes more sense.

Regards,

Gilles.

Thanks for rating.

What if the LoadBalancer has more than 2 interfaces? In our case, we have an interface to the intranet, an interface to the public and an interface to the servers. We used "group" for an FTP application and the problem is that the servers are "NATed" with the same IP address even if the destination is the public or the intranet.

How can we overcome this? Is there a policy routing feature?

group FTP
  add service ServerA
  add service ServerB
  add service ServerC
  add service ServerD
  vip address 10.10.10.10
  active

If you want to use different IP addresses depending on the destination IP address, you need to configure 2 groups with no service added.

Then, you have to create an ACL to define when to use one group or the other.

Example:

group intranet
  vip address 10.10.10.10
  active

group public
  vip address x.x.x.x
  active

acl 1
  clause 10 permit ip x.x.x.x/24 destination x.x.x.x/24 sourcegroup intranet
  clause 20 permit ip x.x.x.x/24 destination any sourcegroup public
  clause 99 permit any any destination any
  apply vlan-server

Regards,

Gilles.
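The two rules Gilles gives above, that a source group translates traffic whose source IP is one of its 'add service' servers, and that an ACL picks between groups by evaluating clauses in ascending number order with the first match winning, can be traced with a small model. This is an added example, not code from the thread or from Cisco; the group names, the 192.168.50.0/24 server subnet, the 172.16.0.0/16 intranet, and 203.0.113.10 standing in for the public 'x.x.x.x' are all constructed, and it models nothing beyond the choice of translated source address.

```python
"""Model of CSS source-group NAT selection as described in this thread.
Added illustration, not CSS firmware logic; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SourceGroup:
    name: str
    vip: str                                           # 'vip address' of the group
    services: List[str] = field(default_factory=list)  # IPs from 'add service'


@dataclass
class Clause:
    number: int                        # clause number = evaluation order
    source: str                        # CIDR or 'any'
    destination: str                   # CIDR or 'any'
    sourcegroup: Optional[str] = None  # group whose VIP is used; None = no NAT


def _match(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def nat_by_group(groups: List[SourceGroup], src_ip: str) -> str:
    """Single-group case (first answer): translate only when the source IP is
    one of the group's services; any other source leaves untouched."""
    for g in groups:
        if src_ip in g.services:
            return g.vip
    return src_ip


def nat_by_acl(clauses: List[Clause], groups: List[SourceGroup],
               src_ip: str, dst_ip: str) -> Optional[str]:
    """Multi-interface case: clauses are checked in ascending order and the
    first match decides. A matching clause without a sourcegroup passes the
    packet untranslated. None means no clause matched at all, which is why
    the thread's ACL ends with a permit-any catch-all clause."""
    vips = {g.name: g.vip for g in groups}
    for c in sorted(clauses, key=lambda c: c.number):
        if _match(c.source, src_ip) and _match(c.destination, dst_ip):
            return vips[c.sourcegroup] if c.sourcegroup else src_ip
    return None


# Constructed sample configuration mirroring the thread's two answers.
GROUPS = [
    SourceGroup("SMS", "10.10.10.10", ["192.168.50.11", "192.168.50.12"]),
    SourceGroup("intranet", "10.10.10.10"),   # no services: selected by ACL
    SourceGroup("public", "203.0.113.10"),    # stands in for 'x.x.x.x'
]
CLAUSES = [
    Clause(10, "192.168.50.0/24", "172.16.0.0/16", "intranet"),
    Clause(20, "192.168.50.0/24", "any", "public"),
    Clause(99, "any", "any"),                  # permit, no sourcegroup: no NAT
]


def demo() -> dict:
    """Trace a few server-initiated flows, including a mis-numbered ACL where
    the public clause sorts first and captures intranet-bound traffic too."""
    misordered = [Clause(5, "192.168.50.0/24", "any", "public"), CLAUSES[0], CLAUSES[2]]
    return {
        "group_nat": nat_by_group(GROUPS, "192.168.50.11"),
        "group_passthrough": nat_by_group(GROUPS, "192.168.50.99"),
        "acl_intranet": nat_by_acl(CLAUSES, GROUPS, "192.168.50.11", "172.16.4.7"),
        "acl_public": nat_by_acl(CLAUSES, GROUPS, "192.168.50.11", "198.51.100.9"),
        "acl_other_source": nat_by_acl(CLAUSES, GROUPS, "10.99.0.5", "198.51.100.9"),
        "acl_misordered": nat_by_acl(misordered, GROUPS, "192.168.50.11", "172.16.4.7"),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow}: {result}")
```

The mis-numbered variant is the practical point: on the CSS the clause number, not the order you typed them in, decides precedence, so a broad "destination any" clause with a lower number than the specific intranet clause silently sends intranet-bound traffic out with the public address. Without the catch-all clause the model returns None for a non-server source, the case the real ACL's final permit clause exists to cover.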

Thanks.

Is there a way to ensure that outbound connections preserve their source and destination ports? We are using the UCP protocol for the SMS, and the way the server works it expects connections from a specific port to a specific port (separating the accounts on the SMS server this way).

So if an outbound connection from SMS is started from server A on port 5000 to client A on port 8000, we want to keep these TCP parameters (only translate the source IP address).

Is that possible?

For TCP this is not possible, unfortunately.

For UDP traffic, you can use the command 'portmap disable', but it only works for UDP traffic.

Gilles.

Thanks.
