04-22-2004 07:16 AM
How do I disable NAT for certain ports, e.g. NTP, on a CSS11503? The "flow-state udp 123 nat-disable" command is not available.
I'm running version 7.20.104. I'm trying to configure servers behind the CSS to reach a restrictive NTP server outside the CSS. Sniffer traces show that traffic hitting the NTP server is using the VIP address on the CSS instead of the actual address of the servers behind the CSS.
Suggestions, ideas, tricks etc. are most welcome.
dayo
04-22-2004 11:26 PM
You probably have a group config to NAT the servers' IP address.
You can remove the group to completely disable NAT for traffic issued by the servers.
If you need NAT for some traffic, you can keep the group but remove all servers from its definition
[so you just have a group name and a VIP].
Then use an ACL to define the traffic that needs to be NATed, using a command like this:
acl 1
clause 10 permit udp any eq 123 destination any eq 123
clause 20 permit udp any destination any sourcegroup
clause 30 permit any any destination any
In this example, NTP traffic is permitted but not NATed.
The rest of the UDP traffic is permitted but NATed.
Finally, the rest of the traffic is permitted, with no NATing.
Regards,
Gilles.
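Added example, not part of the original thread and not Cisco code: a simplified Python model of the three clauses above, showing which clause a given flow hits and whether the source group NAT applies. It assumes clauses are checked in ascending order with the first match winning; the sample flows are constructed.

```python
# Simplified model of the three-clause ACL quoted in the reply above.
# Assumption: clauses are checked in ascending clause number, first match wins.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Clause:
    number: int
    protocol: Optional[str]   # None = any protocol
    src_port: Optional[int]   # None = any source port
    dst_port: Optional[int]   # None = any destination port
    sourcegroup: bool         # True = clause carries the sourcegroup keyword


ACL_1 = [
    Clause(10, "udp", 123, 123, False),    # udp any eq 123 -> any eq 123
    Clause(20, "udp", None, None, True),   # remaining udp, with sourcegroup
    Clause(30, None, None, None, False),   # everything else
]


def classify(protocol, src_port, dst_port, acl=ACL_1):
    """Return (clause number, 'nat' or 'no-nat') for the first matching clause."""
    for c in sorted(acl, key=lambda c: c.number):
        if c.protocol is not None and c.protocol != protocol:
            continue
        if c.src_port is not None and c.src_port != src_port:
            continue
        if c.dst_port is not None and c.dst_port != dst_port:
            continue
        return c.number, "nat" if c.sourcegroup else "no-nat"
    return None, "no-match"   # no clause matched this flow


# Constructed sample flows: (label, protocol, source port, destination port)
SAMPLE_FLOWS = [
    ("NTP, source port 123", "udp", 123, 123),
    ("NTP, ephemeral source port", "udp", 40000, 123),
    ("DNS query", "udp", 40001, 53),
    ("HTTP", "tcp", 40002, 80),
]

if __name__ == "__main__":
    for label, proto, sport, dport in SAMPLE_FLOWS:
        print(f"{label:30s} -> {classify(proto, sport, dport)}")
```

Clause 10 matches on both source and destination port 123, so an NTP client that sends from an ephemeral source port falls through to clause 20 in this model.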
04-23-2004 12:15 PM
The only reason I have the groups is b/c I'm doing ASR. Can I do without groups if ASR is required?
dayo
04-23-2004 01:24 PM
Pls disregard my earlier comments. I believe this issue is resolved.