NAT issue

donaghq_2
Level 1

Hi,

I have a test content switch CSS11503 with one leg on 10.152.21.0/24 and the other leg on 10.40.21.0/24. I have SSL services set up to hit 10.40.26.1 and 10.40.26.2. I have a content rule with 10.40.21.26 as the VIP which load balances to the aforementioned services. In order for traffic from other networks to hit the services I need to source NAT them to an address on the 10.40.21.0 subnet. Otherwise the traffic will hit 10.40.26.1 or .2 and will return via the default gateway of 10.40.26.250 (and will not return via the content switch). The business would now like the NAT not to take place, as they would like to be able to see the real addresses hitting the website. I have tried to remove the NAT and add in a route to one of these other networks on the 10.40.26.250 MLS, but this does not seem to work. Any ideas?

I hope my question is clear!

Many Thanks.


4 Replies

Gilles Dufour
Cisco Employee

As you already pointed out, you need the traffic to come back to the CSS after hitting the real server.

The first solution is the NATing, which you do not want anymore.

The 2nd option is the routing. You have to make sure the return traffic goes back to the CSS. Change your router routing table to point traffic from the server back to the CSS.

This can also be done with policy routing.

Use sniffer traces to make sure the traffic comes back to the CSS.

There is no other solution.

Gilles.

Thanks for your response Gilles.

I presume I should route the traffic back to the VIP address?

The client will respond to the client [since you do not NAT anymore].

So you need a default route pointing back to the CSS - not a route for the vip.

That's the reason why people use policy routing.

So your server can still use the normal default gateway most of the times and the CSS when needed.

Gilles.
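The policy-routing option Gilles describes, as an added example that is not from this thread or from Cisco: an IOS-style route-map on the MLS (10.40.26.250) that steers only the real servers' replies back to the CSS, so the web logs keep the real client addresses without source NAT. The CSS address 10.40.21.1, the interface name Vlan26 and the service port 443 are assumptions; substitute the real values.

```cisco
! Added example, not from the thread. Applied on the MLS (10.40.26.250), the
! real servers' default gateway. Assumed values: the CSS interface on the
! 10.40.21.0/24 leg is 10.40.21.1 (placeholder), the server VLAN interface
! is Vlan26, and the load-balanced service listens on TCP 443.
!
! Only replies leaving the servers' service port are steered to the CSS;
! everything else the servers originate still follows the normal default route.
ip access-list extended SERVER-REPLIES-TO-CSS
 permit tcp host 10.40.26.1 eq 443 any
 permit tcp host 10.40.26.2 eq 443 any
!
route-map RETURN-VIA-CSS permit 10
 match ip address SERVER-REPLIES-TO-CSS
 set ip next-hop 10.40.21.1
!
! No catch-all sequence is needed: packets matching no entry are routed normally.
interface Vlan26
 description Real servers 10.40.26.0/24, gateway 10.40.26.250
 ip address 10.40.26.250 255.255.255.0
 ip policy route-map RETURN-VIA-CSS
!
! Verification, alongside the sniffer traces Gilles recommends:
! show route-map RETURN-VIA-CSS   - policy-routing match counters should increase
! show ip policy                  - confirms the map is bound to Vlan26
```

If the CSS is terminating SSL and the servers listen on a different port, change the ACL port accordingly; matching the whole server host instead would also pull management traffic through the CSS.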

Thanks, I will try routing the traffic back to the interface on the CSS.
