show flows on CSS

Branimir Turk
Level 1

Hi,

I am using source group on my CSS to nat server initiated traffic to VIP address.

Currently it does not work, so I am doing troubleshooting.

I am using ISA1-NAT service for source group.

configure

!*************************** GLOBAL ***************************
cdp run
ip uncond-bridging
ip route 0.0.0.0 0.0.0.0 172.20.3.15 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  description "ZG-DMZ-XCONN-Customer-Facing"
  vlan 203

interface 1/2
  description "ZG-DMZ-XCONN-Server-Facing"
  trunk
  vlan 207

!************************** CIRCUIT **************************
circuit VLAN207
  description "Server-Facing"
  ip address 172.20.7.2 255.255.255.0
    ip virtual-router 207 priority 101 preempt
    ip redundant-interface 207 172.20.7.1

circuit VLAN203
  description "Customer-Facing"
  ip address 172.20.3.103 255.255.255.0
    ip virtual-router 203 priority 101 preempt
    ip redundant-vip 203 172.20.3.105

!************************** SERVICE **************************
service HTTP-TO-HTTPS-OWA-REDIRECT
  keepalive type none
  type redirect
  no prepend-http
  domain https://xxx.xxx

service ISA1-NAT
  ip address 172.20.7.101
  active

service ISA1-OWA-HTTPS
  weight 2
  keepalive port 443
  protocol tcp
  port 443
  ip address 172.20.7.101
  active

service ISA1-PROXY
  ip address 172.20.7.101
  weight 2
  port 8080
  keepalive port 8080
  protocol tcp
  active

service ISA2-NAT
  ip address 172.20.7.102
  active

service ISA2-OWA-HTTPS
  weight 2
  keepalive port 443
  protocol tcp
  port 443
  ip address 172.20.7.102
  active

service ISA2-PROXY
  ip address 172.20.7.102
  weight 2
  port 8080
  protocol tcp
  keepalive port 8080
  active

service upstream-ping

!*************************** OWNER ***************************
owner HEP

  content HTTP-PROXY
    protocol tcp
    port 8080
    advanced-balance sticky-srcip
    sticky-inact-timeout 10
    add service ISA1-PROXY
    add service ISA2-PROXY
    vip address 172.20.3.105
    active

  content OWA
    protocol tcp
    port 443
    advanced-balance sticky-srcip
    sticky-inact-timeout 10
    vip address 172.20.3.105
    add service ISA1-OWA-HTTPS
    add service ISA2-OWA-HTTPS
    active

  content OWA-HTTP-REDIRECT
    vip address 172.20.3.105
    protocol tcp
    port 80
    url "/*"
    add service HTTP-TO-HTTPS-OWA-REDIRECT

!*************************** GROUP ***************************
group ISANat
  vip address 172.20.3.105
  add service ISA1-NAT
  active

Does my show flows output look ok?

ZG-CSS1# sh flows

---------------  -----  ---------------  -----  ---------------  ---  -------  -------
Src Address      SPort  Dst Address      DPort  NAT Dst Address  Prt  InPort   OutPort
---------------  -----  ---------------  -----  ---------------  ---  -------  -------
80.243.40.241    80     172.20.3.105     2020   172.20.7.101     TCP  1/1-203  1/2-207
172.20.7.101     4958   80.243.40.241    80     80.243.40.241    TCP  1/2-207  1/1-203

I don't get why in one case DPort is 2020 and in the second SPort is 4958? Shouldn't they be the same?


4 Replies

Gilles Dufour
Cisco Employee

When we do client NAT, we also NAT the src port.

It seems to work for me.

Gilles.

Hi,

I am trying to nat server initiated traffic. For example, http requests from my private servers to www servers on Internet.

I don't see why (and how) I can do NAT of the src port? (In this case src ports are dynamic.)

Regards,

Branimir

The CSS will intercept the traffic based on the src ip, and it will change the src ip and the src port.

Since there is a single ip address for potentially multiple servers, we can't keep the same source port as 2 devices could come in with the same value.

So we take a new port from the list of available ports.

This is called PAT.

G.
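As an added illustration of the PAT behaviour described in the answer above (example code written for this page, not code from the thread or from the CSS itself), here is a small Python model of a source group translating the two flows in the show flows output. The Flow and SourceGroupPAT names, and the sequential port counter starting at 2020, are assumptions; the real CSS draws from its own pool of free ports.

```python
from dataclasses import dataclass
from itertools import count

VIP = "172.20.3.105"  # source-group VIP from the posted config

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class SourceGroupPAT:
    """Toy model of a CSS source group applying PAT to server-initiated flows.
    The sequential port counter stands in for the CSS pool of available ports;
    it is an assumption for illustration, not CSS code."""

    def __init__(self, vip: str, first_port: int = 2020):
        self.vip = vip
        self._free_ports = count(first_port)
        self.outbound = {}  # (inside src, sport, dst, dport) -> VIP port
        self.inbound = {}   # (remote ip, remote port, VIP port) -> (inside src, sport)

    def translate_out(self, f: Flow) -> Flow:
        """Server -> Internet: src IP becomes the VIP, src port a free VIP port."""
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound:  # new flow: allocate a port nobody else holds
            port = next(self._free_ports)
            self.outbound[key] = port
            self.inbound[(f.dst, f.dport, port)] = (f.src, f.sport)
        return Flow(self.vip, self.outbound[key], f.dst, f.dport)

    def translate_in(self, f: Flow) -> Flow:
        """Internet -> VIP: the VIP port selects the real server and its port."""
        if f.dst != self.vip:
            raise ValueError("reply is not addressed to the source-group VIP")
        inside_src, inside_port = self.inbound[(f.src, f.sport, f.dport)]
        return Flow(f.src, f.sport, inside_src, inside_port)

def demo():
    """Both ISA servers reach the same web server from source port 4958."""
    pat = SourceGroupPAT(VIP)
    a = pat.translate_out(Flow("172.20.7.101", 4958, "80.243.40.241", 80))
    b = pat.translate_out(Flow("172.20.7.102", 4958, "80.243.40.241", 80))
    # The web server's reply targets the VIP on the translated port only.
    reply = pat.translate_in(Flow("80.243.40.241", 80, VIP, a.sport))
    return a, b, reply
```

Because both servers share one VIP, the colliding source port 4958 is what forces a fresh VIP port per flow; the reverse table is what lets the reply to VIP:2020 find 172.20.7.101:4958 again.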

Hi G,

Thank you for the explanation. It was helpful.

Regards,

Branimir
