03-10-2008 06:17 AM
Good Day, I'm running into an issue where I have a pair of 11506's extended to a server subnet, and they are balancing 2 servers for a Virtual Directory. The owner of the VD states that they require to see the source address, so I'm not using any source group for this setup. The servers' default gateway is set up to point to the CSS's. Everything is working fine until another app server on the same subnet as the VD servers requires access to the Virtual Directory. The new servers do not care if the source address is NATed, but I cannot NAT because of the original requirement. Is there any other way I could modify or add a new content rule so that the new servers can access the Virtual Directory without NATing the original services? Could I match on source address and, if the request comes from said new servers, put them on a different set of rules? Please find following the original content rules for the Virtual Directories.
Thx
-Rich
owner Virtual_Directory
  content VD_389
    protocol tcp
    vip address 1.1.93.36
    advanced-balance sticky-srcip
    port 389
    redundant-index 9389
    add service ressvds01
    add service ressvds02
    active
  content VD_636
    protocol tcp
    vip address 1.1.93.36
    advanced-balance sticky-srcip
    port 636
    add service ressvds01
    add service ressvds02
    redundant-index 9636
    active
service ressvds01
  ip address 1.2.201.52
  redundant-index 9952
  keepalive port 636
  keepalive type tcp
  active
service ressvds02
  ip address 1.2.201.53
  redundant-index 9953
  keepalive type tcp
  keepalive port 636
  active
03-10-2008 07:31 AM
Hi Rick,
So what you need is to NAT for some clients (within the same subnet) but not for some other clients (already working without using the source group).
If this is what you need, you can do it using an ACL.
You can build an ACL that will use the group only for those clients that need the NATing, like this:
css(config)# acl 1
css11501b(config-acl[1])# clause 10 permit tcp 1.2.201.0 255.255.255.0 destination content Virtual_Directory/VD_389 sourcegroup VD
css11501b(config-acl[1])# clause 20 permit any any destination any
css11501b(config-acl[1])# apply circuit-(VLANxxx)
group VD
  vip address 1.1.93.36
  active
**** Make sure to create an ACL with permit any for ALL VLANs, otherwise everything will get denied on that VLAN
**** Remember to run the global command "acl enable"
Notice there are no services on the group: the ACL defines the source, and the destination is the content rule configured.
Hope it helps!!
Diego M
03-10-2008 07:32 AM
BTW: Keep in mind that mine is an example, you might need to customize.
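The following is an added illustration, not code from the thread or from Cisco: a small Python model of the first-match ACL evaluation Diego's answer relies on. It uses the thread's own addresses (VIP 1.1.93.36, server subnet 1.2.201.0/24, group VD) and assumes circuit names "VLAN_servers" (the one written as VLANxxx above) and "VLAN_clients", plus a constructed new app server 1.2.201.80 and an outside client 10.20.30.40. It shows the three outcomes that matter when reviewing such a change: clause 10 NATs only the server-subnet clients, clause 20 lets everyone else through with their source address intact, and a circuit with no ACL applied drops all traffic once "acl enable" is on.

```python
"""Toy first-match ACL model (added example, not the CSS software).

Mirrors only the behaviour described in the thread: clauses are tried in
ascending order, the first match wins, a permit clause that names a
sourcegroup rewrites the client source to the group's VIP, and once
'acl enable' is on a circuit with no ACL applied denies everything.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands in for the 'any' keyword in a clause


@dataclass
class Clause:
    number: int
    action: str                              # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]     # ANY or a source network
    dst_content: Optional[str]               # ANY or "owner/content"
    sourcegroup: Optional[str] = None        # group applied on a match


@dataclass
class CSS:
    acl_enabled: bool
    content_rules: dict   # (vip, port) -> "owner/content"
    groups: dict          # group name -> NAT address (the group's VIP)
    circuit_acl: dict     # circuit (VLAN) name -> list of Clause

    def forward(self, circuit, src_ip, dst_ip, dst_port):
        """Return what happens to one client flow arriving on `circuit`."""
        content = self.content_rules.get((dst_ip, dst_port))
        permit = {"action": "permit", "content": content,
                  "source_seen_by_server": src_ip, "matched_clause": None}
        if not self.acl_enabled:
            return permit                       # ACLs off: nothing filtered or NATed
        clauses = self.circuit_acl.get(circuit)
        if clauses is None:                     # 'acl enable' on, no ACL on this VLAN
            return _deny(content, "no ACL applied to circuit")
        src = ipaddress.ip_address(src_ip)
        for clause in sorted(clauses, key=lambda c: c.number):
            if clause.src is not ANY and src not in clause.src:
                continue
            if clause.dst_content is not ANY and clause.dst_content != content:
                continue
            if clause.action == "deny":
                return _deny(content, f"clause {clause.number}")
            if clause.sourcegroup:              # source group => client is NATed
                permit["source_seen_by_server"] = self.groups[clause.sourcegroup]
            permit["matched_clause"] = clause.number
            return permit
        return _deny(content, "implicit deny at end of ACL")


def _deny(content, reason):
    return {"action": "deny", "content": content,
            "source_seen_by_server": None, "matched_clause": None, "reason": reason}


def build_thread_config(acl_enabled=True):
    """The content rules, group and ACL from the thread (circuit names assumed)."""
    server_net = ipaddress.ip_network("1.2.201.0/24")
    return CSS(
        acl_enabled=acl_enabled,
        content_rules={("1.1.93.36", 389): "Virtual_Directory/VD_389",
                       ("1.1.93.36", 636): "Virtual_Directory/VD_636"},
        groups={"VD": "1.1.93.36"},
        circuit_acl={
            "VLAN_servers": [   # assumed name for the circuit written as VLANxxx
                Clause(10, "permit", server_net, "Virtual_Directory/VD_389", "VD"),
                Clause(20, "permit", ANY, ANY),
            ],
            "VLAN_clients": [Clause(10, "permit", ANY, ANY)],  # the 'permit any' ACL
            # "VLAN_forgotten" deliberately gets no ACL, to show the deny-all effect
        },
    )


if __name__ == "__main__":
    css = build_thread_config()
    # Constructed addresses: 1.2.201.80 is the new app server, 10.20.30.40 an outside client
    print(css.forward("VLAN_servers", "1.2.201.80", "1.1.93.36", 389))   # NATed to VIP
    print(css.forward("VLAN_clients", "10.20.30.40", "1.1.93.36", 389))  # source kept
    print(css.forward("VLAN_servers", "1.2.201.80", "1.1.93.36", 636))   # clause 20, not NATed
    print(css.forward("VLAN_forgotten", "1.2.201.80", "1.1.93.36", 389)) # dropped
```

Running the model also surfaces the customization Diego alludes to: clause 10 names only VD_389, so a same-subnet server reaching VD_636 falls through to clause 20 and is not NATed; a second clause naming Virtual_Directory/VD_636 with the same sourcegroup would be needed for that rule.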