>>This concept is valid if you have no loadbalancer, but with a CSS, you can use probe to detect a server that is down and new connections will automatically go the next server.

well,its just so i want.

but question is not in my design!

Question - why my acl to bypass and sourcegroup is not working? if i want to NAT only specific traffic from servers.

thanks.

Hi,

where is the 10.x.y.z ip-address located? What is the circuit your traffic enters the CSS? Why did you not apply the ACL to all ciruits and give it a try? Next if the traffic hits a rule the CSS is not able to decide which destination is chosen. This should not be any problem in your case as the service are in the range of 192.168.x.y.

kind Regards,

Joerg

Hello

10.x.y.z is located in other side of CSS,but not in the same subnet

10.x.y.z

|

uplink router

|

CSS

|

192.168.x.y (server side)

I just want pass traffic from servers to some IPs in 10.x.y.z directly (not NATing), to others IPs with NATing. And dont understand why its not work via acl?

ACL with sourcegroup is apply to server circuit only.

To other citcuits apllies other ACLs (Let even permit any destination any)

thanks.

answer : the bypass option does not apply to source group but only content rules.

Again, I don't see the need for 2 content rules.

Please explain why you need 2 content rule and why a client would have to try 1 vip and then the other ???

If 2 rules are not needed [as I believe] then your config is not required and everything is simple and easy.

Gilles.

>>answer : the bypass option does not apply to source group but only content rules.

OK, how to configure CSS to not NAT specific traffic,but NAT the rest one?

and what about this: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029cab6.html#wp1150203

there in example used bypass option in ACL. Or I dont something understand?

2 content rules i need not for one client!

I my design the first client must always communicate with first server and if first server fail switch to second server, second client always communicate with second server and if second server fail switch to first. Thats why i tried do it using two content rules, first for first and second for second client.

But because of ftp-data connection and using only one sourcegroup (with ip = vip of any content rules) for it i cannot use 2 content rules.

this part of the documentation might not be perfectly clear, but what it says is that clause 2 of the acl is not using the 'sourcegroup' option so there is no client nat and it is using bypass, so traffic will not match any rule, so no destination nat.

As you can see in this same acl, clause 3 is what you need to do.

At step #1, define your group with no services assigned.

At step #3, create an acl to define which traffic should use the sourcegroup.

Now, I have a better understanding of your design requirement.

However, I still believe this design comes from a time when there was no loadbalancer.

I would personally prefer to have all my users going to 1 ip and share the 2 servers all the time.

With the current config, the CSS is useless.

Having half your clients going to ip1 and the other half to ip2 and 2 servers, you can do this without a CSS or any loadbalancer.

This is just an advice from my own experience.

Gilles.

Thanks for quick reply, Gilles!

I'll try this.