Showing results for 
Search instead for 
Did you mean: 

PAT NAT problem on ASA and CSS


Hi All,

Hitting my head against a wall with this any solution would be greatfully recieved.

Basically I have a server on VLAN x connected to a 11500 CSS which is connected to the ASA on VLAN y. The CSS is creating a VIP on VLAN y for web traffic but not load balancing as there is only 1 server.

I have natted a external addess to the VIP. My problem is that all other outbound traffic must go out of the ASA on the same external address as the VIP.

My only thought is to PAT the WWW and HTTPS to the VIP but is there any way to say all other ports should go to the true server address? or is there another way round this.



1 Reply 1


Hi Scott,

I am not 100% sure what you want, but the CSS can route trafic, no problem.

If you have the CSS on a kind of public DMZ, and here is the VIP of the CSS. The ASA does a staic nat from outside to this DMZ.

The server(s) is on another DMZ and they route (default GW) from servers to the curcet ip of the CSS.

Outbound trafic from serves can be done on more than one way. here is a option.

The VIP can be running on port so (443 and 80), the rest of the outbound trafic can go routed by the CSS so you will see the CSS Curcet address on that.

If this is not what you want pls. tell or send a picture with some info


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers