NAT outgoing traffic from server?

Answered Question
Jun 29th, 2007

This was a simple config to provide a "sorry" link when the server was down:

content elibrary
  protocol tcp
  port 80
  url "/*"
  add service corey
  vip address X.X.132.180
  active

service corey
  protocol tcp
  port 80
  ip address X.X.126.180
  active

service sorry-library
  ip address X.X.132.239
  keepalive type none
  type redirect
  redirect-string " aaa.bbb.ccc.uk/online/library/sorry/"
  active

... until the server needed to be able to initiate outgoing connections to 300 data providers on the internet using TCP:210, 2100, 2121, 3210, AND with the VIP (X.X.132.180) as source address.

Q1. If I add

group coreyNAT
  add service corey
  vip address X.X.132.180
  active

is that all I need to do, or do I need to create 4 more services -

service corey210
  protocol tcp
  port 210
  ip address X.X.126.180

service corey2100
  etc...

and add them to group coreyNAT as well?

Q2. So that existing live servers on the .126 subnet don't NAT to .132 when initiating connections, and corey doesn't NAT to .132 for connections initiated to internal servers, do I add this -

acl 1
  clause 99 permit any any destination any
  apply circuit-VLAN1   (this is the outside connection)

acl 26
  clause 10 permit any X.X.126.180 255.255.255.255 destination X.X.0.0 0.0.255.255
  clause 20 permit any X.X.126.180 255.255.255.255 destination any sourcegroup coreyNAT
  clause 99 permit any any destination any
  apply circuit-VLAN126   (this is the inside connection to the server corey)

acl 27
  clause 99 permit any any destination any
  apply circuit-VLAN127   (this is another inside connection)

acl enable

Regards

KeithR

Correct Answer by Gilles Dufour about 9 years 7 months ago

Keith,

If you configure the 'add service' under the group, the CSS will always NAT traffic from that particular service.

If you want to NAT only under certain conditions, do not specify an 'add service' and simply use an ACL to determine when to use the sourcegroup, as you showed.

You don't need to create a service for each port the server needs to reach.

Gilles.
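The two group configurations the answer contrasts, side by side, as an added example that is not part of the original thread and not a configuration taken from the poster's CSS. It reuses the service, group, circuit and ACL names from the question and the anonymised X.X addresses; the name of the "always NAT" group and the comment lines are assumptions made here for illustration.

```text
! Variant A (name assumed): unconditional source NAT.
! With 'add service corey' under the group, the CSS rewrites the source
! address of every flow corey initiates to the group VIP, including
! flows to the internal X.X.0.0 hosts. The ACLs play no part in this.
group coreyNAT-always
  vip address X.X.132.180
  add service corey
  active

! Variant B: conditional source NAT, as recommended in the answer.
! The group carries only the VIP; no service is added to it, so by
! itself it NATs nothing.
group coreyNAT
  vip address X.X.132.180
  active

! Traffic from corey enters the group only through the ACL on the
! inside circuit. Clauses are matched in order: clause 10 catches the
! internal destinations first and leaves them un-NATed, clause 20 then
! sends everything else from corey through the group. One group covers
! every destination port (210, 2100, 2121, 3210), so no per-port
! services are needed.
acl 26
  clause 10 permit any X.X.126.180 255.255.255.255 destination X.X.0.0 0.0.255.255
  clause 20 permit any X.X.126.180 255.255.255.255 destination any sourcegroup coreyNAT
  clause 99 permit any any destination any
  apply circuit-VLAN126

! The remaining circuits keep the permit-any ACLs from the question.
! These ACLs select NAT; the closing clause 99 in each is what lets all
! other traffic through.
acl 1
  clause 99 permit any any destination any
  apply circuit-VLAN1

acl 27
  clause 99 permit any any destination any
  apply circuit-VLAN127

acl enable
```

The ordering of clauses 10 and 20 is what answers Q2: swapping them would NAT the internal connections as well. Because clause 20 ends in 'destination any', the ACL selects NAT without limiting which outside hosts corey may reach; if the provider addresses were known (the thread does not list them), that clause's destination could be narrowed to them.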

keithredding Fri, 06/29/2007 - 08:21

Thanks for the swift response, Gilles.

I'll try not to bother you again for a while!

Regards

KeithR
