NAT outgoing traffic from server?

keithredding
Level 1

This was a simple config to provide a "sorry" link when the server was down -

content elibrary
  protocol tcp
  port 80
  url "/*"
  add service corey
  vip address X.X.132.180
  active

service corey
  protocol tcp
  port 80
  ip address X.X.126.180
  active

service sorry-library
  ip address X.X.132.239
  keepalive type none
  type redirect
  redirect-string " aaa.bbb.ccc.uk/online/library/sorry/"
  active

... until the server needed to be able to initiate outgoing connections to 300 data providers on the internet using TCP:210, 2100, 2121, 3210, AND with the VIP (X.X.132.180) as source address.

Q1. If I add

group coreyNAT
  add service corey
  vip address X.X.132.180
  active

is that all I need to do, or do I need to create 4 more services -

service corey210
  protocol TCP
  port 210
  ip address X.X.126.180

service corey2100
  etc...

and add them to group coreyNAT as well?

Q2. So that existing live servers on the .126 subnet don't NAT to .132 when initiating connections, and corey doesn't NAT to .132 for connections initiated to internal servers, do I add this -

acl 1
  clause 99 permit any any destination any
  apply circuit-VLAN1 (this is the outside connection)

acl 26
  clause 10 permit any X.X.126.180 255.255.255.255 destination X.X.0.0 0.0.255.255
  clause 20 permit any X.X.126.180 255.255.255.255 destination any sourcegroup coreyNAT
  clause 99 permit any any destination any
  apply circuit-VLAN126 (this is the inside connection to the server corey)

acl 27
  clause 99 permit any any destination any
  apply circuit-VLAN127 (this is another inside connection)

acl enable

Regards

KeithR

Accepted Solution

Gilles Dufour
Cisco Employee

Keith,

If you configure the 'add service' under the group, the CSS will always NAT traffic from that particular service.

If you want to only NAT under certain conditions, do not specify an 'add service' and simply use an ACL to determine when to use the sourcegroup, as you showed.

You don't need to create a service for each port the server needs to reach.

Gilles.
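To make the ACL-driven behaviour Gilles describes concrete, here is an added example (not from the thread or from Cisco) that models acl 26 from the question in Python and reports, per flow, whether the coreyNAT source group would be applied. It assumes clauses are evaluated in order with the first match winning and an implicit deny after the last clause, uses the constructed prefix 10.20 for the post's X.X, and models the destination "X.X.0.0 0.0.255.255" as the /16 it describes.

```python
"""Added example: first-match evaluation of acl 26 from the question.
Assumptions not stated on the page: clauses are tried in order, the first
match wins, and with 'acl enable' an unmatched flow is denied. 10.20 is a
constructed stand-in for the post's X.X, and 'X.X.0.0 0.0.255.255' is
modelled as the /16 it describes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
COREY = ipaddress.ip_network("10.20.126.180/32")   # real address of corey
INSIDE = ipaddress.ip_network("10.20.0.0/16")      # internal destinations


@dataclass(frozen=True)
class Clause:
    number: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sourcegroup: Optional[str] = None  # source-NAT via this group when set


# acl 26, applied on the inside circuit facing corey
ACL_26: List[Clause] = [
    Clause(10, COREY, INSIDE),           # corey -> internal: keeps its own address
    Clause(20, COREY, ANY, "coreyNAT"),  # corey -> anything else: NATed to the VIP
    Clause(99, ANY, ANY),                # every other host: passes untouched
]


def evaluate(acl: List[Clause], src: str, dst: str) -> Optional[Tuple[int, Optional[str]]]:
    """Return (matching clause number, sourcegroup or None), or None on implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for clause in acl:  # first match wins
        if src_ip in clause.src and dst_ip in clause.dst:
            return clause.number, clause.sourcegroup
    return None


def nat_group(acl: List[Clause], src: str, dst: str) -> Optional[str]:
    """Source group the flow is NATed through, or None if it keeps its address."""
    hit = evaluate(acl, src, dst)
    return hit[1] if hit else None


if __name__ == "__main__":
    # Constructed flows: corey to an internal host, corey to an internet data
    # provider, and a neighbouring .126 server to the same provider.
    for src, dst in [("10.20.126.180", "10.20.127.5"),
                     ("10.20.126.180", "198.51.100.7"),
                     ("10.20.126.55", "198.51.100.7")]:
        print(src, "->", dst, evaluate(ACL_26, src, dst))
```

Note that the order matters: swapping clauses 10 and 20 would NAT corey's internal connections too, which is exactly what the question wants to avoid.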

Thanks for the swift response, Gilles.

I'll try not to bother you again for a while!

Regards

KeithR
