Cisco CSS how to turn off Source NAT?

Aug 17th, 2007


A question to load balancer aficionados:

We currently have a CSS operating in a 'one-armed design', however this performs Source NAT so that return traffic from web servers goes back through the CSS.

The problem is that we have a requirement to log and filter source addresses on the web servers.

I have found some references mentioning that this is possible using Direct Server Return (it seems to employ dispatch mode to do this).

Does anyone have any experience, better ideas, thoughts on such a design & how to accomplish it, etc.?

Any replies are appreciated.

Diego Vargas Fri, 08/17/2007 - 16:13


The CSS is not able to perform DSR. What you can do to remove source NATing is remove the groups and configure the CSS as the default gateway of the servers.

This is usually a configuration implemented when using in-line style; however, it should work fine on one-arm. Also disable ICMP redirects on the CSS to avoid causing the asymmetric flows.

You can disable the ICMP redirects with this command on the VLAN configuration:

CSS(config-circuit-ip[VLAN112-])# no redirects

Hope it helps!!
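
An added example, not part of the original thread: one way to confirm from a web server's access log that source NAT is really gone after the change described above. The log format (Common Log Format), the load balancer subnet `10.1.112.0/29` and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed addresses owned by the load balancer (circuit IP / source groups).
LB_NETWORKS = [ipaddress.ip_network("10.1.112.0/29")]

# Common Log Format: client address is the first field, then ident, user, [time], "request".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def client_ips(lines):
    """Yield the client address of every well-formed log line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # truncated or non-CLF line
        try:
            yield ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname instead of an address in the client field

def snat_report(lines, lb_networks=LB_NETWORKS):
    """Summarise who the server thinks its clients are.

    If every request appears to come from the load balancer, source NAT is
    still masking the real clients. Probes sent by the load balancer itself
    may still appear after the change, so only a 100% share is flagged.
    """
    counts = Counter(client_ips(lines))
    total = sum(counts.values())
    from_lb = sum(n for ip, n in counts.items()
                  if any(ip in net for net in lb_networks))
    return {"total": total, "from_lb": from_lb,
            "distinct_clients": len(counts),
            "snat_suspected": total > 0 and from_lb == total}

# Constructed sample logs: before (source groups active) and after the change.
BEFORE = ['10.1.112.2 - - [17/Aug/2007:16:00:0%d +0000] "GET / HTTP/1.1" 200 512' % i
          for i in range(3)]
AFTER = ['198.51.100.7 - - [17/Aug/2007:17:00:01 +0000] "GET / HTTP/1.1" 200 512',
         '203.0.113.40 - - [17/Aug/2007:17:00:02 +0000] "GET /a HTTP/1.1" 200 90',
         '10.1.112.2 - - [17/Aug/2007:17:00:03 +0000] "HEAD / HTTP/1.0" 200 0',
         'garbled line without CLF fields']

if __name__ == "__main__":
    print("before:", snat_report(BEFORE))
    print("after: ", snat_report(AFTER))
```
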

