CSS 11503 one arm configuration problem

Unanswered Question
Mar 25th, 2008
User Badges:

I have a one css 11503 which i have configured in a one arm design. The configuration looks okay and i have seen a similar problem on the forum. the client PCs do not get any response when they try to access the web servers through the css, but if i try directly to reach them i can get html content properly. has anyone experienced this problem and what is the solution?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Tue, 03/25/2008 - 07:38
User Badges:
  • Cisco Employee,

use sniffer trace to verify if traffic gets to the CSS and if it then reach the server.

Then verify that the response from the server goes through the CSS and then to the client [not directly to the client].


The easy solution is configure a group to do client nat.


Gilles.

ericmwangi Tue, 03/25/2008 - 11:20
User Badges:

Hi Gilles,


i guess what i have is a client NAT, because i have created a group and used the "add destination service" command. Now i dont know if i have understood this well but if i want to NAT the server ip addresses i have to use the "add service " command within the group. Now what i would like to know is if its possible to have both the "add service" and the "add destination service" in order to nat both server and client IP addresses or is this not necessary.


this is my "sh flow" output what do you advise


Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort

--------------- ----- --------------- ----- --------------- --- ------- ------

10.2.1.106 8000 10.2.1.153 2022 10.2.5.35 TCP 1/1 1/1

10.2.5.35 4183 10.2.1.153 80 10.2.1.106 TCP 1/1 1/1

10.2.1.107 8000 10.2.1.154 1058 0.0.0.0 TCP 1/1 Ipv4

10.2.1.106 8000 10.2.1.154 1051 0.0.0.0 TCP 1/1 Ipv4

10.2.5.35 19487 10.2.1.154 23 0.0.0.0 TCP 1/1 Ipv4


Thanks


Eric

Gilles Dufour Wed, 03/26/2008 - 01:41
User Badges:
  • Cisco Employee,

Eric,


is the connection that shows the problem opened from the server ?

You only need 'add service' for connections opened by the server.

If that's the case, you need to remove all 'add' commands from the goup config and use ACL to determine when to use the group.


sth like :

acl 1

clause 10 permit tcp any destination sourcegroup

clause 20 permit tcp destination any sourcegroup


The show flows is not very usefull because it doesn't tell you if we receive a response.

By default the CSS automatically create a flow for the response anticipating that we will receive one.

So, you should gather sniffer traces and follow the traffic to see where it fails.


Gilles.

Actions

This Discussion