source destination group NAT

Unanswered Question
Sep 11th, 2008
User Badges:


I have two CSS configured with an external VLAN and a public redundant-vip. I also have an internal VLAN with private subnet and servers directly connected, CSS have a redundant-interface on this side.

My servers are dual-homed and their default gateway doesn't point to the redundant-interface.

Using source destination group, I'm able to NAT the source IP of ingress traffic to the redundant-vip address, in order to get the reverse traffic back through the CSS'. But this is not the behavior I want.

I would like the source IP for ingress traffic to be translated to the redundant-interface's IP (the CSS private address) so that the servers reply back to this address that is in the same subnet.

Is this possible?

Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
aghaznavi Wed, 09/17/2008 - 06:24
User Badges:
  • Silver, 250 points or more

NAT source IP addresses and source ports for flows originating from a client (client-side) on the public side of the CSS, add existing services to a source group as destination services. You can also configure access control lists (ACLs) to perform source NATing. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).

For more information click this URL


This Discussion