show flows on CSS

Answered Question
Oct 1st, 2008

Hi,

I am using source group on my CSS to nat server initiated traffic to VIP address.

Currently it does not work, so I am doing troubleshooting.

I am using ISA1-NAT service for source group.

configure

!*************************** GLOBAL ***************************
cdp run
ip uncond-bridging
ip route 0.0.0.0 0.0.0.0 172.20.3.15 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  description "ZG-DMZ-XCONN-Customer-Facing"
  vlan 203

interface 1/2
  description "ZG-DMZ-XCONN-Server-Facing"
  trunk
  vlan 207

!************************** CIRCUIT **************************
circuit VLAN207
  description "Server-Facing"
  ip address 172.20.7.2 255.255.255.0
    ip virtual-router 207 priority 101 preempt
    ip redundant-interface 207 172.20.7.1

circuit VLAN203
  description "Customer-Facing"
  ip address 172.20.3.103 255.255.255.0
    ip virtual-router 203 priority 101 preempt
    ip redundant-vip 203 172.20.3.105

!************************** SERVICE **************************
service HTTP-TO-HTTPS-OWA-REDIRECT
  keepalive type none
  type redirect
  no prepend-http
  domain https://xxx.xxx

service ISA1-NAT
  ip address 172.20.7.101
  active

service ISA1-OWA-HTTPS
  weight 2
  keepalive port 443
  protocol tcp
  port 443
  ip address 172.20.7.101
  active

service ISA1-PROXY
  ip address 172.20.7.101
  weight 2
  port 8080
  keepalive port 8080
  protocol tcp
  active

service ISA2-NAT
  ip address 172.20.7.102
  active

service ISA2-OWA-HTTPS
  weight 2
  keepalive port 443
  protocol tcp
  port 443
  ip address 172.20.7.102
  active

service ISA2-PROXY
  ip address 172.20.7.102
  weight 2
  port 8080
  protocol tcp
  keepalive port 8080
  active

service upstream-ping

!*************************** OWNER ***************************
owner HEP

  content HTTP-PROXY
    protocol tcp
    port 8080
    advanced-balance sticky-srcip
    sticky-inact-timeout 10
    add service ISA1-PROXY
    add service ISA2-PROXY
    vip address 172.20.3.105
    active

  content OWA
    protocol tcp
    port 443
    advanced-balance sticky-srcip
    sticky-inact-timeout 10
    vip address 172.20.3.105
    add service ISA1-OWA-HTTPS
    add service ISA2-OWA-HTTPS
    active

  content OWA-HTTP-REDIRECT
    vip address 172.20.3.105
    protocol tcp
    port 80
    url "/*"
    add service HTTP-TO-HTTPS-OWA-REDIRECT

!*************************** GROUP ***************************
group ISANat
  vip address 172.20.3.105
  add service ISA1-NAT
  active

Does my show flows output look ok?

ZG-CSS1# sh flows
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
80.243.40.241   80    172.20.3.105    2020  172.20.7.101    TCP 1/1-203 1/2-207
172.20.7.101    4958  80.243.40.241   80    80.243.40.241   TCP 1/2-207 1/1-203

I don't get why in one case DPort is 2020 and in the second SPort is 4958? Should they not be the same?

Gilles Dufour Wed, 10/01/2008 - 09:14

When we do client NAT, we also NAT the src port.

It seems to work for me.

Gilles.

Branimir Turk Wed, 10/01/2008 - 10:13

Hi,

I am trying to NAT server-initiated traffic. For example, HTTP requests from my private servers to www servers on the Internet.

I don't see why (and how) I can do NAT of the src port? (In this case src ports are dynamic.)

Regards,

Branimir

Correct Answer
Gilles Dufour Wed, 10/01/2008 - 23:23

The CSS will intercept the traffic based on the src ip, and it will change the src ip and the src port.

Since there is a single ip address for potentially multiple servers, we can't keep the same source port as 2 devices could come in with the same value.

So we take a new port from the list of available ports.

This is called PAT.

G.
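The port rewrite Gilles describes, replayed against the two `sh flows` rows from the question, as an added Python model (not CSS code and not from the thread): both real servers behind the single VIP could open a connection from port 4958, so the source group has to hand each one a distinct port on the VIP, and the return flow is matched on that translated port. The port pool and the table layout are assumptions for illustration.

```python
"""Constructed model of the source-group PAT described in the answer.
One VIP fronts several real servers, so the CSS rewrites source address AND
source port of server-initiated flows and matches the return flow on the
translated port. Addresses/ports are from the thread; the pool is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
Endpoint = Tuple[str, int]  # (ip, port)
# The two 'sh flows' rows quoted in the question (constructed copy).
SHOW_FLOWS = """\
80.243.40.241 80 172.20.3.105 2020 172.20.7.101 TCP 1/1-203 1/2-207
172.20.7.101 4958 80.243.40.241 80 80.243.40.241 TCP 1/2-207 1/1-203
"""

@dataclass
class SourceGroupPAT:
    vip: str
    port_pool: range  # assumed range, not a documented CSS setting
    to_vip: Dict[Endpoint, int] = field(default_factory=dict)     # server -> VIP port
    to_server: Dict[int, Endpoint] = field(default_factory=dict)  # VIP port -> server

    def translate(self, src: Endpoint) -> Endpoint:
        """Outbound packet from a real server: rewrite src to (vip, fresh port)."""
        if src not in self.to_vip:
            # Two servers may both use e.g. 4958, so the original port cannot be kept.
            port = next(p for p in self.port_pool if p not in self.to_server)
            self.to_vip[src], self.to_server[port] = port, src
        return self.vip, self.to_vip[src]

    def untranslate(self, dst: Endpoint) -> Endpoint:
        """Return packet from the Internet: map (vip, translated port) back."""
        if dst[0] != self.vip or dst[1] not in self.to_server:
            raise KeyError(f"no PAT entry for {dst}")
        return self.to_server[dst[1]]

def parse_flows(text: str) -> List[dict]:
    """Parse rows of: Src SPort Dst DPort NATDst Prt InPort OutPort."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [{"src": (f[0], int(f[1])), "dst": (f[2], int(f[3])), "nat_dst": f[4]}
            for f in rows]

def check_thread_flows() -> dict:
    """Replay the thread: ISA1 opens from 4958 (ISA2 could too); reply hits 2020."""
    pat = SourceGroupPAT(vip="172.20.3.105", port_pool=range(2020, 2030))
    rows = parse_flows(SHOW_FLOWS)
    outbound = next(r for r in rows if r["dst"][0] != pat.vip)  # server -> Internet
    inbound = next(r for r in rows if r["dst"][0] == pat.vip)   # Internet -> VIP
    isa1 = pat.translate(outbound["src"])                       # ('172.20.3.105', 2020)
    isa2 = pat.translate(("172.20.7.102", 4958))                # same port, other server
    server = pat.untranslate(inbound["dst"])                    # ('172.20.7.101', 4958)
    return {"isa1": isa1, "isa2": isa2, "server": server, "nat_dst_ok": server[0] == inbound["nat_dst"]}
```

`check_thread_flows()` shows the inbound row's DPort 2020 is the VIP-side port the source group allocated, while 4958 stays the server's own port; the two values are not supposed to match.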
