10-01-2008 06:26 AM
Hi,
I am using a source group on my CSS to NAT server-initiated traffic to the VIP address.
Currently it does not work, so I am doing troubleshooting.
I am using ISA1-NAT service for source group.
configure
!*************************** GLOBAL ***************************
cdp run
ip uncond-bridging
ip route 0.0.0.0 0.0.0.0 172.20.3.15 1
!************************* INTERFACE *************************
interface 1/1
trunk
description "ZG-DMZ-XCONN-Customer-Facing"
vlan 203
interface 1/2
description "ZG-DMZ-XCONN-Server-Facing"
trunk
vlan 207
!************************** CIRCUIT **************************
circuit VLAN207
description "Server-Facing"
ip address 172.20.7.2 255.255.255.0
ip virtual-router 207 priority 101 preempt
ip redundant-interface 207 172.20.7.1
circuit VLAN203
description "Customer-Facing"
ip address 172.20.3.103 255.255.255.0
ip virtual-router 203 priority 101 preempt
ip redundant-vip 203 172.20.3.105
!************************** SERVICE **************************
service HTTP-TO-HTTPS-OWA-REDIRECT
keepalive type none
type redirect
no prepend-http
domain https://xxx.xxx
service ISA1-NAT
ip address 172.20.7.101
active
service ISA1-OWA-HTTPS
weight 2
keepalive port 443
protocol tcp
port 443
ip address 172.20.7.101
active
service ISA1-PROXY
ip address 172.20.7.101
weight 2
port 8080
keepalive port 8080
protocol tcp
active
service ISA2-NAT
ip address 172.20.7.102
active
service ISA2-OWA-HTTPS
weight 2
keepalive port 443
protocol tcp
port 443
ip address 172.20.7.102
active
service ISA2-PROXY
ip address 172.20.7.102
weight 2
port 8080
protocol tcp
keepalive port 8080
active
service upstream-ping
!*************************** OWNER ***************************
owner HEP
content HTTP-PROXY
protocol tcp
port 8080
advanced-balance sticky-srcip
sticky-inact-timeout 10
add service ISA1-PROXY
add service ISA2-PROXY
vip address 172.20.3.105
active
content OWA
protocol tcp
port 443
advanced-balance sticky-srcip
sticky-inact-timeout 10
vip address 172.20.3.105
add service ISA1-OWA-HTTPS
add service ISA2-OWA-HTTPS
active
content OWA-HTTP-REDIRECT
vip address 172.20.3.105
protocol tcp
port 80
url "/*"
add service HTTP-TO-HTTPS-OWA-REDIRECT
!*************************** GROUP ***************************
group ISANat
vip address 172.20.3.105
add service ISA1-NAT
active
Does my show flows output look ok?
ZG-CSS1# sh flows
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
80.243.40.241   80    172.20.3.105    2020  172.20.7.101    TCP 1/1-203 1/2-207
172.20.7.101    4958  80.243.40.241   80    80.243.40.241   TCP 1/2-207 1/1-203
I don't get why in one case DPort is 2020 and in the second SPort is 4958. Shouldn't they be the same?
10-01-2008 09:14 AM
When we do client NAT, we also NAT the src port.
It seems to work for me.
Gilles.
10-01-2008 10:13 AM
Hi,
I am trying to NAT server-initiated traffic. For example, HTTP requests from my private servers to www servers on the Internet.
I don't see why (and how) I can do NAT of the src port. (In this case src ports are dynamic.)
Regards,
Branimir
10-01-2008 11:23 PM
The CSS will intercept the traffic based on the src ip, and it will change the src ip and the src port.
Since there is a single ip address for potentially multiple servers, we can't keep the same source port as 2 devices could come in with the same value.
So we take a new port from the list of available ports.
This is called PAT.
G.
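To make the PAT explanation concrete, here is a small model of what the source group does to server-initiated flows, written for this thread (it is not CSS code and not from the original posts). It uses the addresses from the config and the show flows output; the port pool start, the allocation order and the class/method names are assumptions, since the CSS picks from its own list of free ports.

```python
# Added example, not from the thread: a model of source-group PAT for
# server-initiated traffic. The CSS rewrites the src IP (to the group VIP)
# AND the src port, and keeps a flow entry so the return packet can be
# mapped back to the right server. Port pool values are constructed.

VIP = "172.20.3.105"  # group ISANat VIP from the config


class SourceGroupPat:
    def __init__(self, vip, nat_sources, pool_start=2000):
        self.vip = vip
        self.nat_sources = set(nat_sources)  # services added to the group
        self.next_port = pool_start          # assumed pool start (constructed)
        self.out = {}   # (src, sport, dst, dport) -> translated sport
        self.back = {}  # (peer, peer_port, translated sport) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        """Server -> Internet packet; returns the packet as sent upstream."""
        if src not in self.nat_sources:
            return (src, sport, dst, dport)  # not in the group: untouched
        key = (src, sport, dst, dport)
        if key not in self.out:
            # Fresh port per flow: two servers behind one VIP may both pick
            # the same source port, so the original value cannot be kept.
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = nat_port
            self.back[(dst, dport, nat_port)] = (src, sport)
        return (self.vip, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> VIP return packet; returns the packet delivered to the server, or None."""
        real = self.back.get((src, sport, dport))
        if dst != self.vip or real is None:
            return None  # no matching flow: the CSS has nothing to map it to
        return (src, sport) + real

    def flows(self):
        """Rows in 'show flows' column order: src, sport, dst, dport, NAT dst."""
        rows = []
        for (src, sport, dst, dport), nat_port in self.out.items():
            rows.append((dst, dport, self.vip, nat_port, src))  # return leg
            rows.append((src, sport, dst, dport, dst))          # outbound leg
        return rows


if __name__ == "__main__":
    pat = SourceGroupPat(VIP, ["172.20.7.101", "172.20.7.102"])
    pat.outbound("172.20.7.101", 4958, "80.243.40.241", 80)
    pat.outbound("172.20.7.102", 4958, "80.243.40.241", 80)  # same sport, ISA2
    for row in pat.flows():
        print(row)
```

Running it shows both ISA servers sending from port 4958 getting distinct translated ports behind 172.20.3.105, which is exactly why the DPort on the return leg differs from the SPort on the outbound leg.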
10-02-2008 12:24 AM
Hi G,
Thank you for the explanation. It was helpful.
Regards,
Branimir