Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
0
Helpful
4
Replies

show flows on CSS

Go to solution
Branimir Turk
Level 1
Level 1

‎10-01-2008 06:26 AM

Hi,

I am using source group on my CSS to nat server initiated traffic to VIP address.

Currently it does not work, so I am doing troubleshooting.

I am using ISA1-NAT service for source group.

configure

!*************************** GLOBAL ***************************

cdp run

ip uncond-bridging

ip route 0.0.0.0 0.0.0.0 172.20.3.15 1

!************************* INTERFACE *************************

interface 1/1

trunk

description "ZG-DMZ-XCONN-Customer-Facing"

vlan 203

interface 1/2

description "ZG-DMZ-XCONN-Server-Facing"

trunk

vlan 207

!************************** CIRCUIT **************************

circuit VLAN207

description "Server-Facing"

ip address 172.20.7.2 255.255.255.0

ip virtual-router 207 priority 101 preempt

ip redundant-interface 207 172.20.7.1

circuit VLAN203

description "Customer-Facing"

ip address 172.20.3.103 255.255.255.0

ip virtual-router 203 priority 101 preempt

ip redundant-vip 203 172.20.3.105

!************************** SERVICE **************************

service HTTP-TO-HTTPS-OWA-REDIRECT

keepalive type none

type redirect

no prepend-http

domain https://xxx.xxx

service ISA1-NAT

ip address 172.20.7.101

active

service ISA1-OWA-HTTPS

weight 2

keepalive port 443

protocol tcp

port 443

ip address 172.20.7.101

active

service ISA1-PROXY

ip address 172.20.7.101

weight 2

port 8080

keepalive port 8080

protocol tcp

active

service ISA2-NAT

ip address 172.20.7.102

active

service ISA2-OWA-HTTPS

weight 2

keepalive port 443

protocol tcp

port 443

ip address 172.20.7.102

active

service ISA2-PROXY

ip address 172.20.7.102

weight 2

port 8080

protocol tcp

keepalive port 8080

active

service upstream-ping

!*************************** OWNER ***************************

owner HEP

content HTTP-PROXY

protocol tcp

port 8080

advanced-balance sticky-srcip

sticky-inact-timeout 10

add service ISA1-PROXY

add service ISA2-PROXY

vip address 172.20.3.105

active

content OWA

protocol tcp

port 443

advanced-balance sticky-srcip

sticky-inact-timeout 10

vip address 172.20.3.105

add service ISA1-OWA-HTTPS

add service ISA2-OWA-HTTPS

active

content OWA-HTTP-REDIRECT

vip address 172.20.3.105

protocol tcp

port 80

url "/*"

add service HTTP-TO-HTTPS-OWA-REDIRECT

!*************************** GROUP ***************************

group ISANat

vip address 172.20.3.105

add service ISA1-NAT

active

Does my show flows output look ok?

ZG-CSS1# sh flows

--------------- ----- --------------- ----- --------------- --- ------- ------

Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort

--------------- ----- --------------- ----- --------------- --- ------- ------

80.243.40.241 80 172.20.3.105 2020 172.20.7.101 TCP 1/1-203 1/2-207

172.20.7.101 4958 80.243.40.241 80 80.243.40.241 TCP 1/2-207 1/1-203

I dont get why in one case DPort is 2020 and ind second SPort is 4958? Should not the be the same?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to Branimir Turk

‎10-01-2008 11:23 PM

The CSS will intercept the traffic based on the src ip, and it will change the src ip and the src port.

Since there is a single ip address for potentially multiple servers, we can't keep the same source port as 2 devices could come in with the same value.

So we take a new port from the list of available ports.

This is called PAT.

G.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎10-01-2008 09:14 AM

when we do client nat, we also nat the src port.

It seems to work for me.

Gilles.

0 Helpful

Go to solution
Branimir Turk
Level 1
Level 1
In response to Gilles Dufour

‎10-01-2008 10:13 AM

Hi,

I am trying to nat server initiated traffic. For example, http requests from my private servers to www servers on Internet.

I dont see why (and how) i can do nat of the src port? (In this case src prots are dynamic.)

Regards,

Branimir

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to Branimir Turk

‎10-01-2008 11:23 PM

The CSS will intercept the traffic based on the src ip, and it will change the src ip and the src port.

Since there is a single ip address for potentially multiple servers, we can't keep the same source port as 2 devices could come in with the same value.

So we take a new port from the list of available ports.

This is called PAT.

G.

0 Helpful

Go to solution
Branimir Turk
Level 1
Level 1
In response to Gilles Dufour

‎10-02-2008 12:24 AM

Hi G,

Thank you for the explanation. It was helpful.

Regards,

Branimir

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents