01-25-2010 10:48 AM
Hi,
We've got a CSS running software 8.1 and we're performing source NAT on IP addresses in our back-end networks to IP addresses on a front-end network.
Essentially each IP on the back-end is translated to a single IP address on the front-end (customer side) network, for example:
service Service_Example1
ip address 10.0.0.1
active
!
group NAT-Example1
vip address 192.168.100.100
add service Service_Example1
flow-timeout-multiplier 1350
active
!
The problem we're experiencing is that the CSS upon performing source NAT for connections outbound from the back-end, it also randomizes the source TCP port for the outgoing packet which poses a problem with an application which expects the TCP source port to be within a very tight range.
Restricting the port-map range for the NAT also doesn't help as it will still randomize the TCP source port but just to a smaller range.
I know that the source port randomization can be disabled for UDP flows but can this be done for TCP and if so, how?
02-02-2010 01:23 AM
portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
There is no possibility to disable it for TCP.
We need to source NAT the port to guarantee that the server response comes back on the same module/CPU, and the internal packet allocation algorithm is based on src and dst ports.
Gilles
02-02-2010 01:26 AM
Hi,
There's only one problem with your suggestion with regards to my original question:
This option does not affect TCP flows.
02-02-2010 01:58 AM
Yes, I realised I had forgotten the last part and updated my initial comment.
This does not apply to TCP and therefore there is no solution for TCP.
This behavior is required because the CSS is modular and all modules participate to packet processing.
The traffic is assigned to the modules based on a hash of the src and dst port.
Since one module needs to process inbound and outbound traffic of a single connection, we need to guarantee that the hash of the NATed traffic does come back to the same module, so we change the src port since normally the src port should not matter for an application.
Gilles
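To illustrate the reasoning in the answer above (modules selected by a hash of the source and destination ports, so the NAT source port must be chosen so the reply hashes to the same module), here is an added toy model; it is not the CSS's code, and the hash function, module count and port values are assumptions made up for the example.

```python
# Toy model of why a modular load balancer rewrites the TCP source port when
# it source-NATs a flow. Hash function and module count are ASSUMED for the
# example; they are not the CSS's real internal allocation algorithm.
from typing import Optional

NUM_MODULES = 4  # assumed number of processing modules


def module_for(src_port: int, dst_port: int) -> int:
    """Assumed per-packet distribution: a hash of the src and dst ports."""
    return ((src_port * 31) ^ dst_port) % NUM_MODULES


def reply_module_if_port_unchanged(orig_src: int, dst_port: int) -> int:
    """Module the server's reply would hit if the source port were kept.

    In the reply, src and dst ports swap, so the hash is taken over
    (dst_port, orig_src) instead of (orig_src, dst_port).
    """
    return module_for(dst_port, orig_src)


def pick_nat_port(orig_src: int, dst_port: int,
                  portmap_base: int, portmap_size: int) -> Optional[int]:
    """Choose a NAT source port from the portmap range (cf. 'portmap
    base-port' / 'number-of-ports') such that the reply lands on the same
    module that handled the outbound packet. Returns None if no port in the
    range satisfies the constraint, which is why a narrow range still
    changes the port: it only shrinks the candidate set."""
    target = module_for(orig_src, dst_port)
    for port in range(portmap_base, portmap_base + portmap_size):
        if module_for(dst_port, port) == target:  # reply direction
            return port
    return None


if __name__ == "__main__":
    # Constructed sample flow: client port 40000 -> server port 443.
    out_mod = module_for(40000, 443)
    print("outbound handled by module", out_mod)
    print("reply w/o port rewrite hits module",
          reply_module_if_port_unchanged(40000, 443))
    print("NAT port chosen from 2016-2019:", pick_nat_port(40000, 443, 2016, 4))
```

Running it shows the unchanged-port reply landing on a different module than the outbound packet, while the chosen NAT port steers it back.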