cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
435
Views
0
Helpful
1
Replies

CSS acl w/o sourcegroup

Marvin Rhoads
Hall of Fame
Hall of Fame

Hello,

I have a CSS 11501 running 08.10.1.06. It is configured with VLAN 82 (10.10.82.0/24) on the inside (server side) and VLAN 48 (10.10.48.0/22) on the outside (client side). Recently, my customer asked me to set it up such that requests INITIATED from the servers use the VIP address. I figured that I could do so using an acl with the sourcegroup option. That worked just fine.

Now, however, they are reporrting that certain NFS mounts don't work - initiated from the servers to network attached storage out on the client side of the CSS. I thought that if I just added some lines to the acl WITHOUT the sourcegroup argument that would make those server requests wok as they had earlier. No luck - when checking the storage logs, we still see the mount requests being originated from the sourcegrup VIP, not the servers' real IP addresses.

The real server IPs are 10.10.82.100, .101, .110, and .111.

The storage they are trying to mount is at 10.10.50.211 and 10.10.50.241.

The sourcegroup VIP that we are seeing used (which we DON'T want) is 10.10.50.168.

Any ideas?

Here are the config sections:

1. my acl:

!**************************** ACL ****************************
acl 1
  clause 1 permit any 10.10.82.100 destination 10.10.50.211
  clause 2 permit any 10.10.82.100 destination 10.10.50.241
  clause 3 permit any 10.10.82.101 destination 10.10.50.211
  clause 4 permit any 10.10.82.101 destination 10.10.50.241
  clause 5 permit any 10.10.82.110 destination 10.10.50.211
  clause 6 permit any 10.10.82.110 destination 10.10.50.241
  clause 7 permit any 10.10.82.111 destination 10.10.50.211
  clause 8 permit any 10.10.82.111 destination 10.10.50.241
  clause 10 permit any 10.10.82.0 255.255.255.0 destination 10.10.50.170 255.255.255.255 sourcegroup vmi_load
  clause 20 permit any 10.10.82.0 255.255.255.0 destination 10.10.48.0 255.255.252.0
  clause 30 permit any 10.10.82.0 255.255.255.0 destination 69.40.0.0 255.255.248.0 sourcegroup default_nat
  clause 100 permit any any destination any
  apply circuit-(VLAN82)

2. my sourcegroups:

!*************************** GROUP ***************************
group default_nat
  vip address 10.10.50.180
  active

group vmi_load
  vip address 10.10.50.168
  add service vmi-82-100-443
  add service vmi-82-101-443
  add service vmi-82-110-443
  add service vmi-82-111-443
  add service vmi-82-100-80
  add service vmi-82-101-80
  add service vmi-82-110-80
  add service vmi-82-111-80
  add service vmi-82-100-8001
  add service vmi-82-101-8001
  add service vmi-82-100-8000
  add service vmi-82-101-8000
  active

3. The relevant services:

!************************** SERVICE **************************
service vmi-82-100-443
  ip address 10.10.82.100
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

service vmi-82-100-80
  ip address 10.10.82.100
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active

service vmi-82-100-8000
  ip address 10.10.82.100
  protocol tcp
  port 8000
  keepalive type tcp
  keepalive port 8000
  active

service vmi-82-100-8001
  ip address 10.10.82.100
  protocol tcp
  port 8001
  keepalive type tcp
  keepalive port 8001
  active

service vmi-82-101-443
  ip address 10.10.82.101
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

service vmi-82-101-80
  ip address 10.10.82.101
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active

service vmi-82-101-8000
  ip address 10.10.82.101
  protocol tcp
  port 8000
  keepalive type tcp
  keepalive port 8000
  active

service vmi-82-101-8001
  ip address 10.10.82.101
  protocol tcp
  port 8001
  keepalive type tcp
  keepalive port 8001
  active

service vmi-82-110-443
  ip address 10.10.82.110
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

service vmi-82-110-80
  ip address 10.10.82.110
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active

service vmi-82-111-443
  ip address 10.10.82.111
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

service vmi-82-111-80
  ip address 10.10.82.111
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active

1 Reply 1

stmccabe
Cisco Employee
Cisco Employee

Hi,

If I understand your end state correctly you want the servers sourcing nfs mount requests to bypass source nat, yes?  If so, you will need to change your current acl clauses:

clause 1 permit any  10.10.82.100 destination 10.10.50.211
  clause 2 permit any  10.10.82.100 destination 10.10.50.241
  clause 3 permit any  10.10.82.101 destination 10.10.50.211
  clause 4 permit any  10.10.82.101 destination 10.10.50.241
  clause 5 permit any  10.10.82.110 destination 10.10.50.211
  clause 6 permit any  10.10.82.110 destination 10.10.50.241
  clause 7 permit any  10.10.82.111 destination 10.10.50.211
  clause 8 permit any  10.10.82.111 destination 10.10.50.241

To the following:

clause 1 bypass any  10.10.82.100 destination 10.10.50.211
  clause 2 bypass any  10.10.82.100 destination 10.10.50.241
  clause 3 bypass any  10.10.82.101 destination 10.10.50.211
  clause 4 bypass any  10.10.82.101 destination 10.10.50.241
  clause 5 bypass any  10.10.82.110 destination 10.10.50.211
  clause 6 bypass any  10.10.82.110 destination 10.10.50.241
  clause 7 bypass any  10.10.82.111 destination 10.10.50.211
  clause 8 bypass any 10.10.82.111 destination 10.10.50.241

This is an order of operation paradigm of how the CSS processes connections associated with IPs tied to content rules and services..

Hth..

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: