06-11-2010 03:27 PM
Hello,
I have a CSS 11501 running 08.10.1.06. It is configured with VLAN 82 (10.10.82.0/24) on the inside (server side) and VLAN 48 (10.10.48.0/22) on the outside (client side). Recently, my customer asked me to set it up such that requests INITIATED from the servers use the VIP address. I figured that I could do so using an acl with the sourcegroup option. That worked just fine.
Now, however, they are reporting that certain NFS mounts don't work - initiated from the servers to network attached storage out on the client side of the CSS. I thought that if I just added some lines to the acl WITHOUT the sourcegroup argument that would make those server requests work as they had earlier. No luck - when checking the storage logs, we still see the mount requests being originated from the sourcegroup VIP, not the servers' real IP addresses.
The real server IPs are 10.10.82.100, .101, .110, and .111.
The storage they are trying to mount is at 10.10.50.211 and 10.10.50.241.
The sourcegroup VIP that we are seeing used (which we DON'T want) is 10.10.50.168.
Any ideas?
Here are the config sections:
1. my acl:
!**************************** ACL ****************************
acl 1
clause 1 permit any 10.10.82.100 destination 10.10.50.211
clause 2 permit any 10.10.82.100 destination 10.10.50.241
clause 3 permit any 10.10.82.101 destination 10.10.50.211
clause 4 permit any 10.10.82.101 destination 10.10.50.241
clause 5 permit any 10.10.82.110 destination 10.10.50.211
clause 6 permit any 10.10.82.110 destination 10.10.50.241
clause 7 permit any 10.10.82.111 destination 10.10.50.211
clause 8 permit any 10.10.82.111 destination 10.10.50.241
clause 10 permit any 10.10.82.0 255.255.255.0 destination 10.10.50.170 255.255.255.255 sourcegroup vmi_load
clause 20 permit any 10.10.82.0 255.255.255.0 destination 10.10.48.0 255.255.252.0
clause 30 permit any 10.10.82.0 255.255.255.0 destination 69.40.0.0 255.255.248.0 sourcegroup default_nat
clause 100 permit any any destination any
apply circuit-(VLAN82)
2. my sourcegroups:
!*************************** GROUP ***************************
group default_nat
vip address 10.10.50.180
active
group vmi_load
vip address 10.10.50.168
add service vmi-82-100-443
add service vmi-82-101-443
add service vmi-82-110-443
add service vmi-82-111-443
add service vmi-82-100-80
add service vmi-82-101-80
add service vmi-82-110-80
add service vmi-82-111-80
add service vmi-82-100-8001
add service vmi-82-101-8001
add service vmi-82-100-8000
add service vmi-82-101-8000
active
3. The relevant services:
!************************** SERVICE **************************
service vmi-82-100-443
ip address 10.10.82.100
protocol tcp
port 443
keepalive type tcp
keepalive port 443
active
service vmi-82-100-80
ip address 10.10.82.100
protocol tcp
port 80
keepalive type tcp
keepalive port 80
active
service vmi-82-100-8000
ip address 10.10.82.100
protocol tcp
port 8000
keepalive type tcp
keepalive port 8000
active
service vmi-82-100-8001
ip address 10.10.82.100
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
service vmi-82-101-443
ip address 10.10.82.101
protocol tcp
port 443
keepalive type tcp
keepalive port 443
active
service vmi-82-101-80
ip address 10.10.82.101
protocol tcp
port 80
keepalive type tcp
keepalive port 80
active
service vmi-82-101-8000
ip address 10.10.82.101
protocol tcp
port 8000
keepalive type tcp
keepalive port 8000
active
service vmi-82-101-8001
ip address 10.10.82.101
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
service vmi-82-110-443
ip address 10.10.82.110
protocol tcp
port 443
keepalive type tcp
keepalive port 443
active
service vmi-82-110-80
ip address 10.10.82.110
protocol tcp
port 80
keepalive type tcp
keepalive port 80
active
service vmi-82-111-443
ip address 10.10.82.111
protocol tcp
port 443
keepalive type tcp
keepalive port 443
active
service vmi-82-111-80
ip address 10.10.82.111
protocol tcp
port 80
keepalive type tcp
keepalive port 80
active
06-11-2010 07:24 PM
Hi,
If I understand your end state correctly you want the servers sourcing nfs mount requests to bypass source nat, yes? If so, you will need to change your current acl clauses:
clause 1 permit any 10.10.82.100 destination 10.10.50.211
clause 2 permit any 10.10.82.100 destination 10.10.50.241
clause 3 permit any 10.10.82.101 destination 10.10.50.211
clause 4 permit any 10.10.82.101 destination 10.10.50.241
clause 5 permit any 10.10.82.110 destination 10.10.50.211
clause 6 permit any 10.10.82.110 destination 10.10.50.241
clause 7 permit any 10.10.82.111 destination 10.10.50.211
clause 8 permit any 10.10.82.111 destination 10.10.50.241
To the following:
clause 1 bypass any 10.10.82.100 destination 10.10.50.211
clause 2 bypass any 10.10.82.100 destination 10.10.50.241
clause 3 bypass any 10.10.82.101 destination 10.10.50.211
clause 4 bypass any 10.10.82.101 destination 10.10.50.241
clause 5 bypass any 10.10.82.110 destination 10.10.50.211
clause 6 bypass any 10.10.82.110 destination 10.10.50.241
clause 7 bypass any 10.10.82.111 destination 10.10.50.211
clause 8 bypass any 10.10.82.111 destination 10.10.50.241
This is an order of operation paradigm of how the CSS processes connections associated with IPs tied to content rules and services.
Hth.
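To make the ordering the reply describes concrete, here is a small Python model (added to this thread as an illustration, not CSS code or anything from Cisco's documentation) of how the posted ACL and source groups decide which source address the storage ends up seeing. It encodes the reply's rule: a permit clause admits the flow, but the CSS then still applies the source group whose services the originating server belongs to (vmi_load, VIP 10.10.50.168), so clauses 1-8 as posted do not stop the NAT; a bypass clause skips content rules and source groups, so the real server IP reaches the storage. Clause numbers, networks, group and service membership are taken from the posted config; the Clause/Group/Result types, the evaluate() and build_acl() helpers, and the assumption that an explicit sourcegroup argument on a clause takes precedence over group membership are mine.

```python
"""Model of CSS ACL clause evaluation and source-group NAT for
server-initiated flows, following the ordering described in the reply.
This is an added illustration, not CSS firmware behaviour verbatim."""

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")

@dataclass
class Clause:
    number: int
    action: str                       # "permit", "bypass" or "deny"
    src: IPv4Network
    dst: IPv4Network
    sourcegroup: Optional[str] = None  # explicit "sourcegroup <name>" on the clause

@dataclass
class Group:
    vip: IPv4Address
    members: set = field(default_factory=set)  # server IPs from "add service" lines

@dataclass
class Result:
    clause: Optional[int]
    action: str
    effective_src: IPv4Address

def evaluate(clauses, groups, src, dst):
    """First-match ACL lookup, then source-group selection for a src->dst flow."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for c in sorted(clauses, key=lambda c: c.number):
        if src in c.src and dst in c.dst:
            if c.action == "deny":
                return Result(c.number, "deny", src)
            if c.action == "bypass":
                # bypass skips content rules and source groups: real IP leaves the CSS
                return Result(c.number, "bypass", src)
            # permit: an explicit sourcegroup on the clause wins (assumption) ...
            if c.sourcegroup:
                return Result(c.number, "permit", groups[c.sourcegroup].vip)
            # ... otherwise a group whose services include this server still NATs it
            for g in groups.values():
                if src in g.members:
                    return Result(c.number, "permit", g.vip)
            return Result(c.number, "permit", src)
    return Result(None, "deny", src)  # implicit deny once an ACL is applied

# Addresses copied from the posted configuration
SERVERS = [IPv4Address(f"10.10.82.{h}") for h in (100, 101, 110, 111)]
STORAGE = [IPv4Address("10.10.50.211"), IPv4Address("10.10.50.241")]
GROUPS = {
    "default_nat": Group(IPv4Address("10.10.50.180")),
    "vmi_load": Group(IPv4Address("10.10.50.168"), set(SERVERS)),
}

def build_acl(storage_action):
    """Clauses 1-8 as posted ("permit") or as the reply suggests ("bypass")."""
    clauses, n = [], 1
    for s in SERVERS:
        for d in STORAGE:
            clauses.append(Clause(n, storage_action, IPv4Network(f"{s}/32"), IPv4Network(f"{d}/32")))
            n += 1
    clauses += [
        Clause(10, "permit", IPv4Network("10.10.82.0/24"), IPv4Network("10.10.50.170/32"), "vmi_load"),
        Clause(20, "permit", IPv4Network("10.10.82.0/24"), IPv4Network("10.10.48.0/22")),
        Clause(30, "permit", IPv4Network("10.10.82.0/24"), IPv4Network("69.40.0.0/21"), "default_nat"),
        Clause(100, "permit", ANY, ANY),
    ]
    return clauses

def source_seen_by_storage(storage_action, src="10.10.82.100", dst="10.10.50.211"):
    """Source address the NAS logs for an NFS mount under either ACL variant."""
    return str(evaluate(build_acl(storage_action), GROUPS, src, dst).effective_src)

if __name__ == "__main__":
    print("permit:", source_seen_by_storage("permit"))  # VIP, what the poster observed
    print("bypass:", source_seen_by_storage("bypass"))  # real server IP
```

The model also shows why the other clauses behave as intended: a VLAN 82 host that is not a member of vmi_load falls through to clause 20 and keeps its real address, while clause 10 and clause 30 NAT to their named groups because of the explicit sourcegroup argument. The practical check after changing clauses 1-8 to bypass is the same one the poster already used: the storage logs should show 10.10.82.x as the mount source, which matters because NFS exports are typically authorized by client IP.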