CSS11503 and NAT

fedefalchi
Level 1

Hi guys,

I know the CSS is too old, but I have one in a production environment and I was asked if it is possible for the CSS to NAT inside addresses and translate them into one external IP address for different kinds of communications, for example:

172.16.4.9 and 172.16.4.10 (inside addresses) should start connections to external destination IP addresses 50.50.50.50 / 60.60.60.60 / 70.70.70.70 / 80.80.80.80 and so on. The default gateway for those servers is the CSS, and I would like to know if it is possible for all connections to the external world to be translated into one IP address, 172.16.4.100.

My CSS is 11503

Version: sg0810106

Regards,

--

Fernando

Accepted Solution

pablo.nxh
Level 3

Hi Fernando,

You can do this by enabling ACLs on the CSS and making them NAT only the specific traffic that you need:

I just pasted a config sample below; basically you'll need:

1) A source group with the specific IP you want to use for NAT. This sourcegroup will not have any services configured, either as add service or add destination service.

2) A network qualifier list (NQL) where you will add the internal hosts that require NAT.

3) Finally, create an ACL where you specify the NQL as the source of the request to the specific destination IP and the sourcegroup to NAT the request. Please note that at the end there's an IP any any so that all the traffic that is not matched by the first lines is routed/load balanced normally through the CSS.

* You need to create/apply an ACL per circuit on the CSS, even if that interface is just for redundancy.

! Source group whose VIP is the NAT address
group Outbound-NAT
  vip address 172.16.4.100
  active

! Internal hosts that require NAT
nql Internal-Hosts
  ip address 172.16.4.9 255.255.255.255
  ip address 172.16.4.10 255.255.255.255

! NAT the listed destinations; clause 30 passes everything else untranslated
acl 1
  clause 10 permit any nql Internal-Hosts destination 50.50.50.50 255.255.255.255 sourcegroup Outbound-NAT
  clause 11 permit any nql Internal-Hosts destination 60.60.60.60 255.255.255.255 sourcegroup Outbound-NAT
  clause 12 permit any nql Internal-Hosts destination 70.70.70.70 255.255.255.255 sourcegroup Outbound-NAT
  clause 13 permit any nql Internal-Hosts destination 80.80.80.80 255.255.255.255 sourcegroup Outbound-NAT
  clause 30 permit any any destination any
  apply circuit-(VLANX)

CSS(config)# acl enable

HTH


Pablo
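
Added example (not part of the original answer, and not Cisco code): a small Python model of the ACL above that shows which flows are translated to 172.16.4.100 and which fall through to clause 30 untranslated. It assumes first-match evaluation in clause-number order and an implicit deny when no clause matches, takes the fourth destination as 80.80.80.80 from the question, and the `parse` and `evaluate` helpers are hypothetical names.

```python
import ipaddress
import re
# Constructed input: group, NQL and ACL clauses copied from the answer above.
GROUP_VIPS = {"Outbound-NAT": "172.16.4.100"}
NQLS = {"Internal-Hosts": ["172.16.4.9/32", "172.16.4.10/32"]}
CLAUSES = """\
clause 10 permit any nql Internal-Hosts destination 50.50.50.50 255.255.255.255 sourcegroup Outbound-NAT
clause 11 permit any nql Internal-Hosts destination 60.60.60.60 255.255.255.255 sourcegroup Outbound-NAT
clause 12 permit any nql Internal-Hosts destination 70.70.70.70 255.255.255.255 sourcegroup Outbound-NAT
clause 13 permit any nql Internal-Hosts destination 80.80.80.80 255.255.255.255 sourcegroup Outbound-NAT
clause 30 permit any any destination any
"""

# Only the clause shapes used on this page: protocol "any", source "any" or an NQL.
CLAUSE_RE = re.compile(
    r"clause (\d+) (permit|deny) any (any|nql \S+) destination "
    r"(any|\S+ \S+)(?: sourcegroup (\S+))?$")

def parse(text):
    """Turn clause lines into (number, action, src_nets, dst_net, group) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = CLAUSE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported clause: {line!r}")
        num, action, src, dst, group = m.groups()
        src_nets = None if src == "any" else [
            ipaddress.ip_network(n) for n in NQLS[src.split()[1]]]
        dst_net = None if dst == "any" else ipaddress.ip_network("/".join(dst.split()))
        rules.append((int(num), action, src_nets, dst_net, group))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src, dst):
    """Return (matching clause, action, source address after NAT) for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, src_nets, dst_net, group in rules:
        if src_nets is not None and not any(s in n for n in src_nets):
            continue
        if dst_net is not None and d not in dst_net:
            continue
        # A permit clause with a sourcegroup rewrites the source to the group VIP.
        nat = GROUP_VIPS[group] if group and action == "permit" else src
        return num, action, nat
    return None, "deny", src  # assumption: nothing matched, implicit deny

if __name__ == "__main__":
    rules = parse(CLAUSES)
    for flow in [("172.16.4.9", "50.50.50.50"), ("172.16.4.9", "203.0.113.7")]:
        print(flow, "->", evaluate(rules, *flow))
```

Evaluating the same flows with clause 30 dropped from the rule list shows why the final catch-all permit matters under this model: every flow not named in clauses 10 to 13 is then denied instead of being forwarded.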


2 Replies


Hi Pablo,

Thanks for the help, it will help me a lot.

Cheers,