12-09-2011 05:09 AM
Hi guys,
I know the CSS is too old, but I have one in a production environment and I was asked whether it is possible for the CSS to NAT inside addresses and translate them into one external IP address for different kinds of communications, for example:
172.16.4.9 and 172.16.4.10 (inside addresses) should start connections to external destination IP addresses 50.50.50.50 / 60.60.60.60 / 70.70.70.70 / 80.80.80.80 and so on. The default gateway for those servers is the CSS, and I would like to know if it is possible for all connections to the external world to be translated into one IP address, 172.16.4.100.
My CSS is 11503
Version: sg0810106
Regards,
--
Fernando
12-09-2011 09:14 AM
Hi Fernando,
You can do this by enabling ACLs on the CSS and making them NAT only the specific traffic that you need.
I just pasted a config sample below. Basically, you'll need:
1) A source group with the specific IP you want to use for NAT. This sourcegroup will not have any services configured, either as add service or add destination service.
2) A network qualifier list (NQL) where you will add the internal hosts that require NAT.
3) Finally, create an ACL where you specify the NQL as the source of the request to the specific destination IP and the sourcegroup to NAT the request. Please note that at the end there's an IP any any so that all the traffic that is not matched by the first lines is routed/load balanced normally through the CSS.
* You need to create/apply an ACL per circuit on the CSS, even if that interface is just for redundancy.

group Outbound-NAT
  vip address 172.16.4.100
  active

nql Internal-Hosts
  ip address 172.16.4.9 255.255.255.255
  ip address 172.16.4.10 255.255.255.255

acl 1
  clause 10 permit any nql Internal-Hosts destination 50.50.50.50 255.255.255.255 sourcegroup Outbound-NAT
  clause 11 permit any nql Internal-Hosts destination 60.60.60.60 255.255.255.255 sourcegroup Outbound-NAT
  clause 12 permit any nql Internal-Hosts destination 70.70.70.70 255.255.255.255 sourcegroup Outbound-NAT
  clause 13 permit any nql Internal-Hosts destination 80.80.80.80 255.255.255.255 sourcegroup Outbound-NAT
  clause 30 permit any any destination any
  apply circuit-(VLANX)

CSS(config)# acl enable

HTH
Pablo
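
As an added illustration that is not part of the original thread or of any Cisco tooling: the Python sketch below parses a subset of the ACL clauses from the answer above and evaluates sample flows against them, so you can check before applying the ACL which connections would leave with source 172.16.4.100 and which fall through to clause 30 untranslated. It assumes clauses are evaluated first-match in clause-number order and that a packet matching no clause is dropped; the function names and the destination 192.0.2.1 are constructed for the example.

```python
import ipaddress
import re

# Clauses copied from the ACL in the answer above (subset); NQL and group as posted.
ACL_TEXT = """
clause 10 permit any nql Internal-Hosts destination 50.50.50.50 255.255.255.255 sourcegroup Outbound-NAT
clause 11 permit any nql Internal-Hosts destination 60.60.60.60 255.255.255.255 sourcegroup Outbound-NAT
clause 12 permit any nql Internal-Hosts destination 70.70.70.70 255.255.255.255 sourcegroup Outbound-NAT
clause 30 permit any any destination any
"""
NQLS = {"Internal-Hosts": ["172.16.4.9/32", "172.16.4.10/32"]}
GROUPS = {"Outbound-NAT": "172.16.4.100"}

CLAUSE_RE = re.compile(
    r"clause (\d+) (permit|deny) any (?:nql (\S+)|any) destination "
    r"(?:any|(\S+) (\S+))(?: sourcegroup (\S+))?$")

def parse_acl(text):
    """Return clauses as (number, action, src_nets, dst_net, sourcegroup), in clause order."""
    clauses = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = CLAUSE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported clause: {line}")
        num, action, nql, dst_ip, dst_mask, group = m.groups()
        src = [ipaddress.ip_network(n) for n in NQLS[nql]] if nql else None
        dst = ipaddress.ip_network(f"{dst_ip}/{dst_mask}") if dst_ip else None
        clauses.append((int(num), action, src, dst, group))
    return sorted(clauses, key=lambda c: c[0])

def evaluate(clauses, src, dst):
    """First-match evaluation: return (clause number, action, source IP after NAT)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, src_nets, dst_net, group in clauses:
        if src_nets is not None and not any(s in n for n in src_nets):
            continue  # source is not one of the NQL hosts
        if dst_net is not None and d not in dst_net:
            continue  # destination is not the one this clause names
        nat = GROUPS[group] if group and action == "permit" else src
        return num, action, nat
    return None, "deny", None  # assumed: no matching clause means the packet is dropped

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in [("172.16.4.9", "50.50.50.50"), ("172.16.4.9", "192.0.2.1")]:
        print(flow, "->", evaluate(acl, *flow))
```
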
12-13-2011 05:12 AM
Hi Pablo,
Thanks for the help, it will help me a lot.
Cheers,