Cisco Support Community
New Member

CSM NAT

Hello.

I am used to working with ACE, where I perform NAT at interface level.

I am going to work with CSM and I would like to perform NAT based on client IP addresses; is it possible to do that with CSM? I only see NAT Client at Serverfarm Level and it does not seem scalable.

Best regards,

Joao Ribau 

Cisco Employee

CSM NAT

Good afternoon Joao,

It is possible to do it, but I'm afraid it's a bit more complicated than on ACE.

On the CSM, you could do this through the use of policies (see http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/mapolcy.html#wp1036728 for more details).

What you would need to do is add several policies to the vserver, and for each of them you associate one client-group (an ACL defining the clients to be natted), a source-nat configuration and the serverfarm (this serverfarm will be the same for all policies).

Please, have a look at the link and let me know if you need any further clarifications.

Regards

Daniel
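
A sketch of the layout described in the answer above, added here as an illustration; it is not configuration from the thread or from Cisco's documentation. The slot number, object names, ACL numbers and all addresses are constructed placeholders, and the exact command syntax (in particular `nat client` under a policy) is an assumption to check against the linked 4.2.x configuration guide.

```cisco
! Constructed example: slot, names, ACL numbers and addresses are placeholders.
! Standard ACLs, one per group of clients that needs its own source NAT
access-list 10 permit 192.0.2.0 0.0.0.127
access-list 20 permit 192.0.2.128 0.0.0.127
!
module ContentSwitchingModule 4
 ! One source-NAT pool per client group
 natpool NAT-GROUP-A 198.51.100.10 198.51.100.10 netmask 255.255.255.0
 natpool NAT-GROUP-B 198.51.100.20 198.51.100.20 netmask 255.255.255.0
 !
 ! A single serverfarm, shared by every policy
 serverfarm WEB-FARM
  nat server
  real 203.0.113.11
   inservice
  real 203.0.113.12
   inservice
 !
 ! Each policy ties a client-group (ACL) to a NAT pool and the shared farm
 policy CLIENTS-A
  client-group 10
  nat client NAT-GROUP-A
  serverfarm WEB-FARM
 !
 policy CLIENTS-B
  client-group 20
  nat client NAT-GROUP-B
  serverfarm WEB-FARM
 !
 ! All policies are attached to the same vserver
 vserver WEB-VIP
  virtual 198.51.100.100 tcp www
  slb-policy CLIENTS-A
  slb-policy CLIENTS-B
  inservice
```

Keeping the client ACLs non-overlapping makes it unambiguous which policy, and therefore which NAT pool, applies to a given source address.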

New Member

Re: CSM NAT

Daniel,

Thanks for your reply.

I have my CSM with 2 VLANs (client and server) in router mode. I also have a default gateway to the client side and more specific routes (to the servers) to the server side gateway. Do you know if there is a CSM feature like the mac-sticky enable that exists on ACE? In my topology there may be clients that are also real servers of serverfarms and I don't know how to solve this issue.

Real servers are several hops (layer 3) away from CSM.

Regards,

Joao.

Cisco Employee

Re: CSM NAT

Hi Joao,

This kind of topology should not cause any issues.

The CSM will always do mac-sticky for load-balanced connections, so the return traffic will always be sent to the MAC address from which the original SYN packet was received. Even if it was not like that, as you said, you have routes pointing towards the servers, so these would be used before the default gateway.

Daniel

New Member

Re: CSM NAT

Daniel,

Once again you were extremely helpful. I was performing some tests and I forgot to give some permissions in FWSM and so I assumed that mac-sticky was not an option.

Regards,
Joao.

New Member

Re: CSM NAT

Nice to find this post, this saves me a lot of time.

acoolme
