Cisco Support Community
Community Member

CSS 11503 one arm configuration problem

I have one CSS 11503 which I have configured in a one-arm design. The configuration looks okay and I have seen a similar problem on the forum. The client PCs do not get any response when they try to access the web servers through the CSS, but if I try to reach them directly I can get HTML content properly. Has anyone experienced this problem, and what is the solution?

Cisco Employee

Re: CSS 11503 one arm configuration problem

Use a sniffer trace to verify whether traffic gets to the CSS and whether it then reaches the server.

Then verify that the response from the server goes through the CSS and then to the client [not directly to the client].

The easy solution is to configure a group to do client NAT.


Community Member

Re: CSS 11503 one arm configuration problem

Hi Gilles,

I guess what I have is a client NAT, because I have created a group and used the "add destination service" command. Now I don't know if I have understood this well, but if I want to NAT the server IP addresses I have to use the "add service" command within the group. Now what I would like to know is whether it's possible to have both the "add service" and the "add destination service" in order to NAT both server and client IP addresses, or is this not necessary?

This is my "sh flow" output. What do you advise?

Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
8000 2022 TCP 1/1 1/1
4183 80 TCP 1/1 1/1
8000 1058 TCP 1/1 Ipv4
8000 1051 TCP 1/1 Ipv4
19487 23 TCP 1/1 Ipv4



Cisco Employee

Re: CSS 11503 one arm configuration problem


Is the connection that shows the problem opened from the server?

You only need 'add service' for connections opened by the server.

If that's the case, you need to remove all 'add' commands from the group config and use an ACL to determine when to use the group.

Something like:

acl 1

clause 10 permit tcp any destination sourcegroup

clause 20 permit tcp destination any sourcegroup

'show flows' is not very useful because it doesn't tell you if we receive a response.

By default the CSS automatically creates a flow for the response, anticipating that we will receive one.

So, you should gather sniffer traces and follow the traffic to see where it fails.
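
Added example, not part of any post in this thread: a small Python check for the trace comparison recommended above, run over a client-side capture reduced to one line per packet. The line format, all addresses, and the function names are constructed for illustration; a SYN-ACK arriving from a real server address instead of the VIP is the sign that the server answered the client directly rather than through the CSS.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")

def parse(line):
    """Parse one constructed trace line: 'src:sport > dst:dport FLAGS'."""
    left, right, flags = line.replace(" > ", " ").split()
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return Pkt(src, int(sport), dst, int(dport), flags)

def classify(trace, vip, servers):
    """For each client SYN sent to the VIP, report where the SYN-ACK came from."""
    pkts = [parse(l) for l in trace.splitlines() if l.strip()]
    verdicts = {}
    for i, syn in enumerate(pkts):
        if syn.flags != "S" or syn.dst != vip:
            continue
        key = (syn.src, syn.sport)
        verdicts[key] = "no-response"
        # Look only at later packets addressed to this client socket.
        for p in pkts[i + 1:]:
            if (p.dst, p.dport) != key or p.flags != "SA":
                continue
            if p.src == vip:
                verdicts[key] = "ok"            # reply was translated by the CSS
            elif p.src in servers:
                verdicts[key] = "bypassed-css"  # server replied with its own address
            break
    return verdicts

# Constructed sample capture taken on the client (documentation address ranges).
VIP = "198.51.100.5"
SERVERS = {"198.51.100.21", "198.51.100.22"}
TRACE = """
192.0.2.10:40001 > 198.51.100.5:80 S
198.51.100.21:80 > 192.0.2.10:40001 SA
192.0.2.10:40001 > 198.51.100.21:80 R
192.0.2.10:40002 > 198.51.100.5:80 S
198.51.100.5:80 > 192.0.2.10:40002 SA
192.0.2.10:40003 > 198.51.100.5:80 S
"""

if __name__ == "__main__":
    for (client, port), verdict in classify(TRACE, VIP, SERVERS).items():
        print(f"{client}:{port} -> {verdict}")
```
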

