
New Member

CSS 11503 SNAT?

I have a subnet that has a Cisco load balancer in it that is in the process of moving. The current subnet is behind a FWSM and has been working for years. The new subnet will be in front of the firewall.

In the current state, the default gateway and default route point to the firewall interface for the existing subnet. The load balancers are in a one-armed configuration. I would like to use the same pair of load balancers on the new subnet.

The load balancers have circuits in both VLANs, but keep using the default route for return traffic for both networks. So, traffic will come in on the new network, get load balanced appropriately, and the return traffic will be routed asymmetrically to the default gateway instead of the local gateway. I can see my firewall blocking the return traffic.

Is there a way to configure the CSS to either use the local gateway or possibly to use Source NAT (without an ACE module) to make the CSS bridge in this manner?

Any help would be appreciated! Thanks in advance!

Jason

5 REPLIES
New Member

Re: CSS 11503 SNAT?

Hello Jason,

I'm a bit confused. Can you attach topology? :)

If you need to use SNAT on the CSS, look for the 'group' command (http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/SGrp.html)

^^ it's helpful SNAT?

martin

New Member

Re: CSS 11503 SNAT?

The 'group' command is for source nat with respect to the servers behind the CSS. I need to do SNAT for incoming requests. I've attached a Visio diagram of what I'm talking about.

New Member

Re: CSS 11503 SNAT?

The group command also allows you to SNAT traffic with respect to the destination instead of the source. In this case, it might be a default gw.

I'm also a bit confused by your topology... Anyway, isn't it a bit insecure to bridge behind and above your FW?

New Member

Re: CSS 11503 SNAT?

The hard part is that all the users from various IP Networks will be coming in as the source. I'm not sure how to write the group command to handle this.

As for the topology, it is insecure to be doing things this way, but we're migrating the servers from the screened network to the unscreened one.

New Member

Re: CSS 11503 SNAT?

You can base your SNAT on the destination - add destination service instead of add service - in that case you can match on the providing server, i.e.
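A worked CSS 11500 configuration illustrating the last two replies, added here as an example and not taken from the thread, its Visio attachment, or Cisco's documentation. The `service`, `owner`/`content` and `group` commands are standard CSS syntax; every name and address below is a constructed assumption. The point it shows: with `add destination service`, the CSS rewrites the client source address of flows headed to the listed servers to the group VIP, and because that VIP lives in the server subnet, the servers answer back to the CSS rather than sending the reply to their default gateway (the firewall), which is what was dropping the asymmetric return traffic.

```text
! --- Real servers (constructed addresses, assumed to sit in the screened subnet) ---
service web1
  ip address 10.10.20.11
  protocol tcp
  port 80
  keepalive type http
  active

service web2
  ip address 10.10.20.12
  protocol tcp
  port 80
  keepalive type http
  active

! --- Client-facing VIP on the new, unscreened subnet (constructed address) ---
owner migration
  content www-frontend
    vip address 192.0.2.100
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! --- Client SNAT group: destination-based, as in the last reply ---
! "add destination service" (not "add service") means: translate the SOURCE of
! client flows whose destination is web1/web2 to this group's VIP.
! The VIP must be in the servers' own subnet so replies return to the CSS,
! not to the servers' default gateway on the FWSM.
group client-snat
  vip address 10.10.20.100
  add destination service web1
  add destination service web2
  active
```

With the group active, the servers only ever see connections from 10.10.20.100 instead of the many client source networks the fourth reply was worried about, so no per-client matching is needed. The trade-off is that the original client address is no longer visible in server logs; if that matters for auditing, it has to be recovered another way (for HTTP, a header inserted by the CSS, if your version supports it) rather than from the TCP source address.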
