CSS NAT Problems

scott-goodwin
Level 1

Hi Guys,

I recently swapped my CSS installation from bridged to routed as I was adding a secondary CSS for redundancy. I have set up NAT using services and groups to allow connection direct to the devices on their old IPs so I don't have to change all the fw nat and rulebase. However I am experiencing problems with backups.

Using source group, does this use PAT rather than static NAT, and if so how can I implement a 1-1 NAT for direct connection to the servers on their old IP addresses?

Sample of config below:

ip route 0.0.0.0 0.0.0.0 x.x.50.66 1

!************************* INTERFACE *************************
interface e7
  isc-port-two
interface e8
  isc-port-one

!************************** CIRCUIT **************************
circuit VLAN10
  description "PHYSICAL_IP_VLAN10"
  ip address x.x.50.79 255.255.255.0
    ip virtual-router 2 priority 90
    ip redundant-interface 2 x.x.50.73
    ip redundant-vip 2 x.x.50.70
    ip redundant-vip 2 x.x.50.76
    ip redundant-vip 2 x.x.50.77

circuit VLAN20
  description "Server VLAN20"
  ip address x.x.200.2 255.255.255.0
    ip virtual-router 3 priority 90
    ip redundant-interface 3 x.x.200.1
    ip critical-service 3 upstrem

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 70
  ssl-server 70 version ssl
  ssl-server 70 vip address x.x.50.70
  ssl-server 70 cipher rsa-with-3des-ede-cbc-sha x.x.50.70 81
  ssl-server 70 unclean-shutdown
  ssl-server 70 rsacert ******
  active

!************************** SERVICE **************************
service Server1
  ip address x.x.200.10
  active

service Server1_TCP444
  string server1444
  ip address x.x.200.10
  protocol tcp
  port 444
  keepalive type tcp
  keepalive frequency 3
  keepalive retryperiod 3
  keepalive port 444
  active

service Server1_TCP80
  string server180
  ip address x.x.200.10
  port 80
  protocol tcp
  keepalive type tcp
  keepalive port 80
  keepalive frequency 3
  keepalive retryperiod 3
  active

service Server2
  ip address x.x.200.11
  active

service Server2_TCP444
  string server2444
  ip address x.x.200.11
  protocol tcp
  port 444
  keepalive type tcp
  keepalive port 444
  keepalive frequency 3
  keepalive retryperiod 3
  active

service Server2_TCP80
  ip address x.x.200.11
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  keepalive frequency 3
  keepalive retryperiod 3
  string server280
  active

service ssl_serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

service upstrem
  ip address x.x.50.66
  active

owner *****

  content HS_443
    vip address x.x.50.70
    protocol tcp
    port 443
    add service ssl_serv1
    application ssl
    active

  content HS_80
    vip address x.x.50.70
    url "/*"
    protocol tcp
    port 80
    advanced-balance arrowpoint-cookie
    add service Server1_TCP80
    add service Server2_TCP80
    active

  content HS_SSL
    vip address x.x.50.70
    add service Server1_TCP444
    add service Server2_TCP444
    advanced-balance arrowpoint-cookie
    protocol tcp
    port 81
    url "/*"
    active

  content Server1
    vip address x.x.50.76
    add service Server1
    active

  content Server2
    vip address x.x.50.77
    add service Server2
    active

group server1
  add service Server1
  vip address x.x.50.76
  active

group server2
  vip address x.x.50.77
  add service Server2
  active

1 Reply

Gilles Dufour
Cisco Employee

The group is to NAT traffic sourced by the server.

So, if you want to open a connection to x.x.50.76 and x.x.50.76 you need to configure a content rule:

content Server1
  vip x.x.50.76
  add service Server1
  active
!

CSS does PAT all the time.

Gilles.
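A way to check the point made in this reply across a whole config, as an added example that is not part of the thread: the script parses CSS config text of the shape posted above and, for every source group that carries a vip address, confirms that a content rule exists on the same VIP with the same services, since the group alone only gives the server an outbound PAT path. The sample config, its addresses and the block names are constructed for the example.

```python
import re
# Constructed sample in the style of the thread's CSS config; addresses are placeholders.
SAMPLE_CONFIG = """\
owner demo
  content Server1
    vip address 10.0.50.76
    add service Server1
group server1
  add service Server1
  vip address 10.0.50.76
group server2
  vip address 10.0.50.77
  add service Server2
"""

def parse_blocks(config):
    """Collect content/group blocks as {(kind, name): {"vip": ..., "services": set()}}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        # Any top-level object starts a new block; only content and group are tracked.
        head = re.match(r"^(content|group|service|owner|circuit|interface)\s+(\S+)$", line)
        if head:
            kind, name = head.groups()
            current = blocks.setdefault((kind, name), {"vip": None, "services": set()}) if kind in ("content", "group") else None
            continue
        if current is None:
            continue
        if vip := re.match(r"^vip(?: address)?\s+(\S+)$", line):  # both 'vip x' and 'vip address x' occur
            current["vip"] = vip.group(1)
        if svc := re.match(r"^add service\s+(\S+)$", line):
            current["services"].add(svc.group(1))
    return blocks

def check_inbound_paths(config):
    """A source group only NATs traffic the server originates; a connection *to* the group's
    VIP needs a content rule on that VIP. Returns sorted (group, reason) findings."""
    blocks = parse_blocks(config)
    rules = {d["vip"]: (n, d["services"]) for (k, n), d in blocks.items() if k == "content" and d["vip"]}
    findings = []
    for (kind, name), data in blocks.items():
        if kind != "group" or data["vip"] is None:
            continue
        rule = rules.get(data["vip"])
        if rule is None:
            findings.append((name, f"no content rule for vip {data['vip']}; outbound NAT only"))
        elif rule[1] != data["services"]:
            findings.append((name, f"content rule {rule[0]} and group add different services"))
    return sorted(findings)
```

Run against the sample, the check reports group server2 as having no inbound path; adding a content rule on 10.0.50.77 with the same service clears it.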