Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1253
Views
0
Helpful
8
Replies

CSS outbound NAT

Go to solution
mbell
Level 1
Level 1

‎01-07-2007 11:15 AM

I've seen several posts in this forum relating to outbound (source) NAT'ing on a CSS but am still confused as to what I need to accomplish this. I've got four servers behind a CSS that need to be PAT'd to a single public address for outbound access. I've read through this page:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml

but still have some questions since this page does not discuss topology. First, which circuit should the "apply circuit-" command be used for? Is that for the public side or private side? Second, is this all the configuration I need to enable outbound NAT? Third, what (if any) impact does this have on the inbound configuration for these servers?

If anybody has a config showing how to do this, that would be great!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to mbell

‎01-22-2007 01:30 AM

you are correct, the ACL will only apply to new connections opened from the servers.

This could have an impact on UDP connection, if you have udp content rules.

Gilles.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
mbell
Level 1
Level 1
In response to Gilles Dufour

‎01-16-2007 03:41 PM

That is a very helpful link. Out of the 20 or so hosts on the inside segment, I only want to NAT four of them to a public IP address. To prevent NAT'ing the other hosts, would I use something like:

clause 5 permit any 192.168.1.10 255.255.255.255 destination any sourcegroup outbound

clause 10 bypass any 192.168.1.0 255.255.255.0 destination any

The thing I'm confused about is that in the original link I saw, the ACL had permit statements for internal networks _to_ the internal networks, i.e. permit any 192.168.1.0 255.255.255.0 destination 192.168.1.0 255.255.255.0.

What is the purpose of these statements and why would they not be shown in the second link?

Also, I'm assuming that if I only want to NAT outbound traffic and not permit inbound connections, I don't have to apply a "permit any any" ACL to the outside interface, correct?

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to mbell

‎01-17-2007 12:22 AM

we often nat when a server itself open a connection with a vip. This is because the CSS will forward the request to a server [could even be the same one that opened the connection] that resides in the same subnet as the source and to guarantee that the response goes back to the CSS client is necessary.

In your case, you want to nat outbound traffic.

So simply make an acl that matches your source/destination and you should be ok.

Gilles.

0 Helpful

Go to solution
mbell
Level 1
Level 1
In response to Gilles Dufour

‎01-17-2007 09:14 PM

So if I want to NAT these four servers to the Internet but not the other servers behind the CSS, then what entries in the ACL do I need for the servers that I do not want to NAT? Would I use "deny" or "bypass"? I thought CSS ACLs have implicit "denies" like IOS ACLs and I need something to allow the other traffic through.

I'm assuming I'll need four ACL entries that permit traffic from the four hosts I want to NAT to the source-group plus some other entries that allow non-NAT'd traffic to "any". I'm just trying to figure out what the entries should look like for the inside hosts that will not be NAT'd.

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to mbell

‎01-18-2007 07:04 AM

you need a permit for the rest of the traffic if you simply want the traffic to be processed by the CSS. A Deny if you want to drop it or a bypass if you want the css to only route the traffic [no match possible on any content rule].

so you should end up with something like this.

acl 1

clause 10 permit any X destination Y sourcegroup Z

...

clause 99 permit any any destination any

apply all

Gilles.

0 Helpful

Go to solution
frankamankwah
Level 1
Level 1
In response to Gilles Dufour

‎01-18-2007 01:58 PM

clause 5 permit any 192.168.1.10 255.255.255.255 destination any sourcegroup outbound

clause 10 bypass any 192.168.1.0 255.255.255.0 destination any

The above would definitely fix your issue as stated earlier by a contributor. You would need to bypass the content rules

0 Helpful

Go to solution
mbell
Level 1
Level 1
In response to Gilles Dufour

‎01-22-2007 12:29 AM

Once again, great information. Something else that I just want to double-check... If I already have these four servers configured to provide inbound services _from_ the Internet, i.e.:

content manager

add service manager5

add service manager6

protocol tcp

port 8080

add service manager3

add service manager4

advanced-balance arrowpoint-cookie

vip address 60.1.1.1

active

will the new outbound NAT configuration have any impact on the inbound services and the replies for those services? In the link you provided originally, I found "The CSS 11000/11500 does not apply ACLs to response traffic because you already have a flow established." so I am assuming that this new ACL/NAT configuration would not have any impact on the services or content rules that are already configured for these hosts, correct?

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to mbell

‎01-22-2007 01:30 AM

you are correct, the ACL will only apply to new connections opened from the servers.

This could have an impact on UDP connection, if you have udp content rules.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents