New Member

CSS Server initiated flows, NAT Bypass

Hello,

I've been trying for two days to understand how not to NAT server-initiated flows.

The IPERF server always sees the VIP as the source address. I would like to see the real server's IP as the source address.

I don't see what's wrong in my config.

Here's what I've got:

VLAN 101, 10.0.2.0/24. PC 10.0.2.220. The PC is running iperf as a server on TCP port 5001. Its DFGW (default gateway) is the CSS.
        |
        |
CSS: see below for config.
        |
        |
VLAN 100, 10.0.1.0/24. Server 10.0.1.101 initiates a TCP connection to 10.0.2.220 on port 5001.

!Generated on 05/25/2007 15:53:44
!Active version: sg0810109s
configure
!*************************** GLOBAL ***************************
  acl enable
  logging subsystem natmgr level debug-7
  logging subsystem portmapper level debug-7
!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 1
    default-vlan
  vlan 100
  vlan 101
!************************** CIRCUIT **************************
circuit VLAN100
  ip address 10.0.1.200 255.255.255.0
    ip virtual-router 1 priority 150 preempt
    ip redundant-interface 1 10.0.1.1
    ip critical-reporter 1 r1
circuit VLAN101
  ip address 10.0.2.200 255.255.255.0
    ip virtual-router 2 priority 150 preempt
    ip redundant-interface 2 10.0.2.100
    ip redundant-vip 2 10.0.2.50
    ip critical-reporter 2 r1
!************************** REPORTER **************************
reporter r1
  type vrid-peering
  vrid 10.0.2.200 2
  vrid 10.0.1.200 1
  active
!************************** SERVICE **************************
service web1
  ip address 10.0.1.101
  keepalive type ssl
  active
service web2
  ip address 10.0.1.102
  keepalive type ssl
  active
!*************************** OWNER ***************************
owner lab
  content web
    add service web1
    add service web2
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    sticky-inact-timeout 120
    vip address 10.0.2.50
    active
!*************************** GROUP ***************************
group lab
  add service web1
  vip address 10.0.2.50
  active
!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any sourcegroup lab
  clause 3 bypass tcp any destination any eq 5001
  apply circuit-(VLAN100)
acl 2
  clause 1 permit any any destination any
  apply circuit-(VLAN101)

Here's what I have in iperf (client side):

D:\iperf>iperf.exe -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1860] local 10.0.2.220 port 5001 connected with 10.0.2.50 port 3174
[ ID] Interval       Transfer     Bandwidth
[1860] 0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec

Server side:

C:\>iperf -c 10.0.2.220
------------------------------------------------------------
Client connecting to 10.0.2.220, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[884] local 10.0.1.101 port 1116 connected with 10.0.2.220 port 5001
[ ID] Interval       Transfer     Bandwidth
[884] 0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec
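As an added check (not part of the original post or any Cisco tool), the following Python script parses the two iperf captures above, pairs what the initiating host reports as its own source address with what the listening host actually saw, and flags whether source NAT to the VIP is in effect. The captures are embedded as constructed sample input copied from the post; the VIP value 10.0.2.50 is taken from the config above, and the "after bypass" sample is a constructed illustration of what the PC side would report if the flow were not translated.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two captures from the post, embedded so this
# runs offline. "Initiator" is the real server 10.0.1.101 (iperf -c);
# "listener" is the PC 10.0.2.220 (iperf -s).
INITIATOR_CAPTURE = """\
C:\\>iperf -c 10.0.2.220
[884] local 10.0.1.101 port 1116 connected with 10.0.2.220 port 5001
[884] 0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec
"""
LISTENER_CAPTURE_NATTED = """\
D:\\iperf>iperf.exe -s
[1860] local 10.0.2.220 port 5001 connected with 10.0.2.50 port 3174
[1860] 0.0-10.0 sec  35.8 MBytes  29.9 Mbits/sec
"""
# Constructed (hypothetical) listener capture for a flow that bypassed NAT:
# the PC would then see the real server's address and port unchanged.
LISTENER_CAPTURE_BYPASSED = """\
D:\\iperf>iperf.exe -s
[1860] local 10.0.2.220 port 5001 connected with 10.0.1.101 port 1116
"""

VIP = "10.0.2.50"  # from the CSS config in the post

# Matches iperf's connection banner: "[id] local A port X connected with B port Y"
CONN_RE = re.compile(
    r"^\[\s*\d+\]\s+local\s+(\S+)\s+port\s+(\d+)\s+connected\s+with\s+(\S+)\s+port\s+(\d+)"
)


@dataclass(frozen=True)
class IperfConn:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int


def parse_iperf_conns(text):
    """Extract every connection banner from an iperf capture, in order."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(IperfConn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def nat_status(initiator_capture, listener_capture, vip):
    """Compare the initiator's own (local ip, port) with the peer (ip, port) the
    listener recorded. Any difference means a device in the path rewrote the
    source; a peer ip equal to the VIP means the rewrite was to the VIP."""
    init = parse_iperf_conns(initiator_capture)
    lst = parse_iperf_conns(listener_capture)
    if not init or not lst:
        raise ValueError("no iperf connection lines found in one of the captures")
    i, l = init[0], lst[0]
    src_natted = (l.peer_ip != i.local_ip) or (l.peer_port != i.local_port)
    return {
        "real_source": f"{i.local_ip}:{i.local_port}",
        "seen_by_listener": f"{l.peer_ip}:{l.peer_port}",
        "source_natted": src_natted,
        "natted_to_vip": src_natted and l.peer_ip == vip,
    }


if __name__ == "__main__":
    for label, cap in (("as posted", LISTENER_CAPTURE_NATTED),
                       ("after bypass (constructed)", LISTENER_CAPTURE_BYPASSED)):
        print(label, nat_status(INITIATOR_CAPTURE, cap, VIP))
```

Run against the captures as posted, the script reports the real source 10.0.1.101:1116 being seen by the PC as 10.0.2.50:3174, i.e. both address and port rewritten to the VIP, which is the symptom the post describes; the same check can be rerun after any ACL change to confirm the bypass actually took effect rather than reading the ACL and assuming it did.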

1 REPLY
New Member

Re: CSS Server initiated flows, NAT Bypass

Problem solved by Cisco TAC.

I had to remove the "add service" in the group config and change the ACL to:

acl 1
  clause 100 permit any any destination any sourcegroup lab
  apply circuit-(VLAN100)
  clause 3 bypass any 10.0.1.105 255.255.255.255 destination 10.0.2.221 255.255.255.255
