Cisco Support Community

New Member

CSS source group NAT question


Not sure if this is a common requirement or not, but I've done a search on here and seen similar questions, so hoping someone might be able to help.

We have Cisco 11503s and 2 x UNIX boxes, each with 3 NICs, that need to use SSH for internal management and also transfer of files.

The main problem is the UNIX hosts cannot control which interface the traffic leaves so whilst we have specific functions for most services tied to each NIC, SSH can use any of them.

Inbound is not a problem - content rule on the VIP however outbound is causing us some grief as we don't want ALL SSH traffic to be sourced by the NAT.

Is it possible to force the CSS to use the source group for specific hosts only?

I.e. all normal internal traffic is not using the source group VIP but our defined hosts are forced to use the source NAT?

I've done some reading on ACLs but I'm not entirely sure whether these will help or not.

Any help appreciated.

Cisco Employee

Re: CSS source group NAT question

You need an ACL with the option 'sourcegroup'.

The ACL must match the inbound traffic that will require NATing.


New Member

Re: CSS source group NAT question

Do you know where I could find any configuration examples?

There don't seem to be many floating around for ACLs.
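
A sketch of the ACL-with-'sourcegroup' approach suggested above, added here as an example and not posted by any participant in the thread. The group name, addresses, ACL number and circuit name are constructed, and the clause syntax is written from memory of the CSS 11500 command set, so check it against the security configuration guide for your WebNS release before use.

```text
! Source group that supplies the NAT address (constructed VIP)
group ssh-out
  vip address 10.20.0.50
  active

! ACL on the circuit where the UNIX hosts' traffic enters the CSS
acl 10
  ! Only SSH from the two management hosts is sent through the source group
  clause 10 permit tcp 10.1.1.11 destination any eq 22 sourcegroup ssh-out
  clause 20 permit tcp 10.1.1.12 destination any eq 22 sourcegroup ssh-out
  ! Everything else on this circuit passes without source NAT
  clause 99 permit any any destination any
  apply circuit-(VLAN2)

! ACLs are enabled globally. Traffic that matches no permit clause is
! dropped, so every circuit that carries traffic needs an applied ACL
! with a suitable permit clause before this command is entered.
acl enable
```

Clauses are evaluated in ascending numeric order, so the host-specific clauses must carry lower numbers than the catch-all permit. Make the change from the console port, since a missing permit clause cuts off network management access as soon as ACLs are enabled.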