Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS11050 Redirect IP Address

I try to setup two web servers (10.1.1.10 and 10.1.1.11) using CSS11000 for load balancing. By using VIP address 10.1.1.30 with stricky content rule. However when the application server rely back the request the URL still contain the web server ip address (10.1.1.10 or 10.1.1.11) , is there the way to redirect or change the url contents point to VIP address rather then the web server ip address from the CSS ?

6 REPLIES
Bronze

Re: CSS11050 Redirect IP Address

Yes there is/

You can create a group to NAT the servers response back out to the VIP address.

group pete

vip address 10.1.1.30

add service server1

add service server2

active

This will take all traffic being sourced from the servers going outbound through the CSS and NAT the source ip to the VIP address and not show the servers ip address

Regards

Pete Knoops

Cisco Systems

New Member

Re: CSS11050 Redirect IP Address

Thank you Pete

New Member

Re: CSS11050 Redirect IP Address

What if you need each server to access a domain controller by it's individual address not the VIP? Is there a way to exclude the Group from being applied to flows to the domain controller?

Bronze

Re: CSS11050 Redirect IP Address

The only way to do this is to apply the group in a different manner.

So you would still have a group configured, but you would not add any services to it. It would simply be a group with a vip in it and it was active.

Then you would use acls on the box to to apply the sourcegroup given certain source and destination criteria. If you do not already use ACLs, beware as they can be dangerous and they have an implicit deny on all traffic to all vlans if not configured correctly.

So in conclusion, you tell the CSS when to NAT as opposed to NATing everything with regards to the servers.

Regards

Pete..

New Member

Re: CSS11050 Redirect IP Address

I assume I would need to use the "bypass" command on the ACL to exclude the content rule to the domain controllers. Thanks for the info!

Bronze

Re: CSS11050 Redirect IP Address

Most people think you would use the bypass command on the acl for this particular issue, but bypass does not work on a source group. It is mainly for bypassing content rules. The equivalent of bypass when using acls and source groups is to explicitly state which traffic gets nat'd and not which traffic does not get nat'd. It's kind of a reverse thinking approach. When you have to tell the CSS which traffic not to nat, you in fact tell it only which traffic to nat and leave out the traffic you do not want the CSS to nat.

Pete..

191
Views
4
Helpful
6
Replies
CreatePlease login to create content