Cisco Support Community
New Member

NAT issue

Hi,

I have a test content switch CSS11503 with one leg on 10.152.21.0/24 and the other leg on 10.40.21.0/24. I have SSL services set up to hit 10.40.26.1 and 10.40.26.2. I have a content rule with 10.40.21.26 as the VIP which load balances to the aforementioned services. In order for traffic from other networks to hit the services I need to source NAT them to an address on the 10.40.21.0 subnet. Otherwise the traffic will hit 10.40.26.1 or 2 and will return via the default gateway of 10.40.26.250 (and will not return via the content switch). The business would now like it if the NAT did not take place, as they would like to be able to see the real addresses hitting the website. I have tried to remove the NAT and add in a route to one of these other networks on the 10.40.26.250 MLS but this does not seem to work. Any ideas?

I hope my question is clear!

Many Thanks.

4 REPLIES
Cisco Employee

Re: NAT issue

As you already pointed out, you need the traffic to come back to the CSS after hitting the real server.

The first solution is the NATing, which you do not want anymore.

The 2nd option is the routing. You have to make sure the return traffic goes back to the CSS. Change your router routing table to point traffic from the server back to the CSS.

This can also be done with policy routing.

Use sniffer traces to make sure the traffic comes back to the CSS.

There is no other solution.

Gilles.

New Member

Re: NAT issue

Thanks for your response, Gilles.

I presume I should route the traffic back to the VIP address?

Cisco Employee

Re: NAT issue

The client will respond to the client [since you do not NAT anymore].

So you need a default route pointing back to the CSS - not a route for the VIP.

That's the reason why people use policy routing.

So your server can still use the normal default gateway most of the time and the CSS when needed.

Gilles.
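
An added example, not part of the thread or Cisco's own configuration: one way the policy routing mentioned above could look on the 10.40.26.250 MLS, so that only the SSL return traffic from the two real servers is sent back through the CSS while everything else keeps using the normal default gateway. The interface name, the ACL and route-map names, TCP port 443 and the `<CSS-circuit-IP>` next hop are assumptions; replace the placeholder with the CSS circuit address the MLS can reach directly.

```cisco
! Added example. Assumptions (not from the thread): interface Vlan26 is the
! server-facing SVI, the SSL services listen on TCP 443, and
! <CSS-circuit-IP> is a placeholder for the CSS circuit address.

! Match only return traffic from the real servers' SSL service.
ip access-list extended SSL-RETURN-TO-CSS
 permit tcp host 10.40.26.1 eq 443 any
 permit tcp host 10.40.26.2 eq 443 any
!
! Send the matched packets to the CSS instead of following the routing table.
! The next hop is the CSS circuit IP, not the VIP 10.40.21.26.
route-map SERVERS-VIA-CSS permit 10
 match ip address SSL-RETURN-TO-CSS
 set ip next-hop <CSS-circuit-IP>
!
! Apply the policy inbound on the interface where server traffic arrives.
interface Vlan26
 ip policy route-map SERVERS-VIA-CSS
!
! Verification: the match counters should increase while a client connects.
! show route-map SERVERS-VIA-CSS
! show ip policy
```

Traffic that does not match the ACL (for example management or backup traffic from the servers) is routed normally, which is the behaviour described in the reply above.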

New Member

Re: NAT issue

Thanks, I will try routing the traffic back to the interface on the CSS.
