Cisco Support Community
New Member

Source Address

Good Day, I'm running into an issue where I have a pair of 11506's extended to a server subnet, and they are balancing 2 servers for a Virtual Directory. The owner of the VD states that they require to see the source address, so I'm not using any source group for this setup. The servers' default gateway is set up to point to the CSSs. Everything is working fine until another app server on the same subnet as the VD servers requires access to the Virtual Directory. The new servers do not care if the source address is NATed, but I cannot NAT because of the original requirement. Is there any other way I could modify or add a new content rule so that the new servers can access the Virtual Directory without NATing the original services? Could I match on source address and, if the request comes from said new servers, put them on a different set of rules? Please find following the original content rules for the Virtual Directories.

Thx

-Rich

owner Virtual_Directory

  content VD_389
    protocol tcp
    vip address 1.1.93.36
    advanced-balance sticky-srcip
    port 389
    redundant-index 9389
    add service ressvds01
    add service ressvds02
    active

  content VD_636
    protocol tcp
    vip address 1.1.93.36
    advanced-balance sticky-srcip
    port 636
    add service ressvds01
    add service ressvds02
    redundant-index 9636
    active

service ressvds01
  ip address 1.2.201.52
  redundant-index 9952
  keepalive port 636
  keepalive type tcp
  active

service ressvds02
  ip address 1.2.201.53
  redundant-index 9953
  keepalive type tcp
  keepalive port 636
  active

2 REPLIES
Cisco Employee

Re: Source Address

Hi Rick,

So what you need is to NAT for some clients (within the same subnet) but not for some other clients (already working without using the source group).

If this is what you need, you can do it using an ACL.

You can build an ACL that will use the group only for those clients that need the NATing, like this:

css(config)# acl 1
css11501b(config-acl[1])# clause 10 permit tcp 1.2.201.0 255.255.255.0 destination content Virtual_Directory/VD_389 sourcegroup VD
css11501b(config-acl[1])# clause 20 permit any any destination any
css11501b(config-acl[1])# apply circuit-(VLANxxx)

group VD
  vip address 1.1.93.36
  active

**** Make sure to create an ACL with permit any for ALL VLANs, otherwise everything will get denied on that VLAN.

**** Remember to run the global command "acl enable".

Notice there are no services on the group: the ACL defines the source, and the destination is the content rule configured.

Hope it helps!!

Diego M
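The following Python script is an added illustration of the ACL behaviour the reply relies on; it is not CSS software or a Cisco tool, and the thread's addresses and rule names are used only as labels. It models first-match clause evaluation, the source-group NAT that replaces the client address with the group VIP (which is what forces the servers' replies back through the CSS when client and server share a subnet), the implicit deny at the end of an ACL, and the reply's caveat that once "acl enable" is set a VLAN with no ACL applied denies everything. It goes slightly beyond the reply: clause 10 names only VD_389, so an assumed clause 15 covers VD_636 the same way; the VLAN names, the app server 1.2.201.77 and the outside client 10.0.0.5 are constructed.

```python
"""Model of ACL-driven selective source NAT on a Cisco CSS (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Content rules from the question: one VIP, LDAP on 389 and LDAPS on 636.
CONTENT_RULES = {
    ("1.1.93.36", 389): "Virtual_Directory/VD_389",
    ("1.1.93.36", 636): "Virtual_Directory/VD_636",
}

# Group from the reply: "group VD" with the same VIP and no services attached.
GROUPS = {"VD": "1.1.93.36"}


@dataclass
class Clause:
    seq: int                            # clause number; lower numbers are evaluated first
    src: ipaddress.IPv4Network          # "permit tcp <net> <mask>", or 0.0.0.0/0 for "any"
    dst_content: Optional[str]          # "destination content <owner>/<rule>"; None means "destination any"
    sourcegroup: Optional[str] = None   # "sourcegroup <name>": client source is NATed to the group VIP


@dataclass
class Css:
    acl_enabled: bool   # global "acl enable"
    circuits: dict      # VLAN name -> list of Clause applied to it, or None if no ACL applied


def reply_acl() -> list:
    """ACL 1 from the reply, plus an assumed clause 15 that covers VD_636.

    Without it, LDAPS traffic from the server subnet would fall through to
    clause 20 and reach the servers with its original source address.
    """
    server_net = ipaddress.ip_network("1.2.201.0/24")
    return [
        Clause(10, server_net, "Virtual_Directory/VD_389", "VD"),
        Clause(15, server_net, "Virtual_Directory/VD_636", "VD"),   # assumption, not in the reply
        Clause(20, ipaddress.ip_network("0.0.0.0/0"), None),        # permit any any destination any
    ]


def evaluate(css: Css, circuit: str, src_ip: str, dst_ip: str, dst_port: int):
    """Return ("deny", None) or ("permit", <source address the real server sees>)."""
    if not css.acl_enabled:
        # ACLs are ignored entirely: traffic passes and the group is never applied.
        return ("permit", src_ip)
    clauses = css.circuits.get(circuit)
    if not clauses:
        # The reply's caveat: with ACLs enabled, a VLAN without an ACL denies all traffic.
        return ("deny", None)
    content = CONTENT_RULES.get((dst_ip, dst_port))
    src = ipaddress.ip_address(src_ip)
    for clause in sorted(clauses, key=lambda c: c.seq):
        if src not in clause.src:
            continue
        if clause.dst_content is not None and clause.dst_content != content:
            continue
        if clause.sourcegroup:
            return ("permit", GROUPS[clause.sourcegroup])   # source NATed to the group VIP
        return ("permit", src_ip)                           # source preserved
    return ("deny", None)   # implicit deny at the end of every CSS ACL


def build_css(acl_enabled: bool = True, acl_on_client_vlan: bool = True) -> Css:
    """Constructed topology: server VLAN gets ACL 1, client VLAN gets a permit-any ACL (or none)."""
    permit_any = [Clause(10, ipaddress.ip_network("0.0.0.0/0"), None)]
    return Css(
        acl_enabled=acl_enabled,
        circuits={
            "VLAN_servers": reply_acl(),
            "VLAN_clients": permit_any if acl_on_client_vlan else None,
        },
    )


if __name__ == "__main__":
    css = build_css()
    # App server on the server subnet: NATed, so the VD servers see the VIP.
    print(evaluate(css, "VLAN_servers", "1.2.201.77", "1.1.93.36", 389))  # ('permit', '1.1.93.36')
    # Outside client: the VD servers still see the real source address.
    print(evaluate(css, "VLAN_clients", "10.0.0.5", "1.1.93.36", 389))    # ('permit', '10.0.0.5')
    # Client VLAN with no ACL applied while "acl enable" is set: everything denied.
    print(evaluate(build_css(acl_on_client_vlan=False), "VLAN_clients",
                   "10.0.0.5", "1.1.93.36", 389))                         # ('deny', None)
```

The model keeps the VD owner's requirement intact: only sources inside 1.2.201.0/24 that hit a named content rule are rewritten to the VIP, every other flow keeps its source, and the last case shows why the reply insists on a permit-any ACL for every VLAN before enabling ACLs.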

Cisco Employee

Re: Source Address

BTW: Keep in mind that mine is an example; you might need to customize it.
