Cisco Support Community

source destination group NAT


I have two CSS configured with an external VLAN and a public redundant-vip. I also have an internal VLAN with a private subnet and servers directly connected; the CSS have a redundant-interface on this side.

My servers are dual-homed and their default gateway doesn't point to the redundant-interface.

Using a source destination group, I'm able to NAT the source IP of ingress traffic to the redundant-vip address, in order to get the reverse traffic back through the CSS'. But this is not the behavior I want.

I would like the source IP for ingress traffic to be translated to the redundant-interface's IP (the CSS private address) so that the servers reply back to this address that is in the same subnet.

Is this possible?

Thanks in advance.


Re: source destination group NAT

To NAT source IP addresses and source ports for flows originating from a client (client-side) on the public side of the CSS, add existing services to a source group as destination services. You can also configure access control lists (ACLs) to perform source NATing. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).

For more information click this URL
