ACE router or source NAT

Similar Messages

• Example Config ACE routed mode with NAT

  Hi all,
  i have a two-arm loadbalancer (routed mode).
  client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
  But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
  Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
  BR
  Dominik

  Hi Dominik,
  Something like this:
  access-list ANYONE line 10 extended permit ip any any
  rserver host SERVER_01
    ip address 10.198.16.2
    inservice
  rserver host SERVER_02
    ip address 10.198.16.3
    inservice
  rserver host SERVER_03
    ip address 10.198.16.4
    inservice
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  class-map match-all VIP-30
    2 match virtual-address 192.168.1.30 tcp eq www
  class-map type management match-any REMOTE_ACCESS
    description remote-access-traffic-match
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
  policy-map type management first-match REMOTE_MGT
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS
  policy-map multi-match CLIENT_VIPS
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 452
  interface vlan 451
      ip address 192.168.1.2 255.255.255.0
    access-group input ANYONE
    service-policy input CLIENT_VIPS
    no shutdown
  interface vlan 452
    description Servers vlan
    ip address 10.198.16.1 255.255.255.0
    access-group input ANYONE
    nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  Cesar R
  ANS Team

• ACE One-Arm Source-NAT HTTP Header Insert

  Hellow ACE Gurus,
  This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions.  Does the HTTP header re-write action list work for SSL traffic?  I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session.  Any input would be greatly appreciated.
  /r
  Rob

  Hi Rob,
  When using HTTPS, all the data is encrypted, including the HTTP headers.
  In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
  I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
  http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
  Regards
  Daniel

• ACE: Significance of mask in nat-pools configured for Source NAT

  Hi guys
  If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
  What would be the difference between the nat-pools configured with different netmask.
  What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
  and why?
  case1:
  interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
  service-policy input clientvips
  no shutdown
  case2:
  interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
  service-policy input clientvips
  no shutdown
  Thanks in Advance
  A.

  Gilles
  Thanks a lot. It makes more sense now.
  I posted another question for an ACE design validation. Could you please validate this
  I am planning to deploy ACE module in following manner:
  > ACE will be in one arm mode ( Only one vlan connected to the ACE).
  > Vips & Rservers (all serverfarms) will be in the same Vlan X.
  > Default gateway on the ACE & Real servers will be the upstream router
  > There will be Source NAT configured for all Serverfarms.
  ACE --- Vlan X -------Router--- internet
  .................|
  .................|-- Sfarm 1
  .................|
  .................|-- Sfarm 2
  .................|
  .................|-- Sfarm n
  I am pretty sure that it should work.
  Just wanted an expert opinion.
  Thanks

• ACE: as firewall and NAT. inbound and outbound originals

  Hi Team,
  This time no load balancing is required.
  Two servers inside (with private IP) need to communicate with clients and servers on the internet. ie, internet client originate inbound traffic to our servers, and also our servers originate connections to some internet servers.
  Both of our servers will work indipendently for this purpose.
  I have a few ideas to mix and match configs in the ACE. (This was originally working with FWSM setup). I would like to hear some sound ideas to acheive this using ACE only as firewall/router. No plan to load balance at present.
  Regards to all
  SS

  Gilles,
  Inbound traffic and the related reply traffic can be handled with normal class-map by defining a VIP with public IP.
  The above real server with private IP is now going to make a different connection to the internet. ie,
  outbound traffic and related reply traffic need handling. (no load balancing planned).
  Detination NAT, Static NAT sounds interesting
  Source NAT, Static NAT sounds interesting. Mixing these sound very interesting!! I'm looking for sample configs please.
  SS

• ACE: 4710 Policy-Map NAT

  Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
  My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rservers vlan?
  policy-map multi-match PM_Loadbalance
    class VIP_Farm
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 7 vlan 7
      nat dynamic 741 vlan 741
  Thanks,
  -b

  Hello Brian-
  You can apply 2 different NAT statements, yes.
  The way it works:
  1.)  A client sends a SYN into a vlan where the vip is applied as a service-policy input.
  2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
  3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
  4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the the packet would be source NATted by the group number mentioned in the statement.  This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.
  i.e.
  rserver host server_1
  ip address 10.0.0.10
  inservice
  rserver host server_2
  ip address 172.16.35.60
  inservice
  serverfarm host SF_1
  rserver server_1
    inservice
  class-map match-any VIP_80
  2 match virtual-address 172.16.35.80 tcp eq 80
  policy map type loadbalance first-match LB
  class class-default
    serverfarm SF_1
  policy map multi-match X
  class VIP_80
    loadbalance policy LB
    loadbalance vip inservice
    nat dynamic 5 vlan 7
    nat dynamic 7 vlan 741
  interface vlan 7
  ip address 172.16.35.2 255.255.255.0
  nat 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
  service-policy input X
  Interface vlan 741
  ip address 10.0.0.2 255.255.255.0
  nat 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
  service-policy input X
  If a packet comes into either vlan destine to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60.  If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741.  If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
  Regards,
  Chris Higgins

• Routing Experts please help with below LAN routing issue with NAT

  Hello Experts,
  I have a weird situation and requirement.
  The existing setup is -
  We have email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with respective port numbers of 89 & 443. We have LAN & servers on the same subnet. The internet is with public DHCP IP assigned by ISP (/29). We use linksys router GUI for NAT settings (attached).We are using the same public IP for the server NAT & user NAT.
  We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure respective subnets. Now both user subnet and server subnet are connecting to the Internet with same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
  Please find attached short diagram and below configuration and please give your inputs to solve this.
  Cisco 3845 router
  access-list 1 permit 10.155.60.0 0.0.0.255
  access-list 2 permit 10.155.61.0 0.0.0.255
  access-list 3 permit 10.155.62.0 0.0.0.255
  ip nat inside source list 1 int g0/0 overload
  ip nat inside source list 2 int g0/0 overload
  ip nat inside source list 3 int g0/0 overload
  int g0/0
  ip add 8.8.8.8 255.255.255.248
  ip nat outside
  no shut
  int g0/1
  description Trunk-to-Switch
  no shut
  int g0/1.60
  description User vlan
  ip add 10.155.60.1 255.255.255.0
  encapsulation dot1q 60
  ip nat inside
  int g0/1.62
  description Server vlan
  ip add 10.155.62.1 255.255.255.0
  encapsulation dot1q 62
  ip nat inside
  exit
  aaa new-model
  aaa authentication login default local
  aaa authentication login vpn_xauth_ml_1 local
  aaa authentication login sslvpn local
  aaa authorization network vpn_group_ml_1 local
  aaa session-id common
  acl 120
  max-users 10
  exit
  !access-list 120 remark ==[Cisco VPN Users]==
  access-list 120 permit ip any host 192.168.0.10
  access-list 120 permit ip any host 192.168.0.11
  access-list 120 permit ip any host 192.168.0.12
  access-list 120 permit ip any host 192.168.0.13
  access-list 120 permit ip any host 192.168.0.14
  access-list 120 permit ip any host 192.168.0.15
  access-list 120 permit ip any host 192.168.0.16
  access-list 120 permit ip any host 192.168.0.17
  access-list 120 permit ip any host 192.168.0.18
  access-list 120 permit ip any host 192.168.0.19
  no access-list 100
  access-list 100 remark [Deny NAT for VPN Clients]=-
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
  access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
  access-list 100 remark
  access-list 100 remark -=[Internet NAT Service]=-
  access-list 100 permit ip 192.168.0.0 0.0.0.255 any
  exit
  ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
  ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
  ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
  ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
  ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
  ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
  ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
  ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
  ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
  ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
  ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
  ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
  ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
  ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
  ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
  ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
  ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
  ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
  ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
  ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
  ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
  ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
  ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
  ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
  ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
  ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
  ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
  ip http server
  ip http authentication local
  no ip http secure-server
  ip http path flash:/cme-gui-7.1.0.1
  file privilege 0
  telephony-service
  dn-webedit
  time-webedit
  transport input ssh
  line con 0
  line vty 0 15
  login local
  ntp server ntp.first2know.net
  clock timezone gmt 0
  clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
  ntp update-calendar
  ntp master
  =========================================================================================================================================
  Cisco 3750 Config;
  vlan 60
  name User
  vlan 61
  name Voice
  vlan 62
  name Server
  exit
  interface g1/0/1
  description Trunk-to-Router
  switchport trunk encapsulation dot1q
  switchport mode trunk
  spanning-tree portfast trunk
  interface vlan 60
  description User Vlan
  ip add 10.155.60.2 255.255.255.0
  interface vlan 61
  description Voice Vlan
  ip add 10.155.61.2 255.255.255.0
  interface vlan 62
  description Server Vlan
  ip add 10.155.62.2 255.255.255.0
  service dhcp
  ip dhcp pool Users
  network 10.155.60.0 255.255.255.0
  default-router 10.155.60.1
  dns server 4.2.2.2
  ip dhcp pool Voice
  network 10.155.61.0 255.255.255.0
  dns server 4.2.2.2
  exit
  ip dhcp excluded-address 10.155.60.1 10.155.60.2 10.155.60.3
  ip dhcp excluded-address 10.155.61.1 10.155.61.2
  interface range g1/0/2 - 1/0/21
  switchport mode access
  switchport access vlan 60
  switchport access vlan 61
  exit
  exit
  interface range g1/0/22 - 1/0/26
  switchport mode access
  switchport access vlan 62
  exit
  Thanks,
  Deepak

  One more thing I should clarify the route I am putting into the 10.10.1.9 server is
  route add 10.1.6.0 mask 255.255.255.0 10.10.1.250 which tells the server to bypass the ASA and go directly to the ISP router.(then i can successfully tracert everything).  The big question here is how to make the inside ASA connection 10.10.1.1 to force all traffic to 10.10.1.250.
  Thanks in advance.

• Dynamic Source NAT for multiple POOLS

  I am setting up Dynamic Source NAT with a few Pools and Access-list to translate according to the Access-list. However when configure some ACL don't work anything. And the ACL don't "match" any. I know that the correct way would be to apply the ACL about interface with "ip access-group <ACL-name> in/out" however in this case would be impossible to apply more one ACL with ip access-group command.
  FurthermoreI have tested to creating a route-map named TEST with all ACLs; but cannot to create all "ip nat inside source route-map... " with the same route-map name. Also checked the cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
  Attach the all configurations.
  I  need your help, 
  Thanks in advance!

  Oh my God!! Already works fine! I hadn't thought that "log"  would be a painful 
  Thanks John Marshall! 
  Attach my troubleshooting:
  INET#show ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
  tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
  tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
  Furthermore we can to check the "rotary option also works!"
  "INET#show ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  tcp 195.77.205.33:57238 10.55.0.1:57238   4.2.2.2:22         4.2.2.2:22
  tcp 195.77.205.33:16393 10.55.1.1:16393   4.2.2.2:22         4.2.2.2:22"
  Thanks again!

• ACE Routed mode - cannot see serverside network

  Hi all,
  I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the serverside VLAN only in the ACE context. Trouble is this doesn't seem to have propagted into the routing table.
  The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
  A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
  Am I missing something obvious. I've attached the config if that helps.
  Thank you
  Cathy

  I am not sure what your question is
  Are you not seeing the VIPs in 6500 routing table? If its about vip the RHI (Route health injection (loadbalance vip advertise) should take care of it.
  Or you want to see the Server vlan in the routing table of 6500?.
  If thats the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on upstream router).
  Syed Iftekhar Ahmed

• Issues with source NAT configuration in VNMC

  Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
  ASA 1000v
  -          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
  -          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
  On ASA running ‘show route’ outputs following:
  C             10.1.1.0 255.255.255.0 is directly connected, esp-in
  C             10.147.28.0 255.255.255.0 is directly connected, management
  C             10.147.30.0 255.255.255.0 is directly connected, esp-out
  S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
  On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
  Now I want to configure the following scenarios through VNMC:
  1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
  ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
  10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
  pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
  ERROR:  interface keyword is not allowed when translated interface is any;
  2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created ACL rule for allowing outbout ssh traffic. This working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
  ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
  ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
  Version details
  VNMC 2.0
  ASA 1000v version
  Cisco Adaptive Security Appliance Software Version 8.7(1)1
  Device Manager Version 6.7(1)
  Questions:
  -          Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above. Why am I getting the errors mentioned and how to fix them?
  -      Why is there an error on reassigning asa 1000v to the edge firewall
  -          How to enabling logging/debugging on ASA or VNMC to see packet details and how rules are getting applied?
  Thanks,
  Koushik

  Hello Arseny,
  How did you resolve this issue?
  We are still facing the same problem in WebI 4.1 SP5 Patch 4.
  The issue is still under SAP investigation with KBA 2131762.
  Regards,
  Mirko

• Packets not hitting the route-map's NAT access-list

  Hi Everyone,
  I've been struggling with this issue for two days, I have couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for nat to deny the packets that are going to the tunnel from getting NATed, I have the same config for all the tunnels but the issue is with xxx_NAT access-list that is not even being hit by the packets so my xxx tunnel wont come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. here is my config :
  interface GigabitEthernet0/1.102
  description "xxx"
  encapsulation dot1Q 102
  ip address 10.300.301.1 255.255.255.0
  ip access-group xxx_ACL in
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat pool ???_POOL ??
  ip nat pool ???_POOL ??
  ip nat pool ???_POOL ??
  ip nat pool xxx_POOL ??
  ip nat inside source route-map ??? pool ???_POOL overload
  ip nat inside source route-map ??? pool ???_POOL overload
  ip nat inside source route-map xxx pool xxx_POOL overload
  ip nat inside source route-map ??? pool ???_POOL overload
  ip access-list extended xxx-VPN
  remark VPN to xxx
  permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
  permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
  ip access-list extended xxx_ACL
  deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
  permit ip any any
  ip access-list extended xxx_NAT
  deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
  deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
  permit ip 10.300.301.0 0.0.0.255 any
  route-map ??? permit 10
  match ip address ???_NAT
  route-map xxx permit 10
  match ip address xxx_NAT
  route-map ??? permit 10
  match ip address NAT_???
  route-map ??? permit 10
  match ip address ???_NAT
  control-plane
  banner motd ^C

  As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
  So just a guess:
  The "ip nat inside source route-map-"staements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation which you should see with "show ip nat translation".
  HTH, Karsten

• Source Nat and Destination Nat

  Is any of the above working in the ACE OR CSM module by default?
  What is an advantage of configuring destination NAT on the ACE Box?

  Hello,
  On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
  In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
  Best regards,
  Sean

• How to configure a RV220W in normal routing mode (No NAT)

  Hi,
  I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
  C class IP network connected to the internet via a Fritzbox router. I need this router becasue of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse, send email but cant make a connection to a apple fileserver which is on the base network. When I try to operate in normal routing mode I cant get it to work. I am sure I am doing something wrong with the static routes. 
  Setup: 
  Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
  On the 192.168.12..0/24 network the printer, fileserver and PBX are connected. 
  Please help me in configuring this.
  The firmware is the latest 1.0.5.8.
  Thanks in advance!
  Peter

  Hello Peter,
  Sorry for the late reply, but I figured I would post anyone in case anyone else has this question.
  You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.  
  I am only looking at an emulator, but I believe this will cause a reboot.  Once in router mode NAT and the firewall are disabled, however access rules do still work.  
  You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as it's default gateway on it's WAN interface.  You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
  Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
  Thank you for choosing Cisco,
  Christopher Ebert
  Network Support Engineer - Cisco Small Business Support Center

• CSS Source NAT

  Hi,
  I have CSS in single arm deploymenet model. I am trying to do the exchange server load balancing. But I am facing problem
  with the soruce NAT. I dont want to NAT the client IP in VIP.
  Exchange team dont want to have Client IP address to be NATTED. They want real Client IP to appear in Exchange so that they can track exact
  user IP address for mail replying and tracking.
  Please let me know is there any way bypass the source NAT for specific VIP.

  Hi,
  I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
  1-          Client initiates the traffic to the VIP which will be forwarded to the servers. Then the server will replay to the client, from VIP to the client. In this case, I need to configure service and content.
  2-          Server initiates traffic to the client, the source will be VIP, the destination is client IP. In this case, I need to configure service and group.
  Q1: Is that right?
  I am facing a problem because some client applications discovered the server IP not VIP, the make failure..
  Q2: Where is the problem?

• Source NAT for specific servers in a rule

  Hello,
  I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
  VIP address: 61.61.61.61
  Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
  Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
  Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
  service AAAA
  ip address 10.1.1.1
  active
  service BBBB
  ip address 10.1.1.2
  active
  service XXXX
  ip address 20.1.1.1
  active
  service YYYY
  ip address 20.1.1.2
  active
  owner Gateway
  content Gateway1
  vip address 61.61.61.61
  add service 10.1.1.1
  add service 10.1.1.2
  add service 20.1.1.2
  add service 20.1.1.1
  active
  As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
  group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
  In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
  Appreciate any help.

  Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
  Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
  FROM:
  group Gateway
    vip address 61.61.61.61
    add destination service 20.1.1.1
    add destination service 20.1.1.2
    active
  TO:
  group Gateway
    vip address 61.61.61.61
    add destination service 10.1.1.1
    add destination service 10.1.1.2
    add destination service 20.1.1.1
    add destination service 20.1.1.2
    active
  Good luck!
  James