Client NAT in CSM?

In CSM, we need client NAT.
I have a question about client NAT.
Is client NAT PAT or plain NAT?
If it is PAT, does it operate in rotary mode?
If client NAT is just NAT, we have a problem.

The PAT range for a vserver set up for the FTP service is 1025-8192.
For all others, the PAT range is 8193-65535.
It starts at 8193 and increments.
PAT is always on.
Gilles.

Similar Messages

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT pools, on which the configuration guide is a little scant.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool?
    I hope this makes sense!
    thanks
    Sheldon

    The CSM does PAT by default.
    Gilles.
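The two answers above (PAT always on, ports from 8193 upward for ordinary vservers and 1025-8192 for an FTP vserver, a 16-address pool still serving more than 16 sessions) can be checked against a small model. The following is an added example, not CSM code or anything posted in the thread; the pool addresses and client flows are constructed, and the round-robin cycling of pool addresses with a per-address port counter is an assumption of the model, since the page only states the ranges and that the port increments.

```python
"""Model of CSM-style client NAT with PAT, as described in this thread:
a natpool of addresses, PAT always on, and ports handed out from 8193
upward for ordinary vservers or from 1025-8192 for an FTP vserver.

Added example, not CSM code. Pool addresses and client flows are constructed.
ASSUMPTION: addresses are used round-robin and each address keeps its own
incrementing port counter; the page only states the ranges and that the
port increments, not how addresses in a pool are cycled.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

FTP_RANGE = (1025, 8192)       # PAT range for an FTP vserver (from the thread)
DEFAULT_RANGE = (8193, 65535)  # PAT range for every other vserver (from the thread)

Flow = Tuple[str, int, str, int]       # (client_ip, client_port, dst_ip, dst_port)
Binding = Tuple[str, int]              # (nat_ip, nat_port) chosen from the pool


class ClientNatPool:
    """A 'natpool NAME first last netmask ...' with PAT on every address."""

    def __init__(self, name: str, first: str, last: str, ftp: bool = False):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.name = name
        self.addresses = [str(IPv4Address(a)) for a in range(lo, hi + 1)]
        self.port_lo, self.port_hi = FTP_RANGE if ftp else DEFAULT_RANGE
        self.next_port = {a: self.port_lo for a in self.addresses}
        self.rr = 0                                   # round-robin cursor (assumption)
        self.forward: Dict[Flow, Binding] = {}        # client flow -> NAT binding
        self.reverse: Dict[Binding, Flow] = {}        # NAT binding -> client flow

    def translate(self, flow: Flow) -> Optional[Binding]:
        """Return the (nat_ip, nat_port) used for this client flow, allocating
        a new binding if needed. None means the pool's port space is exhausted."""
        if flow in self.forward:
            return self.forward[flow]
        n = len(self.addresses)
        for k in range(n):
            addr = self.addresses[(self.rr + k) % n]
            port = self.next_port[addr]
            if port > self.port_hi:          # this address has no ports left
                continue
            self.next_port[addr] = port + 1  # "starts at 8193 and increments"
            self.rr = (self.rr + k + 1) % n
            self.forward[flow] = (addr, port)
            self.reverse[(addr, port)] = flow
            return addr, port
        return None

    def untranslate(self, nat_ip: str, nat_port: int) -> Optional[Flow]:
        """Reverse lookup used for the server's reply: which client flow owns
        this pool address/port?"""
        return self.reverse.get((nat_ip, nat_port))


def simulate_sessions(pool: ClientNatPool, count: int,
                      dst: Tuple[str, int] = ("10.1.1.10", 80)) -> List[Optional[Binding]]:
    """Open `count` flows from distinct constructed clients through the pool and
    return the binding each one received (None once the pool is exhausted)."""
    bindings = []
    for i in range(count):
        client = f"172.16.{i // 256}.{i % 256}"         # constructed client address
        bindings.append(pool.translate((client, 40000 + i, dst[0], dst[1])))
    return bindings


if __name__ == "__main__":
    # Sheldon's 16-address pool with more sessions than addresses:
    pool = ClientNatPool("POOL1", "10.1.5.0", "10.1.5.15")
    for i, b in enumerate(simulate_sessions(pool, 20), start=1):
        print(f"session {i:2d} -> {b}")
    # The 17th session reuses the first address with the next port, because PAT is on.
    print("owner of 10.1.5.0:8194 ->", pool.untranslate("10.1.5.0", 8194))
```

Running it with Sheldon's 16-address pool and 20 sessions shows every session getting a binding; the seventeenth reuses the first address on the next port. Building the same pool with `ftp=True` and one address exhausts it after 7168 flows (1025 through 8192), which is the kind of limit worth knowing before sizing a pool in front of an FTP vserver.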

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Client NAT and Source IP Sticky

    How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

    This is possible.
    The CSM will first determine the destination server based on the client IP and the sticky srcip table, and then it will NAT the client IP address using your pool.
    It does not matter which subnet is being used, as long as the servers know to respond back to the CSM.
    Regards,
    Gilles.

  • Nat on csm

    hi,
    I just couldn't find good documentation as to when we need NAT in our CSM configuration. Can anyone explain or provide a link, please?
    thx a lot.

    There are two types of NATting:
    client NAT and server NAT.
    You will normally do server NAT unless all your servers share one loopback IP address.
    In that case, you use this loopback IP address as the vserver address and you don't do NAT.
    Otherwise you need server NAT so the IP address of the server is used when forwarding the traffic.
    Client NAT is used when you want to hide the client IP or when you want to make sure the response from the server will be sent to the CSM.
    Most people do not use client NAT.
    Gilles.

  • 2 client vlan for CSM - possible?

    Hi,
    Is it possible that CSM has two client side vlans? The reason why i need to configure 2 client-side vlans is the ip address of the first client-side vlan is running out.
    Thanks.
    J.W.

    Yes, you can definitely use multiple client VLANs with the CSM.
    The CSM keeps track of the MAC address from which it receives the flow
    and sends the response from the reals back there.
    If you define two default gateways then you will face some routing issues. With multiple
    gateways defined, the CSM randomly picks one gateway. This random selection can hurt you if your reals initiate connections.
    To tackle the server-initiated connection issue you can use the following workaround:
    vserver Server-side
    virtual 0.0.0.0 0.0.0.0 any
    vlan 100 <------- server vlan where real exist
    serverfarm RealX-out
    inservice
    serverfarm RealX-out
    no nat server
    real 192.168.1.1 <---- Gateway that you want to use for this traffic
    inservice
    Hope it helps
    Syed Iftekhar Ahmed

  • Help with dynamic NAT and CSM 4.4 and ASA 8.3

    Hello
    I am currently trying to add a dynamic NAT rule in CSM 4.4 for an ASA 8.3 device, but it fails at deployment with the error message:
    Failed to generate delta config
    The following commands have not been recognized by the Configuration Parser:
    ==========================
    (inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
    So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
    How do I do a normal dynamic NAT in CSM 4.4 for this case?
    Traffic comes from inside and has to leave on the outside with the changed source IP.
    I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
    Thanks
    Patrick

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports, but some comments -
    1) you don't show other interfaces, but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24, yet your static NATs are referring to 10.18.21.2?
    3) following on from 2), your PBX_SUBNET acl is wrong; it should be -
    ip access-list extended PBX_SUBNET
    permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon
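Jon's point about the wildcard mask is easy to get wrong in review, so here is an added example (not from the thread, not a Cisco tool) that applies Cisco wildcard-mask semantics to a couple of constructed ACLs: with `0.0.0.0` the ACE matches only the address 10.1.1.0 itself and every real host in the subnet falls through to the implicit deny; with `0.0.0.255` it covers the whole /24. Only the source side of an extended ACE is modelled.

```python
"""Cisco wildcard-mask ACL semantics, illustrating Jon's point that the last
octet of the wildcard must be 255 for 'permit ip 10.1.1.0 ... any' to cover
the whole 10.1.1.0/24 subnet.

Added example, not from the thread or any Cisco tool. Only the source side of
an extended ACE is modelled (action, protocol, source, wildcard); the sample
ACLs and addresses below are constructed.
"""
from ipaddress import IPv4Address
from typing import List, Tuple

Ace = Tuple[str, str, str]   # (action, source_address, wildcard_mask)
ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means 'must match'
    (the inverse of a subnet mask)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (n & care)


def addresses_covered(wildcard: str) -> int:
    """How many addresses an ACE with this wildcard covers (2 ** number of 1 bits)."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")


def parse_ace(line: str) -> Ace:
    """Parse the source part of lines such as:
       permit ip 10.1.1.0 0.0.0.255 any
       permit ip host 10.1.1.7 any
       deny ip any any
    """
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]      # tokens[1] is the protocol
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], rest[1]


def evaluate_acl(acl: List[str], src_ip: str) -> str:
    """First-match evaluation with the implicit 'deny' every Cisco ACL ends with."""
    for line in acl:
        action, ace_addr, wildcard = parse_ace(line)
        if wildcard_match(src_ip, ace_addr, wildcard):
            return action
    return "deny"


# Constructed ACLs: the mistaken wildcard versus the one Jon recommends.
ACL_WRONG = ["permit ip 10.1.1.0 0.0.0.0 any"]     # matches only 10.1.1.0 itself
ACL_RIGHT = ["permit ip 10.1.1.0 0.0.0.255 any"]   # matches all of 10.1.1.0/24

if __name__ == "__main__":
    for ip in ("10.1.1.0", "10.1.1.25", "10.1.2.25"):
        print(ip, "wrong ->", evaluate_acl(ACL_WRONG, ip),
              "| right ->", evaluate_acl(ACL_RIGHT, ip))
    print("0.0.0.255 covers", addresses_covered("0.0.0.255"), "addresses")
```

The `addresses_covered` helper is a quick sanity check when reading an ACL: a wildcard of `0.0.0.0` covers exactly one address, which is rarely what a line labelled "subnet" intends.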

  • Client NAT - ACE

    Hi All,
    We are trying to configure client NAT on the ACE; I have tried the following configuration.
    I want to make sure of the following things:
    1) Whether this is the right way to do it, or whether it is possible at all?
    2) If it is, and anyone has ideas, please let me know so that I can send the topology diagram as well to make it easier to understand.
    class-map match-all CLIENT-TO-AVS-VIP
    2 match virtual-address 172.16.30.110 tcp eq www
    class-map match-all NAT
    2 match source-address 0.0.0.0 0.0.0.0
    3 match destination-address 172.16.30.110 255.255.255.255
    policy-map multi-match MOON-POLICY
    class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    class NAT
    nat dynamic 9 vlan 300
    interface vlan 300
    description Clentside interface
    bridge-group 30
    access-group input ALL
    nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
    service-policy input REMOTE-MGMT
    service-policy input MOON-POLICY
    no shutdown
    Regards
    Aslam...

    Hi Aslam,
    Yes, it's possible in quite a simple way. I see some errors in your configuration:
    You don't need a second class map "NAT"; the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, load balance AND NAT the client traffic".
    To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.
    This should work as you want:
    class-map match-all CLIENT-TO-AVS-VIP
    2 match virtual-address 172.16.30.110 tcp eq www
    policy-map multi-match MOON-POLICY
    class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300
    Remember that an instruction like
    "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm: no instruction on source-address means match any source.
    You can check some other scenarios on source NAT here:
    http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html
    Hope this helps.
    Alberto

  • Client NAT in CSS11500

    Hi,
    I'm currently redesigning my portal infrastructure and as such, I need to redo a few things on my CSS. But I can't seem to find anything about client NAT on the CSS. I need to NAT/PAT external sessions to an inside RFC1918 address. The config below simply passes the original src IP through and consequently the session is blocked by the firewall. So far I've been unsuccessful in finding the proper documentation, so I'm hoping someone here can help me get started.
    owner BK019TF
    content BK019TF-SSL
    vip address a.b.c.d
    add service SSLMODULE1
    port 443
    protocol tcp
    active
    content BK019TF
    redundant-index 142
    advanced-balance sticky-srcip
    port 4433
    protocol tcp
    vip address a.b.c.d
    add service Misys-ben-3
    add service Misys-ben-4
    active
    Thanks
    /Ulrih

    Source groups are used on the CSS to NAT the source IP addresses. There could be two scenarios:
    1. A connection is opened to the server.
    In this case you need 'add destination service'.
    2. The server opens the connection. In this case you need 'add service ...'
    The following example will give you some idea of how to implement source NAT with the CSS:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
    Thanks
    Syed Iftekhar Ahmed

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported on the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" inside the corresponding
    "policy-map type loadbalance".
    Could you check the two parts of the configs and advise me whether the ACE config is
    properly converted from the CSM and will work in the same way (especially for NAT)?
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • RV042 Shrew soft client NAT-t new mapping

    Hi everyone,
    Since I had a Quick VPN issue, I tried the Shrew Soft client, hoping to get the IPSec tunnel up with the RV042 router in Client-to-Gateway mode.
    On the Shrew client I got "Tunnel is activated" but then got "established failed" errors.
    On the RV042 IPSec log, it ended with: NAT-T: x.x.x.x new mapping.
    What does it mean?
    Thanks for your answers.

    Hi Hdam,
    That's good :)
    - Yes, you can change the FQDN from remote.com to another domain name.
    - Why don't I select IP address as remote? Because on the router, when you select Group VPN, the VPN will automatically be the responder and wait for a connection; in that case we don't need to specify the public or LAN network of the client, because they can connect from anywhere.
    Now, on the client the local ID should be the same as the remote ID on the router (remember that when you configure a VPN tunnel between two routers, the local address from site B should be the remote local on site A; it is the same here with Shrew VPN, but using FQDN).
    - Just to clarify: the RV0xx doesn't support VLANs; it is port-based VLAN and multiple subnets, BUT you can achieve what you need :)
    Please follow these steps:
    Step 1: I assume that you have already added an additional subnet; if not, just add it under Setup --> Network and add the additional subnet there. For a better implementation of the subnet, it is better to have something like this example: if you have the default network 192.168.1.1/24, add a second subnet 192.168.2.1/24. In this case, in the VPN setup we can do subnet summarization, which will be 192.168.0.0/16 (class B), and all the PCs connected to the router should have gateway 192.168.1.1 or 192.168.2.1 in my example, of course.
    Step 2: Under VPN --> Summary --> edit the old configuration for the VPN client and change the local network to 192.168.0.0 mask 255.255.0.0.
    Step 3: On Shrew VPN, also under Policy --> Remote Network Resource, change to 192.168.0.0 255.255.0.0,
    and it should work :)
    Please rate this post to help other Cisco customers.
    Greetings
    Mehdi

  • ACE 4710 client NAT (outgoing)

    Hi Experts,
         I have an ACE 4710 set up as load balancing HTTP and HTTPS only; it seems to be working fine.
         Now I have another requirement to NAT all real server IPs (server-side internal network 10.8.8.0) to the VIP (192.168.1.20).
    Our configuration is as below:
    the two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP is 10.8.8.254);
    vlan v400 faces the public side, the v400 interface IP is 192.168.1.10, and one VIP 192.168.1.20 is mapped to the two real servers.
    I need to configure: all outgoing traffic from network 10.8.8.0 to the public side has its source IP NATed to 192.168.1.20 (the VIP, not the interface's real IP 192.168.1.10).
    Thanks,
    BQ

    Here are a few things you could try:
    1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
    change to
    nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
    2. service-policy input remote-access
    Do you have a management VLAN interface defined? If so, add it to that interface.
    3. The requirements are to LB http (80) and https (443). In this case you would need two separate VIPs defined:
    VIP1:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 eq tcp 80
    VIP2:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 eq tcp 443
    Is there a requirement to redirect http traffic ? If so you would need to define another class-map to redirect http traffic to https
    show service-policy client-vips detail   
    HTH

  • Second Client Side VLAN - CSM

    Our current environment has grown to the size that a single Class C subnet on the client side of the CSM is full. We have a need to add an additional Class C subnet for the client side, but our TCOM group gave us a range which is not contiguous to the existing range and therefore cannot be added by simply changing the subnet mask (from 24 to 23).
    The default route for all traffic from the CSM is an IP address on the subnet described above.
    How should the new subnet be configured? I understand that there can only be one gateway on the CSM...so if traffic comes in on the second subnet, does this mean that it will go back out on the first subnet?
    Does this look right
    vlan 111 client
    ip address 192.168.111.5 255.255.255.0
    gateway 192.168.111.1
    vlan 222 client
    ip address 192.168.222.5 255.255.255.0
    On the Switch, when I run
    "sho ip route 192.168.111.5"
    it replies with "directly connected, via VLan111"
    When I run
    "sho ip route 192.168.222.5"
    it also replies back with the same:
    "directly connected, via VLan111"
    Please note: That I only manage the CSM and SSL-M. The switch and MSFC are managed by our TCOM group. Thanks for any information on this request!

    First, I want to thank you for the quick replies.
    I understand what you are explaining here and believe that our current configuration is as you have explained, but need to further clarify what we have in place.
    The single vlan on the client side previously had only a single class C subnet. It now has two separate Class C subnets. Traffic can reach the CSM, but never returns back to the client. When I added the configuration for the second VLAN client side and addressed it as part of the second class C address, content would now be returned to the client from the server side. But, I could not get the content to be forwarded to the SSL module which resides on a separate VLAN. I then removed client VLAN and traffic continued to flow properly (except to SSL module). I then cleared connections to the vservers (to emulate a reboot), this caused all traffic to no longer return to the client.
    Below is configuration (IP addresses changed to protect the innocent).
    ssl-proxy module 2 allowed-vlan 4,219
    ip subnet-zero
    vlan 200 server
    ip address 172.54.200.2 255.255.254.0
    alias 172.54.200.1 255.255.254.0
    vlan 4 server
    ip address 192.168.219.5 255.255.255.0
    vlan 219 client
    ip address 192.168.219.5 255.255.255.0
    gateway 192.168.219.1
    natpool SERVERSIDE1 172.54.200.241 172.54.200.254 netmask 255.255.254.0
    interface Vlan64
    description Network 64
    ip address 172.32.64.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    shutdown
    interface Vlan65
    description Network 65
    ip address 172.32.65.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    interface Vlan219
    description WebTeam URL Network
    ip address 192.168.222.2 255.255.255.0 secondary
    ip address 192.168.219.2 255.255.255.0
    no ip redirects
    no ip unreachables
    ip pim dense-mode
    ip route-cache flow
    no ip mroute-cache
    standby 10 ip 192.168.219.1
    standby 10 timers 3 9
    standby 10 priority 110
    standby 10 preempt
    standby 11 ip 192.168.222.1
    standby 11 timers 3 9
    standby 11 priority 110
    standby 11 preempt
    ip classless
    ip route 172.54.200.0 255.255.254.0 192.168.219.5
    NOTES: SSL-MODULE IP address 192.168.219.6 on VLAN 4.
    I will go ahead and open TAC Case and post results later.

  • Combination bridged mode routed mode CSM

    We run an active/standby pair of
    CSM with SSL WS-X6066-SLB-S-K9.
    Currently we have our real servers in 2 VLANs: 116 and 117. Our VIPs are mostly in the client vlan 119. Load balancing works fine.
    We now want to load balance between real servers in the 116 vlan. So far we have been unsuccessful in getting it working. I suspect because we essentially require a configuration that combines routed with bridged mode.
    Has anyone been able to configure such a setup? Is it possible at all?

    This type of topology is not 'bridged mode'.
    When you have the source and destination of the load-balancing process in the same subnet (in your topology, vlan116), you need to use source NAT (client NAT in CSM terminology).
    Let me explain it:
    1. The client (srcIP-vlan116) sends a request to the VIP (VIP-vlan116).
    2. The CSM processes (modifies) the request and sends it to dstIP-vlan116 (the src IP is still srcIP-vlan116) (*).
    3. The server receives the request. It will respond to srcIP-vlan116, and the response is not delivered through the CSM but directly. TCP communication is not possible, because the client's request was modified on the CSM.
    * When the CSM modifies the source IP, for example to one of the CSM's own IP addresses, the response from the server is always sent to the CSM and not directly.
    Martin
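Martin's three steps can be traced with a small model of who receives the server's reply when client, VIP and real all sit in vlan116. This is an added example, not CSM code and not from the thread: the addresses, ports and the table of which host owns which address are constructed, and the pool port 8193 is simply the start of the default PAT range given earlier on this page.

```python
"""Return-path model for Martin's same-subnet case: client, VIP and real
server all sit in vlan116, so whoever owns the reply's destination address
receives it directly. Without client NAT the server answers the client
straight, bypassing the CSM; with client NAT the reply lands on the CSM,
which un-translates it back to the VIP/client pair the client expects.

Added example, not CSM code. Addresses, ports and the address-ownership
table are constructed; the NAT port 8193 is the start of the default PAT
range mentioned earlier in this thread.
"""
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]

CLIENT = ("10.116.0.50", 40000)    # constructed client in vlan116
VIP = ("10.116.0.10", 443)         # vserver address, owned by the CSM
REAL = ("10.116.0.20", 443)        # real server (reached via server NAT)
CSM_NAT = ("10.116.0.3", 8193)     # client-NAT pool address, owned by the CSM

# Who owns each address in vlan116 (constructed). Everything is on-link,
# so a packet is delivered straight to the owner of its destination.
OWNERS: Dict[str, str] = {
    CLIENT[0]: "client",
    REAL[0]: "server",
    VIP[0]: "csm",
    CSM_NAT[0]: "csm",
}


def exchange(client_nat: bool) -> Dict[str, object]:
    """Walk the request/reply once and report where the reply goes and
    whether it matches the connection the client actually opened."""
    # The client's view of its TCP connection: local endpoint <-> VIP.
    client_conn = (CLIENT, VIP)

    # Steps 1-2: the CSM rewrites the destination to the real (server NAT);
    # with client NAT it also rewrites the source to the pool address.
    forwarded_src: Endpoint = CSM_NAT if client_nat else CLIENT

    # Step 3: the server replies to the source address it saw.
    reply_src, reply_dst = REAL, forwarded_src
    path: List[str] = [OWNERS[reply_dst[0]]]

    if path[-1] == "csm":
        # The CSM un-translates: source back to the VIP, destination to the client.
        reply_src, reply_dst = VIP, CLIENT
        path.append(OWNERS[reply_dst[0]])

    # The client only accepts a segment that belongs to the connection it opened.
    accepted = (reply_dst, reply_src) == client_conn
    return {"path": path, "reply_from": reply_src[0], "client_accepts": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        print("client NAT on " if mode else "client NAT off", "->", exchange(mode))
```

With client NAT off the reply reaches the client directly from the real's address, which the client has no connection to, so it is discarded (in practice reset); with client NAT on the reply is delivered to the CSM first, un-translated, and then matches the client's connection to the VIP. The model is deliberately limited to the same-subnet case Martin describes; in a routed topology the real's default gateway, not address ownership, decides the return path.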

  • CSM Source NAT

    Is there a way to NAT a server-initiated connection based upon destination, similar to what's possible using a source group in a CSS? What I'd like to do is NAT a server-initiated connection to the Virtual IP when the server is connecting to the internet, but bypass NAT when the connection is to an internal network.

    Make a vserver to catch the internal traffic and use a predictor forward serverfarm with no client NAT and no server NAT.
    Make another vserver to catch all traffic from the server VLAN and use a predictor forward serverfarm with client NAT enabled.
    Gilles.
