CSM Source NAT

Is there a way to NAT a server-initiated connection based upon destination, similar to what's possible using a source group in a CSS? What I'd like to do is NAT a server-initiated connection to the Virtual IP when the server is connecting to the internet, but bypass NAT when the connection is to an internal network.

Make a vserver to catch the internal traffic and use a 'predictor forward' serverfarm with no client NAT and no server NAT.
Make another vserver that catches all traffic from the server VLAN and uses a 'predictor forward' serverfarm with client NAT enabled.
Gilles.

Similar Messages

  • Source Nat and Destination Nat

    Is any of the above working in the ACE OR CSM module by default?
    What is an advantage of configuring destination NAT on the ACE Box?

    Hello,
    On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
    In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server to send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will initially be sourced with the real server's IP address. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
    Best regards,
    Sean
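    The two-vserver arrangement Gilles describes in the opening thread (a specific 'predictor forward' vserver with no NAT for internal destinations, plus a catch-all vserver with client NAT for everything else) and the destination-NAT behaviour Sean explains above, modelled as an added Python example. This is not code from the thread or from Cisco: the addresses, vserver names and the single-address client NAT pool are constructed, and the model assumes the most specific vserver wins when several match a destination.

```python
"""Added example, not from the thread: a small model of a CSM/ACE-style
load balancer applying 'nat server' (dst VIP -> real) and 'nat client'
(src -> pool) according to which vserver a flow matches.
All addresses and names below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Serverfarm:
    """Mirrors the CSM 'serverfarm' block."""
    reals: List[str] = field(default_factory=list)  # empty => 'predictor forward'
    nat_server: bool = True            # CSM default: rewrite dst VIP -> real
    nat_client: Optional[str] = None   # 'nat client <pool>' (single-address pool here)
    _rr: int = 0                       # round-robin cursor for the predictor

    def pick_real(self) -> Optional[str]:
        if not self.reals:
            return None                # predictor forward: keep the destination
        real = self.reals[self._rr % len(self.reals)]
        self._rr += 1
        return real


@dataclass
class Vserver:
    name: str
    virtual: ipaddress.IPv4Network     # 'virtual a.b.c.d netmask ...'; 0.0.0.0/0 = catch-all
    farm: Serverfarm


class LoadBalancer:
    def __init__(self, vservers: List[Vserver]) -> None:
        # Assumption of this model: the most specific vserver wins.
        self.vservers = sorted(vservers, key=lambda v: v.virtual.prefixlen, reverse=True)
        # (real_or_dst, translated_src) -> (original_dst, original_src)
        self.flows: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def match(self, pkt: Packet) -> Optional[Vserver]:
        ip = ipaddress.ip_address(pkt.dst)
        return next((v for v in self.vservers if ip in v.virtual), None)

    def forward(self, pkt: Packet) -> Tuple[Optional[str], Optional[Packet]]:
        """Client-to-server direction: returns (vserver name, translated packet)."""
        v = self.match(pkt)
        if v is None:
            return None, None
        src = v.farm.nat_client or pkt.src          # client NAT only if configured
        real = v.farm.pick_real()
        dst = real if (real and v.farm.nat_server) else pkt.dst
        out = Packet(src, dst)
        self.flows[(out.dst, out.src)] = (pkt.dst, pkt.src)  # remember how to undo it
        return v.name, out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server-to-client direction: undo both translations from the flow entry."""
        orig = self.flows.get((pkt.src, pkt.dst))
        if orig is None:
            return None                # no flow: this reply never passed through on the way out
        vip, client = orig
        return Packet(vip, client)


def demo() -> Dict[str, object]:
    web = Serverfarm(reals=["10.1.1.11", "10.1.1.12"])       # nat server on, no nat client
    internal = Serverfarm()                                   # predictor forward, no NAT at all
    outbound = Serverfarm(nat_client="198.51.100.1")          # predictor forward + client NAT
    lb = LoadBalancer([
        Vserver("WEB-VIP", ipaddress.ip_network("198.51.100.1/32"), web),
        Vserver("INTERNAL", ipaddress.ip_network("10.0.0.0/8"), internal),
        Vserver("OUTBOUND", ipaddress.ip_network("0.0.0.0/0"), outbound),
    ])
    results: Dict[str, object] = {}
    name, fwd = lb.forward(Packet("203.0.113.10", "198.51.100.1"))
    results["client_in"] = (name, fwd)                        # dst VIP -> real
    results["client_reply"] = lb.reply(Packet(fwd.dst, fwd.src))  # src real -> VIP
    results["server_to_internal"] = lb.forward(Packet("10.1.1.11", "10.2.2.2"))
    results["server_to_internet"] = lb.forward(Packet("10.1.1.11", "93.184.216.34"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    The server-initiated flow to 10.2.2.2 lands on the more specific INTERNAL vserver and leaves untouched, while the flow to the internet falls through to the catch-all and leaves with the VIP as its source, which is the split the original question asked for.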

  • CSM Source Nating

    Hello,
    I'm looking for some info on how to source NAT inter-site requests on the CSM. At present I have two servers on different layers of my platform.
    Server A with address 192.168.1.1 and server B with address 192.168.2.1 are both connected to different routers below the CSM and can route via a firewall on their private addresses.
    The application on server A has to talk to server B on the 155.y.y.7 public address.
    The issue is that the source of server A is not getting NATed, so the return traffic is not going back via the CSM but is being routed back to the firewall with the two private addresses; thus we are getting out-of-sync packets.
    Existing config on the CSM:
      static nat virtual
        real 192.168.1.1
        real 192.168.2.1
      serverfarm serverA
        no nat client
        real 192.168.1.1
          inservice
      vserver serverA-vip
        virtual 155.x.x.1 tcp 0
        serverfarm serverA
        persistent rebalance
        inservice
      serverfarm serviceB
        nat server
        no nat client
        real 192.168.2.1
          inservice
      vserver serverB-vip
        virtual 155.y.y.7 tcp 0
        serverfarm serviceB
        persistent rebalance
        inservice
    Thanks.
    Charlie.

    Charlie,
    as you can see in your config, you have 'no nat client'.
    This is the source NAT.
    All you have to do is create a pool of addresses and then assign it to the serverfarm with 'nat client <pool-name>'.
    This will NAT all traffic from any client.
    If you want to avoid this, you need to create a second serverfarm that would be used exclusively when the connection is made from server A.
    Let me know if you need anything else.
    Regards,
    Gilles.

  • Dynamic Source NAT for multiple POOLS

    I am setting up Dynamic Source NAT with a few pools and access-lists, to translate according to the access-list. However, when I configure it, some ACLs don't work at all, and the ACLs don't "match" anything. I know that the correct way would be to apply the ACL to the interface with "ip access-group <ACL-name> in/out"; however, in this case it would be impossible to apply more than one ACL with the ip access-group command.
    Furthermore, I have tried creating a route-map named TEST with all the ACLs, but I cannot create all the "ip nat inside source route-map ..." statements with the same route-map name. I also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
    All the configurations are attached.
    I  need your help, 
    Thanks in advance!

    Oh my God!! It already works fine! I hadn't thought that "log" would be such a pain.
    Thanks John Marshall!
    Attached is my troubleshooting:
      INET#show ip nat translations
      Pro Inside global          Inside local          Outside local        Outside global
      tcp 195.77.205.33:49529    10.55.0.1:49529       4.2.2.2:22           4.2.2.2:22
      tcp 200.200.200.1:62978    10.55.1.1:62978       4.2.2.2:4343         4.2.2.2:4343
      tcp 195.77.205.20:13493    181.70.12.18:13493    195.47.200.32:443    195.47.200.32:443
    Furthermore, we can check that the rotary option also works:
      INET#show ip nat translations
      Pro Inside global          Inside local          Outside local        Outside global
      tcp 195.77.205.33:57238    10.55.0.1:57238       4.2.2.2:22           4.2.2.2:22
      tcp 195.77.205.33:16393    10.55.1.1:16393       4.2.2.2:22           4.2.2.2:22
    Thanks again!
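    As an added example (not posted in the thread), a small parser for the 'show ip nat translations' output quoted above that checks each translation against an intended inside-subnet-to-pool policy. The sample tables are constructed from the addresses in the post; the policy mapping (which subnet should land on which inside-global address) is an assumption, not the poster's configuration.

```python
"""Added example: parse 'show ip nat translations' and verify that every
inside host was translated into the pool its ACL was meant to select.
Sample tables are constructed from the thread; POLICY is an assumption."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Xlate(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


# One data row: protocol followed by four "addr:port" (or "---") columns.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_addr(col: str) -> Tuple[str, Optional[int]]:
    """'195.77.205.33:49529' -> ('195.77.205.33', 49529); '---' -> ('---', None)."""
    host, sep, port = col.rpartition(":")
    return (host, int(port)) if sep else (col, None)


def parse_xlates(text: str) -> List[Xlate]:
    rows: List[Xlate] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Pro ") or "#" in line:
            continue                      # skip the prompt line and the column header
        m = ROW_RE.match(line)
        if m:
            rows.append(Xlate(*m.groups()))
    return rows


# Assumed intent: each inside subnet must be translated into this inside-global address.
POLICY = {
    ipaddress.ip_network("10.55.0.0/24"): "195.77.205.33",
    ipaddress.ip_network("10.55.1.0/24"): "200.200.200.1",
}


def check_policy(rows: List[Xlate], policy=POLICY) -> Dict[str, List[str]]:
    verdict: Dict[str, List[str]] = {"ok": [], "wrong_pool": [], "unmatched": []}
    for r in rows:
        local_ip, _ = split_addr(r.inside_local)
        global_ip, _ = split_addr(r.inside_global)
        ip = ipaddress.ip_address(local_ip)
        nets = [n for n in policy if ip in n]
        if not nets:
            verdict["unmatched"].append(local_ip)   # no policy entry covers this host
            continue
        expected = policy[max(nets, key=lambda n: n.prefixlen)]   # longest prefix wins
        if global_ip == expected:
            verdict["ok"].append(local_ip)
        else:
            verdict["wrong_pool"].append(f"{local_ip} -> {global_ip} (expected {expected})")
    return verdict


# Constructed from the two outputs quoted in the post above.
FIRST_TABLE = """\
INET#show ip nat translations
Pro Inside global          Inside local          Outside local        Outside global
tcp 195.77.205.33:49529    10.55.0.1:49529       4.2.2.2:22           4.2.2.2:22
tcp 200.200.200.1:62978    10.55.1.1:62978       4.2.2.2:4343         4.2.2.2:4343
tcp 195.77.205.20:13493    181.70.12.18:13493    195.47.200.32:443    195.47.200.32:443
"""
ROTARY_TABLE = """\
INET#show ip nat translations
Pro Inside global          Inside local          Outside local        Outside global
tcp 195.77.205.33:57238    10.55.0.1:57238       4.2.2.2:22           4.2.2.2:22
tcp 195.77.205.33:16393    10.55.1.1:16393       4.2.2.2:22           4.2.2.2:22
"""

if __name__ == "__main__":
    for name, table in (("first", FIRST_TABLE), ("rotary", ROTARY_TABLE)):
        print(name, check_policy(parse_xlates(table)))
```

    Against the first table the check passes for both 10.55.x hosts and reports 181.70.12.18 as uncovered by the policy. Against the second table, where the poster deliberately sent both subnets through the same rotary pool, the same policy flags 10.55.1.1, which is the signal you want when an overlapping ACL or route-map quietly steers a host into the wrong pool.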

  • CSS Source NAT

    Hi,
    I have a CSS in the single-arm deployment model. I am trying to do Exchange server load balancing, but I am facing a problem
    with the source NAT. I don't want to NAT the client IP to the VIP.
    The Exchange team doesn't want the client IP address to be NATed. They want the real client IP to appear in Exchange so that they can track the exact
    user IP address for mail replying and tracking.
    Please let me know if there is any way to bypass the source NAT for a specific VIP.

    Hi,
    I need something like that. I need to hide all servers behind the CSS11501, so any client will contact the server as follows:
    1-          Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure service and content.
    2-          Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
    Q1: Is that right?
    I am facing a problem because some client applications discover the server IP, not the VIP, and fail.
    Q2: Where is the problem?

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
    What would be the difference between the nat-pools configured with different netmask.
    What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
    and why?
    case 1:
      interface vlan 7
        ip address 10.10.10.100 255.255.255.0
        nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
        service-policy input clientvips
        no shutdown
    case 2:
      interface vlan 7
        ip address 10.10.10.100 255.255.255.0
        nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
        service-policy input clientvips
        no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X ------- Router --- internet
                 |
                 |-- Sfarm 1
                 |
                 |-- Sfarm 2
                 |
                 |-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • ACE router or source NAT

    Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....

    The advantage of running SNAT is that the ACE is deployed in a "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
    In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
    In routed mode the ACE acts as the server default gateway.
    Routed mode is the easier of the two to configure.

  • Source NAT for specific servers in a rule

    Hello,
    I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
    VIP address: 61.61.61.61
    Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
    Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
    Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
      service AAAA
        ip address 10.1.1.1
        active
      service BBBB
        ip address 10.1.1.2
        active
      service XXXX
        ip address 20.1.1.1
        active
      service YYYY
        ip address 20.1.1.2
        active
      owner Gateway
        content Gateway1
          vip address 61.61.61.61
          add service 10.1.1.1
          add service 10.1.1.2
          add service 20.1.1.2
          add service 20.1.1.1
          active
    As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
      group Gateway
        vip address 61.61.61.61
        add destination service 20.1.1.1
        add destination service 20.1.1.2
        active
    In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
    Appreciate any help.

    Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
    Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
    FROM:
    group Gateway
      vip address 61.61.61.61
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    TO:
    group Gateway
      vip address 61.61.61.61
      add destination service 10.1.1.1
      add destination service 10.1.1.2
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    Good luck!
    James
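    The return-path problem behind Charlie's CSM question (out-of-sync packets when server A is not source NATed) and James's explanation of why 'add destination service' is needed for the 20.x servers, as an added Python example that is not from either thread. The VIP and service addresses mirror the CSS thread above; the client address and the per-server routing tables are assumptions made for the model.

```python
"""Added example, not from either thread: why a one-arm CSS/CSM needs source
NAT for real servers that do not route their replies back through it.
VIP and service addresses follow the CSS thread; the client address and the
routing tables below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

VIP = "61.61.61.61"
CLIENT = "198.51.100.77"      # assumed client on the public side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Assumed routing. 10.1.1.1 defaults to the CSS back-end circuit; 20.1.1.1 sits
# behind another router, reaches the VIP subnet via the CSS and everything else
# (including the client) directly through a firewall.
ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "10.1.1.1": [("0.0.0.0/0", "css")],
    "20.1.1.1": [("61.61.61.0/24", "css"), ("0.0.0.0/0", "firewall")],
}


def next_hop(server: str, dst: str) -> str:
    """Longest-prefix match in the server's assumed routing table."""
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[server]]
    _, hop = max((c for c in candidates if ip in c[0]), key=lambda c: c[0].prefixlen)
    return hop


def css_forward(pkt: Packet, real: str, source_nat: bool) -> Packet:
    """Content rule: dst VIP -> real.  With a group rule ('add destination service')
    the source is rewritten to the VIP as well."""
    return Packet(VIP if source_nat else pkt.src, real)


def simulate(real: str, source_nat: bool) -> Dict[str, object]:
    request = Packet(CLIENT, VIP)
    to_server = css_forward(request, real, source_nat)
    reply = Packet(to_server.dst, to_server.src)        # the server answers whoever asked
    hop = next_hop(real, reply.dst)
    if hop == "css":
        reply = Packet(request.dst, request.src)        # CSS holds the flow, undoes both NATs
    return {
        "server_sees_client_as": to_server.src,
        "reply_via": hop,
        "client_sees_from": reply.src,
        # the client expects the answer from the VIP it connected to
        "accepted": reply.src == VIP and reply.dst == CLIENT,
    }


if __name__ == "__main__":
    for real in ("10.1.1.1", "20.1.1.1"):
        for snat in (False, True):
            print(real, "source NAT" if snat else "no NAT", simulate(real, snat))
```

    Without source NAT the 20.1.1.1 reply is routed straight to the client with the real server's address as its source, so the client sees a packet for a connection it never opened and drops or resets it; with source NAT the reply is addressed to the VIP and therefore comes back through the CSS. The cost, as James notes, is that the server now sees every client as the VIP.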

  • Issues with source NAT configuration in VNMC

    Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
    ASA 1000v
    -          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
    -          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
    On ASA running ‘show route’ outputs following:
    C             10.1.1.0 255.255.255.0 is directly connected, esp-in
    C             10.147.28.0 255.255.255.0 is directly connected, management
    C             10.147.30.0 255.255.255.0 is directly connected, esp-out
    S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
    On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
    Now I want to configure the following scenarios through VNMC:
    1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
    ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
    10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
    pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
    ERROR:  interface keyword is not allowed when translated interface is any;
    2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound ssh traffic. This was working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
    ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
    ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
    Version details
    VNMC 2.0
    ASA 1000v version
    Cisco Adaptive Security Appliance Software Version 8.7(1)1
    Device Manager Version 6.7(1)
    Questions:
    -          Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above. Why am I getting the errors mentioned and how to fix them?
    -      Why is there an error on reassigning asa 1000v to the edge firewall
    -          How to enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?
    Thanks,
    Koushik

    Hello Arseny,
    How did you resolve this issue?
    We are still facing the same problem in WebI 4.1 SP5 Patch 4.
    The issue is still under SAP investigation with KBA 2131762.
    Regards,
    Mirko

  • Is it possible to source NAT health checks?

    I am source NATing the data traffic to the back-end servers using a source group, but I notice the health checks are not affected and they use the interface's physical address. The way I found out is that the service went down and the firewall was dropping the health checks. Does anyone know a way to source NAT health checks? Either that, or have them sourced from the redundant VIP address that is configured on the interface and not the "real" address. CCO and Google produced nothing... thanks!

    You can't NAT probes.
    The CSS will use its outgoing interface ip address as the source ip.
    Just make sure your firewall allows this traffic.
    Gilles.

  • ACE Source NAT

    Hi Team,
    I have the ACE implemented in routed mode. We have 2 servers and 2 users in the same VLAN.
    The 2 servers are getting load balanced. Now the other 2 (users), which are not getting load balanced, want to access the servers using the VIP for the load-balanced servers.
    Now the issue is that all the servers are in the same subnet. How should I proceed with this? Can I have a sample configuration regarding this?

    Hi,
    Here is a configuration example that may be helpful for you.
      class-map match-all SNAT
        2 match source-address 10.10.10.0 255.255.255.0
      policy-map multi-match L4
        class HTTP-SFARM
          loadbalance vip inservice
          loadbalance policy WEB-PM
          loadbalance vip icmp-reply
        class SNAT
          nat dynamic 100 vlan 31
      interface vlan 31   (server VLAN)
        ip address 10.10.10.2 255.255.255.0
        alias 10.10.10.1 255.255.255.0
        peer ip address 10.10.10.4 255.255.255.0
        mac-sticky enable
        access-group input 1
        nat-pool 100 1.1.1.100 1.1.1.100 netmask 255.255.255.255 pat
        service-policy input L4
        no shutdown
      ACE1/SP1# sh xlate
      TCP PAT from vlan31:10.10.10.10/1149 to vlan31:1.1.1.100/1025
    Regards,
    Rajesh

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
      no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
      natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
      10.200.2.100 --> 10.200.250.1   0   REAL   routed
      10.200.2.101 --> 10.200.250.1   0   REAL   routed
      10.200.2.102 --> 10.200.250.1   0   REAL   routed

  • Best practice for Source NATTING ?

    Is there a general design rule for configuring source NATing? Is it best to configure the CSS in one- or two-armed mode?
    What are the performance limitations in doing this?
    Can source NATed and non-source-NATed content rules be configured on the CSS with no impact?
    Cheers, Mike

    Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).
    The use of this type of source group is useful when setting up a one-armed configuration where client and server traffic flows through the same CSS switch. For more information read the following document.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml

  • Destination NAT and Source Nat

    Hi, my network has mobile users with notebooks, and they use a public SMTP IP address when they are out of the office. Without VPN the ASA works well, but when they come back to the office they have to change the SMTP IP back to the private one. I know that my task could be solved via the DNS service, but for some reason I have to do DNAT and SNAT on the ASA. Please answer me, is it possible? (Because the ASA has to NAT and DNAT on the same interface, Inside, and send this traffic back to Inside again.)
    Please see this picture, I drew my task there. Thanks!

    Yes, it is possible through policy NAT.
    Here is the example:
      access-list policy-nat extended permit ip host 10.1.1.20 host 5.5.5.5
      global (dmz) 2 192.168.2.2
      nat (inside) 2 access-list policy-nat
    Hope that helps.
    thanks

  • ACE One-Arm Source-NAT HTTP Header Insert

    Hello ACE Gurus,
    This is probably a dumb question, but I'm looking for info on HTTP header insert for SSL sessions. Does the HTTP header rewrite action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify it on an HTTPS session. Any input would be greatly appreciated.
    /r
    Rob

    Hi Rob,
    When using HTTPS, all the data is encrypted, including the HTTP headers.
    In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
    I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
    Regards
    Daniel
