CSS Source NAT

Hi,
I have a CSS in single-arm deployment mode. I am trying to do Exchange server load balancing, but I am facing a problem
with the source NAT. I don't want to NAT the client IP in the VIP.
The Exchange team don't want the client IP address to be NATed. They want the real client IP to appear in Exchange so that they can track the exact
user IP address for mail replying and tracking.
Please let me know if there is any way to bypass the source NAT for a specific VIP.

Hi,
I need something like that: I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1. Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure service and content.
2. Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP, not the VIP, and that makes them fail.
Q2: Where is the problem?

Similar Messages

  • Source NAT for specific servers in a rule

    Hello,
    I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
    VIP address: 61.61.61.61
    Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
    Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
    Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
    service AAAA
    ip address 10.1.1.1
    active
    service BBBB
    ip address 10.1.1.2
    active
    service XXXX
    ip address 20.1.1.1
    active
    service YYYY
    ip address 20.1.1.2
    active
    owner Gateway
    content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.2
    add service 20.1.1.1
    active
    As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
    group Gateway
    vip address 61.61.61.61
    add destination service 20.1.1.1
    add destination service 20.1.1.2
    active
    In the past this configuration didn't work. We are going to try it again. Is there anything missing, and what else should we check to get it to work?
    Appreciate any help.

    Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
    Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
    FROM:
    group Gateway
      vip address 61.61.61.61
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    TO:
    group Gateway
      vip address 61.61.61.61
      add destination service 10.1.1.1
      add destination service 10.1.1.2
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    Good luck!
    James

  • Is it possible to source NAT health checks?

    I am source natting the data traffic to the back end servers using a source group but I notice the health checks are not affected and they use the interface physical address. The way I found out is the service is down and the firewall was dropping the health checks. Does anyone know a way to source nat health checks? Either that or have them source from the redundant VIP address that is configured on the interface and not the "real" address. CCO and google produced nothing... thanks!

    you can't nat probes.
    The CSS will use its outgoing interface ip address as the source ip.
    Just make sure your firewall allows this traffic.
    Gilles.

  • Dynamic Source NAT for multiple POOLS

    I am setting up Dynamic Source NAT with a few pools and access-lists to translate according to the access-list. However, when configured, some ACLs don't work at all, and the ACLs don't "match" anything. I know that the correct way would be to apply the ACL to the interface with "ip access-group <ACL-name> in/out"; however, in this case it would be impossible to apply more than one ACL with the ip access-group command.
    Furthermore, I have tested creating a route-map named TEST with all ACLs, but cannot create all the "ip nat inside source route-map ..." statements with the same route-map name. Also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
    All configurations attached.
    I need your help,
    Thanks in advance!

    Oh my God!! It already works fine! I hadn't thought that "log" would be painful.
    Thanks John Marshall! 
    Attach my troubleshooting:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
    tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
    tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
    Furthermore, we can check that the rotary option also works:
    "INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:57238 10.55.0.1:57238   4.2.2.2:22         4.2.2.2:22
    tcp 195.77.205.33:16393 10.55.1.1:16393   4.2.2.2:22         4.2.2.2:22"
    Thanks again!

  • When I am using firebug how do I enable editing of css source code? I can use the edit menu "find" option but cannot change the code. It won't allow that.

    I am not allowed to edit my css source code. I can open a css file
    and see all the code but when I try to change any of the text, it
    will not do it. I thought I could text edit to update css files. How do I do that?

    If your intention is to upload the changed file(s) to the server then you need to use an external editor.
    Otherwise you can look at an extension like Web Developer.
    *Web Developer: https://addons.mozilla.org/firefox/addon/web-developer/

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
    What would be the difference between nat-pools configured with different netmasks?
    What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case),
    and why?
    case1:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
    service-policy input clientvips
    no shutdown
    case2:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
    service-policy input clientvips
    no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X ------- Router --- internet
                     |
                     |-- Sfarm 1
                     |
                     |-- Sfarm 2
                     |
                     |-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • ACE router or source NAT

    Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....

    The advantage of running SNAT is that the ACE is deployed in a "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
    In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
    In routed mode the ACE acts as the server default gateway.
    Routed mode is the easier of the two to configure.

  • Issues with source NAT configuration in VNMC

    Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
    ASA 1000v
    - inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
    - outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
    On ASA running ‘show route’ outputs following:
    C             10.1.1.0 255.255.255.0 is directly connected, esp-in
    C             10.147.28.0 255.255.255.0 is directly connected, management
    C             10.147.30.0 255.255.255.0 is directly connected, esp-out
    S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
    On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
    Now I want to configure the following scenarios through VNMC:
    1. Source NAT: 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC:
    ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
    10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
    pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
    ERROR:  interface keyword is not allowed when translated interface is any;
    2. I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound ssh traffic. This was working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
    ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
    ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
    Version details
    VNMC 2.0
    ASA 1000v version
    Cisco Adaptive Security Appliance Software Version 8.7(1)1
    Device Manager Version 6.7(1)
    Questions:
    - Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above? Why am I getting the errors mentioned and how do I fix them?
    - Why is there an error on reassigning the ASA 1000v to the edge firewall?
    - How do I enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?
    Thanks,
    Koushik

    Hello Arseny,
    How did you resolve this issue?
    We are still facing the same problem in WebI 4.1 SP5 Patch 4.
    The issue is still under SAP investigation with KBA 2131762.
    Regards,
    Mirko

  • Source Nat and Destination Nat

    Is any of the above working in the ACE OR CSM module by default?
    What is an advantage of configuring destination NAT on the ACE Box?

    Hello,
    On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
    In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server to send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
    Best regards,
    Sean

  • CSS source problems, property menu vanished etc - help!

    Hi all,
    First time poster - would be grateful for your help.
    I'm creating my first site with Dreamweaver. It was all going swimmingly, and suddenly the interface seems to have changed and I can't get it back to the one I now sort of understand!
    The properties tab along the bottom is now just "code view" and doesn't contain the stuff about links etc that was there previously. Additionally, my CSS source box is empty, and clicking "add source" doesn't seem to do anything. My "main.css" file is still there in the file hierarchy box above, but I don't seem to be able to add it as a source (not sure what I did to take it away in the first place!!)
    Help!

    Thanks for getting back to me. After hours of frustration, I turned it off and on again... All working as normal now...
    Doh!

  • CSS 11050 NAT problem

    Hi, I have a problem with the NAT group intercepting connections to a PIX on the local VLAN. VLAN1 on the LB is the outside internet connection, VLAN2 is internal, at 10.0.10.0/24. The PIX IP is 10.0.10.254. If a webserver at 10.0.10.5 tries to connect to a server behind the PIX, the PIX logs a connection not from 10.0.10.5, but from the NAT group, which has an external IP address. Not only does this slow things down, but confuses the ACL config on the PIX. Any way to force devices to directly connect on the local VLAN, as one would normally expect? Thanks!

    What happens is the traffic that will use the group will need to match the source/dest configured in the ACL, but more importantly, the VLAN you apply to the ACL itself will determine what traffic is even looked at in the ACL itself. So if you apply vlan1 to the ACL, then only traffic coming into the CSS via VLAN1 will use the acl (assuming it matches the clause criteria configured).
    By using the ACL approach, you could put those ip addresses you want to NAT in the first clauses, and then leave out the ones you do not want to NAT. If there is no ACL match, then there will be no NAT.
    Instead of specifying all the ip addreses in separate ACLs, you can use the subnet mask to create a range of addresses.
    Hope this helps. I do agree that this can be a bit of a maintenance challenge having to do this, but I'm not sure any other option exists unless there is something different about the way you have your source groups configured.
    Regards
    Pete..

  • CSS and NAT problems (easy one?)

    Hi,
    I am trying the simplest of configurations, attempting to Load-Balance traffic using two servers and a single CSS. I am using "Routed" mode, but am experiencing problems with NAT. I am new to the world of CSSs.
    I have two servers that have the VIP 80.80.80.230. All traffic is initiated from the client side (public) and talks to this VIP address. All RETURN traffic must be NATed (by the CSS) with this VIP address. I would expect:
    CLIENT (PUBLIC) -----> 80.80.80.230 (SERVER-VIP)
    CLIENT (PUBLIC) <----- 80.80.80.230 (SERVER-VIP)
    However, this configuration does not seem to work for me. When I sniff, I see the return traffic is NOT being NATed. I see the following:
    CLIENT (PUBLIC) ----------------------> 80.80.80.230
    CLIENT (PUBLIC) <----------------------10.10.10.2
    Here is my config:
    ip route 0.0.0.0 0.0.0.0 80.80.80.225 1
    !************************* INTERFACE *************************
    interface e2
    bridge vlan 2
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 80.80.80.227 255.255.255.240
    circuit VLAN2
    ip address 10.10.10.1 255.255.255.0
    !************************** SERVICE **************************
    service server1
    ip address 10.10.10.2
    port 5060
    active
    service server2
    ip address 10.10.10.3
    port 5060
    !*************************** OWNER
    owner me
    content lbal
    port 5060
    protocol udp
    vip address 80.80.80.230
    add service server1
    add service server2
    application sip
    active
    !*************************** GROUP
    group clients-group
    vip address 80.80.80.230
    add service server1
    add service server2
    active
    CSS11501 /Version 7.4
    I have tried this config with and without the NAT Group (clients-group) but to no avail.
    Please, please can someone stop me from going crazy with this. Any help really appreciated.
    Grazie !
    Matt

    Hi Matt,
    On the group use "add destination service" instead of "add service". That will do source NATing of traffic hitting the VIP.
    Looks like this:
    group clients-group
    vip address 80.80.80.230
    add destination service server1
    add destination service server2
    active
    Diego
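    As an added example (not code from the thread or from Cisco), here is a small Python linter for the two group-rule mistakes raised in this thread and in the Gateway thread above: a group that uses "add service" where client traffic hitting the VIP must be source NATed, and a group whose destination services do not cover every service of the content rule sharing its VIP. The config text is constructed from Matt's post and Diego's fix.

```python
"""Lint a CSS 11500-series source group against its content rule.
Added example, not code from the thread or from Cisco; the config text is
constructed from Matt's post. Two findings are checked: a group using
'add service' where VIP traffic must be source NATed, and a group whose
destination services miss a service of the content rule sharing its VIP."""
import re

CONTENT_RULE = """\
owner me
  content lbal
    vip address 80.80.80.230
    add service server1
    add service server2
    active
"""
BROKEN_GROUP = """\
group clients-group
  vip address 80.80.80.230
  add service server1
  add service server2
  active
"""
# Diego's fix: 'add destination service' for each service of the content rule.
FIXED_GROUP = BROKEN_GROUP.replace("add service", "add destination service")

BLOCK_RE = re.compile(r"^(service|content|group)\s+(\S+)$")

def parse_blocks(text):
    """Return [(kind, name, [body lines])] for service/content/group blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            blocks.append((m.group(1), m.group(2), []))
        elif blocks and line and not line.startswith("owner "):
            blocks[-1][2].append(line)
    return blocks

def _vip(lines):
    return next((l.split()[2] for l in lines if l.startswith("vip address ")), None)

def _names(lines, prefix):
    """Service names following a command prefix such as 'add service '."""
    return {l[len(prefix):].strip() for l in lines if l.startswith(prefix)}

def lint_source_groups(text):
    """Return a list of findings; an empty list means the groups look right."""
    blocks = parse_blocks(text)
    contents = [(n, _vip(ls), _names(ls, "add service "))
                for k, n, ls in blocks if k == "content"]
    findings = []
    for kind, name, lines in blocks:
        if kind != "group":
            continue
        dest = _names(lines, "add destination service ")
        if _names(lines, "add service ") and not dest:
            findings.append(f"group {name}: 'add service' only NATs server-initiated "
                            "flows; use 'add destination service' for VIP traffic")
        for cname, cvip, cservices in contents:
            missing = cservices - dest
            if cvip == _vip(lines) and missing:
                findings.append(f"group {name}: services of content {cname} not "
                                f"covered as destination services: {sorted(missing)}")
    return findings
```

    Running lint_source_groups(CONTENT_RULE + BROKEN_GROUP) reports both findings, while CONTENT_RULE + FIXED_GROUP reports none.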

  • Best practice for Source NATTING ?

    Is there a general design rule for configuring source NATing? Is it best to configure the CSS in one/two-armed mode?
    What are the performance limitations in doing this?
    Can source NATed and non-source NATed content rules be configured on the CSS with no impact?
    Cheers, Mike

    Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).
    The use of this type of source group is useful when setting up a one-armed configuration where client and server traffic flows through the same CSS switch. For more information read the following document.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml

  • Rendering erratic, script and css source visible

    Hi,
    Safari has been rendering quite badly for a few days. Javascript code and CSS statements are visible and div positioning is completely lost.
    I have the same problem in mail with html messages.
    Can someone help ?
    Thanks
    PS: Firefox is working well.

    the problem is not the CSS but really the design.
    If you configure the CSS to act transparently, the server will try to respond to the client directly.
    If the CSS can't intercept the response, the client will receive a SYN/ACK from the server while expecting a SYN/ACK from the VIP.
    So, the only way to have the CSS work transparently is to guarantee that the response from the server will go through the CSS.
    3 solutions:
    - client NAT, and therefore you break transparency
    - move the CSS in front of the servers
    - use policy routing to intercept the server traffic and redirect it to the CSS.
    You have option #1.
    Option #3 is not possible with a firewall, so you are left with option #2.
    Gilles.
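    As an added example (not from the thread), the following Python model walks one client request through the destination NAT Sean describes and the return paths Gilles lists: routed mode where the CSS is inline, source NAT where the reply is addressed to the VIP, and one-arm without source NAT, where the server answers directly and the client sees the real address, as in Matt's capture above. The addresses are constructed; the client address is from TEST-NET-1.

```python
"""Model a load balancer's destination NAT and the three return paths.
Added example, not code from the thread; addresses are constructed and
mirror Matt's capture (VIP 80.80.80.230, real servers 10.10.10.2/.3)."""
from dataclasses import dataclass

VIP = "80.80.80.230"
CLIENT = "192.0.2.10"               # constructed client address (TEST-NET-1)
REALS = ["10.10.10.2", "10.10.10.3"]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class LoadBalancer:
    def __init__(self, vip, reals, source_nat):
        self.vip, self.reals, self.source_nat = vip, list(reals), source_nat
        self.flows = {}    # (real server, src seen by server) -> real client
        self.rr = 0        # round-robin pointer

    def forward(self, pkt):
        """Client -> VIP: choose a real server and rewrite the destination."""
        if pkt.dst != self.vip:
            return pkt     # not for the VIP, passed through untouched
        real = self.reals[self.rr % len(self.reals)]
        self.rr += 1
        src = self.vip if self.source_nat else pkt.src   # source NAT (group rule)
        self.flows[(real, src)] = pkt.src
        return Packet(src=src, dst=real)

    def reverse(self, pkt):
        """Server -> client: translate back only if the flow is known."""
        client = self.flows.get((pkt.src, pkt.dst))
        return pkt if client is None else Packet(src=self.vip, dst=client)

def server_reply(pkt):
    """The real server answers whoever it believes it is talking to."""
    return Packet(src=pkt.dst, dst=pkt.src)

def exchange(source_nat, inline):
    """Return (reply as the client sees it, whether it comes from the VIP).

    inline=True models routed mode, where the CSS is the servers' gateway.
    With source NAT the reply is addressed to the VIP, so it reaches the
    CSS in any topology; without it, a one-arm CSS never sees the reply and
    the client receives a SYN/ACK from a real address it never contacted.
    """
    lb = LoadBalancer(VIP, REALS, source_nat)
    to_server = lb.forward(Packet(src=CLIENT, dst=VIP))
    reply = server_reply(to_server)
    if source_nat or inline:
        reply = lb.reverse(reply)
    return reply, reply.src == VIP
```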

  • CSS 11501: NAT all ports?

    Hi, I have just a little experience with a CSS 11501, so this may be a dumb question.
    I created a service and content rule for a FTP server behind the CSS.
    This works fine, the public address is translated to the private address etc.
    But what i really would like is to NAT ALL requests for this public address to the private address, so not just FTP but also Remote Desktop (port 3389) etc.
    How can i accomplish this?

    be careful that ftp uses data connections.
    By specifying the protocol and port you helped the CSS understand it was ftp traffic and therefore monitor the control session to find data sessions and do NATing accordingly.
    So, instead of removing protocol and port, I would recommend creating a 2nd content rule with the same vip and the same service but no protocol or port.
    The first rule will handle ftp.
    The 2nd rule will handle the rest.
    Regards,
    Gilles.
