Example Config ACE routed mode with NAT

Hi all,
I have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But I am having problems configuring the NAT. Can anybody show me an example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
BR
Dominik

Hi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 10.198.16.2
  inservice
rserver host SERVER_02
  ip address 10.198.16.3
  inservice
rserver host SERVER_03
  ip address 10.198.16.4
  inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 452
interface vlan 451
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 452
  description Servers vlan
  ip address 10.198.16.1 255.255.255.0
  access-group input ANYONE
  nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team
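
An offline check for the wiring shown in the reply above, added here as an example (it is not part of the original posts and not Cisco tooling). It confirms that each "nat dynamic <id> vlan <n>" in a multi-match policy has a matching "nat-pool <id>" on that interface and that the policy is bound to an interface, reports pool ranges that overlap an rserver or interface address, and lists interfaces whose input ACL is "permit ip any any". The sample is trimmed from the reply; the function names and finding codes are made up for this example.

```python
import ipaddress
import re

# Constructed sample: the reply's configuration, trimmed to the lines the check reads.
SAMPLE = """\
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 10.198.16.2
  inservice
rserver host SERVER_02
  ip address 10.198.16.3
  inservice
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 452
interface vlan 451
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 452
  ip address 10.198.16.1 255.255.255.0
  access-group input ANYONE
  nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
  no shutdown
"""


def parse(config):
    """Collect rservers, NAT references, interfaces and any-any ACL names."""
    m = {"acl_any": set(), "rservers": {}, "nat_refs": [], "ifaces": {}}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # column 0 opens a new top-level object
            kind = name = None
            if hit := re.match(r"access-list (\S+) .*\bpermit ip any any$", line):
                m["acl_any"].add(hit[1])
            elif hit := re.match(
                r"(rserver host|policy-map multi-match|interface vlan) (\S+)", line
            ):
                kind, name = hit[1].split()[0], hit[2]
                if kind == "interface":
                    m["ifaces"][name] = {"ip": None, "pools": {}, "policies": [], "acls": []}
        elif kind == "rserver" and (hit := re.match(r"ip address (\S+)$", line)):
            m["rservers"][name] = ipaddress.ip_address(hit[1])
        elif kind == "policy-map" and (hit := re.match(r"nat dynamic (\d+) vlan (\d+)", line)):
            m["nat_refs"].append((name, hit[1], hit[2]))
        elif kind == "interface":
            iface = m["ifaces"][name]
            if hit := re.match(r"ip address (\S+) (\S+)$", line):
                iface["ip"] = ipaddress.ip_interface(f"{hit[1]}/{hit[2]}").ip
            elif hit := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask", line):
                iface["pools"][hit[1]] = (
                    ipaddress.ip_address(hit[2]),
                    ipaddress.ip_address(hit[3]),
                )
            elif hit := re.match(r"service-policy input (\S+)", line):
                iface["policies"].append(hit[1])
            elif hit := re.match(r"access-group input (\S+)", line):
                iface["acls"].append(hit[1])
    return m


def audit(config):
    """Return (code, message) findings for NAT wiring and wide-open input ACLs."""
    m, out = parse(config), []
    for policy, pool, vlan in m["nat_refs"]:
        iface = m["ifaces"].get(vlan)
        if iface is None or pool not in iface["pools"]:
            out.append(("nat-pool-missing",
                        f"{policy}: no nat-pool {pool} on interface vlan {vlan}"))
            continue
        if not any(policy in i["policies"] for i in m["ifaces"].values()):
            out.append(("policy-unbound",
                        f"{policy} is not applied with service-policy input"))
        first, last = iface["pools"][pool]
        used = dict(m["rservers"])
        used.update({f"interface vlan {v}": i["ip"]
                     for v, i in m["ifaces"].items() if i["ip"]})
        for owner, addr in used.items():
            if first <= addr <= last:
                out.append(("nat-pool-collision",
                            f"nat-pool {pool} on vlan {vlan} contains {addr} ({owner})"))
    for vlan, iface in m["ifaces"].items():
        for acl in iface["acls"]:
            if acl in m["acl_any"]:
                out.append(("acl-permit-any",
                            f"vlan {vlan}: {acl} permits ip any any; "
                            "narrow it to the VIP and ports in use"))
    return out


if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(f"{code}: {message}")
```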

Similar Messages

  • ACE Routed mode - cannot see serverside network

    Hi all,
    I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the serverside VLAN only in the ACE context. Trouble is this doesn't seem to have propagated into the routing table.
    The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
    A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
    Am I missing something obvious? I've attached the config if that helps.
    Thank you
    Cathy

    I am not sure what your question is.
    Are you not seeing the VIPs in the 6500 routing table? If it's about the VIP, RHI (Route Health Injection, loadbalance vip advertise) should take care of it.
    Or do you want to see the server VLAN in the routing table of the 6500?
    If that's the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on upstream router).
    Syed Iftekhar Ahmed

  • Routing Experts please help with below LAN routing issue with NAT

    Hello Experts,
    I have a weird situation and requirement.
    The existing setup is -
    We have email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with respective port numbers of 89 & 443. We have LAN & servers on the same subnet. The internet is with public DHCP IP assigned by ISP (/29). We use Linksys router GUI for NAT settings (attached). We are using the same public IP for the server NAT & user NAT.
    We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure respective subnets. Now both user subnet and server subnet are connecting to the Internet with same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
    Please find attached short diagram and below configuration and please give your inputs to solve this.
    Cisco 3845 router
    access-list 1 permit 10.155.60.0 0.0.0.255
    access-list 2 permit 10.155.61.0 0.0.0.255
    access-list 3 permit 10.155.62.0 0.0.0.255
    ip nat inside source list 1 int g0/0 overload
    ip nat inside source list 2 int g0/0 overload
    ip nat inside source list 3 int g0/0 overload
    int g0/0
    ip add 8.8.8.8 255.255.255.248
    ip nat outside
    no shut
    int g0/1
    description Trunk-to-Switch
    no shut
    int g0/1.60
    description User vlan
    ip add 10.155.60.1 255.255.255.0
    encapsulation dot1q 60
    ip nat inside
    int g0/1.62
    description Server vlan
    ip add 10.155.62.1 255.255.255.0
    encapsulation dot1q 62
    ip nat inside
    exit
    aaa new-model
    aaa authentication login default local
    aaa authentication login vpn_xauth_ml_1 local
    aaa authentication login sslvpn local
    aaa authorization network vpn_group_ml_1 local
    aaa session-id common
    acl 120
    max-users 10
    exit
    !access-list 120 remark ==[Cisco VPN Users]==
    access-list 120 permit ip any host 192.168.0.10
    access-list 120 permit ip any host 192.168.0.11
    access-list 120 permit ip any host 192.168.0.12
    access-list 120 permit ip any host 192.168.0.13
    access-list 120 permit ip any host 192.168.0.14
    access-list 120 permit ip any host 192.168.0.15
    access-list 120 permit ip any host 192.168.0.16
    access-list 120 permit ip any host 192.168.0.17
    access-list 120 permit ip any host 192.168.0.18
    access-list 120 permit ip any host 192.168.0.19
    no access-list 100
    access-list 100 remark [Deny NAT for VPN Clients]=-
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
    access-list 100 remark
    access-list 100 remark -=[Internet NAT Service]=-
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    exit
    ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
    ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
    ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:/cme-gui-7.1.0.1
    file privilege 0
    telephony-service
    dn-webedit
    time-webedit
    transport input ssh
    line con 0
    line vty 0 15
    login local
    ntp server ntp.first2know.net
    clock timezone gmt 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    ntp update-calendar
    ntp master
    =========================================================================================================================================
    Cisco 3750 Config;
    vlan 60
    name User
    vlan 61
    name Voice
    vlan 62
    name Server
    exit
    interface g1/0/1
    description Trunk-to-Router
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast trunk
    interface vlan 60
    description User Vlan
    ip add 10.155.60.2 255.255.255.0
    interface vlan 61
    description Voice Vlan
    ip add 10.155.61.2 255.255.255.0
    interface vlan 62
    description Server Vlan
    ip add 10.155.62.2 255.255.255.0
    service dhcp
    ip dhcp pool Users
    network 10.155.60.0 255.255.255.0
    default-router 10.155.60.1
    dns server 4.2.2.2
    ip dhcp pool Voice
    network 10.155.61.0 255.255.255.0
    dns server 4.2.2.2
    exit
    ip dhcp excluded-address 10.155.60.1 10.155.60.2 10.155.60.3
    ip dhcp excluded-address 10.155.61.1 10.155.61.2
    interface range g1/0/2 - 1/0/21
    switchport mode access
    switchport access vlan 60
    switchport access vlan 61
    exit
    exit
    interface range g1/0/22 - 1/0/26
    switchport mode access
    switchport access vlan 62
    exit
    Thanks,
    Deepak

    One more thing I should clarify the route I am putting into the 10.10.1.9 server is
    route add 10.1.6.0 mask 255.255.255.0 10.10.1.250 which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 to force all traffic to 10.10.1.250.
    Thanks in advance.

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • How to configure a RV220W in normal routing mode (No NAT)

    Hi,
    I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
    C class IP network connected to the internet via a Fritzbox router. I need this router because of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse, send email but can't make a connection to an Apple fileserver which is on the base network. When I try to operate in normal routing mode I can't get it to work. I am sure I am doing something wrong with the static routes.
    Setup:
    Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
    On the 192.168.12.0/24 network the printer, fileserver and PBX are connected.
    Please help me in configuring this.
    The firmware is the latest 1.0.5.8.
    Thanks in advance!
    Peter

    Hello Peter,
    Sorry for the late reply, but I figured I would post anyway in case anyone else has this question.
    You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.
    I am only looking at an emulator, but I believe this will cause a reboot. Once in router mode NAT and the firewall are disabled, however access rules do still work.
    You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as its default gateway on its WAN interface. You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
    Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • ACE routed mode design issue

    I am configuring ACE in routing mode.
    Below is my ACE interface config.
    interface vlan 28
      description "CLIENT VLAN"
      ip address 192.168.10.11 255.255.255.248
      peer ip address 192.168.10.12 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    interface vlan 29
      description "SERVER VLAN"
      ip address 192.168.10.19 255.255.255.248
      peer ip address 192.168.10.20 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    When I configure my servers in vlan 29 and point the default gateway to 192.168.10.19 it works fine, no issues, but when this ACE goes down and the standby becomes active, my servers' default gateway will still be pointing to 192.168.10.19. Do I need to manually change it to .20,
    or can I configure HSRP? Please advise me on this.

    Hi ,
    Yes the alias should be set as gateway for the servers.
    The alias is a shared address between the peers. This address will be on the ACTIVE ace. 
    Regards
    Dan

  • ACE router or source NAT

    Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....

    The advantage of running SNAT is the ACE is deployed in a "one-arm" mode. In this deployment the advantage is the ACE does not have to process all traffic as opposed to being directly in the transit path when deployed inline (routed).
    In one arm mode you can use either PBR or SNAT for server return traffic. One arm mode also allows for direct server return but limited to L4 load balance.
    In routed mode the ACE acts as the server default gateway.
    Routed mode is the easier of the two to configure.

  • Slow file browsing in MED-V / XP Mode with NAT and DFS

    Note, for the purposes of this question, this issue is with the Windows Virtual PC / XP Mode integration portion of MED-V so is not MED-V specific.
    We are in the process of deploying hundreds of MED-V instances to Windows 7 PCs to support legacy applications until they are replaced with versions that are compatible with Windows 7.  Due to security concerns and our network infrastructure configuration,
    we are required to use "Shared Networking (NAT)" mode for the Windows XP virtual machines.  Our network drives are mapped to DFS shares.  Depending on the site and drive mappings of a user, when opening or saving a file in an application,
    it can take several minutes to browse to the target directory, even if it's not on a DFS share.  Occasionally, it takes so long that the RemoteApp window hangs and disappears, even though the application is still running in the Windows XP VM.
    Running network traces in the VM, I can see that Windows XP tries to "ping" all of the DFS targets whenever the network drives are enumerated, such as when clicking on My Computer.  It waits for responses, then eventually times out. 
    From what I understand, this is the way that Windows XP determines which DFS target link is the fastest.  Unfortunately, since vpc.exe does not run with admin rights in Windows 7, ICMP (ping sends ICMP ECHO REQUESTS) is blocked by the NAT
    between the VM and the Windows 7 host.  (This is why you cannot ping other PCs on the network from within the Windows XP VM when using NAT.)  Therefore, the long wait times happen while XP waits for the replies that never come.
    To verify that this is indeed the problem, I started vpc.exe with admin rights, then started the MED-V Workspace.  I could ping other computers now from within XP and browsing took seconds instead of minutes.  However, our users will not have admin
    rights in Windows 7 so this is not an option for them.  I also tested in bridged mode instead of Shared Networking mode with the same positive results.  However, this is also not an option in our environment.
    Any solutions or recommendations will be greatly appreciated.
    Thank you in advance,
    Victor S.
    Victor S. - Sogeti USA

    Hi,
    I would do some research on this issue.
    And I would update as soon as possible.
    If you have any feedback on our support, please click here.
    Alex Zhao
    TechNet Community Support

  • ACE routing mode design issue

    Need some assistance in configuring an application using routing mode on Cisco ACE
            clients ---asa--3750--cisco ace--- servers behind vip
                                                                |
                                                              visa card transaction servers
    I am able to set up a VIP on the ACE using routing mode. As the servers need to see the client IP, we are not performing SNAT; this part is working fine.
    When a request comes from the client, it goes to the VIP and to one of the backend servers, and the request will be forwarded back to the ACE, as the default gateway on the servers is pointing to the server VLAN on the ACE.
    But if the transaction from the servers needs to go to the Visa card transaction servers, how can we achieve this, and after fetching the data from the Visa servers, will the reply be forwarded to the ACE or to the ASAs directly?
    Or do we need to have static routes defined on the Visa servers to point to the ASA?
    Please advise me on this.

    Clint
    No, they are in a completely different network.
    When a client hits the VIP, the request goes to the ASA.
    The ASA forwards the VIP traffic to the ACE (VIP) interface, and from there it forwards the traffic to the (server VLAN) interface and to the appropriate backend servers.
    The backend server responds back to the (server VLAN) interface and the traffic is forwarded back to the ASA.
    But when a Visa card transaction needs to take place, the farm servers need to route the traffic to the Visa servers, which will be in a different subnet range.
    Do the farm servers send the request back to the ASA, and can we configure static routes on the ASA to point to the Visa servers?
    Or on the farm servers, can we have static routes for the Visa servers?
    Or can I define static routes on the ACEs for the Visa servers?

  • ACE routed mode

    Two ACE load balancers are set up as active/standby in routed mode.
    serverfarm host s1
      predictor leastconns
      probe PROBE_HTTP
      rserver app1
        inservice
      rserver app2
        inservice
    class-map match-all s1_CLASS
      2 match virtual-address 10.12.7.11 tcp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match s1_POLICY
      class class-default
        serverfarm s1
    policy-map multi-match POLICY
      class s1_CLASS
        loadbalance vip inservice
        loadbalance policy s1_POLICY
        loadbalance vip icmp-reply active
    We had one connection from a client to the app2 server.
    We performed a code upgrade on LB2 and did a switchover to make LB2 active. The client connection was still on the app2 server.
    When LB1 was upgraded and made primary, the connection was still on app2.
    But after a couple of minutes we were seeing the connection on app1 instead of app2.
    Please help me on this.

    Hi,
    What you saw is totally expected behavior.
    What happens is that the ACE will keep the connections active and they will be served until either the connection is closed by the client (by closing the browser) or times out due to inactivity. Then if you switch over to another ACE, all "NEW" connections will be handled by the new master ACE since there's no reason to send the traffic to the previous master ACE because it is no longer the Primary.
    Again, this is expected.
    Hope this helps
    Jorge

  • ACE Routed Mode - Servers

    Is it possible in a routed setup for clients to talk to the servers in the Server Farm directly? IE - Not through the VIP. IE - I want to ping the real server or access a file share, etc.
    As you know, in a routed setup, the server gateway is the ACE. It appears that when I try to talk to the server directly, the server talks back to the ACE and traffic is dropped/lost.
    I ask because our servers run many applications. I need to load balance to just one of the applications (WWW) but not to the other several apps that are running.

    Yes it is possible.
    You need to have an ACL applied to ACE that allows traffic to the real servers.
    Your upstream routers should be configured such that they route the traffic destined to the real servers to the ACE.
    Syed Iftekhar Ahmed

  • RV220W - in routing mode changes external Ip with router IP

    Good day.
    I just installed one RV220W in my network, in routing mode (not NAT), using on the WAN port the public IP 193.111.184.xxx and on the LAN side one IP from my company's public C class (212.100.143.0). It's working, but the main and huge problem is that the router is changing any IP coming from the internet to its own 212.100.143.xxx IP, which messes up everything (logs, counters, etc.).
    It was using 1.0.1.0 firmware, I switched to 1.0.0.26 but nothing changed.
    Also I have a VPN - gate to gate with another location (RV042), and all computers from the other side of the tunnel report the same router IP 212.100.143.xxx when accessing servers from my side, which also is bad.
    Previously I used an RV082 for this job and everything was great, except the 100 Mb WAN/LAN ports of the RV082, which I will use until I get the RV220W working right.
    Any idea is appreciated.
    Thank you,
    Catalin Burla

    I have changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found out the same problem. This is serious for me, for one, it completely destroys SPAM blocking with DNS blacklists.
    This is how it looked when using the linksys:
    Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]
    Apr  9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>
    This is how it looks when using the RV220W:
    Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]
    And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses I to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the  normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.
    How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long.

  • SNAT on routed mode.

    Hi,
    I have a topology where I have to set up an ACE in routed mode with two contexts: one for service provider A and one for ISP B.
    What I want to do is, when I receive a request coming from service provider A, SNAT that request to the VIP with a specific IP of the servers' LAN to hide the source IP of the client. In that way I can receive the request on the server with a local IP and the server can respond to that IP.
    In the same way I want to handle traffic on the second ISP.
    I have tried to set up the configuration in the same way it would work in one-arm mode, but it has not worked out for me.
    Is there a guide to follow, or can someone help me with this config?
    Best regards.
    best regards.

    Hi Lucas,
    Does your current NAT config look like this?
    class-map match-any ISP-1
      2 match virtual-address 20.20.20.10 tcp any
    policy-map multi-match LB
      class ISP-1
        loadbalance vip inservice
        loadbalance policy ISP
        loadbalance vip icmp-reply active
        nat dynamic 7 vlan 10
    interface vlan 10
      description Server VLAN
      ip address 10.10.10.1 255.255.255.0
      nat-pool 7 10.10.10.15 10.10.10.20 netmask 255.255.255.0 pat
      access-group input any
      access-group output any
      no shutdown
    interface vlan 20
      description ISP VLAN
      ip address 20.20.20.1 255.255.255.0
      access-group input any
      access-group output any
      service-policy input LB
      no shutdown
    Pablo

  • Question about CSM in bridge & router mode

    Hello!!
    Please help me with this question about CSM connection modes:
    We have 2 Cat6500 with a CSM inside of each (CSM1 on Cat6500_1 and CSM2 on Cat6500-2)
    The CSM1 is on bridge mode with Vlan31 for Client side and Vlan131 for Server side.
    The CSM2 is on router mode with Vlan30 for Client side an Vlan2 for Server side.
    We want to join both switches for redundancy purposes (switches and CSMs).
    We want to merge the two Client Vlans (include the logical IP segments) on a /23 mask.
    But the questions here are:
    Can we keep the original config (bridge mode and router mode) on the CSM1 (for example)
    considering this Module as active and CSM2 as standby?
    Is there any consideration to take into account in order to configure this? (Some examples...)
    Thanks in advance
    Pedro

    Yes, you can mix bridge mode and router mode and so merge the 2 configs.
    Gilles.
