NAT on CSM

hi,
I just couldn't find good documentation on when we need NAT in our CSM configuration. Can anyone explain or provide a link please?
thx a lot.

There are 2 types of NATting:
client NAT and server NAT.
You will normally do server NAT unless all your servers share 1 loopback IP address.
In this case, you use this loopback IP address as the vserver address and you don't do NAT.
Otherwise you need server NAT so the IP address of the server is used when forwarding the traffic.
Client NAT is used when you want to hide the client IP or when you want to make sure the response from the server will be sent to the CSM.
Most people do not use client NAT.
Gilles.

Similar Messages

  • Help with dynamic NAT and CSM 4.4 and ASA 8.3

    Hello
    I am currently trying to add a dynamic NAT rule in CSM 4.4 for an ASA 8.3 device, but it fails at deployment with the error message:
    Failed to generate delta config
    The following commands have not been recognized by the Configuration Parser:
    ==========================
    (inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
    So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
    How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
    Traffic comes from inside and has to leave the outside with the changed source IP.
    I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
    Thanks
    Patrick

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports, but some comments -
    1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
    3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
    ip access-list extended PBX_SUBNET
     permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon
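The wildcard-mask point in the answer above is easy to get backwards, so here is an added example (not part of the thread, and not Cisco's code) that applies Cisco ACL matching semantics in Python: a wildcard bit of 1 means "don't care", a 0 means "must match". It takes the `PBX_SUBNET` entry from the answer and compares it with a constructed variant whose last octet is 0, showing that the latter matches only the single host 10.1.1.0.

```python
import ipaddress


def prefix_to_wildcard(prefix_len: int) -> str:
    """Return the Cisco wildcard mask for a prefix length.

    A wildcard is the bitwise inverse of the subnet mask:
    /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255.
    """
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco ACL matching: only the bits the wildcard leaves as 0 are compared."""
    fixed_bits = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    ip_bits = int(ipaddress.IPv4Address(ip))
    base_bits = int(ipaddress.IPv4Address(base))
    return (ip_bits & fixed_bits) == (base_bits & fixed_bits)


def acl_permits(ip: str, entries) -> bool:
    """Evaluate a source-address ACL: first matching entry wins, implicit deny at the end.

    entries is a list of (action, base, wildcard) tuples.
    """
    for action, base, wildcard in entries:
        if wildcard_match(ip, base, wildcard):
            return action == "permit"
    return False


# The corrected entry from the answer above (source side only; the 'any' destination is omitted).
PBX_SUBNET_CORRECT = [("permit", "10.1.1.0", "0.0.0.255")]
# Constructed comparison: with a 0.0.0.0 wildcard the entry is a single-host match.
PBX_SUBNET_HOST_ONLY = [("permit", "10.1.1.0", "0.0.0.0")]

# Constructed sample hosts: three in the PBX subnet, one (from the thread) outside it.
SAMPLE_HOSTS = ["10.1.1.0", "10.1.1.25", "10.1.1.254", "10.18.21.2"]


def which_hosts_match(entries, hosts):
    """Return the subset of hosts the ACL permits, preserving input order."""
    return [h for h in hosts if acl_permits(h, entries)]


if __name__ == "__main__":
    print("wildcard for /24:", prefix_to_wildcard(24))
    print("correct ACL permits:", which_hosts_match(PBX_SUBNET_CORRECT, SAMPLE_HOSTS))
    print("host-only ACL permits:", which_hosts_match(PBX_SUBNET_HOST_ONLY, SAMPLE_HOSTS))
```

The same `wildcard_match` works for any base/wildcard pair, including non-contiguous wildcards such as `0.0.255.0`, which the Cisco parser also accepts.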

  • Client nat in csm?

    In CSM, we need client NAT.
    I have a question about client NAT.
    Is client NAT PAT or NAT?
    If it is PAT, is it operated with a rotary type?
    If client NAT is just NAT, we have a problem.

    The PAT range for a vserver with the FTP service setting is 1025-8192.
    For others, the PAT range is 8193-65535.
    It starts at 8193 and increments.
    PAT is always on.
    Gilles.

  • CSM connection stats missing?

    Hi
    I have a policy-map to insert an IP address into the HTTP header. I am also binding this to a sticky group using the source IP address (see policy ICHAIN1-INSERT).
    When I initiate a connection within the policy, although the connection is successful, when I try to view the connection stats (show mod csm 3 conns) my client is not listed in the connection table.
    When I remove the "sticky-group 10" command and then show the connection table, I see my client listed.
    Is this normal behaviour?
    Also, when I issue the show sticky command the real IPs are garbled as shown:
    10 ip 143.52.208.19 D^OI^TD^Z^P!KP 65282
    10 ip 10.6.1.14 P2^hD^Z^D^B*^X 79985
    Config:
    module ContentSwitchingModule 2
     ft group 1 vlan 107
      priority 20 alt 10
      preempt
     vlan 105 client
      ip address 10.14.105.6 255.255.255.0
      gateway 10.14.105.1
     natpool CSM-PR1-USERS 10.14.105.10 10.14.105.18 netmask 255.255.255.0
     probe ICHAIN-HTTP1 tcp
      interval 10
      failed 60
      port 80
     probe ZEN-APPS1-PRB tcp
      interval 10
      failed 60
      port 524
     probe ZEN-LDAP1-PRB tcp
      interval 10
      failed 60
      port 636
     probe ZEN-SERVER1-PRB tcp
      interval 10
      failed 60
      port 524
     map ICHAIN1-X-FOR header
      insert protocol http header X-Forwarded-For header-value %is
     real BONG
      address 143.52.2.120
      inservice
     real HUORN
      address 10.11.33.44
      inservice
     real ICHAIN101
      address 10.14.72.21
      inservice
     real ICHAIN202
      address 10.14.72.70
      inservice
     real JOSHUA
      address 143.52.2.121
      inservice
     real KARAKA
      address 143.52.2.42
      inservice
     real KARO
      address 10.11.33.30
      inservice
     real PATE
      address 10.11.33.32
      inservice
     serverfarm ICHAIN-BB1
      nat server
      nat client CSM-PR1-USERS
      predictor leastconns
      real name ICHAIN1
       inservice
      real name ICHAIN2
       inservice
      probe ICHAIN-HTTP1
     serverfarm ZEN-APPS1
      nat server
      nat client CSM-PR1-USERS
      predictor leastconns
      real name BONG
       inservice
      real name JOSHUA
       inservice
      real name KARO
       inservice
      real name PATE
       inservice
      probe ZEN-APPS1-PRB
     serverfarm ZEN-LDAP1
      nat server
      nat client CSM-PR1-USERS
      predictor leastconns
      real name HUORN
       inservice
      real name KARAKA
       inservice
      probe ZEN-LDAP1-PRB
     serverfarm ZEN-SERVER1
      nat server
      nat client CSM-PR1-USERS
      predictor leastconns
      real name HUORN
       inservice
      real name KARAKA
       inservice
      probe ZEN-SERVER1-PRB
     sticky 10 netmask 255.255.255.255 timeout 2880
     policy ICHAIN1-INSERT
      header-map ICHAIN1-X-FOR
      sticky-group 10
      serverfarm ICHAIN-BB1
     vserver VIP-ICHAIN1
      virtual 10.14.105.20 tcp www
      serverfarm ICHAIN-BB1
      sticky 2880 group 10
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      slb-policy ICHAIN1-INSERT
      inservice
     vserver VIP-ICHAIN1-SSL
      virtual 10.14.105.20 tcp https
      serverfarm ICHAIN-BB1
      sticky 1440 group 10
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
     vserver ZEN-APPS1-VIP
      virtual 10.14.105.21 tcp 0
      serverfarm ZEN-APPS1
      replicate csrp connection
      persistent rebalance
      inservice
     vserver ZEN-LDAP1-VIP
      virtual 10.14.105.22 tcp 0
      serverfarm ZEN-LDAP1
      replicate csrp connection
      persistent rebalance
      inservice
     vserver ZEN-SERVER1-VIP
      virtual 10.14.105.23 tcp 0
      serverfarm ZEN-SERVER1
      replicate csrp connection
      persistent rebalance
      inservice
    Many Thanks
    Scott

    Hello, I have the same problem running CSM Ver 4.1(7).
    Showing connection stats with either of
    show module csm 4 conn
    show module csm 4 real
    does not show any connections, nor does it matter if I specify vserver, client or detail as the options.
    I am using cookie-based sticky and the show mod csm 4 sticky command seems to give correct info, so that is not an issue for me.

  • CSM Modules and Server availability project

    I have 2 geographically separated sites: site A is the main office and site B is the disaster recovery office. These 2 sites are connected by a high speed Layer 3 link (10Gb). The goal is to have duplicate servers available in site B in the event of partial server failure in site A or even complete failure of site A. Can I accomplish this with the CSM modules given that these servers will be in different networks, and overall how would this configuration work? I really appreciate it.

    Are you planning to put CSMs in both data centers or in a single data center?
    If the CSM will be at one site (site A) only, then
    you need to use source NAT on the CSM (assumption: it's in site A) to make sure that the return traffic from servers in "site B"
    can go back to the client through the CSM at "site A".
    If both data centers will have their own CSM modules then the best approach is to use GSS or any geo-redundant setup that can check the load/health/availability/proximity of the VIPs (virtual IPs configured on each CSM) in each data center and direct the clients intelligently to the appropriate data center.
    Syed Iftekhar Ahmed

  • Combination bridged mode routed mode CSM

    We run an active/standby pair of
    CSM with SSL WS-X6066-SLB-S-K9.
    Currently we have our real servers in 2 VLANs: 116 and 117. Our VIPs are mostly in the client VLAN 119. Load balancing works fine.
    We now want to load balance between real servers in the 116 VLAN. So far we have been unsuccessful in getting it working. I suspect this is because we essentially require a configuration that combines routed with bridged mode.
    Has anyone been able to configure such a setup? Is it possible at all?

    This type of topology is not 'bridged mode'.
    When you have the source and destination of the load-balancing process in the same subnet (in your topology vlan116) you need to use source NAT (client NAT in CSM terminology).
    Let me explain it:
    1. The client (srcIP-vlan116) sends a request to the VIP (VIP-vlan116).
    2. The CSM processes (modifies) the request and sends it to dstIP-vlan116 (the src IP is srcIP-vlan116) (*).
    3. The server receives the request. It will respond to srcIP-vlan116 and the response is not delivered through the CSM, but directly. TCP communication is not possible, because the client's request was modified on the CSM.
    * When the CSM modifies the source IP, for example to one of the CSM's IP addresses, the response from the server is always sent to the CSM and not directly.
    Martin
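Martin's three steps, and the "return traffic must not bypass the CSM" point in the first answer of the thread, can be made concrete with a small packet-flow model. This is an added example, not code from the thread or from Cisco; all addresses are constructed for a single VLAN in which client, VIP, real servers and the CSM's client-NAT address all live, and the model deliberately reduces the CSM to source rewriting plus a flow table. It runs the SYN/SYN-ACK exchange once without and once with client NAT, and reports whether the client's TCP stack would accept the reply.

```python
from dataclasses import dataclass

# Constructed addresses: everything sits in the same VLAN, as in the vlan116 scenario above.
CLIENT_IP = "10.116.0.50"
VIP = "10.116.0.10"
REAL_IPS = ["10.116.0.21", "10.116.0.22"]
NAT_POOL_IP = "10.116.0.250"   # a CSM-owned address, as a 'natpool' entry would provide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str   # "SYN" from the client, "SYN-ACK" from the real server


class Client:
    """A TCP client whose connection state is keyed on (peer = VIP, local = its own IP)."""

    def __init__(self):
        self.expected = None

    def send_syn(self) -> Packet:
        self.expected = (VIP, CLIENT_IP)
        return Packet(CLIENT_IP, VIP, "SYN")

    def accept(self, pkt: Packet) -> bool:
        # A SYN-ACK from any source other than the VIP does not match the half-open socket.
        return pkt.flag == "SYN-ACK" and (pkt.src, pkt.dst) == self.expected


class Csm:
    """Minimal CSM model: 'nat server' rewrites the destination to a real, 'nat client' rewrites the source."""

    def __init__(self, client_nat: bool):
        self.client_nat = client_nat
        self.flows = {}   # (source as sent to real, real) -> (client, vip), needed to undo the rewrite
        self.round_robin = 0

    def owned_addresses(self):
        return {VIP, NAT_POOL_IP}

    def forward(self, pkt: Packet) -> Packet:
        real = REAL_IPS[self.round_robin % len(REAL_IPS)]
        self.round_robin += 1
        src = NAT_POOL_IP if self.client_nat else pkt.src
        self.flows[(src, real)] = (pkt.src, pkt.dst)
        return Packet(src, real, pkt.flag)

    def reverse(self, pkt: Packet) -> Packet:
        client, vip = self.flows[(pkt.dst, pkt.src)]
        return Packet(vip, client, pkt.flag)


def server_reply(pkt: Packet) -> Packet:
    """A real server answers the source address it saw; it knows nothing about the VIP."""
    return Packet(pkt.dst, pkt.src, "SYN-ACK")


def simulate(client_nat: bool):
    """Run one SYN/SYN-ACK exchange; return (handshake_ok, trace of (hop, packet))."""
    client, csm = Client(), Csm(client_nat)
    trace = []
    syn = client.send_syn()                       # 1. client -> VIP (the CSM owns the VIP)
    trace.append(("client->csm", syn))
    forwarded = csm.forward(syn)                  # 2. CSM -> real; source rewritten only with client NAT
    trace.append(("csm->real", forwarded))
    reply = server_reply(forwarded)               # 3. real -> whatever source it saw
    trace.append(("real->", reply))
    # Same VLAN: the reply goes straight to whoever owns the destination address.
    if reply.dst in csm.owned_addresses():
        reply = csm.reverse(reply)                # 3b. only with client NAT does the CSM see the reply
        trace.append(("csm->client", reply))
    return client.accept(reply), trace


if __name__ == "__main__":
    for mode in (False, True):
        ok, trace = simulate(client_nat=mode)
        print(f"client NAT {'on ' if mode else 'off'}: handshake {'completes' if ok else 'fails'}")
        for hop, pkt in trace:
            print(f"   {hop:<13} {pkt.flag:<8} {pkt.src} -> {pkt.dst}")
```

The model also covers the other two return-path methods mentioned later in the thread (default gateway on the real, or PBR) in spirit: each of them makes the server's reply arrive at the CSM instead of at the client, which is exactly the `reply.dst in csm.owned_addresses()` branch above.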

  • CSM Loadbalancing multiple server VLANs

    Is it possible to load balance servers located in multiple VLANs using the CSM? I have a need to load balance sites that may be located in different VLANs/subnets, but I am unable to consolidate them into a single subnet.

    It's possible.
    Just make sure that return traffic from the real servers does not bypass the CSM.
    This can be achieved by using one of the following three methods.
    1. By configuring CSM's server Vlan IP as the Default Gateway on Real Servers.
    Or
    2. Using Source NAT on CSM.
    Or
    3. Using PBR
    HTH
    Syed Iftekhar Ahmed

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT pools, for which the configuration guide is a little scant on information.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool?
    I hope this makes sense!
    thanks
    Sheldon

    The CSM does PAT by default.
    Gilles.
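To show what "PAT is always on" means for pool sizing (the port ranges quoted in the "Client nat in csm?" answer above, and the 16-address POOL1 from this question), here is an added model of a client NAT pool. It is not CSM code and not from either poster; the port ranges come from the thread, while the fill order (lowest address first, ports incrementing from the start of the range and wrapping) is an assumption of the model.

```python
import ipaddress

# Port ranges as stated in the thread: FTP vservers use 1025-8192, everything else 8193-65535.
FTP_RANGE = (1025, 8192)
DEFAULT_RANGE = (8193, 65535)


class ClientNatPool:
    """Model of a CSM 'natpool' with PAT always on.

    Every pool address is reused with a distinct source port per translation, so the
    number of concurrent sessions is bounded by addresses * ports, not by addresses.
    Fill order (first address first, ports incrementing) is an assumption of this model.
    """

    def __init__(self, name: str, first: str, last: str):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError("natpool: last address precedes first address")
        self.name = name
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.in_use = set()     # (address, port) pairs currently translated
        self.next_port = {}     # (address, range_start) -> next candidate port

    def capacity(self, ftp: bool = False) -> int:
        """Maximum concurrent translations for one service class."""
        start, end = FTP_RANGE if ftp else DEFAULT_RANGE
        return len(self.addresses) * (end - start + 1)

    def allocate(self, ftp: bool = False):
        """Return (address, port) for a new session, or None when the pool is exhausted."""
        start, end = FTP_RANGE if ftp else DEFAULT_RANGE
        span = end - start + 1
        for addr in self.addresses:
            key = (addr, start)
            cursor = self.next_port.get(key, start)
            for i in range(span):   # scan the range at most once, wrapping around
                port = start + (cursor - start + i) % span
                if (addr, port) not in self.in_use:
                    self.in_use.add((addr, port))
                    self.next_port[key] = start + (port - start + 1) % span
                    return addr, port
        return None

    def release(self, addr: str, port: int) -> None:
        """Free a translation (session closed or idle-timed out)."""
        self.in_use.discard((addr, port))


def addresses_used(pool: ClientNatPool, sessions: int, ftp: bool = False):
    """Allocate `sessions` translations and report how many distinct pool addresses were needed."""
    used = set()
    for _ in range(sessions):
        entry = pool.allocate(ftp=ftp)
        if entry is None:
            break
        used.add(entry[0])
    return len(used), len(pool.in_use)


if __name__ == "__main__":
    # The 16-address pool from the question above.
    pool1 = ClientNatPool("POOL1", "10.1.5.0", "10.1.5.15")
    print("POOL1 capacity (non-FTP):", pool1.capacity())
    print("addresses used / sessions for 1000 sessions:", addresses_used(pool1, 1000))
```

With 16 addresses and 57,343 ports each, the pool holds 917,488 non-FTP translations; the count of addresses matters for how many translations time out before a port is reused, not for whether the 17th session gets through.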

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Nat pool in CSM

    Hi,
    Can we use the same NAT pool for 2 different server farms in CSM? Does it work, or will it create any issue?
    (For E.g)
    natpool XYZ 10.0.0.63 10.0.0.63 netmask 255.255.255.128
    serverfarm ABC
     nat server
     nat client XYZ
     real name Real1
      health probe TCP-3139
      inservice
     real name Real2
      health probe TCP-3139
      inservice
    serverfarm QAZ
     nat server
     nat client XYZ
     real name Real1
      health probe HTTP-7779
      inservice
     real name Real2
      health probe HTTP-7779
      inservice

    Hi,
    Yes, it's perfectly fine to use the same nat pool.
    Regards
    Daniel

  • CSM nat client sample config

    Hi
    We have one pair of CSMs configured in bridge mode.
    The user wants the servers to be able to access the VIP also.
    I understand one solution is to use NAT client.
    Has anyone got a working config of NAT client for bridge mode?
    Thanks!

    natpool ....
    serverfarm from-server2server
     nat server
     nat client
     real x.x.x.x
      ins
     real x.x.x.x
      ins
    vserver from-server2server
     vip x.x.x.x tcp
     vlan
     serverfarm from-server2server
     ins
    That's it.
    Any question, let me know.
    Regards,
    Gilles.
    Thanks for rating this answer.

  • CSM Source NAT

    Is there a way to NAT a server-initiated connection based upon destination, similar to what's possible using a source group in a CSS? What I'd like to do is NAT a server-initiated connection to the virtual IP when the server is connecting to the internet, but bypass NAT when the connection is to an internal network.

    Make a vserver to catch the internal traffic and use a predictor forward serverfarm with no client NAT and no server NAT.
    Make another vserver to catch all traffic from the server VLAN and use a predictor forward serverfarm with client NAT enabled.
    Gilles.

  • CSCut55025 - CSM 4.8 - Error loading page NAT - Address Pools

    We did experience this bug and have reverted back to 4.7.  I've been told by TAC that it is scheduled to be fixed in 4.9.

    Hi,
    You can try this packet-tracer:
    packet-tracer input outside udp <External Source IP on the internet> 45657 <Outside interface IP> 43139 det
    For the captures, you just need to verify that the ASA device is passing the traffic through; as this is UDP traffic, we would not be able to find much.
    For more information on captures:
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Let me know if you have any further queries.
    Thanks and Regards,
    Vibhor Amrodia

  • RPC Load Balancing on CSM and SSL

    We are load-balancing SSL successfully but the Exchange people want to use RPC to access
    mailboxes using CSM.
    We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

    Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
    serverfarm EXCH-CAS
     nat server
     no nat client
     real x.x.248.100
      inservice
     real x.x.248.101
      inservice
     probe EXCH-CAS
    serverfarm EXCH-CAS-SSL
     nat server
     no nat client
     real x.x.254.60
      inservice
     real x.x.254.61
      inservice
     probe SSL-FARM
    ! vserver EXCH-CAS
     virtual x.x.254.154 tcp www
     vlan 460
     serverfarm EXCH-CAS
     sticky 1440 group 152
     replicate csrp sticky
     replicate csrp connection
     persistent rebalance
     inservice
    vserver EXCH-CAS-S
     virtual x.x.214.139 tcp https
     vlan 400
     serverfarm EXCH-CAS-SSL
     sticky 5 group 252
     replicate csrp sticky
     replicate csrp connection
     persistent rebalance
     inservice
    vserver EXCH-CAS-TEST-S
     virtual x.x.214.139 tcp 0
     vlan 400
     serverfarm EXCH-CAS
     sticky 5 group 252
     replicate csrp sticky
     replicate csrp connection
     persistent rebalance
     inservice
    Thanks,
    Mohamad

  • Fault Tolerance not working between CSMs

    I have two CSM modules in two different switches (bridge mode) configured for high availability. After noticing one of the CSM modules was in failed mode, I reset the module. While the module reboots I get the following messages:
    %CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down
    %CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: ARP frame from 170.41.228.10 with MAC 00:01:64:f9:1a:07 received on VLAN 2.
    With both online a "show mod csm 3 ft" shows both modules active.
    I can no longer access the real servers.
    When I remove the module that I reset (Primary) I can access the servers using the backup CSM.
    When I remove the backup CSM and insert the Primary, I cannot access the servers once again.
    The FT VLAN is VLAN 7, configured on both switches, and is the only allowed VLAN on the trunk.
    The config for the Primary CSM is:
    redundancy
     mode sso
     main-cpu
      auto-sync running-config
    spanning-tree mode pvst
    module ContentSwitchingModule 3
     ft group 7 vlan 7
      priority 30
      preempt
     vlan 2 client
      ip address 170.41.228.20 255.255.255.192
      gateway 170.41.228.1
     vlan 8 server
      ip address 170.41.228.20 255.255.255.192
     probe CARMENWEBPROBE tcp
      interval 10
      failed 100
     probe HTTPS tcp
      interval 10
      failed 100
      port 443
     serverfarm CARMENWEBFARM
      nat server
      no nat client
      real 170.41.228.15
       inservice
      real 170.41.228.16
       inservice
      probe HTTPS
     vserver CARMENVSERVER
      virtual 170.41.228.10 tcp 0
      serverfarm CARMENWEBFARM
      persistent rebalance
      inservice
    Trunk for VLAN 7 config:
    interface GigabitEthernet4/2
     switchport
     switchport trunk encapsulation isl
     switchport trunk allowed vlan 7
     switchport mode trunk
     no ip address
     logging event link-status
     logging event spanning-tree status
     logging event trunk-status
    Has anyone had this problem?
    Thanks, Donald

    The plan is to take a working CSM from a DR site with the same config to try in place of the non-working active one. I did not want to risk taking the working standby and moving it and possibly having an outage at this time, since this is a production switch being heavily utilized at the moment. I wanted to verify there was not something in the config that was not configured properly.
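The two syslog messages in the post above are the signal a monitoring system should correlate: the FT peer going silent, followed by the module's own VIP being announced in ARP from another MAC, is what a dual-active pair looks like from one side. The following is an added detection example, not code from the thread or from Cisco: it parses those two `%CSM_SLB-4-*` message formats as they appear in the post, with the log lines below constructed from them, and the set of MAC addresses the local module owns is a placeholder the operator would fill in.

```python
import re

# Message formats copied from the post above; a syslog timestamp prefix is tolerated via search().
ARP_CONFLICT_RE = re.compile(
    r"%CSM_SLB-4-TOPOLOGY: Module (?P<module>\d+) warning: IP address conflict: "
    r"ARP frame from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"with MAC (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"received on VLAN (?P<vlan>\d+)"
)
FT_WARN_RE = re.compile(
    r"%CSM_SLB-4-REDUNDANCY_WARN: Module (?P<module>\d+) FT warning: (?P<detail>.+)"
)


def parse_line(line: str):
    """Return a dict describing the event, or None for lines this detector ignores."""
    m = ARP_CONFLICT_RE.search(line)
    if m:
        return {"kind": "arp_conflict", "module": int(m["module"]), "ip": m["ip"],
                "mac": m["mac"].lower(), "vlan": int(m["vlan"])}
    m = FT_WARN_RE.search(line)
    if m:
        return {"kind": "ft_warning", "module": int(m["module"]),
                "detail": m["detail"].strip()}
    return None


def assess(lines, configured_vips, local_macs):
    """Correlate FT loss with ARP conflicts on configured VIPs.

    Returns a list of (severity, ip, mac, vlan) findings:
      'dual-active suspected' - peer unreachable AND a VIP seen from a MAC we do not own
      'vip conflict'          - VIP seen from a foreign MAC while FT still looks healthy
      'ft peer unreachable'   - peer lost, no VIP conflict observed (yet)
    """
    events = [e for e in (parse_line(line) for line in lines) if e]
    peer_lost = {e["module"] for e in events
                 if e["kind"] == "ft_warning" and "no ACK from standby" in e["detail"]}
    local = {m.lower() for m in local_macs}
    findings = []
    for e in events:
        if e["kind"] != "arp_conflict" or e["ip"] not in configured_vips or e["mac"] in local:
            continue
        severity = "dual-active suspected" if e["module"] in peer_lost else "vip conflict"
        findings.append((severity, e["ip"], e["mac"], e["vlan"]))
    if not findings and peer_lost:
        findings.append(("ft peer unreachable", None, None, None))
    return findings


# Constructed sample log: the two messages from the post plus an unrelated line.
SAMPLE_LOG = [
    "Mar  1 10:02:11: %CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down",
    "Mar  1 10:02:14: %CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: "
    "ARP frame from 170.41.228.10 with MAC 00:01:64:f9:1a:07 received on VLAN 2.",
    "Mar  1 10:02:15: %SYS-5-CONFIG_I: Configured from console by vty0",
]
CONFIGURED_VIPS = {"170.41.228.10"}          # from 'virtual 170.41.228.10 tcp 0' in the post
LOCAL_MACS = {"00:00:00:00:00:00"}            # PLACEHOLDER: the local module's own MAC(s)

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG, CONFIGURED_VIPS, LOCAL_MACS):
        print(finding)
```

In a collector this would run per module with the real local MACs filled in; the "dual-active suspected" verdict is the one that should page, because it matches the "both modules active" state the poster saw in `show mod csm 3 ft`.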
