NAT on CSM
hi,
I just couldn't find good documentation as to when we need NAT in our CSM configuration. Can anyone explain or provide a link please?
Thanks a lot.
There are 2 types of NATting:
client NAT and server NAT.
You will normally do server NAT unless all your servers share 1 loopback IP address.
In this case, you use this loopback IP address as the vserver address and you don't do NAT.
Otherwise you need server NAT so the IP address of the server is used when forwarding the traffic.
Client NAT is used when you want to hide the client IP or when you want to make sure the response from the server will be sent to the CSM.
Most people do not use client NAT.
Gilles.
Similar Messages
-
Help with dynamic NAT and CSM 4.4 and ASA 8.3
Hello
I am currently trying to add a dynamic NAT rule in CSM 4.4 for an ASA 8.3 device, but it fails at deployment with the error message:
Failed to generate delta config
The following commands have not been recognized by the Configuration Parser:
==========================
(inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
Traffic comes from inside and has to leave the outside with the changed source IP.
I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
Thanks
PatrickMatty
Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
ip access-list extended PBX_SUBNET
permit ip 10.1.1.0 0.0.0.255 any <-- note the last octet of the wildcard mask is 255.
Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
Jon -
In CSM, we need client NAT.
I have a question about client NAT.
Is client NAT PAT or NAT?
If it is PAT, is it operated with rotary type?
If client NAT is just NAT, we have a problem.
The PAT for the FTP service setting vserver is 1025 - 8192.
For others, the PAT range is 8193-65535.
It starts at 8193 and increments.
PAT is always on.
Gilles. -
CSM connection stats missing?
Hi
I have a policy-map to insert an IP address into the HTTP header. I am also binding this to a sticky group using the source IP address (see policy ICHAIN1-INSERT).
When I initiate a connection within the policy, although the connection is successful, when I try to view the connection stats (show mod csm 3 conns) my client is not listed in the connection table.
When I remove the "sticky-group 10" command then show the connection table, I see my client listed.
Is this normal behaviour?
Also when I issue the show sticky command the real ip's are garbled as shown:-
10 ip 143.52.208.19 D^OI^TD^Z^P!KP 65282
10 ip 10.6.1.14 P2^hD^Z^D^B*^X 79985
Config;
module ContentSwitchingModule 2
ft group 1 vlan 107
priority 20 alt 10
preempt
vlan 105 client
ip address 10.14.105.6 255.255.255.0
gateway 10.14.105.1
natpool CSM-PR1-USERS 10.14.105.10 10.14.105.18 netmask 255.255.255.0
probe ICHAIN-HTTP1 tcp
interval 10
failed 60
port 80
probe ZEN-APPS1-PRB tcp
interval 10
failed 60
port 524
probe ZEN-LDAP1-PRB tcp
interval 10
failed 60
port 636
probe ZEN-SERVER1-PRB tcp
interval 10
failed 60
port 524
map ICHAIN1-X-FOR header
insert protocol http header X-Forwarded-For header-value %is
real BONG
address 143.52.2.120
inservice
real HUORN
address 10.11.33.44
inservice
real ICHAIN101
address 10.14.72.21
inservice
real ICHAIN202
address 10.14.72.70
inservice
real JOSHUA
address 143.52.2.121
inservice
real KARAKA
address 143.52.2.42
inservice
real KARO
address 10.11.33.30
inservice
real PATE
address 10.11.33.32
inservice
serverfarm ICHAIN-BB1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name ICHAIN1
inservice
real name ICHAIN2
inservice
probe ICHAIN-HTTP1
serverfarm ZEN-APPS1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name BONG
inservice
real name JOSHUA
inservice
real name KARO
inservice
real name PATE
inservice
probe ZEN-APPS1-PRB
serverfarm ZEN-LDAP1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name HUORN
inservice
real name KARAKA
inservice
probe ZEN-LDAP1-PRB
serverfarm ZEN-SERVER1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name HUORN
inservice
real name KARAKA
inservice
probe ZEN-SERVER1-PRB
sticky 10 netmask 255.255.255.255 timeout 2880
policy ICHAIN1-INSERT
header-map ICHAIN1-X-FOR
sticky-group 10
serverfarm ICHAIN-BB1
vserver VIP-ICHAIN1
virtual 10.14.105.20 tcp www
serverfarm ICHAIN-BB1
sticky 2880 group 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
slb-policy ICHAIN1-INSERT
inservice
vserver VIP-ICHAIN1-SSL
virtual 10.14.105.20 tcp https
serverfarm ICHAIN-BB1
sticky 1440 group 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-APPS1-VIP
virtual 10.14.105.21 tcp 0
serverfarm ZEN-APPS1
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-LDAP1-VIP
virtual 10.14.105.22 tcp 0
serverfarm ZEN-LDAP1
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-SERVER1-VIP
virtual 10.14.105.23 tcp 0
serverfarm ZEN-SERVER1
replicate csrp connection
persistent rebalance
inservice
Many Thanks
Scott
Hello, I have the same problem running CSM Ver 4.1(7)
Showing connection stats with any of
show module csm 4 conn
show module csm 4 real
do not show any connections nor does it matter if I specify vserver or client or detail as the options
I am using cookie-based sticky and the show mod csm 4 sticky command seems to give correct info so that is not an issue for me -
CSM Modules and Server availability project
I have 2 geographically separated sites, site A in the main office and site B in the disaster recovery office. These 2 sites are connected by a high speed Layer 3 link (10Gb). The goal is to have duplicate servers available in site B in the event of partial server failure in site A or even complete failure of site A. Can I accomplish this with the CSM modules given that these servers will be in different networks, and overall how would this configuration work? I really appreciate it.
Are you planning to put CSMs in both data centers or a single data center?
If CSM will be at one site (site A) only then
You need to use source NAT on CSM (Assumption: its in Site A) to make sure that the return traffic from servers in "site B"
can go back to the client through CSM at "Site A"
If both data centers will have their own CSM modules then the best approach is to use GSS or any geo-redundant setup that can check the load/health/availability/proximity of the VIPs (virtual IPs configured on each CSM) in each data center and direct the clients intelligently to the appropriate data center.
Syed Iftekhar Ahmed -
Combination bridged mode routed mode CSM
We run an active/standby pair of
CSM with SSL WS-X6066-SLB-S-K9
currently we have our real servers in 2 vlans: 116 and 117. our VIPS are mostly in the client vlan 119. load balancing works fine.
We now want to load balance between real servers in the 116 VLAN. So far we have been unsuccessful in getting it working. I suspect because we essentially require a configuration that combines routed with bridged mode.
Has anyone been able to configure such a setup? Is it possible at all?
This type of topology is not 'bridged mode'.
When the source and destination of the load-balancing process are in the same subnet (in your topology VLAN 116) you need to use source NAT (client NAT in CSM terminology).
Let me explain it:
1. The client (srcIP-vlan116) sends a request to the VIP (VIP-vlan116).
2. The CSM processes (modifies) the request and sends it to dstIP-vlan116 (src IP is srcIP-vlan116) (*)
3. The server receives the request. It will respond to srcIP-vlan116 and the response is not delivered through the CSM, but directly. TCP communication is not possible, because the client's request was modified on the CSM.
* When the CSM modifies the source IP, for example to one of the IP addresses of the CSM, the response from the server is always sent to the CSM and not directly.
Martin -
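The reply-path problem Martin describes, and Gilles's point that client NAT forces the server's response back through the CSM, can be modelled in a few lines. This is an added example, not code or configuration from the thread or from Cisco: it models server NAT as always on, client NAT only when a natpool is bound, PAT ports starting at 8193 as stated above, and a real that delivers directly to any address in its own subnet and sends everything else to its default gateway. All addresses are constructed, and the gateway model also covers Syed's "CSM as default gateway" alternative for reals in other VLANs.

```python
"""Model of the CSM reply path (added example; all addresses constructed)."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Csm:
    def __init__(self, vip, reals, natpool=()):
        self.vip, self.reals, self.natpool = vip, list(reals), list(natpool)
        self.owned = {vip, *natpool}           # addresses the CSM answers for on the wire
        self.next_port, self.table = 8193, {}  # PAT cursor and client-NAT translation table

    def to_server(self, p):
        """Client->VIP: rewrite dst to a real (nat server); with a pool also rewrite src (nat client)."""
        real = self.reals[0]                   # the predictor choice does not matter here
        out = replace(p, dst=real)
        if self.natpool:
            out = replace(out, src=self.natpool[0], sport=self.next_port)
            self.table[(out.src, out.sport, real)] = (p.src, p.sport)
            self.next_port += 1
        return out

    def to_client(self, p):
        """Real->client reply that reaches the CSM: undo server NAT and any client NAT."""
        orig_ip, orig_port = self.table.get((p.dst, p.dport, p.src), (p.dst, p.dport))
        return Pkt(self.vip, p.sport, orig_ip, orig_port)


def reply_path(csm, server_subnet, server_gw_is_csm, client_ip="10.1.116.50"):
    """Return (reply passes through the CSM, client accepts the reply)."""
    net = ipaddress.ip_network(server_subnet)
    syn = Pkt(client_ip, 40000, csm.vip, 80)
    at_server = csm.to_server(syn)
    reply = Pkt(at_server.dst, 80, at_server.src, at_server.sport)  # the real swaps the tuple
    # Direct delivery inside the real's own subnet; anything else goes to its gateway.
    via_csm = reply.dst in csm.owned or (
        ipaddress.ip_address(reply.dst) not in net and server_gw_is_csm)
    if via_csm:
        reply = csm.to_client(reply)
    # The client only matches a reply that comes from the VIP to the socket it opened.
    return via_csm, reply == Pkt(csm.vip, 80, client_ip, 40000)


if __name__ == "__main__":
    no_nat = Csm("10.1.116.20", ["10.1.116.101"])                   # client and real both in VLAN 116
    print("same subnet, no client NAT:", reply_path(no_nat, "10.1.116.0/24", False))  # (False, False)
    nat = Csm("10.1.116.20", ["10.1.116.101"], ["10.1.116.200"])
    print("same subnet, client NAT:", reply_path(nat, "10.1.116.0/24", False))        # (True, True)
```

With the client in another subnet, the model also shows the two working options from the multiple-VLAN thread: either the reals point their default gateway at the CSM, or the client NAT pool lives in the server subnet so the reply is addressed to the CSM.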
CSM Loadbalancing multiple server VLANs
Is it possible to load balance servers located in multiple VLANs using the CSM? I have a need to load balance sites that may be located in different VLANs/subnets but I am unable to consolidate them into a single subnet.
It's possible.
Just make sure that return traffic from Real Servers should not bypass CSM.
This can be achieved by using one of the three methods.
1. By configuring CSM's server Vlan IP as the Default Gateway on Real Servers.
Or
2. Using Source NAT on CSM.
Or
3. Using PBR
HTH
Syed Iftekhar Ahmed -
Use of client nat pools on the CSM
Hi Guys,
Just a quick question about the use of NAT pools, for which the configuration guide is a little scant on information.
If a client NAT pool such as this is used (16 addresses):
natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceed the number of IP addresses available in the NAT pool?
I hope this makes sense!
thanks
Sheldon
The CSM does PAT by default.
Gilles. -
CSM - Client NAT for routable server subnet
I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?
Thanks. This is now working.
I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
Noticed that a previous "show mod csm 5 arp" showed:
10.200.2.100 -->10.200.250.1 0 REAL routed
10.200.2.101 -->10.200.250.1 0 REAL routed
10.200.2.102 -->10.200.250.1 0 REAL routed -
Hi,
Can we use the same NAT pool for 2 different server farms in CSM? Does it work, or will it create any issue?
(For E.g)
natpool XYZ 10.0.0.63 10.0.0.63 netmask 255.255.255.128
serverfarm ABC
nat server
nat client XYZ
real name Real1
health probe TCP-3139
inservice
real name Real2
health probe TCP-3139
inservice
serverfarm QAZ
nat server
nat client XYZ
real name Real1
health probe HTTP-7779
inservice
real name Real2
health probe HTTP-7779
inservice
Hi,
Yes, it's perfectly fine to use the same nat pool.
Regards
Daniel -
Hi
We have one pair of CSMs configured in bridge mode.
The user wants the servers to be able to access the VIP also.
Understand one solution is to use NAT client.
Anyone got a working config on NAT client for bridge mode?
Thanks!
natpool ....
serverfarm from-server2server
nat server
nat client
real x.x.x.x
ins
real x.x.x.x
ins
vserver from-server2server
vip x.x.x.x tcp
vlan
serverfarm from-server2server
ins
That's it.
Any question, let me know.
Regards,
Gilles.
Thanks for rating this answer. -
Is there a way to NAT a server-initiated connection based upon destination, similar to what's possible using a source group in a CSS? What I'd like to do is NAT a server-initiated connection to the virtual IP when the server is connecting to the internet, but bypass NAT when the connection is to an internal network.
make a vserver to catch the internal traffic and use a predictor forward serverfarm with no client nat and no server nat.
Make another vserver with catch all traffic from server vlan and use a predictor forward serverfarm with client nat enable.
Gilles. -
CSCut55025 - CSM 4.8 - Error loading page NAT - Address Pools
We did experience this bug and have reverted back to 4.7. I've been told by TAC that it is scheduled to be fixed in 4.9.
Hi,
You can try this packet Tracer:-
packet input outside udp <External Source Ip on the internet> 45657 <Outside interface IP> 43139 det
For the captures , you just need to verify that the ASA device is passing the traffic through as this is UDP traffic , we would not be able to find much.
For more information on captures:-
https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
Let me know if you have any further queries.
Thanks and Regards,
Vibhor Amrodia -
RPC Load Balancing on CSM and SSL
We are load-balancing SSL successfully but the Exchange people want to use RPC to access
mailboxes using CSM.
We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?
Thanks. I tried that, but according to our Exchange administrators, the solution didn't work. Here is my configuration:
serverfarm EXCH-CAS
nat server
no nat client
real x.x.248.100
inservice
real x.x.248.101
inservice
probe EXCH-CAS
serverfarm EXCH-CAS-SSL
nat server
no nat client
real x.x.254.60
inservice
real x.x.254.61
inservice
probe SSL-FARM
! vserver EXCH-CAS
virtual x.x.254.154 tcp www
vlan 460
serverfarm EXCH-CAS
sticky 1440 group 152
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver EXCH-CAS-S
virtual x.x.214.139 tcp https
vlan 400
serverfarm EXCH-CAS-SSL
sticky 5 group 252
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver EXCH-CAS-TEST-S
virtual x.x.214.139 tcp 0
vlan 400
serverfarm EXCH-CAS
sticky 5 group 252
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
Thanks,
Mohamad -
Fault Tolerance not working between CSMs
I have two CSM modules in two different switches (bridge mode) configured for high availability. After noticing one of the CSM modules was in failed mode, I reset the module. While the module reboots I get the following messages:
%CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down
%CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: ARP frame from 170.41.228.10 with MAC 00:01:64:f9:1a:07 received on VLAN 2.
With both online a "show mod csm 3 ft" shows both modules active.
I can no longer access the real servers.
When I remove the module that I reset (Primary) I can access the servers using the backup CSM.
When I remove the backup CSM and insert the Primary, I cannot access the servers once again.
The FT vlan is VLAN 7 configured on both switches and is the only allowed VLAN on the trunk.
The config for the Primary CSM is:
redundancy
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
module ContentSwitchingModule 3
ft group 7 vlan 7
priority 30
preempt
vlan 2 client
ip address 170.41.228.20 255.255.255.192
gateway 170.41.228.1
vlan 8 server
ip address 170.41.228.20 255.255.255.192
probe CARMENWEBPROBE tcp
interval 10
failed 100
probe HTTPS tcp
interval 10
failed 100
port 443
serverfarm CARMENWEBFARM
nat server
no nat client
real 170.41.228.15
inservice
real 170.41.228.16
inservice
probe HTTPS
vserver CARMENVSERVER
virtual 170.41.228.10 tcp 0
serverfarm CARMENWEBFARM
persistent rebalance
inservice
Trunk for VLAN 7 config :
interface GigabitEthernet4/2
switchport
switchport trunk encapsulation isl
switchport trunk allowed vlan 7
switchport mode trunk
no ip address
logging event link-status
logging event spanning-tree status
logging event trunk-status
Has anyone had this problem?
Thanks, Donald
The plan is to take a working CSM from a DR site with the same config to try in place of the not working active. I did not want to risk taking the working standby and moving it and possibly having an outage at this time since this is a production switch being heavily utilized at the moment. I wanted to verify there was not something in the config that was not configured properly.