Source Nat and Destination Nat

Is any of the above working in the ACE OR CSM module by default?
What is an advantage of configuring destination NAT on the ACE Box?

Hello,
On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
Best regards,
Sean

Similar Messages

Source transactions and destination transactions

hi,
In HFM9.3.1, we have created some consolidation rules but we are unable to get transaction details while
performing the following action on the data grid.
select account -> right click-> destination/source transactions
The list always appears to be empty, irrespective of whatever complex consolidation rule we write??
Are there any specific settings required to enable this feature.
Pls, help me out.

The transaction details report, always considers your point of view, therefore, you will get different information depending on whether it is a parent account or a base level. If it is a base level account the support will only apply to the custom dimensions. If it is a parent account, you won't see line item detail or J/E or audit detail. Also, you may want to check your display options for journal details, and Custom dimension supression, and all other options.

In RV 042 How to determine Source IP and Destination IP?

Good day,
Sir is my configuration correct? for Source IP? for Destination IP? 192.168.0.1 is my router
im binding:
http
http secondary
https
to Wan1
Thank YOU..
-newbie

Hi Ian, thank you for using our forum, my name is Luis and I am part of the Small Business Support Community.
I will be more tan glad to assist you with your configuration, I found an article where you could get specific steps in order to configure the Protocol Binding. Please check the Link below.
Manage Protocol Binding
Please search Manage Protocol Binding in the article.
I hope you find this answer useful,
“Please rate useful posts so other users can benefit from it”
Greetings,
Luis Arias.
Cisco Network Support Engineer.

Setting up a project where source and destination are different formats

Howdy...
I'm a recent Vegas user who is just switching over to FCP6.
My question is this: When your source footage and destination format are two unrelated formats (for instance, HDV for source footage, Apple-TV H264 for destination), is it better to set up the project for your source footage format, or for your destination format?
In Vegas it didn't really matter, but it was good to use the destination format because you could preview what it'd look like at the size and frame-rate that you were going to end up in.
In FCP6, however, it seems that importing HDV into a H264 project may not work as well, becuase it wants to render the footage into the correct format before you can preview it.
FYI: The final desitnation is my gadget podcast, http://www.neo-fight.tv, which I have shot on HDV and edited on Vegas for the past year. FCP is very new to me, but I'm enjoying learning something new.
Let me know your thoughts...
Best,
Benjamin
http://www.neo-fight.tv [The TV Show for The 'Not-So-Geeky']
MacBook, MacPro Mac OS X (10.4.9)

Hi Benjamin - Prior to fcs 2 I worked in whatever my capture format was and will still continue to do that. I plan to use ProRes now - but if I was coming from an hdv source I'd prolly opt to capture using DVCPro HD and working in that.
"In FCP6, however, it seems that importing HDV into a H264 project may not work as well, becuase it wants to render the footage into the correct format before you can preview it."
As far as working in .h264 is concerned and combining other formats into that I really don't know.
h264 for me is a delivery format - so I'd opt to still work in native capture format and then transcode/convert at the end. More options ....

CSS Source NAT

Hi,
I have CSS in single arm deploymenet model. I am trying to do the exchange server load balancing. But I am facing problem
with the soruce NAT. I dont want to NAT the client IP in VIP.
Exchange team dont want to have Client IP address to be NATTED. They want real Client IP to appear in Exchange so that they can track exact
user IP address for mail replying and tracking.
Please let me know is there any way bypass the source NAT for specific VIP.

Hi,
I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- Client initiates the traffic to the VIP which will be forwarded to the servers. Then the server will replay to the client, from VIP to the client. In this case, I need to configure service and content.
2- Server initiates traffic to the client, the source will be VIP, the destination is client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP not VIP, the make failure..
Q2: Where is the problem?

Source NAT for specific servers in a rule

Hello,
I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
ip address 10.1.1.1
active
service BBBB
ip address 10.1.1.2
active
service XXXX
ip address 20.1.1.1
active
service YYYY
ip address 20.1.1.2
active
owner Gateway
content Gateway1
vip address 61.61.61.61
add service 10.1.1.1
add service 10.1.1.2
add service 20.1.1.2
add service 20.1.1.1
active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
Appreciate any help.

Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
TO:
group Gateway
vip address 61.61.61.61
add destination service 10.1.1.1
add destination service 10.1.1.2
add destination service 20.1.1.1
add destination service 20.1.1.2
active
Good luck!
James

Dynamic Source NAT for multiple POOLS

I am setting up Dynamic Source NAT with a few Pools and Access-list to translate according to the Access-list. However when configure some ACL don't work anything. And the ACL don't "match" any. I know that the correct way would be to apply the ACL about interface with "ip access-group <ACL-name> in/out" however in this case would be impossible to apply more one ACL with ip access-group command.
FurthermoreI have tested to creating a route-map named TEST with all ACLs; but cannot to create all "ip nat inside source route-map... " with the same route-map name. Also checked the cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
Attach the all configurations.
I need your help,
Thanks in advance!

Oh my God!! Already works fine! I hadn't thought that "log" would be a painful
Thanks John Marshall!
Attach my troubleshooting:
INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:49529 10.55.0.1:49529 4.2.2.2:22 4.2.2.2:22
tcp 200.200.200.1:62978 10.55.1.1:62978 4.2.2.2:4343 4.2.2.2:4343
tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
Furthermore we can to check the "rotary option also works!"
"INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:57238 10.55.0.1:57238 4.2.2.2:22 4.2.2.2:22
tcp 195.77.205.33:16393 10.55.1.1:16393 4.2.2.2:22 4.2.2.2:22"
Thanks again!

ACE: Significance of mask in nat-pools configured for Source NAT

Hi guys
If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
What would be the difference between the nat-pools configured with different netmask.
What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
and why?
case1:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
service-policy input clientvips
no shutdown
case2:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
service-policy input clientvips
no shutdown
Thanks in Advance
A.

Gilles
Thanks a lot. It makes more sense now.
I posted another question for an ACE design validation. Could you please validate this
I am planning to deploy ACE module in following manner:
> ACE will be in one arm mode ( Only one vlan connected to the ACE).
> Vips & Rservers (all serverfarms) will be in the same Vlan X.
> Default gateway on the ACE & Real servers will be the upstream router
> There will be Source NAT configured for all Serverfarms.
ACE --- Vlan X -------Router--- internet
.................|
.................|-- Sfarm 1
.................|
.................|-- Sfarm 2
.................|
.................|-- Sfarm n
I am pretty sure that it should work.
Just wanted an expert opinion.
Thanks

ACE router or source NAT

Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....

The advantage of running SNAT is the ACE is deployed in a "one-arm" mode. In this deployment the advantage is the ACE does not have to process all traffic as oppossed to being directly in the transit path when deployed inline (routed).
In one arm mode you can use either PBR or SNAT for server return traffic. One arm mode also allows for direct server return butlimited to L4 load balance.
In routed mode the ACE acts as the server default gateway.
Routed mode is the easier of the two to configure.

Issues with source NAT configuration in VNMC

Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
ASA 1000v
-          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
-          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
On ASA running ‘show route’ outputs following:
C             10.1.1.0 255.255.255.0 is directly connected, esp-in
C             10.147.28.0 255.255.255.0 is directly connected, management
C             10.147.30.0 255.255.255.0 is directly connected, esp-out
S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
Now I want to configure the following scenarios through VNMC:
1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
ERROR: interface keyword is not allowed when translated interface is any;
2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created ACL rule for allowing outbout ssh traffic. This working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
Version details
VNMC 2.0
ASA 1000v version
Cisco Adaptive Security Appliance Software Version 8.7(1)1
Device Manager Version 6.7(1)
Questions:
-          Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above. Why am I getting the errors mentioned and how to fix them?
-      Why is there an error on reassigning asa 1000v to the edge firewall
-          How to enabling logging/debugging on ASA or VNMC to see packet details and how rules are getting applied?
Thanks,
Koushik

Hello Arseny,
How did you resolve this issue?
We are still facing the same problem in WebI 4.1 SP5 Patch 4.
The issue is still under SAP investigation with KBA 2131762.
Regards,
Mirko

Is it possible to source NAT health checks?

I am source natting the data traffic to the back end servers using a source group but I notice the health checks are not affected and they use the interface physical address. The way I found out is the service is down and the firewall was dropping the health checks. Does anyone know a way to source nat health checks? Either that or have them source from the redundant VIP address that is configured on the interface and not the "real" address. CCO and google produced nothing... thanks!

you can't nat probes.
The CSS will use its outgoing interface ip address as the source ip.
Just make sure your firewall allows this traffic.
Gilles.

I am using the pattern stamp tool. when i select my pattern it adds a hatching to teh source pattern and copies that hatching to the destination image

I am using the pattern stamp tool. when i select my pattern it adds a hatching to the source pattern and copies that hatching to the destination image

Please post screenshots to illustrate what you are talking about.

How to keep sort order in Shuttle item's source and destination boxes?

I have defined a shuttle item on a page and the list of values in the source box is populated by a SQL with sort order specified. In the Settings of the shuttle item, Show Controls value is set to Moving Only instead of All. When a user moves selected values from the source box to the destination box or vice versa, the list of values does not maintain the original sort order. For example, if I have 26 values A through Z, a user can put value Z before A in the destination box. And when a user move A from the destination box to the source box, A is the last item in the source box. The reset button clears everything in the destination box and resets the source box to the original sorted list. This is not the solution that I am looking for. I would like to see the items in the source and destination boxes to maintain their original sort order all the time.
Is it possible?
APEX v4.0.1.00.03
Oracle 11g (v11.2.0.1.0)

Hi,
See if this post help
Re: Sort Shuttle Right
Regards,
Jari

Dbms_lob.getlength() returns different source and destination lengths

I am fairly new to PL/SQL so maybe this is an obvious problem but here goes. I am updating a clob field with a text file ~5KB in size. The field updates fine (as far as I can tell). Before I update the field, I open the source file as a bfile and then inquire the length using dbms_lob.getlength(). I then update the clob field using dbms_lob.loadclobfromfile(). This seems to work fine. However, when I use dbms_lob.getlength() on the destination object returned by dbms_lob.loadclobfromfile(), I get a length 3 characters less than then the source object (5072 vs 5075). Both the source and destination offsets are set to 1.
Probing on what documentation I could find, I found this at http://download.oracle.com/docs/cd/B28359_01/appdev.111/b28419/d_lob.htm#i998484:
"The length returned for a BFILE includes the EOF, if it exists. Any 0-byte or space filler in the LOB caused by previous ERASE or WRITE operations is also included in the length count. The length of an empty internal LOB is 0."
I did not create the source file and I believe it is a Unix type file (because of the lack of CRs) and I am running on Windows 7. I am also using 11g Express. Could the use of a Unix-type file for a CLOB on a Windows system be causing this character count difference?
Once I found this issue I can work around it. I just want to understand what is going on.
Thanks to all who look at this.

The EOF and the LF versus CR/LF could influence the count difference, yes.
Another explain could possibly be character set conversions. The BFILE I believe counts bytes, a CLOB would count "characters" - so if the source happens to contain a few multibyte characters (UTF), then the byte count would be larger than the character count.
To help you find the cause for your exact file, then I can suggest a couple of things you might do to explore the issue:
<li>Load the file into a BLOB instead of a CLOB and see what getlength() returns for the BLOB. BLOBs would also do byte counts and not try to treat the source as text.
<li>Save the CLOB back into the filesystem and compare the original file with the exported CLOB and check the differences with some filecompare tool.

Source and destination clarification needed

Hi Guys,
We are using SRM as an add-on component to ECC 6.0. We are on SRM Server 5.5. In the defination of backend system SAP asked us to create 4 entries.
1. ONECLNTERP : RFC tick is on
2. ONECLNTEBP:
3. ONECLNTSUS:
4. XXXCLNTYYY: Local tick is on.
So this means 'ONECLNTERP' is my backend system i.e. ECC 6.0 and 'XXXCLNTYYY' is my local system.
Now while defining backend system for Product category there is one 'Source System and there is 'Target system'. Source System: System from which master data is replicated. So this should be my SRM system (as Product category is a part of SRM) or this should be ECC (as My product categories are copy of material group from ECC).
Target system is the system into which follow-on document of SC is transfered i.e. Backend ECC system.
Am I correct to say the above. I'm confused about which system is source and which system is destination.
While defining the Account Assignement category and defining the PR document type I'm facing the same problem as I've to define the source system.
Can anybody clarify me??
Thanks
Debashish

Hello Deb,
I have not worked on ECC 6.0.
But logically speaking the
source system - has to be yr ECC as SRM would be taking the ref of matl masters from there only
Target system - would be yr same ECC again if you are using only one backend (and I think you are)
(if you are using multiple backend and you want followon document in diff backend then here the SID of that backend would come)
BR
Dinesh

Source Nat and Destination Nat

Similar Messages

Maybe you are looking for