Cisco CSS 11000 Series Content Services Switches

NAT and Client Addresses on the CSS 11000

Cisco - NAT and Client Addresses on the CSS 11000

Document ID: 12634

Updated: Jan 30, 2006



This document provides information on using Network Address Translation (NAT) and client addresses on the Content Services Switch (CSS) 11000.

Before You Begin


For more information on document conventions, see the Cisco Technical Tips Conventions.


There are no specific prerequisites for this document.

Components Used

The information in this document is based on all Cisco CSS 11000 series content services switches and Cisco WebNS Software Release 3.01 and later.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.


Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).

The use of this type of source group is useful when setting up a one-armed configuration where client and server traffic flows through the same CSS switch.

For this configuration, clients reside off the CSS. The clients' IP address range is 10.10.10.x/ The goal is to use NAT on all of the clients' private IP addresses to one common public IP address (the VIP).


  1. Configure an ACL if there are no ACLs currently configured.

    CS100# configure
    CS100(config)# acl 1
    Create ACL <1>, [y/n]:y
    CS100(config-acl[1])# clause 50 permit any any destination any
    CS100(config-acl[1])# apply circuit-(VLAN1)
    CS100(config-acl[1])# ex
    CS100(config)# acl enable
  2. Configure a source group so the clients can be NATed with a public IP address.

    CS100(config)# group clients-group
    Create group <clients-group>, [y/n]:y
    CS100(config-group[clients-group])# vip address
    CS100(config-group[clients-group])# act
  3. Configure an ACL to allow/permit the clients (source IP address ranges) to the source group for NATing.

    CS100(config)# acl disable
    CS100(config)# acl 1
    CS100(config-acl[1])# clause 10 permit any 
    CS100(config-acl[1])# clause 15 permit any 
                       destination any sourcegroup clients-group
    CS100(config-acl[1])# remove circuit-(VLAN1)
    CS100(config-acl[1])# apply circuit-(VLAN1)
    CS100(config-acl[1])# ex
    CS100(config)# acl enable

Related Information

Updated: Jan 30, 2006
Document ID: 12634