This document provides information on using Network Address Translation (NAT) and client addresses on the Content Services Switch (CSS) 11000.
For more information on document conventions, see the Cisco Technical Tips Conventions.
There are no specific prerequisites for this document.
The information in this document is based on all Cisco CSS 11000 series content services switches and Cisco WebNS Software Release 3.01 and later.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).
This type of source group is useful when setting up a one-armed configuration, where client and server traffic flows through the same CSS switch.
For this configuration, clients reside off the CSS. The clients' IP address range is 10.10.10.x/255.255.255.0. The goal is to NAT all of the clients' private IP addresses to one common public IP address (the VIP).
Configure an ACL if there are no ACLs currently configured.
CS100# configure
CS100(config)# acl 1
Create ACL <1>, [y/n]:y
CS100(config-acl)# clause 50 permit any any destination any
CS100(config-acl)# apply circuit-(VLAN1)
CS100(config-acl)# ex
CS100(config)# acl enable
Configure a source group so the clients can be NATed with a public IP address.
CS100(config)# group clients-group
Create group <clients-group>, [y/n]:y
CS100(config-group[clients-group])# vip address 184.108.40.206
CS100(config-group[clients-group])# act
Configure an ACL to permit the clients (source IP address ranges) to the source group for NAT.
CS100(config)# acl disable
CS100(config)# acl 1
CS100(config-acl)# clause 10 permit any 10.10.10.0 255.255.255.0 destination 10.10.10.0 255.255.255.0
CS100(config-acl)# clause 15 permit any 10.10.10.0 255.255.255.0 destination any sourcegroup clients-group
CS100(config-acl)# remove circuit-(VLAN1)
CS100(config-acl)# apply circuit-(VLAN1)
CS100(config-acl)# ex
CS100(config)# acl enable
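The following Python model is an added example, not Cisco code or CSS output. It replays the three clauses of ACL 1 against sample flows to show which ones leave with the source group VIP as their source address. It assumes that the lowest-numbered matching clause wins and that unmatched traffic is dropped; the function name, the clause tuple layout and the sample addresses are constructed for illustration.

```python
import ipaddress

# Clauses of ACL 1 as configured on this page:
# (clause number, source network, destination network, source group or None)
CLAUSES = [
    (10, "10.10.10.0/24", "10.10.10.0/24", None),
    (15, "10.10.10.0/24", "0.0.0.0/0", "clients-group"),
    (50, "0.0.0.0/0", "0.0.0.0/0", None),
]

# VIP of the source group, taken from the group configuration on this page.
GROUP_VIP = {"clients-group": "184.108.40.206"}


def evaluate(src, dst, clauses=CLAUSES):
    """Return (matching clause number, source address after the CSS).

    Assumption: clauses are checked in ascending clause number and the
    first match decides. A flow matching no clause is treated as dropped
    and reported as (None, None).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for number, src_net, dst_net, group in sorted(clauses, key=lambda c: c[0]):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            # A clause with a source group rewrites the source to the VIP.
            return number, (GROUP_VIP[group] if group else src)
    return None, None


if __name__ == "__main__":
    # Constructed sample flows: local, outbound, and non-client source.
    flows = [
        ("10.10.10.5", "10.10.10.9"),
        ("10.10.10.5", "198.51.100.7"),
        ("172.16.0.4", "10.10.10.9"),
    ]
    for src, dst in flows:
        clause, seen_as = evaluate(src, dst)
        print(f"{src} -> {dst}: clause {clause}, source seen as {seen_as}")
```

If the source-group clause were numbered below clause 10, traffic between two clients on 10.10.10.0 would also be translated to the VIP, which is what clause 10 prevents.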