I'm running into a problem with Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.
My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.
- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections be treated as 1/2 NAT?
- Is there an alternative method for me to do what I need?
- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.
Thanks in advance.
You can apply a NAT policy to the server VLAN only, so traffic will only be NATed when the connection comes from the server VLAN.
If you don't want to NAT all traffic, you can use a class-map that only matches a specific destination IP.
If you need further detail let me know.
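The layout the answer describes, written out as an added example that is not part of the original reply. It assumes the load balancer is a Cisco ACE (the page does not name the platform), and every VLAN number, address and object name (VLAN 10/20, 10.0.1.0/24, the FARM2-VIP class, NAT pool 1) is constructed for illustration. The Farm2 VIP class is attached to both interfaces, but only the server-VLAN policy carries `nat dynamic`, so client-side LDAP connections keep the real client IP (half NAT) while connections originating from servers on VLAN 20 to that same VIP are source-NATed to the pool address (full NAT) and the SYN-ACK returns through the ACE instead of going server to server.

```text
! Constructed example: Farm2 VIP on the server VLAN gets full NAT,
! the same VIP on the client VLAN stays half NAT.

class-map match-all FARM2-VIP
  2 match virtual-address 10.0.1.20 tcp eq 389

policy-map type loadbalance first-match FARM2-LB
  class class-default
    serverfarm FARM2

! Client-side VLAN: no nat statement, servers see the real client IP.
policy-map multi-match CLIENT-VLAN-POLICY
  class FARM2-VIP
    loadbalance vip inservice
    loadbalance policy FARM2-LB

! Server-side VLAN: same VIP class, but connections from the servers
! are source-NATed to pool 1 so replies come back through the ACE.
policy-map multi-match SERVER-VLAN-POLICY
  class FARM2-VIP
    loadbalance vip inservice
    loadbalance policy FARM2-LB
    nat dynamic 1 vlan 20

interface vlan 10
  description client-side VLAN
  ip address 10.0.0.1 255.255.255.0
  service-policy input CLIENT-VLAN-POLICY
  no shutdown

interface vlan 20
  description server VLAN (Farm1 and Farm2)
  ip address 10.0.1.1 255.255.255.0
  nat-pool 1 10.0.1.200 10.0.1.200 netmask 255.255.255.255 pat
  service-policy input SERVER-VLAN-POLICY
  no shutdown
```

Because the class only matches the Farm2 VIP and port, other traffic entering VLAN 20 is left alone; add a second class (or a `match virtual-address` line for the Farm1 VIP) to the server-VLAN policy if server-originated calls to Farm1 should be NATed the same way. The one trade-off is that Farm2's LDAP servers will see the pool address, not the originating Farm1 server, for those internal connections, so any LDAP access rules keyed on source IP need to allow 10.0.1.200.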