ACE & 1/2 NAT vs. Full NAT

Answered Question
Jun 22nd, 2007

I'm running into a problem with Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.


My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.


- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections be treated as 1/2 NAT?


- Is there an alternative method for me to do what I need?


- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.


Thanks in advance.


Casey

Correct Answer
Gilles Dufour Fri, 06/22/2007 - 07:11
User Badges: Cisco Employee

Casey,


You can apply a NAT policy to the server VLAN only, so traffic will only be NATed when the connection comes from the server VLAN.

If you don't want to NAT all traffic, you can use a class-map that only matches a specific destination IP.


If you need further detail let me know.


Gilles.
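Gilles's suggestion written out as an ACE configuration, as an added example that is not part of the original thread. The VLAN numbers, addresses (VIP 10.1.10.100, NAT pool 10.1.1.200) and object names are assumptions; the point is that the same VIP class-map is applied on both interfaces, but `nat dynamic` appears only in the policy bound to the server VLAN.

```text
! Farm2 (LDAP) behind VIP 10.1.10.100, servers on VLAN 20, clients on VLAN 10.
! All addresses, VLAN numbers and object names are assumptions for this example.

access-list ALL line 10 extended permit ip any any

rserver host LDAP1
  ip address 10.1.1.11
  inservice

serverfarm host FARM2-LDAP
  rserver LDAP1
  inservice

! Matches only the Farm2 VIP on LDAP (TCP/389); all other destinations fall through.
class-map match-all VIP-FARM2-LDAP
  2 match virtual-address 10.1.10.100 tcp eq 389

policy-map type loadbalance first-match LB-FARM2
  class class-default
    serverfarm FARM2-LDAP

! Client-side VLAN: half NAT. Only the destination is rewritten, so the LDAP
! servers still see the real client IP for logging and access decisions.
policy-map multi-match CLIENT-VLAN-POLICY
  class VIP-FARM2-LDAP
    loadbalance vip inservice
    loadbalance policy LB-FARM2

! Server-side VLAN: full NAT, but only for traffic whose destination is the VIP.
! Farm1 servers calling the Farm2 VIP have their source rewritten to the pool
! address, so the SYN-ACK returns through the ACE instead of going direct.
policy-map multi-match SERVER-VLAN-POLICY
  class VIP-FARM2-LDAP
    loadbalance vip inservice
    loadbalance policy LB-FARM2
    nat dynamic 1 vlan 20

interface vlan 10
  ip address 10.1.10.1 255.255.255.0
  access-group input ALL
  service-policy input CLIENT-VLAN-POLICY
  no shutdown

interface vlan 20
  ip address 10.1.1.1 255.255.255.0
  nat-pool 1 10.1.1.200 10.1.1.200 netmask 255.255.255.255 pat
  access-group input ALL
  service-policy input SERVER-VLAN-POLICY
  no shutdown
```

Server-to-server traffic on VLAN 20 that is not addressed to the VIP does not match the class and is therefore left untouched, which keeps the NAT scoped to exactly the flows that break the handshake.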

cajalat Mon, 07/09/2007 - 09:15

Gilles,


I've been meaning to respond back to tell you that this is a better answer than I had hoped for. The only reason I needed to use NAT in the first place was because of the TCP 3-way handshake problem with servers from behind the ACE needing to access the VIP. This is perfect. Thank you.


Casey
