NAT throughput on ACE

Unanswered Question
Nov 2nd, 2007

I put a couple web servers behind the ACE and it appears to work. But I cannot get to the internet. I'm assuming I need to enable NAT on the ACE and I read the SCE Security Guide. If I enable NAT on ACE for my outgoing traffic, will it impact the number of simultaneous connections I can have to a virtual server?

Syed Iftekhar Ahmed Fri, 11/02/2007 - 16:24

You do not need to enable NAT for server-initiated connections on ACE. You just need an access list that allows outbound, server-initiated traffic.

Example

If you are running ACE in bridge mode:

access-list anyone line 1 extended permit ip any any
!
interface vlan 100
  bridge-group 1
  access-group input anyone

If you are running ACE in routed mode:

access-list anyone line 1 extended permit ip any any
!
interface vlan 100
  ip address a.b.c.d 255.255.255.0
  access-group input anyone

You need to make sure that your routing infrastructure can take server-initiated connections to the ISP-bound router and that the return traffic is routed back towards the real servers.

syed
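An added check (my own example, not from this thread or from Cisco): a small Python linter over ACE-style access-list and access-group lines like the ones above. It flags an access-group that names an ACL which is never defined (so the intended filter is not applied), an ACL that is defined but never bound, and permit ip any any entries, which pass all traffic through that interface. The sample configuration is constructed and deliberately mismatched.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): the ACL is defined as "outbound" but
# the interface applies "anyone", so the intended filter is never bound.
SAMPLE_CONFIG = """\
access-list outbound line 1 extended permit ip any any
!
interface vlan 100
  bridge-group 1
  access-group input anyone
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+line\s+\d+\s+extended\s+(permit|deny)\s+(\S+)\s*(.*)$")
IFACE_RE = re.compile(r"^interface\s+vlan\s+(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+(input|output)\s+(\S+)$")

def parse_ace_config(text):
    """Return ({acl_name: [(action, proto, rest)]}, {vlan: [(direction, acl_name)]})."""
    acls, bindings, current_vlan = defaultdict(list), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and ACE's "!" separators
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := IFACE_RE.match(line):
            current_vlan = int(m.group(1))  # subsequent access-group lines belong here
        elif (m := GROUP_RE.match(line)) and current_vlan is not None:
            bindings[current_vlan].append((m.group(1), m.group(2)))
    return dict(acls), dict(bindings)

def lint_ace_config(text):
    """Findings: access-groups bound to an undefined ACL, ACLs never bound to an
    interface, and 'permit ip any any' entries (they pass everything)."""
    acls, bindings = parse_ace_config(text)
    bound = {name for refs in bindings.values() for _, name in refs}
    findings = []
    for vlan, refs in bindings.items():
        for direction, name in refs:
            if name not in acls:
                findings.append(f"vlan {vlan}: access-group {direction} {name} references undefined access-list")
    for name, entries in acls.items():
        if name not in bound:
            findings.append(f"access-list {name}: defined but not applied to any interface")
        for action, proto, rest in entries:
            if action == "permit" and proto == "ip" and rest.split() == ["any", "any"]:
                findings.append(f"access-list {name}: 'permit ip any any' allows all traffic")
    return findings
```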

blade_ace Mon, 11/05/2007 - 14:25

So where do I apply the access list? On the server-side VLAN interface? Here is basically my config, other than the LB policy containing the IP address 9.9.9.30. vlan 10 is outside, vlan 20 is inside.

interface vlan 20
  ip address 10.1.20.5 255.255.255.0
  alias 10.1.20.4 255.255.255.0
  peer ip address 10.1.20.6 255.255.255.0
  no shutdown

interface vlan 10
  ip address 9.9.9.5 255.255.255.128
  alias 9.9.9.4 255.255.255.128
  peer ip address 9.9.9.6 255.255.255.128
  mac-sticky enable
  access-group input WWW
  service-policy input DOWNLOAD_LB_VIP_POLICY
  no shutdown

access-list WWW line 8 extended permit tcp any host 9.9.9.30 eq www

blade_ace Mon, 11/05/2007 - 14:54

I tried just adding an input access list to vlan 20 with permit ip any any, and I can ping out but not connect to any servers on port 80. When I traceroute, my first hop is the MSFC IP, not the ACE IP. This makes me think that my packets are hitting the vlan 20 interface on the ACE, then being passed to the MSFC on vlan 20 and then being NATed on the MSFC, which is not the desired behavior. Maybe I just need to adjust my understanding of the ACE. I am using one-arm mode with a default gateway pointing to the ACE internal IP and routes for my internal network going to the MSFC. It appears to work from the outside, but obviously I cannot access the internet from the load-balanced server. I assumed I need to add NAT configuration to the ACE to get this server to access the internet.

I posted the question to ask whether, if I enabled NAT, it would limit me in some fashion. For example, I have 10 servers load balanced behind a single external IP address. If I enabled NAT, would that limit me to 64K connections to all load-balanced servers rather than 64K to each? Would the NAT traffic adversely impact the performance of the ACE? I would assume it would, since NAT is rewriting packets...
