ACE Source NAT

Unanswered Question
Feb 3rd, 2008

Trying to implement source NAT for VLAN 400 (subnet 10.1.4.x/24), which contains both the servers and the VIPs.

Servers - Default gateway is the VLAN 400 interface on the 6500 (which populates the ACE module inside) and not the VLAN 400 interface on the ACE module (tried using the ACE interface, but it doesn't work).

ACL - Configured for Server to VIP Connectivity

Class Map - Configured to match ACL

Policy Map

Matching class map and Nat dynamic statement

Service policy for the above configured policy map.

Nat pool <ip similar to the 10.1.4.x subnet> on the vlan interface.

Test Results:-

Connection attempted from server to VIP: I could see the connection coming in for the VIP from the server, but I don't see a connection going out. I am sure the server is trying to return the packet to the VIP, searching for it locally rather than reaching the ACE. Am I missing something here?

ptscharn Mon, 02/04/2008 - 02:45

Could you pls send the config? Remember that the nat-pool has to reside on the outgoing IF of ACE (if you have 2 IF on ACE). Not sure about which topology you're talking about.


Gilles Dufour Mon, 02/04/2008 - 06:08

send us the config and a sniffer trace.

Also get a 'show conn detail' and 'show service-policy detail' just after opening a connection from the server.


rmathiyalagan Mon, 02/04/2008 - 09:51

sh conn output


ACE1/Admin# sh conn | include

438 2 in TCP 400 SYNSEEN


The above output clearly shows the ACK packet is not sent back to the ACE. Will get back with more info soon.

Config Enclosed..

Gilles Dufour Mon, 02/04/2008 - 10:13

I do not think your natting works.

The natpool on vlan 400 which is the server vlan has natpool id 40 not 100 as you have configured in the nat policy.

policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 700
    nat dynamic 100 vlan 400 <===
    nat dynamic 300 vlan 300

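As an added illustration that is not part of this thread and is not Cisco's or the poster's own code: a small Python check for exactly the mismatch described above (the pool id in `nat dynamic` under the policy-map not matching the `nat-pool` id defined on the interface the NAT is applied to), which also checks the step in the original post that the policy-map is actually applied with a `service-policy`. The sample configuration is constructed from the thread's description (VLAN 400, pool id 40 on the interface, policy referencing pool 100); the ACL name, class-map name, IP addresses and pool range are assumptions.

```python
"""Lint an ACE source-NAT configuration for pool-id mismatches.

Added example, not Cisco code. SAMPLE_CONFIG is constructed to reproduce
the mismatch discussed in the thread (pool 40 on interface vlan 400, policy
referencing pool 100); names and addresses are assumptions.
"""
import re

SAMPLE_CONFIG = """\
access-list SERVER-TO-VIP line 10 extended permit ip 10.1.4.0 255.255.255.0 any
class-map match-any nat
  2 match access-list SERVER-TO-VIP
policy-map multi-match nat
  class nat
    nat dynamic 100 vlan 400
interface vlan 400
  ip address 10.1.4.2 255.255.255.0
  nat-pool 40 10.1.4.200 10.1.4.210 netmask 255.255.255.0 pat
  service-policy input nat
  no shutdown
"""

# Same config with the pool id corrected to match the interface's nat-pool.
FIXED_CONFIG = SAMPLE_CONFIG.replace("nat dynamic 100 vlan 400",
                                     "nat dynamic 40 vlan 400")


def parse_ace_config(text):
    """Return (pools, nat_refs, applied):
    pools    - {vlan: set(pool ids defined with nat-pool on that interface)}
    nat_refs - [(policy, class, pool_id, vlan)] for each 'nat dynamic' line
    applied  - set of policy-map names bound to an interface by service-policy
    """
    pools, nat_refs, applied = {}, [], set()
    vlan = policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            # A top-level line starts a new block; forget the previous context.
            vlan = policy = cls = None
            m = re.match(r"interface vlan (\d+)$", line)
            if m:
                vlan = int(m.group(1))
            m = re.match(r"policy-map multi-match (\S+)$", line)
            if m:
                policy = m.group(1)
            continue
        if vlan is not None:
            m = re.match(r"nat-pool (\d+) ", line)
            if m:
                pools.setdefault(vlan, set()).add(int(m.group(1)))
            m = re.match(r"service-policy input (\S+)$", line)
            if m:
                applied.add(m.group(1))
        elif policy is not None:
            m = re.match(r"class (\S+)$", line)
            if m:
                cls = m.group(1)
                continue
            m = re.match(r"nat dynamic (\d+) vlan (\d+)$", line)
            if m and cls:
                nat_refs.append((policy, cls, int(m.group(1)), int(m.group(2))))
    return pools, nat_refs, applied


def check_nat_pools(text):
    """Return a list of human-readable findings; empty list means consistent."""
    pools, nat_refs, applied = parse_ace_config(text)
    findings = []
    for policy, cls, pool_id, vlan in nat_refs:
        defined = sorted(pools.get(vlan, ()))
        if pool_id not in defined:
            findings.append(
                f"policy-map {policy} class {cls}: 'nat dynamic {pool_id} vlan {vlan}' "
                f"references pool {pool_id}, but interface vlan {vlan} defines "
                f"nat-pool ids {defined or 'none'}")
    # Each policy-map that performs NAT must be bound to an interface.
    for policy in sorted({p for p, *_ in nat_refs}):
        if policy not in applied:
            findings.append(f"policy-map {policy} is never applied with service-policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat_pools(cfg) or "OK")
```

The parser keys on indentation the way the ACE running-config is printed, so it can be pointed at a saved `show running-config` as-is; the check only covers the two errors this thread turns on and deliberately ignores everything else in the file.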

rmathiyalagan Mon, 02/04/2008 - 10:17

Sorry, gave you the old config. I had done so many changes to the config for testing that I gave you the wrong one.

This is the latest..

Gilles Dufour Mon, 02/04/2008 - 12:00


Did you verify that natting was working?

Maybe get a sniffer trace.


rmathiyalagan Mon, 02/04/2008 - 16:11

With this config, it didn't work. I am going to change the gateway of the servers directly to the ACE interface rather than the VLAN interface on the MSFC to get more control on the return traffic. Hopefully it will assist me in capturing packets at a granular level compared to packets captured at the MSFC for the entire VLAN that spans across the ACE and other CSS boxes.

Thanks for your help, Gilles. I will definitely come back with more results and queries.


