ACE Source NAT

rmathiyalagan
Level 1

Trying to implement Source NAT for VLAN 400 (subnet 10.1.4.x/24), which contains both the servers and the VIPs.

Servers - default gateway is the VLAN 400 interface on the 6500 (which has the ACE module inside) and not the VLAN 400 interface on the ACE module (tried using the ACE interface, but it doesn't work).

ACL - configured for server-to-VIP connectivity.

Class map - configured to match the ACL.

Policy map - matching the class map, with a nat dynamic statement.

Service policy for the above configured policy map.

NAT pool <IP similar to the 10.1.4.x subnet> on the VLAN interface.

Test Results:

Connection attempted from server 10.1.4.218 to VIP 10.1.4.172. I could see the connection coming in for the VIP from the server, but I don't see a connection going out. I am sure the server is trying to return the packet to the VIP, searching for it locally rather than reaching the ACE. Am I missing something here?

7 Replies

ptscharn
Cisco Employee

Could you please send the config? Remember that the nat-pool has to reside on the outgoing interface of the ACE (if you have two interfaces on the ACE). Not sure which topology you're talking about.

pascal

Gilles Dufour
Cisco Employee

Send us the config and a sniffer trace.

Also get a 'show conn detail' and 'show service-policy detail' just after opening a connection from the server.

Gilles.

sh conn output
----------------

ACE1/Admin# sh conn | include 10.1.4.172

438 2 in TCP 400 10.1.1.111:3182 10.1.4.172:8080 SYNSEEN

ACE1/Admin#

The above output clearly shows the ACK packet is not sent back to the ACE. Will get back with more info soon.

Config enclosed.

I do not think your NATing works.

The nat-pool on VLAN 400, which is the server VLAN, has nat-pool id 40, not 100 as you have configured in the NAT policy.

policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 700
    nat dynamic 100 vlan 400 <===
    nat dynamic 300 vlan 300

Gilles.
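The two checks in this thread are mechanical enough to script: Gilles spots a `nat dynamic` statement that references a pool id not defined on that VLAN's interface, and the earlier `sh conn` output shows a connection stuck in SYNSEEN (the server's SYN reached the ACE but no return packet ever came back through it). The following is an added example, not code from the thread or from Cisco; the ACE config fragment and the `show conn` lines are constructed to mirror what the posts show, and the column layout of `show conn` (conn-id, np, dir, proto, vlan, source, destination, state) is assumed from the single line quoted above.

```python
import re

# Constructed ACE config fragment: pool id 40 on vlan 400, but the policy references 100.
SAMPLE_CONFIG = """\
interface vlan 300
  nat-pool 300 10.1.3.250 10.1.3.250 netmask 255.255.255.255 pat
interface vlan 400
  nat-pool 40 10.1.4.250 10.1.4.250 netmask 255.255.255.255 pat
interface vlan 700
  nat-pool 1 10.1.7.250 10.1.7.250 netmask 255.255.255.255 pat
policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 700
    nat dynamic 100 vlan 400
    nat dynamic 300 vlan 300
"""

# Constructed 'show conn' output; the SYNSEEN line is the one quoted in the thread,
# the ESTAB line is added for contrast.
SAMPLE_SHOW_CONN = """\
conn-id np dir proto vlan source destination state
438 2 in TCP 400 10.1.1.111:3182 10.1.4.172:8080 SYNSEEN
439 2 in TCP 400 10.1.4.218:3190 10.1.4.172:8080 ESTAB
"""

IFACE_RE = re.compile(r"^interface vlan\s+(\d+)")
NAT_POOL_RE = re.compile(r"^\s*nat-pool\s+(\d+)\s")
NAT_DYN_RE = re.compile(r"^\s*nat dynamic\s+(\d+)\s+vlan\s+(\d+)")


def parse_nat_pools(config):
    """Map each VLAN to the set of nat-pool ids defined under its interface block."""
    pools = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = int(m.group(1))
            pools.setdefault(current, set())
            continue
        if line and not line[0].isspace():
            current = None  # a new top-level block ends the interface section
        m = NAT_POOL_RE.match(line)
        if m and current is not None:
            pools[current].add(int(m.group(1)))
    return pools


def parse_nat_dynamic(config):
    """Collect (pool_id, vlan) pairs from every 'nat dynamic' statement."""
    refs = []
    for line in config.splitlines():
        m = NAT_DYN_RE.match(line)
        if m:
            refs.append((int(m.group(1)), int(m.group(2))))
    return refs


def find_dangling_nat(config):
    """Return nat dynamic references whose pool id does not exist on the named VLAN."""
    pools = parse_nat_pools(config)
    return [(pid, vlan) for pid, vlan in parse_nat_dynamic(config)
            if pid not in pools.get(vlan, set())]


def parse_show_conn(output):
    """Parse 'show conn' rows; header and other non-numeric lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].isdigit():
            continue
        conn_id, _np, direction, proto, vlan, src, dst, state = parts[:8]
        rows.append({"id": int(conn_id), "dir": direction, "proto": proto,
                     "vlan": int(vlan), "src": src, "dst": dst, "state": state})
    return rows


def half_open(output):
    """Connections still in SYNSEEN: the handshake never completed through the ACE."""
    return [(r["src"], r["dst"]) for r in parse_show_conn(output)
            if r["state"] == "SYNSEEN"]


if __name__ == "__main__":
    for pid, vlan in find_dangling_nat(SAMPLE_CONFIG):
        print(f"nat dynamic {pid} vlan {vlan}: no nat-pool {pid} on interface vlan {vlan}")
    for src, dst in half_open(SAMPLE_SHOW_CONN):
        print(f"half-open: {src} -> {dst} (return traffic not reaching ACE)")
```

Run against a saved `show running-config` and `show conn` capture; a dangling reference points at the mismatch Gilles describes, and a SYNSEEN entry with no counterpart is the symptom from the original post, which usually means the return path bypasses the ACE (here, the server's gateway being the MSFC rather than the ACE interface).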

Sorry, I gave you the old config. I had made so many changes to the config for testing that I gave you the wrong one.

This is the latest.

OK.

Did you verify that NATing was working?

Maybe get a sniffer trace.

Gilles.

With this config, it didn't work. I am going to change the gateway of the servers directly to the ACE interface rather than the VLAN interface on the MSFC to get more control over the return traffic. Hopefully it will let me capture packets at a granular level, compared to packets captured at the MSFC for the entire VLAN that spans across the ACE and other CSS boxes.

Thanks for your help Gilles. I will definitely come back with more results and queries.

Raja.
