Client NAT - ACE

Apr 10th, 2008

Hi All,

We are trying to configure client NAT on ACE. I have tried the following configuration.

I want to make sure of the following things:

1) Whether this is the right way or not, or if this is possible?

2) If it is, and anyone has ideas for that, please let me know so that I can also send the topology diagram to make it easier to understand.


class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www

class-map match-all NAT
  2 match source-address 0.0.0.0 0.0.0.0
  3 match destination-address 172.16.30.110 255.255.255.255

policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
  class NAT
    nat dynamic 9 vlan 300

interface vlan 300
  description Clentside interface
  bridge-group 30
  access-group input ALL
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  service-policy input MOON-POLICY
  no shutdown



Regards

Aslam...

agiaccone Mon, 04/14/2008 - 03:11

Hi Aslam,

Yes, it's possible in quite a simple way. I see some errors in your configuration:


You don't need a second class map "NAT", the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, loadbalance AND nat client traffic".

To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.


This should work as you want:

class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www

policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300


Remember that an instruction like "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm: no instruction on source-address means match any source.


You can check some other scenarios on source NAT here:

http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html


Hope this helps.

Alberto


