ACE: rserver access to its own VIP

Unanswered Question
May 9th, 2008
User Badges:

Can anyone be my second pair of eyes and confirm for me that this configuration is good? I am having problems doing source NAT from a real server to a VIP for which it is a service for.


The two real servers here are within a serverfarm for the VIP etrust2vip. The real servers themselves need to hit that VIP. In the configuration below I have a NAT applied to the server vlan (vlan71) to SNAT the packets destined for the VIP in the acl (enat).


'sh xlate' shows me nothing nor do I see any hits in 'sh conn'. The default gateway for the real servers is the alias address on vlan71.


The equipment I am working with is an ACE appliance with code 3.0(0)A1(7b).


Any help would be greatly appreciated.


access-list enat line 3 extended permit ip host 10.24.71.18 host 10.24.70.176

access-list enat line 4 extended permit ip host 10.24.71.19 host 10.24.70.176

access-list allacl line 10 extended permit ip any any


probe tcp P-20389

port 20389

interval 5

faildetect 2

passdetect interval 10

passdetect count 5

connection term forced

open 2


rserver host etrustserver1

ip address 10.24.71.18

inservice

rserver host etrustserver2

ip address 10.24.71.19

inservice


serverfarm host etrust2sfarm

failaction purge

predictor leastconns

probe P-20389

retcode 100 500 check count

rserver etrustserver1 20389

inservice

rserver etrustserver2 20389

inservice


sticky ip-netmask 255.255.255.0 address source STICKY-2

timeout 720

replicate sticky

serverfarm etrust2sfarm


class-map match-any SNAT

description Source NAT connections to the VIPs

2 match access-list enat

class-map match-all etrust2vip

2 match virtual-address 10.24.70.176 tcp eq 20389


policy-map type loadbalance first-match etrust2lbpolicy

class class-default

sticky-serverfarm STICKY-2

policy-map multi-match vlan70-service

class etrust2vip

loadbalance vip inservice

loadbalance policy etrust2lbpolicy

loadbalance vip icmp-reply

policy-map multi-match vlan71-service

class SNAT

nat dynamic 2 vlan 70


interface vlan 70

description CLIENT-SIDE

ip address 10.24.70.183 255.255.255.0

alias 10.24.70.182 255.255.255.0

peer ip address 10.24.70.185 255.255.255.0

mac-sticky enable

access-group input allacl

access-group output allacl

nat-pool 2 10.24.70.200 10.24.70.200 netmask 255.255.255.255 pat

service-policy input vlan70-service

no shutdown

interface vlan 71

description RSERVER-SIDE

ip address 10.24.71.4 255.255.255.0

alias 10.24.71.5 255.255.255.0

peer ip address 10.24.71.6 255.255.255.0

mac-sticky enable

access-group input allacl

access-group output allacl

nat-pool 1 10.24.71.200 10.24.71.205 netmask 255.255.255.255 pat

service-policy input vlan71-service

no shutdown


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Fri, 05/09/2008 - 12:27
User Badges:
  • Cisco Employee,

the natpool that you use must be one existing on the outgoing interface.

So, since the incoming and outgoing interface are in this case the rserver vlan, you need to use the vlan 71.


you also need to add your vip policy to the vlan 71 interface so that traffic from the rserver can hit the vip.


So you need


policy-map multi-match vlan71-service

class SNAT

nat dynamic 1 vlan 71


AND


interface vlan 71

service-policy input vlan70-service


Gilles.



Actions

This Discussion