05-09-2008 11:14 AM
Can anyone be my second pair of eyes and confirm for me that this configuration is good? I am having problems doing source NAT from a real server to a VIP for which it is a service.
The two real servers here are within a serverfarm for the VIP etrust2vip. The real servers themselves need to hit that VIP. In the configuration below I have a NAT applied to the server vlan (vlan71) to SNAT the packets destined for the VIP in the acl (enat).
'sh xlate' shows me nothing, nor do I see any hits in 'sh conn'. The default gateway for the real servers is the alias address on vlan71.
The equipment I am working with is an ACE appliance with code 3.0(0)A1(7b).
Any help would be greatly appreciated.
access-list enat line 3 extended permit ip host 10.24.71.18 host 10.24.70.176
access-list enat line 4 extended permit ip host 10.24.71.19 host 10.24.70.176
access-list allacl line 10 extended permit ip any any

probe tcp P-20389
  port 20389
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 5
  connection term forced
  open 2

rserver host etrustserver1
  ip address 10.24.71.18
  inservice
rserver host etrustserver2
  ip address 10.24.71.19
  inservice

serverfarm host etrust2sfarm
  failaction purge
  predictor leastconns
  probe P-20389
  retcode 100 500 check count
  rserver etrustserver1 20389
    inservice
  rserver etrustserver2 20389
    inservice

sticky ip-netmask 255.255.255.0 address source STICKY-2
  timeout 720
  replicate sticky
  serverfarm etrust2sfarm

class-map match-any SNAT
  description Source NAT connections to the VIPs
  2 match access-list enat
class-map match-all etrust2vip
  2 match virtual-address 10.24.70.176 tcp eq 20389

policy-map type loadbalance first-match etrust2lbpolicy
  class class-default
    sticky-serverfarm STICKY-2

policy-map multi-match vlan70-service
  class etrust2vip
    loadbalance vip inservice
    loadbalance policy etrust2lbpolicy
    loadbalance vip icmp-reply
policy-map multi-match vlan71-service
  class SNAT
    nat dynamic 2 vlan 70

interface vlan 70
  description CLIENT-SIDE
  ip address 10.24.70.183 255.255.255.0
  alias 10.24.70.182 255.255.255.0
  peer ip address 10.24.70.185 255.255.255.0
  mac-sticky enable
  access-group input allacl
  access-group output allacl
  nat-pool 2 10.24.70.200 10.24.70.200 netmask 255.255.255.255 pat
  service-policy input vlan70-service
  no shutdown
interface vlan 71
  description RSERVER-SIDE
  ip address 10.24.71.4 255.255.255.0
  alias 10.24.71.5 255.255.255.0
  peer ip address 10.24.71.6 255.255.255.0
  mac-sticky enable
  access-group input allacl
  access-group output allacl
  nat-pool 1 10.24.71.200 10.24.71.205 netmask 255.255.255.255 pat
  service-policy input vlan71-service
  no shutdown
05-09-2008 12:27 PM
The nat-pool that you use must be one existing on the outgoing interface.
So, since the incoming and outgoing interfaces are in this case the rserver VLAN, you need to use vlan 71.
You also need to add your VIP policy to the vlan 71 interface so that traffic from the rserver can hit the VIP.
So you need

policy-map multi-match vlan71-service
  class SNAT
    nat dynamic 1 vlan 71

AND

interface vlan 71
  service-policy input vlan70-service
Gilles.
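Putting the two changes from the reply into the server-side configuration, as an added illustration (not configuration from either post): it assumes the rservers, serverfarm, sticky group, class maps and etrust2lbpolicy stay exactly as posted, and the lines beginning with ! are annotations rather than commands to paste.

```cisco
! Why SNAT is needed at all: an rserver on vlan 71 connecting to the VIP is
! load balanced to an rserver that is ALSO on vlan 71. Without source NAT the
! chosen rserver would reply straight to the originating rserver's address,
! bypassing the ACE, and the originator would see a SYN-ACK from a real
! server address instead of the VIP and drop it.
!
! The pool named in "nat dynamic" must exist on the interface the NATed
! traffic leaves on. Here both directions are vlan 71, so pool 1 (defined on
! vlan 71) is the one to use; pool 2 only exists on vlan 70.
policy-map multi-match vlan71-service
  class SNAT
    ! was: nat dynamic 2 vlan 70
    nat dynamic 1 vlan 71

interface vlan 71
  description RSERVER-SIDE
  ip address 10.24.71.4 255.255.255.0
  alias 10.24.71.5 255.255.255.0
  peer ip address 10.24.71.6 255.255.255.0
  mac-sticky enable
  access-group input allacl
  access-group output allacl
  nat-pool 1 10.24.71.200 10.24.71.205 netmask 255.255.255.255 pat
  ! SNAT for rserver-to-VIP flows matched by access-list enat
  service-policy input vlan71-service
  ! the VIP policy was only on vlan 70; rservers enter on vlan 71, so the
  ! VIP class must be applied here too or the VIP is never matched
  service-policy input vlan70-service
  no shutdown
```

With this in place, a connection from 10.24.71.18 or 10.24.71.19 to 10.24.70.176:20389 should show up in 'sh conn', and 'sh xlate' should show its source translated to an address from pool 1 (10.24.71.200-205).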