Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
504
Views
0
Helpful
1
Replies

ACE: rserver access to its own VIP

ahuffer
Level 1
Level 1

‎05-09-2008 11:14 AM

Can anyone be my second pair of eyes and confirm for me that this configuration is good? I am having problems doing source NAT from a real server to a VIP for which it is a service for.

The two real servers here are within a serverfarm for the VIP etrust2vip. The real servers themselves need to hit that VIP. In the configuration below I have a NAT applied to the server vlan (vlan71) to SNAT the packets destined for the VIP in the acl (enat).

'sh xlate' shows me nothing nor do I see any hits in 'sh conn'. The default gateway for the real servers is the alias address on vlan71.

The equipment I am working with is an ACE appliance with code 3.0(0)A1(7b).

Any help would be greatly appreciated.

access-list enat line 3 extended permit ip host 10.24.71.18 host 10.24.70.176

access-list enat line 4 extended permit ip host 10.24.71.19 host 10.24.70.176

access-list allacl line 10 extended permit ip any any

probe tcp P-20389

port 20389

interval 5

faildetect 2

passdetect interval 10

passdetect count 5

connection term forced

open 2

rserver host etrustserver1

ip address 10.24.71.18

inservice

rserver host etrustserver2

ip address 10.24.71.19

inservice

serverfarm host etrust2sfarm

failaction purge

predictor leastconns

probe P-20389

retcode 100 500 check count

rserver etrustserver1 20389

inservice

rserver etrustserver2 20389

inservice

sticky ip-netmask 255.255.255.0 address source STICKY-2

timeout 720

replicate sticky

serverfarm etrust2sfarm

class-map match-any SNAT

description Source NAT connections to the VIPs

2 match access-list enat

class-map match-all etrust2vip

2 match virtual-address 10.24.70.176 tcp eq 20389

policy-map type loadbalance first-match etrust2lbpolicy

class class-default

sticky-serverfarm STICKY-2

policy-map multi-match vlan70-service

class etrust2vip

loadbalance vip inservice

loadbalance policy etrust2lbpolicy

loadbalance vip icmp-reply

policy-map multi-match vlan71-service

class SNAT

nat dynamic 2 vlan 70

interface vlan 70

description CLIENT-SIDE

ip address 10.24.70.183 255.255.255.0

alias 10.24.70.182 255.255.255.0

peer ip address 10.24.70.185 255.255.255.0

mac-sticky enable

access-group input allacl

access-group output allacl

nat-pool 2 10.24.70.200 10.24.70.200 netmask 255.255.255.255 pat

service-policy input vlan70-service

no shutdown

interface vlan 71

description RSERVER-SIDE

ip address 10.24.71.4 255.255.255.0

alias 10.24.71.5 255.255.255.0

peer ip address 10.24.71.6 255.255.255.0

mac-sticky enable

access-group input allacl

access-group output allacl

nat-pool 1 10.24.71.200 10.24.71.205 netmask 255.255.255.255 pat

service-policy input vlan71-service

no shutdown

Labels:
0 Helpful
1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

‎05-09-2008 12:27 PM

the natpool that you use must be one existing on the outgoing interface.

So, since the incoming and outgoing interface are in this case the rserver vlan, you need to use the vlan 71.

you also need to add your vip policy to the vlan 71 interface so that traffic from the rserver can hit the vip.

So you need

policy-map multi-match vlan71-service

class SNAT

nat dynamic 1 vlan 71

AND

interface vlan 71

service-policy input vlan70-service

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents