ACE: Significance of mask in nat-pools configured for Source NAT

Jun 25th, 2008

Hi guys

I am using source NAT in ACE, with one IP address (10.10.10.200) used for all client address translations.

What would be the difference between nat-pools configured with different netmasks?

What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case), and why?

case1:

interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
  service-policy input clientvips
  no shutdown

case2:

interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
  service-policy input clientvips
  no shutdown

Thanks in Advance

A.

Gilles Dufour Wed, 06/25/2008 - 21:50

I always use a netmask matching the subnet.

But actually it can be whatever you want.

The netmask is not being used.

Gilles.

AnthonyGZ Wed, 06/25/2008 - 23:02

Gilles

Thanks a lot. It makes more sense now.

I posted another question for an ACE design validation. Could you please validate this?

I am planning to deploy the ACE module in the following manner:

> ACE will be in one arm mode ( Only one vlan connected to the ACE).

> Vips & Rservers (all serverfarms) will be in the same Vlan X.

> Default gateway on the ACE & Real servers will be the upstream router

> There will be Source NAT configured for all Serverfarms.

ACE --- Vlan X -------Router--- internet
                 |
                 |-- Sfarm 1
                 |
                 |-- Sfarm 2
                 |
                 |-- Sfarm n

I am pretty sure that it should work.

Just wanted an expert opinion.

Thanks

g-hopkinson Fri, 09/19/2008 - 08:58

Hi,

The netmasks are both correct for the pools; however, if the mask was 255.255.255.252, the address would fall on the network portion, so the only valid addresses would be 201 and 202. Gilles might correct me for the ACE.

Gary

Gilles Dufour Mon, 09/22/2008 - 00:22

Gary is correct.

The netmask is actually used (it wasn't before but it is now) to determine what addresses in the pool should not be used (broadcast addresses).

G.
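
Added example (not part of the original thread and not Cisco code): a Python model of the rule described in the last two replies, showing which addresses in a nat-pool range remain usable for a given netmask. The function name is hypothetical, and two points are assumptions: that both the network and broadcast address of each subnet are skipped, and that /31 and /32 masks exclude nothing.

```python
import ipaddress


def usable_pool_addresses(start, end, netmask):
    """Split a nat-pool range into (usable, skipped) address lists.

    Assumption: an address is skipped when, under `netmask`, it is the
    network or broadcast address of its own subnet. Masks of /31 and /32
    have no such addresses, so nothing is skipped for them (assumption
    that matches case2 in the thread being a working config).
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end is lower than pool start")

    # Convert the dotted mask to a prefix length; a non-contiguous mask
    # such as 255.0.255.0 raises ValueError here.
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen

    usable, skipped = [], []
    for value in range(int(first), int(last) + 1):
        addr = ipaddress.IPv4Address(value)
        # Subnet this address belongs to under the pool's netmask.
        net = ipaddress.IPv4Network((addr, prefix), strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if prefix < 31 and addr in reserved:
            skipped.append(str(addr))
        else:
            usable.append(str(addr))
    return usable, skipped


if __name__ == "__main__":
    # case1 and case2 from the thread, then constructed /30 inputs.
    cases = [
        ("10.10.10.200", "10.10.10.200", "255.255.255.0"),
        ("10.10.10.200", "10.10.10.200", "255.255.255.255"),
        ("10.10.10.200", "10.10.10.200", "255.255.255.252"),
        ("10.10.10.200", "10.10.10.203", "255.255.255.252"),
    ]
    for start, end, mask in cases:
        usable, skipped = usable_pool_addresses(start, end, mask)
        print(f"{start}-{end} mask {mask}: usable={usable} skipped={skipped}")
```

Under this model a single-address PAT pool on 10.10.10.200 with a 255.255.255.252 mask has no usable address, which is a quick check to run against a pool definition before applying it.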
