ACE4710 Client source IP NAT


I'm going to be replacing a CSS with a 4710 ACE. The CSS is one-armed, with the VIPS using a addressing. The CSS used the "group" config to NAT each client's source IP address with that of the VIP, when forwarding the packet to the server. The CCO NAT examples don't explicitly specify how I would do this. Could someone please help out?


Syed Iftekhar Ahmed Thu, 07/24/2008 - 12:12

I have written this example. Hopefully it will help you understand. Remember that only the latest code on ACE allows you to use the VIP as the NATted address.

rserver host app1-srvr1
  ip address

rserver host app1-srvr2
  ip address

serverfarm host app1-sf
  predictor leastconns
  probe TCP80
  rserver app1-srvr1
  rserver app1-srvr2

class-map match-all app1-classmap
  2 match virtual-address tcp eq 80

policy-map type loadbalance first-match app1-policy
  class class-default
    serverfarm app1-sf
    nat dynamic 1000 vlan 10 serverfarm primary

policy-map multi-match VIPS
  class app1-classmap
    loadbalance vip inservice
    loadbalance policy app1-policy
    loadbalance vip icmp-reply active

interface vlan 10
  ip address
  peer ip address
  access-group input ANYONE
  nat-pool 1000 netmask pat
  service-policy input VIPS
  no shutdown

Syed Iftekhar Ahmed

g-georgiou Thu, 09/18/2008 - 06:17

Hi Syed,

With this config it means that you do not need the PBR or source NAT on the upstream router (e.g. MSFC), right?


Syed Iftekhar Ahmed Thu, 09/18/2008 - 08:36

This example is with SRC NAT. The

nat dynamic 1000 vlan 10 serverfarm primary

command translates the client's source address to the address in the NAT pool.


g-georgiou Fri, 09/19/2008 - 04:12

Thanks, Syed, for your prompt answer. So PBR or source NAT is not required. If the ACE is within the serverfarm VLAN (L2 one-arm, see attachment), how does this affect the solution? Servers must have an ARP entry for the VIP since ACE and servers will be L2 adjacent. Is SSL termination supported with this config?


Syed Iftekhar Ahmed Fri, 09/19/2008 - 04:49

The slide you have attached is discussing DSR (Direct Server Return) topology. With DSR the client requests are forwarded to the servers through ACE, and the responses from the servers bypass ACE to get maximum throughput.

DSR is only valid for Layer 4 traffic. You cannot load balance Layer 7 traffic using this.

DSR is not recommended and cannot be used for L7 load balanced connections, and it requires special configuration on the servers (the VIP must be configured as a loopback or secondary address).

Using the same diagram, if you introduce PBR/SRC NAT on ACE then it will become the typical one-arm mode; you can load balance all types of traffic (L4/L7) and you don't need any special config on the servers.

Syed Iftekhar Ahmed

g-georgiou Fri, 09/19/2008 - 04:52

OK, but it will need to be on a different network than the serverfarm. In my case, a new zone on the firewall.


Syed Iftekhar Ahmed Fri, 09/19/2008 - 05:09

It doesn't need to be on a different VLAN.

You can have ACE and rservers on the same VLAN, with the rservers and ACE using the firewall as the default gateway.

The traffic destined to the VIP will be forwarded to ACE by the firewall. ACE will select the server using the configured LB predictor and will source NAT the request before sending it to the selected server.

The server response will be destined to the NATted IP (configured on ACE in the NAT pool).

ACE will change the destination address to the client's source address and will hand the server response over to the firewall.

Syed Iftekhar Ahmed
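The request and reply path Syed describes, as an added Python model that is not ACE code and not from this thread. It assumes constructed addresses for the VIP, the nat-pool address and the two rservers, and contrasts the same request with and without "nat dynamic" to show why the reply only returns through ACE when the client source was translated.

```python
from dataclasses import dataclass
from itertools import cycle
# Addresses are constructed for this example; the post omits its real ones.
VIP = "10.0.1.100"                     # match virtual-address ... tcp eq 80
NAT_ADDR = "10.0.1.200"                # nat-pool 1000 address on vlan 10 (pat)
SERVERS = ["10.0.1.11", "10.0.1.12"]   # app1-srvr1, app1-srvr2 on the same vlan

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class OneArmAce:
    """Tiny model of the VIP + 'nat dynamic' behaviour; not ACE code."""
    def __init__(self, src_nat):
        self.src_nat = src_nat
        self.predictor = cycle(SERVERS)   # stands in for 'predictor leastconns'
        self.xlate = {}                   # (pat_port, server) -> (client, client_port)
        self.port = 1024                  # PAT port allocator for NAT_ADDR

    def to_server(self, pkt):
        """Client -> VIP: choose a server and, with SNAT, rewrite the source."""
        assert (pkt.dst, pkt.dport) == (VIP, 80), "not a VIP hit"
        server = next(self.predictor)
        if not self.src_nat:
            return Pkt(pkt.src, pkt.sport, server, 80)   # server sees the real client
        self.port += 1
        self.xlate[(self.port, server)] = (pkt.src, pkt.sport)
        return Pkt(NAT_ADDR, self.port, server, 80)

    def to_client(self, pkt):
        """Server -> NAT address: undo the translation; client sees the VIP answer."""
        client, cport = self.xlate.pop((pkt.dport, pkt.src))
        return Pkt(VIP, 80, client, cport)

def server_reply(req):
    return Pkt(req.dst, 80, req.src, req.sport)   # rserver answers whoever it saw

def trace(src_nat, client="198.51.100.7", cport=51000):
    """Return (source the rserver logged, reply path, packet the client receives)."""
    ace = OneArmAce(src_nat)
    req = ace.to_server(Pkt(client, cport, VIP, 80))
    reply = server_reply(req)
    if reply.dst == NAT_ADDR:             # only a nat-pool address belongs to ACE
        return req.src, "via ACE", ace.to_client(reply)
    # Without SNAT the reply goes to the client via the gateway and never hits ACE.
    return req.src, "bypasses ACE", reply
```

Note that with source NAT the rserver's own logs record NAT_ADDR rather than the client, so client attribution has to be kept on the ACE or the firewall, where the untranslated source is still visible.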

g-georgiou Fri, 09/19/2008 - 05:19

OK, I got this straight this time. In the L2 one-arm, the ACE is like in bridge mode (hence the L2 one-arm), thus the servers need the VIP as a loopback.

Thanks for your help. You are great!!!


