1654 Views, 23 Helpful, 9 Replies

ACE4710 Client source IP NAT

mmertens (Level 1)

I'm going to be replacing a CSS with a 4710 ACE. The CSS is one-armed, with the VIPs using 192.168.50.0 addressing. The CSS used the "group" config to NAT each client's source IP address with that of the VIP when forwarding the packet to the server. The CCO NAT examples don't explicitly specify how I would do this. Could someone please help out?

THANKS!

9 Replies

I have written this example. Hopefully it will help you understand. Remember that only the latest ACE code allows you to use the VIP as the NATed address.

! Real servers behind the VIP
rserver host app1-srvr1
  ip address 10.10.10.22
  inservice
rserver host app1-srvr2
  ip address 10.10.10.17
  inservice

serverfarm host app1-sf
  predictor leastconns
  probe TCP80
  rserver app1-srvr1
    inservice
  rserver app1-srvr2
    inservice

! Traffic to the VIP on TCP/80
class-map match-all app1-classmap
  2 match virtual-address 10.10.10.100 tcp eq 80

! Layer 7 LB policy: pick a server and source-NAT the client using pool 1000 on VLAN 10
policy-map type loadbalance first-match app1-policy
  class class-default
    serverfarm app1-sf
    nat dynamic 1000 vlan 10 serverfarm primary

policy-map multi-match VIPS
  class app1-classmap
    loadbalance vip inservice
    loadbalance policy app1-policy
    loadbalance vip icmp-reply active

! One-arm interface; NAT pool 1000 is the VIP itself, so "pat" is required to share the single address
interface vlan 10
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  access-group input ANYONE
  nat-pool 1000 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
  service-policy input VIPS
  no shutdown

Syed Iftekhar Ahmed

Syed,

Thanks!!!! I think this does what I'm looking for; in effect, the "group" command on the CSS.

Hi Syed,

With this config it means that you do not need the PBR or source NAT on the upstream router (e.g. MSFC), right?

./G

This example is with SRC NAT. The

nat dynamic 1000 vlan 10 serverfarm primary

command translates the client's source address to the address in the NAT pool.

Syed

Thanks Syed for your prompt answer. So PBR or Src NAT is not required. If the ACE is within the serverfarm VLAN (L2 one arm - see attachment), how does this affect the solution? Servers must have an ARP entry for the VIP since ACE and servers will be L2 adjacent. Is SSL termination supported with this config?

./G

The slide you have attached is discussing DSR (Direct Server Return) topology. With DSR the client requests are forwarded to the servers through ACE and the response from the servers bypasses ACE to get maximum throughput.

DSR is only valid for Layer 4 traffic. You cannot load balance Layer 7 traffic using this.

DSR is not recommended and cannot be used for L7 load-balanced connections, and it requires special configuration (the VIP must be configured as a loopback or secondary address) on the servers.

Using the same diagram, if you introduce PBR/SRC NAT on ACE then it will become typical one-arm mode; you can load balance all types of traffic, L4/L7, and you don't need any special config on the servers.

Syed Iftekhar Ahmed

Ok, but it will need to be on a different network than the serverfarm. In my case a new zone on the firewall.

./G

It doesn't need to be on a different VLAN.

You can have ACE and rservers on the same VLAN, with the rservers and ACE using the firewall as the default gateway.

The traffic destined to the VIP will be forwarded to ACE by the firewall. ACE will select the server using the configured LB predictor and will source NAT the request before sending it to the selected server.

The server response will be destined to the NATed IP (configured on ACE in the NAT pool).

ACE will change the destination address to the client's source address and will hand the server response over to the firewall.

Syed Iftekhar Ahmed
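The two ACE posts above (the config with "nat dynamic 1000 vlan 10 serverfarm primary" plus "nat-pool 1000 ... pat", and the description of how the server reply comes back to the NAT address instead of the client's default gateway) describe one translation flow. The block below is an added model of that flow in Python, written for this page and not Cisco or ACE code: it reuses the thread's VIP 10.10.10.100 and rservers 10.10.10.22 / 10.10.10.17, implements a leastconns-style pick, and shows why the one-arm design needs no PBR: every packet the server sends is addressed to the VIP, which the ACE owns. Client addresses, ports and the PAT port range are constructed assumptions.

```python
"""Model of one-arm ACE source NAT with PAT to the VIP (added example, not ACE code).

Forward direction: client -> VIP is rewritten to (VIP, PAT port) -> rserver:80.
Reverse direction: rserver -> (VIP, PAT port) is rewritten to VIP:80 -> client.
The rserver only ever talks to the VIP, so its default gateway never matters.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Addresses from the thread's config; PAT range is an assumption for the model.
VIP = "10.10.10.100"
VIP_PORT = 80
RSERVERS = ("10.10.10.22", "10.10.10.17")
PAT_PORTS = range(1024, 65536)

class OneArmSnat:
    """Flow table for 'nat dynamic' + 'nat-pool <vip> <vip> pat' on a single VLAN."""

    def __init__(self, vip: str = VIP, vip_port: int = VIP_PORT,
                 rservers: Tuple[str, ...] = RSERVERS) -> None:
        self.vip, self.vip_port = vip, vip_port
        self.nat_ip = vip                       # pool is the VIP itself, hence PAT
        self.conns = {rs: 0 for rs in rservers}  # for predictor leastconns
        self._ports = iter(PAT_PORTS)
        self.fwd: Dict[Tuple[str, int], Tuple[int, str]] = {}  # client 2-tuple -> (pat port, rserver)
        self.rev: Dict[int, Tuple[str, int]] = {}              # pat port -> client 2-tuple

    def _pick_rserver(self) -> str:
        # leastconns: fewest active connections, first listed wins ties
        return min(self.conns, key=lambda rs: (self.conns[rs], list(self.conns).index(rs)))

    def client_to_server(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a client packet that hits the VIP; None if it is not VIP traffic."""
        if (pkt.dst_ip, pkt.dst_port) != (self.vip, self.vip_port):
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.fwd:
            rs = self._pick_rserver()
            self.conns[rs] += 1
            pat_port = next(self._ports)       # unique port: one NAT IP shared by all clients
            self.fwd[key] = (pat_port, rs)
            self.rev[pat_port] = key
        pat_port, rs = self.fwd[key]
        # SNAT client -> VIP (PAT) and DNAT VIP -> selected real server
        return Packet(self.nat_ip, pat_port, rs, self.vip_port)

    def server_to_client(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation for a server reply addressed to the NAT IP."""
        if pkt.dst_ip != self.nat_ip or pkt.dst_port not in self.rev:
            return None                        # not a flow we own
        client_ip, client_port = self.rev[pkt.dst_port]
        # Source becomes the VIP again so the client sees one consistent peer
        return Packet(self.vip, self.vip_port, client_ip, client_port)

def demo() -> Tuple[Packet, Packet, Packet, Optional[Packet]]:
    """Two clients that happen to use the same source port, plus one reply."""
    ace = OneArmSnat()
    c1 = ace.client_to_server(Packet("172.16.0.5", 40000, VIP, 80))   # constructed client
    c2 = ace.client_to_server(Packet("172.16.0.6", 40000, VIP, 80))   # same src port, PAT keeps them apart
    reply = ace.server_to_client(Packet(c1.dst_ip, 80, c1.src_ip, c1.src_port))
    stray = ace.server_to_client(Packet("10.10.10.22", 80, VIP, 9999))  # no flow: dropped
    return c1, c2, reply, stray

if __name__ == "__main__":
    for p in demo():
        print(p)
```

Note the side effect a practitioner should plan for: because the real server only ever sees the VIP as the source, its own access logs lose the client address, so any client-IP logging or rate limiting has to happen on the ACE or be carried to the server some other way.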

OK, I got this straight this time. In the L2 one-arm the ACE is like in bridge mode (so the L2 one-arm), thus the servers need the VIP as a loopback.

Thanks for your help. You are great!!!

./G
