ACE source NAT for server initiated connections

Answered Question
Oct 10th, 2008


I have 1 VLAN (VLAN 10) with all my VIPs, and 4 VLANs (VLAN 11,12,13,14) with my real servers.

All my servers can start sessions, but I want them to be source-NATted to their VIP addresses.

I assume that I will get something like this:

access-list SNAT-acl line 8 extended permit ip any any

class-map SNAT-cm
  match access-list SNAT-acl

policy-map multi-match SNAT-1-pm
  class SNAT-cm
    nat dynamic 1 vlan 10

policy-map multi-match SNAT-2-pm
  class SNAT-cm
    nat dynamic 2 vlan 10

policy-map multi-match SNAT-3-pm
  class SNAT-cm
    nat dynamic 3 vlan 10

policy-map multi-match SNAT-4-pm
  class SNAT-cm
    nat dynamic 4 vlan 10

interface vlan 11
  description server-vlan
  service-policy input SNAT-1-pm

interface vlan 12
  description server-vlan
  service-policy input SNAT-2-pm

interface vlan 13
  description server-vlan
  service-policy input SNAT-3-pm

interface vlan 14
  description server-vlan
  service-policy input SNAT-4-pm

interface vlan 10
  description client-vlan
  nat pool 1 <VIP-1> netmask 255.255.255.255 pat
  nat pool 2 <VIP-2> netmask 255.255.255.255 pat
  nat pool 3 <VIP-3> netmask 255.255.255.255 pat
  nat pool 4 <VIP-4> netmask 255.255.255.255 pat

But this seems kind of not correct. I can't test this at the moment, so I don't know if this works or not.

Would this solution work?

Is this the best way of doing SNAT for server-initiated connections?

Is there a better way of doing SNAT for server-initiated connections?

Thanks in advance!

Correct Answer by Gilles Dufour about 8 years 1 week ago

That's the right way to do it.


Overall Rating: 5 (1 ratings)
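As an added example, not code from the thread or from Cisco: a small Python checker that parses an ACE config of the shape posted above and cross-references the pieces that have to line up for server-initiated SNAT to work. Each `class` inside a policy-map must name an existing class-map, each `nat dynamic <id> vlan <n>` must have a matching `nat pool <id>` defined on `interface vlan <n>`, and every server VLAN needs a `service-policy input`, otherwise those servers egress with their real source addresses. The sample config, its 192.0.2.x VIP addresses and the two planted faults are constructed for this example; the rule that a VLAN without NAT pools is a server VLAN is a heuristic of this script, not an ACE rule.

```python
"""Consistency checks for an ACE source-NAT config (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's config.  The 192.0.2.x VIPs are
# documentation addresses; two faults are planted on purpose: SNAT-3-pm points
# at pool 9 (never defined) and interface vlan 14 carries no service-policy.
SAMPLE_CONFIG = """\
access-list SNAT-acl line 8 extended permit ip any any

class-map SNAT-cm
  match access-list SNAT-acl

policy-map multi-match SNAT-1-pm
  class SNAT-cm
    nat dynamic 1 vlan 10

policy-map multi-match SNAT-3-pm
  class SNAT-cm
    nat dynamic 9 vlan 10

interface vlan 11
  description server-vlan
  service-policy input SNAT-1-pm

interface vlan 13
  description server-vlan
  service-policy input SNAT-3-pm

interface vlan 14
  description server-vlan

interface vlan 10
  description client-vlan
  nat pool 1 192.0.2.11 netmask 255.255.255.255 pat
  nat pool 3 192.0.2.13 netmask 255.255.255.255 pat
"""

@dataclass
class AceConfig:
    class_maps: set = field(default_factory=set)
    policies: dict = field(default_factory=dict)    # name -> [(class, pool id, vlan)]
    interfaces: dict = field(default_factory=dict)  # vlan -> {"service_policy", "pools"}

def parse_ace(text):
    """Parse the indentation-based ACE CLI layout into an AceConfig."""
    cfg, section, cur_class = AceConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level statement opens a new section
            cur_class = None
            if m := re.match(r"class-map (?:match-(?:all|any) )?(\S+)$", line):
                cfg.class_maps.add(m.group(1))
                section = None
            elif m := re.match(r"policy-map multi-match (\S+)$", line):
                cfg.policies[m.group(1)] = []
                section = ("policy", m.group(1))
            elif m := re.match(r"interface vlan (\d+)$", line):
                vlan = int(m.group(1))
                cfg.interfaces[vlan] = {"service_policy": None, "pools": set()}
                section = ("interface", vlan)
            else:
                section = None
        elif section and section[0] == "policy":
            if m := re.match(r"class (\S+)$", line):
                cur_class = m.group(1)
            elif m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line):
                cfg.policies[section[1]].append((cur_class, int(m.group(1)), int(m.group(2))))
        elif section and section[0] == "interface":
            if m := re.match(r"service-policy input (\S+)$", line):
                cfg.interfaces[section[1]]["service_policy"] = m.group(1)
            elif m := re.match(r"nat pool (\d+) ", line):
                cfg.interfaces[section[1]]["pools"].add(int(m.group(1)))
    return cfg

def check_snat(cfg):
    """Return a list of findings; an empty list means the SNAT wiring is consistent."""
    findings = []
    pool_vlans = {v for v, i in cfg.interfaces.items() if i["pools"]}  # the VIP side
    for pname, rules in cfg.policies.items():
        for cls, pool, vlan in rules:
            if cls not in cfg.class_maps:
                findings.append(f"{pname}: nat dynamic {pool} sits under class {cls}, which is not a configured class-map")
            if pool not in cfg.interfaces.get(vlan, {"pools": set()})["pools"]:
                findings.append(f"{pname}: nat dynamic {pool} vlan {vlan} has no nat pool {pool} on interface vlan {vlan}")
    for vlan, intf in sorted(cfg.interfaces.items()):
        sp = intf["service_policy"]
        if sp is None and vlan not in pool_vlans:  # heuristic: a VLAN without pools is a server VLAN
            findings.append(f"interface vlan {vlan}: no service-policy input, server-initiated traffic leaves with real source IPs")
        elif sp is not None and sp not in cfg.policies:
            findings.append(f"interface vlan {vlan}: service-policy {sp} is not a configured policy-map")
    return findings

if __name__ == "__main__":
    for finding in check_snat(parse_ace(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

To run it against a real device, replace SAMPLE_CONFIG with the text of `show running-config`; a clean configuration returns no findings. The script also catches the `class-map` versus `class` slip inside a policy-map, because a `nat dynamic` line that is not preceded by a recognised `class` statement is reported as sitting under no configured class-map.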