Internet Traffic Through ACE

Answered Question
Nov 19th, 2008

I'm having trouble getting to the internet on the servers in my server VLAN. The SLB is working correctly, the servers can get DNS queries and access other things within our internal network, but I cannot get out to the internet. Do I need to set up some kind of inspection to pass normal internet traffic for those servers, or how do I make that work? Thanks


Overall Rating: 5 (1 ratings)
Syed Iftekhar Ahmed Wed, 11/19/2008 - 12:23

You simply need to allow server-originated traffic through the ACE and perform NAT on this traffic before it leaves your network.

Similarly, for return traffic you need to make sure that the upstream L3 device knows how to route return traffic back to the ACE for the server VLAN.

Syed Iftekhar Ahmed

thefindjack Wed, 11/19/2008 - 13:00

I'm pretty sure it's because I'm not NATing the traffic, but I can't figure out why my NAT won't work. Here is what I'm doing...

Client VLAN 181

Server VLAN 151

The servers are set up with the default route as the ACE's alias IP address on VLAN 151. The VIP is in VLAN 181, and the SLB works correctly. So I need to figure out how to NAT traffic originating from the server VLAN. This is what I was trying, but I couldn't get it working...

access-list NAT_ACL extended permit ip 192.168.151.0 255.255.255.0 any

class-map match-any NAT_CLASS
  2 match access-list NAT_ACL

policy-map multi-match NAT
  class NAT_CLASS
    nat dynamic 1 vlan 181

int vlan 151
  ip address 192.168.151.176 255.255.255.0
  alias 192.168.151.175 255.255.255.0
  peer ip address 192.168.151.177 255.255.255.0
  no shutdown

int vlan 181
  ip address 192.168.181.5 255.255.255.0
  alias 192.168.181.4 255.255.255.0
  peer ip address 192.168.181.6 255.255.255.0
  nat-pool 1 192.168.181.150 192.168.181.200 netmask 255.255.255.0
  service-policy input NAT

Correct Answer
Syed Iftekhar Ahmed Wed, 11/19/2008 - 14:21

You need to apply

service-policy input NAT

under the server VLAN (vlan 151), not the client-side VLAN.

int vlan 151
  ip address 192.168.151.176 255.255.255.0
  alias 192.168.151.175 255.255.255.0
  peer ip address 192.168.151.177 255.255.255.0
  service-policy input NAT
  no shutdown

int vlan 181
  ip address 192.168.181.5 255.255.255.0
  alias 192.168.181.4 255.255.255.0
  peer ip address 192.168.181.6 255.255.255.0
  nat-pool 1 192.168.181.150 192.168.181.200 netmask 255.255.255.0

Syed

thefindjack Thu, 11/20/2008 - 06:46

Thanks for your help! I got it working; you were right about applying that service-policy. I also had to add the NAT_ACL to VLAN 151 as "access-group input NAT_ACL".
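The fix in this thread comes down to where the ACE evaluates each piece of configuration: the access-group and the service-policy are consulted on the VLAN a packet enters (the server VLAN 151 here), while the nat-pool belongs to the VLAN the packet leaves through (VLAN 181). The following is an added Python model of that ordering, written to illustrate the thread; it is not ACE code or output. The VLAN numbers, ACL, class-map, policy-map and addresses are the ones posted above; the AceModel class, its forward() method and the two scenario builders are assumptions made here, and the "route everything else toward VLAN 181" rule stands in for the default route described in the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# VLANs and subnets as posted in the thread.
SERVER_VLAN, CLIENT_VLAN = 151, 181
CONNECTED = {SERVER_VLAN: ip_network("192.168.151.0/24"),
             CLIENT_VLAN: ip_network("192.168.181.0/24")}


@dataclass
class Vlan:
    """One ACE VLAN interface: what it checks on ingress, which NAT pools it owns."""
    number: int
    access_group: Optional[str] = None       # ACL bound with 'access-group input'
    service_policy: Optional[str] = None     # policy bound with 'service-policy input'
    nat_pools: dict = field(default_factory=dict)  # pool id -> (first, last) address


@dataclass
class AceModel:
    """Hypothetical model (not ACE code) of ingress ACL -> ingress policy -> egress pool."""
    acls: dict         # ACL name -> permitted source networks
    class_maps: dict   # class-map name -> ACL it matches
    policy_maps: dict  # policy-map name -> (class name, pool id, vlan named in 'nat dynamic')
    vlans: dict        # vlan number -> Vlan

    def forward(self, src: str, dst: str) -> str:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        ingress = next(v for v, net in CONNECTED.items() if src_ip in net)
        # A destination in a connected subnet leaves on that VLAN; anything else follows
        # the default route toward the client-side VLAN (assumption matching the thread).
        egress = next((v for v, net in CONNECTED.items() if dst_ip in net), CLIENT_VLAN)
        vin = self.vlans[ingress]

        # 1. The ACE is default-deny: with no access-group on the ingress VLAN nothing passes,
        #    which is why the final post needed 'access-group input NAT_ACL' on vlan 151.
        if vin.access_group is None:
            return f"dropped: no access-group on vlan {ingress}"
        if not any(src_ip in net for net in self.acls[vin.access_group]):
            return f"dropped: denied by {vin.access_group}"

        # 2. Only the service-policy on the *ingress* VLAN is consulted for this flow;
        #    a NAT policy bound on vlan 181 never sees packets entering on vlan 151.
        if vin.service_policy is None:
            return f"forwarded unchanged out vlan {egress}"
        cls, pool_id, nat_vlan = self.policy_maps[vin.service_policy]
        if not any(src_ip in net for net in self.acls[self.class_maps[cls]]):
            return f"forwarded unchanged out vlan {egress}"

        # 3. The pool named by 'nat dynamic <id> vlan <n>' lives on the egress interface.
        pool = self.vlans[nat_vlan].nat_pools.get(pool_id)
        if pool is None or nat_vlan != egress:
            return f"dropped: nat pool {pool_id} not usable on vlan {egress}"
        first, _last = pool  # a real ACE picks any free pool address; use the first here
        return f"nat {src} -> {first} out vlan {egress}"


# Objects common to both scenarios, taken from the thread's configuration.
COMMON = dict(
    acls={"NAT_ACL": [ip_network("192.168.151.0/24")]},
    class_maps={"NAT_CLASS": "NAT_ACL"},
    policy_maps={"NAT": ("NAT_CLASS", 1, CLIENT_VLAN)},
)


def base_vlans() -> dict:
    return {
        SERVER_VLAN: Vlan(SERVER_VLAN),
        CLIENT_VLAN: Vlan(CLIENT_VLAN,
                          nat_pools={1: ("192.168.181.150", "192.168.181.200")}),
    }


def policy_on_client_vlan() -> AceModel:
    """Constructed variant: ACL on vlan 151 but 'service-policy input NAT' on vlan 181."""
    vlans = base_vlans()
    vlans[SERVER_VLAN].access_group = "NAT_ACL"
    vlans[CLIENT_VLAN].service_policy = "NAT"
    return AceModel(vlans=vlans, **COMMON)


def working() -> AceModel:
    """The thread's final state: access-group and service-policy both on vlan 151."""
    vlans = base_vlans()
    vlans[SERVER_VLAN].access_group = "NAT_ACL"
    vlans[SERVER_VLAN].service_policy = "NAT"
    return AceModel(vlans=vlans, **COMMON)


if __name__ == "__main__":
    # Constructed sample flow: a server on vlan 151 talking to a public address.
    for name, model in (("policy on vlan 181", policy_on_client_vlan()),
                        ("policy on vlan 151", working())):
        print(f"{name}: {model.forward('192.168.151.10', '203.0.113.5')}")
```

Running the script shows the two outcomes side by side: with the policy on VLAN 181 the server's packet leaves with its private 192.168.151.x source and never gets a reply; with the policy on VLAN 151 it leaves as 192.168.181.150, an address the upstream router can route back to the ACE. Removing the access-group from VLAN 151 in the model reproduces the ACE's default-deny drop that the last post had to fix.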
