Internet Traffic Through ACE

Answered Question
Nov 19th, 2008

I'm having trouble getting to the internet on the servers in my server VLAN. The SLB is working correctly, the servers can get DNS queries and access other things within our internal network, but I cannot get out to the internet. Do I need to set up some kind of inspection to pass normal internet traffic for those servers, or how do I make that work? Thanks

Correct Answer by Syed Iftekhar Ahmed about 8 years 8 months ago

You need to apply

service-policy input NAT

under the server VLAN (vlan 151), not the client-side VLAN.

int vlan 151
  ip address 192.168.151.176 255.255.255.0
  alias 192.168.151.175 255.255.255.0
  peer ip address 192.168.151.177 255.255.255.0
  service-policy input NAT
  no shutdown

int vlan 181
  ip address 192.168.181.5 255.255.255.0
  alias ip address 192.168.181.4 255.255.255.0
  peer ip address 192.168.181.6 255.255.255.0
  nat-pool 1 192.168.181.150 192.168.181.200 netmask 255.255.255.0

Syed

Syed Iftekhar Ahmed Wed, 11/19/2008 - 12:23

You simply need to allow server-originated traffic through the ACE and perform NAT on this traffic before it leaves your network.

Similarly, for return traffic you need to make sure that the upstream L3 device knows how to route return traffic back to the ACE for the server VLAN.

Syed Iftekhar Ahmed

thefindjack Wed, 11/19/2008 - 13:00

I'm pretty sure it's because I'm not NATing the traffic, but I can't figure out why my NAT won't work. Here is what I'm doing...

Client VLAN 181
Server VLAN 151

The servers are set up with the default route as the ACE's alias IP address on VLAN 151. The VIP is in VLAN 181, and the SLB works correctly. So I need to figure out how to NAT traffic originating from the SERVER VLAN. This is what I was trying, but I couldn't get it working...

access-list NAT_ACL extended permit ip 192.168.151.0 255.255.255.0 any

class-map match-any NAT_CLASS
  2 match access-list NAT_ACL

policy-map multi-match NAT
  class NAT_CLASS
    nat dynamic 1 vlan 181

int vlan 151
  ip address 192.168.151.176 255.255.255.0
  alias 192.168.151.175 255.255.255.0
  peer ip address 192.168.151.177 255.255.255.0
  no shutdown

int vlan 181
  ip address 192.168.181.5 255.255.255.0
  alias ip address 192.168.181.4 255.255.255.0
  peer ip address 192.168.181.6 255.255.255.0
  nat-pool 1 192.168.181.150 192.168.181.200 netmask 255.255.255.0
  service-policy input NAT


thefindjack Thu, 11/20/2008 - 06:46

Thanks for your help! I got it working, you were right about applying that service-policy. I also had to add the NAT_ACL to VLAN 151 as "access-group input NAT_ACL".
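An added check that is not part of this thread or of any Cisco tooling: a small Python lint that reads ACE-style config text and reports the two things the thread turned on, the input service-policy sitting on the client VLAN instead of the server VLAN where the source subnet actually enters the ACE, and the server VLAN having no access-group (ACE denies through-traffic on an interface without one). The parser covers only the commands used in the thread, and the two config samples are constructed from the posted config with its typos corrected.

```python
import ipaddress
import re

def parse_ace(text):
    # Minimal parser for the ACE commands in this thread (written for this example, not Cisco code).
    acls, classes, policies, vlans, cur = {}, {}, {}, {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) any", line):
            acls[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        elif m := re.match(r"(class-map match-any|policy-map multi-match|int(?:erface)? vlan) (\S+)", line):
            table = {"c": classes, "p": policies, "i": vlans}[m[1][0]]  # which section we are now inside
            cur, table[m[2]] = (table, m[2]), [] if table is not vlans else {}
        elif cur and cur[0] is not vlans and (m := re.match(r"(?:\d+ match access-list|class) (\S+)", line)):
            cur[0][cur[1]].append(m[1])  # class-map -> ACL names, policy-map -> class names
        elif cur and cur[0] is vlans and (m := re.match(r"ip address (\S+) (\S+)", line)):
            vlans[cur[1]]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur and cur[0] is vlans and (m := re.match(r"(service-policy|access-group) input (\S+)", line)):
            vlans[cur[1]][m[1]] = m[2]
    return acls, classes, policies, vlans

def audit_nat(text):
    acls, classes, policies, vlans = parse_ace(text)
    problems = []
    for pname, cls in policies.items():
        srcs = [acls[a] for c in cls for a in classes.get(c, [])]
        # Server-originated traffic enters the ACE on the VLAN carrying its source subnet, so an
        # input service-policy on any other VLAN (the client side here) never sees it.
        ingress = {v for v, d in vlans.items() if "net" in d and any(d["net"].overlaps(s) for s in srcs)}
        applied = {v for v, d in vlans.items() if d.get("service-policy") == pname}
        for v in sorted(applied ^ ingress):
            state = "is applied on" if v in applied else "is missing from"
            problems.append(f"{pname} {state} vlan {v}; matched sources enter on vlan {', '.join(sorted(ingress))}")
        for v in sorted(ingress):
            if "access-group" not in vlans[v]:  # ACE denies through-traffic on an interface with no access-group
                problems.append(f"vlan {v} has no 'access-group input', so the traffic is denied before NAT")
    return problems

# Constructed from the thread's config (typos fixed). AS_POSTED puts the policy on client VLAN 181 as first
# posted; AS_FIXED puts it, plus the access-group, on server VLAN 151 as the accepted answer and follow-up did.
COMMON = """access-list NAT_ACL extended permit ip 192.168.151.0 255.255.255.0 any
class-map match-any NAT_CLASS
  2 match access-list NAT_ACL
policy-map multi-match NAT
  class NAT_CLASS
    nat dynamic 1 vlan 181
interface vlan 181
  ip address 192.168.181.5 255.255.255.0
  nat-pool 1 192.168.181.150 192.168.181.200 netmask 255.255.255.0\n"""
AS_POSTED = COMMON + "  service-policy input NAT\ninterface vlan 151\n  ip address 192.168.151.176 255.255.255.0\n"
AS_FIXED = COMMON + "interface vlan 151\n  ip address 192.168.151.176 255.255.255.0\n  access-group input NAT_ACL\n  service-policy input NAT\n"
```

Running audit_nat over AS_POSTED reports three problems (policy on vlan 181, policy missing from vlan 151, no access-group on vlan 151); over AS_FIXED it reports none.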
