ACE: Server Source NAT is not working

Answered Question
Dec 12th, 2008

I have 1 ACE appliance which is running in routed mode. There are 2 VLANs, which are the client VLAN and the server VLAN. My VIP subnet is the same as the server VLAN subnet. I would like to source NAT each farm of servers' originated traffic to their own VIP. I have tested pinging from a server on the server VLAN to a PC on the client VLAN, but "show xlate" didn't show NATing, and a packet capture at the client VLAN's PC also showed that the source IP from the server is not NATed. I have configured it as follows but it is not working; can any expert help me look at my config to see whether I missed something:

Thanks

rajesh.perumalla Sun, 12/14/2008 - 20:37

Hi,

I checked the config and did not see any vlan 22 defined in the ACE (I can see 100 and 220 only):

policy-map multi-match NAT-POLICY
  class NAT-EXCHANGE
    nat dynamic 1 vlan 22
  class NAT-SMS
    nat dynamic 2 vlan 22
  class NAT-PROXY
    nat dynamic 3 vlan 22

---------------------------------

Sample config, this might be helpful:

class-map match-all SNAT
  2 match source-address 2.2.2.10 255.255.255.0

policy-map multi-match L4
  class HTTP-SFARM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    loadbalance vip icmp-reply
  class SNAT
    nat dynamic 100 vlan 31

interface vlan 31
  ip address 2.2.2.1 255.255.255.0
  mac-sticky enable
  access-group input 1
  nat-pool 100 1.1.1.1 1.1.1.1 netmask 255.255.255.255 pat
  service-policy input L4
  no shutdown

pingwarrior Sun, 12/14/2008 - 22:40

Hi Rajesh,

Sorry for the typo; actually the NAT-POLICY is pointing to vlan 220:

class NAT-EXCHANGE
  nat dynamic 1 vlan 220
class NAT-SMS
  nat dynamic 2 vlan 220
class NAT-PROXY
  nat dynamic 3 vlan 220

Thanks for your sample. According to the line you gave in the sample, **2 match source-address 2.2.2.10 255.255.255.0**, yours is with netmask 255.255.255.0 and mine is with 255.255.255.255. Is your matching criteria matching the whole 2.2.2.0/24 segment to be NATed?

By the way, should the NAT policy be put on the interface facing the server VLAN, while the nat-pool should be put on the VLAN that the traffic is NATed to the nat-pool IP and goes out on?

Thanks

Correct Answer
Gilles Dufour Mon, 12/15/2008 - 02:23

To answer your latest questions.

Yes, the service-policy must be configured on the interface facing the server (inbound interface) and the nat-pool must be configured on the outbound interface.

Also note that we do not NAT bridged traffic.

I don't think 'show xlate' will show any entries when PAT is configured.

You should check with 'show service-policy' whether you have any hits on your class-map NAT-POLICY.

Also, do a 'clear conn' before your test or use telnet instead of ping.

All your ICMP traffic from one source to one destination will fall under the same flow.

If the flow was created before the NAT policy, there will be no NATing until the flow times out, which can take a long time for ICMP.

Gilles.
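As an added illustration of the placement described in the answer above (this is not config from the thread or from Cisco documentation), the following fragment puts the pieces where Gilles says they belong: the class-map matches the server's source address, the service-policy carrying the nat dynamic action is applied inbound on the server-facing VLAN, and the nat-pool it references is defined on the client-facing (outbound) VLAN. VLAN numbers follow the thread (220 server side, 100 client side); the IP addresses, pool ID 1, the ACL name PERMIT-ALL and the single-server match are placeholders assumed for illustration.

```text
! Added example, not from the original thread. Addresses are placeholders.

! ACE routed mode drops traffic on an interface with no ACL, so permit it explicitly.
access-list PERMIT-ALL line 8 extended permit ip any any

! Match the server whose originated traffic must be source-NATed (host mask).
class-map match-all NAT-EXCHANGE
  2 match source-address 198.51.100.10 255.255.255.255

! The NAT action names the pool ID and the VLAN the pool is defined on (outbound side).
policy-map multi-match NAT-POLICY
  class NAT-EXCHANGE
    nat dynamic 1 vlan 100

! Client-facing VLAN: outbound interface, owns the nat-pool referenced above.
interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  access-group input PERMIT-ALL
  nat-pool 1 192.0.2.51 192.0.2.51 netmask 255.255.255.255 pat
  no shutdown

! Server-facing VLAN: inbound interface, where the NAT service-policy is applied.
interface vlan 220
  ip address 198.51.100.1 255.255.255.0
  access-group input PERMIT-ALL
  service-policy input NAT-POLICY
  no shutdown

! Verification, in the order the answer suggests:
!   clear conn                              (drop flows created before the policy existed)
!   show service-policy NAT-POLICY detail   (hit count on class NAT-EXCHANGE should increase)
!   show conn                               (inspect the translated flow after a TCP test)
```

Test with a TCP connection (for example telnet from the server to a client-side host) rather than ping, since all ICMP between one source and one destination shares a single flow; a flow that existed before the policy was applied keeps its untranslated state until it times out, so `clear conn` first.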

pingwarrior Mon, 12/15/2008 - 05:39

Hi Gdufour,

Thanks for your detailed explanation. Greatly appreciated. Tomorrow I will go and troubleshoot the problem again and hope I can solve it. Let's hope mine with multiple nat-pools runs smoothly too.

I will update here once I solve the problem.

pingwarrior Tue, 12/16/2008 - 19:56

I have tested and the PAT finally works. However, there is an issue. The PAT will do the NAT whether the traffic is server-initiated or server return traffic, and this caused a problem because the client received return traffic with a port different from its initiated flow. Luckily my environment allows me to not do the PAT for server-initiated traffic as well.

Thanks to everyone that has helped on this issue.

Gilles Dufour Fri, 12/19/2008 - 00:45

It is not possible that we NAT the server traffic if it is not initiated by the server.

The only reason you see NATing is because the client went to the VIP, which was NATed to the server IP, and when the response comes back we do the reverse NATing.

PAT is not involved in this process.

The ports being used should be the ones used by the client when opening the connection with the VIP.

Gilles.

pingwarrior Fri, 12/19/2008 - 01:11

Hi Gdufour,

Thanks for your explanation. Really appreciate your kindness.

jasmina27s Tue, 01/20/2009 - 06:31

Hi,

When you say:

"I don't think the show xlate will show any entries when pat is configured."

Is this some kind of bug, as I haven't found something like this mentioned in the ACE documentation?

Regards,

Jasmina

Gilles Dufour Tue, 01/20/2009 - 08:42

As far as I know this is the intended behavior.

Haven't verified however if this is true.

G.
