ACE: as firewall and NAT. inbound and outbound originals

Dec 24th, 2008

Hi Team,

This time no load balancing is required.

Two servers inside (with private IPs) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.

Both of our servers will work independently for this purpose.

I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as a firewall/router. No plan to load balance at present.

Regards to all


Gilles Dufour (Cisco Employee) Wed, 12/24/2008 - 06:49

ACE will route by default if the traffic is permitted with an access-group.

So, there is nothing much to do if you just need basic routing.

TCP normalization is on by default, so you get the TCP protection.

You can then add per protocol inspection if needed.


s.srivas Wed, 12/24/2008 - 07:56

Thanks G,

The internal servers use private IP addresses, hence we need to do NAT on the ACE (previously it was done by FWSM).

The traffic originates from internal and also from internet.

NAT in both directions is needed.

Static Destination NAT for EACH server can be used if originating in Internet.

What NAT to use for the same serverS if they originate traffic towards internet?



s.srivas Wed, 12/31/2008 - 11:03


Inbound traffic and the related reply traffic can be handled with a normal class-map by defining a VIP with a public IP.

The above real server with a private IP is now going to make a different connection to the internet, i.e., outbound traffic and related reply traffic need handling (no load balancing planned).

Destination NAT, Static NAT sounds interesting.

Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.


