02-09-2009 04:53 AM
Hi
I am trying to configure the ACE to NAT both IP and port based on the source IP and destination port.
For example, all traffic from an internal IP going to any destination on port 26 should be NATed to an external IP, and the port 26 changed to 25.
At the moment when I am trying to configure
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 25 vlan 99
I get the error back:
Error: Invalid real port configured for NAT static
Any ideas anyone? I can paste the config if required.
02-09-2009 05:02 AM
Hi,
The whole configuration might be useful if you are doing other things. For the case you cite you should do the NAT to the external IP address without worrying about the port and set the destination port on the rserver statements in the serverfarm definition.
serverfarm host whatever
rserver myserver1 25
inservice
rserver myserver2 25
inservice
HTH
Cathy
02-09-2009 06:07 AM
Hi
I have attached the relevant part of the config.
"policy-map multi-match Policy_Port26_Static" is where the static NAT with port redirection should go.
The problem is that some of our servers need to initiate outbound connections to a group of external mail servers that will only accept a connection from a certain IP. Hence the idea to intercept all the outbound traffic to the port 26 (we chose the port), NAT it to a particular Global IP and redirect the destination port from 26 to 25.
02-09-2009 06:50 AM
Hmm.
Under the policy-map multi-match Policy_Port26_Static, class Class_Port26, there should be loadbalance vip statements using policy-map Mail as well as a nat dynamic statement to do the NAT.
loadbalance vip inservice
loadbalance policy Mail
loadbalance vip icmp-reply
nat dynamic x vlan 99
The trouble with partial configurations is that it is difficult to know what if anything is missing or just redacted.
Does that help?
Cathy
02-09-2009 07:55 AM
The missing configuration is this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 25 vlan 99
I get the error back:
Error: Invalid real port configured for NAT static
This is why it is not in the config I have pasted.
It is not load balancing that I am trying to achieve, it is actually outbound NAT with port redirection.
Something like this:
only I cannot make it work.
02-09-2009 11:49 PM
The manual uses a different syntax for static nat:
The following DNAT static port redirection example specifies the nat static command as an action for a static NAT policy map:
host1/C1(config)# policy-map multi-action NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)# nat static 192.168.12.0 255.255.255.0 80 vlan 101
Cathy
02-10-2009 03:07 AM
I have noticed that. I believe the manual is actually for the ACE module, not for the appliance. However I would think that it should work just as well.
This is the config I am trying to achieve, in a nutshell:
access-list Mail_Out line 10 extended permit tcp host 172.x.x.x any eq 26
class-map match-any Class_Port26
2 match access-list Mail_Out
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 25 vlan EXTERNAL
int vlan INTERNAL
service-policy input Policy_Port26_Static
When I put the "nat static x.x.x.x etc" under class Class_Port26 in the policy map it comes back with that error I described before:
Error: Invalid real port configured for NAT static
WHY??? :)
02-10-2009 03:27 AM
When typing the "nat static" command, what options do you have (using ?) at each stage?
02-10-2009 03:45 AM
I am not sure I understand the question.
Is this what you mean?
ACE-2/TEST(config-pmap)# class Class_Port26
ACE-2/TEST(config-pmap-c)# nat static ?
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x ?
netmask Configure mapped netmask for translation
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 ?
<1-65535> Specify port number
tcp Tcp protocol
udp Udp protocol
vlan VLAN interface
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp ?
eq Specify tcp port number
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq ?
<0-65535> Mapped port
ftp File Transfer Protocol (21)
http Hyper Text Transfer Protocol (80)
https HTTP over TLS/SSL (443)
irc Internet Relay Chat (194)
matip-a Matip Type A (350)
nntp Network News Transport Protocol (119)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
rtsp Real Time Stream control Protocol (554)
smtp Simple Mail Transfer Protocol (25)
telnet Telnet (23)
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp ?
vlan VLAN interface
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan ?
<2-4094> VLAN number
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
Error: Invalid real port configured for NAT static
ACE-2/TEST(config-pmap-c)#
**VLAN 99 is the external VLAN facing the Internet
02-10-2009 04:00 AM
The example in the ACE manual (which should be good for the 4710) is:
Static Port Redirection (DNAT) Configuration Example
The following DNAT configuration example shows those sections of the running configuration related to the commands necessary to configure static port redirection on your ACE. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingressing the ACE on VLAN 101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.
access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
class-map match-any NAT_CLASS
match access-list acl1
policy-map multi-match NAT_POLICY
class NAT_CLASS
nat static 192.0.0.0 255.0.0.0 80 vlan 101
interface vlan 100
mtu 1500
ip address 192.168.1.100 255.255.255.0
service-policy input NAT_POLICY
no shutdown
interface vlan 101
mtu 1500
ip address 172.27.16.100 255.255.255.0
no shutdown
which does differ in the ACL definition etc. If this doesn't work then I'm baffled.
Cathy
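As an added illustration (not part of this thread or of Cisco's documentation) of the manual example quoted above, this Python model applies the documented mapping in both directions: the ACL describes the real-side flow (10.0.0.0/8, source port 8080) and nat static supplies the mapped side (192.0.0.0/8, port 80, VLAN 101). The host-bits-preserving, bidirectional translation and the ingress-VLAN check are assumptions drawn from the manual's wording, not verified ACE behaviour.

```python
import ipaddress

# Constructed model of the manual's DNAT static port-redirection example.
# Assumption: the ACL in the example describes the real (server-side) flow,
# while "nat static" gives the mapped network/port seen on the client VLAN.
ACL_REAL_NET = ipaddress.ip_network("10.0.0.0/8")   # permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
ACL_REAL_PORT = 8080
MAPPED_NET = ipaddress.ip_network("192.0.0.0/8")    # nat static 192.0.0.0 255.0.0.0 80 vlan 101
MAPPED_PORT = 80
MAPPED_VLAN = 101


def acl_matches(src_ip, src_port):
    """access-list acl1: match on the real source address and real source port."""
    return ipaddress.ip_address(src_ip) in ACL_REAL_NET and src_port == ACL_REAL_PORT


def _translate_host(ip, from_net, to_net):
    """Swap the network prefix and keep the host bits (assumed whole-prefix mapping)."""
    offset = int(ipaddress.ip_address(ip)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def inbound(dst_ip, dst_port, ingress_vlan):
    """Client packet ingressing on VLAN 101 towards a mapped address on port 80.
    Returns (real_dst_ip, real_dst_port), or None when no translation applies."""
    ip = ipaddress.ip_address(dst_ip)
    if ingress_vlan != MAPPED_VLAN or ip not in MAPPED_NET or dst_port != MAPPED_PORT:
        return None
    return _translate_host(dst_ip, MAPPED_NET, ACL_REAL_NET), ACL_REAL_PORT


def outbound(src_ip, src_port):
    """Server reply from the real side: reverse the mapping only for ACL-matched flows."""
    if not acl_matches(src_ip, src_port):
        return None
    return _translate_host(src_ip, ACL_REAL_NET, MAPPED_NET), MAPPED_PORT


if __name__ == "__main__":
    print(inbound("192.168.1.5", 80, 101))   # ('10.168.1.5', 8080)
    print(outbound("10.168.1.5", 8080))      # ('192.168.1.5', 80)
```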
02-10-2009 04:21 AM
This ACL specifies traffic from 10.0.0.0 255.0.0.0 with the source port of 8080
permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
I am trying to redirect the destination port
permit tcp host x.x.x.x any eq 26
I am going mad here :)
02-10-2009 04:47 AM
I must admit - the example you mentioned confuses me. Could you explain how it works please?