ACE in bridge mode with FWSM as gateway

Unanswered Question
Apr 22nd, 2009

Our design:

FWSM -- vlan 7 -- ACE -- vlan 8 -- servers, with default gateway on the FWSM

Originally there were no plans for the servers to use load-balanced traffic when communicating with each other. Now there is a need for this.

Since ACE is in bridge mode, there are no IP addresses configured on the VLANs on it, and it can't do source NAT.

What we want: servers in serverfarm A contact a single IP which is load balanced, and the traffic is sent to serverfarm B. Both serverfarms reside in VLAN 8 and ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on ACE with an IP address in VLAN 8 and then do a source NAT to send the traffic to serverfarm 7.

With the FWSM as the default gateway, enabling permit intra-interface traffic doesn't work, because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.

e.g. static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra-interface traffic.

So when a machine 10.7.8.11 pings 10.7.0.1, it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.

With ACE in bridge mode and the FWSM doing the above, how do we get around this? Can something be done on ACE in bridge mode with source NAT?

Thanks

Gilles Dufour Wed, 04/22/2009 - 23:50

First, why don't you have an IP in your ACE VLAN?

Then, for traffic hitting a VIP, we can do source NATing even in bridge mode.

But if the VIP is not an IP in VLAN 8, your server will anyway send the traffic to the FWSM, and ACE will first bridge the request.

The FWSM should then send the request back to ACE (not sure how this can be done).

So the request from the server will actually hit the VIP on VLAN 7 (not VLAN 8).

So your policy-map with client NAT must be on VLAN 7.

Another option would be to configure a static route on the server to point the VIP to the ACE VLAN 8 IP address (which you should have configured).

In this case, the policy-map will have to be on VLAN 8 with client NAT.

Gilles.
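The second option above (servers carry a static route for the VIP pointing at the ACE BVI address, policy-map and client NAT on VLAN 8), written out as an added illustration in ACE bridge-mode syntax; this is not configuration from the thread or from Gilles, and the BVI address 10.7.8.2, the serverfarm B members 10.7.8.21/.22, the NAT pool address 10.7.8.200 and the FWSM address 10.7.8.1 are assumed values. The NAT pool address sits inside the VLAN 8 subnet so that replies from serverfarm B are bridged straight back to ACE instead of going to the FWSM.

```cisco
! Added example, not from the thread. Assumed addressing: bridge subnet
! 10.7.8.0/24, BVI 10.7.8.2, FWSM 10.7.8.1, VIP 10.7.0.1 (from the
! question), serverfarm B members 10.7.8.21-22, client-NAT pool 10.7.8.200.
access-list ALL line 10 extended permit ip any any

rserver host SRV-B1
  ip address 10.7.8.21
  inservice
rserver host SRV-B2
  ip address 10.7.8.22
  inservice
serverfarm host SF-B
  rserver SRV-B1
    inservice
  rserver SRV-B2
    inservice

! VIP that serverfarm A hosts will call; it is outside the VLAN 8 subnet,
! so each server needs a host route for 10.7.0.1 via 10.7.8.2 (the BVI).
class-map match-all VIP-B
  2 match virtual-address 10.7.0.1 any
policy-map type loadbalance first-match LB-B
  class class-default
    serverfarm SF-B
policy-map multi-match SERVERS-IN
  class VIP-B
    loadbalance vip inservice
    loadbalance policy LB-B
    ! client NAT: source becomes 10.7.8.200, so SF-B replies return to ACE
    nat dynamic 1 vlan 8

interface vlan 7
  bridge-group 1
  access-group input ALL
  no shutdown
interface vlan 8
  bridge-group 1
  access-group input ALL
  nat-pool 1 10.7.8.200 10.7.8.200 netmask 255.255.255.255 pat
  service-policy input SERVERS-IN
  no shutdown
interface bvi 1
  ip address 10.7.8.2 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.7.8.1
```

With the FWSM still the servers' default gateway, only traffic to the VIP takes the ACE path; everything else keeps being bridged through to the firewall as before.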

followurself Thu, 04/23/2009 - 02:32

Thanks Gilles.

That's exactly what I am trying now, to get NAT working in bridge mode. I am looking to use a nested class-map, with an access-list to restrict access and other match commands for the VIP.

How do I use static NAT in bridge mode? In bridge mode the VLANs don't have an IP address, and while creating the policy map and defining NAT, the command requires a VLAN interface.

Also, a context can be run in both routed and bridge mode. So can I have, say:

    interface vlan 7
      bridge-group 1
    interface vlan 8
      bridge-group 1
    interface bvi 1
      ip address 10.1.10.1 255.255.255.0

and also have:

    interface vlan 9
      ip address 10.1.10.2 255.255.255.0

Can the BVI and VLAN 9 be in the same subnet?

Thanks
