Destination NAT ACE

Sep 3rd, 2009

Can someone provide some information on how you would set up 2 servers to proxy out as the VIP address?

On the CSS I know you can accomplish this through the use of a group rule.


Ex:


group Outbound_Proxy
  vip address 192.168.1.x
  add service web1
  add service web2
  active


What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration; however, I am not too sure how to set that up.


Can someone please provide some advice?


Thank you in advance!

JeramyKoval Fri, 09/04/2009 - 09:15

I have not tried this but I thought it was worth mentioning.


Create a nat pool on your interface with the same address as the VIP. Then assign the virtual server to that NAT pool.

jason.espino Fri, 09/04/2009 - 21:27

Well, I tried something similar by specifying the source IP addresses I wish to DNAT out as the VIP and bound them to a policy-map. However, the configuration I implemented does not work as I thought it would.


class-map match-any DNS-NAT-Servers
  2 match source-address 192.168.100.158 255.255.255.255
  3 match source-address 192.168.100.157 255.255.255.255

policy-map multi-match NAT-POLICY
  class DNS-NAT-Servers
    nat dynamic 2 vlan 695

interface vlan 91
  description Inside
  ip address 192.168.100.1 255.255.255.0
  access-group input 100
  access-group output 101
  service-policy input icmp_inspect
  service-policy input NAT-POLICY
  no shutdown

interface vlan 695
  description Outside
  ip address 172.16.5.26 255.255.255.0
  access-group input 101
  access-group output 100
  nat-pool 2 192.168.100.163 192.168.100.163 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPS
  service-policy input icmp_inspect
  no shutdown


I wish for the 192.168.100.157 and 192.168.100.158 server addresses to DNAT out as the 192.168.100.163 VIP address.


Any thoughts?

Gilles Dufour Mon, 09/07/2009 - 00:34

Your config should work.

Did you check with a 'show service-policy detail' if you have any hit on your NAT policy?

Also do a 'show conn' and see if there are any connections from the servers and if they are NATed.

How do you know it does not work?

Did you take a sniffer trace?


Gilles.

jason.espino Mon, 09/07/2009 - 13:34

Thank you for your response Gilles! Glad to know that my configuration should work.


The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I initiate a connection to the .163 VIP, where it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.


Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 91
  service-policy: NAT-POLICY
    class: DNS-NAT-Servers
      nat:
        nat dynamic 2 vlan 695
        curr conns : 0 , hit count : 0
        dropped conns : 0
        client pkt count : 0 , client byte count: 0
        server pkt count : 0 , server byte count: 0
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0


This is the reason I have not yet performed a packet capture.

I notice the connection establishes just fine and the ACE forwards/balances my connection to the correct destination server. However, looking at the me-stats for the connection ID, I noticed it is not dynamically NAT'ing the response out.


ACE-12539-187036/spam# sho conn | i 64.39.0.40
150536 1 in  TCP 695 64.39.0.40:56412   192.168.100.163:53 ESTAB
34566  1 out TCP 91  192.168.100.157:53 64.39.0.40:56412   ESTAB



Connection ID:seq: 34566[0x8706].5
Other ConnID : 150536[0x24c08].10
Proxy ConnID : 0[0x0].0
Next Q : 0[0x0]

192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 0
Interface Match : Yes
Interface MatchID: 13
EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
MSS : 1380 TOS Stamp : 0
Repeat mode : No ARP Lookup : No
TOS Stamp : No TCP Window Check: No
ACE ID : 12898 NAT Policy ID : 0
Post NAT hop : 0
Packet Count : 1 Byte Count : 44
TCP Information: (State = 3)
Window size : 16384 Window scale : 0
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 5b40000 Last seq : 79e90c16
timestamp_delta: 0 Last ack : 1
No Trigger : 0 Trigger Status : 0
Timestamp : 6279495f
TCP options negotiated:
Sack:Clear TS:Clear Windowscale: Clear
Reserved: Allow Exceed MSS: Deny Window var: Allow


Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply to only outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can set up dynamic NAT for a specific serverfarm. Do you think I should try that instead?


Thank you in advance!


- Jason

Correct Answer
Gilles Dufour Tue, 09/08/2009 - 02:27

Jason,


you do not have to take care of the response traffic with ACE.

It is done automatically.

The config you have in place is for connections initiated by the server.


Gilles.
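To make the distinction in Gilles' answer checkable from the 'show conn' output Jason posted, here is an added example (not code from the thread or from Cisco) that parses 'show conn' flow lines, pairs each 'in' leg with the following 'out' leg, and reports whether a flow is a load-balanced VIP connection (no NAT expected on the response) or a server-initiated connection that the nat-pool should have translated. The sample output is constructed: the first pair copies the flow in the thread, while the 198.51.100.7 destination, the port numbers and the assumption that the 'out' leg is printed in the reverse direction (as in Jason's two lines) are mine.

```python
import re
from typing import Dict, Optional

# Constructed sample of ACE 'show conn' output (not verbatim from the thread):
# pair 1 mirrors the load-balanced flow Jason posted, pair 2 is an assumed
# server-initiated query translated to the VIP by nat-pool 2, pair 3 is an
# assumed server-initiated flow that was NOT translated.
SAMPLE_SHOW_CONN = """\
150536 1 in  TCP 695 64.39.0.40:56412      192.168.100.163:53    ESTAB
34566  1 out TCP 91  192.168.100.157:53    64.39.0.40:56412      ESTAB
200010 1 in  TCP 91  192.168.100.157:40001 198.51.100.7:53       ESTAB
200011 1 out TCP 695 198.51.100.7:53       192.168.100.163:1025  ESTAB
300010 1 in  TCP 91  192.168.100.158:40002 198.51.100.7:53       ESTAB
300011 1 out TCP 695 198.51.100.7:53       192.168.100.158:40002 ESTAB
"""

VIP = "192.168.100.163"                            # VIP and nat-pool 2 address from the thread
NAT_POOL = {"192.168.100.163"}
SERVERS = {"192.168.100.157", "192.168.100.158"}   # addresses matched by class DNS-NAT-Servers

LOAD_BALANCED = "load-balanced: response is un-NATed by the ACE automatically"
NAT_OK = "server-initiated: source translated to nat-pool address"
NAT_MISSING = "server-initiated: NAT policy did not apply"

# columns: conn-id, np, direction, proto, vlan, src:port, dst:port, state
LINE_RE = re.compile(
    r"^(\d+)\s+\d+\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def parse_conn(line: str) -> Optional[Dict]:
    """Parse one 'show conn' flow line into a dict; prompts and headers give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"id": int(m[1]), "dir": m[2], "proto": m[3], "vlan": int(m[4]),
            "src": m[5], "dst": m[7], "state": m[9]}

def classify(show_conn: str) -> Dict[int, str]:
    """Pair each 'in' leg with the next 'out' leg and judge whether NAT was expected and applied."""
    legs = [c for c in map(parse_conn, show_conn.splitlines()) if c]
    verdicts: Dict[int, str] = {}
    for first, second in zip(legs, legs[1:]):
        if first["dir"] != "in" or second["dir"] != "out":
            continue                                # only consider in/out pairs
        out_addrs = {second["src"], second["dst"]}
        if first["dst"] == VIP:                     # client -> VIP: the LB policy, not NAT-POLICY, owns this flow
            verdicts[first["id"]] = LOAD_BALANCED
        elif first["src"] in SERVERS:               # server -> outside: this is what 'nat dynamic 2' is for
            verdicts[first["id"]] = NAT_OK if out_addrs & NAT_POOL else NAT_MISSING
    return verdicts
```

A flow reported as NAT_MISSING is the one to chase with 'show service-policy NAT-POLICY detail' hit counts; a LOAD_BALANCED flow with "DynNAT: No" in its me-stats is expected.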

jason.espino Wed, 09/09/2009 - 17:32

Thank you Gilles for clarifying that and verifying my configuration is correct!


Issue resolved.


- Jason Espino
