Converting from CSS11501 to ACE 4710 appliance - Need help

Unanswered Question
Sep 9th, 2009

I am trying to replicate this environment (see attached) on our new ACE appliances, but it doesn't like what the css-conversion tool had me do, and the only way I can make it work is with transparent mode, no NAT, and the default route being set on my servers to the ACE. This is not a good solution since these servers are accessed by user subnets directly in some cases. What I tried....

(this works, says service is operational)

probe tcp p80_PROBE
  interval 15
  passdetect interval 5
  port 80

rserver host web-s1
  inservice
  ip address 192.168.1.2
rserver host web-s2
  inservice
  ip address 192.168.1.3

serverfarm host web
  probe p80_PROBE
  rserver web-s1 80
    inservice
  rserver web-s2 80
    inservice

class-map match-all web_CLASS
  match virtual-address 192.168.100.66 tcp eq 80

policy-map type loadbalance first-match web_POLICY
  class class-default
    serverfarm web

policy-map multi-match POLICY
  class web_CLASS
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy web_POLICY
    nat dynamic 10 vlan 100

interface vlan 100
  nat-pool 10 192.168.100.66 netmask 255.255.255.0 pat
  service-policy input POLICY

I have also put ACLs allowing everything on all interfaces but that doesn't change anything.

Serverfarm details shows failures and no connections when I try to access from my browser.

Am I messing up how I do NAT? What else may be the issue?

JeramyKoval Thu, 09/10/2009 - 07:13

Is that an edited config from your ACE? I just don't see an IP address for the interface. You will want the ACL as well or the ACE will deny the connections.

katieraezer Thu, 09/10/2009 - 09:06

Yes, it is edited. I assigned an IP address and also added an access-group in and out that permits any any.
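
A small lint for the points raised in this thread, as an added example (not code from the posters or from Cisco): it checks that every `interface vlan` stanza has an `ip address` and an `access-group input`, and that each `nat dynamic` refers to a `nat-pool` defined on the VLAN it names. The sample config is constructed from the posted fragment; routed mode and two-space indentation are assumptions.

```python
import re

# Constructed sample in the shape of the thread's posted config (two-space
# indentation assumed, as in `show running-config` output).
POSTED = """\
policy-map multi-match POLICY
  class web_CLASS
    loadbalance vip inservice
    nat dynamic 10 vlan 100
interface vlan 100
  nat-pool 10 192.168.100.66 netmask 255.255.255.0 pat
  service-policy input POLICY
"""

def parse_interfaces(config):
    """Map each 'interface vlan N' stanza to its list of sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"interface vlan (\d+)", line)
        if header and not raw[0].isspace():
            current = interfaces.setdefault(header.group(1), [])
        elif raw[0].isspace() and current is not None:
            current.append(line)
        else:
            current = None  # any other top-level command closes the stanza
    return interfaces

def lint(config):
    """Return findings for the checks raised in the thread (routed mode assumed)."""
    findings = []
    interfaces = parse_interfaces(config)
    for vlan, cmds in interfaces.items():
        if not any(c.startswith("ip address ") for c in cmds):
            findings.append(f"vlan {vlan}: no ip address")
        if not any(c.startswith("access-group input ") for c in cmds):
            findings.append(f"vlan {vlan}: no access-group input")
    # 'nat dynamic <id> vlan <v>' must point at a nat-pool <id> on interface vlan <v>
    for pool, vlan in re.findall(r"^\s+nat dynamic (\d+) vlan (\d+)", config, re.M):
        if not any(c.startswith(f"nat-pool {pool} ") for c in interfaces.get(vlan, [])):
            findings.append(f"nat dynamic {pool}: no nat-pool {pool} on vlan {vlan}")
    return findings

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```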
