restricted source nat on ACE

Unanswered Question
Sep 11th, 2009

access-list oracle extended permit tcp host 10.7.40.124 host 10.7.40.245 eq 8060
access-list oracle extended permit tcp host 10.7.40.125 host 10.7.40.245 eq 8060

serverfarm host sfarm1_oracle_hostfile
  description DB servers to preeb.mfl.co.u.uk
  predictor leastconn
  failaction purge
  probe port-8060
  rserver zhc1nora5 8060
    inservice
  rserver zhc1nora6 8060
    inservice

class-map match-all sfarm1_oracle_hostfile_classmap
  description host file issue
  3 match access-list oracle_hostfile
  4 match virtual-address 10.7.40.245 tcp eq 8060

policy-map type loadbalance first-match sfarm1_oracle_hostfile_pol
  class class-default
    sticky-serverfarm ORACLE-DB-STICKY-GP

policy-map multi-match Oracle-hostfile
  class sfarm1_oracle_hostfile_classmap
    loadbalance vip inservice
    loadbalance policy sfarm1_oracle_hostfile_pol
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 740

sticky ip-netmask 255.255.255.255 address source ORACLE-DB-STICKY-GP
  timeout 60
  replicate sticky
  serverfarm sfarm1_oracle_hostfile

interface vlan 740
  description interface facing Servers
  bridge-group 2
  access-group input BPDU
  access-group input ALLOW_ALL
  nat-pool 1 10.7.40.246 10.7.40.254 netmask 255.255.255.0 pat
  service-policy input Oracle-hostfile

Above is the config.

I am looking to allow some servers to hit a VIP on the same VLAN. I have enabled source NAT and used an access-list to match the conditions. I tried connecting to the port via telnet 10.7.40.245 8060 and it connected, with the output below:

service-policy: Oracle-hostfile
  class: sfarm1_oracle_hostfile_classmap
    nat:
      nat dynamic 1 vlan 740
      curr conns           : 0    , hit count        : 9
      dropped conns        : 0
      client pkt count     : 45   , client byte count: 1930
      server pkt count     : 45   , server byte count: 4192
      conn-rate-limit      : 0    , drop-count       : 0
      bandwidth-rate-limit : 0    , drop-count       : 0
    loadbalance:
      L7 loadbalance policy: sfarm1_oracle_hostfile_pol
      VIP Route Metric     : 77
      VIP Route Advertise  : DISABLED
      VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
      VIP State: INSERVICE
      curr conns           : 0    , hit count        : 13
      dropped conns        : 4
      client pkt count     : 49   , client byte count: 2122
      server pkt count     : 45   , server byte count: 4192
      conn-rate-limit      : 0    , drop-count       : 0
      bandwidth-rate-limit : 0    , drop-count       : 0

But I can connect from any system in the subnet 10.7.40.x. The class map has a match-all statement. Does match-all mean both conditions, or any?

If I want to achieve the above, what is the best option?

Gilles Dufour Fri, 09/11/2009 - 06:06

Usually, you put the src IP match statement in a class-map and use the class-map under the policy.

i.e.:

class-map type http loadbalance match-any SERVERS
  2 match source-address 192.168.30.27 255.255.255.255
  3 match source-address 192.168.30.48 255.255.255.255

Then

policy-map type loadbalance first-match sfarm1_oracle_hostfile_pol
  class SERVERS
    sticky-serverfarm ORACLE-DB-STICKY-GP
    nat dynamic 1 vlan 740
  class class-default
    sticky-serverfarm ORACLE-DB-STICKY-GP

Gilles.

followurself Fri, 09/11/2009 - 06:53

In the same class-map

class-map type http loadbalance match-any SERVERS

how can I add the VIP address?

Both conditions should match: traffic coming from a specific source address to a specific VIP address. If both conditions match, then apply the policy.

followurself Tue, 09/15/2009 - 07:25

Any suggestions?

Also, is it possible to get static NAT instead of dynamic NAT?

Thanks

Gilles Dufour Tue, 09/15/2009 - 07:29

You need to use separate class-maps.

One to catch the VIP traffic, used in the multi-match policy, and another class-map as described in my previous post to catch traffic from the servers, used in the type loadbalance policy.

G.
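To make the match-all question from the original post and the two-class-map layout from Gilles' replies concrete, here is a small Python model of how ACE class-maps and policy-maps classify a flow. This is an added example, not ACE code, not ACE output and not anything the posters ran: it implements the documented keyword semantics (match-all: every criterion must match; match-any: at least one; first-match policy: the first matching class wins) on constructed flows. The ACL entries and the VIP come from the thread; the SERVERS class uses the thread's two DB servers in place of Gilles' 192.168.30.x examples, and the name of the L4 VIP class-map (`vip`) is an assumption.

```python
"""Model of ACE class-map / policy-map classification for the thread's scenario.

Added example, not ACE code or output. Implements the documented semantics:
  match-all   -> every match criterion must be true
  match-any   -> at least one criterion must be true
  first-match -> the first class in the policy that matches wins
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


Criterion = Callable[[Flow], bool]


def match_access_list(permits: List[tuple]) -> Criterion:
    """'match access-list': permit entries as (proto, src_host, dst_host, dport)."""
    return lambda f: any(p == f.proto and s == f.src and d == f.dst and port == f.dport
                         for p, s, d, port in permits)


def match_virtual_address(vip: str, proto: str, port: int) -> Criterion:
    """'match virtual-address <vip> <proto> eq <port>'."""
    return lambda f: f.dst == vip and f.proto == proto and f.dport == port


def match_source_address(addr: str, mask: str) -> Criterion:
    """'match source-address <addr> <mask>' (mask 255.255.255.255 = one host)."""
    net = ip_network(f"{addr}/{mask}", strict=False)
    return lambda f: ip_address(f.src) in net


@dataclass
class ClassMap:
    name: str
    mode: str                       # "match-all" or "match-any"
    criteria: List[Criterion]

    def matches(self, f: Flow) -> bool:
        if self.name == "class-default":    # class-default always matches
            return True
        hits = [c(f) for c in self.criteria]
        return all(hits) if self.mode == "match-all" else any(hits)


@dataclass
class PolicyClass:
    cmap: ClassMap
    serverfarm: str
    nat: bool = False               # True if 'nat dynamic 1 vlan 740' sits in this class


# Values from the thread: ACL 'oracle' and VIP 10.7.40.245:8060
ORACLE_ACL = [("tcp", "10.7.40.124", "10.7.40.245", 8060),
              ("tcp", "10.7.40.125", "10.7.40.245", 8060)]
VIP = match_virtual_address("10.7.40.245", "tcp", 8060)

# The original poster's single class-map, as posted (match-all)
OP_CLASSMAP = ClassMap("sfarm1_oracle_hostfile_classmap", "match-all",
                       [match_access_list(ORACLE_ACL), VIP])

# Gilles' layout: an L4 class-map catches the VIP in the multi-match policy,
# and the L7 first-match policy applies NAT only to the SERVERS class.
VIP_CLASSMAP = ClassMap("vip", "match-all", [VIP])          # name is an assumption
SERVERS = ClassMap("SERVERS", "match-any",
                   [match_source_address("10.7.40.124", "255.255.255.255"),
                    match_source_address("10.7.40.125", "255.255.255.255")])
L7_POLICY = [PolicyClass(SERVERS, "ORACLE-DB-STICKY-GP", nat=True),
             PolicyClass(ClassMap("class-default", "match-any", []), "ORACLE-DB-STICKY-GP")]


def classmap_result(cmap: ClassMap, f: Flow) -> Dict[str, bool]:
    """Evaluate one class-map under both keywords, to show how they differ."""
    return {mode: ClassMap(cmap.name, mode, cmap.criteria).matches(f)
            for mode in ("match-all", "match-any")}


def classify(f: Flow) -> Optional[Dict[str, object]]:
    """VIP class must match first; then the L7 first-match policy picks a class."""
    if not VIP_CLASSMAP.matches(f):
        return None                 # not VIP traffic: the policy does not apply
    for pc in L7_POLICY:            # first-match: first matching class wins
        if pc.cmap.matches(f):
            return {"class": pc.cmap.name, "serverfarm": pc.serverfarm, "nat": pc.nat}
    return None


if __name__ == "__main__":
    # Constructed flows: a listed DB server, an unlisted host, and the wrong port
    for flow in (Flow("10.7.40.124", "10.7.40.245", 8060),
                 Flow("10.7.40.50", "10.7.40.245", 8060),
                 Flow("10.7.40.124", "10.7.40.245", 80)):
        print(flow, classmap_result(OP_CLASSMAP, flow), classify(flow))
```

Running it shows the difference the original poster asked about: for an unlisted host such as 10.7.40.50 the posted class-map is true under match-any (the virtual-address criterion alone satisfies it) but false under match-all, while in the two-class-map layout that host is still load balanced by class-default and only the two listed servers pick up the NAT.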

helenokeeffe Thu, 09/17/2009 - 07:11

Agreed, I'm also of the opinion that you need a class and a policy for loadbalancing and a class and policy for NAT. Both policies receive the incoming traffic, then perform their separate operations on it and meet up afterwards.

In its simplest form...

NAT:

class-map match-any NAT_Class
  2 match access-list NAT_ACL

policy-map multi-match NAT_Policy
  class NAT_Class
    nat dynamic 1 vlan 123

LB:

policy-map type loadbalance first-match L7_Policy
  class class-default
    sticky ServerfarmX

policy-map multi-match LB_Policy
  class VIP_Class
    loadbalance vip inservice
    loadbalance policy L7_Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

In NAT_ACL you will specify your conditions as desired.

Cheers,

Claire
