- How can one configure the ACE to translate a public address to a
I have configured a test context (cf. annexe
running-config_test_context.txt) following the instructions given in
Configuring Network Address Translation
Configuring Static NAT and Static Port Redirection
(By the way it seems to me that there are some mistakes in this
document: the syntax for netmasks used in the examples does not work
on my ACE and the DNAT example at the end mentions incoherent IP
addresses 10.0.0.0 vs 172.27.16.100).
When testing the public address, the connection is immediately
terminated (RST packet, 0002 in the capture):
123.456.17.10# telnet 123.456.251.180 443
telnet: Unable to connect to remote host: Connection refused
A capture shows that the ACE drops the packets (cf. annexe
The NAT configuration half works: there is a hit but the connection is
ACE/test_context# show service-policy test_nat_policy detail
Status : ACTIVE
Interface: vlan 300
nat static 123.456.251.180 443 vlan 251
curr conns : 0 , hit count : 1
dropped conns : 1
client pkt count : 1 , client byte count: 48
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
and no NAT translation is recorded:
ACE/test_context# show xlate
Strangely the access-list is not active:
ACE/test_context# show access-list test_nat_acl
access-list:test_nat_acl, elements: 1, status: NOT-ACTIVE
access-list test_nat_acl line 10 extended permit tcp host 10.13.1.180 eq htt
but the NAT config is:
ACE/test_context# show nat-fabric policies
NAT object ID:38 mapped_if:24 policy_id:62 type:STATIC static_xlate_id:6
ID:63 Static port translation
Real addr:10.13.1.180 Real port:443 Real interface:22
Mapped addr:123.456.251.180 Mapped port:443 Mapped interface:24
- What is wrong or missing in this configuration?
I also tried configuring "Static NAT Overwrite", but for some reason
it considers it as a duplicate address with the VIP:
ACE/test_context(config)# static vlan 251 vlan 300 123.456.251.180 10.13.1.180 netmask 255.255.255.255
Error: Specified ip address duplicates with an existing ip address configured in the context!
Thanks in advance for your help,
ACE does translation from VIP to rserver.
You cannot NAT from a VIP to another address.
So, in order to do what you want, you need the public address to be routed to the ACE itself.
This can be achieved with a static route.
On the ACE itself, simply create a class-map with a virtual address matching the public IP OR the private IP.
ACE will then do the NATing properly between public or private to rserver and vice versa automatically.
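
A configuration sketch of the approach described in the reply above, added here as an illustration; it is not part of either post and is not taken from the poster's running-config. It assumes vlan 251 is the client-facing interface (as in the `nat static ... vlan 251` line of the question), that the upstream router already has a static route for the public address pointing at the ACE, and that all object names (PUBLIC_IN, RS_TEST, SF_TEST, VIP_PUBLIC_443, LB_TEST, CLIENT_VIPS) are hypothetical. Lines beginning with `!` are annotations, not commands.

```text
! Added example. 123.456.251.180 is the thread's anonymized public
! address; substitute the real one. All object names are hypothetical.

! Permit only the published service on the client-facing VLAN.
access-list PUBLIC_IN line 10 extended permit tcp any host 123.456.251.180 eq 443

! The real server behind the public address.
rserver host RS_TEST
  ip address 10.13.1.180
  inservice

serverfarm host SF_TEST
  rserver RS_TEST 443
    inservice

! The public address is declared as a virtual address (VIP),
! replacing the separate "nat static" policy from the question.
class-map match-all VIP_PUBLIC_443
  2 match virtual-address 123.456.251.180 tcp eq 443

policy-map type loadbalance first-match LB_TEST
  class class-default
    serverfarm SF_TEST

policy-map multi-match CLIENT_VIPS
  class VIP_PUBLIC_443
    loadbalance vip inservice
    loadbalance policy LB_TEST

! Assumption: vlan 251 faces the clients.
interface vlan 251
  access-group input PUBLIC_IN
  service-policy input CLIENT_VIPS
  no shutdown
```

With the public address defined as a VIP, the ACE rewrites the destination to the rserver address on the way in and restores it on the return path, so no separate static NAT entry for the same address is needed.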