09-15-2009 05:21 AM
Hello,
- How can one configure the ACE to translate a public address to a
private VIP?
I have configured a test context (cf. annex
running-config_test_context.txt) following the instructions given in
Configuring Network Address Translation
Configuring Static NAT and Static Port Redirection
(By the way it seems to me that there are some mistakes in this
document: the syntax for netmasks used in the examples does not work
on my ACE and the DNAT example at the end mentions incoherent IP
addresses 10.0.0.0 vs 172.27.16.100).
When testing the public address, the connection is immediately
terminated (RST packet, 0002 in the capture):
123.456.17.10# telnet 123.456.251.180 443
Trying 123.456.251.180...
telnet: Unable to connect to remote host: Connection refused
A capture shows that the ACE drops the packets (cf. annex
capture_detail.txt).
The NAT configuration half works: there is a hit but the connection is
dropped
ACE/test_context# show service-policy test_nat_policy detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 300
service-policy: test_nat_policy
class: test_nat_class
nat:
nat static 123.456.251.180 443 vlan 251
curr conns : 0 , hit count : 1
dropped conns : 1
client pkt count : 1 , client byte count: 48
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
and no NAT translation is recorded:
ACE/test_context# show xlate
ACE/test_context#
Strangely the access-list is not active:
ACE/test_context# show access-list test_nat_acl
access-list:test_nat_acl, elements: 1, status: NOT-ACTIVE
remark :
access-list test_nat_acl line 10 extended permit tcp host 10.13.1.180 eq https any
but the NAT config is:
ACE/test_context# show nat-fabric policies
Nat objects:
NAT object ID:38 mapped_if:24 policy_id:62 type:STATIC static_xlate_id:63
ID:63 Static port translation
Real addr:10.13.1.180 Real port:443 Real interface:22
Mapped addr:123.456.251.180 Mapped port:443 Mapped interface:24
Netmask:255.255.255.255
- What is wrong or missing in this configuration?
I also tried configuring "Static NAT Overwrite", but for some reason
it considers it as a duplicate address with the VIP:
ACE/test_context(config)# static vlan 251 vlan 300 123.456.251.180 10.13.1.180 netmask 255.255.255.255
Error: Specified ip address duplicates with an existing ip address configured in the context!
Thanks in advance for your help,
Dominique
09-15-2009 07:33 AM
ACE does translation from VIP to rserver.
you can not nat from a VIP to another address.
So, in order to do what you want, you need the public address to be routed to the ACE itself.
This can be achieved with static route.
On the ace itself, simply create a class-map with a virtual address matching the public ip OR the private ip.
ACE will then do the NATing properly between public or private to rserver and vice versa automatically.
Gilles.
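As an added illustration by the editor (not taken from either poster's attachment, which is not reproduced on this page), here is what Gilles's suggestion looks like as an ACE context fragment: a single L3/L4 class-map matches both the public and the private VIP, the load-balancing policy sends both to the same serverfarm, and "loadbalance vip advertise active" injects the /32 host route only while the VIP has at least one active rserver. No NAT statement is needed because the ACE itself rewrites the destination from the VIP to the rserver. Addresses are the ones the thread shows: 123.456.x.x is the original post's obfuscated public prefix (it is not a valid IPv4 address, substitute your own), the rserver 10.13.2.181 is taken from the capture, and vlan 300 is the client-side interface from the question. The object names, the interface address 10.14.2.2/24 and the ACL contents are assumptions.

```text
! Real server seen in Dominique's capture (assumed name)
rserver host srv1
  ip address 10.13.2.181
  inservice

serverfarm host sf_https
  rserver srv1 443
  inservice

! One class-map matches both VIPs; the ACE translates VIP -> rserver itself,
! so no "nat static" is required for the public address.
class-map match-any vip_https
  2 match virtual-address 123.456.251.180 tcp eq 443
  3 match virtual-address 10.13.1.180 tcp eq 443

policy-map type loadbalance first-match lb_https
  class class-default
    serverfarm sf_https

policy-map multi-match client_vips
  class vip_https
    loadbalance vip inservice
    loadbalance policy lb_https
    loadbalance vip icmp-reply active
    ! Advertise the /32 host route toward the ACE only while an rserver
    ! is up, so a dead VIP does not keep attracting traffic.
    loadbalance vip advertise active

! The ACE denies all traffic on an interface until an ACL permits it.
! Only the VIP port is opened to clients; management of the real servers
! is reachable from the private side only (assumed ACL, assumed name).
access-list clients_in line 10 extended permit tcp any host 123.456.251.180 eq https
access-list clients_in line 20 extended permit tcp any host 10.13.1.180 eq https

interface vlan 300
  ip address 10.14.2.2 255.255.255.0
  access-group input clients_in
  service-policy input client_vips
  no shutdown
```

Two checks worth doing after applying this: "show service-policy client_vips detail" should show hits with no dropped conns for both VIPs, and "show access-list clients_in" should report the ACL as ACTIVE. An ACE ACL reports NOT-ACTIVE, as in the question's output, until it is bound to an interface with access-group, which is why traffic can be dropped even though the NAT object exists. The advertised host route is what produces a route like the O E2 entry Dominique found on the router, without any static route being configured by hand.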
09-15-2009 05:34 AM
Hi,
What are you trying to do?
Can't you just configure the public IP as the VIP address on the ACEs?
Why do you want to do NAT of the VIP address?
Clients should hit the VIP and be load balanced to a serverfarm, I don't see the interest of using NAT for the VIP address.
If you want to use a private IP as VIP, you should do a static NAT of a public IP to a private IP on your FW or router in front of the ACE.
Please clarify what you are trying to do and why you are trying to do that ;)
HTH,
Dario
09-15-2009 06:13 AM
Hi,
On Sep 15, 2009, 6:34am PST dario.didio wrote:
> What are you trying to do?
> Can't you just configure the public IP as the VIP address on the
> ACEs?
> Why do you want to do NAT of the VIP address?
> Clients should hit the VIP and be load balanced to a serverfarm, I
> don't see the interest of using NAT for the VIP address.
In the planned ACE context there will be many private addresses:
intranet VIPs and addresses used to manage the real servers. Only a
few VIPs should be accessible via a public address from the outside
so we don't want to waste public addresses and only map those that are
really necessary, while keeping the rest private.
> If you want to use a private IP as VIP, you should do a static NAT
> of a public IP to a private IP on your FW or router in front of the
> ACE.
Well, we tried, but with just one NAT entry for a subnet the CPU of
the router (sup720) hit the roof (it handles more than 10 Tbytes per
day): unacceptable for the persons responsible for that equipment.
That is why we try to do the public-private translation on the ACE.
In any case, I'm still curious to understand why the configuration
does not work.
Best regards,
Dominique
09-21-2009 06:47 AM
Hi,
Sorry to reply so late: to do further tests I had to wait for the
return of my colleague in charge of the router.
On Sep 15, 2009, 8:33am PST gdufour - CCIE wrote:
> ACE does translation from VIP to rserver.
> you can not nat from a VIP to another address.
OK.
> So, in order to do what you want, you need the public address to be
> routed to the ACE itself. This can be achieved with static route.
>
> On the ace itself, simply create a class-map with a virtual address
> matching the public ip OR the private ip.
> ACE will then do the NATing properly between public or private to
> rserver and vice versa automatically.
I tried this (cf attachment running-config_test_context_2.txt) and
it works like a charm:
- no need to declare an interface associated to the ACE for the
subnet of the public address (vlan 251 in my previous attempt), and
- no need to explicitly configure a static route on the router for the
public VIP address; the ACE takes care of it (probably because of
the "loadbalance vip advertise" directive), and one finds the
following route is automatically defined on the router
O E2 123.456.251.180/32 [110/20] via 10.14.2.2, 01:01:26, Vlan701
The same connection test with telnet as in the previous attempt now
properly exchanges the initial TCP handshake packets:
123.456.17.10# telnet 123.456.251.180 443
Trying 123.456.251.180...
Connected to 123.456.251.180.
Escape character is '^]'.
A capture of this telnet session on the ACE shows the following
packets (summarized thanks to wireshark, the "show capture buffer
detail" is not as informative):
No. Time Source Destination Protocol Info
1 15:28:19.722768 123.456.17.10 123.456.251.180 TCP 55144 > https [SYN] Seq=0 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
2 15:28:19.723136 123.456.17.10 10.13.2.181 TCP 55144 > https [SYN] Seq=0 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
3 15:28:19.723441 10.13.2.181 123.456.17.10 TCP https > 55144 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
4 15:28:19.723749 123.456.251.180 123.456.17.10 TCP https > 55144 [SYN, ACK] Seq=3986379226 Ack=1 Win=49640 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
5 15:28:19.724096 123.456.17.10 123.456.251.180 TCP 55144 > https [ACK] Seq=1 Ack=3986379227 Win=24820 Len=0
6 15:28:19.724480 123.456.17.10 10.13.2.181 TCP 55144 > https [ACK] Seq=1 Ack=1 Win=24820 [TCP CHECKSUM INCORRECT] Len=0
And of course, a connection to the private VIP (10.13.1.180) works just the same.
Thanks very much for your help with this issue.
Best regards,
Dominique
09-30-2009 10:59 PM
Are you sure you were able to attach two policy-maps to the same interface simultaneously?
interface vlan 300
service-policy input test_https_policy
service-policy input test_nat_policy
09-30-2009 11:29 PM
> Are you sure you were able to attach two policy-maps to the same interface simultaneously?
Yes.
The attachment to my post is the output of "show running-config".
In any case the problem that I tried to tackle was solved in a more natural way (see my previous post).