A couple of questions...
How does the NAT logic on ACE work? Do I put the pool on the 'outside' interface and a policy on the 'inside' interface?
Server farm NAT: how does it work? I have not understood it well...
Last one :)
ACE with two interfaces, <server side> and <outside>.
The topology is the ACE with the above 2 interfaces; the gateway of the ACE is a FW with 3 interfaces: toward the internet, toward the ACE and toward the internal network (10.0.0.0).
1) SRC 188.8.131.52, 184.108.40.206 --> VIP 220.127.116.11 --> real --> 18.104.22.168, 22.214.171.124. In this situation I put a NAT pool on the <server side> interface and a NAT statement on the <server side> interface; that's easy.
2) src 126.96.36.199 --> dst 10.0.0.0: I do not have to NAT.
3) src 188.8.131.52 --> dst internet, ports 443, 80, 25: I have to NAT to 184.108.40.206.
Rules 2 and 3 may overlap, because I could also contact the intranet on ports 80 and 443, and for that flow I do not have to NAT.
1) These flows are not a problem; it is just a simple server-to-server NAT hitting the VIP, with the servers on the same subnet.
2) These flows: server farm in transparent mode with VIP 10.0.0.0 255.0.0.0, and the rserver is the FW.
3) These flows: source NAT hitting destination ports 80 and 443...
Is this right? Does the policy lookup on the ACE permit it? I mean, when the ACE sees a packet with destination 10.0.0.0, does it forward the packet without NAT even if it also sees port 80 or 443?
I want to put the load balancing rule in a different policy and put it before the NAT statement.
Client NAT is done with a policy configured on the 'inside' and the NAT pool on the 'outside'.
In other words, we perform the NATing when the traffic is leaving the ACE.
So we first need to decide which "exit" to take, i.e. which outgoing interface.
Then we look whether we have a NAT pool to NAT the source address on that particular interface.
This allows you to have different NATing depending on the destination.
With ACE you need to split everything into multiple steps:
1/ classify the traffic using class-maps
2/ assign an action to each class
3/ order the different classes, as the ACE will parse the list and will match the first class it finds.
So in your case you need 3 class-maps:
1. match vip
2. match dst 10.0.0.0/8
3. match port 443 or match port 80
This is easy to do.
Then you create the actions, or policies.
For the VIP you need loadbalance + NAT.
For the 2nd one you just need a forward policy.
For the 3rd one you need NAT.
To arrange the classes, you go 1,2,3 if you don't want to NAT 10.0.0.0/8 even for ports 80 and 443.
If you also need to NAT 80 and 443, you organise the classes as 1,3,2.
Your final policy would look like:
policy-map multi-match ALL
  loadbalance policy FWD
  nat dynamic ...
The class FWD would be
switch/Admin(config)# policy-map type loadbalance first-match FWD
switch/Admin(config-pmap-lb)# class class-default
switch/Admin(config-pmap-lb-c)# forward
Hope this helps.
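To make the ordering argument above concrete, here is a small Python model of the first-match lookup the answer describes. It is an added example, not ACE configuration and not code from either poster: the VIP and 10.0.0.0/8 are taken from the question, while the class names, the server address, the internet destination and the sample flows are assumptions constructed for the demonstration. It shows, for the same set of flows, which class an ACE multi-match policy would hit with the classes ordered 1,2,3 versus 1,3,2, which is exactly the "destination 10.0.0.0 and port 80/443" overlap the question asks about.

```python
# Added example (not ACE configuration and not from the thread): a small model
# of how an ACE multi-match policy picks ONE Layer 3/4 class per flow, so that
# the effect of ordering the INTRANET and WEB-PORTS classes can be checked
# against sample flows. Class names, the server address and the internet
# destination are assumptions; the VIP and 10.0.0.0/8 come from the question.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

VIP = "220.127.116.11"          # VIP from the question
INTRANET_NET = "10.0.0.0/8"     # internal network behind the FW (question)
SERVER = "18.104.22.168"        # one real server from the question's farm
INTERNET_HOST = "203.0.113.10"  # assumed internet destination (RFC 5737 range)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ClassMap:
    name: str
    matches: Callable[[Flow], bool]
    action: str  # what the multi-match policy does when this class is hit


def match_vip(vip: str) -> Callable[[Flow], bool]:
    """Model of 'match virtual-address <vip>' on any port."""
    target = ip_address(vip)
    return lambda f: ip_address(f.dst) == target


def match_dst(network: str) -> Callable[[Flow], bool]:
    """Model of 'match destination-address <net> <mask>'."""
    net = ip_network(network)
    return lambda f: ip_address(f.dst) in net


def match_ports(*ports: int) -> Callable[[Flow], bool]:
    """Model of a match-any class made of 'match port tcp eq <p>' lines."""
    allowed = frozenset(ports)
    return lambda f: f.proto == "tcp" and f.dport in allowed


# The three classes the answer describes, with the action attached to each.
CM_VIP = ClassMap("VIP", match_vip(VIP), "loadbalance + nat dynamic")
CM_INTRANET = ClassMap("INTRANET", match_dst(INTRANET_NET), "forward, no NAT")
CM_WEB = ClassMap("WEB-PORTS", match_ports(80, 443), "nat dynamic")
CLASS_DEFAULT = ("class-default", "forward, no NAT")

# The two orderings from the answer.
ORDER_1_2_3 = [CM_VIP, CM_INTRANET, CM_WEB]  # never NAT 10/8, even on 80/443
ORDER_1_3_2 = [CM_VIP, CM_WEB, CM_INTRANET]  # NAT 80/443 wherever they go


def first_match(policy: list[ClassMap], flow: Flow) -> tuple[str, str]:
    """Return (class name, action) of the first class that matches the flow.

    ACE stops at the first hit, so a flow that satisfies several classes is
    handled by whichever of them appears first in the policy-map.
    """
    for cm in policy:
        if cm.matches(flow):
            return cm.name, cm.action
    return CLASS_DEFAULT


# Constructed sample flows covering the overlap the question asks about.
SAMPLE_FLOWS = {
    "server->VIP:80": Flow(SERVER, VIP, 80),
    "server->intranet:443": Flow(SERVER, "10.0.0.5", 443),
    "server->intranet:3306": Flow(SERVER, "10.0.0.5", 3306),
    "server->internet:443": Flow(SERVER, INTERNET_HOST, 443),
    "server->internet:25": Flow(SERVER, INTERNET_HOST, 25),
}


def evaluate(policy: list[ClassMap]) -> dict[str, str]:
    """Map each sample flow label to the name of the class that handles it."""
    return {label: first_match(policy, f)[0] for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, policy in (("1,2,3", ORDER_1_2_3), ("1,3,2", ORDER_1_3_2)):
        print(f"order {name}:")
        for label, f in SAMPLE_FLOWS.items():
            cls, action = first_match(policy, f)
            print(f"  {label:24} -> {cls:14} {action}")
```

Two things the table makes visible. With order 1,2,3 a connection to 10.0.0.5:443 lands in INTRANET and is forwarded un-NATed, which is the behaviour the question wants; with order 1,3,2 the same connection lands in WEB-PORTS and gets source-NATed, so the order is what answers the "does it forward without NAT even if it sees port 80/443" question, not any implicit precedence of address matches over port matches. Second, a flow to the internet on port 25 matches none of the three classes and falls through to class-default, so with only the classes listed in the answer the SMTP traffic from the question would leave without NAT; it needs its own port added to the third class (or a further class) if it must be translated.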