ace and NAT...

danilodicesare
Level 1

Hi all,

a couple of questions..

how does the logic of NAT work on ACE? do I put the pool on interface 'outside' and a policy on interface inside?

server farm NAT, how does it work? I've not understood it well...

last one :)

ACE with two interfaces, <server side> & <outside>

topology is ACE with the above 2 interfaces; the gw of ACE is a FW with 3 interfaces: toward the internet, toward ACE and toward the internal network (10.0.0.0)

flows:

first one

SRC 1.1.1.1, 1.1.1.2 --> VIP 5.5.5.5 --> real --> 1.1.1.3, 1.1.1.4; in this situation I put a NAT pool on the <server side> interface and a NAT statement on the <server side> interface, it's easy.

2

src 1.1.1.1 --> dst 10.0.0.0: I do not have to NAT

3 src 1.1.1.1 --> dst internet port 443, 80, 25: I have to NAT 1.1.1.1

rules 2 and 3 may overlap, 'cause I could contact the intranet also on ports 80 and 443, and for this flow I do not have to NAT

the idea is

1 flows: no problem, it is just a simple server to server NAT hitting the VIP, with the server on the same subnet

2 flows: server farm in transparent mode with VIP 10.0.0.0 255.0.0.0 and the rserver is the FW

3 flows: src NAT hitting destination ports 80 and 443...

is this right? does the policy lookup on ACE permit it? I mean, when ACE sees a packet with destination 10.0.0.0, does it forward the packet without NAT even if it also sees port 80 or 443?

I want to put the load balancing rule in a different policy and put it before the NAT statement.

tnx

Dan

Accepted Solution

Gilles Dufour
Cisco Employee

client NAT is done with a policy configured on the 'inside' and the nat-pool on the outside.

In other words, we perform the NATing when the traffic is leaving the ACE.

So we first need to decide which "exit" to take.... which outgoing interface.

Then we look if we have a nat-pool to NAT the source address on that particular interface.

This allows you to have different NATing depending on the destination.

With ACE you need to split everything into multiple steps:

1/ classify the traffic using class-maps

2/ assign an action for each class

3/ order the different classes, as ACE will parse the list and will match the first class it finds.

So in your case you need 3 class-maps:

1, match vip

2, match dst 10.0.0.0/8

3, match port 443 or match port 80

This is easy to do.

Then you create the actions or policies.

For the vip you need loadbalance + nat

For the 2nd one you just need a forward policy.

For the 3rd one you need to NAT.

To arrange the classes, you can go 1,2,3 if you don't want to NAT 10.0.0.0/8 even for ports 80 and 443.

If you also need to NAT 80 and 443, you organise the classes as 1,3,2.

Your final policy would look like

policy-map multi-match ALL
  class VIP
    .....
  class NO-NAT
    loadbalance policy FWD
  class NAT
    nat dynamic ...

The policy FWD would be

switch/Admin(config)# policy-map type loadbalance first-match FWD
switch/Admin(config-pmap-lb)# class class-default
switch/Admin(config-pmap-lb-c)# forward

Hope this helps.

Gilles


5 Replies


Hi Gilles,

it doesn't work :(

class-map match-all CM_forward
  2 match virtual-address 4.0.0.0 255.0.0.0 any
(it is not possible to put a destination address in a class map that is associated to a multi-match)

class-map match-any C_Nat_SRVtoInternet
  2 match port tcp eq telnet

policy-map type loadbalance first-match L7_P_forward_internal
  class class-default
    forward

policy-map multi-match testdanilo_be
  class CM_forward
    loadbalance vip inservice
    loadbalance policy L7_P_forward_internal
  class C_Nat_SRVtoInternet
    nat dynamic 108 vlan 903

interface vlan 901
  description BE_server_side
  ip address 172.18.1.254 255.255.255.0
  no icmp-guard
  access-group input BE
  service-policy input P_MNGT_POLICY
  service-policy input testdanilo_be
  service-policy input P_MM_NatSRVtoSrvBeViaVIP
  no shutdown

interface vlan 903
  description FE
  ip address 192.168.0.162 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input FE
  nat-pool 108 192.168.0.254 192.168.0.254 netmask 255.255.255.255 pat
  service-policy input P_MNGT_POLICY
  no shutdown

then from the same server I'm trying to telnet to IP 4.4.4.1 and it is NATed.... when I telnet another IP, NAT.... argh, always NAT!

tnx Dany

Hi again,

in this way it works (see below)..... but I wonder how ACE parses policies and decides what to hit, and the logic. It's pretty strange that the forward policy is matched (I saw show service-policy) and also the NAT policy (I'm speaking about the example of the previous mail). Both policies have an increment of counters if I look at the show command.

access-list ACL_nat line 8 extended deny ip any host 4.4.4.1
access-list ACL_nat line 24 extended permit ip any any

class-map match-any C_Nat_SRVtoInternet
  2 match access-list ACL_nat

policy-map multi-match testdanilo_NAT
  class C_Nat_SRVtoInternet
    nat dynamic 108 vlan 903

interface vlan 901
  description BE_server_side
  ip address 172.18.1.254 255.255.255.0
  no icmp-guard
  access-group input BE
  service-policy input P_MNGT_POLICY
  service-policy input testdanilo_be
  service-policy input P_MM_NatSRVtoSrvBeViaVIP
  service-policy input testdanilo_NAT
  no shutdown

interface vlan 903
  description FE
  ip address 192.168.0.162 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input FE
  nat-pool 108 192.168.0.254 192.168.0.254 netmask 255.255.255.255 pat
  service-policy input P_MNGT_POLICY
  no shutdown

tnx

Dany
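A small Python model, added here and not ACE code or anything from the thread, of the two first-match rules this discussion turns on: the order of classes in the multi-match policy Gilles describes (1,2,3 versus 1,3,2) and the order of lines in the ACL_nat access-list from the working config above. The class names, the 5.5.5.5 VIP, 10.0.0.0/8, the 80/443/25 port list and 4.4.4.1 come from the posts; the Flow type, the predicates and the action strings are assumptions of the model.

```python
import ipaddress
from typing import Callable, NamedTuple

# Constructed model (not ACE code): a flow is classified by walking the
# classes in policy order; the first class that matches decides the action.

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

VIP = ipaddress.ip_address("5.5.5.5")          # VIP from the question
INTRANET = ipaddress.ip_network("10.0.0.0/8")   # "no NAT" destination
NAT_PORTS = {80, 443, 25}                       # ports that must be NATed to the internet

# class-map name -> (match predicate, action the policy-map applies); assumed names
CLASSES: dict[str, tuple[Callable[[Flow], bool], str]] = {
    "VIP": (lambda f: ipaddress.ip_address(f.dst) == VIP, "loadbalance + nat"),
    "NO-NAT": (lambda f: ipaddress.ip_address(f.dst) in INTRANET, "forward"),
    "NAT": (lambda f: f.dport in NAT_PORTS, "nat dynamic"),
}

def first_match(order: list[str], flow: Flow) -> tuple[str, str]:
    """Return (class, action) of the first class in 'order' that matches the flow."""
    for name in order:
        predicate, action = CLASSES[name]
        if predicate(flow):
            return name, action
    return "class-default", "forward"   # nothing matched: plain forwarding, no NAT

# The working config swapped the port match for an ACL: deny host 4.4.4.1 first,
# then permit any. ACL lines are also first-match, so the deny must come first.
ACL_NAT = [("deny", "4.4.4.1/32"), ("permit", "0.0.0.0/0")]

def acl_permits(acl: list[tuple[str, str]], flow: Flow) -> bool:
    """True when the first ACL line whose network contains the destination is a permit."""
    dst = ipaddress.ip_address(flow.dst)
    for verb, net in acl:
        if dst in ipaddress.ip_network(net):
            return verb == "permit"
    return False   # implicit deny at the end of the access-list

if __name__ == "__main__":
    intranet_web = Flow("1.1.1.1", "10.0.0.7", 80)   # overlaps rules 2 and 3
    for order in (["VIP", "NO-NAT", "NAT"], ["VIP", "NAT", "NO-NAT"]):
        print(order, "->", first_match(order, intranet_web))
    print("4.4.4.1 enters the NAT class:", acl_permits(ACL_NAT, Flow("172.18.1.10", "4.4.4.1", 23)))
```

With order 1,2,3 the intranet web flow is forwarded untouched; with 1,3,2 the same flow is NATed, which is the overlap the question asked about.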

Dany,

what is not possible exactly?

The config I gave you works.

You said you wanted to match a subnet and this is possible.

If you want to do something else... specify what exactly.

G.

Hi Gilles,

first of all thx very much.

1 if I put loadbalance vip inservice in a multi-match policy with a class that has destination-address and not virtual-address, this error appears:

Error: LB action requires match vip command!

2 with the configuration that I've posted before (reported below) the forward clause is matched, but the parsing of the policy carries on and matches also the NAT statement.

I expected that after the first match (forward) no match was done on the second statement. What happens is that if I telnet IP 4.4.4.1 (inside the range of the 4.0.0.0/8 virtual-address) the communication is NATed, so not just the forward policy is hit. In fact I can see counters incrementing in both service policies.

class-map match-all CM_forward
  2 match virtual-address 4.0.0.0 255.0.0.0 any
(it is not possible to put a destination address in a class map that is associated to a multi-match)

class-map match-any C_Nat_SRVtoInternet
  2 match port tcp eq telnet

policy-map type loadbalance first-match L7_P_forward_internal
  class class-default
    forward

policy-map multi-match testdanilo_be
  class CM_forward
    loadbalance vip inservice
    loadbalance policy L7_P_forward_internal
  class C_Nat_SRVtoInternet
    nat dynamic 108 vlan 903

interface vlan 901
  description BE_server_side
  ip address 172.18.1.254 255.255.255.0
  no icmp-guard
  access-group input BE
  service-policy input P_MNGT_POLICY
  service-policy input testdanilo_be
  service-policy input P_MM_NatSRVtoSrvBeViaVIP
  no shutdown

interface vlan 903
  description FE
  ip address 192.168.0.162 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input FE
  nat-pool 108 192.168.0.254 192.168.0.254 netmask 255.255.255.255 pat
  service-policy input P_MNGT_POLICY
  no shutdown

thx

Dan
