Destination NAT on ACE - overlap vip/NAT

Nov 15th, 2009

Greetings,


I have a situation where we need a destination NAT to happen on the ACE for an outbound flow that is redirected into the SSLM modules, then comes back to the ACE and is forwarded outward. There is a requirement to keep the SSLM module redirection, so we will not be able to achieve the encryption for the outbound connection by using the ACE.


I have a conflict when trying to implement this, as the real destination VIP (10.11.12.158 443) is being matched on two "match-any" class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to "static NAT" the destination address when the flow leaves the ACE.


Any suggestion on how to achieve the destination NATting in this case?


------------------------------------------------------------------------------------------------------

! redirect to/from SSL blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)

class-map match-any traffic-from-ssl-blade-cm
  description match vip and Port 443
  168 match virtual-address 10.11.12.158 tcp eq 8443

class-map match-any traffic-to-ssl-blade-cm
  168 match virtual-address 10.11.12.158 tcp eq 80

! Match the destination address that will be NATted for on port 443

access-list nat-test-srvr line 8 extended permit tcp host 211.212.213.105 eq 443 any

class-map match-any nat-test-srvr-cm
  2 match access-list nat-test-srvr

! Apply the static NAT on the policy associated with the outside interface - NATting to be triggered when packets
! leave the ACE

policy-map multi-match Dnat_policy
  class nat-test-srvr-cm
    nat static 10.11.12.158 netmask 255.255.255.255 tcp eq 8443 vlan 491

Error: Cannot overlap vip or NAT address configured in a shared interface

interface vlan 490
  description Outside interface
  bridge-group 4
  service-policy input Dnat_policy

interface vlan 491
  description Inside interface - flow from SSLM
  bridge-group 4
  service-policy input traffic-from-sslm

------------------------------------------------------------------------------------------------------


Gilles Dufour (Cisco Employee) Mon, 11/16/2009 - 05:45

If you want to do a destination NAT, simply configure load balancing with a single real.

So create a class-map to match virtual IP 211.212.213.105 tcp eq 443.

Create an rserver with IP address 10.11.12.158.

Add this rserver to a serverfarm.

And link everything together with a policy.


Gilles.
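The steps in the reply above, written out as an ACE configuration fragment. This is an added example and not part of the original thread or of any Cisco documentation; the object names are hypothetical, and the 8443 real-server port is an assumption taken from the poster's traffic-from-ssl-blade-cm class (drop the port from the serverfarm entry to keep the destination port at 443). The point is that the translated-to address appears only as an rserver, never as a `nat static` address, so it no longer collides with the VIP that the SSLM redirection already uses on the shared bridge-group.

```text
! Added example, not from the original post. Destination NAT to a single real,
! expressed as load balancing. Names are hypothetical; port 8443 is an assumption.

! 1. The address clients connect to is declared as a VIP, not matched through an ACL.
class-map match-all dnat-211-212-213-105-443-cm
  2 match virtual-address 211.212.213.105 tcp eq 443

! 2. The one real is the address the destination should be rewritten to.
rserver host sslm-vip-rs
  ip address 10.11.12.158
  inservice

! 3. A serverfarm holding only that real. The port on the rserver line rewrites
!    the destination port as well (omit it to leave the port unchanged).
serverfarm host sslm-vip-sf
  rserver sslm-vip-rs 8443
    inservice

! 4. Load-balancing policy: everything that reaches it goes to the one-real farm.
policy-map type loadbalance first-match dnat-lb-pm
  class class-default
    serverfarm sslm-vip-sf

! 5. Bind the VIP class to the LB policy in the multi-match policy on the ingress VLAN.
!    "loadbalance vip inservice" is required; without it the VIP never answers.
policy-map multi-match Dnat_policy
  class dnat-211-212-213-105-443-cm
    loadbalance vip inservice
    loadbalance policy dnat-lb-pm

interface vlan 490
  description Outside interface
  bridge-group 4
  service-policy input Dnat_policy
```

After applying it, `show service-policy Dnat_policy detail` should show the class with hit counters incrementing and the VIP in service, and `show conn` should list the flows with 211.212.213.105:443 on the client side and 10.11.12.158:8443 on the server side. If the class is never hit, check that the service-policy is attached to the VLAN where the traffic actually enters the ACE.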
