Destination NAT on ACE - overlap vip/NAT

Unanswered Question
Nov 15th, 2009

Greetings,

I have a situation where we need a destination NAT to happen on the ACE for an outbound flow that is redirected into SSLM modules, then comes back to the ACE and is forwarded outward. There is a requirement to keep the SSLM module redirection, so we will not be able to achieve the encryption for the outbound connection by using the ACE.

I have a conflict when trying to implement as the real destination VIP (10.11.12.158 443) is being matched on two “match-any” class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to “static nat” the destination address when the flow leaves the ACE.

Any suggestions on how to achieve the destination natting in this case?

------------------------------------------------------------------------------------------------------
! redirect to/from ssl blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)
class-map match-any traffic-from-ssl-blade-cm
  description match vip and Port 443
  168 match virtual-address 10.11.12.158 tcp eq 8443

class-map match-any traffic-to-ssl-blade-cm
  168 match virtual-address 10.11.12.158 tcp eq 80

! Match the destination address that will be natted for on port 443
access-list nat-test-srvr line 8 extended permit tcp host 211.212.213.105 eq 443 any

class-map match-any nat-test-srvr-cm
  2 match access-list nat-test-srvr

! Apply the static nat on the policy associated with the outside interface - natting to be triggered when packets
! leave the ACE
policy-map multi-match Dnat_policy
  class nat-test-srvr-cm
    nat static 10.11.12.158 netmask 255.255.255.255 tcp eq 8443 vlan 491

Error: Cannot overlap vip or NAT address configured in a shared interface

interface vlan 490
  description Outside interface
  bridge-group 4
  service-policy input Dnat_policy

interface vlan 491
  description Inside interface - flow from SSLM
  bridge-group 4
  service-policy input traffic-from-sslm
------------------------------------------------------------------------------------------------------

Gilles Dufour Mon, 11/16/2009 - 05:45

If you want to do a destination NAT, simply configure load balancing with a single real.

So do a class-map to match virtual IP 211.212.213.105 tcp eq 443.

Create an rserver with IP address 10.11.12.158.

Add this rserver in a serverfarm.

And link everything together with a policy.

Gilles.
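The steps in the reply above, written out as an ACE configuration. This is an added example, not configuration posted by either participant; the object names NAT-TEST-SRVR, NAT-TEST-FARM, NAT-TEST-VIP and NAT-TEST-LB are hypothetical, while the addresses, the Dnat_policy name and vlan 490 are taken from the question.

```cisco
! Added example - object names below are hypothetical.

! The single "real": the address the flow should be translated to.
rserver host NAT-TEST-SRVR
  ip address 10.11.12.158
  inservice

! A serverfarm containing only that rserver, so every connection lands on it.
serverfarm host NAT-TEST-FARM
  rserver NAT-TEST-SRVR
    inservice

! The address and port the flow is originally sent to, treated as a VIP.
class-map match-all NAT-TEST-VIP
  2 match virtual-address 211.212.213.105 tcp eq 443

! Layer 7 load-balancing policy: send everything to the one-server farm.
policy-map type loadbalance first-match NAT-TEST-LB
  class class-default
    serverfarm NAT-TEST-FARM

! Link it together in the multi-match policy, in place of the
! "class nat-test-srvr-cm / nat static ..." entry that produced the overlap error.
policy-map multi-match Dnat_policy
  class NAT-TEST-VIP
    loadbalance vip inservice
    loadbalance policy NAT-TEST-LB

! Applied where the question already applies Dnat_policy.
interface vlan 490
  service-policy input Dnat_policy
```

Because the destination rewrite now comes from the load-balancing decision rather than a `nat static` statement, 10.11.12.158 is no longer configured as a NAT address next to the class-maps that use it as a virtual-address. `show serverfarm NAT-TEST-FARM` and `show service-policy Dnat_policy detail` show whether connections are hitting the new class.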
