01-04-2010 06:07 AM
We are currently in a scenario where a server (located on the server side) needs to access the VIP on the client-side network. The VIP load balances to adjacent LDAP rservers, and the server in question needs to access this load-balanced service. Is it correct that I need to NAT (SNAT) the traffic from the accessing server to a dedicated IP in the client-side VLAN?
I made a quick drawing which hopefully explains my question better.
Thanks for reading
Roble
01-04-2010 07:51 AM
Robble,
happy new year.
Your assumption is correct. You need SNAT for servers to access the VIP.
But the NAT address can be anything. It does not have to be from the client side. The easiest solution is to use an IP address from the server subnet, so that the servers can simply reach it with an ARP request.
Gilles.
01-04-2010 01:07 PM
Hey Gilles and happy new year,
I am not really sure if I understood it correctly regarding the above scenario. Would the following config snippet make sure that traffic originating from 192.168.10.0/24 gets translated to 10.20.30.230 when accessing any resource within 10.20.30.0/24?
Is it correct that the nat pool defined in vlan 10 could be anything, e.g. (nat-pool 69 1.2.3.4 1.2.3.4 netmask 255.255.255.0 pat), as long as that address does not need to be routed?
Thanks for reading
Roble
---
access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
!
class-map match-any NAT_CLASS
match access-list NAT-Definition
!
policy-map multi-match NAT-Policy
class NAT_CLASS
nat dynamic 69 vlan 10
!
policy-map multi-match LB-POLICY
class foo
[...]
class foobar
[...]
!
interface vlan 192
description Server_Side_VLAN
ip address 192.168.10.254 255.255.255.0
service-policy input NAT-Policy
no shut
!
interface vlan 10
description Client_Side_VLAN
ip address 10.20.30.254 255.255.255.0
nat-pool 69 10.20.30.230 10.20.30.230 netmask 255.255.255.0 pat
service-policy input LB-POLICY
no shut
01-04-2010 11:51 PM
Robble,
If the destination IP address is a VIP, the outgoing interface is not vlan 10 (where the VIP address belongs) but vlan 192, where the rservers are located.
So you will need a nat-pool in the rserver vlan 192 and modify your nat dynamic command to point at this nat-pool.
Gilles.
01-07-2010 12:03 AM
Hi Gilles,
I think I get it now. Because the NATed IP stays local to the ACE, it can be anything, and the initial issue is with the returning traffic from the real server not flowing back through the ACE but being sent directly to the requesting host.
Are that and the corresponding config snippet correct?
access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
!
class-map match-any NAT_CLASS
match access-list NAT-Definition
!
policy-map multi-match NAT-Policy
description NAT-Policy
class NAT_CLASS
nat dynamic 1 vlan 192
!
interface vlan 192
description Server Side VLAN
ip address 192.168.10.254 255.255.255.0
nat-pool 1 172.16.32.1 172.16.32.1 netmask 255.255.255.0 pat
service-policy input NAT-Policy
no shut
Roble
01-07-2010 02:22 AM
Your understanding is correct.
You need to avoid the rserver responding directly to the client sitting on the same subnet (the client would not accept the answer, since it is expecting a response from the VIP, i.e. the ACE).
The config looks good.
Gilles.
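For readers who want the whole picture (the thread elides the load-balancing side with "[...]"), here is a complete configuration in the same style. This is an added example, not Roble's working configuration or Cisco reference material. The two VLAN addresses follow the thread; everything else is assumed for illustration: the VIP 10.20.30.100, the rserver names LDAP-1/LDAP-2 at 192.168.10.11/.12, the serverfarm and class-map names, and the pool address 192.168.10.230. Two points it is built around: the nat-pool sits on vlan 192, where the rservers' replies enter the ACE, and the VIP class is applied on vlan 192 as well as vlan 10, because the server-side request also enters on vlan 192 and must be matched there to be load balanced rather than routed.

```cisco
! Added example, not from the thread. Names, VIP, rserver and pool addresses are assumed.

! The ACE denies traffic by default; permit it on both interfaces.
access-list PERMIT-ALL line 10 extended permit ip any any

! Only server-side sources talking into the client-side subnet (which holds the VIP) are source-NATed.
access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0

rserver host LDAP-1
  ip address 192.168.10.11
  inservice
rserver host LDAP-2
  ip address 192.168.10.12
  inservice

serverfarm host LDAP-FARM
  rserver LDAP-1 389
    inservice
  rserver LDAP-2 389
    inservice

! The VIP lives in the client-side subnet.
class-map match-all LDAP-VIP
  match virtual-address 10.20.30.100 tcp eq 389

class-map match-any NAT_CLASS
  match access-list NAT-Definition

policy-map type loadbalance first-match LDAP-LB
  class class-default
    serverfarm LDAP-FARM

! One multi-match policy carries both the VIP class and the NAT class, so it can be
! applied on both interfaces; NAT_CLASS never matches client-side sources anyway.
policy-map multi-match LB-POLICY
  class LDAP-VIP
    loadbalance vip inservice
    loadbalance policy LDAP-LB
  class NAT_CLASS
    nat dynamic 1 vlan 192

interface vlan 10
  description Client_Side_VLAN
  ip address 10.20.30.254 255.255.255.0
  access-group input PERMIT-ALL
  service-policy input LB-POLICY
  no shutdown

interface vlan 192
  description Server_Side_VLAN
  ip address 192.168.10.254 255.255.255.0
  access-group input PERMIT-ALL
  ! Pool on the rserver-facing VLAN. The address is taken from the rserver subnet,
  ! so the rservers reach it with a plain ARP request and no routing is involved.
  nat-pool 1 192.168.10.230 192.168.10.230 netmask 255.255.255.0 pat
  service-policy input LB-POLICY
  no shutdown
```

Walking a request through it: a server at, say, 192.168.10.20 connects to 10.20.30.100:389. The packet enters vlan 192, matches LDAP-VIP and is sent to LDAP-1, and matches NAT_CLASS, so its source becomes 192.168.10.230 with a PAT port. LDAP-1 replies to 192.168.10.230, which is owned by the ACE, so the reply comes back through the ACE, which undoes both translations and hands the server a reply from 10.20.30.100. Without the SNAT, LDAP-1 would answer 192.168.10.20 directly on the shared subnet, and the server would drop the reply because it expects it from the VIP, which is the problem Gilles describes. If you instead pick a pool address outside 192.168.10.0/24 (as Roble's working config does with 172.16.32.1), the rservers have to send their replies to their default gateway, so that gateway must be the ACE's 192.168.10.254; otherwise the return traffic bypasses the ACE again.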
01-08-2010 01:42 AM
Hey Gilles,
Thanks again for the clarification. The configuration worked out, problem solved!
Roble