NAT outbound traffic to the VIP address

arthurlove
Level 1

Hi all

I need to NAT real server IP addresses to the VIP address, as the customer firewall upstream is dropping packets returning from the ACE, because the outbound packets have a destination address of 1.1.1.1 and the returning traffic has a source of 2.2.2.1 and 2.2.2.2.

I can't find any examples of this, but have seen something like:

rserver host MAPY1
  ip address 2.2.2.1
  inservice

rserver host MAPY2
  ip address 2.2.2.2
  inservice

serverfarm host SERV_FARM
  rserver MAPY1
    inservice
  rserver MAPY2
    inservice

sticky ip-netmask 255.255.255.0 address both STICKY_GP1
  replicate sticky
  serverfarm SERV_FARM

class-map match-all CLIENT_VIPS
  2 match virtual-address 1.1.1.1 any

policy-map multi-match NAT-POL
  class SERVER
    nat dynamic 1 vlan 50

interface vlan 40
  description Server Side Vlan
  ip address 2.2.2.3 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input NAT-POL
  nat-pool 1 1.1.1.1 netmask 255.255.255.0 pat
  no shutdown

interface vlan 50
  description Client Side Vlan
  ip address 1.1.1.3 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input CLIENT_VIPS
  no shutdown

3 Replies

Sean Merrow
Level 4

Hello,

I just want to first be clear on your problem. Are you saying that client connections come out of the firewall and go to the ACE VIP, then are load balanced to one of the rservers, but then the server response comes back to the firewall sourced by the rserver's IP address instead of being sourced by the VIP address? If so, then you may not have a problem with NAT, but a problem with asymmetric routing.

If the client connection that hits the VIP is successfully load balanced, and the server's response comes back to the ACE, then the ACE will automatically perform source NAT on the response so the source IP address is that of the VIP when it hits the firewall. The only time you would see the rserver's real IP address is if the rserver is bypassing the ACE on the response and going to the firewall. If this is what is happening, then you would need to find out why the response is bypassing the ACE and resolve that. Usually, the resolution to this scenario is source NAT on the backend load balanced connection or policy-based routing.

However, if it is server initiated connections that you need to source NAT to the VIP, then you should be able to use a similar config to what you posted, though I would modify it just a bit.

class-map match-all SERVERS
  2 match source-address 2.2.2.0 255.255.255.0

policy-map multi-match NAT-POL
  class SERVERS
    nat dynamic 1 vlan 50

interface vlan 40
  description Server Side Vlan
  ip address 2.2.2.3 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input NAT-POL
  no shutdown

interface vlan 50
  description Client Side Vlan
  ip address 1.1.1.3 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input CLIENT_VIPS
  nat-pool 1 1.1.1.1 netmask 255.255.255.0 pat
  no shutdown

Hope this helps,

Sean
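A quick way to confirm Sean's asymmetric-routing diagnosis from a firewall-side capture, written as an added example that is not part of the thread: it walks constructed capture summary lines and flags any reply that is sourced by a real-server address (2.2.2.0/24) for a flow the client opened to the VIP 1.1.1.1, which is exactly the bypass-the-ACE symptom; the line format and sample addresses are assumptions.

```python
"""Flag replies that bypassed the ACE (asymmetric return path).

If the server's response went back through the ACE, the firewall sees it
sourced by the VIP. A reply sourced by a real-server address for a flow the
client opened to the VIP means the server bypassed the ACE, so the problem
is routing, not NAT.
"""
from ipaddress import ip_address, ip_network

VIP = ip_address("1.1.1.1")            # VIP from the thread
RSERVERS = ip_network("2.2.2.0/24")    # server-side VLAN 40 in the thread

# Constructed sample capture, firewall inside interface.
# Assumed line format: "<src> -> <dst> <proto> <sport> <dport>"
SAMPLE_CAPTURE = """\
10.0.0.5 -> 1.1.1.1 TCP 40001 80
1.1.1.1 -> 10.0.0.5 TCP 80 40001
10.0.0.6 -> 1.1.1.1 TCP 40002 80
2.2.2.2 -> 10.0.0.6 TCP 80 40002
10.0.0.7 -> 1.1.1.1 TCP 40003 80
2.2.2.1 -> 10.0.0.7 TCP 80 40003
"""


def parse_capture(text):
    """Turn summary lines into (src, dst, sport, dport) tuples."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "->":
            continue  # skip malformed or non-matching lines
        src, _, dst, _proto, sport, dport = parts
        packets.append((src, dst, int(sport), int(dport)))
    return packets


def find_bypassed_replies(packets):
    """Return (client_ip, client_port, rserver_ip) for each reply that
    arrived from a real server instead of the VIP."""
    vip_flows = set()   # (client_ip, client_port) seen going to the VIP
    bypassed = []
    for src, dst, sport, dport in packets:
        if ip_address(dst) == VIP:
            vip_flows.add((src, sport))
        elif (dst, dport) in vip_flows and ip_address(src) in RSERVERS:
            bypassed.append((dst, dport, src))
    return bypassed


if __name__ == "__main__":
    for client, port, rserver in find_bypassed_replies(parse_capture(SAMPLE_CAPTURE)):
        print(f"{client}:{port} got its reply from {rserver}, not the VIP: ACE bypassed")
```

Any hit means the return path skips the ACE and needs the backend source NAT or policy-based routing Sean describes; a clean run with replies all sourced by the VIP rules asymmetric routing out.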

Sean,

Cheers for the reply.

I'm so glad that you have suggested asymmetric routing!! I have been having this very bun fight with the server/security/project managers. I have got Wireshark traces clearly showing the responses coming back from the VIP.

Thanks for the fast response and the ammo you have now given me!!!

Cheers.

Well, if you need to NAT rservers to the VIP, I would recommend switching to a DSR topology, where you configure the VIP on the server loopback interface; once the packet gets load balanced, the return traffic will be sent directly by the server to the client with the VIP IP address.
