One Armed nat to multiple ports on a single server

Jun 29th, 2010

Basically I want to do PAT to multiple ports on a single server.  The problem that I am seeing is that regular IP load-balancing is not forwarding HTTP requests to specific directories.  We can overcome this with a redirect to the appropriate directory, but the IP and port are not being masked.

So the VIP is X.X.X.1:15000 and we are trying to load-balance to X.X.X.2 on ports 80, 81, 82 to a directory X.X.X.2/TEST.  How can I NAT and load-balance to multiple ports while masking the rserver IP address?

I have seen multiple examples, but nothing with this combination.

If I put:

rserver host TEST1

ip address X.X.X.2 80


rserver host TEST2

ip address X.X.X.2 81


rserver host TEST3

ip address X.X.X.2 82


The traffic is load-balanced and nat'd, but the directories are not reachable.  If I do the redirect, the destination IP and port are not masked.

Sean Merrow Tue, 06/29/2010 - 08:14


I'm assuming that the client is coming into the VIP as and you want them to be load balanced to the server on one of the three ports, but to

Is this correct?

If so, then you would configure a redirect that would have the ACE redirect the client to come back to the same VIP but with the /test at the end of their URL.  Now the ACE will load balance the connection to the rserver on one of the ports configured, perform NAT, and the client's request will have the /test at the end of the URL.

Is this what you're looking for?


aweaver7 Tue, 06/29/2010 - 08:25

More or less.  The problem is that when I do the redirect the %h doesn't seem to work?  Or I am not understanding how to implement it.  We are currently working with IPs and not FQDNs.

So how do I apply the redirect and still load-balance to the same IP port 80 81 and 82 while masking the destination?  Do you have some sample code?

Sean Merrow Tue, 06/29/2010 - 08:48

I'm not sure I understand what you mean by "masking the destination".  Below is a sample config that will take a request from a client for and redirect the client to connect to  After the client connects to the new URL on the same VIP and port, the ACE will load balance the client to the rserver on one of the three configured ports and to the /test URL.  It will also perform source NAT on the one-armed config.

rserver redirect REDIRECT-TO-TEST-DIR
  webhost-redirection 301

rserver host SERVER_01
  ip address

serverfarm redirect REDIRECT-SERVERFARM

serverfarm host REAL_SERVERS
  rserver SERVER_01 80
  rserver SERVER_01 81
  rserver SERVER_01 82

class-map match-all HTTP-VIP
  2 match virtual-address tcp eq http

class-map type http loadbalance match-any ROOT
  2 match http url /

policy-map type loadbalance first-match SLB-LOGIC
  class ROOT
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy SLB-LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10

interface vlan 10
  description Servers vlan
  ip address
  access-group input ANYONE
  service-policy input WEB-TRAFFIC
  nat-pool 1 netmask pat
  no shutdown

ip route

Does this help?


aweaver7 Tue, 06/29/2010 - 09:24


I think this is what I was looking for, this seems to tie everything together.  I will do some testing today and see how it works out?  We have 1 6.3a is that a problem?


Sean Merrow Tue, 06/29/2010 - 09:29

I would highly encourage you to upgrade to A2(3.1) before you get started.  The code you are on is very old and many, many bugs have been fixed since then.  We have also added a lot of popular features since then.


aweaver7 Tue, 06/29/2010 - 10:31

Would X.X.X.X/test work the same as well?  I can't figure out why it's not working, must be the code and not the configs.  What if the server is doing the redirecting?  Should that matter?

Sean Merrow Tue, 06/29/2010 - 10:42

So with the example I gave it would work like this:

  1. Client connects to or (assuming DNS will resolve to the VIP)
  2. ACE redirects the client to
  3. Client connects to
  4. ACE load balances client connection to the server on one of the three ports

If you wanted, you could change the string '' in the relocation string to, as long as will resolve to the VIP.  Or, as long as DNS will resolve to the VIP, then you could change the host from to %h in the relocation string.  In that case, it would be http://%h/test/

It is fine if the server is sending a redirect, as long as the host in the redirect Location header is either the VIP or an FQDN that resolves to the VIP.

Hope this helps,
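
An added example, not part of the thread or of any Cisco tooling: a Python check that audits the Location headers a client receives through the VIP and flags redirects that expose the real server instead of pointing back at the VIP. It extends the host condition in the last reply to the port as well, since in the question the VIP listens on 15000 while the server listens on 80 to 82. All addresses, the FQDN and the sample responses are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample addressing (RFC 5737 documentation range), standing in for
# the thread's X.X.X.1:15000 VIP and the X.X.X.2 real server on ports 80/81/82.
VIP_HOSTS = {"192.0.2.1", "www.example.test"}  # VIP plus an FQDN assumed to resolve to it
VIP_PORT = 15000
RSERVER_HOSTS = {"192.0.2.2"}

def classify_location(location):
    """Classify the Location header of a redirect received through the VIP."""
    parts = urlsplit(location)
    if not parts.netloc:
        return "ok"                     # relative redirect: client stays on the VIP
    host = (parts.hostname or "").lower()
    try:
        port = parts.port               # raises ValueError on a bad port
    except ValueError:
        return "malformed"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if host in RSERVER_HOSTS:
        return "leaks-rserver"          # real server address shown to the client
    if host in VIP_HOSTS:
        return "ok" if port == VIP_PORT else "wrong-port"
    return "other-host"

def audit(responses):
    """responses: iterable of (status, headers). Returns non-ok 3xx findings."""
    findings = []
    for status, headers in responses:
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and loc is not None:
            verdict = classify_location(loc)
            if verdict != "ok":
                findings.append((loc, verdict))
    return findings

# Constructed responses, as a client connecting to the VIP might see them.
SAMPLE = [
    (301, {"Location": "http://192.0.2.1:15000/test/"}),  # redirect back to the VIP
    (302, {"Location": "http://192.0.2.2:81/TEST/"}),     # server used its own address
    (302, {"location": "http://192.0.2.1:81/TEST/"}),     # VIP host, server's listen port
    (302, {"Location": "/TEST/login"}),                   # relative redirect
    (200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for loc, verdict in audit(SAMPLE):
        print(f"{verdict:14} {loc}")
```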


