ACE VIP FTP Server Farm and Outgoing NAT

Jul 5th, 2010
We have an ACE-20 module for the 6500.


Our organization has an FTP Server Farm with a VIP setup on the ACE for Incoming Connections within a DMZ in order to load balance across multiple FTP servers. This is working just fine.

However, for Outgoing connections in the DMZ, we would like the outgoing NAT IP address to be the same as the VIP IP address. This is so that we can give a single IP address to vendors for opening up firewall ports.

Does the ACE-20 module for the 6500 support configuring the environment to allow any outgoing connections from the FTP servers to utilize the same NAT IP address as the VIP?


Would this cause load balancing across the servers to stop working in any form?


Thanks....JW


Hi James,


  Firstly you'd need to configure an outbound PAT statement (not a NAT) and this can co-exist with an inbound VIP configuration. Secondly I'd recommend two interfaces for simplicity.


  To configure both of these features would require two service-policies being configured. The service-policy being applied to the customer facing interface would require the VIP service-policy and the server facing service-policy would have the PAT configuration.


For example.


access-list OUTSIDE_ACL line 10 extended permit ip any any
access-list INSIDE_ACL line 10 extended permit ip any any
access-list INSIDE-HOSTS-PAT_ACL line 10 extended permit ip host 10.20.7.1 any
access-list INSIDE-HOSTS-PAT_ACL line 20 extended permit ip host 10.20.7.2 any


probe ftp FTP-PROBE
  interval 2
  expect status 220 220


rserver host 10-20-7-1
  ip address 10.20.7.1
  inservice
rserver host 10-20-7-2
  ip address 10.20.7.2
  inservice


serverfarm host FTP-21-SF
  probe FTP-PROBE
  rserver 10-20-7-1
    inservice
  rserver 10-20-7-2
    inservice


sticky ip-netmask 255.255.255.255 address source 40
  timeout 60
  replicate sticky
  serverfarm FTP-21-SF


class-map match-all FTP-21-CM
  2 match virtual-address 10.20.6.200 tcp eq ftp
class-map match-any INSIDE-HOSTS-PAT-cm
  2 match access-list INSIDE-HOSTS-PAT_ACL


policy-map type loadbalance first-match FTP-21-PM
  class class-default
    sticky-serverfarm 40


policy-map multi-match OUTSIDE-INTERFACE-POLICY
  class FTP-21-CM
    loadbalance vip inservice
    loadbalance policy FTP-21-PM
    loadbalance vip icmp-reply active
    inspect ftp


policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100


interface vlan 100
  description Customer Facing Interface
  ip address 10.20.6.2 255.255.255.0
  alias 10.20.6.1 255.255.255.0
  peer ip address 10.20.6.3 255.255.255.0
  access-group input OUTSIDE_ACL
  nat-pool 1 10.20.6.200 10.20.6.200 netmask 255.255.255.255 pat
  service-policy input OUTSIDE-INTERFACE-POLICY
  no shutdown
interface vlan 101
  description Server Facing Interface
  ip address 10.20.7.252 255.255.255.0
  alias 10.20.7.254 255.255.255.0
  peer ip address 10.20.7.253 255.255.255.0
  access-group input INSIDE_ACL
  service-policy input INSIDE-INTERFACE-POLICY
  no shutdown
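As an added example (not from the thread or from Cisco), a small Python audit that reads ACE configuration text and checks the two things the answer depends on: that the nat-pool referenced by "nat dynamic" is a single address equal to the VIP (so outbound PAT really presents the VIP to vendors), and that the rserver addresses do not overlap the ACE's own interface, alias or peer addresses on any VLAN. The embedded config is a constructed excerpt of the posted fragments in which the server-facing interface deliberately reuses 10.20.7.1 and 10.20.7.2, so the second check fires.

```python
import re
# Constructed excerpt of the posted ACE fragments; vlan 101 reuses the rserver IPs.
ACE_CONFIG = """
rserver host 10-20-7-1
  ip address 10.20.7.1
rserver host 10-20-7-2
  ip address 10.20.7.2
class-map match-all FTP-21-CM
  2 match virtual-address 10.20.6.200 tcp eq ftp
policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100
interface vlan 100
  ip address 10.20.6.2 255.255.255.0
  nat-pool 1 10.20.6.200 10.20.6.200 netmask 255.255.255.255 pat
interface vlan 101
  ip address 10.20.7.2 255.255.255.0
  alias 10.20.7.1 255.255.255.0
"""

def parse(cfg):
    p, ctx = {"rservers": set(), "vips": set(), "ifaces": {}, "pools": {}, "nat_refs": []}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = line                      # an unindented statement opens a new context
        elif ctx.startswith("rserver") and line.startswith("ip address"):
            p["rservers"].add(line.split()[2])
        elif m := re.search(r"match virtual-address (\S+)", line):
            p["vips"].add(m.group(1))
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)", line):
            p["nat_refs"].append((m.group(2), m.group(1)))     # (vlan, pool id)
        elif ctx.startswith("interface vlan"):
            vlan = ctx.split()[2]
            if m := re.match(r"(?:ip address|alias|peer ip address) (\S+)", line):
                p["ifaces"].setdefault(vlan, set()).add(m.group(1))
            elif m := re.match(r"nat-pool (\d+) (\S+) (\S+)", line):
                p["pools"][(vlan, m.group(1))] = (m.group(2), m.group(3))
    return p

def audit(cfg):
    p, findings = parse(cfg), []           # empty result means both checks passed
    for vlan, pool_id in p["nat_refs"]:    # outbound PAT must use the VIP address itself
        pool = p["pools"].get((vlan, pool_id))
        if pool is None or pool[0] != pool[1] or pool[0] not in p["vips"]:
            findings.append(f"nat dynamic {pool_id} vlan {vlan}: pool {pool} is not the single VIP address")
    for vlan, addrs in p["ifaces"].items():  # real servers must not share the ACE's own addresses
        for ip in sorted(addrs & p["rservers"]):
            findings.append(f"rserver {ip} collides with an ACE address on interface vlan {vlan}")
    return findings
```

Running audit(ACE_CONFIG) reports the two 10.20.7.x collisions and nothing about the PAT pool; moving the vlan 101 addresses out of the rserver range clears the findings.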
