SNAT not working on ACE4710

Answered Question
Sep 14th, 2010

Hi All,


I've been trying to do SNAT on ACE, but for some weird reason it's not happening. We have 6 ACE 4710 appliances; SNAT is working fine on all except 1, with similar config on the other ACE appliances.


Please help, as the customer needs this application ASAP. Here is the config.


rserver host SPB-37
  ip address 172.18.128.37
  inservice
rserver host SPB-38
  ip address 172.18.128.38
  inservice



serverfarm host SPB-SRVFARM
  predictor leastconns
  probe TCP-7001
  rserver SPB-37 7001
    inservice
  rserver SPB-38 7001
    inservice
serverfarm host SPB-SRVFARM-30389
  probe ICMP-ICMP-Probe
  probe TCP-30389
  rserver SPB-37 30389
    inservice
  rserver SPB-38 30389
    inservice



class-map match-any SPB-30389-VIP
  2 match virtual-address 172.18.133.25 tcp eq 30389
class-map match-any SPB-VIP
  2 match virtual-address 172.18.133.25 tcp eq 7001



policy-map type loadbalance first-match SPB-30389-l7slb
  class class-default
    serverfarm SPB-SRVFARM-30389
policy-map type loadbalance first-match SPB-l7slb
  class class-default
    serverfarm SPB-SRVFARM


policy-map multi-match All_Policy_Maps
  class SPB-VIP
    loadbalance vip inservice
    loadbalance policy SPB-l7slb
    loadbalance vip icmp-reply
    nat dynamic 28 vlan 128
  class SPB-30389-VIP
    loadbalance vip inservice
    loadbalance policy SPB-30389-l7slb
    loadbalance vip icmp-reply
    nat dynamic 28 vlan 128



interface vlan 98
  description *** Server Vlan ***
  ip address 10.105.98.180 255.255.255.0
  alias 10.105.98.181 255.255.255.0
  peer ip address 10.105.98.182 255.255.255.0
  access-group input ALL
  nat-pool 98 172.18.133.128 172.18.133.128 netmask 255.255.255.255 pat // This works fine.
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 128
  description *** Server Vlan ***
  ip address 172.18.128.8 255.255.255.0
  alias 172.18.128.7 255.255.255.0
  peer ip address 172.18.128.9 255.255.255.0
  access-group input ALL
  nat-pool 28 172.18.135.165 172.18.135.165 netmask 255.255.255.255 pat  // This doesnt work.
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 133
  description *** Client vlan ***
  ip address 172.18.133.5 255.255.255.128
  peer ip address 172.18.133.6 255.255.255.128
  access-group input ALL
  service-policy input Service-Policy-IDAM-7777
  service-policy input SDP-SE
  service-policy input Service-Policy-SDP-NT-8001
  service-policy input Service-Policy-SDP-Deliver-7002
  service-policy input Service-Policy-SDP-Deliver-7007
  service-policy input Service-Policy-SDP-Deliver-7006
  service-policy input Service-Policy-SDP-RE
  service-policy input Service-Policy-SDP-SE-7002
  service-policy input Service-Policy-SDP-SE-7101
  service-policy input Service-Policy-SDP-RE-7101
  service-policy input All_Policy_Maps
  no shutdown

Correct Answer by Gilles Dufour (Cisco Employee), Tue, 09/14/2010 - 01:41

The problem is this:


policy-map multi-match Service-Policy-SDP-NT-8001
  class SNAT-Outside
    nat dynamic 98 vlan 98



This policy shows up before the one you identified:


interface vlan 133
  description *** Client vlan ***
  ip address 172.18.133.5 255.255.255.128
  peer ip address 172.18.133.6 255.255.255.128
  access-group input ALL
  service-policy input Service-Policy-IDAM-7777
  service-policy input SDP-SE
  service-policy input Service-Policy-SDP-NT-8001
  service-policy input Service-Policy-SDP-Deliver-7002
  service-policy input Service-Policy-SDP-Deliver-7007
  service-policy input Service-Policy-SDP-Deliver-7006
  service-policy input Service-Policy-SDP-RE
  service-policy input Service-Policy-SDP-SE-7002
  service-policy input Service-Policy-SDP-SE-7101
  service-policy input Service-Policy-SDP-RE-7101
  service-policy input All_Policy_Maps


The class SNAT-Outside is a match 0.0.0.0/0, so it will match all your traffic.

Therefore, the nat action will be: nat dynamic 98 vlan 98.

Since the traffic goes out on vlan 128, there is no rule to NAT the traffic.

There are multiple solutions:

1/ remove Service-Policy-SDP-NT-8001 and add it after All_Policy_Maps

2/ add "nat dynamic 28 vlan 128" under Service-Policy-SDP-NT-8001:

policy-map multi-match Service-Policy-SDP-NT-8001
  class SNAT-Outside
    nat dynamic 98 vlan 98
    nat dynamic 28 vlan 128


Gilles.

Overall Rating: 5 (1 ratings)
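To make the ordering rule in this answer concrete, here is a small Python model of how the interface's service-policy chain picks a NAT action for one flow. It is added here for illustration; it is not ACE code and not from the original thread. It encodes only what the answer states: the interface walks its service-policies in the order they were applied, the first class that matches the flow owns the NAT decision, and that class's nat action is used only if the action's VLAN is the VLAN the flow leaves on. It assumes SNAT-Outside is a plain 0.0.0.0/0 catch-all (its real definition is not shown in the thread), derives the egress VLAN from the interface subnets in the post, leaves out the other service-policies on vlan 133 whose contents are not shown, and the 10.105.98.50 destination used in the usage note is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatAction:
    pool: int   # "nat dynamic 28 vlan 128" -> pool 28 ...
    vlan: int   # ... bound to egress VLAN 128


@dataclass(frozen=True)
class ClassMap:
    name: str
    network: str          # destination match; "0.0.0.0/0" is the catch-all
    port: Optional[int]   # None = any port


@dataclass(frozen=True)
class PolicyMap:
    name: str
    classes: tuple        # ((ClassMap, [NatAction, ...]), ...) in configured order


def class_matches(cm: ClassMap, dst_ip: str, dst_port: int) -> bool:
    """Destination address/port test, like a 'match virtual-address' line."""
    return (ip_address(dst_ip) in ip_network(cm.network)
            and (cm.port is None or cm.port == dst_port))


def egress_vlan_for(server_ip: str) -> Optional[int]:
    """Server-side VLAN, taken from the interface subnets in the post."""
    for net, vlan in (("172.18.128.0/24", 128), ("10.105.98.0/24", 98)):
        if ip_address(server_ip) in ip_network(net):
            return vlan
    return None


def select_snat(chain, dst_ip, dst_port, server_ip):
    """Walk the interface's service-policies in applied order.  The first class
    matching the flow owns the NAT decision; its nat action is used only when
    the action's VLAN equals the egress VLAN.  Returns (policy, class, pool),
    with pool None when the owning class has no nat for that VLAN, or None
    when no class matched at all."""
    egress = egress_vlan_for(server_ip)
    for policy in chain:
        for cm, actions in policy.classes:
            if class_matches(cm, dst_ip, dst_port):
                for act in actions:
                    if act.vlan == egress:
                        return policy.name, cm.name, act.pool
                return policy.name, cm.name, None
    return None


# Class-maps and policy-maps from the thread.  SNAT-Outside is assumed to be a
# bare 0.0.0.0/0 match, as the answer says; its real definition is not shown.
SNAT_OUTSIDE = ClassMap("SNAT-Outside", "0.0.0.0/0", None)
SPB_VIP = ClassMap("SPB-VIP", "172.18.133.25/32", 7001)
SPB_30389_VIP = ClassMap("SPB-30389-VIP", "172.18.133.25/32", 30389)

ALL_POLICY_MAPS = PolicyMap("All_Policy_Maps", (
    (SPB_VIP, [NatAction(28, 128)]),
    (SPB_30389_VIP, [NatAction(28, 128)]),
))
NT_8001_AS_POSTED = PolicyMap("Service-Policy-SDP-NT-8001", (
    (SNAT_OUTSIDE, [NatAction(98, 98)]),
))
# Fix 2 from the answer: a second nat line under the same catch-all class.
NT_8001_FIX2 = PolicyMap("Service-Policy-SDP-NT-8001", (
    (SNAT_OUTSIDE, [NatAction(98, 98), NatAction(28, 128)]),
))

# Service-policy chains on interface vlan 133 (other policies in the post omitted).
AS_POSTED = (NT_8001_AS_POSTED, ALL_POLICY_MAPS)
FIX_REORDER = (ALL_POLICY_MAPS, NT_8001_AS_POSTED)     # fix 1: NT-8001 after All_Policy_Maps
FIX_SECOND_NAT = (NT_8001_FIX2, ALL_POLICY_MAPS)       # fix 2: extra nat line

if __name__ == "__main__":
    for label, chain in (("as posted", AS_POSTED), ("fix 1", FIX_REORDER),
                         ("fix 2", FIX_SECOND_NAT)):
        # client -> SPB VIP :7001, load balanced to SPB-37, which sits on vlan 128
        print(label, select_snat(chain, "172.18.133.25", 7001, "172.18.128.37"))
```

Running it shows the chain as posted handing the SPB flow to SNAT-Outside and returning no pool (the only nat line there is for vlan 98), while both fixes return pool 28. With the reorder fix, a constructed flow to 10.105.98.50 that is not a VIP still falls through to SNAT-Outside and gets pool 98, so the existing vlan 98 SNAT is preserved. The thing to compare on the appliance is the order of the service-policy lines under interface vlan 133 in the running configuration, which is what differs from the other five ACEs where the same VIP config works.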

akhil.abrol Tue, 09/14/2010 - 02:16

Hi Gilles,


Thanks for the solution. I was expecting a reply from you only.



Have a wonderful day.


Cheers!
