Problem with NAT

Answered Question
Apr 12th, 2012

Hi,

I'm trying to use NAT dynamic translation, and here is the example that I use to test it and understand it! Unfortunately it doesn't run...!

Could someone help me?

hostname ACE2
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
access-list ACL1 line 8 extended permit tcp any eq www any
class-map type management match-any L4_REMOTE-ACCESS_CLASS
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol ssh any
  5 match protocol https any
  6 match protocol xml-https any
class-map match-all L_CLASS
  2 match source-address 192.168.10.88 255.255.255.0
policy-map type management first-match L4_REMOTE-ACCESS_MATCH
  class L4_REMOTE-ACCESS_CLASS
    permit
policy-map multi-match L4_POLICY
  class L_CLASS
    nat dynamic 1 vlan 1000
interface vlan 1000
  ip address 192.168.10.252 255.255.255.0
  nat-pool 1 192.168.10.205 192.168.10.205 netmask 255.255.255.0
  service-policy input L4_REMOTE-ACCESS_MATCH
  service-policy input L4_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
username admin password 5 $1$yGY2HM8q$fSl.uxYYOlmtUPe/6uUnA.  role Admin domain default-domain
username www password 5 $1$i/TshwS6$WdMVudA/tn.ER6dR.33r7/  role Admin domain default-domain
ssh key dsa 1024 force

When I'm connected with SSH, it is always the same IP address for my computer:

ACE2/Admin# sh conn
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
43         1  in  TCP   1000 192.168.10.88:50263   192.168.10.252:22     ESTAB
30         1  out TCP   1000 192.168.10.252:22     192.168.10.88:50263   ESTAB

blankguy7 Thu, 04/12/2012 - 01:44

Hi,

Thanks Sandeep for the links and infos!

But I would like to know where is the problem in my configuration...

Thanks,

sandkum5 Thu, 04/12/2012 - 02:22

Hi,

The NAT configuration looks ok, but the translated destination IP cannot be an ACE IP.

Additionally, you need the following configurations to make this work:

- You should apply the ACL on the vlan 1000 interface using the access-group command to allow the traffic.

The configured acl will allow only www traffic.

- You should configure rserver and serverfarm configurations to forward the traffic to the respective server. Else, how will ACE know where to forward the traffic.

Please refer to the previously provided link regarding one-arm mode configuration on ACE for more info on the setup.

If you need more info, please provide complete setup info on what exactly you are trying to achieve, along with IP details.

Hope this answers your question.

Thanks,
Sandeep

andrew-travis Thu, 04/12/2012 - 05:52

blankguy7,

A couple of things stand out that could be causing you issues:

- Since you're only translating to one IP address, you'll want to add "pat" to the end of the NAT statement to do port address translation.

     nat-pool 1 192.168.10.205 192.168.10.205 netmask 255.255.255.0 pat

- Interface VLAN 1000 has an implicit deny any any on it unless otherwise specified.  You'll need to add an access-group to that interface.

     access-list everyone line 8 extended permit ip any any
     access-list everyone line 16 extended permit icmp any any
     interface vlan 1000
          access-group input everyone
          access-group output everyone

- You don't have any serverfarms or real servers to load-balance traffic to.

     rserver ________
          inservice
     serverfarm _________
          rserver _________
               inservice
     policy-map multi-match L4_POLICY
          class L_CLASS
               serverfarm ________

Any of those things could be why your SSH connection is not load-balanced through the ACE.  I would recommend looking through the links that Sandeep posted so that you can complete your configuration.

Andrew

blankguy7 Thu, 04/12/2012 - 06:17

Hi Andrew

Thanks for your reply!

So, I've corrected the errors (except this one:

  policy-map multi-match L4_POLICY
          class L_CLASS
               serverfarm ________

because there's no possibility to add a serverfarm).

Now, I'll read the doc again because it doesn't really run...

Here's config again:

switch/GAAS# sh run
Generating configuration....
access-list PERMIT-ALL line 8 extended permit ip any any
access-list PERMIT-ALL line 16 extended permit icmp any any
rserver redirect REDIRECT
  webhost-redirection http://192.168.0.33%p
  inservice
serverfarm redirect REDIRECT-OURWEBSITE
  rserver REDIRECT
    inservice
class-map type management match-any CONTEXT-ACCESS_CLASS
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol ssh any
class-map type http loadbalance match-all MATCH-OURWEBSITE
  2 match http header Host header-value "192.168.10.250"
class-map match-all VIP-OURWEBSITE
  2 match virtual-address 192.168.10.250 tcp eq www
policy-map type management first-match CONTEXT-ACCESS_MAP
  class CONTEXT-ACCESS_CLASS
    permit
policy-map type loadbalance first-match LB-OURWEBSITE
  class MATCH-OURWEBSITE
    serverfarm REDIRECT-OURWEBSITE
policy-map multi-match VIP-SERVICE-POLICY
  class VIP-OURWEBSITE
    loadbalance vip inservice
    loadbalance policy LB-OURWEBSITE
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500
interface vlan 500
  ip address 192.168.10.249 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PERMIT-ALL
  nat-pool 1 192.168.10.253 192.168.10.253 netmask 255.255.255.0 pat
  service-policy input CONTEXT-ACCESS_MAP
  service-policy input VIP-SERVICE-POLICY
  no shutdown
domain D1
  add-object interface vlan 500
  add-object serverfarm REDIRECT-OURWEBSITE
  add-object rserver REDIRECT
  add-object access-list extended PERMIT-ALL
role R1
  rule 1 permit create feature interface
  rule 2 permit create feature loadbalance
  rule 3 permit create feature real-inservice
  rule 4 permit create feature rserver
  rule 5 permit create feature serverfarm
ip route 0.0.0.0 0.0.0.0 192.168.10.1
username USER1 password 5 $1$lB1AQmxN$uH70ynfEN6X8GycrlitfP/  role R1 domain D1

andrew-travis Thu, 04/12/2012 - 06:27

blankguy7, what are the symptoms exactly?  When you hit the VIP (192.168.10.250) in your web browser, what happens?

A couple of other things to check are:

- Typo on the redirection URL (missing the / before the %p), should be: http://192.168.0.33/%p

- Missing access-group on outgoing traffic (necessary since using ACE in One Arm Mode): access-group output PERMIT-ALL

As you've pointed out, with the redirect serverfarm you won't need to create a different serverfarm.  What you have for that should work (minus the typo on the redirect URL).

Please let me know the results of those two changes.

Thanks.

Andrew

blankguy7 Thu, 04/12/2012 - 06:45

Hi Andrew,

Oh, sorry! I'm working on two ACEs at the same time.. but it does not matter! On this side, when I enter 192.168.10.250 for my website, I am redirected to http://192.168.0.33, which means it works, BUT I've sniffed the network and I see that after the redirection the communication runs between the website and my PC and not between the website and the ACE. The ACE sends the website the IP address of my PC and not the NAT address...

I want to enable NAT because I want that the communication goes always through the ACE!

Thanks

bg

andrew-travis Thu, 04/12/2012 - 07:06

blankguy7,

Ahh, now I understand what you really want to do and what the issue is.  You want to redirect traffic to a real server, but you want the traffic to go through the ACE.  Source NAT will force return traffic through the ACE, but if the ACE is simply redirecting you (and not load-balancing you) to another IP address, there is no way to force the traffic flow through the ACE.  We're just going about this the wrong way.  For what you want, you need a serverfarm so that you can load-balance the traffic to it (this load-balancing does the redirection that you want).  Try this:

rserver host web-server
  ip address 192.168.0.33
  inservice
serverfarm host web-serverfarm
  rserver web-server
    inservice
class-map match-all VIP-OURWEBSITE
  2 match virtual-address 192.168.10.250 tcp eq www
policy-map type loadbalance first-match LB-OURWEBSITE
  class class-default
    serverfarm web-serverfarm
policy-map multi-match VIP-SERVICE-POLICY
  class VIP-OURWEBSITE
    loadbalance vip inservice
    loadbalance policy LB-OURWEBSITE
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500

From your configs and requirements, I don't believe you need to do any URL redirection, you just need to load-balanced web traffic to a real server (in a serverfarm).  Try that and lemme know how it goes.

Andrew
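The three configuration gaps raised in the replies above (no access-group on the VLAN interface, a single-address nat-pool without pat, and nat dynamic under a class that has no serverfarm to load-balance to) can be checked mechanically before a config is pushed. This is an added example, not code from the thread or from Cisco; it assumes ACE running-config text indented as shown in the thread and uses a constructed sample modelled on the first, non-working configuration.

```python
import re
# Constructed sample modelled on the thread's first, non-working configuration.
BROKEN_CONFIG = """\
policy-map multi-match L4_POLICY
  class L_CLASS
    nat dynamic 1 vlan 1000
interface vlan 1000
  nat-pool 1 192.168.10.205 192.168.10.205 netmask 255.255.255.0
  service-policy input L4_POLICY
"""

def parse_blocks(config):
    """Split ACE running-config text into (header, [indented body lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def lint_ace_nat(config):
    """Return the NAT pitfalls the thread lists, found in the given config text."""
    findings = []
    blocks = parse_blocks(config)
    for header, body in blocks:           # interface vlan blocks: ACL and pool checks
        if not header.startswith("interface vlan"):
            continue
        vlan = header.split()[-1]
        if any(l.startswith("service-policy") for l in body) and \
           not any(l.startswith("access-group") for l in body):
            findings.append(f"vlan {vlan}: no access-group, implicit deny drops traffic")
        for l in body:                    # a one-address pool needs 'pat' to share that IP
            m = re.match(r"nat-pool (\d+) (\S+) (\S+) netmask \S+( pat)?$", l)
            if m and m.group(2) == m.group(3) and not m.group(4):
                findings.append(f"vlan {vlan}: nat-pool {m.group(1)} is one address but lacks 'pat'")
    for header, body in blocks:           # multi-match policies: nat dynamic needs a serverfarm
        if not header.startswith("policy-map multi-match"):
            continue
        classes, cur = {}, None
        for l in body:                    # regroup the flattened body under each 'class' line
            if l.startswith("class "):
                cur = classes.setdefault(l.split()[1], [])
            elif cur is not None:
                cur.append(l)
        for cls, lines in classes.items():
            if any(l.startswith("nat dynamic") for l in lines) and \
               not any(l.startswith(("loadbalance policy", "serverfarm")) for l in lines):
                findings.append(f"{header} class {cls}: nat dynamic but nothing to load-balance to")
    return findings
```

Running `lint_ace_nat(BROKEN_CONFIG)` reports all three findings; the corrected configuration from this thread (pat on the pool, access-groups on the interface, a loadbalance policy in the class) produces none.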

blankguy7 Fri, 04/13/2012 - 00:08

Hi Andrew,

Yes, you're right! It's exactly what I want, but my English is not perfect to explain that.... and sometimes I find the Cisco literature too big or difficult to find what I really need!

Now, I understood and I configured it like your example, and the "load-balancing" is running well (yeah) and I think that the NAT is running well too!

So, I don't see the IP NAT in the "sniffer" on the client side (PC) but, when I've made a telnet session to this serverfarm from the command line on my PC:

C:\>telnet 192.168.10.250 80

then I see:

switch/Admin# sh xlate
TCP PAT from vlan500:192.168.10.88/51230 to vlan500:192.168.10.253/1029
switch/Admin#

switch/Admin# sh nat-fabric src-nat 1 3
        NAT object ID:2 mapped_if:3 policy_id:1 type:DYNAMIC IPv4/6: 1/0 nat_pool_id:2
                Pool ID:2 PAT:1 pool_id:1 mapped_if:3 Ref_count:1 binding:all
                lower:192.168.10.253 upper:192.168.10.253 Bitmap-ID:33
                List of NAT object IDs: 2

switch/Admin# sh service-policy VIP-SERVICE-POLICY
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 500
  service-policy: VIP-SERVICE-POLICY
    class: VIP-OURWEBSITE
      nat:
        nat dynamic 1 vlan 500
        curr conns       : 1         , hit count        : 5
        dropped conns    : 0
        client pkt count : 34        , client byte count: 3883
        server pkt count : 37        , server byte count: 27263
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
      loadbalance:
        L7 loadbalance policy: LB-OURWEBSITE

I think that's all right!

Just another question: actually the ACE runs NAT only in the case of "load-balancing" but not in an SSH connection on vlan500?

Yeah, a great thanks for your help and have a nice day,


Correct Answer
andrew-travis Fri, 04/13/2012 - 05:39

blankguy7,

That's great news!  It looks like NAT is working as expected for you.

When you SSH to the ACE appliance (192.168.10.249), you are not being NAT'd since there isn't a need.  You are terminating the SSH connection on the ACE itself for management.  If you needed to SSH to the web servers through the load-balancer, you will need another class-map to match 192.168.10.250 on tcp eq ssh.

Please let me know if that is confusing or not.  Thank you.

Andrew

blankguy7 Fri, 04/13/2012 - 06:01

Hi Andrew

Yes, it's great news...

Thanks for your SSH explanations, it's now ok for me and no more confusing!

Now, I can continue my configuration. I'll program tcl on ACE...

Thanks a lot again for your help... was great!

Posted April 12, 2012 at 12:20 AM