One Arm ACE Natting

Answered Question
Aug 8th, 2012

Is it possible that ACE in one-arm mode can NAT using the same source address? If yes, then how?

Regards,

Hesham

Correct Answer
jsirstin (Cisco Employee) Wed, 08/08/2012 - 05:47

Hesham,

What source address are you referring to, the original client IP that is making the request? If so, this is not possible. You need to use a Nat-pool address that the ACE can own to force the server reply back to the ACE rather than sending directly back to the client.

Regards

Jim

helsayed78 Wed, 08/08/2012 - 05:50

So that will only work in transparent mode?

Regards,

Hesham

Correct Answer
jsirstin (Cisco Employee) Wed, 08/08/2012 - 05:56

Hesham,

Transparent mode does not change the vip address to the server ip. Nat-pools are used to change the client IP to an address the ACE owns to avoid asymmetric traffic flows. Not quite sure what you are trying to accomplish. Can you give more detail?

helsayed78 Wed, 08/08/2012 - 05:57

Ok, so if I have 10 VIP IPs on ACE, can I specify the NAT IP for each VIP IP? Because if that is not possible, then how will I restrict access to servers that are load balanced by Cisco ACE and are behind a firewall?

Regards,

Hesham

helsayed78 Wed, 08/08/2012 - 06:05

In other words... all requests hitting the servers will be from the NAT pool IPs!!! So if these servers are protected by a firewall, then I won't be able to have restrictions based on source IPs (client IPs).

Is there a workaround to solve this issue?

Regards,

H

helsayed78 Wed, 08/08/2012 - 11:53

Does anyone have an idea to solve this issue?

Regards,
jsirstin (Cisco Employee) Thu, 08/09/2012 - 08:11

Hesham,

With the statement "Ok, So if I have 10 VIP IPs on ACE? , can I specify the NAT IP for each  VIP IP.", are you talking about using the same nat-pool address as the vip IP?

Example: If you have the class-map like this

class-map match-all L4VIPCLASS
  2 match virtual-address 10.86.178.254 tcp eq www

And use the same IP in the nat-pool?

interface vlan 178
  description Client Vlan
  ip address 10.86.178.227 255.255.255.0
  peer ip address 10.86.178.228 255.255.255.0
  mac-sticky enable
  access-group input ANYONE
  nat-pool 56 10.86.178.254 10.86.178.254 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  service-policy input jim
  no shutdown

If this is what you are talking about, it is definitely possible. Even if you do not want to use the same VIP IP as the nat-pool IP, you can still have one Nat-pool IP tied to just one VIP IP.

Regards

Jim

helsayed78 Thu, 08/09/2012 - 10:08

Thanks for your reply.

That is exactly what I was asking for, but what if I have several class maps with different VIPs!! In your example you only stated one VIP using the same NAT IP for it.

How can I do the same with other VIPs? Please give me an example like the one you mentioned above.

Regards,
Correct Answer
jsirstin (Cisco Employee) Thu, 08/09/2012 - 10:26

Hesham,

Here is a sample with 3 vips using the same IP and 3 nat-pools; you would use the same template for the rest of your vips.

class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
class-map match-all vip-3
  2 match virtual-address 172.16.0.17 tcp eq www

policy-map multi-match VIPs
  class vip-1
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 511
  class vip-2
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 511
  class vip-3
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-3
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 3 vlan 511

interface vlan 511
  ip address 172.16.0.130 255.255.255.0
  alias 172.16.0.128 255.255.255.0
  peer ip address 172.16.0.131 255.255.255.0
  access-group input any
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 2 172.16.0.16 172.16.0.16 netmask 255.255.255.0 pat
  nat-pool 3 172.16.0.17 172.16.0.17 netmask 255.255.255.0 pat
  no shutdown
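
As an added illustration (not code from the thread or from Cisco), the Python below parses the kind of ACE config Jim posted and reports, per VIP, the source range the real servers and any firewall in front of them will see after dynamic NAT. It flags two conditions that break per-VIP firewall rules: two VIPs sharing one nat-pool, and a VIP class with no usable nat-pool (servers would then see the raw client IP and reply around the ACE). The config excerpt inside is constructed from the sample above; the parser handles only the commands shown there.

```python
import re

# Constructed excerpt of the posted ACE config: one nat-pool per VIP on vlan 511.
ACE_CONFIG = """\
class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
policy-map multi-match VIPs
  class vip-1
    nat dynamic 1 vlan 511
  class vip-2
    nat dynamic 2 vlan 511
interface vlan 511
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 2 172.16.0.16 172.16.0.16 netmask 255.255.255.0 pat
"""

def parse_ace(config):
    """Extract VIP per class-map, (pool id, vlan) per policy class, and pool ranges per vlan."""
    vips, pool_of_class, pools, ctx = {}, {}, {}, None  # ctx = enclosing block
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"class-map match-all (\S+)", s):
            ctx = ("cmap", m[1])
        elif (m := re.match(r"\d+ match virtual-address (\S+)", s)) and ctx and ctx[0] == "cmap":
            vips[ctx[1]] = m[1]
        elif m := re.match(r"class (\S+)$", s):          # 'class X' inside the policy-map
            ctx = ("pclass", m[1])
        elif (m := re.match(r"nat dynamic (\d+) vlan (\d+)", s)) and ctx and ctx[0] == "pclass":
            pool_of_class[ctx[1]] = (int(m[1]), int(m[2]))
        elif m := re.match(r"interface vlan (\d+)", s):
            ctx = ("vlan", int(m[1]))
        elif (m := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask", s)) and ctx and ctx[0] == "vlan":
            pools[(int(m[1]), ctx[1])] = (m[2], m[3])   # (first address, last address)
    return vips, pool_of_class, pools

def server_side_sources(config):
    """Return ({vip: (pool_start, pool_end)}, findings); any finding defeats per-VIP firewall rules."""
    vips, pool_of_class, pools = parse_ace(config)
    mapping, findings, users = {}, [], {}
    for cls, vip in sorted(vips.items()):
        key = pool_of_class.get(cls)                      # None if the class has no 'nat dynamic'
        if key not in pools:
            findings.append(f"{cls} ({vip}): no usable nat-pool, servers would see the client IP")
            continue
        mapping[vip] = pools[key]
        users.setdefault(key, []).append(vip)
    findings += [f"nat-pool {k[0]} on vlan {k[1]} is shared by VIPs {v}" for k, v in users.items() if len(v) > 1]
    return mapping, findings
```

With the posted layout each VIP maps to exactly its own address, so the server-side firewall can permit traffic per VIP even though the original client IP is gone.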

helsayed78 Thu, 08/09/2012 - 10:44

Thank you.

I will test it and tell you how it goes.

Do you have any documentation regarding this that can help me?

Regards,

Hesm