One Arm ACE Natting

helsayed78
Level 1

Is it possible for ACE in one-arm mode to NAT using the same source address? If yes, then how?

Regards,

Hesham

10 Replies

jsirstin
Level 1

Hesham,

What source address are you referring to, the original client IP that is making the request? If so, this is not possible. You need to use a Nat-pool address that the ACE can own to force the server reply back to the ACE rather than sending directly back to the client.

Regards

Jim

So that will only work in transparent mode?

Regards,

Hesham

Hesham,

Transparent mode does not change the vip address to the server ip. Nat-pools are used to change the client IP to an address the ACE owns to avoid asymmetric traffic flows. Not quite sure what you are trying to accomplish. Can you give more detail?

Ok, so if I have 10 VIP IPs on ACE, can I specify the NAT IP for each VIP IP? Because if that is not possible, then how will I restrict access to servers that are LB by Cisco ACE and are behind a firewall?

Regards,

Hesham

In other words... all requests hitting the servers will be from the NAT pool IPs!!! So if these servers are protected by a firewall, then I won't be able to have restrictions based on source IPs (client IPs).

Is there a work around to solve this issue?

Regards,

H

Does anyone have an idea to solve this issue?

Regards,

Hesham,

With the statement "Ok, So if I have 10 VIP IPs on ACE? , can I specify the NAT IP for each  VIP IP.", are you talking about using the same nat-pool address as the vip IP?

Example: If you have the class-map like this

class-map match-all L4VIPCLASS
  2 match virtual-address 10.86.178.254 tcp eq www

And use the same IP in the nat-pool?

interface vlan 178
  description Client Vlan
  ip address 10.86.178.227 255.255.255.0
  peer ip address 10.86.178.228 255.255.255.0
  mac-sticky enable
  access-group input ANYONE
  nat-pool 56 10.86.178.254 10.86.178.254 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  service-policy input jim
  no shutdown

If this is what you are talking about it is definitely possible. Even if you do not want to use the same VIP IP as the nat-pool IP you can still have one Nat-pool IP tied to just one VIP IP.

Regards

Jim

Thanks for your reply.

That is exactly what I was asking for, but what if I have several class maps with different VIPs!! In your example you only stated one VIP using the same NAT IP for it.

How can I do the same with the other VIPs? Please give me an example like the one you mentioned above.

Regards,

Hesham,

Here is a sample with 3 vips using the same IP and 3 nat-pools; you would use the same template for the rest of your vips.

class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
class-map match-all vip-3
  2 match virtual-address 172.16.0.17 tcp eq www

policy-map multi-match VIPs
  class vip-1
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 511
  class vip-2
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 511
  class vip-3
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-3
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 3 vlan 511

interface vlan 511
  ip address 172.16.0.130 255.255.255.0
  alias 172.16.0.128 255.255.255.0
  peer ip address 172.16.0.131 255.255.255.0
  access-group input any
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 2 172.16.0.16 172.16.0.16 netmask 255.255.255.0 pat
  nat-pool 3 172.16.0.17 172.16.0.17 netmask 255.255.255.0 pat
  no shutdown
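An added example, not from the thread or from Cisco: a small check that parses the ACE syntax shown above and verifies the pattern Jim describes, that every VIP class has a "nat dynamic" entry whose nat-pool on that VLAN is exactly the VIP's own address (a VIP with no NAT in one-arm mode gets asymmetric replies; a pool with a different address defeats the per-VIP firewall rule). The sample config and its addresses are constructed for the example, with one VIP wired correctly, one missing NAT and one pointing at the wrong pool.

```python
import re
# Constructed sample in the ACE syntax from the thread (addresses made up): vip-1 is
# wired correctly, vip-2 has no "nat dynamic", vip-3 points at a pool that is not its VIP.
ACE_CONFIG = """\
class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
class-map match-all vip-3
  2 match virtual-address 172.16.0.17 tcp eq www
policy-map multi-match VIPs
  class vip-1
    nat dynamic 1 vlan 511
  class vip-2
    loadbalance vip inservice
  class vip-3
    nat dynamic 3 vlan 511
interface vlan 511
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 3 172.16.0.40 172.16.0.40 netmask 255.255.255.0 pat
"""
def parse_ace(config):
    """Collect VIP addresses, per-class 'nat dynamic' ids and nat-pool ranges."""
    vips, nat_ids, pools, cls, vlan = {}, {}, {}, None, None
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"class(?:-map match-all)? (\S+)$", s):   # class-map or class
            cls = m.group(1)
        elif m := re.match(r"\d+ match virtual-address (\S+)", s):
            vips[cls] = m.group(1)
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)", s):
            nat_ids[cls] = (m.group(1), m.group(2))   # same key shape as nat-pool
        elif m := re.match(r"interface vlan (\d+)", s):
            vlan = m.group(1)
        elif m := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask", s):
            pools[(m.group(1), vlan)] = (m.group(2), m.group(3))
    return vips, nat_ids, pools

def audit_vip_nat(config):
    """Return {vip: 'ok' | 'no-nat' | 'no-pool' | 'mismatch:<start>-<end>'}."""
    vips, nat_ids, pools = parse_ace(config)
    report = {}
    for name, vaddr in vips.items():
        pool = pools.get(nat_ids.get(name))   # None if no 'nat dynamic' or no pool on that VLAN
        if name not in nat_ids:
            report[name] = "no-nat"            # one-arm: server replies would bypass the ACE
        elif pool is None:
            report[name] = "no-pool"
        else:
            report[name] = "ok" if pool == (vaddr, vaddr) else f"mismatch:{pool[0]}-{pool[1]}"
    return report
```

Run it against a "show running-config" capture to list every VIP whose source NAT does not match before the firewall rules are written.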

Thank you.

I will test it and tell you how it goes.

Do you have any documentation regarding this that can help me.

Regards,

Hesham
