Cisco ACE 4710 NAT All Traffic to VIP Address

Aug 22nd, 2013

I know that the ACE will NAT all return traffic to the VIP address, but what I need to do is to NAT traffic sourced from the real servers that does not match an existing flow: traffic like outbound connections initiated from the real servers, ICMP, etc. For information, the real servers use the ACE as the gateway for this traffic.


I tried a NAT pool without luck. Anyone have any luck doing this?


rserver host server1
  ip address 192.156.241.64
  inservice
rserver host server2
  ip address 192.156.241.65
  inservice

serverfarm host FARM
  failaction purge
  predictor leastconns slowstart 15
  rserver server1
    conn-limit max 4000000 min 4000000
    inservice
  rserver server2
    conn-limit max 4000000 min 4000000
    inservice

class-map match-all VIP
  2 match virtual-address 192.156.246.255 any
class-map type management match-any minimal-diag
  2 match protocol icmp any
class-map type management match-any remote-access
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol telnet any

policy-map type loadbalance first-match VIP-POLICY
  class class-default
    serverfarm FARM

policy-map multi-match VIPS
  class VIP
    loadbalance vip inservice
    loadbalance policy VIP-POLICY
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 1 vlan 241

interface vlan 241
  description POS
  ip address 192.156.241.245 255.255.255.0
  alias 192.156.241.250 255.255.255.0
  peer ip address 192.156.241.246 255.255.255.0
  access-group input all
  access-group output all
  nat-pool 1 192.156.246.255 192.156.246.255 netmask 255.255.255.255 pat
  service-policy input VIPS
  no shutdown

ip route 192.156.245.0 255.255.255.0 192.156.241.7
ip route 0.0.0.0 0.0.0.0 192.156.241.7

Jorge Bejarano Thu, 08/22/2013 - 20:03

Daniel,


Basically, you want to do something which is called: "server initiation traffic" where the servers are the ones which will start the connections to the ACE.


You said you do not want to match any VIP (virtual IP address) and just NAT the traffic to send it to the outbound side (the Internet, for example), correct? Or do you want to start traffic from a server to hit a VIP to send it to another serverfarm?


Jorge

daniel.carlton@... Fri, 08/23/2013 - 05:15

Hi...


For the traffic I want to NAT, the server will send it to an outside address (not a VIP) and I want the ACE to NAT the source of the traffic so it appears to be coming from the VIP.


Dan

Cesar Roque Fri, 08/30/2013 - 15:17

Hi Daniel


You need something like this:


class-map match-all SERVERNAT
  2 match source-address x.x.x.x 255.255.255.255

policy-map multi-match NAT
  class SERVERNAT
    nat dynamic 1 vlan XX

interface vlan XX          ------ front-side VLAN
  ip address 192.168.50.15 255.255.255.0
  mac-sticky enable
  access-group input Allow_all_traffic
  access-group output Allow_all_traffic
  nat-pool 1 x.x.x.x netmask 255.255.255.0 pat
  no shutdown

interface vlan XX          ------ server VLAN
  ip address 208.50.107.109 255.255.255.192
  mac-sticky enable
  access-group input Allow_all_traffic
  access-group output Allow_all_traffic
  service-policy input NAT
  no shutdown




---------------------
Cesar R
ANS Team
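Added example (not from Cesar's post or from Daniel's configuration): Cesar's pattern mapped onto the addressing in the original post. The reason the original config does not translate server-initiated traffic is that class VIP matches only on destination address 192.156.246.255, so its nat dynamic line is never evaluated for a flow that a real server starts toward an outside address. A second class that matches on the real servers' source addresses is what catches those flows. The example assumes Daniel's single-VLAN layout (VLAN 241 carries the real servers, the alias they use as gateway, and the path to the upstream router 192.156.241.7), so the new class is added to the multi-match policy VLAN 241 already carries and reuses nat-pool 1, which makes the translated source the VIP itself. The class name SERVER-INITIATED is invented here.

```cisco
! Added example, not part of the original thread. Assumes the one-VLAN
! layout from the first post: reals 192.156.241.64/.65 on VLAN 241,
! VIP and PAT address 192.156.246.255, upstream router 192.156.241.7.

! match-any is required: a match-all class with two source-address
! lines can never match one packet.
class-map match-any SERVER-INITIATED
  2 match source-address 192.156.241.64 255.255.255.255
  3 match source-address 192.156.241.65 255.255.255.255

! The existing VIP class keeps its load-balancing and NAT lines; the
! new class only adds source NAT for flows the reals originate.
policy-map multi-match VIPS
  class VIP
    loadbalance vip inservice
    loadbalance policy VIP-POLICY
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 1 vlan 241
  class SERVER-INITIATED
    nat dynamic 1 vlan 241

! Pool 1 is already defined on VLAN 241 in the original config and is
! reused unchanged: start and end address are both the VIP, with PAT so
! many reals can share it.
interface vlan 241
  nat-pool 1 192.156.246.255 192.156.246.255 netmask 255.255.255.255 pat
  service-policy input VIPS
```

To check it, open a connection from server1 to a host beyond 192.156.241.7 and look at `show conn` on the ACE: the flow should carry 192.156.241.64 on the server leg and 192.156.246.255 on the outside leg. `show service-policy VIPS detail` gives per-class hit counters, which tells you whether SERVER-INITIATED is being matched at all. Test ICMP separately (a ping from a real to the router), since it has no port for PAT to rewrite and is worth confirming rather than assuming. The upstream router must already route 192.156.246.255 to the ACE for the VIP to work, so no new return route is needed.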

Fernando Bello Tue, 09/03/2013 - 12:00

Cesar, Jorge,


I've got something similar to this situation.


I've got several serverfarms. Each serverfarm relates to an app that is reached via a VIP in 10.11.12.0/24. Actually that subnet is used to provide VIPs for all apps in 3 different contexts.


Sometimes, a client needs to access VIP 10.11.12.100. It is load-balanced against 5 real servers. Sometimes one of those real servers needs to query another app that is reached via VIP 10.11.12.101, which is in another context. How can I do that?


And if the real server needed to query another app that is reached via VIP 10.11.12.102, which is in the same context, what should I do?


thanks in advance,

jasmina27s Thu, 09/05/2013 - 00:12

Hi Fernando,


It is not quite similar to the NAT problem.

You need server-to-server load balancing.

Basically, you need appropriate routing and to ensure that the ACE can see both directions of the traffic. Otherwise it is the same as client-server. The server should just go to the destination VIP of the other serverfarm.


If the traffic is routed between two ACE contexts, you should not have a problem; it should work the same as client-server traffic, and the relevant ACE context (the one in charge of the VIP) will see both directions of a connection. The other context will just route the traffic. You just have to provide appropriate routing towards the VIP address and towards the source server's real IP address (the ACE does not NAT the source IP by default).


The situation is more complicated if you have two serverfarms with real server addresses in the same subnet on the same context (if they are in separate subnets, the behavior is similar to the above, just routing). In the case of real servers in the same subnet you have to force the returning traffic to go via the ACE. By default, the destination server will see the real source IP of the source server and will try to respond directly, avoiding the ACE. Only in that case do you need source NAT to hide the IP of the source server and force the returning traffic back to the ACE.


All of the above applies if you have configured routed mode on the ACE contexts...

If your scenario is more complicated, please give more details about your config.



Best regards,

Jasmina
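Added example (not Fernando's configuration, which is not on the page): the same-subnet case Jasmina describes, in routed mode with two VLANs. Everything except the two VIPs is assumed: the real servers of both farms sit in 10.11.13.0/24 on VLAN 13, the client side is VLAN 12, and 10.11.13.200 is an unused address in the real-server subnet reserved as the NAT address; rserver, serverfarm, class and policy names are invented. It shows why the source NAT is needed only in this layout: when a real of the first farm calls VIP 10.11.12.102 and is balanced to a real of the second farm in the same subnet, that destination real would otherwise answer the caller directly over the shared L2 segment, and the ACE, holding only half the connection, would drop it.

```cisco
! Added example, not part of the original thread. Assumed addressing:
! VLAN 12 = client/VIP side, VLAN 13 = all real servers (10.11.13.0/24),
! 10.11.13.200 = NAT address owned by the ACE on VLAN 13.

rserver host app-a-1
  ip address 10.11.13.11
  inservice
rserver host app-c-1
  ip address 10.11.13.31
  inservice

serverfarm host FARM-A
  rserver app-a-1
    inservice
serverfarm host FARM-C
  rserver app-c-1
    inservice

class-map match-all VIP-A
  2 match virtual-address 10.11.12.100 tcp eq 443
class-map match-all VIP-C
  2 match virtual-address 10.11.12.102 tcp eq 443

policy-map type loadbalance first-match LB-A
  class class-default
    serverfarm FARM-A
policy-map type loadbalance first-match LB-C
  class class-default
    serverfarm FARM-C

policy-map multi-match APPS
  class VIP-A
    loadbalance vip inservice
    loadbalance policy LB-A
  ! VIP-C is called by reals that share a subnet with FARM-C, so its
  ! source is rewritten to 10.11.13.200 and the reply comes back to
  ! the ACE instead of going straight to app-a-1 over VLAN 13.
  class VIP-C
    loadbalance vip inservice
    loadbalance policy LB-C
    nat dynamic 5 vlan 13

interface vlan 12
  ip address 10.11.12.1 255.255.255.0
  service-policy input APPS
  no shutdown

! The pool named in "nat dynamic 5 vlan 13" must live on VLAN 13, and
! the policy must also be applied here: app-a-1's packets toward
! 10.11.12.102 enter on this interface, not on VLAN 12.
interface vlan 13
  ip address 10.11.13.1 255.255.255.0
  nat-pool 5 10.11.13.200 10.11.13.200 netmask 255.255.255.255 pat
  service-policy input APPS
  no shutdown
```

Only the VIP that same-subnet reals actually call needs the nat dynamic line; external clients reaching VIP-A come through VLAN 12 and their replies already return via the ACE. The trade-off is visibility: once VIP-C is source-NATed, the FARM-C reals log 10.11.13.200 rather than the calling server, so keep the ACE's `show conn` output as the place to reconstruct who called what. For the cross-context case Fernando also asked about (10.11.12.101 in a different context), Jasmina's point stands: no NAT, just a route for the VIP toward that context and a route for 10.11.13.0/24 back.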

Cesar Roque Mon, 09/09/2013 - 13:36

Hi Fernando,


You need to configure the service-policy in the server VLAN and probably SNAT will be needed.


Do you have the configuration? 



---------------------
Cesar R
ANS Team

Fernando Bello Thu, 09/12/2013 - 09:43

Thanks Cesar, Jasmina and you gave the necessary answer to the problem that I was facing.


Thanks!!!
