ACE 4710 rserver NAT

eagles-nest
Level 1

Hi

We have an ACE with the usual client and server facing vlans.  VIPs are presented on the client side subnet in order to load balance incoming requests to a group of servers in a serverfarm.  The client side VIPs are in a subnet behind our corporate firewall in a DMZ.

For one rserver in the server farm we need to allow it to talk to a database server on the inside of our network.

Can I NAT a single rserver address when going to a single host on our inside?  If so, do I NAT to an address on our client facing subnet or can I allocate a pool, static NAT to a single address in the pool and route to the pool from our firewall via the DMZ interface?

So for example.

Our serverfarm farm1 contains rserver1 and rserver2 on addresses 192.168.1.10 and 11.  The VIP on the client side subnet is 192.168.101.111.

Only rserver1 needs to talk to our db server at 10.3.1.145 on port 2345.

So can I NAT rserver1 to another 192.168.101.x address or to an address from a completely new range, then route to that range via our DMZ interface with next hop as the client side ACE address?

I am assuming I can do either option and if so my preference would be to NAT to an address in the client side subnet to save any additional firewall routing/ACL config.  If this is possible what would be the syntax of the commands?

Thanks, Stuart.

1 Accepted Solution

Peter Koltl
Level 7

All the options can be set up. Actually you don't need NAT at all if 192.168.1.0 is known and routed.


Thanks for the reply Peter.

So just to clarify.  I can route to my rserver address directly via the client side IP address on the ACE?  I use the VIP address to hit the server farm and load balance but I can route directly to a server side IP address? 

I suppose that makes absolute sense since the ACE is in routed mode.

I appreciate your response.

Stuart.

Peter Koltl
Level 7

Yes, why not? After all, ACE is a router... (-:

Just don't forget the ACLs.
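
A least-privilege form of the ACL mentioned in the reply above, as an added example that is not part of the original thread: it permits only rserver1 to reach the database host on the one port named in the question, next to the over-broad rule it replaces. The VLAN number and ACL name are assumptions; the addresses and port are the ones given in the question.

```cisco
! Added example, not from the thread. VLAN 200 (server-side interface) and
! the ACL name RSERVER1-TO-DB are hypothetical; substitute your own.
!
! Over-broad rule to avoid: lets every rserver open connections to anything
! reachable through the ACE.
!   access-list SERVER-OUT line 10 extended permit ip any any
!
! Scoped rule: only rserver1 (192.168.1.10) to the db server (10.3.1.145)
! on TCP 2345. rserver2 (192.168.1.11) is not matched, so the implicit deny
! at the end of the ACL drops its server-initiated traffic.
access-list RSERVER1-TO-DB line 10 extended permit tcp host 192.168.1.10 host 10.3.1.145 eq 2345

! An interface takes one input ACL. If the server-side VLAN already has an
! access-group, add the permit line to that existing ACL instead of
! replacing it with this one.
interface vlan 200
  access-group input RSERVER1-TO-DB

! Without NAT, the corporate firewall also needs a route to 192.168.1.0/24
! with the ACE client-side address as next hop, and a matching rule for
! 192.168.1.10 -> 10.3.1.145 tcp/2345 on its DMZ interface.
```

Replies from the rservers to load-balanced client connections belong to flows the ACE already tracks, so this ACL only governs connections the servers initiate.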
