New Member

a DNAT is not working on ACE


I configured the DNAT on ACE. You can see this configuration below:

access-list traffic line 8 extended permit ip any any

class-map match-any NAT_class
  2 match destination-address

policy-map multi-match NAT_policy
  class NAT_class
    nat static netmask vlan 345

access-group input traffic

interface vlan 341
  description Server vlan
  ip address
  service-policy input NAT_policy
  no shutdown
interface vlan 345
  ip address
  no shutdown

When I tried to ping from the server to the address - no NAT is provided :-( I have no matches in the output of show service-policy:

sho service-policy NAT_policy detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 341
  service-policy: NAT_policy
    class: NAT_class
        nat static vlan 345
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

I hope that the configuration is right. So why is the NAT not provided by ACE?

Thank you very much.


New Member

Re: a DNAT is not working on ACE


The configuration you supplied is for source NAT. With the configuration you have, any packet destined for, will be source natted to if it exits interface 345.

The ACE is a load balancer, so by default the ACE will do destination NAT. To get the behavior you want, you should create a virtual address and do it that way.

For example:

rserver host server
  ip address

serverfarm host serverfarm
  rserver server

class-map match-all vip
  match virtual address any

policy-map type loadbalance first-match TEST
  class class-default
    serverfarm serverfarm

policy-map multi-match policy
  class vip
    loadbalance vip inservice
    loadbalance policy TEST
    loadbalance vip icmp-reply active

interface vlan 342
  service-policy input policy

New Member

Re: a DNAT is not working on ACE

Hi Christopher,

so there is no possibility to provide destination NAT?

For example, in a situation where I want to communicate from a server to some private address as the destination address, and this address will be translated into a public address on the client side. See:

The server will send the packet with destination address - ACE will translate this destination address into the address

I don't want to use LB with VIP!!



New Member

a DNAT is not working on ACE

To my knowledge, what you are asking for is not possible without going through a VIP. When you create a match destination address, the ACE does not create an ARP entry for it. So the upstream router would not know where to send the packet.