Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

a DNAT is not working on ACE

Hi,

I configured the DNAT on ACE. You can see this configuration below:

access-list traffic line 8 extended permit ip any any

class-map match-any NAT_class
  2 match destination-address 192.168.1.11 255.255.255.255

policy-map multi-match NAT_policy
  class NAT_class
    nat static 172.16.11.11 netmask 255.255.255.255 vlan 345

access-group input traffic

interface vlan 341
  description Server vlan
  ip address 192.168.1.1 255.255.255.0
  service-policy input NAT_policy
  no shutdown
interface vlan 345
  ip address 172.16.11.2 255.255.255.0
  no shutdown

When I tried to ping from the server to the address 192.168.1.11 - no NAT is provided:-( I have no matches in the output show service-policy:

sho service-policy NAT_policy detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 341
  service-policy: NAT_policy
    class: NAT_class
      nat:
        nat static 172.16.11.11 vlan 345
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

I hope that the configuration is right. So why the NAT is not provided by ACE?

Thank you very much.

Roman

Everyone's tags (2)
3 REPLIES
New Member

Re: a DNAT is not working on ACE

Roman,

      The configuration you supplied is for source nat.   With the configuration you have, any packet destined for 192.168.1.11, will be source natted to 172.16.11.11 if it exits interface 345. 

The ACE is a loadbalancer, so by default the ACE will do destination NAT so to get the desired behavior you want you should create a virutal address and do it that way. 

for example

rserver host server

ip address 172.16.11.11

inservice

serverfarm host serverfarm

rserver server

inservice

class-map match-all vip

match virtual address 192.168.1.11 any

policy-map type loadbalance first-match TEST

class class-default

serverfarm serverfarm

policy-map multi-match policy

class vip

loadbalance vip inservice

loadbalance policy TEST

loadbalance vip icmp-reply active

interface vlan 342

service-policy input policy


http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html

New Member

Re: a DNAT is not working on ACE

Hi Christopher,

so there is no possibility to provide destination NAT?

For example in situation when I want to communicate from a server to some private address as destination address and this address will be translated into public address on the client side. See:

server will sent the packet with destination address 10.0.0.1 - ACE will translate this destination address into the address 193.16.0.1.

I don't want to use LB with VIP!!

Thanks

Roman

New Member

a DNAT is not working on ACE

To my knowledge what you are asking for is not possible without going through a vip.  When you create a match desitnation address 192.168.1.11, the ace does not create an arp entry for it.  So the upstream router would not know where to send the packet. 

Thanks,

Chris

402
Views
0
Helpful
3
Replies