
New Member

ACE & 1/2 NAT vs. Full NAT

I'm running into a problem with Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.

My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.

- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections be treated as 1/2 NAT?

- Is there an alternative method for me to do what I need?

- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.

Thanks in advance.

Casey

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACE & 1/2 NAT vs. Full NAT

Casey,

You can apply a NAT policy to the server VLAN only, so traffic will only be NATed when the connection comes from the server VLAN.

If you don't want to NAT all traffic, you can use a class-map that only matches a specific destination IP.

If you need further detail let me know.

Gilles.
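The following ACE configuration fragment is an added illustration of the approach Gilles describes, not configuration posted by him or taken from the thread. It assumes a constructed VIP of 10.1.1.20 (Farm2's LDAP VIP), server VLAN 20 with subnet 10.1.20.0/24, a single PAT address 10.1.20.200 reserved for the NAT pool, and the serverfarm name FARM2; all of these are placeholders, as are the class-map and policy-map names. Only the server-VLAN interface carries the NAT policy, and its class matches nothing but the VIP as destination, so client-side traffic from the front-end VLAN is untouched and Farm2 still sees real client IPs for ordinary LDAP requests.

```text
! Constructed example: source-NAT only server-originated connections to the Farm2 VIP.
! Assumed values: VIP 10.1.1.20, server VLAN 20 (10.1.20.0/24), PAT address 10.1.20.200.

! Layer 3/4 class matching the VIP itself so the ACE load balances requests that
! arrive on the server VLAN (Farm1 hosts talking to the Farm2 VIP).
class-map match-all VIP-FARM2-LDAP
  2 match virtual-address 10.1.1.20 tcp eq 389

! Class that matches only traffic whose destination is the VIP; this is the
! "specific destination ip" class-map. Nothing else on the server VLAN matches it.
class-map match-all TO-FARM2-VIP
  2 match destination-address 10.1.1.20 255.255.255.255

! Layer 7 / LB policy for the VIP (assumed serverfarm name FARM2).
policy-map type loadbalance first-match FARM2-LB
  class class-default
    serverfarm FARM2

! Multi-match policy applied only to the server VLAN: load balance the VIP and
! source-NAT (PAT) the server-initiated flows that hit it, so the SYN-ACK returns
! through the ACE instead of going directly from the real server to the caller.
policy-map multi-match SERVER-VLAN-POLICY
  class VIP-FARM2-LDAP
    loadbalance vip inservice
    loadbalance policy FARM2-LB
  class TO-FARM2-VIP
    nat dynamic 1 vlan 20

interface vlan 20
  description server VLAN (Farm1 and Farm2)
  ip address 10.1.20.1 255.255.255.0
  ! NAT pool 1: one address with PAT, drawn from the server subnet.
  nat-pool 1 10.1.20.200 10.1.20.200 netmask 255.255.255.255 pat
  service-policy input SERVER-VLAN-POLICY
  no shutdown
```

The client-side VLAN keeps its own service-policy with the usual VIP classes and no `nat dynamic` line, which is what preserves half-NAT (client IP visible) for front-end requests to Farm2. Because ACE accepts a single input service-policy per interface, the VIP's load-balancing class and the NAT class have to live in the same multi-match policy on the server VLAN, as shown; a `show conn` filtered on the VIP address on the ACE is a quick way to confirm that only server-VLAN-originated connections show the translated source address.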

2 REPLIES

New Member

Re: ACE & 1/2 NAT vs. Full NAT

Gilles,

I've been meaning to respond back to tell you that this is a better answer than I had hoped for. The only reason I needed to use NAT in the first place was because of the TCP 3-way handshake problem with servers from behind the ACE needing to access the VIP. This is perfect. Thank you.

Casey
