Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE 4710 client NAT (outgoing)

Hi Experts,

     I have a ace 4710 set as load balancing http and https only, seems working fine.

     Now I have another requirment to NAT all real servers IP (server side internal network 10.8.8.0) to VIP (192.168.1.20).

our configuration is as below,

two real server ip are 10.8.8.2 and 10.8.8.3 connected to VLAN interface v500 (ip is 10.8.8.254)

vlan v400 face to public, v400 interface ip 192.168.1.10, and one VIP 192.168.1.20, VIP is mapped to two real servers.

I need to config: all outgoing trafic from network 10.8.8.0 to public to NAT the source IP to 192.168.1.20 (VIP, not the interface real IP 192.168.1.10).

Thanks,

BQ

4 REPLIES

ACE 4710 client NAT (outgoing)

Hello BQ,

I would say it should look like this:

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any

interface vlan 50

  description "Client-Server VLAN"

  ip address  192.168.1.2 255.255.255.0

  access-group input everyone

  service-policy input client-vips

  service-policy input remote-access

  nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat

  no shutdown

policy-map multi-match client-vips

  class slb-vip

    loadbalance vip inservice

    loadbalance policy slb

    nat dynamic 5 vlan 50

class-map match-all slb-vip

  2 match virtual-address 192.168.1.20 eq tcp www

policy-map type loadbalance first-match slb

  class class-default

    serverfarm web

serverfarm host web

  rserver lnx1

    inservice

  rserver lnx2

    inservice

rserver host lnx1

  ip address 10.8.8.2

  inservice

rserver host lnx2

  ip address 10.8.8.3

  inservice

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Hope this helps!!!

Jorge

New Member

ACE 4710 client NAT (outgoing)

Hi Jorge,

Thanks for your reply, i have add the NAT pool "nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat" already, but it seems no affect for the trafic, whether add nat pool or not , it is no different. is the nap pool impact the outgoing package(like initiated trafic from real server to access public web server (www.yahoo.com))?  i want public user see all trafic from VIP 192.168.1.20.

Thanks!!!

ACE 4710 client NAT (outgoing)

Where is the traffic generated? from the client side or the server side?

Could you provide us with an output like this: "#show service-policy client-vips class slb-vip detail" ?

Jorge

ACE 4710 client NAT (outgoing)

Here are a few things you could try

1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat

changeto

nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)

2.service-policy input remote-access

do you have a management Vlan interface defined if so add to that interface

3. The requirements are to LB http (80), and https (443). In this case you would need two seperate VIPS defined

VIP1:

class-map match-all slb-vip

  2 match virtual-address 192.168.1.20 eq tcp 80

VIP2:

class-map match-all slb-vip

  2 match virtual-address 192.168.1.20 eq tcp 443

Is there a requirement to redirect http traffic ? If so you would need to define another class-map to redirect http traffic to https

show service-policy client-vips detail   

HTH

652
Views
0
Helpful
4
Replies
CreatePlease login to create content