I would like to configure NAT on the returning traffic from the rservers.
So far I've been able to NAT traffic from the client side to the server side OK, but for some reason I am unable to NAT the returning traffic from the reals to the clients.
I want the returning traffic to show a dummy source IP address when sent from the ACE to the client, hence the 10.10.106.31 IP address.
My problem is that even though I've got this "match any" statement with my NAT class map it does not seem to match anything.
Same thing: I've configured an access-list on the server interface to deny the returning traffic and it did not block anything on vlan 999.
Traffic obviously flows through vlan 999, but I don't know why it does not trigger the class-map statement or even the access-list I've applied before.
It seems the only way to have a hit on either the class map or the access-list is to apply it on the client side or globally.
The configuration I've tried is:
access-list PERMIT_ALL line 10 extended permit ip any any

rserver host SRV01
  ip address 192.168.1.10
  inservice
rserver host SRV02
  ip address 192.168.1.11
  inservice

class-map match-any CM_L4_NAT_TEST
  2 match any

policy-map multi-match PM_L4_NAT_TEST
  class CM_L4_NAT_TEST
    nat dynamic 1 vlan 2000

interface vlan 999
  description SERVER SIDE / INSIDE INTERFACE
  ip address 192.168.1.252 255.255.255.0
  alias 192.168.1.254 255.255.255.0
  peer ip address 192.168.1.253 255.255.255.0
  no icmp-guard
  service-policy input PM_L4_NAT_TEST
  no shutdown

interface vlan 1999
  description CLIENT SIDE VLAN
  ip address 192.168.48.28 255.255.255.224
  alias 192.168.48.30 255.255.255.224
  peer ip address 192.168.48.29 255.255.255.224
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  nat-pool 1 10.10.106.31 10.10.106.31 netmask 255.255.255.255 pat
  service-policy input PM_L4_ICMP_POLICY
  no shutdown
>> Any idea on how to NAT the source IP address for returning traffic?