Cisco Support Community

New Member

ACE: as firewall and NAT. inbound and outbound originals

Hi Team,

This time no load balancing is required.

Two servers inside (with private IPs) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.

Both of our servers will work independently for this purpose.

I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as a firewall/router. No plan to load balance at present.

Regards to all

SS

4 REPLIES
Cisco Employee

Re: ACE: as firewall and NAT. inbound and outbound originals

ACE will route by default if the traffic is permitted with an access-group.

So, there is nothing much to do if you just need basic routing.

TCP normalization is on by default, so you get the TCP protection.

You can then add per protocol inspection if needed.

G.

New Member

Re: ACE: as firewall and NAT. inbound and outbound originals

Thanks G,

The internal servers use private IP addresses, hence we need to do NAT on the ACE (previously it was done by FWSM).

The traffic originates from internal and also from the internet.

NAT in both directions is needed.

Static Destination NAT for EACH server can be used if originating in the Internet.

What NAT to use for the same serverS if they originate traffic towards the internet?

Regards

SS

Cisco Employee

Re: ACE: as firewall and NAT. inbound and outbound originals

The idea is always the same.

Catch your traffic with a class-map, link the class-map to a policy that performs the needed action, i.e., NAT. Assign the policy to the inbound interface.

Here is an example:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Gilles.
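The pattern described in the reply above (class-map to catch the traffic, policy-map to apply NAT, service-policy on the inbound interface), written out for the two-server case as an added example that is not from any participant in this thread or from the linked Cisco document. All names, VLAN numbers and addresses are constructed, the `!` lines are annotations for the reader, and the behaviour noted for the outside ACL is an assumption to verify on your ACE release.

```text
! Constructed layout: inside = VLAN 20 (servers 10.1.1.11, 10.1.1.12),
! outside = VLAN 10 (public 192.0.2.11, 192.0.2.12). Names are hypothetical.

! One ACL per server so each gets its own one-to-one mapping.
access-list SRV1_NAT line 10 extended permit ip host 10.1.1.11 any
access-list SRV2_NAT line 10 extended permit ip host 10.1.1.12 any

! Nothing is forwarded unless an access-group permits it.
access-list INSIDE_OUT line 10 extended permit ip host 10.1.1.11 any
access-list INSIDE_OUT line 20 extended permit ip host 10.1.1.12 any
! Assumption: the outside ACL is matched against the public (mapped) address.
! Permit only the services actually published; tcp/443 is a placeholder.
access-list OUTSIDE_IN line 10 extended permit tcp any host 192.0.2.11 eq 443
access-list OUTSIDE_IN line 20 extended permit tcp any host 192.0.2.12 eq 443

class-map match-any SRV1_CLASS
  match access-list SRV1_NAT
class-map match-any SRV2_CLASS
  match access-list SRV2_NAT

! Static NAT is one-to-one, so the same mapping serves connections the
! server originates and connections from outside to the mapped address.
policy-map multi-match SERVER_NAT
  class SRV1_CLASS
    nat static 192.0.2.11 netmask 255.255.255.255 vlan 10
  class SRV2_CLASS
    nat static 192.0.2.12 netmask 255.255.255.255 vlan 10

! Policy goes on the interface where the servers' traffic enters the ACE.
interface vlan 20
  ip address 10.1.1.1 255.255.255.0
  access-group input INSIDE_OUT
  service-policy input SERVER_NAT
  no shutdown

interface vlan 10
  ip address 192.0.2.1 255.255.255.0
  access-group input OUTSIDE_IN
  no shutdown
```

Keeping `OUTSIDE_IN` limited to the published ports preserves the firewall role the FWSM had; a `permit ip any any` there would expose every port on both mapped addresses.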

New Member

Re: ACE: as firewall and NAT. inbound and outbound originals

Gilles,

Inbound traffic and the related reply traffic can be handled with a normal class-map by defining a VIP with a public IP.

The above real server with private IP is now going to make a different connection to the internet, i.e., outbound traffic and related reply traffic need handling (no load balancing planned).

Destination NAT, Static NAT sounds interesting.

Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.

SS
