ACE: How to translate a public address to a private VIP?

dpetitpierre
Level 1

Hello,

- How can one configure the ACE to translate a public address to a private VIP?

I have configured a test context (cf. annexe running-config_test_context.txt) following the instructions given in

Configuring Network Address Translation
Configuring Static NAT and Static Port Redirection
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/nat.html#wp1084392

(By the way it seems to me that there are some mistakes in this document: the syntax for netmasks used in the examples does not work on my ACE, and the DNAT example at the end mentions incoherent IP addresses 10.0.0.0 vs 172.27.16.100.)

When testing the public address, the connection is immediately terminated (RST packet, 0002 in the capture):

123.456.17.10# telnet 123.456.251.180 443
Trying 123.456.251.180...
telnet: Unable to connect to remote host: Connection refused

A capture shows that the ACE drops the packets (cf. annexe capture_detail.txt).

The NAT configuration half works: there is a hit but the connection is dropped:

ACE/test_context# show service-policy test_nat_policy detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 300
service-policy: test_nat_policy
class: test_nat_class
nat:
nat static 123.456.251.180 443 vlan 251
curr conns : 0 , hit count : 1
dropped conns : 1
client pkt count : 1 , client byte count: 48
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0

and no NAT translation is recorded:

ACE/test_context# show xlate
ACE/test_context#

Strangely the access-list is not active:

ACE/test_context# show access-list test_nat_acl
access-list:test_nat_acl, elements: 1, status: NOT-ACTIVE
remark :
access-list test_nat_acl line 10 extended permit tcp host 10.13.1.180 eq https any

but the NAT config is:

ACE/test_context# show nat-fabric policies
Nat objects:
NAT object ID:38 mapped_if:24 policy_id:62 type:STATIC static_xlate_id:63
ID:63 Static port translation
Real addr:10.13.1.180 Real port:443 Real interface:22
Mapped addr:123.456.251.180 Mapped port:443 Mapped interface:24
Netmask:255.255.255.255

- What is wrong or missing in this configuration?

I also tried configuring "Static NAT Overwrite", but for some reason it considers it as a duplicate address with the VIP:

ACE/test_context(config)# static vlan 251 vlan 300 123.456.251.180 10.13.1.180 netmask 255.255.255.255
Error: Specified ip address duplicates with an existing ip address configured in the context!

Thanks in advance for your help,

Dominique


dario.didio
Level 4

Hi,

What are you trying to do?

Can't you just configure the public IP as the VIP address on the ACEs?

Why do you want to do NAT of the VIP address?

Clients should hit the VIP and be load balanced to a serverfarm, I don't see the interest of using NAT for the VIP address.

If you want to use a private IP as VIP, you should do a static NAT of a public IP to a private IP on your FW or router in front of the ACE.

Please clarify what you are trying to do and why you are trying to do that ;)

HTH,

Dario

Hi,

On Sep 15, 2009, 6:34am PST dario.didio wrote:

> What are you trying to do?
> Can't you just configure the public IP as the VIP address on the ACEs?
> Why do you want to do NAT of the VIP address?
> Clients should hit the VIP and be load balanced to a serverfarm, I don't see the interest of using NAT for the VIP address.

In the planned ACE context there will be many private addresses: intranet VIPs and addresses used to manage the real servers. Only a few VIPs should be accessible via a public address from the outside, so we don't want to waste public addresses and only map those that are really necessary, while keeping the rest private.

> If you want to use a private IP as VIP, you should do a static NAT of a public IP to a private IP on your FW or router in front of the ACE.

Well, we tried, but with just one NAT entry for a subnet the CPU of the router (sup720) hit the roof (it handles more than 10 Tbytes per day): unacceptable for the persons responsible for that equipment. That is why we try to do the public-private translation on the ACE.

In any case, I'm still curious to understand why the configuration does not work.

Best regards,

Dominique

ACE does translation from VIP to rserver.

You cannot NAT from a VIP to another address.

So, in order to do what you want, you need the public address to be routed to the ACE itself. This can be achieved with a static route.

On the ACE itself, simply create a class-map with a virtual address matching the public IP OR the private IP.

ACE will then do the NATing properly between public or private to rserver and vice versa automatically.

Gilles.

Hi,

Sorry to reply so late: to do further tests I had to wait for the return of my colleague in charge of the router.

On Sep 15, 2009, 8:33am PST gdufour - CCIE wrote:

> ACE does translation from VIP to rserver.
> You cannot NAT from a VIP to another address.

OK.

> So, in order to do what you want, you need the public address to be routed to the ACE itself. This can be achieved with a static route.
>
> On the ACE itself, simply create a class-map with a virtual address matching the public IP OR the private IP.
> ACE will then do the NATing properly between public or private to rserver and vice versa automatically.

I tried this (cf. attachment running-config_test_context_2.txt) and it works like a charm:

- no need to declare an interface associated to the ACE for the subnet of the public address (vlan 251 in my previous attempt), and
- no need to explicitly configure a static route on the router for the public VIP address; the ACE takes care of it (probably because of the "loadbalance vip advertise" directive), and one finds that the following route is automatically defined on the router:

O E2 123.456.251.180/32 [110/20] via 10.14.2.2, 01:01:26, Vlan701

The same connection test with telnet as in the previous attempt now properly exchanges the initial TCP handshake packets:

123.456.17.10# telnet 123.456.251.180 443
Trying 123.456.251.180...
Connected to 123.456.251.180.
Escape character is '^]'.

A capture of this telnet session on the ACE shows the following packets (summarized thanks to wireshark; the "show capture buffer detail" is not as informative):

No. Time Source Destination Protocol Info
1 15:28:19.722768 123.456.17.10 123.456.251.180 TCP 55144 > https [SYN] Seq=0 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
2 15:28:19.723136 123.456.17.10 10.13.2.181 TCP 55144 > https [SYN] Seq=0 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
3 15:28:19.723441 10.13.2.181 123.456.17.10 TCP https > 55144 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
4 15:28:19.723749 123.456.251.180 123.456.17.10 TCP https > 55144 [SYN, ACK] Seq=3986379226 Ack=1 Win=49640 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460
5 15:28:19.724096 123.456.17.10 123.456.251.180 TCP 55144 > https [ACK] Seq=1 Ack=3986379227 Win=24820 Len=0
6 15:28:19.724480 123.456.17.10 10.13.2.181 TCP 55144 > https [ACK] Seq=1 Ack=1 Win=24820 [TCP CHECKSUM INCORRECT] Len=0

And of course, a connection to the private VIP (10.13.1.180) works just the same.

Thanks very much for your help with this issue.

Best regards,

Dominique
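The configuration Gilles describes and Dominique confirms, written out as an added example for this thread; it is not the attached running-config_test_context_2.txt, which is not reproduced on the page. One class-map matches both the private VIP and the public address on the same serverfarm, and "loadbalance vip advertise" lets the ACE inject the host route for the public VIP. The rserver, serverfarm, ACL and class-map names, the interface address and the "!" annotation lines are assumptions; the addresses, ports, VLAN and policy name come from the thread.

```text
! Added example, not the poster's attached config. Lines starting with "!"
! are annotations for the reader, not ACE commands.

! Inbound ACL: the ACE drops traffic on an interface with no access-group.
access-list allow_https line 10 extended permit tcp any any eq https

! Real server behind the VIPs (the address seen in the capture above).
rserver host web1
  ip address 10.13.2.181
  inservice

serverfarm host sf_https
  rserver web1 443
    inservice

! One class-map, two virtual addresses: the private VIP and the public one.
! match-any is required so that either address selects the class.
class-map match-any vip_https
  2 match virtual-address 10.13.1.180 tcp eq https
  3 match virtual-address 123.456.251.180 tcp eq https

policy-map type loadbalance first-match lb_https
  class class-default
    serverfarm sf_https

policy-map multi-match test_https_policy
  class vip_https
    loadbalance vip inservice
    loadbalance policy lb_https
    loadbalance vip icmp-reply active
    ! Injects a /32 host route for each active VIP into the switch's routing
    ! table; redistribution there is what produced the O E2 route above, so
    ! no manual static route for 123.456.251.180 is needed.
    loadbalance vip advertise active

! Only the server-side interface is needed: no interface in the public
! subnet (the vlan 251 of the first attempt). The address is an assumption
! taken from the next hop shown in the router's route.
interface vlan 300
  ip address 10.14.2.2 255.255.255.0
  access-group input allow_https
  service-policy input test_https_policy
  no shutdown
```

Because the ACE translates VIP to rserver rather than VIP to VIP, the client address is preserved in the capture (123.456.17.10 reaches 10.13.2.181 directly); a separate "nat static" policy for the public address is not involved and would only compete with the VIP.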


koltl-gold
Level 1

Are you sure you were able to attach two policy-maps to the same interface simultaneously?

interface vlan 300
service-policy input test_https_policy
service-policy input test_nat_policy

> Are you sure you were able to attach two policy-maps to the same interface simultaneously?

Yes.

The attachment to my post is the output of "show running-config".

In any case the problem that I tried to tackle was solved in a more natural way (see my previous post).
