Cisco Support Community

New Member

ACE in bridge mode with FWSM as gateway

Our design:

FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM

Originally there were no plans for servers to load-balance traffic when they wanted to communicate with each other. Now there is a need for this.

Since ACE is in bridge mode, there is no IP address configured on the VLAN and it can't do source NAT.

What we want: servers in serverfarm A can contact a single IP which can be load-balanced, with the traffic sent to serverfarm B. Both serverfarms reside in VLAN 8 and ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on ACE with an IP address in VLAN 8 and then do a source NAT to send the traffic to serverfarm 7.

With FWSM as the default gateway, enabling permit intra-traffic doesn't work, because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.

e.g. static (inside,outside) and allow intra-traffic.

So when a machine pings, it goes to the FWSM, but the FWSM doesn't look for

With ACE in bridge mode and FWSM doing the above, how do we get around this? Can something be done on ACE in bridge mode with source NAT?


Cisco Employee

Re: ACE in bridge mode with FWSM as gateway

First, why don't you have an IP in your ACE VLAN?

Then, for traffic hitting a VIP, we can do source NATing even in bridge mode.

But if the VIP is not an IP in VLAN 8, your server will send the traffic to the FWSM anyway, and ACE will first bridge the request.

The FWSM should then send the request back to ACE (not sure how this can be done).

So the request from the server will actually hit the VIP on VLAN 7 (not VLAN 8).

So your policy-map with client NAT must be on VLAN 7.

Another option would be to configure a static route on the server to point the VIP to the ACE VLAN 8 IP address (which you should have configured).

In this case, the policy-map will have to be on VLAN 8 with client NAT.
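A worked ACE configuration for the second option described in the reply above (VIP and client NAT on the bridged VLAN 8, with an access-group restricting which hosts may reach the VIP), added here as an example and not part of the original thread or Cisco's own documentation. All addresses and object names (VIP-B, FARM-B, FARM-A-ONLY, the 10.8.0.0/24 range) are constructed assumptions, and the per-server static route for the VIP via the BVI address is left to the hosts.

```cisco
! Constructed addressing: BVI 10.8.0.2/24 on bridge-group 1, VIP 10.8.0.100:80,
! client-NAT address 10.8.0.250, serverfarm B members 10.8.0.21 and 10.8.0.22.
! Only the serverfarm A subnet may reach the VIP; everything else on VLAN 8 is denied.
access-list FARM-A-ONLY line 10 extended permit tcp 10.8.0.0 255.255.255.0 host 10.8.0.100 eq 80

rserver host SRV-B1
  ip address 10.8.0.21
  inservice
rserver host SRV-B2
  ip address 10.8.0.22
  inservice

serverfarm host FARM-B
  rserver SRV-B1 80
    inservice
  rserver SRV-B2 80
    inservice

class-map match-all VIP-B
  2 match virtual-address 10.8.0.100 tcp eq 80

policy-map type loadbalance first-match LB-B
  class class-default
    serverfarm FARM-B

! nat dynamic rewrites the client source address to the pool address, so the
! reply from serverfarm B returns through ACE instead of going straight back
! to a client that sits in the same VLAN and never saw the original request.
policy-map multi-match VIP-POLICY
  class VIP-B
    loadbalance vip inservice
    loadbalance policy LB-B
    nat dynamic 1 vlan 8

interface vlan 7
  bridge-group 1
  no shutdown
interface vlan 8
  bridge-group 1
  access-group input FARM-A-ONLY
  nat-pool 1 10.8.0.250 10.8.0.250 netmask 255.255.255.255 pat
  service-policy input VIP-POLICY
  no shutdown
interface bvi 1
  ip address 10.8.0.2 255.255.255.0
  no shutdown
```

Flows that do not match FARM-A-ONLY are dropped at the interface before any policy is evaluated, so the ACL, not the class-map, is where access to the VIP is enforced.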


New Member

Re: ACE in bridge mode with FWSM as gateway

Thanks, Giles.

That's exactly what I am trying now, to get NAT working in bridge mode. I am looking to use a nested class-map and an access-list to restrict access, and use another match command for the VIP.

How do I use static NAT in bridge mode? In bridge mode the VLAN doesn't have an IP address, and while creating a policy-map and defining NAT, the command requires a VLAN interface.

Also, a context can be run in both routed and bridge mode. So can I have

vlan 7
  bridge group 1
vlan 8
  bridge group 1
ip address

and have

vlan 9
  ip address

Can the BVI and VLAN 9 be in the same subnet?