Hi all, is it possible to get the SRC NAT'ing to work in an ACE module configured in a bridged mode?
We have the following set up:
MSFC > FWSM(routed) > ACE(bridged)
The ACE is running code 3.0(0)A1(4a).
I've added the configuration of two VIP's that I am trying to set up. I need to have servers that are part of VIP1 to be able to connect to VIP2, and vice-versa. The servers and the VIP's are in the same L3 subnet.
Is this possible with my set up?
Any help would be greatly appreciated.
Yes, NATing is possible in bridge mode as long as you hit a virtual IP.
Is traffic coming in on vlan 122 and going out on vlan 122?
The natpool must be on the outgoing interface.
You should also upgrade asap !!!
Thank you Gilles for your reply.
Vlan 122 is the ingress interface for the traffic coming into the ACE, and we have a vlan 322 for the servers.
I have applied the nat-pool command to the egress interface vlan322 and changed the policy-map configuration to reflect the egress vlan 322:
interface vlan 322
  nat-pool 1 10.0.0.100 10.0.0.100 netmask 255.255.255.255 pat
policy-map multi-match SERVICE_POLICY_MAP
  nat dynamic 1 vlan 322
  nat dynamic 1 vlan 322
But I still can't connect to either VIP from the servers. Am I missing something in the configuration?
We plan to upgrade the ACE code in the near future.
Thanks again for your help!!
I have revised my configuration and it is attached, but still can't access the VIP's from the servers.
Can anyone see if there is something wrong?
VLAN 122 is the "Client Vlan" where the traffic comes in to the ACE from the FWSM, and VLAN 322 is the "Server Vlan" traffic that leaves the servers.
You need to put the service policy on the inbound interface and the nat-pool on the outbound interface.
If the VIP is accessed by the server through the gateway, the first packet is bridged (and therefore not NATed) to the gateway, which sends the traffic back to the ACE.
It is then NATed because the traffic hits the VIP.
Get sniffer traces to understand the path of the traffic and do 'show service-policy' to see if traffic hits your different rules.
Thank you Gilles for the help.
Just to clarify when you say "inbound interface" it is the Client facing interface and the "outbound" is the server facing interfaces?
inbound is where the SYN comes in and outbound is where we send it.
If the problem is to nat traffic from servers, using "client facing" or "server facing" can be misleading.
Also, if the vip is not in the same subnet as the servers, the traffic will first be bridged to the gateway (the server will use the gateway mac as destination). The gateway then sends it back to ACE.
We can't src nat traffic that is bridged.
So we can't NAT the SYN when we bridge it to the gateway. But when it comes back and hits the VIP, we can apply src NAT.
Thank you Gilles for the clarification.
In my scenario the servers and the VIP are on the same subnet.
So in my case the SYN would be coming in to the ACE on the "server facing" interface that in my case is called vlan 322.
I applied the Service policy for SRC NAT on that interface and applied the natpool on the other interface (vlan 122) but still can't get the connections from the servers to the VIP to work.
From the Cisco documents I've read, the "nat dynamic" statement has to be applied to the same interface the natpool is applied to. Is that the case?
Any news on that issue ???
It looks like I'm not able to NAT the server when it tries to connect to an outside client.
When a client (from vlan 909) wants to access the server (vlan 910), I've got no problem with the NAT:
Apr 21 2010 17:15:09 10.247.208.61/Test-BVI: %ACE-6-305009: Built static translation from vlan910:10.247.207.10 to vlan909:220.127.116.11
Apr 21 2010 17:15:09 10.247.208.61/Test-BVI: %ACE-6-302022: Built TCP connection 0x9c8 for vlan909:10.247.207.3/14338 (10.247.207.3/14338) to
When the server wants to access the client, the source IP is not NATed:
Apr 21 2010 17:12:31 10.247.208.61/Test-BVI: %ACE-6-302022: Built TCP connection 0x9b5 for vlan910:10.247.207.10/58882 (10.247.207.10/58882) to vlan909:10.247.207.1/23 (10.247.207.1/23)
SUP720 VRF A --- ACE (bridge mode) --- SUP720 VRF B
ACE version : A2(3.0)
access-list Vlan-909-in line 8 extended permit ip any any
access-list Vlan-910-in line 10 extended permit ip any any
class-map match-all NAT_SUD
  2 match source-address 10.247.207.10 255.255.255.255
policy-map multi-match POL_NAT_SUD
  nat static 18.104.22.168 netmask 255.255.255.255 vlan 909
interface vlan 909
  access-group input Vlan-909-in
interface vlan 910
  access-group input Vlan-910-in
  service-policy input POL_NAT_SUD
interface bvi 1
  ip address 10.247.207.5 255.255.255.240
  alias 10.247.207.6 255.255.255.240
  peer ip address 10.247.207.4 255.255.255.240
Why does "show arp" not display the ARP entry for the NAT?
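The two syslog lines above show the check that decides this thread: in a "%ACE-6-302022: Built TCP connection" message the address outside the parentheses is the real address and the one inside is the mapped address, so a server-originated connection whose two source addresses are identical was never source-NATed. The following script is an added example, not code from this thread or from Cisco; it parses such messages and flags connections whose source should have been translated according to a rule table but was not. The field order real-address/port (mapped-address/port) is an assumption taken from the documented message format, the sample log lines are constructed from the addresses in this thread, and the NAT_RULES table is a hypothetical input that mirrors the class-map on vlan 910 in the config above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Matches the ACE "Built TCP/UDP connection" message. Assumed field order
# (documented convention):
#   for <if>:<real-addr>/<real-port> (<mapped-addr>/<mapped-port>)
#   to  <if>:<real-addr>/<real-port> (<mapped-addr>/<mapped-port>)
CONN_RE = re.compile(
    r"%ACE-6-302022: Built (?P<proto>TCP|UDP) connection (?P<cid>0x[0-9a-fA-F]+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_real>[\d.]+)/(?P<src_real_port>\d+) "
    r"\((?P<src_mapped>[\d.]+)/(?P<src_mapped_port>\d+)\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_real>[\d.]+)/(?P<dst_real_port>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/(?P<dst_mapped_port>\d+)\)"
)


@dataclass(frozen=True)
class Conn:
    cid: str
    proto: str
    src_if: str
    src_real: str
    src_real_port: int
    src_mapped: str
    src_mapped_port: int
    dst_if: str
    dst_real: str
    dst_mapped: str

    @property
    def source_translated(self) -> bool:
        """True when NAT or PAT rewrote the source address or port."""
        return (self.src_real, self.src_real_port) != (self.src_mapped, self.src_mapped_port)


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one syslog line; return None for lines that are not 302022 messages."""
    m = CONN_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Conn(
        cid=g["cid"], proto=g["proto"],
        src_if=g["src_if"], src_real=g["src_real"], src_real_port=int(g["src_real_port"]),
        src_mapped=g["src_mapped"], src_mapped_port=int(g["src_mapped_port"]),
        dst_if=g["dst_if"], dst_real=g["dst_real"], dst_mapped=g["dst_mapped"],
    )


def parse_log(text: str) -> List[Conn]:
    return [c for c in (parse_conn(ln) for ln in text.splitlines()) if c is not None]


def find_untranslated(text: str, nat_rules: Dict[str, Set[str]]) -> List[Conn]:
    """Connections whose ingress vlan and real source IP match a NAT rule
    (hypothetical table: ingress vlan -> set of real source IPs) but whose
    mapped source is unchanged, i.e. the source NAT did not apply."""
    return [
        c for c in parse_log(text)
        if c.src_real in nat_rules.get(c.src_if, set()) and not c.source_translated
    ]


# Constructed sample log, modelled on the lines in this thread (not real output).
SAMPLE_LOG = """\
Apr 21 2010 17:12:31 10.247.208.61/Test-BVI: %ACE-6-302022: Built TCP connection 0x9b5 for vlan910:10.247.207.10/58882 (10.247.207.10/58882) to vlan909:10.247.207.1/23 (10.247.207.1/23)
Apr 21 2010 17:15:09 10.247.208.61/Test-BVI: %ACE-6-302022: Built TCP connection 0x9c8 for vlan909:10.247.207.3/14338 (10.247.207.3/14338) to vlan910:18.104.22.168/23 (10.247.207.10/23)
Apr 21 2010 17:20:00 10.247.208.61/Test-BVI: %ACE-6-302022: Built TCP connection 0x9d1 for vlan910:10.247.207.10/40001 (18.104.22.168/40001) to vlan909:10.247.207.1/23 (10.247.207.1/23)
"""

# Hypothetical rule table: the server 10.247.207.10 entering on vlan 910 is
# expected to be source-NATed (mirrors class-map NAT_SUD applied on vlan 910).
NAT_RULES = {"vlan910": {"10.247.207.10"}}

if __name__ == "__main__":
    for c in find_untranslated(SAMPLE_LOG, NAT_RULES):
        print(f"{c.cid}: source {c.src_if}:{c.src_real} not translated towards "
              f"{c.dst_if}:{c.dst_real}")
```

Run against the constructed log, the script reports only connection 0x9b5, which is exactly the symptom in the post above: the client-to-server connection (0x9c8) shows its destination mapped, and a later constructed line (0x9d1) shows what a translated server-originated source would look like, so the flag fires only when the policy was expected to apply and the mapped source is still the real one.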
Could you explain more in detail what you are trying to accomplish?
Do you need that some backend server start connections to external users? Is it matching any VIP to go outside?
A server farm behind an ACE, accessible by a VIP.
And each server could connect to a client and be hidden (NATed) behind the VIP IP.
From the pasted config you don't appear to be hitting a VIP with the server-originated connections. This is a requirement for the ACE to perform source NATing in bridge mode, so no, with the above config in bridge mode NATing will not happen.
There was an enhancement request for this (CSCek61037) but unfortunately it wasn't implemented and it will not be.
Hope it helps,