New Member

ACE questions related to routing and NAT

Given a topology of

asa---vlan10-------ace------vlan20------server

We configured the ACE environment according to the topology above. Vlan 10 is the VIP Vlan and Vlan 20 is the real server VLAN. Both of them are behind the ASA firewall. There is also a management vlan 100 in this context. My questions are:

a. How to set up the default route on ACE? If all traffic is pointed to the asa interface as the next hop, what about management traffic? The MGMT VLAN is an internal VLAN. Inbound traffic won't go through the firewall, but the default route will cause any return traffic to go through the firewall.

b. For example, the vip is 1.1.1.10; the real servers are 1.1.2.10 and 1.1.2.11. I had experience with CSM before. When I configure the "no nat client, nat server" command on csm, the source address of all return traffic will be changed to 1.1.1.10. How about the ACE? Are there any similar commands?

Thanks a lot!  

Cisco Employee

Re: ACE questions related to routing and NAT

Hi

For question A, you can use the "ip route" command. It works like the IOS one, and would allow you to configure the ASA as default gateway and a more specific route for the management traffic.

For question B, I believe you are misunderstanding the use of the CSM command, so let me give you a more detailed explanation.

On the client side, for an established connection, traffic from the servers will always come with the ip address of the VIP that the client was using to access.

The "nat server" command defines that, in the server side, the destination IP of the connection will be natted to the real IP address of the server, while the "nat client" will be used to nat the IP address of the client on the server side.

On the ACE, server nat is done by default, but you can still disable it if you configure the serverfarm as "transparent".

New Member

Re: ACE questions related to routing and NAT

Thanks for your clarification. But I still did not understand your answer about Question A.

If I am correct, the routing table controls return traffic. For example, subnet 1.1.1.0/24 is allowed to access both the VIP VLAN and the management VLAN. How to set up the specific route for this subnet?

Please let me know more details. Thanks a lot.

Cisco Employee

Re: ACE questions related to routing and NAT

Hi,

I'm afraid it's not possible to have separate routing tables per interface, which is what you would need.

On the ACE, you can only configure routing on a per-destination basis, so, even if a specific subnet is allowed to access both the VIPs and the management interface, only one return route can be configured.

I can think of two possible ways around this:

- Use some policy based routing on the switch to route traffic differently based on the source IP address (the one of the ACE)

- Use the default gateway for management traffic and "mac-sticky" for the load-balanced connections. With mac-sticky enabled, the ACE will send the return traffic to the MAC address from where the original traffic came instead of following the routing table.
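As an added example (not from either poster and not Cisco documentation), the following ACE context configuration puts the second of those two options into practice for the topology in the original question, and also shows the serverfarm side of question B. The VIP 1.1.1.10, the real servers 1.1.2.10/1.1.2.11 and VLANs 10/20/100 come from the thread; every other address (1.1.1.2, 1.1.2.1, 10.100.0.1, 10.100.0.2, the 10.0.0.0/8 management range) and all object names are assumptions for illustration only.

```cisco
! Added example configuration, not taken from the thread. Addresses other
! than the VIP, real servers and VLAN numbers are assumed.

! --- real servers and serverfarm (question B) ---
rserver host SRV1
  ip address 1.1.2.10
  inservice
rserver host SRV2
  ip address 1.1.2.11
  inservice

serverfarm host SF-WEB
  ! Server NAT (VIP -> real IP on the way in, real IP -> VIP on the way
  ! back) is the ACE default, i.e. the CSM "nat server" behaviour.
  ! Adding "transparent" here would disable it; it is deliberately NOT set.
  rserver SRV1
    inservice
  rserver SRV2
    inservice

! --- VIP and load-balancing policy ---
class-map match-all VIP-WEB
  2 match virtual-address 1.1.1.10 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB

! --- management access to the ACE itself, limited to the internal
!     management range (assumed 10.0.0.0/8) ---
class-map type management match-any MGMT-ACCESS
  2 match protocol ssh source-address 10.0.0.0 255.0.0.0
  3 match protocol icmp source-address 10.0.0.0 255.0.0.0

policy-map type management first-match MGMT-POLICY
  class MGMT-ACCESS
    permit

! --- interfaces (question A) ---
interface vlan 10
  description client/VIP side, facing the ASA
  ip address 1.1.1.2 255.255.255.0
  ! Return traffic for flows that entered on this VLAN goes back to the MAC
  ! address it arrived from (the ASA) instead of following the routing table.
  mac-sticky enable
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 20
  description real-server side
  ip address 1.1.2.1 255.255.255.0
  no shutdown

interface vlan 100
  description internal management VLAN
  ip address 10.100.0.2 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown

! The single per-destination routing table is left to the management side:
! the default route points at the internal gateway, so management return
! traffic stays internal, while load-balanced return traffic is covered by
! mac-sticky on vlan 10.
ip route 0.0.0.0 0.0.0.0 10.100.0.1
```

Two things to keep in mind with this layout: mac-sticky only covers return traffic of connections that arrived on vlan 10, so anything the ACE or the real servers originate themselves (server-initiated connections, logging from the ACE) still follows the routing table and will leave via the internal gateway; and the management policy on vlan 100 is what restricts who can reach the ACE's own management services, independent of the routing choice.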
