Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
3
Replies

ACE questions related to routing and NAT

HWangLoyalty_2
Level 1
Level 1

‎10-27-2010 12:02 PM

Given a topology of

asa---vlan10-------ace------vlan20------server

We configured ACE enviroment like the previous topology. Vlan 10 is VIP Vlan and Vlan 20 is real server VLAN. Both of them are behind ASA firewall.There still is a management vlan 100 in this context. My questions are:

a. How to set up default route on ACE? If all of traffics are pointed to asa interface as the next hop, how about management traffics? the MGMT VLAN is internal VLAN. Inbound traffics won't be gone through firewall.But the default route will cause any return traffics going through firewall.

b. for example, vip is 1.1.1.10 ;real servers are 1.1.2.10 and 1.1.2.11. I had the experience with CSM beofre. When I configure as "no nat client, nat server" command on csm, all of return traffics will be changed source address as 1.1.1.10. How about the ACE? any similar commands?

Thanks a lot!  

Labels:
0 Helpful
3 Replies 3

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎10-30-2010 01:19 AM

Hi

For question A, you can use the "ip route" command. It works like the IOS one, and would allow you to configure the ASA as default gateway and a more specific route for the management traffic.

For question B, I believe you are misunderstanding the use of the CSM command, so let me give you a more detailed explanation.

On the client side, for a established connection, traffic from the servers will always come with the ip address of the VIP that the client was using to access.

The "nat server" command defines that, in the server side, the destination IP of the connection will be natted to the real IP address of the server, while the "nat client" will be used to nat the IP address of the client on the server side.

On the ACE, server nat is done by default, but you can still disable it if you configure the serverfarm as "transparent"

0 Helpful

HWangLoyalty_2
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎11-11-2010 04:48 PM

Thanks for your clarification. But I still did not understand your answer about Question A.

If I am correct, the routing table is controlled return traffics. For example, Subnet 1.1.1.0/24 is allowed to access both VIP VLAN and management VLAN. How to set up the specific route for this subnet?

Please let me know more details. Thanks a lot

0 Helpful

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee
In response to HWangLoyalty_2

‎11-15-2010 02:18 AM

Hi,

I'm afraid it's not possible to have separate routing tables per interface, which is what you would need.

On the ACE, you can only configure router on a per-destination basis, so, even if a specific subnet is allowed to access both the VIPs and the management interface, only one return route can be configured.

I can think of two possible ways around this:

- Use some policy based routing on the switch to route traffic differently based on the source IP address (the one of the ACE)

- Use the default gateway for management traffic and "mac-sticky" for the load-balanced connections. With mac-sticky enabled, the ACE will send the return traffic to the MAC address from where the original traffic came instead of following the routing table

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents