New Member

ACE: Server Source NAT is not working

I have 1 ACE appliance which is running in routed mode. There are 2 vlans, which are the client vlan and the server vlan. My VIP subnet is the same as the server vlan subnet. I would like to Source NAT each farm of servers' originated traffic to their own VIP. I have tested pinging from a server on the server vlan to a PC on the client vlan, but "show xlate" didn't show any NATing, and a packet capture at the client vlan's PC also showed that the source IP from the server is not NATed. I have configured it as follows, but it is not working. Can any expert help me look at my config to see whether I missed something:

Thanks

9 REPLIES
New Member

Re: ACE: Server Source NAT is not working

Hi,

I checked the config and didn't see any vlan 22 defined in the ACE (I can see 100 and 220 only):

policy-map multi-match NAT-POLICY
  class NAT-EXCHANGE
    nat dynamic 1 vlan 22
  class NAT-SMS
    nat dynamic 2 vlan 22
  class NAT-PROXY
    nat dynamic 3 vlan 22

---------------------------------

Sample config, this might be helpful:

class-map match-all SNAT
  2 match source-address 2.2.2.10 255.255.255.0

policy-map multi-match L4
  class HTTP-SFARM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    loadbalance vip icmp-reply
  class SNAT
    nat dynamic 100 vlan 31

interface vlan 31
  ip address 2.2.2.1 255.255.255.0
  mac-sticky enable
  access-group input 1
  nat-pool 100 1.1.1.1 1.1.1.1 netmask 255.255.255.255 pat
  service-policy input L4
  no shutdown

New Member

Re: ACE: Server Source NAT is not working

Hi Rajesh,

Sorry for the typo; actually the NAT-POLICY is pointing to vlan 220:

  class NAT-EXCHANGE
    nat dynamic 1 vlan 220
  class NAT-SMS
    nat dynamic 2 vlan 220
  class NAT-PROXY
    nat dynamic 3 vlan 220

Thanks for your sample. According to the line you gave in the sample, **2 match source-address 2.2.2.10 255.255.255.0**, yours is with netmask 255.255.255.0 and mine is with 255.255.255.255. Is your matching criteria matching the whole 2.2.2.0/24 segment to be NATed?

By the way, should the NAT-Policy be put on the server-facing vlan, while the nat-pool should be put on the vlan that the traffic is NATed to (the nat-pool IP) and goes out of?

Thanks

Cisco Employee (Accepted Solution)

Re: ACE: Server Source NAT is not working

To answer your latest questions.

Yes, the service-policy must be configured on the interface facing the server (inbound interface) and the nat-pool must be configured on the outbound interface.

Also note that we do not nat bridged traffic.

I don't think the show xlate will show any entries when pat is configured.

You should check with a 'show service-policy' if you have any hit on your class-map NAT-POLICY.

Also, do a 'clear conn' before your test or use telnet instead of ping.

All your icmp traffic from 1 src to 1 dst will fall under the same flow.

If the flow was created before the nat policy, there will be no NATing until the flow times out, which can take a long time for icmp.

Gilles.
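The two wiring rules in the reply above (the policy-map carrying `nat dynamic` is applied with `service-policy input` on the server-facing interface, and the referenced `nat-pool` id lives on the interface of the VLAN named in `nat dynamic`) can be checked mechanically before a change window. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ACE configuration (the `SAMPLE_CONFIG` text, with made-up addresses and two planted mistakes of the same kind as the "vlan 22 vs 220" typo discussed earlier) and reports every `nat dynamic` statement whose VLAN or nat-pool is missing, or whose policy-map is not applied anywhere. Function names (`parse_ace_config`, `check_source_nat`) are my own.

```python
import re
from collections import defaultdict

# Constructed sample ACE configuration for this check (not the thread's own
# config): the server-facing vlan 100 carries the service-policy and the
# client-facing vlan 220 carries the nat-pools.  Two defects are planted:
# nat-pool 2 is missing, and class NAT-PROXY points at vlan 22 instead of 220.
SAMPLE_CONFIG = """\
class-map match-all NAT-EXCHANGE
  2 match source-address 10.1.100.10 255.255.255.255
class-map match-all NAT-SMS
  2 match source-address 10.1.100.20 255.255.255.255
class-map match-all NAT-PROXY
  2 match source-address 10.1.100.30 255.255.255.255
policy-map multi-match NAT-POLICY
  class NAT-EXCHANGE
    nat dynamic 1 vlan 220
  class NAT-SMS
    nat dynamic 2 vlan 220
  class NAT-PROXY
    nat dynamic 3 vlan 22
interface vlan 100
  ip address 10.1.100.1 255.255.255.0
  service-policy input NAT-POLICY
  no shutdown
interface vlan 220
  ip address 10.1.220.1 255.255.255.0
  nat-pool 1 10.1.220.101 10.1.220.101 netmask 255.255.255.255 pat
  nat-pool 3 10.1.220.103 10.1.220.103 netmask 255.255.255.255 pat
  no shutdown
"""

NAT_DYNAMIC = re.compile(r"^nat dynamic (\d+) vlan (\d+)$")
NAT_POOL = re.compile(r"^nat-pool (\d+) ")
SERVICE_POLICY = re.compile(r"^service-policy input (\S+)$")


def parse_ace_config(text):
    """Pull out the pieces source NAT depends on.

    Returns (nat_rules, interfaces): nat_rules is a list of
    {"policy", "cls", "pool", "vlan"} dicts; interfaces maps a vlan id to
    {"pools": set of nat-pool ids, "service_policies": set of policy names}.
    """
    nat_rules = []
    interfaces = defaultdict(lambda: {"pools": set(), "service_policies": set()})
    policy = cls = vlan = None          # current configuration context
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map "):
            policy = cls = vlan = None
        elif line.startswith("policy-map "):
            policy, cls, vlan = line.split()[-1], None, None
        elif line.startswith("interface vlan "):
            vlan, policy, cls = int(line.split()[-1]), None, None
            _ = interfaces[vlan]            # register the interface even if empty
        elif line.startswith("class ") and policy is not None:
            cls = line.split()[1]
        elif (m := NAT_DYNAMIC.match(line)) and cls is not None:
            nat_rules.append({"policy": policy, "cls": cls,
                              "pool": int(m.group(1)), "vlan": int(m.group(2))})
        elif (m := NAT_POOL.match(line)) and vlan is not None:
            interfaces[vlan]["pools"].add(int(m.group(1)))
        elif (m := SERVICE_POLICY.match(line)) and vlan is not None:
            interfaces[vlan]["service_policies"].add(m.group(1))
    return nat_rules, dict(interfaces)


def check_source_nat(text):
    """Return a list of findings; an empty list means every 'nat dynamic'
    statement names a defined VLAN holding its nat-pool, and its policy-map
    is applied with 'service-policy input' somewhere."""
    nat_rules, interfaces = parse_ace_config(text)
    findings = []
    for r in nat_rules:
        where = f"{r['policy']} / class {r['cls']} -> nat dynamic {r['pool']} vlan {r['vlan']}"
        iface = interfaces.get(r["vlan"])
        if iface is None:
            findings.append(f"{where}: interface vlan {r['vlan']} is not defined")
        elif r["pool"] not in iface["pools"]:
            findings.append(f"{where}: no nat-pool {r['pool']} configured on interface vlan {r['vlan']}")
        applied = any(r["policy"] in i["service_policies"] for i in interfaces.values())
        if not applied:
            findings.append(f"{where}: policy-map {r['policy']} is not applied with "
                            f"'service-policy input' on any interface")
    return findings


if __name__ == "__main__":
    for finding in check_source_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against `show running-config` output saved to a file; the checks are deliberately limited to what the thread states (pool id, VLAN and policy application), so a clean result still leaves the flow-caching caveat above to be handled with `clear conn` before testing.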

New Member

Re: ACE: Server Source NAT is not working

Hi Gdufour,

Thanks for your detailed explanation. Greatly appreciated. Tomorrow I will go and troubleshoot the problem again and hope I can solve the problem. Hopefully mine with multiple nat-pools will run smoothly too.

I will update here once I solve the problem.

New Member

Re: ACE: Server Source NAT is not working

I have tested and the PAT finally works. However, there is an issue. The PAT will do the NAT whether the traffic is server-initiated or server return traffic, and this caused a problem because the client received return traffic with a port different from its initiated flow. Luckily my environment allows me not to do the PAT for server-initiated traffic too.

Thanks to everyone that has helped on this issue.

Cisco Employee

Re: ACE: Server Source NAT is not working

It is not possible that we NAT the server traffic if it was not initiated by the server.

The only reason you see NATing is because the client went to the VIP, which was NATed to the server IP, and when the response comes back we do the reverse NATing.

PAT is not involved in this process.

The ports being used should be the one used by the client when opening the connection with the vip.

Gilles.
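The behaviour described in this reply and in the accepted answer (a flow keeps the decision taken when it was created, all ICMP between one source and one destination is a single flow, the reply to a client-to-VIP connection is only reverse-translated and never PATed, and `clear conn` is what forces a fresh decision) is easiest to reason about with a small stateful model. The class below is an added illustration of that model, written for this page; it is not ACE's implementation and the VIP, server, subnet and PAT addresses and the port allocator are constructed assumptions.

```python
import itertools


class AceFlowModel:
    """Toy model (an assumption for illustration, not ACE's implementation) of a
    stateful connection table: policy is evaluated once, when a flow is
    created, and later packets of the same flow reuse the stored rewrite."""

    def __init__(self, vip, real_servers, snat_subnet, pat_address):
        self.vip = vip                    # load-balanced address clients connect to
        self.real_servers = list(real_servers)
        self.snat_subnet = snat_subnet    # prefix string matched by the NAT class, e.g. "10.1.100."
        self.pat_address = pat_address    # nat-pool address used for server-initiated flows
        self.pat_ports = itertools.count(1024)   # constructed PAT port allocator
        self.snat_enabled = False         # True once the NAT policy is applied
        self.rr = 0                       # round-robin pointer over real servers
        self.conns = {}                   # flow key -> dict of rewritten fields

    def enable_snat(self):
        self.snat_enabled = True

    def clear_conn(self):
        """Equivalent of 'clear conn': drop every cached flow decision."""
        self.conns.clear()

    @staticmethod
    def flow_key(proto, src, dst, sport, dport):
        # ICMP carries no ports, so every echo from src to dst is one flow.
        if proto == "icmp":
            return (proto, src, dst, 0, 0)
        return (proto, src, dst, sport, dport)

    def packet(self, proto, src, dst, sport=0, dport=0):
        """Process one packet; returns (src, dst, sport, dport) as emitted."""
        key = self.flow_key(proto, src, dst, sport, dport)
        rewrite = self.conns.get(key)
        if rewrite is None:
            rewrite = self._create_flow(proto, src, dst, sport, dport)
        return (rewrite.get("src", src), rewrite.get("dst", dst),
                rewrite.get("sport", sport), rewrite.get("dport", dport))

    def _create_flow(self, proto, src, dst, sport, dport):
        fwd_key = self.flow_key(proto, src, dst, sport, dport)
        if dst == self.vip:
            # Client -> VIP: destination NAT to a real server.  The reply only
            # gets the reverse translation, so the client's port is untouched.
            real = self.real_servers[self.rr % len(self.real_servers)]
            self.rr += 1
            fwd = {"dst": real}
            rev_key = self.flow_key(proto, real, src, dport, sport)
            rev = {"src": self.vip}
        elif self.snat_enabled and src.startswith(self.snat_subnet):
            # Server-initiated flow matched by the NAT policy: source PAT.
            port = 0 if proto == "icmp" else next(self.pat_ports)
            fwd = {"src": self.pat_address, "sport": port}
            rev_key = self.flow_key(proto, dst, self.pat_address, dport, port)
            rev = {"dst": src, "dport": sport}
        else:
            fwd, rev = {}, {}
            rev_key = self.flow_key(proto, dst, src, dport, sport)
        self.conns[fwd_key] = fwd
        self.conns[rev_key] = rev
        return fwd


if __name__ == "__main__":
    m = AceFlowModel("10.1.100.50", ["10.1.100.10"], "10.1.100.", "10.1.220.101")
    print("ping before policy :", m.packet("icmp", "10.1.100.10", "192.0.2.7"))
    m.enable_snat()
    print("ping after policy  :", m.packet("icmp", "10.1.100.10", "192.0.2.7"))
    m.clear_conn()
    print("ping after clear   :", m.packet("icmp", "10.1.100.10", "192.0.2.7"))
```

The printed sequence shows why the original ping test looked broken: the echo flow created before the policy is reused unchanged until it is cleared, whereas a new TCP connection from the server gets a fresh flow and is PATed immediately, and a reply to a client-to-VIP connection comes back with the client's own port because only the reverse translation applies.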

New Member

Re: ACE: Server Source NAT is not working

Hi Gdufour,

Thanks for your explanation. Really appreciate your kindness.

New Member

Re: ACE: Server Source NAT is not working

Hi,

When you say:

"I don't think the show xlate will show any entries when pat is configured."

Is this some kind of bug, as I haven't found something like this mentioned in the ACE documentation?

Regards,

Jasmina

Cisco Employee

Re: ACE: Server Source NAT is not working

As far as I know this is the intended behavior.

Haven't verified however if this is true.

G.
