Cisco Support Community

New Member

ACE VIP FTP Server Farm and Outgoing NAT

We have an ACE-20 module for the 6500.

Our organization has an FTP Server Farm with a VIP setup on the ACE for Incoming Connections within a DMZ in order to load balance across multiple FTP servers. This is working just fine.

However, for Outgoing connections in the DMZ, we would like the outgoing NAT IP address to be the same as the VIP IP address. This is so that we can give a single IP address to vendors for opening up firewall

Does the ACE-20 module for the 6500 support configuring the environment to allow any outgoing connections from the FTP servers to utilize the same NAT IP address as the VIP?

Would this cause load balancing across the servers to stop working in any form?


New Member

Re: ACE VIP FTP Server Farm and Outgoing NAT

Hi James,

  Firstly you'd need to configure an outbound PAT statement (not a NAT) and this can co-exist with an inbound VIP configuration. Secondly I'd recommend two interfaces for simplicity.

  To configure both of these features would require two service-policies being configured. The service-policy being applied to the customer facing interface would require the VIP service-policy and the server facing service-policy would have the PAT configuration.

For example.

access-list OUTSIDE_ACL line 10 extended permit ip any any
access-list INSIDE_ACL line 10 extended permit ip any any
access-list INSIDE-HOSTS-PAT_ACL line 10 extended permit ip host any
access-list INSIDE-HOSTS-PAT_ACL line 20 extended permit ip host any

probe ftp FTP-PROBE
  interval 2
  expect status 220 220

rserver host 10-20-7-1
  ip address
rserver host 10-20-7-2
  ip address

serverfarm host FTP-21-SF
  probe FTP-PROBE
  rserver 10-20-7-1
  rserver 10-20-7-2

sticky ip-netmask address source 40
  timeout 60
  replicate sticky
  serverfarm FTP-21-SF

class-map match-all FTP-21-CM
  2 match virtual-address tcp eq ftp
class-map match-any INSIDE-HOSTS-PAT-cm
  2 match access-list INSIDE-HOSTS-PAT_ACL

policy-map type loadbalance first-match FTP-21-PM
  class class-default
    sticky-serverfarm 40

policy-map multi-match OUTSIDE-INTERFACE-POLICY
  class FTP-21-CM
    loadbalance vip inservice
    loadbalance policy FTP-21-PM
    loadbalance vip icmp-reply active
    inspect ftp

policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100

interface vlan 100
  description Customer Facing Interface
  ip address
  peer ip address
  access-group input OUTSIDE_ACL
  nat-pool 1 netmask pat
  service-policy input OUTSIDE-INTERFACE-POLICY
  no shutdown
interface vlan 101
  description Server Facing Interface
  ip address
  peer ip address
  access-group input INSIDE_ACL
  service-policy input INSIDE-INTERFACE-POLICY
  no shutdown
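
Added example, not part of the original reply and not Cisco code: a small Python check for the outbound-PAT wiring the reply describes (a `nat dynamic` rule under a class, a matching `nat-pool ... pat` on the egress VLAN, and the policy applied on the server-facing interface rather than the egress one). The sample config is constructed with a placeholder address, and the function name `lint_ace_pat` is hypothetical.

```python
# Constructed sample: the thread's layout, with 192.0.2.10 as a placeholder address.
SAMPLE = """\
class-map match-any INSIDE-HOSTS-PAT-cm
policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100
interface vlan 100
  nat-pool 1 192.0.2.10 192.0.2.10 netmask 255.255.255.255 pat
  service-policy input OUTSIDE-INTERFACE-POLICY
interface vlan 101
  service-policy input INSIDE-INTERFACE-POLICY
"""

def lint_ace_pat(config):
    """Return findings for the outbound-PAT part of an ACE config."""
    kind = name = cls = None
    class_maps, pools, applied, rules = set(), {}, {}, []
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # an unindented line starts a new stanza
            kind, name, cls = words[0], words[-1], None
            if kind == "class-map":
                class_maps.add(name)
        elif kind == "policy-map" and words[0] == "class":
            cls = words[1]
        elif kind == "policy-map" and words[:2] == ["nat", "dynamic"] and len(words) == 5:
            rules.append((name, cls, words[2], words[4]))  # policy, class, pool, vlan
        elif kind == "interface" and words[0] == "nat-pool":
            pools[(name, words[1])] = words[-1] == "pat"  # (vlan, pool id) -> is PAT
        elif kind == "interface" and words[:2] == ["service-policy", "input"]:
            applied.setdefault(words[2], set()).add(name)  # policy -> ingress vlans
    findings = []
    for policy, cls, pool, vlan in rules:
        rule = f"{policy}: nat dynamic {pool} vlan {vlan}"
        if cls is None:
            findings.append(f"{rule} is not under a class")
        elif cls != "class-default" and cls not in class_maps:
            findings.append(f"{rule} uses undefined class-map {cls}")
        if (vlan, pool) not in pools:
            findings.append(f"{rule} has no nat-pool {pool} on interface vlan {vlan}")
        elif not pools[(vlan, pool)]:
            findings.append(f"nat-pool {pool} on vlan {vlan} lacks the pat keyword")
        if not applied.get(policy):
            findings.append(f"{policy} is not applied to any interface")
        elif vlan in applied[policy]:
            findings.append(f"{policy} is applied on vlan {vlan}, its own egress side")
    return findings
```

An empty list means the PAT rule, its pool and the interface bindings agree with each other; it does not validate the access lists or the VIP side.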
