Client NAT - ACE

Hi All,

We are trying to configure client NAT on ACE, and I have tried the following configuration.

I want to make sure of the following things:

1) Is this the right way, and is this possible at all?

2) If it is, and anyone has ideas for that, please do let me know so that I can send the topology diagram as well to make it easier to understand.

class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
class-map match-all NAT
  2 match source-address 0.0.0.0 0.0.0.0
  3 match destination-address 172.16.30.110 255.255.255.255

policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
  class NAT
    nat dynamic 9 vlan 300

interface vlan 300
  description Clentside interface
  bridge-group 30
  access-group input ALL
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  service-policy input MOON-POLICY
  no shutdown

Regards

Aslam...

3 REPLIES
New Member

Re: Client NAT - ACE

Hi Aslam,

Yes, it's possible in quite a simple way. I see some errors in your configuration:

You don't need a second class map "NAT", the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, loadbalance AND nat client traffic".

To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.

This should work as you want:

class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www

policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300

Remember that an instruction like "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm: no instruction on source-address means match any source.

You can check some other scenarios on source NAT here:

http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html

Hope this helps.

Alberto
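
An offline consistency check for the corrected configuration in the reply above, added here as an example (it is not part of the original thread and not a Cisco tool). It assumes the configuration text is indented the way `show running-config` prints it; `check_client_nat` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the corrected policy from the reply above plus a
# shortened copy of the interface stanza from the original question.
SAMPLE = """\
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300
interface vlan 300
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input MOON-POLICY
"""

def check_client_nat(config):
    """Return a list of findings for source-NAT statements in an ACE config."""
    pools, applied, nat_refs, findings = {}, set(), [], []
    section = klass = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"service-policy input (\S+)$", line):
            applied.add(m.group(1))            # interface-level or global
        elif not raw[0].isspace():             # top-level command opens a section
            section, klass = line, None
        elif m := re.match(r"class (\S+)$", line):
            klass = m.group(1)
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line):
            nat_refs.append((section, klass, m.group(1), m.group(2)))
        elif m := re.match(r"nat-pool (\d+) ", line):
            pools.setdefault(section, set()).add(m.group(1))
        elif re.search(r"match source-address 0\.0\.0\.0 0\.0\.0\.0$", line):
            # Per the reply: omitting source-address already matches any source.
            findings.append(f"{section}: redundant match-any source-address")
    for section, klass, pool, vlan in nat_refs:
        policy = section.split()[-1]
        # The pool id named by "nat dynamic" must exist on the referenced VLAN.
        if pool not in pools.get(f"interface vlan {vlan}", set()):
            findings.append(f"{policy}/{klass}: nat-pool {pool} missing on vlan {vlan}")
        if policy not in applied:
            findings.append(f"{policy}/{klass}: policy not applied by any service-policy")
    return findings
```
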

New Member

Re: Client NAT - ACE

Thanks Alberto,

The solution is working,
