Solved: Re: connections through ACE module

Thompso7540_2 · ‎10-27-2010

when a client makes a connection to a vip which is in the client side vlan, and the ace sends the load balanced request to the rserver, and the rserver replies - does the rserver always get nat'd to the vip in the reply - if no nat is configured? Because if teh client sends a syn to the vip and receives a syn,ack from a different ip, it'll just send a reset correct?

how about in this example using nat~? Does teh rserver's reply get patted to 172.19.192.26, then get nated again to the vip? Or do they go straight to the client?

vlan 195 is teh client side

vlan 719 is the server side

access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0

class-map match-any NAT_CLASS_VIP
2 match access-list acl_NAT_VIP

policy-map multi-match NAT_POLICY
class NAT_CLASS_VIP

nat dynamic 5 vlan 719

interface vlan 195
ip address 172.19.192.19 255.255.252.0
alias 172.19.192.18 255.255.252.0
peer ip address 172.19.192.20 255.255.252.0
access-group input allowall
access-group output allowall
nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
service-policy input LB_POLICY
no shutdown

interface vlan 719
ip address 10.1.9.66 255.255.255.240
alias 10.1.9.65 255.255.255.240
peer ip address 10.1.9.67 255.255.255.240
access-group input allowall
access-group output allowall
nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat

service-policy input LB_POLICY
service-policy input NAT_POLICY
no shutdown

jsirstin · ‎10-27-2010

Bryan,

As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.

In your first example the flow will look like this.

client > VIP after the ACE client > rserver

the reply would be

rserver > client after the ACE VIP > rserver

In your second example using client nat it will look like this

Client > VIP After ACE Natpool > rserver.

the reply would be

rserver > Nat-pool after ACE VIP > client.

The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.

Regards

Jim

View solution in original post

jsirstin · ‎10-27-2010

Bryan,

As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.

In your first example the flow will look like this.

client > VIP after the ACE client > rserver

the reply would be

rserver > client after the ACE VIP > rserver

In your second example using client nat it will look like this

Client > VIP After ACE Natpool > rserver.

the reply would be

rserver > Nat-pool after ACE VIP > client.

The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.

Regards

Jim

jteixido · ‎10-28-2010

Jim,

I'm slightly confused. Are you saying the the traffic flow using the ACE in one arm mode with source NAT would look like this:

Client>NAT Pool>VIP>Rserver

Reply:

Rserver>VIP>NAT Pool>Client?

Regards,

John...