Cisco Support Community
New Member

connections through ACE module

When a client makes a connection to a VIP which is in the client-side VLAN, and the ACE sends the load-balanced request to the rserver, and the rserver replies, does the rserver always get NAT'd to the VIP in the reply, if no NAT is configured? Because if the client sends a SYN to the VIP and receives a SYN/ACK from a different IP, it'll just send a reset, correct?

How about in this example using NAT? Does the rserver's reply get PAT'd to 172.19.192.26, then get NAT'd again to the VIP? Or do they go straight to the client?

vlan 195 is the client side

vlan 719 is the server side

access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0

class-map match-any NAT_CLASS_VIP
  2 match access-list acl_NAT_VIP

policy-map multi-match NAT_POLICY
  class NAT_CLASS_VIP
    nat dynamic 5 vlan 719

interface vlan 195
  ip address 172.19.192.19 255.255.252.0
  alias 172.19.192.18 255.255.252.0
  peer ip address 172.19.192.20 255.255.252.0
  access-group input allowall
  access-group output allowall
  nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
  nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
  nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
  nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
  nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  no shutdown

interface vlan 719
  ip address 10.1.9.66 255.255.255.240
  alias 10.1.9.65 255.255.255.240
  peer ip address 10.1.9.67 255.255.255.240
  access-group input allowall
  access-group output allowall
  nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  service-policy input NAT_POLICY
  no shutdown

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: connections through ACE module

Bryan,

As long as the server replies back to the ACE, the client should only be communicating with the VIP address in either of your two examples.

In your first example the flow will look like this:

client > VIP, after the ACE: client > rserver

The reply would be:

rserver > client, after the ACE: VIP > rserver

In your second example using client NAT it will look like this:

Client > VIP, after ACE: Natpool > rserver

The reply would be:

rserver > Nat-pool, after ACE: VIP > client

The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.

Regards

Jim
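
The translations Jim describes (VIP rewritten to the rserver, the pool address substituted for the client when source NAT applies, and the reply un-translated from the connection entry), as a small Python model added here; it is not code from this thread or from Cisco. The VIP 172.19.195.100, the real server 10.1.9.70 and the client 172.19.254.10 are assumed values chosen to fit the subnets and the acl_NAT_VIP access-list in the question; nat-pool 5 and the ACL come from the posted configuration. The model also covers the case the question raises, where a reply reaches the client without passing back through the ACE.

```python
"""Model of how the ACE rewrites addresses on the request and on the reply.

Constructed example: VIP, rserver and client addresses are assumed values;
the ACL, nat-pool 5 and the subnets are taken from the question's config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

VIP = "172.19.195.100"        # assumed VIP, inside 172.19.192.0/22 on vlan 195
RSERVER = "10.1.9.70"         # assumed real server, inside 10.1.9.64/28 on vlan 719
NAT_POOL_5 = "172.19.192.26"  # nat-pool 5 on vlan 719, from the question
CLIENT = "172.19.254.10"      # constructed client, inside the ACL's source range


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP 5-tuple (protocol omitted)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


class Acl:
    """access-list ... extended permit ip <src> <mask> <dst> <mask>."""
    def __init__(self, src: str, src_mask: str, dst: str, dst_mask: str):
        self.src = ip_network(f"{src}/{src_mask}")
        self.dst = ip_network(f"{dst}/{dst_mask}")

    def permits(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst


class AceModel:
    """Simplified ACE: VIP -> rserver destination NAT, optional client source
    PAT from a nat-pool, and the connection entry used to un-translate the reply."""
    def __init__(self, vip, rserver, nat_acl=None, nat_pool=None, transparent=False):
        self.vip, self.rserver = vip, rserver
        self.nat_acl, self.nat_pool = nat_acl, nat_pool
        self.transparent = transparent
        self.conns = {}            # reply tuple as sent by the server -> original client flow
        self.pat_ports = count(1024)

    def request(self, pkt: Flow) -> Flow:
        if pkt.dst != self.vip:
            raise ValueError("not addressed to the VIP")
        # "transparent" under the serverfarm keeps the VIP as destination
        dst = self.vip if self.transparent else self.rserver
        src, sport = pkt.src, pkt.sport
        if self.nat_acl and self.nat_pool and self.nat_acl.permits(pkt.src, pkt.dst):
            src, sport = self.nat_pool, next(self.pat_ports)  # PAT from the pool
        out = Flow(src, sport, dst, pkt.dport)
        self.conns[out.reverse()] = pkt  # remember how to map the server's reply back
        return out

    def reply(self, pkt: Flow) -> Flow:
        orig = self.conns.get(pkt)
        if orig is None:
            raise LookupError("no connection entry: reply does not match a flow through the ACE")
        return orig.reverse()  # source becomes the VIP, destination the real client


def client_accepts_synack(synack: Flow, syn: Flow) -> bool:
    """A client only accepts a SYN/ACK from the address:port it sent the SYN to;
    anything else gets a RST, which is the failure the question describes."""
    return synack == syn.reverse()


def run_scenarios() -> dict:
    acl = Acl("172.19.254.0", "255.255.254.0", "172.19.192.0", "255.255.252.0")
    syn = Flow(CLIENT, 40000, VIP, 80)
    out = {}
    for name, ace in {
        "no_nat": AceModel(VIP, RSERVER),
        "source_nat": AceModel(VIP, RSERVER, nat_acl=acl, nat_pool=NAT_POOL_5),
        "transparent": AceModel(VIP, RSERVER, transparent=True),
    }.items():
        to_server = ace.request(syn)
        from_server = to_server.reverse()      # server replies to what it saw
        to_client = ace.reply(from_server)
        out[name] = (to_server, to_client, client_accepts_synack(to_client, syn))
    # Asymmetric case: without source NAT the server knows the real client
    # address, so a reply that bypasses the ACE arrives from RSERVER, not the VIP.
    direct = Flow(RSERVER, 80, CLIENT, 40000)
    out["bypass_ace"] = (None, direct, client_accepts_synack(direct, syn))
    return out


if __name__ == "__main__":
    for name, (to_server, to_client, ok) in run_scenarios().items():
        print(f"{name}: to server {to_server}, to client {to_client}, accepted={ok}")
```

In the source-NAT scenario the server only ever sees 172.19.192.26, so its reply has to come back to the ACE to be un-translated to the VIP; that is the usual reason for configuring source NAT in a one-arm design, where the server's default route would otherwise let the reply bypass the ACE and reach the client from the rserver's own address, as in the last scenario.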

2 REPLIES
New Member

Re: connections through ACE module

Jim,

I'm slightly confused. Are you saying that the traffic flow using the ACE in one-arm mode with source NAT would look like this:

Client>NAT Pool>VIP>Rserver

Reply:

Rserver>VIP>NAT Pool>Client?

Regards,

John...

232 Views, 4 Helpful, 2 Replies