Cisco Support Community

New Member

Destination NAT on ACE - overlap vip/NAT


I have a situation where we need a destination NAT to happen on the ACE for an outbound flow that is redirected into SSLM modules, then comes back to the ACE and is forwarded outward. There is a requirement to keep the SSLM module redirection, so we will not be able to achieve the encryption for the outbound connection by using the ACE.

I have a conflict when trying to implement this, as the real destination VIP ( 443) is being matched on two “match-any” class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to “static nat” the destination address when the flow leaves the ACE.

Any suggestions on how to achieve the destination NAT in this case?


! redirect to/from ssl blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)
class-map match-any traffic-from-ssl-blade-cm
  description match vip and Port 443
  168 match virtual-address tcp eq 8443
class-map match-any traffic-to-ssl-blade-cm
  168 match virtual-address tcp eq 80

! Match the destination address that will be natted for on port 443
access-list nat-test-srvr line 8 extended permit tcp host eq 443 any
class-map match-any nat-test-srvr-cm
  2 match access-list nat-test-srvr

! Apply the static nat on the policy associated with the outside interface - natting to be triggered when packets
! leave the ACE
policy-map multi-match Dnat_policy
  class nat-test-srvr-cm
    nat static netmask tcp eq 8443 vlan 491

Error: Cannot overlap vip or NAT address configured in a shared interface

interface vlan 490
  description Outside interface
  bridge-group 4
  service-policy input Dnat_policy

interface vlan 491
  description Inside interface - flow from SSLM
  bridge-group 4
  service-policy input traffic-from-sslm


Cisco Employee

Re: Destination NAT on ACE - overlap vip/NAT

If you want to do a destination NAT, simply configure load balancing with a single real.

So do a class-map to match virtual ip tcp eq 443.

Create an rserver with IP address

Add this rserver in a serverfarm.

And link everything together with a policy.
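The steps in the reply above, written out as an ACE configuration. This is an added example, not part of the original thread: every object name, the VIP 198.51.100.10, the real address 192.0.2.10 and the interface the policy is attached to are constructed placeholders, since the thread's own addresses are not shown.

```cisco
! Added example - names and addresses are placeholders, not values from the thread.

! 1. The single real server: the address the flow should actually be sent to.
rserver host DNAT-REAL
  ip address 192.0.2.10
  inservice

! 2. A serverfarm containing only that rserver. The optional port after the
!    rserver name rewrites the destination port; leave it off to keep 443.
serverfarm host DNAT-SF
  rserver DNAT-REAL 8443
    inservice

! 3. Match the destination VIP on tcp/443.
class-map match-all DNAT-VIP-cm
  2 match virtual-address 198.51.100.10 tcp eq 443

! 4. Layer 7 load-balancing policy: everything goes to the one-member farm.
policy-map type loadbalance first-match DNAT-LB
  class class-default
    serverfarm DNAT-SF

! 5. Tie the VIP class to the load-balancing policy.
policy-map multi-match DNAT-POLICY
  class DNAT-VIP-cm
    loadbalance vip inservice
    loadbalance policy DNAT-LB

! 6. Attach the multi-match policy to the interface where the flow enters
!    the ACE (assumption: vlan number is a placeholder).
interface vlan 100
  service-policy input DNAT-POLICY
```

With one rserver in the farm there is no balancing decision to make, so the only effect is the destination rewrite from the VIP to the rserver address, and no separate `nat static` entry for the VIP address is needed.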

