Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1786
Views
0
Helpful
1
Replies

Destination NAT on ACE - overlap vip/NAT

kam-hash00
Level 1
Level 1

‎11-15-2009 03:44 PM

Greetings,

I have a situation where we need a destination nat to happen on ACE for an outbound flow that is redirected into SSLM modules, then coming back to the ACE and forwarded outward. There is a requirement to keep the SSLM module redirection so will not be able to achieve the encryption for the outbound connection by using the ACE.

I have a conflict when trying to implement as the real destination VIP (10.11.12.158 443) is being matched on two “match-any” class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to “static nat” the destination address when the flow leaves the ACE.

Any suggestion how to achieve the destination natting in this case?

------------------------------------------------------------------------------------------------------

! redirect to/from ssl blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)

class-map match-any traffic-from-ssl-blade-cm

description match vip and Port 443

168 match virtual-address 10.11.12.158 tcp eq 8443

class-map match-any traffic-to-ssl-blade-cm

168 match virtual-address 10.11.12.158 tcp eq 80

! Match the destination address that will be natted for on port 443

access-list nat-test-srvr line 8 extended permit tcp host 211.212.213.105 eq 443 any

class-map match-any nat-test-srvr-cm

2 match access-list nat-test-srvr

! Apply the static nat on the policy associated with the outside interface - natting to be triggered when packets

! leave the ACE

policy-map multi-match Dnat_policy

class nat-test-srvr-cm

nat static 10.11.12.158 netmask 255.255.255.255 tcp eq 8443 vlan 491

Error: Cannot overlap vip or NAT address configured in a shared interface

interface vlan 490

description Outside interface

bridge-group 4

service-policy input Dnat_policy

interface vlan 491

description Inside interface - flow from SSLM

bridge-group 4

service-policy input traffic-from-sslm

------------------------------------------------------------------------------------------------------

Labels:
0 Helpful
1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

‎11-16-2009 05:45 AM

if you want to do a destination nat, simply configure loadbalancing with a single real.

So do a class-map to match virtual ip 211.212.213.105 tcp eq 443.

Create a rserver with ip address 10.11.12.158

Add this rserver in a serverfarm.

And link everything together with a policy.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents