11-15-2009 03:44 PM
Greetings,
I have a situation where we need a destination nat to happen on ACE for an outbound flow that is redirected into SSLM modules, then coming back to the ACE and forwarded outward. There is a requirement to keep the SSLM module redirection so will not be able to achieve the encryption for the outbound connection by using the ACE.
I have a conflict when trying to implement as the real destination VIP (10.11.12.158 443) is being matched on two "match-any" class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to "static nat" the destination address when the flow leaves the ACE.
Any suggestion how to achieve the destination natting in this case?
------------------------------------------------------------------------------------------------------
! redirect to/from ssl blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)
class-map match-any traffic-from-ssl-blade-cm
description match vip and Port 443
168 match virtual-address 10.11.12.158 tcp eq 8443
class-map match-any traffic-to-ssl-blade-cm
168 match virtual-address 10.11.12.158 tcp eq 80
! Match the destination address that will be natted for on port 443
access-list nat-test-srvr line 8 extended permit tcp host 211.212.213.105 eq 443 any
class-map match-any nat-test-srvr-cm
2 match access-list nat-test-srvr
! Apply the static nat on the policy associated with the outside interface - natting to be triggered when packets
! leave the ACE
policy-map multi-match Dnat_policy
class nat-test-srvr-cm
nat static 10.11.12.158 netmask 255.255.255.255 tcp eq 8443 vlan 491
Error: Cannot overlap vip or NAT address configured in a shared interface
interface vlan 490
description Outside interface
bridge-group 4
service-policy input Dnat_policy
interface vlan 491
description Inside interface - flow from SSLM
bridge-group 4
service-policy input traffic-from-sslm
------------------------------------------------------------------------------------------------------
11-16-2009 05:45 AM
if you want to do a destination nat, simply configure loadbalancing with a single real.
So do a class-map to match virtual ip 211.212.213.105 tcp eq 443.
Create a rserver with ip address 10.11.12.158
Add this rserver in a serverfarm.
And link everything together with a policy.
Gilles.
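The steps Gilles lists, written out as an ACE configuration fragment. This is an added illustration, not configuration from the thread; the object names (dnat-vip-cm, dnat-real, dnat-real-sf, dnat-lb-policy) are assumptions, and the addresses are the ones from the original question. The serverfarm keeps the destination port unchanged; if the real must be reached on a different port, the rserver line inside the serverfarm accepts a port argument.

```text
! Match the outbound destination as a VIP instead of with a NAT ACL
class-map match-any dnat-vip-cm
  2 match virtual-address 211.212.213.105 tcp eq 443
! Single real server carrying the address the flow should be translated to
rserver host dnat-real
  ip address 10.11.12.158
  inservice
! Serverfarm containing only that real; add a port after the rserver name
! if the destination port must change as well
serverfarm host dnat-real-sf
  rserver dnat-real
  inservice
! Layer 4 load-balance policy: every flow in the class goes to the farm
policy-map type loadbalance first-match dnat-lb-policy
  class class-default
    serverfarm dnat-real-sf
! Multi-match policy tying the VIP class to the load-balance policy
policy-map multi-match Dnat_policy
  class dnat-vip-cm
    loadbalance vip inservice
    loadbalance policy dnat-lb-policy
! Apply on the interface where the outbound flow enters the ACE
interface vlan 490
  description Outside interface
  bridge-group 4
  service-policy input Dnat_policy
```

Because the destination address is rewritten by the load balancer rather than by a `nat static` statement, no NAT address overlapping the existing 10.11.12.158 VIP is configured on the shared interface, which is what the "Cannot overlap vip or NAT address" error was objecting to. A `show service-policy Dnat_policy` after applying it shows whether the class is matching and the VIP is in service.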