Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Per-ServerFarm SNAT on ACE Module.

Dear all,

I hace an ACE Module configured in Multiple Routed Contexts.

My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.

Also, the cust wants that different serverfarms comunicate each other within the same VLAN.

I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.

Is this correct?

The software version is A2(3,5).

Thanks a lot!


Cisco Employee

Per-ServerFarm SNAT on ACE Module.

Hi David

Could you please calrify and maybe separate tasks you have ?

As I understand you have such tasks for now :

1) Don't show rserver IPs anywere outside ACE

2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP

First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)

Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?

2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.


policy-map multi-match VIP_IN

class MY-CLASS

loadb vip ins

loadb policy MY-L7Policy

nat 1 dynamic vlan X << - inside interface

and then on inside interface

inter vlan X

nat-pool 1Y.Y.Y.Y netmask pat

In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet and VIP for this serverfarm is When you confiure like I wrote above this will happen :

Server #3 connects to, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to , thus to ACE.

Per-ServerFarm SNAT on ACE Module.

Hy Borys.

I'm going to try to explain you better.



As you say, I need that rserver IP address stay hidden outside ACE. The clients talks always with the VIP and they don't know anything about real IP addresses but there are situations when the rserver open a session outside ACE. In this case, the cust wants that every rserver appear whith outside ACE with the VIP that represents it. In other words, I need to user SNAT with the VIP address. This NAT will be different for each serverfarm.



The cust wants to concentrate all rservers in one VLAN. Obviosly, in this VLAN will be different serverfarms and they need to communicate each other. Another time, I need SNAT to force the traffic pass through the ACE, but this NAT must be different for each serverfarm, because the cust want to use the VIP of every serverfarm to do the NAT.

I hope this will be more clear

Thank you!!!