02-01-2012 07:24 PM
Hi Experts,
I have an ACE 4710 set up to load balance HTTP and HTTPS only, and it seems to be working fine.
Now I have another requirement: to NAT all real server IPs (server-side internal network 10.8.8.0) to the VIP (192.168.1.20).
Our configuration is as below:
The two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP is 10.8.8.254).
VLAN v400 faces the public side; the v400 interface IP is 192.168.1.10, with one VIP 192.168.1.20. The VIP is mapped to the two real servers.
I need to configure: all outgoing traffic from network 10.8.8.0 to the public side should have its source IP NATed to 192.168.1.20 (the VIP, not the interface real IP 192.168.1.10).
Thanks,
BQ
02-01-2012 08:04 PM
Hello BQ,
I would say it should look like this:
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

interface vlan 50
  description "Client-Server VLAN"
  ip address 192.168.1.2 255.255.255.0
  access-group input everyone
  service-policy input client-vips
  service-policy input remote-access
  nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
  no shutdown

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 50

class-map match-all slb-vip
  2 match virtual-address 192.168.1.20 eq tcp www

policy-map type loadbalance first-match slb
  class class-default
    serverfarm web

serverfarm host web
  rserver lnx1
    inservice
  rserver lnx2
    inservice

rserver host lnx1
  ip address 10.8.8.2
  inservice
rserver host lnx2
  ip address 10.8.8.3
  inservice

ip route 0.0.0.0 0.0.0.0 192.168.1.1
Hope this helps!!!
Jorge
02-02-2012 07:47 PM
Hi Jorge,
Thanks for your reply. I have already added the NAT pool "nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat", but it seems to have no effect on the traffic; whether I add the NAT pool or not, there is no difference. Does the NAT pool affect outgoing packets (like traffic initiated from a real server to access a public web server (www.yahoo.com))? I want public users to see all traffic from VIP 192.168.1.20.
Thanks!!!
02-04-2012 06:02 AM
Where is the traffic generated? From the client side or the server side?
Could you provide us with an output like this: "#show service-policy client-vips class slb-vip detail" ?
Jorge
02-04-2012 01:25 PM
Here are a few things you could try:

1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
   change to
   nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)

2. service-policy input remote-access
   Do you have a management VLAN interface defined? If so, add it to that interface.

3. The requirements are to LB HTTP (80) and HTTPS (443). In this case you would need two separate VIPs defined:

   VIP1:
   class-map match-all slb-vip
     2 match virtual-address 192.168.1.20 eq tcp 80

   VIP2:
   class-map match-all slb-vip
     2 match virtual-address 192.168.1.20 eq tcp 443

Is there a requirement to redirect HTTP traffic? If so, you would need to define another class-map to redirect HTTP traffic to HTTPS.
show service-policy client-vips detail
HTH
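
An added example, not written by any poster in this thread: a small Python check that reads an ACE configuration in the layout posted above and reports, for each `nat dynamic` line, the class it sits under, what that class matches, which interfaces the policy is attached to, and whether the referenced nat-pool exists on the named VLAN. The function name `audit_nat` and the trimmed sample text are constructed for illustration, and the parsing assumes only the keywords shown in this thread.

```python
import re

# Constructed sample: the configuration posted in this thread, trimmed.
SAMPLE = """\
interface vlan 50
  service-policy input client-vips
  nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    nat dynamic 5 vlan 50
class-map match-all slb-vip
  2 match virtual-address 192.168.1.20 eq tcp www
"""

def audit_nat(config):
    """Return one dict per 'nat dynamic' line, cross-referenced with the rest."""
    pools, attached, matches, rules = set(), {}, {}, []
    vlan = policy = cls = cmap = None          # current section context
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan (\d+)$", line):
            vlan, policy, cls, cmap = int(m[1]), None, None, None
        elif line.startswith("policy-map "):
            vlan = cls = cmap = None
            # only multi-match (L3/L4) policies carry 'nat dynamic' in this layout
            policy = line.split()[-1] if " multi-match " in line else None
        elif line.startswith("class-map "):
            vlan, policy, cls, cmap = None, None, None, line.split()[-1]
        elif vlan is not None and (m := re.match(r"nat-pool (\d+) ", line)):
            pools.add((vlan, int(m[1])))
        elif vlan is not None and (m := re.match(r"service-policy input (\S+)$", line)):
            attached.setdefault(m[1], []).append(vlan)
        elif cmap and (m := re.match(r"\d+ match (.+)$", line)):
            matches.setdefault(cmap, []).append(m[1])
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m[1]
        elif policy and cls and (m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line)):
            rules.append({"policy": policy, "class": cls,
                          "pool": int(m[1]), "egress_vlan": int(m[2])})
    for r in rules:   # resolve after the full pass: sections may come in any order
        r["ingress_vlans"] = attached.get(r["policy"], [])
        r["class_matches"] = matches.get(r["class"], [])
        r["pool_defined"] = (r["egress_vlan"], r["pool"]) in pools
    return rules

if __name__ == "__main__":
    for rule in audit_nat(SAMPLE):
        print(rule)
```

For the sample, the single rule is attached to VLAN 50 as an input policy and sits under a class that matches only the virtual address, which is the scope to compare against where the traffic in question actually enters the ACE.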