topic Re: ACE: (r)server access to own VIP = NAT? in Application Networking

ACE: (r)server access to own VIP = NAT?

Roble Mumin — Mon, 04 Jan 2010 14:07:22 GMT

We are currently in a scenario where a Server (located on the server side) needs to access the VIP on the client side network. The VIP loadbalances to adjacent LDAP rservers and the regarding server needs to access this loadbalanced service. Is it correct that i need NAT (SNAT) the traffic from the accessing server to a dedicated IP in the client side vlan?

I made quick drawing which hopefully explains my question better.

Thanks for reading

Roble

Re: ACE: (r)server access to own VIP = NAT?

Gilles Dufour — Mon, 04 Jan 2010 15:51:42 GMT

Robble,

happy new year.

Your assumption is correct. You need snat for servers to access the vip.

But the nat address can be anything. It does not have to be from the client side. Easiest solution is to use an ip address for the server subnet so that the servers can simply access it with an arp request.

Gilles.

Re: ACE: (r)server access to own VIP = NAT?

Roble Mumin — Mon, 04 Jan 2010 21:07:22 GMT

Hey Gilles and happy new year,

i am not really sure if i understood it correctly regarding the above scenario. Would following config snippet make sure that traffic originating from 192.168.10.0/24 gets translated to 10.20.30.230 when accessing any resource within 10.20.30.0/24?

Is it correct that the nat pool defined in vlan 10 could be anything eg. (nat-pool 69 1.2.3.4 1.2.3.4 netmask 255.255.255.0 pat) as long as that address does not need to be routed?

Thanks for reading

Roble

---

access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0

class-map match-any NAT_CLASS

match access-list NAT-Definition

policy-map multi-match NAT-Policy

class NAT_CLASS

nat dynaymic 69 vlan 10

policy-map multi-match LB-POLICY

class foo

[...]

class foobar

[...]

interface vlan 192

description Server_Side_VLAN

ip address 192.168.10.254 255.255.255.0

service-policy input NAT-Policy

no shut

interface vlan 10

description Client_Side_VLAN

ip address 10.20.30.254 255.255.255.0

nat-pool 69 10.20.30.230 10.20.30.230 netmask 255.255.255.0 pat

service-policy input LB-POLICY

no shut

Re: ACE: (r)server access to own VIP = NAT?

Gilles Dufour — Tue, 05 Jan 2010 07:51:19 GMT

Robble,

if the destination ip address is a vip, the outgoing interface is not vlan 10 (where the vip address belongs) but vlan 192 where the rservers are located.

So, you will need a natpool in the rserver vlan 192 and modify your nat dynamic command to point at this natpool.

Gilles.

Re: ACE: (r)server access to own VIP = NAT?

Roble Mumin — Thu, 07 Jan 2010 08:03:55 GMT

Hi Gilles,

i think i get it now. Because the NAT'ed IP stays local to the ACE it can be anything and the initial issue is with the returning traffic from the Real Server not flowing back through the ACE but directly being send to the requesting host.

Is that and the according config snippet correct?

access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
!
class-map match-any NAT_CLASS
match access-list NAT-Definition
!
policy-map multi-match NAT-Policy
description NAT-Policy´
class NAT_CLASS
nat dynaymic 1 vlan 192
!
interface vlan 192
description Server Side VLAN
ip address 192.168.10.254 255.255.255.0
nat-pool 1 172.16.32.1 172.16.32.1 netmask 255.255.255.0 pat
service-policy input NAT-Policy
no shut

Roble

Re: ACE: (r)server access to own VIP = NAT?

Gilles Dufour — Thu, 07 Jan 2010 10:22:51 GMT

your understanding is correct.

You need to avoid the rserver responding directly to the client sitting on the same subnet (the client would not accept the answer since it is expecting a response from the vip=ACE).

The config looks good.

Gilles.

Re: ACE: (r)server access to own VIP = NAT?

Roble Mumin — Fri, 08 Jan 2010 09:42:47 GMT

Hey Gilles,

thanks again for the clarification. The configuration worked out problem solved!

Roble