
a DNAT is not working on ACE

ROMAN TOMASEK
Level 1

Hi,

I configured the DNAT on ACE. You can see this configuration below:

access-list traffic line 8 extended permit ip any any

class-map match-any NAT_class
  2 match destination-address 192.168.1.11 255.255.255.255

policy-map multi-match NAT_policy
  class NAT_class
    nat static 172.16.11.11 netmask 255.255.255.255 vlan 345

access-group input traffic

interface vlan 341
  description Server vlan
  ip address 192.168.1.1 255.255.255.0
  service-policy input NAT_policy
  no shutdown
interface vlan 345
  ip address 172.16.11.2 255.255.255.0
  no shutdown

When I tried to ping from the server to the address 192.168.1.11, no NAT was provided :-( I have no matches in the output of show service-policy:

sho service-policy NAT_policy detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 341
  service-policy: NAT_policy
    class: NAT_class
      nat:
        nat static 172.16.11.11 vlan 345
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

I hope that the configuration is right. So why is the NAT not provided by ACE?

Thank you very much.

Roman


cpomeroy
Level 1

Roman,

The configuration you supplied is for source NAT. With the configuration you have, any packet destined for 192.168.1.11 will be source NATted to 172.16.11.11 if it exits interface 345.

The ACE is a load balancer, so by default the ACE will do destination NAT, so to get the behavior you want you should create a virtual address and do it that way.

For example:

rserver host server
  ip address 172.16.11.11
  inservice

serverfarm host serverfarm
  rserver server
    inservice

class-map match-all vip
  match virtual-address 192.168.1.11 any

policy-map type loadbalance first-match TEST
  class class-default
    serverfarm serverfarm

policy-map multi-match policy
  class vip
    loadbalance vip inservice
    loadbalance policy TEST
    loadbalance vip icmp-reply active

interface vlan 342
  service-policy input policy


http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html

Hi Christopher,

So there is no possibility to provide destination NAT?

For example, in a situation where I want to communicate from a server to some private address as the destination address, and this address will be translated into a public address on the client side. See:

The server will send the packet with destination address 10.0.0.1 - ACE will translate this destination address into the address 193.16.0.1.

I don't want to use LB with VIP!!

Thanks

Roman

To my knowledge, what you are asking for is not possible without going through a VIP. When you create a match destination address 192.168.1.11, the ACE does not create an ARP entry for it. So the upstream router would not know where to send the packet.

Thanks,

Chris