I configured the DNAT on ACE. You can see this configuration below:
access-list traffic line 8 extended permit ip any any
class-map match-any NAT_class
  2 match destination-address 192.168.1.11 255.255.255.255
policy-map multi-match NAT_policy
  nat static 172.16.11.11 netmask 255.255.255.255 vlan 345
access-group input traffic
interface vlan 341
  description Server vlan
  ip address 192.168.1.1 255.255.255.0
  service-policy input NAT_policy
interface vlan 345
  ip address 172.16.11.2 255.255.255.0
When I tried to ping from the server to the address 192.168.1.11, no NAT was provided :-( I have no matches in the output of show service-policy:
sho service-policy NAT_policy detail
Status : ACTIVE
Interface: vlan 341
nat static 172.16.11.11 vlan 345
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
I hope that the configuration is right. So why is the NAT not provided by the ACE?
Thank you very much.
The configuration you supplied is for source NAT. With the configuration you have, any packet destined for 192.168.1.11 will be source NATted to 172.16.11.11 if it exits interface 345.
The ACE is a load balancer, so by default the ACE will do destination NAT. To get the behavior you want, you should create a virtual address and do it that way.
rserver host server
  ip address 172.16.11.11
serverfarm host serverfarm
class-map match-all vip
  match virtual-address 192.168.1.11 any
policy-map type loadbalance first-match TEST
policy-map multi-match policy
  loadbalance vip inservice
  loadbalance policy TEST
  loadbalance vip icmp-reply active
interface vlan 342
  service-policy input policy
So there is no possibility to provide destination NAT?
For example, in a situation where I want to communicate from a server to some private address as the destination address, and this address will be translated into a public address on the client side. See:
The server will send the packet with destination address 10.0.0.1, and the ACE will translate this destination address into the address 184.108.40.206.
I don't want to use LB with VIP!!
To my knowledge, what you are asking for is not possible without going through a VIP. When you create a match destination address 192.168.1.11, the ACE does not create an ARP entry for it. So the upstream router would not know where to send the packet.
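The ARP point in the last reply can be turned into a configuration check. The following is an added example, not code from any poster in this thread or from Cisco: it scans an ACE-style configuration for addresses matched with destination-address that sit inside a directly connected VLAN subnet without being an interface address or a VIP. The function name and the sample text are assumptions, and the ACE's ARP behaviour is taken from the reply above.

```python
import ipaddress
import re

# Constructed sample: the first post's configuration, indented for readability.
SAMPLE_CONFIG = """\
class-map match-any NAT_class
  2 match destination-address 192.168.1.11 255.255.255.255
policy-map multi-match NAT_policy
  nat static 172.16.11.11 netmask 255.255.255.255 vlan 345
interface vlan 341
  ip address 192.168.1.1 255.255.255.0
  service-policy input NAT_policy
interface vlan 345
  ip address 172.16.11.2 255.255.255.0
"""

def unanswered_destinations(config):
    """Return (address, vlan) for each matched destination that lies in a
    connected subnet but is neither an interface address nor a VIP."""
    subnets, vips, matched, vlan = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan (\d+)$", line):
            vlan = int(m[1])
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            subnets[vlan] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"(?:\d+ )?match virtual-address (\S+)", line):
            vips.add(ipaddress.ip_address(m[1]))
        elif m := re.match(r"(?:\d+ )?match destination-address (\S+) (\S+)$", line):
            matched.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    findings = []
    for net in matched:
        addr = net.network_address  # host matches (/32) are the case in the thread
        for vlan_id, iface in subnets.items():
            on_link = net.subnet_of(iface.network)
            if on_link and addr != iface.ip and addr not in vips:
                findings.append((str(addr), vlan_id))
    return findings

if __name__ == "__main__":
    for addr, vlan_id in unanswered_destinations(SAMPLE_CONFIG):
        print(f"{addr} on vlan {vlan_id}: matched by destination-address only, no VIP")
```

On the sample it reports 192.168.1.11 on vlan 341, the address the server was pinging while the hit count stayed at 0.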