ACE & 1/2 NAT vs. Full NAT

cajalat
Level 1

I'm running into a problem with Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.

My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.

- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections are treated as 1/2 NAT?

- Is there an alternative method for me to do what I need?

- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.

Thanks in advance.

Casey

Accepted Solution

Gilles Dufour
Cisco Employee

Casey,

You can apply a NAT policy to the server VLAN only, so traffic will only be NATed when the connection comes from the server VLAN.

If you don't want to NAT all traffic, you can use a class-map that only matches a specific destination IP.

If you need further detail let me know.

Gilles.


2 Replies


Gilles,

I've been meaning to respond back to tell you that this is a better answer than I had hoped for. The only reason I needed to use NAT in the first place was because of the TCP 3-way handshake problem with servers from behind the ACE needing to access the VIP. This is perfect. Thank you.

Casey
