I would like to configure NAT on the returning traffic from the rservers.
So far I've been able to NAT traffic from the client side to the server side OK, but for some reason I am unable to NAT the returning traffic from the reals to the clients.
I want the returning traffic to show a dummy source IP address when sent from the ACE to the client, hence the 10.10.106.31 IP address.
My problem is that even though I've got this "match any" statement in my NAT class map, it does not seem to match anything.
Same thing: I've configured an access-list on the server interface to deny the returning traffic and it did not block anything on vlan 999.
Traffic obviously flows through vlan 999, but I don't know why it does not trigger the class-map statement or even the access-list I've applied before.
It seems the only way to get a hit on either the class map or the access-list is to apply it on the client side or globally.
The configuration I've tried is:
access-list PERMIT_ALL line 10 extended permit ip any any

rserver host SRV01
  ip address 192.168.1.10
rserver host SRV02
  ip address 192.168.1.11

class-map match-any CM_L4_NAT_TEST
  2 match any

policy-map multi-match PM_L4_NAT_TEST
  nat dynamic 1 vlan 2000

interface vlan 999
  description SERVER SIDE / INSIDE INTERFACE
  ip address 192.168.1.252 255.255.255.0
  alias 192.168.1.254 255.255.255.0
  peer ip address 192.168.1.253 255.255.255.0
  service-policy input PM_L4_NAT_TEST

interface vlan 1999
  description CLIENT SIDE VLAN
  ip address 192.168.48.28 255.255.255.224
  alias 192.168.48.30 255.255.255.224
  peer ip address 192.168.48.29 255.255.255.224
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  nat-pool 1 10.10.106.31 10.10.106.31 netmask 255.255.255.255 pat
  service-policy input PM_L4_ICMP_POLICY
>> Any idea how to NAT the source IP address of returning traffic?

Here is what I do if I am going to NAT for the rservers...
class-map match-all REAL_31
  2 match source-address a.b.c.31 255.255.255.255
class-map match-all REAL_32
  2 match source-address a.b.c.32 255.255.255.255
class-map match-all REAL_33
  2 match source-address a.b.c.33 255.255.255.255
class-map match-all REAL_34
  2 match source-address a.b.c.34 255.255.255.255
class-map match-all REAL_41
  2 match source-address a.b.c.41 255.255.255.255
class-map match-all REAL_42
  2 match source-address a.b.c.42 255.255.255.255
class-map match-all REAL_43
  2 match source-address a.b.c.43 255.255.255.255
class-map match-all REAL_44
  2 match source-address a.b.c.44 255.255.255.255

policy-map multi-match src-nat-servers
  nat static a.b.c.131 netmask 255.255.255.255 vlan 311
  nat static a.b.c.132 netmask 255.255.255.255 vlan 311
  nat static a.b.c.133 netmask 255.255.255.255 vlan 311
  nat static a.b.c.141 netmask 255.255.255.255 vlan 311
  nat static a.b.c.142 netmask 255.255.255.255 vlan 311
  nat static a.b.c.143 netmask 255.255.255.255 vlan 311
  nat static a.b.c.134 netmask 255.255.255.255 vlan 311
  nat static a.b.c.144 netmask 255.255.255.255 vlan 311

interface vlan 310
  description WEB FE VLAN (RSEVERS ARE ON THIS INTERFACE)
  service-policy input src-nat-servers

interface vlan 311
  description TO_ASA (VIPS are Mapped here)
Hope this helps
Thanks for your answer.
As I explained earlier, the problem I have is that no match statement seems to.... "match" the traffic returning to the client from the rservers.
I used:

class-map match-any CM_NAME
  2 match any

and even that did not get any hits. (I verified with show service-policy POLICY_NAME.)
Aside from that, my config is pretty similar to yours.
I don't think you want to NAT the returning traffic from your servers to a different IP other than the VIP, and that is an action the ACE takes by default when the response comes back from your physical server.
I'm checking my ACE books and can't find any possible config to do such a thing. Not sure how your app works, but most likely, if this were possible, the TCP connection would never complete, as the client would receive a response from a different source than the VIP, which leads it to drop the packet; the exact same thing you see when facing asymmetric routing issues.
If you're looking to NAT server-initiated traffic, the ACE can do that ... for example TFTP/DNS server responses.
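The following is an added illustration, not ACE code or anything from the posters: a toy Python model of a flow-based load balancer in which the ingress interface's service policy classifies only the first packet of a new connection, while the reply half of an established connection is forwarded by the flow entry installed when the forward half was load-balanced. It reproduces both observations in the thread: the "match any" class on vlan 999 shows zero hits for server replies (which leave with the VIP as source), yet a new server-initiated connection on the same interface does hit the class and gets source-NATed to the pool address. The VIP (192.168.48.50), the client address (192.168.48.100), the DNS server address and the port numbers are constructed for the example; the real server and pool addresses are the ones from the thread. The exact internals of the ACE are an assumption of this model.

```python
"""Toy flow-table model of service-policy classification (added example, not ACE code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_vlan: int
    src: str
    dst: str
    sport: int
    dport: int


class AceModel:
    """Assumed behaviour: new connections are classified by the ingress interface's
    service policy; packets of an established connection follow their flow entry
    and are never re-classified (so per-class hit counters do not increment)."""

    def __init__(self):
        self.policies = defaultdict(list)  # vlan -> [(class_name, match_fn, action)]
        self.flows = {}                    # (src, dst, sport, dport) -> (new_src, new_dst)
        self.hits = defaultdict(int)       # (vlan, class_name) -> hits, like 'show service-policy'

    def add_class(self, vlan, class_name, match_fn, action):
        self.policies[vlan].append((class_name, match_fn, action))

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.flows:
            # Fast path: established flow, rewrite per the stored entry and forward.
            new_src, new_dst = self.flows[key]
            return Packet(pkt.ingress_vlan, new_src, new_dst, pkt.sport, pkt.dport)
        # Slow path: first packet of a new connection, walk the ingress policy in order.
        for class_name, match_fn, action in self.policies[pkt.ingress_vlan]:
            if match_fn(pkt):
                self.hits[(pkt.ingress_vlan, class_name)] += 1
                return action(self, pkt)
        return pkt  # nothing matched: forwarded unchanged


def lb_to_real(vip, real):
    """Load-balance action: send client->VIP to the real and install both flow halves."""
    def action(ace, pkt):
        ace.flows[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = (pkt.src, real)
        # The reply half is created now: real->client leaves with the VIP as source.
        ace.flows[(real, pkt.src, pkt.dport, pkt.sport)] = (vip, pkt.src)
        return Packet(pkt.ingress_vlan, pkt.src, real, pkt.sport, pkt.dport)
    return action


def nat_dynamic(pool_ip):
    """'nat dynamic' action for a new connection: source-NAT to the pool address."""
    def action(ace, pkt):
        ace.flows[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = (pool_ip, pkt.dst)
        ace.flows[(pkt.dst, pool_ip, pkt.dport, pkt.sport)] = (pkt.dst, pkt.src)
        return Packet(pkt.ingress_vlan, pool_ip, pkt.dst, pkt.sport, pkt.dport)
    return action


VIP = "192.168.48.50"      # constructed VIP on the client-side VLAN
CLIENT = "192.168.48.100"  # constructed client
REAL = "192.168.1.10"      # SRV01 from the thread
POOL = "10.10.106.31"      # nat-pool address from the thread


def build_ace():
    ace = AceModel()
    # Client-side VLAN: a class matching the VIP, load-balanced to SRV01.
    ace.add_class(1999, "CM_VIP", lambda p: p.dst == VIP and p.dport == 80, lb_to_real(VIP, REAL))
    # Server-side VLAN: the poster's 'match any' class with a 'nat dynamic' action.
    ace.add_class(999, "CM_L4_NAT_TEST", lambda p: True, nat_dynamic(POOL))
    return ace


def run_scenario():
    ace = build_ace()
    fwd = ace.process(Packet(1999, CLIENT, VIP, 40000, 80))   # client -> VIP
    rev = ace.process(Packet(999, REAL, CLIENT, 80, 40000))   # server reply on vlan 999
    hits_after_reply = ace.hits[(999, "CM_L4_NAT_TEST")]
    new = ace.process(Packet(999, REAL, "192.0.2.53", 50000, 53))  # server-initiated DNS query
    return {
        "forward_dst": fwd.dst,
        "return_src": rev.src,
        "nat_class_hits_after_reply": hits_after_reply,
        "nat_class_hits_after_server_initiated": ace.hits[(999, "CM_L4_NAT_TEST")],
        "server_initiated_src": new.src,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In this model the reply packet never reaches the classifier on vlan 999 because its 4-tuple already has a flow entry, which is why a "match any" class or an input ACL on that interface shows no hits for it; only a connection that originates on the server side is classified there.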
Thanks for your answer.
It does not make sense to change the source IP of the returning traffic; it's just me playing with the ACE appliance and Wireshark.
To be honest, I'm surprised the class-map "match any" does not match the returning traffic to the client on the server-side interface.
I'd be curious to see how class-map / policy-maps work internally.