ACE - 4710 : NAT return traffic

ThibaultMean
Level 1

Hello,

I would like to configure NAT on the returning traffic from the rservers.

So far I've been able to NAT traffic from the client side to the server side OK, but for some reason I am unable to NAT the returning traffic from the reals to the clients.

I want the returning traffic to show a dummy source IP address when sent from the ACE to the client, hence the 10.10.106.31 IP address.

My problem is that even though I've got this "match any" statement in my NAT class map, it does not seem to match anything.

Similarly, I've configured an access-list on the server interface to deny the returning traffic and it did not block anything on VLAN 999.

Traffic obviously flows through VLAN 999, but I don't know why it does not trigger the class-map statement or even the access-list I've applied before.

It seems the only way to get a hit on either the class map or the access-list is to apply it on the client side or globally.

Configuration I've tried is :

access-list PERMIT_ALL line 10 extended permit ip any any

rserver host SRV01
  ip address 192.168.1.10
  inservice
rserver host SRV02
  ip address 192.168.1.11
  inservice

class-map match-any CM_L4_NAT_TEST
  2 match any


policy-map multi-match PM_L4_NAT_TEST
  class CM_L4_NAT_TEST
    nat dynamic 1 vlan 2000


interface vlan 999
  description SERVER SIDE / INSIDE INTERFACE
  ip address 192.168.1.252 255.255.255.0
  alias 192.168.1.254 255.255.255.0
  peer ip address 192.168.1.253 255.255.255.0
  no icmp-guard
  service-policy input PM_L4_NAT_TEST
  no shutdown


interface vlan 1999
  description CLIENT SIDE VLAN
  ip address 192.168.48.28 255.255.255.224
  alias 192.168.48.30 255.255.255.224
  peer ip address 192.168.48.29 255.255.255.224
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  nat-pool 1 10.10.106.31 10.10.106.31 netmask 255.255.255.255 pat
  service-policy input PM_L4_ICMP_POLICY
  no shutdown


>> Any idea on how to nat source ip address for returning traffic?

Regards,

Thibault.

4 Replies

melcara
Level 1

Here is what I do if I am going to NAT for the RServers...

class-map match-all REAL_31
  2 match source-address a.b.c.31 255.255.255.255
class-map match-all REAL_32
  2 match source-address a.b.c.32 255.255.255.255
class-map match-all REAL_33
  2 match source-address a.b.c.33 255.255.255.255
class-map match-all REAL_34
  2 match source-address a.b.c.34 255.255.255.255
class-map match-all REAL_41
  2 match source-address a.b.c.41 255.255.255.255
class-map match-all REAL_42
  2 match source-address a.b.c.42 255.255.255.255
class-map match-all REAL_43
  2 match source-address a.b.c.43 255.255.255.255
class-map match-all REAL_44
  2 match source-address a.b.c.44 255.255.255.255

policy-map multi-match src-nat-servers
  class REAL_31
    nat static a.b.c.131 netmask 255.255.255.255 vlan 311
  class REAL_32
    nat static a.b.c.132 netmask 255.255.255.255 vlan 311
  class REAL_33
    nat static a.b.c.133 netmask 255.255.255.255 vlan 311
  class REAL_41
    nat static a.b.c.141 netmask 255.255.255.255 vlan 311
  class REAL_42
    nat static a.b.c.142 netmask 255.255.255.255 vlan 311
  class REAL_43
    nat static a.b.c.143 netmask 255.255.255.255 vlan 311
  class REAL_34
    nat static a.b.c.134 netmask 255.255.255.255 vlan 311
  class REAL_44
    nat static a.b.c.144 netmask 255.255.255.255 vlan 311

interface vlan 310
  description WEB FE VLAN (RSERVERS ARE ON THIS INTERFACE)
  service-policy input src-nat-servers

interface vlan 311
  description TO_ASA (VIPS are Mapped here)

Hope this helps
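A small consistency check for the two NAT patterns in this thread (Thibault's `nat dynamic <pool> vlan <n>` and melcara's `nat static ... vlan <n>`), added here as an example and not part of either post. On the ACE, `nat dynamic` names a `nat-pool` that must be configured under the `interface vlan` given in the same command, and `nat static` must name an existing VLAN interface. The sample config is constructed to mirror the first post: pool 1 sits under `interface vlan 1999`, while the policy references `vlan 2000`, which has no interface at all. Function and regex names are my own.

```python
"""Check ACE-style NAT references in a config text.

Rules checked (assumptions of this example, based on ACE CLI semantics):
  * `nat dynamic <pool> vlan <n>` needs `nat-pool <pool>` under `interface vlan <n>`
  * `nat static <ip> netmask <mask> vlan <n>` needs an `interface vlan <n>` to exist
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's first post (not the real config).
SAMPLE_CONFIG = """\
rserver host SRV01
  ip address 192.168.1.10
  inservice
class-map match-any CM_L4_NAT_TEST
  2 match any
policy-map multi-match PM_L4_NAT_TEST
  class CM_L4_NAT_TEST
    nat dynamic 1 vlan 2000
interface vlan 999
  description SERVER SIDE / INSIDE INTERFACE
  ip address 192.168.1.252 255.255.255.0
  service-policy input PM_L4_NAT_TEST
  no shutdown
interface vlan 1999
  description CLIENT SIDE VLAN
  ip address 192.168.48.28 255.255.255.224
  nat-pool 1 10.10.106.31 10.10.106.31 netmask 255.255.255.255 pat
  no shutdown
"""

IFACE_RE = re.compile(r"^interface vlan (\d+)\s*$")
POOL_RE = re.compile(r"^\s+nat-pool (\d+) ")
POLICY_RE = re.compile(r"^policy-map multi-match (\S+)")
NAT_DYN_RE = re.compile(r"^\s+nat dynamic (\d+) vlan (\d+)")
NAT_STATIC_RE = re.compile(r"^\s+nat static (\S+) netmask (\S+) vlan (\d+)")


def parse(config):
    """Return (vlans, pools, nat_refs): VLAN ids that have an interface,
    {vlan: {pool ids}} and a list of (policy, kind, pool_or_addr, vlan)."""
    vlans = set()
    pools = defaultdict(set)
    nat_refs = []
    current_vlan = None
    current_policy = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level command ends whatever interface/policy block we were in.
            current_vlan = current_policy = None
            m = IFACE_RE.match(line)
            if m:
                current_vlan = int(m.group(1))
                vlans.add(current_vlan)
                continue
            m = POLICY_RE.match(line)
            if m:
                current_policy = m.group(1)
            continue
        if current_vlan is not None:
            m = POOL_RE.match(line)
            if m:
                pools[current_vlan].add(int(m.group(1)))
        elif current_policy is not None:
            m = NAT_DYN_RE.match(line)
            if m:
                nat_refs.append((current_policy, "dynamic", int(m.group(1)), int(m.group(2))))
                continue
            m = NAT_STATIC_RE.match(line)
            if m:
                nat_refs.append((current_policy, "static", m.group(1), int(m.group(3))))
    return vlans, pools, nat_refs


def check_nat_refs(config):
    """Return a list of findings (strings); an empty list means the references are consistent."""
    vlans, pools, nat_refs = parse(config)
    findings = []
    for policy, kind, target, vlan in nat_refs:
        if vlan not in vlans:
            findings.append(f"{policy}: nat {kind} references vlan {vlan}, "
                            f"but no 'interface vlan {vlan}' is configured")
        if kind == "dynamic" and target not in pools.get(vlan, set()):
            defined_on = sorted(v for v, ids in pools.items() if target in ids)
            where = (f"it is defined on vlan {', '.join(map(str, defined_on))}"
                     if defined_on else "it is not defined anywhere")
            findings.append(f"{policy}: nat dynamic {target} vlan {vlan} needs "
                            f"'nat-pool {target}' under 'interface vlan {vlan}'; {where}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_refs(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker reports that VLAN 2000 has no interface and that pool 1 is defined on VLAN 1999, not 2000; changing the policy to `nat dynamic 1 vlan 1999` clears both findings. This does not address why a `match any` class on the server-side VLAN shows no hits, which is the separate question the rest of the thread discusses.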

Thanks for your answer.

As I explained earlier on, the problem I have is that no match statements seem to... "match" the traffic returning to the client from the rservers.

I used :

class-map match-any CM_NAME

2 match any

and even that did not get any hits. (I verified with the show service-policy POLICY_NAME)

Aside from that, my conf is pretty similar to yours.

Regards,

Thibault.

Hi Thibault,


I don't think you want to NAT the returning traffic from your servers with a different IP than the VIP, and that is an action the ACE takes by default when the response comes back from your physical server.


I'm checking my ACE books and can't find any possible config to do such a thing. Not sure how your app works, but most likely, if this were possible, the TCP connection would never complete, as the client would receive a response from a different source than the VIP, which leads it to drop the packet; the exact same thing you see when facing asymmetric routing issues.

If you're looking to NAT server initiated traffic that ACE can do ... for example TFTP/DNS server response.

HTH


Pablo

Hello Pablo,

Thanks for your answer.

It does not make sense to change the source IP for the returning traffic; it's just me playing with the ACE appliance and Wireshark.

To be honest I'm surprised the class-map "match any" does not match the client's returning traffic on the server side interface.

I'd be curious to see how class-map / policy-maps work internally.

Regards,

Thibault.
