11-04-2010 12:06 PM
Hello,
I would like to configure NAT on the returning traffic from the rservers.
So far I've been able to NAT traffic from the client side to the server side OK, but for some reason I am unable to NAT the returning traffic from the reals to the clients.
I want the returning traffic to show a dummy source IP address when sent from the ACE to the client, hence the 10.10.106.31 IP address.
My problem is that even though I've got this "match any" statement in my NAT class map, it does not seem to match anything.
Similarly, I've configured an access-list on the server interface to deny the returning traffic and it did not block anything on vlan 999.
Traffic obviously flows through vlan 999, but I don't know why it does not trigger the class-map statement or even the access-list I've applied before.
It seems the only way to get a hit on either the class map or the access-list is to apply it on the client side or globally.
The configuration I've tried is:
access-list PERMIT_ALL line 10 extended permit ip any any
rserver host SRV01
ip address 192.168.1.10
inservice
rserver host SRV02
ip address 192.168.1.11
inservice
class-map match-any CM_L4_NAT_TEST
2 match any
policy-map multi-match PM_L4_NAT_TEST
class CM_L4_NAT_TEST
nat dynamic 1 vlan 2000
interface vlan 999
description SERVER SIDE / INSIDE INTERFACE
ip address 192.168.1.252 255.255.255.0
alias 192.168.1.254 255.255.255.0
peer ip address 192.168.1.253 255.255.255.0
no icmp-guard
service-policy input PM_L4_NAT_TEST
no shutdown
interface vlan 1999
description CLIENT SIDE VLAN
ip address 192.168.48.28 255.255.255.224
alias 192.168.48.30 255.255.255.224
peer ip address 192.168.48.29 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
access-group output PERMIT_ALL
nat-pool 1 10.10.106.31 10.10.106.31 netmask 255.255.255.255 pat
service-policy input PM_L4_ICMP_POLICY
no shutdown
>> Any idea on how to nat source ip address for returning traffic?
Regards,
Thibault.
11-04-2010 12:39 PM
Here is what I do if I am going to NAT for the RServers...
class-map match-all REAL_31
2 match source-address a.b.c.31 255.255.255.255
class-map match-all REAL_32
2 match source-address a.b.c.32 255.255.255.255
class-map match-all REAL_33
2 match source-address a.b.c.33 255.255.255.255
class-map match-all REAL_34
2 match source-address a.b.c.34 255.255.255.255
class-map match-all REAL_41
2 match source-address a.b.c.41 255.255.255.255
class-map match-all REAL_42
2 match source-address a.b.c.42 255.255.255.255
class-map match-all REAL_43
2 match source-address a.b.c.43 255.255.255.255
class-map match-all REAL_44
2 match source-address a.b.c.44 255.255.255.255
policy-map multi-match src-nat-servers
class REAL_31
nat static a.b.c.131 netmask 255.255.255.255 vlan 311
class REAL_32
nat static a.b.c.132 netmask 255.255.255.255 vlan 311
class REAL_33
nat static a.b.c.133 netmask 255.255.255.255 vlan 311
class REAL_41
nat static a.b.c.141 netmask 255.255.255.255 vlan 311
class REAL_42
nat static a.b.c.142 netmask 255.255.255.255 vlan 311
class REAL_43
nat static a.b.c.143 netmask 255.255.255.255 vlan 311
class REAL_34
nat static a.b.c.134 netmask 255.255.255.255 vlan 311
class REAL_44
nat static a.b.c.144 netmask 255.255.255.255 vlan 311
interface vlan 310
description WEB FE VLAN (RSEVERS ARE ON THIS INTERFACE)
service-policy input src-nat-servers
interface vlan 311
description TO_ASA (VIPS are Mapped here)
Hope this helps
11-04-2010 01:59 PM
Thanks for your answer.
As I explained earlier on, the problem I have is that no match statements seem to.... "match" the traffic returning to the client from the rservers.
I used :
class-map match-any CM_NAME
2 match any
and even that did not get any hits. (I verified with the show service-policy POLICY_NAME)
Aside from that, my conf is pretty similar to yours.
Regards,
Thibault.
11-04-2010 04:29 PM
Hi Thibault,
I don't think you want to NAT the returning traffic from your servers with a different IP other than the VIP,
and that is an action the ACE takes by default when the response comes back from your physical server.
I'm checking my ACE books and can't find any possible config to do such a thing. Not sure how your app
works, but most likely if this were possible the TCP connection would never complete, as the client will receive
a response from a different source than the VIP, which leads to it dropping the packet, the exact same thing you see when facing asymmetric routing issues.
If you're looking to NAT server-initiated traffic, that the ACE can do ... for example TFTP/DNS server responses.
HTH
Pablo
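To illustrate Pablo's point about why a reply sourced from anything other than the VIP is dropped, here is a small constructed model (added here, not code from the thread or from Cisco): a host TCP stack keys its sockets on the remote address, so a SYN-ACK from 10.10.106.31 never matches the socket opened towards the VIP 192.168.48.30. The client address and the NAT model are assumptions for the simulation.

```python
from dataclasses import dataclass

VIP = "192.168.48.30"        # client-facing alias on vlan 1999 from the thread
RSERVER = "192.168.1.10"     # SRV01
DUMMY_SRC = "10.10.106.31"   # nat-pool address the poster wanted replies to carry
CLIENT = "192.168.48.5"      # constructed client address (not from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class TcpClient:
    """Tracks sockets by (local port, remote ip, remote port), as a host stack does."""
    def __init__(self, ip):
        self.ip, self.pending = ip, {}

    def connect(self, vip, port, sport):
        self.pending[(sport, vip, port)] = "SYN_SENT"
        return Packet(self.ip, sport, vip, port, "SYN")

    def receive(self, pkt):
        key = (pkt.dport, pkt.src, pkt.sport)
        if key not in self.pending:
            return "dropped"      # reply from an unexpected source: no matching socket
        self.pending[key] = "ESTABLISHED"
        return "accepted"


class AceModel:
    """Simplified load balancer: DNATs client->VIP to the rserver, un-NATs the reply."""
    def __init__(self, vip, rserver):
        self.rserver, self.flows = rserver, {}

    def forward(self, pkt):
        self.flows[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)   # remember VIP per flow
        return Packet(pkt.src, pkt.sport, self.rserver, pkt.dport, pkt.flags)

    def reply(self, pkt, source_override=None):
        vip, vport = self.flows[(pkt.dst, pkt.dport)]
        return Packet(source_override or vip, vport, pkt.dst, pkt.dport, "SYN-ACK")


def simulate(source_override=None):
    """Returns what the client does with the SYN-ACK; override the source to see the drop."""
    client, ace = TcpClient(CLIENT), AceModel(VIP, RSERVER)
    syn = ace.forward(client.connect(VIP, 80, 40000))
    server_reply = Packet(syn.dst, syn.dport, syn.src, syn.sport, "SYN-ACK")
    return client.receive(ace.reply(server_reply, source_override))
```

simulate() returns "accepted" for the default VIP-sourced reply, while simulate(DUMMY_SRC) returns "dropped", which is the handshake failure Pablo describes.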
11-05-2010 01:39 AM
Hello Pablo,
Thanks for your answer.
It does not make sense to change the source IP for the returning traffic, it's just me playing with the ACE appliance and wireshark.
To be honest I'm surprised the class-map "match any" does not match the client's returning traffic on the server side interface.
I'd be curious to see how class-map / policy-maps work internally.
Regards,
Thibault.