ace module in bridged mode with client nat

f.makarenko (Level 1)

Could someone confirm whether NAT is supported on the ACE-20 module, please?

Let me explain the technical details.

I do need to convert a working CSM (SLB) config to an ACE configuration, and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs, vlan 36 (client) and vlan 436 (server), bridged with interface bvi 36. NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding "policy-map type loadbalance".

Could you check the two parts of the configs and advise me whether the ACE config is properly converted from CSM and will work in the same way (especially for NAT)?

Thank you in advance.

CSM config
=======

vlan 36 client
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
  gateway 10.36.3.1
!
vlan 436 server
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
!
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
!
sticky 30 netmask 255.255.255.255 address source timeout 60
!
probe SHAREPOINT tcp
  interval 30
  failed 120
  open 3
  port 80
!
probe WEBMAIL-443 tcp
  interval 5
  failed 60
  open 2
  port 443
!
serverfarm WEBMAIL-443
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 443
   inservice
  real 10.36.3.102 443
   inservice
  probe WEBMAIL-443
!
serverfarm WEBMAIL-80
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 80
   inservice
  real 10.36.3.102 80
   inservice
  probe SHAREPOINT
!
vserver WEBMAIL-443
  virtual 10.36.3.100 tcp https
  serverfarm WEBMAIL-443
  sticky 60 group 30
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
vserver WEBMAIL-80
  virtual 10.36.3.100 tcp www
  serverfarm WEBMAIL-80
  replicate csrp connection
  persistent rebalance
  inservice

ACE config
=======

probe tcp WEBMAIL-443
  interval 5
  open 2
  passdetect interval 60
  port 443
probe tcp SHAREPOINT
  interval 30
  open 3
  passdetect interval 120
  port 80
serverfarm host WEBMAIL-443
  predictor leastconns
  probe WEBMAIL-443
  rserver 10-36-3-101 443
    inservice
  rserver 10-36-3-102 443
    inservice
serverfarm host WEBMAIL-80
  predictor leastconns
  probe SHAREPOINT
  rserver 10-36-3-101 80
    inservice
  rserver 10-36-3-102 80
    inservice
class-map match-all WEBMAIL-80
  match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
  match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
  serverfarm WEBMAIL-443
  replicate sticky
  timeout 60
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
  class class-default
    sticky-serverfarm 30
    nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
  persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
interface vlan 36
  bridge-group 36
  service-policy input IFVLAN36-POLICY
  mac-sticky enable
  no shutdown
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  no shutdown
interface bvi 36
  ip address 10.36.3.3 255.255.255.0
  peer ip address 10.36.3.4 255.255.255.0
  no shutdown

Accepted Solution

chrhiggi (Level 3)

Hello F.Makarenko-

You will want to use PAT while you do NAT, so change the nat-pool configuration to this:

  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat

You also need to apply the NAT like this:

policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436

If you are going to build out a lot of classes, you can instead do source NAT like this:

policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class class-default
    nat dynamic 1025 vlan 436

Regards,

Chris Higgins
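The two corrections in the accepted answer (the nat-pool needs the pat keyword, and nat dynamic belongs under a class of the multi-match policy on the client VLAN rather than inside the loadbalance policy) are easy to lose again when a config is converted by hand. The script below is an added example, not code from this thread or from Cisco: it parses ACE-style config text by indentation and reports a finding for each of those mistakes, plus a class that load-balances without any source NAT. The two config samples are constructed from the fragments posted in the thread; indentation-based nesting is an assumption that matches how the running config is printed.

```python
"""Lint the source-NAT part of an ACE bridged-mode config (added example)."""
import re
from dataclasses import dataclass, field

NAT_POOL_RE = re.compile(r"^nat-pool\s+(\d+)\s+\S+\s+\S+\s+netmask\s+\S+(\s+pat)?$")
NAT_DYN_RE = re.compile(r"^nat dynamic\s+(\d+)\s+vlan\s+(\d+)")
IF_VLAN_RE = re.compile(r"^interface vlan (\d+)$")


@dataclass
class Node:
    """One config line plus the lines indented beneath it."""
    text: str
    children: list = field(default_factory=list)


def parse_cli(config: str) -> Node:
    """Build a tree from IOS/ACE-style text; deeper indent means child block."""
    root = Node("")
    stack = [(-1, root)]                      # (indent, node) of open blocks
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        node = Node(raw.strip())
        while stack[-1][0] >= indent:         # close blocks at same or deeper indent
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def nat_pools(root: Node) -> dict:
    """Map (vlan, pool id) -> True when the pool carries the pat keyword."""
    pools = {}
    for iface in root.children:
        m = IF_VLAN_RE.match(iface.text)
        if not m:
            continue
        for line in iface.children:
            pm = NAT_POOL_RE.match(line.text)
            if pm:
                pools[(m.group(1), pm.group(1))] = pm.group(2) is not None
    return pools


def lint_source_nat(config: str) -> list:
    """Return findings; an empty list means the NAT placement matches the answer."""
    root = parse_cli(config)
    pools = nat_pools(root)
    findings = []
    for (vlan, pid), has_pat in pools.items():
        if not has_pat:
            findings.append(f"nat-pool {pid} on vlan {vlan} lacks 'pat'")
    for pol in root.children:
        name = pol.text.split()[-1]
        if pol.text.startswith("policy-map type loadbalance"):
            for cls in pol.children:
                for ln in cls.children:
                    if NAT_DYN_RE.match(ln.text):
                        findings.append(f"'{ln.text}' sits under loadbalance policy "
                                        f"{name}; move it to the multi-match policy")
        elif pol.text.startswith("policy-map multi-match"):
            default_nat = any(NAT_DYN_RE.match(ln.text) for cls in pol.children
                              if cls.text == "class class-default" for ln in cls.children)
            for cls in pol.children:
                nat_lines = [ln.text for ln in cls.children if NAT_DYN_RE.match(ln.text)]
                for text in nat_lines:
                    dm = NAT_DYN_RE.match(text)
                    if (dm.group(2), dm.group(1)) not in pools:
                        findings.append(f"'{text}' references pool {dm.group(1)} "
                                        f"not configured on interface vlan {dm.group(2)}")
                has_lb = any(ln.text.startswith("loadbalance policy") for ln in cls.children)
                if has_lb and not nat_lines and not default_nat:
                    findings.append(f"{cls.text} in {name} has no nat dynamic "
                                    "and no class-default NAT")
    return findings


# Constructed sample: the shape posted in the question (NAT inside the
# loadbalance policy, one-address pool without pat).
AS_POSTED = """\
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
interface vlan 36
  bridge-group 36
  service-policy input IFVLAN36-POLICY
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
"""

# Constructed sample: the accepted answer's class-default variant with pat.
CORRECTED = (AS_POSTED
             .replace("    nat dynamic 1025 vlan 436 serverfarm primary\n", "")
             .replace("    loadbalance vip inservice\n",
                      "    loadbalance vip inservice\n  class class-default\n"
                      "    nat dynamic 1025 vlan 436\n")
             .replace("netmask 255.255.255.0\n", "netmask 255.255.255.0 pat\n"))

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint_source_nat(cfg) or "OK")
```

Run it as-is and the posted shape yields three findings (missing pat, NAT under the loadbalance policy, and a class with no source NAT), while the corrected shape yields none; pointing it at a saved running-config is the obvious next step when converting more virtual servers.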


Hello Chris,

Thank you for your suggestion regarding source nat, I will try to implement it.
