03-06-2012 02:01 PM
Hi, I need one server to communicate with the VIP of other servers that are in the same subnet. I know that the solution is through NAT, but at the moment I don’t have success.
Can anyone help me?
rserver host REAL1
  ip address 172.16.20.100
  inservice
rserver host REAL2
  ip address 172.16.20.101
  inservice
rserver host FW_SEC_1
  ip address 172.16.20.102
  inservice
rserver host FW_SEC_2
  ip address 172.16.20.103
  inservice
serverfarm SEC_20_SF
  rserver REAL1
    inservice
  rserver REAL2
    inservice
serverfarm SEC_SF
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
class-map match-any SEC_20_VS
  10 match virtual-address 172.16.10.18 eq https
class-map match-any FW_SEC_VIP
  10 match virtual-address 172.16.10.19 eq http
class-map match-any C-NAT
  10 match source-address 172.16.20.0 255.255.255.0
policy-map multi-match POL_SEC_20
  class SEC_20_VS
    loadbalance vip inservice
    loadbalance policy …
policy-map multi-match POL_SEC_FW
  class FW_SEC_VIP
    loadbalance vip inservice
    loadbalance policy …
policy-map multi-match POL-NAT
  class C-NAT
    nat dynamic 1 vlan 20
interface vlan 10
  ip address 172.16.10.5 255.255.255.0
  alias …
  service-policy input POL_SEC_20
  service-policy input POL_SEC_FW
  no shutdown
interface vlan 20
  ip address 172.16.20.5 255.255.255.0
  alias …
  service-policy input POL-NAT
  nat-pool 1 172.16.10.200 172.16.10.210 netmask 255.255.255.0 pat
  no shutdown
Thank you
03-06-2012 02:40 PM
Hi Green,
You need to add the "POL_SEC_20 and POL_SEC_FW" policies under the interface VLAN 20 as well. Please note that you don't need to remove them from VLAN 10; you just need to add them under VLAN 20 as well, in order to ARP for the VIP addresses through that SVI.
interface vlan 20
  ip address 172.16.20.5 255.255.255.0
  alias …
  service-policy input POL-NAT
  service-policy input POL_SEC_20
  service-policy input POL_SEC_FW
  nat-pool 1 172.16.10.200 172.16.10.210 netmask 255.255.255.0 pat
  no shutdown
HTH
Pablo
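The check behind the answer above, as an added example that is not part of the original thread: a small Python audit that lists, for each VLAN interface, the VIPs whose service-policy is applied there. The function name `vips_per_interface` and the parsing rules are assumptions and cover only the statement types shown in this thread; the sample configuration is constructed from the posts above.

```python
import re
from collections import defaultdict

TOP_LEVEL = {"class-map", "policy-map", "interface", "rserver", "serverfarm"}

def vips_per_interface(config):
    """Map each interface to the VIPs whose service-policy is applied on it."""
    class_vips = defaultdict(set)      # class-map name  -> VIP addresses
    policy_classes = defaultdict(set)  # policy-map name -> class names
    iface_policies = {}                # interface name  -> policy-map names
    kind = name = None
    for words in filter(None, (l.split() for l in config.splitlines())):
        line = " ".join(words)
        if words[0] in TOP_LEVEL:      # new block; its name is the last token
            kind, name = words[0], words[-1]
            if kind == "interface":
                name = " ".join(words[1:])
                iface_policies.setdefault(name, [])
        elif kind == "class-map" and (m := re.search(r"match virtual-address (\S+)", line)):
            class_vips[name].add(m.group(1))
        elif kind == "policy-map" and words[0] == "class":
            policy_classes[name].add(words[1])
        elif kind == "interface" and words[:2] == ["service-policy", "input"]:
            iface_policies[name].append(words[2])
    return {i: sorted({v for p in pols for c in policy_classes[p] for v in class_vips[c]})
            for i, pols in iface_policies.items()}

# Constructed sample: the thread's configuration, trimmed to the relevant lines.
BASE = """\
class-map match-any SEC_20_VS
  10 match virtual-address 172.16.10.18 eq https
class-map match-any FW_SEC_VIP
  10 match virtual-address 172.16.10.19 eq http
policy-map multi-match POL_SEC_20
  class SEC_20_VS
policy-map multi-match POL_SEC_FW
  class FW_SEC_VIP
policy-map multi-match POL-NAT
  class C-NAT
interface vlan 10
  service-policy input POL_SEC_20
  service-policy input POL_SEC_FW
interface vlan 20
  service-policy input POL-NAT
"""
# Same configuration with the two VIP policies added under vlan 20 (the fix).
FIXED = BASE + "  service-policy input POL_SEC_20\n  service-policy input POL_SEC_FW\n"

if __name__ == "__main__":
    print(vips_per_interface(BASE)["vlan 20"], vips_per_interface(FIXED)["vlan 20"])
```

With the original configuration the list for vlan 20 is empty, which matches the symptom in the question; after the change both VIPs appear on vlan 10 and vlan 20.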
03-07-2012 02:10 AM
Hi Pablo,
Perfect, it’s all functioning.
Thanks for the help.
Regards