ACE Platform: dynamic NAT in bridge mode

dinoantonucci
Level 1

Hi,

I'm working with the ACE10-6500-K9 platform (Version A2(3.0)) and the customer needs to balance an SMTP application server....

The request is not so easy: the ACE load balancer is working in bridge mode, and if an rserver creates a new SMTP connection (as a client) to the external network, it doesn't use the rserver IP address but the VIP IP address that we are using for load balancing the SMTP multi-match policy.

I attach a network layout/diagram flow and the ACE configuration to explain my request better.

Following the Cisco documentation, I used dynamic NAT for this type of configuration:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/nat.html#wp1087493

1. Is it possible to use a dynamic NAT configuration in a bridge mode environment?

2. Searching the Cisco support community, someone says that the request could be solved with a DSR (direct server return) solution. What do you think?

The issue is that I cannot see the xlate transaction and the SMTP server exposes its IP address (rserver IP address).

In the txt file there is the typical output that I use for troubleshooting the problem (show xlate and show service-policy).

Regards

Dino

8 Replies

gaursin2
Level 1

I just checked your config and diagram; one thing I found suspicious is the nat-pool configured on the wrong VLAN. It should be configured on VLAN 160 rather than VLAN 161. You have configured the NAT statement correctly, but the pool is created on the wrong interface.

Also attach a "show conn" output with detail for a server-initiated connection for further troubleshooting.

Thank you for the response,

I modified the configuration as you suggested, but nothing changed.

I share the modified configuration and show conn.

Bye.

Dino

Can you confirm again from your configuration that the "nat-pool 199 10.161.1.199 10.161.1.199 netmask 255.255.0.0 pat" command is under vlan 160?

It's not very clear from your updated configuration.

Hi,

I confirm it.

What do you mean?

Regards.

Dino

Hi Dino,

How does the traffic reach your ACE? I mean, does it have to pass through VLAN 161 first (acting like the client VLAN) or via VLAN 160?

Where is the traffic supposed to start? From the servers to the VIP to go back to the servers? Starting from the servers to go to the cloud? Coming from the cloud to go to the servers? Based on what you are looking for is how NAT should be configured and, more important, where it should be configured.

Jorge

Hi Jorge,

As described in the sequence number process, I'm working on the outside flow: SMTP server to cloud for sending notification mail.

So the customer requirement is to NAT the rserver with the VIP address when the SMTP server sends an email to an internet client!

In summary there are two different types of flow:

1. Load balancing SMTP services: internet client to SMTP VIP (we have no problem)!

2. SMTP server (like a client) sends an email notification to an internet client. In this case the outside server request must be NATed with the VIP address (here there is the issue)!

Regards

Dino

Hi Dino,

From the connection table, and from your topology also, we can see the server-initiated connection comes in via vlan 161 and goes out via 160. Also your NAT policy says "nat dynamic 199 vlan 160"; that's why I asked for applying the nat-pool statement "nat-pool 199 10.161.1.199 10.161.1.199 netmask 255.255.0.0 pat" on vlan 160 rather than 161.

You have said that this has been done and added the modified configuration, but I still couldn't see it there. That's why I asked for your confirmation whether the same has been done or not.

Also attach one more output for the desired show service-policy detail.

Jorge Bejarano
Level 4

Here you have a sample of server initiation:

class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www

=====================================

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 10 vlan 251

=====================================

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

=====================================

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

=====================================

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

=====================================

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  nat-pool 10 172.16.51.10 172.16.51.10 netmask 255.255.255.0 pat
  no shutdown

=====================================

interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

Jorge
