05-18-2012 01:10 AM
Hi,
I'm working with the ACE10-6500-K9 platform (Version A2(3.0)) and the customer needs to balance an SMTP application server.
The request is not so easy: the ACE load balancers are working in bridge mode, and if an rserver creates a new SMTP connection (as a client) to an external network, it doesn't use the rserver IP address but the VIP IP address that we are using for the load-balancing SMTP multi-match policy.
I attach a network layout / flow diagram and the ACE configuration to better explain my request.
According to the Cisco documentation, I used dynamic NAT for this type of configuration:
1. Is it possible to use a dynamic NAT configuration in a bridge mode environment?
2. Searching in the Cisco support community, someone says that the request could be solved with a DSR (direct server return) solution. What do you think?
The issue is that I cannot see the xlate transaction and the SMTP server exposes its IP address (rserver IP address).
In the txt file there is typical output that I use for troubleshooting the problem (show xlate and show service policy).
Regards
Dino
05-20-2012 12:01 AM
Just checked your config and diagram. One thing I found suspect is the nat-pool configured on the wrong VLAN. It should be configured on VLAN 160 rather than VLAN 161. You have configured the NAT statement correctly, but the pool is created on the wrong interface.
Also attach a "show conn" output with detail for a server-initiated connection for further troubleshooting.
05-20-2012 09:13 AM
05-20-2012 05:45 PM
Can you again confirm from your configuration that the "nat-pool 199 10.161.1.199 10.161.1.199 netmask 255.255.0.0 pat" command is under VLAN 160? It's not very clear from your updated configuration.
05-21-2012 05:23 AM
Hi,
I confirm it.
What do you mean?
Regards.
Dino
05-21-2012 05:56 PM
Hi Dino,
How does the traffic reach your ACE? I mean, does it have to pass through VLAN 161 first (acting like the client VLAN) or via VLAN 160?
Where is the traffic supposed to start? From the servers to the VIP to go back to the servers? Starting from the servers to go to the cloud? Coming from the cloud to go to the servers? What you are looking for determines how NAT should be configured and, more importantly, where it should be configured.
Jorge
05-22-2012 12:43 AM
Hi Jorge,
As described in the sequence-number process, I'm working on the outside flow: SMTP server to cloud for sending notification mail.
So the customer requirement is to NAT the rserver with the VIP address when the SMTP server sends an email to an internet client!
In summary there are two different types of flow:
1. Load balancing SMTP services: internet client to SMTP VIP (we have no problem)!
2. SMTP server (like a client) sends an email notification to an internet client. In this case the outside server request must be NATed with the VIP address (here is the issue)!
Regards
Dino
05-22-2012 01:30 AM
Hi Dino,
From the connection table and from your topology also, we can see the server-initiated connection comes in via VLAN 161 and goes out via VLAN 160. Also, your NAT policy says "nat dynamic 199 vlan 160"; that's why I asked for the nat-pool statement "nat-pool 199 10.161.1.199 10.161.1.199 netmask 255.255.0.0 pat" to be applied on VLAN 160 rather than 161.
You have said that this has been done and added the modified configuration, but I still couldn't see it there. That's why I ask for your confirmation whether this has been done or not.
Also attach one more output for the desired show service-policy detail.
05-23-2012 05:18 PM
Here you have a sample of server initiation:
class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
=====================================
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 10 vlan 251
=====================================
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
=====================================
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
=====================================
rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice
=====================================
interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  nat-pool 10 172.16.51.10 172.16.51.10 netmask 255.255.255.0 pat
  no shutdown
=====================================
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown
Jorge
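Added example (not part of any post in this thread, and not Cisco tooling): a small Python check for the point raised in the replies, that the pool named by "nat dynamic <id> vlan <n>" must be defined with "nat-pool <id>" under interface vlan <n>. The function name check_nat_pools and the SMTP_POLICY / SMTP_SERVERS names in the second sample are hypothetical; the pool ids, VLANs and addresses are taken from the thread.

```python
import re

# Top-level ACE stanzas; any other line is a sub-command of the current stanza.
TOP = ("class-map", "policy-map", "serverfarm host", "rserver host", "interface vlan")

def check_nat_pools(config):
    """Return [(policy, pool_id, egress_vlan, vlans_where_pool_exists)] for every
    'nat dynamic' whose pool is not defined on the egress VLAN interface."""
    pools, refs = {}, []          # pools: vlan -> {pool ids}; refs: nat dynamic lines
    policy = vlan = None
    for raw in config.splitlines():
        line = raw.strip()        # indentation is often lost in pasted configs
        if line.startswith(TOP):
            policy = vlan = None
            if m := re.match(r"policy-map multi-match (\S+)", line):
                policy = m.group(1)
            elif m := re.match(r"interface vlan (\d+)", line):
                vlan = int(m.group(1))
                pools.setdefault(vlan, set())
        elif vlan is not None and (m := re.match(r"nat-pool (\d+)\s", line)):
            pools[vlan].add(int(m.group(1)))
        elif policy and (m := re.match(r"nat dynamic (\d+) vlan (\d+)", line)):
            refs.append((policy, int(m.group(1)), int(m.group(2))))
    return [(pol, pid, egress, sorted(v for v, ids in pools.items() if pid in ids))
            for pol, pid, egress in refs if pid not in pools.get(egress, set())]

# Condensed from the sample above: pool 10 is defined on vlan 251, the egress VLAN.
GOOD = """\
policy-map multi-match CLIENT_VIPS
class REAL_SERVERS
nat dynamic 10 vlan 251
interface vlan 251
service-policy input CLIENT_VIPS
nat-pool 10 172.16.51.10 172.16.51.10 netmask 255.255.255.0 pat
interface vlan 451
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
"""

# Constructed to mirror the case discussed in the thread: the NAT statement points
# at vlan 160 but pool 199 sits on vlan 161. Policy and class names are hypothetical.
BAD = """\
policy-map multi-match SMTP_POLICY
  class SMTP_SERVERS
    nat dynamic 199 vlan 160
interface vlan 160
  service-policy input SMTP_POLICY
interface vlan 161
  service-policy input SMTP_POLICY
  nat-pool 199 10.161.1.199 10.161.1.199 netmask 255.255.0.0 pat
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_nat_pools(cfg) or "ok")
```

An empty result means every dynamic NAT reference resolves to a pool on its egress VLAN; each tuple otherwise names the policy, the pool id, the expected VLAN and the VLANs where that pool id was actually found.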