ACE: Problem with real servers on different networks not directly connected to the ACE

Hello, I have a problem with the ACE. I am configuring this scenario with two real servers on different networks, rsrv1 (10.1.1.10) and rsrv2 (11.1.1.11). I have configured static routes in the ACE, and I have created SVI 10 and SVI 20 on the core switch. I have also configured source NAT, but my configuration does not work. Any idea for a solution?

Also, SVI 1 currently exists with network 10.1.1.1; the default gateway of rsrv1 is 10.1.1.1, and rsrv2 relies on routing.

The configuration:

access-list nat_access line 8 extended permit ip host 10.1.1.10 host 192.168.1.20
access-list nat_access line 16 extended permit ip host 11.1.1.11 host 192.168.1.20
access-list someone line 8 extended permit ip any any
access-list someone line 16 extended permit icmp any any

rserver host rsrv1
  ip address 10.1.1.10
  inservice
rserver host rsrv2
  ip address 11.1.1.11
  inservice

serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice

class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  2 match virtual-address 192.168.1.10 any
class-map match-any nat_class
  2 match access-list nat_access

policy-map type management first-match mgmt
  class MGMT
    permit

policy-map type loadbalance first-match server-balance
  class class-default
    serverfarm farm-demo

policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy server-balance
    loadbalance vip icmp-reply active
policy-map multi-match nat_policy
  class nat_class
    nat dynamic 1 vlan 10

interface vlan 20
  description side-server
  ip address 172.16.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  service-policy input mgmt
  service-policy input nat_policy
  service-policy input client-side
  no shutdown
interface vlan 10
  description side-client
  ip address 192.168.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  nat-pool 1 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
  service-policy input mgmt
  service-policy input client-side
  no shutdown

ip route 10.1.1.10 255.255.255.255 172.16.1.100 (SVI Core)

ip route 11.1.1.11 255.255.255.255 172.16.1.100 (SVI Core)

ip route 0.0.0.0 0.0.0.0 192.168.1.100 (SVI Core)

The proof:

ace-demo/C1# sh conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
5009       1  in  TCP   10   10.1.1.200:6244      192.168.1.10:22       SYNSEEN
5010       1  out TCP   20   10.1.1.10:22          10.1.1.200:6244  INIT
ace-demo/C1# sh xlate
ace-demo/C1#
ace-demo/C1# ping 10.1.1.10
Pinging 10.1.1.10 with timeout = 2, count = 5, size = 100 ....

Response from 10.1.1.10 :  seq 1 time 1.034 ms
Response from 10.1.1.10 :  seq 2 time 0.000 ms
Response from 10.1.1.10 :  seq 3 time 1.467 ms
Response from 10.1.1.10 :  seq 4 time 0.705 ms
Response from 10.1.1.10 :  seq 5 time 0.000 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1# ping 11.1.1.11
Pinging 11.1.1.11 with timeout = 2, count = 5, size = 100 ....

Response from 11.1.1.11 :  seq 1 time 0.728 ms
Response from 11.1.1.11 :  seq 2 time 1.247 ms
Response from 11.1.1.11 :  seq 3 time 1.828 ms
Response from 11.1.1.11 :  seq 4 time 1.942 ms
Response from 11.1.1.11 :  seq 5 time 2.001 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1#
ace-demo/C1# sh serverfarm farm-demo
serverfarm     : farm-demo, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: rsrv1
       10.1.1.10:0       8      OPERATIONAL  0          73         1082
   rserver: rsrv2
       11.1.1.11:0      8      OPERATIONAL  0          69         1084

1 Accepted Solution

pablo.nxh (Level 3)

Hi Alvaro,

Key word seems to be NAT; at the moment you have a server VLAN and a client VLAN configured, so you're in a routed mode scenario; commonly you won't need NAT for routed mode just because rservers "should" be L2 adjacent to the ACE so asymmetric routing isn't possible, but in your case your rservers are sitting on different networks than 172.16.1.X/24, so NAT is now a requirement, but it has to be configured with a pool from the server VLAN because that's the network your rservers are supposed to have a route for. The NAT that is in place won't work because your servers will use their default gateway to reach 192.168.1.X; the core switch will then do inter-VLAN routing to move traffic from VLAN 20 to 10 and back to the ACE, and the ACE will end up seeing server return traffic from the same interface it received the initial client traffic on.

Try something like this

interface vlan 20
  description side-server
  ip address 172.16.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  service-policy input mgmt
  service-policy input nat_policy <---- This needs to be removed.
  service-policy input client-side <---- Unless you need to hit the VIP from the servers this can be removed as well.
  nat-pool 20 172.16.1.20 172.16.1.20 netmask 255.255.255.0 pat  <---- Use any available IP from 172.16.1.X/24
  no shutdown

policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy server-balance
    loadbalance vip icmp-reply active
    nat dynamic 20 vlan 20  <--- This needs to be added.

* Not sure if you really need the multi-match "nat_policy" but if it was configured for this scenario you can safely delete it.

HTH

Pablo

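As an added illustration (not from Pablo's post and not ACE code), here is a small Python model of the topology in this thread that traces where a real server's reply re-enters the ACE depending on which address the server answers to: the client's real address, a NAT address from the client VLAN (the original nat-pool 1), or one from the server VLAN (Pablo's nat-pool 20). The core switch routing table and the /24 mask on rsrv2's 11.1.1.0 subnet are assumptions.

```python
import ipaddress

# Constructed model of the topology in this thread (an illustration, not ACE
# behaviour): the core switch routes between VLAN 10 (client side, SVI
# 192.168.1.100) and VLAN 20 (server side, SVI 172.16.1.100), and each real
# server reaches everything off-subnet through a core SVI as its gateway.
CORE_ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "vlan10",
    ipaddress.ip_network("172.16.1.0/24"): "vlan20",
    ipaddress.ip_network("10.1.1.0/24"): "svi1",    # rsrv1's subnet, gw 10.1.1.1
    ipaddress.ip_network("11.1.1.0/24"): "svi11",   # rsrv2's subnet (mask assumed)
}
# ACE VLAN interfaces from the posted config. A nat-pool address is answered
# for by the ACE on the VLAN where that pool is configured.
ACE_IFACES = {
    "vlan10": ipaddress.ip_network("192.168.1.0/24"),
    "vlan20": ipaddress.ip_network("172.16.1.0/24"),
}

def core_egress(dst):
    """Longest-prefix match against the core switch's routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in CORE_ROUTES.items() if dst in net]
    return max(matches)[1] if matches else None

def ace_vlan_for_return(server_ip, client_addr_seen_by_server):
    """Return the ACE interface on which the server's reply arrives, or None
    if the reply never comes back to the ACE at all."""
    server = ipaddress.ip_address(server_ip)
    # An L2-adjacent rserver has the ACE as its gateway: reply stays on that VLAN.
    for vlan, net in ACE_IFACES.items():
        if server in net:
            return vlan
    # Otherwise the reply goes to the core, which delivers it onto whichever
    # VLAN the destination address lives in (inter-VLAN routing, as Pablo says).
    egress = core_egress(client_addr_seen_by_server)
    return egress if egress in ACE_IFACES else None

def nat_is_symmetric(server_ip, nat_source, server_side_vlan="vlan20"):
    """True when the reply re-enters the ACE on the VLAN the request left on."""
    return ace_vlan_for_return(server_ip, nat_source) == server_side_vlan

if __name__ == "__main__":
    # Original pool on vlan 10 vs Pablo's pool on vlan 20, for the two rservers.
    for rs, nat in [("10.1.1.10", "192.168.1.20"), ("10.1.1.10", "172.16.1.20"),
                    ("11.1.1.11", "172.16.1.20")]:
        print(rs, "->", nat, "reply on", ace_vlan_for_return(rs, nat),
              "symmetric" if nat_is_symmetric(rs, nat) else "ASYMMETRIC")
```

With no NAT the reply to client 10.1.1.200 from the `sh conn` output never reaches the ACE (the server is on the same subnet), which is why the connection stays in SYNSEEN/INIT.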

2 Replies

Pablo, I configured it the way you told me and it works!!

Thank you

Alvaro
