ACE: (r)server access to own VIP = NAT?

Roble Mumin
Level 3

We are currently in a scenario where a server (located on the server side) needs to access the VIP on the client side network. The VIP load balances to adjacent LDAP rservers, and the server in question needs to access this load-balanced service. Is it correct that I need to NAT (SNAT) the traffic from the accessing server to a dedicated IP in the client side VLAN?

I made a quick drawing which hopefully explains my question better.

Thanks for reading

Roble


Gilles Dufour
Cisco Employee

Roble,

happy new year.

Your assumption is correct.  You need snat for servers to access the vip.

But the NAT address can be anything. It does not have to be from the client side. The easiest solution is to use an IP address from the server subnet so that the servers can simply access it with an ARP request.

Gilles.

Hey Gilles and happy new year,

I am not really sure if I understood it correctly regarding the above scenario. Would the following config snippet make sure that traffic originating from 192.168.10.0/24 gets translated to 10.20.30.230 when accessing any resource within 10.20.30.0/24?

Is it correct that the nat pool defined in vlan 10 could be anything, e.g. (nat-pool 69 1.2.3.4 1.2.3.4 netmask 255.255.255.0 pat), as long as that address does not need to be routed?

Thanks for reading

Roble

---

access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
!
class-map match-any NAT_CLASS
match access-list NAT-Definition
!
policy-map multi-match NAT-Policy
class NAT_CLASS
  nat dynamic 69 vlan 10
!
policy-map multi-match LB-POLICY
class foo
[...]
class foobar
[...]
!
interface vlan 192
description Server_Side_VLAN
ip address 192.168.10.254 255.255.255.0
service-policy input NAT-Policy
no shut
!
interface vlan 10
description Client_Side_VLAN
ip address 10.20.30.254 255.255.255.0
nat-pool 69 10.20.30.230 10.20.30.230 netmask 255.255.255.0 pat
service-policy input LB-POLICY
no shut

Roble,

if the destination IP address is a VIP, the outgoing interface is not vlan 10 (where the VIP address belongs) but vlan 192, where the rservers are located.

So, you will need a nat-pool in the rserver vlan 192 and modify your nat dynamic command to point at this nat-pool.

Gilles.

Hi Gilles,

I think I get it now. Because the NAT'ed IP stays local to the ACE, it can be anything, and the initial issue is with the returning traffic from the real server not flowing back through the ACE but being sent directly to the requesting host.

Is that and the according config snippet correct?

access-list NAT-Definition line 10 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
!
class-map match-any NAT_CLASS
match access-list NAT-Definition
!
policy-map multi-match NAT-Policy
description NAT-Policy
class NAT_CLASS
  nat dynamic 1 vlan 192
!
interface vlan 192
description Server Side VLAN
ip address 192.168.10.254 255.255.255.0
nat-pool 1 172.16.32.1 172.16.32.1 netmask 255.255.255.0 pat
service-policy input NAT-Policy
no shut

Roble

Your understanding is correct.

You need to avoid the rserver responding directly to the client sitting on the same subnet (the client would not accept the answer, since it is expecting a response from the VIP = ACE).

The config looks good.

Gilles.
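The return-path problem Gilles describes (an rserver answering a same-subnet client directly, so the client sees a reply from the rserver instead of from the VIP) can be shown with a small model. The following is an added example, not code from this thread or from Cisco: it reuses the thread's addressing (vlan 10 = 10.20.30.0/24, vlan 192 = 192.168.10.0/24, ACE at 192.168.10.254, nat-pool 172.16.32.1), while the VIP, the rserver addresses, the requesting server address and the assumption that the rservers' default gateway is the ACE are constructed for the example. It runs the flow three ways: without SNAT, with the nat-pool from the working config (off-subnet, reached via the rservers' default gateway), and with a nat-pool address taken from the server subnet (Gilles's "ARP" option), which goes slightly beyond the thread's final config.

```python
"""Toy model of why server-to-VIP traffic through a Cisco ACE needs source NAT.

Added example for the thread above; topology names and helper functions are
this example's own assumptions, not ACE commands or Cisco code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Topology from the thread (vlan 10 = client side, vlan 192 = server side).
CLIENT_VLAN = ip_network("10.20.30.0/24")
SERVER_VLAN = ip_network("192.168.10.0/24")
ACE_VLAN192 = ip_address("192.168.10.254")      # ACE interface; assumed rserver default gateway
VIP = ip_address("10.20.30.100")                # constructed: the thread never states the VIP
RSERVERS = (ip_address("192.168.10.11"), ip_address("192.168.10.12"))  # constructed LDAP farm
REQUESTING_SERVER = ip_address("192.168.10.20") # constructed: the server that must reach the VIP
NAT_POOL_VLAN192 = ip_address("172.16.32.1")    # nat-pool 1 from the working config in the thread


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


# Translation table the ACE keeps per flow: NAT address -> original client address.
_xlate: Dict[IPv4Address, IPv4Address] = {}


def pick_rserver(client: IPv4Address) -> IPv4Address:
    """Toy load-balancing predictor: spread clients over the farm by address."""
    return RSERVERS[int(client) % len(RSERVERS)]


def ace_forward(pkt: Packet, snat_ip: Optional[IPv4Address]) -> Packet:
    """ACE receives a packet for the VIP and hands it to an rserver on vlan 192.

    With snat_ip set, the source is rewritten and the mapping is remembered so
    the reply can be translated back; without it the rserver sees the real client.
    """
    if pkt.dst != VIP:
        raise ValueError("not VIP traffic")
    rserver = pick_rserver(pkt.src)
    if snat_ip is None:
        return Packet(src=pkt.src, dst=rserver)
    _xlate[snat_ip] = pkt.src
    return Packet(src=snat_ip, dst=rserver)


def rserver_reply(request: Packet) -> Packet:
    """The rserver answers whoever it saw as the source of the request."""
    return Packet(src=request.dst, dst=request.src)


def rserver_next_hop(reply: Packet) -> IPv4Address:
    """Same-subnet destinations are ARPed for directly; anything else goes to the gateway."""
    return reply.dst if reply.dst in SERVER_VLAN else ACE_VLAN192


def ace_owns(addr: IPv4Address) -> bool:
    """The ACE answers for its interface address and for every nat-pool address in use."""
    return addr == ACE_VLAN192 or addr in _xlate


def ace_untranslate(reply: Packet) -> Packet:
    """Reverse the SNAT and restore the VIP as the source the client expects."""
    return Packet(src=VIP, dst=_xlate[reply.dst])


def run_flow(snat_ip: Optional[IPv4Address]) -> Tuple[bool, Packet]:
    """Run one request/reply; return (client accepts reply?, reply as the client sees it)."""
    _xlate.clear()
    request = Packet(src=REQUESTING_SERVER, dst=VIP)
    to_rserver = ace_forward(request, snat_ip)
    reply = rserver_reply(to_rserver)
    # Only traffic that lands on an ACE-owned address gets its NAT reversed.
    if ace_owns(rserver_next_hop(reply)):
        reply = ace_untranslate(reply)
    # The client accepts a reply only from the address it sent to (the VIP).
    accepted = reply.src == VIP and reply.dst == REQUESTING_SERVER
    return accepted, reply


if __name__ == "__main__":
    for label, pool in (("no SNAT", None),
                        ("nat-pool 172.16.32.1 (via gateway)", NAT_POOL_VLAN192),
                        ("nat-pool from server subnet (via ARP)", ip_address("192.168.10.230"))):
        ok, seen = run_flow(pool)
        print(f"{label:40s} client sees {seen.src} -> {seen.dst}: {'accepted' if ok else 'rejected'}")
```

Without SNAT the reply arrives straight from 192.168.10.11, so the requesting server drops it; with either nat-pool choice the reply is forced back through the ACE (via the gateway for an off-subnet address, via ARP for an on-subnet one), which rewrites the source to the VIP before delivering it.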

Hey Gilles,

thanks again for the clarification. The configuration worked out, problem solved!

Roble
