ACE : Source NAT

AJAZ NAWAZ · ‎07-20-2011

Does the IP pool used for server side srcNAT need to be configured in the way of an SVI on the ACE?.

thank you

Patrick Colbeck · ‎07-20-2011

If by SVI you mean the sever side vlan interface then yes. Siomething like this:

interface vlan 200

description "Real Server Interface"

ip address 10.1.1.2 255.255.255.0

nat-pool 10 10.1.11 10.1.1.20 netmask 255.255.255.0 pat

no shutdown

Then on the VIP interface you need a client policy that tells the ACE to use this for source NAT

interface vlan 100

description "VIP Interface"

ip address 10.0.0.2 255.255.255.0

access-group input VIPs

service-policy input Client-Policy

no shutdown

policy-map multi-match Client-Policy

class WebServer

loadbalance vip inservice

loadbalance policy WebServer-l7slb

nat dynamic 10 vlan 200

Regards

Pat

AJAZ NAWAZ · ‎07-20-2011

The NAT pool being used is outside of the VIP range. Its a separate subnet on its own vlan. The question is does this pool need to exist on an SVI if it is not in the VIP range?

thanks

Patrick Colbeck · ‎07-20-2011

Yes you can use a NAT pool that is an address range where the ACE does not have an interface in that range. For example:

interface vlan 200

description "Real Server Interface"

ip address 10.1.1.2 255.255.255.0

nat-pool 10 172.16.1.11 172.16.1.20 netmask 255.255.255.0 pat

no shutdown

The issue you have then is routing on the rest of the newtork. The point of SNAT on an ACE is to drag the reply traffic from teh real servers back through the ACE. You would need to make sure that the rest of the newtork had it's routing setup so that the IP range you used for the NAT pool was routed via the real server interface on the ACE.