

ACE Source NAT

Trying to implement Source NAT for VLAN 400 (subnet 10.1.4.x/24), which contains both the servers and the VIPs.

Servers - Default gateway is the VLAN 400 interface on the 6500 (which populates the ACE module inside) and not the VLAN 400 interface on the ACE module (tried using the ACE interface, but it doesn't work).

ACL - Configured for Server to VIP Connectivity

Class Map - Configured to match ACL

Policy Map

Matching class map and NAT dynamic statement

Service policy for the above configured policy map.

NAT pool <ip similar to the 10.1.4.x subnet> on the VLAN interface.

Test Results:-

With a connection attempted from the server to the VIP, I could see the connection coming in for the VIP from the server, but I don't see a connection going out. I am sure the server is trying to return the packet to the VIP, searching for it locally rather than reaching the ACE. Am I missing something here?

Cisco Employee

Re: ACE Source NAT

Could you please send the config? Remember that the nat-pool has to reside on the outgoing IF of the ACE (if you have 2 IFs on the ACE). Not sure about which topology you're talking about.


Cisco Employee

Re: ACE Source NAT

Send us the config and a sniffer trace.

Also get a 'show conn detail' and 'show service-policy detail' just after opening a connection from the server.



Re: ACE Source NAT

sh conn output


ACE1/Admin# sh conn | include

438 2 in TCP 400 SYNSEEN


The above output clearly shows the ACK packet is not sent back to the ACE. Will get back with more info soon.

Config enclosed.

Cisco Employee

Re: ACE Source NAT

I do not think your natting works.

The nat-pool on VLAN 400, which is the server VLAN, has nat-pool id 40, not 100 as you have configured in the NAT policy.

policy-map multi-match nat

class nat

nat dynamic 1 vlan 700

nat dynamic 100 vlan 400 <===

nat dynamic 300 vlan 300



Re: ACE Source NAT

Sorry, gave you the old config. I had made so many changes to the config for testing that I gave you the wrong one.

This is the latest.

Cisco Employee

Re: ACE Source NAT


Did you verify that NATing was working?

Maybe get a sniffer trace.



Re: ACE Source NAT

With this config, it didn't work. I am going to change the gateway of the servers directly to the ACE interface rather than the VLAN interface on the MSFC to get more control over the return traffic. Hopefully it will help me capture packets at a granular level, compared to packets captured at the MSFC for the entire VLAN that spans the ACE and other CSS boxes.

Thanks for your help Giles. I will definitely come back with more results and queries..

