07-05-2010 11:48 AM
We have an ACE-20 module for the 6500.

Our organization has an FTP server farm with a VIP set up on the ACE for incoming connections within a DMZ in order to load balance across multiple FTP servers. This is working just fine. However, for outgoing connections in the DMZ, we would like the outgoing NAT IP address to be the same as the VIP IP address. This is so that we can give a single IP address to vendors for opening up firewall ports.

Does the ACE-20 module for the 6500 support configuring the environment to allow any outgoing connections from the FTP servers to utilize the same NAT IP address as the VIP? Would this cause load balancing across the servers to stop working in any form?

Thanks.... JW
07-06-2010 02:50 AM
Hi James,
Firstly, you'd need to configure an outbound PAT statement (not a NAT), and this can co-exist with an inbound VIP configuration. Secondly, I'd recommend two interfaces for simplicity.
To configure both of these features would require two service-policies being configured. The service-policy being applied to the customer facing interface would require the VIP service-policy and the server facing service-policy would have the PAT configuration.
For example:

access-list OUTSIDE_ACL line 10 extended permit ip any any
access-list INSIDE_ACL line 10 extended permit ip any any
access-list INSIDE-HOSTS-PAT_ACL line 10 extended permit ip host 10.20.7.1 any
access-list INSIDE-HOSTS-PAT_ACL line 20 extended permit ip host 10.20.7.2 any

probe ftp FTP-PROBE
  interval 2
  expect status 220 220

rserver host 10-20-7-1
  ip address 10.20.7.1
  inservice
rserver host 10-20-7-2
  ip address 10.20.7.2
  inservice

serverfarm host FTP-21-SF
  probe FTP-PROBE
  rserver 10-20-7-1
    inservice
  rserver 10-20-7-2
    inservice

sticky ip-netmask 255.255.255.255 address source 40
  timeout 60
  replicate sticky
  serverfarm FTP-21-SF

class-map match-all FTP-21-CM
  2 match virtual-address 10.20.6.200 tcp eq ftp
class-map match-any INSIDE-HOSTS-PAT-cm
  2 match access-list INSIDE-HOSTS-PAT_ACL

policy-map type loadbalance first-match FTP-21-PM
  class class-default
    sticky-serverfarm 40

policy-map multi-match OUTSIDE-INTERFACE-POLICY
  class FTP-21-CM
    loadbalance vip inservice
    loadbalance policy FTP-21-PM
    loadbalance vip icmp-reply active
    inspect ftp

policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100

interface vlan 100
  description Customer Facing Interface
  ip address 10.20.6.2 255.255.255.0
  alias 10.20.6.1 255.255.255.0
  peer ip address 10.20.6.3 255.255.255.0
  access-group input OUTSIDE_ACL
  nat-pool 1 10.20.6.200 10.20.6.200 netmask 255.255.255.255 pat
  service-policy input OUTSIDE-INTERFACE-POLICY
  no shutdown

interface vlan 101
  description Server Facing Interface (ACE addresses kept off the rserver IPs 10.20.7.1 and 10.20.7.2)
  ip address 10.20.7.253 255.255.255.0
  alias 10.20.7.254 255.255.255.0
  peer ip address 10.20.7.252 255.255.255.0
  access-group input INSIDE_ACL
  service-policy input INSIDE-INTERFACE-POLICY
  no shutdown
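As an added example (not part of the reply above and not a Cisco tool), the script below parses the subset of ACE CLI used in that configuration and checks the properties the question hinges on: that the outbound `nat-pool` is a single address marked `pat` and that the address is also a configured VIP, that every `nat dynamic` reference has a matching pool on the named VLAN, that every rserver is matched by the ACL feeding the PAT class (otherwise some servers would leave with a different source address), and that no rserver address collides with an ACE interface, alias or peer address. The embedded configuration is a constructed, trimmed copy of the reply's example written with the two-space nesting of `show running-config`; its server-facing interface is deliberately left on 10.20.7.1, the address of one rserver, so the overlap check has something to report. Function names and the finding texts are this example's own.

```python
# Constructed sample: trimmed copy of the ACE configuration above. The server-facing
# interface is deliberately left on 10.20.7.1 (an rserver address) to trigger a finding.
SAMPLE_CONFIG = """\
access-list INSIDE-HOSTS-PAT_ACL line 10 extended permit ip host 10.20.7.1 any
access-list INSIDE-HOSTS-PAT_ACL line 20 extended permit ip host 10.20.7.2 any
rserver host 10-20-7-1
  ip address 10.20.7.1
  inservice
rserver host 10-20-7-2
  ip address 10.20.7.2
  inservice
class-map match-all FTP-21-CM
  2 match virtual-address 10.20.6.200 tcp eq ftp
class-map match-any INSIDE-HOSTS-PAT-cm
  2 match access-list INSIDE-HOSTS-PAT_ACL
policy-map multi-match INSIDE-INTERFACE-POLICY
  class INSIDE-HOSTS-PAT-cm
    nat dynamic 1 vlan 100
interface vlan 100
  ip address 10.20.6.2 255.255.255.0
  alias 10.20.6.1 255.255.255.0
  peer ip address 10.20.6.3 255.255.255.0
  nat-pool 1 10.20.6.200 10.20.6.200 netmask 255.255.255.255 pat
interface vlan 101
  ip address 10.20.7.1 255.255.255.0
  alias 10.20.7.254 255.255.255.0
  peer ip address 10.20.7.3 255.255.255.0
"""


def parse_config(text):
    """Parse the subset of ACE CLI used above into plain dictionaries and sets."""
    cfg = {"acl_hosts": {}, "rservers": {}, "class_acl": {}, "vips": set(),
           "nat_refs": [], "nat_pools": {}, "if_addrs": {}, "pat_classes": set()}
    ctx = []  # stack of (indent, tokens) for the commands enclosing the current line
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        tok = raw.split()
        while ctx and ctx[-1][0] >= indent:
            ctx.pop()
        top = ctx[0][1] if ctx else tok      # outermost enclosing command
        parent = ctx[-1][1] if ctx else tok  # immediately enclosing command
        ctx.append((indent, tok))
        if tok[0] == "access-list" and "host" in tok:
            cfg["acl_hosts"].setdefault(tok[1], set()).add(tok[tok.index("host") + 1])
        elif top[0] == "rserver" and tok[:2] == ["ip", "address"]:
            cfg["rservers"][top[2]] = tok[2]
        elif top[:2] == ["interface", "vlan"]:
            addrs = cfg["if_addrs"].setdefault(top[2], set())
            if tok[:2] == ["ip", "address"]:
                addrs.add(tok[2])
            elif tok[0] == "alias":
                addrs.add(tok[1])
            elif tok[:3] == ["peer", "ip", "address"]:
                addrs.add(tok[3])
            elif tok[0] == "nat-pool":  # (pool id, vlan) -> (first, last, pat?)
                cfg["nat_pools"][(tok[1], top[2])] = (tok[2], tok[3], tok[-1] == "pat")
        elif top[0] == "class-map" and "match" in tok:
            kind, value = tok[tok.index("match") + 1:tok.index("match") + 3]
            if kind == "virtual-address":
                cfg["vips"].add(value)
            elif kind == "access-list":
                cfg["class_acl"][top[2]] = value
        elif top[0] == "policy-map" and tok[:2] == ["nat", "dynamic"]:
            cfg["nat_refs"].append((tok[2], tok[4]))   # (pool id, vlan)
            cfg["pat_classes"].add(parent[1])          # class carrying the PAT
    return cfg


def check_config(cfg):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    # 1. Outbound address must be one IP, marked pat, and equal to a configured VIP.
    for (pool, vlan), (first, last, pat) in cfg["nat_pools"].items():
        if first != last:
            findings.append(f"nat-pool {pool} on vlan {vlan} spans {first}-{last}, not a single address")
        if first not in cfg["vips"]:
            findings.append(f"nat-pool {pool} on vlan {vlan} address {first} is not a configured VIP")
        if not pat:
            findings.append(f"nat-pool {pool} on vlan {vlan} lacks 'pat'; one address cannot serve several servers")
    # 2. Every 'nat dynamic <id> vlan <n>' needs a nat-pool <id> on interface vlan <n>.
    for pool, vlan in cfg["nat_refs"]:
        if (pool, vlan) not in cfg["nat_pools"]:
            findings.append(f"nat dynamic {pool} references vlan {vlan} but no such nat-pool exists there")
    # 3. Every rserver must be matched by the ACL behind the PAT class, or it leaves unchanged.
    pat_hosts = set()
    for cname in cfg["pat_classes"]:
        pat_hosts |= cfg["acl_hosts"].get(cfg["class_acl"].get(cname), set())
    for name, ip in cfg["rservers"].items():
        if ip not in pat_hosts:
            findings.append(f"rserver {name} ({ip}) is not covered by the outbound PAT ACL")
    # 4. Addresses the ACE owns on its interfaces must not collide with rserver addresses.
    ace_addrs = {ip for addrs in cfg["if_addrs"].values() for ip in addrs}
    for name, ip in cfg["rservers"].items():
        if ip in ace_addrs:
            findings.append(f"rserver {name} address {ip} is also an ACE interface/alias/peer address")
    return findings


def audit(text):
    """Parse and check a configuration text in one call."""
    return check_config(parse_config(text))


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run as-is it reports the single overlap on rserver 10-20-7-1; with the server-facing interface moved to an unused address it reports nothing, and removing `pat` from the `nat-pool` line produces the extra finding that a one-address pool without PAT cannot carry several servers at once. The checks are deliberately structural rather than semantic, so they are useful as a pre-change review of a candidate configuration, not as a substitute for `show nat` on the module.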