09-12-2012 02:49 AM
Good day experts
I have 3 places a client will enter the network
I have a transparent ACE context running in a 6500 A2 v3.4
We have 2 servers that we need balanced on the outside server ACE VLAN. I have a VIP for this on the ACE.
(1) Sourced from the internet, and D-NAT'ed at the perimeter of the network, then source NAT'ed again by the TMG firewall, which is a Windows load-balanced cluster. As far as the ACE is concerned it will get one of two source addresses, from either of the TMGs, which in this example are 192.168.250.50 and 51 in the static client source command.
TMG firewall cluster VLAN-> 700 ACE VLAN--- |ACEMODULE| --- 800 server ACE VLAN
(2) Normal User VLAN -> 700 ACE VLAN--- |ACEMODULE| --- 800 server ACE VLAN (no problems here)
(3) Citrix User VLAN (same VLAN as the 800 server VLAN) -> Source PAT --- |ACE| --- 800 Server ACE VLAN; we have to NAT this traffic to force it through the ACE.
I think I am on the right track but would like some advice on the below config:
In order to load balance from different Citrix servers that are in the same VLAN as the servers that are to be balanced by the ACE, can I use a single NAT address using PAT, or do I need a pool like I have configured below? Does the ACE see that NATed address as one source? Or is it smart enough to realise that it is performing the NAT itself and look at the original client requests for balancing before NAT?
probe echo tcp TCP80
  interval 5
  passdetect interval 60
  passdetect count 2

rserver host SERVERV01
  ip address 192.168.245.134
  probe ICMP
  inservice
rserver host SERVERV02
  ip address 192.168.245.135
  probe ICMP
  inservice

serverfarm host SERVER-BAL-FARM
  predictor leastconns
  probe TCP80
  rserver SERVERV01
    inservice
  rserver SERVERV02
    inservice

sticky ip-netmask 255.255.255.255 address source SERVER-BAL-stickygroup
  timeout 480
  replicate sticky
  serverfarm SERVER-BAL-FARM
  32 static client source 192.168.250.50 rserver SERVERV01
  40 static client source 192.168.250.51 rserver SERVERV02

class-map match-any SERVER-BAL-C-MAP
  10 match virtual-address 192.168.245.104 any

policy-map type loadbalance first-match SERVER-BAL-P-MAP
  class class-default
    sticky-serverfarm SERVER-BAL-stickygroup

policy-map multi-match loadbalanced-traffic
  class SERVER-BAL-C-MAP
    loadbalance vip inservice
    loadbalance policy SERVER-BAL-P-MAP
    loadbalance vip icmp-reply

policy-map multi-match loadbalance-inside-srv
  class SERVER-BAL-C-MAP
    loadbalance vip inservice
    loadbalance policy SERVER-BAL-P-MAP
    loadbalance vip icmp-reply
    nat dynamic 6 vlan 800

interface vlan 800
  nat-pool 6 192.168.245.224 192.168.245.239 netmask 255.255.255.224 ?
OR
  nat-pool 6 192.168.245.224 192.168.245.224 netmask 255.255.255.255 pat
09-13-2012 10:26 AM
Nick-
You can use a single NAT IP with PAT, just keep in mind that you get about 64k translations per IP, so if you are planning on having more than 64k simultaneous connections, you will need more than 1 IP in the pool. If you want to NAT only the traffic coming from the Citrix servers, then apply a policy map with the nat statement to the vlan 800 interface and apply a separate policy map to vlan 700 which has no nat statement in it. (Which is what it looks like you were doing inherently above, but I don't see vlan 700.)
Regards,
Chris Higgins
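Putting Chris's advice together with the config from the question, here is the interface part that the original post leaves out, as an added example that is not part of the thread. Both interfaces match the same VIP, but only the policy applied to VLAN 800 carries the nat dynamic line, so flows from the TMG cluster and the user VLAN (arriving on VLAN 700) keep their original source address while Citrix clients on VLAN 800 are PATed to the single pool address. The bridge group number, the BVI address, the ALL access list and the descriptions are assumptions; everything else uses the names and addresses from the question.

```cisco
! Assumed: a permit-any ACL so traffic can enter either interface
access-list ALL line 10 extended permit ip any any

! Client side: TMG cluster and normal user VLAN. No nat line here,
! so SERVER-BAL-P-MAP sees 192.168.250.50/51 and the real user IPs.
interface vlan 700
  description client-side (TMG cluster, user VLAN) - assumed description
  bridge-group 1
  access-group input ALL
  service-policy input loadbalanced-traffic
  no shutdown

! Server side: real servers and the Citrix clients share this VLAN.
! Single-IP PAT pool (Chris's suggestion): one address, /32, pat keyword.
! The pool address must be a free host address in the server subnet.
interface vlan 800
  description server-side (real servers, Citrix clients) - assumed description
  bridge-group 1
  access-group input ALL
  nat-pool 6 192.168.245.224 192.168.245.224 netmask 255.255.255.255 pat
  service-policy input loadbalance-inside-srv
  no shutdown

! Transparent context: both VLANs bridged, one management address on the BVI.
! BVI-ADDRESS is a placeholder, not a value from the thread.
interface bvi 1
  ip address BVI-ADDRESS 255.255.255.0
  no shutdown
```

The nat dynamic statement lives inside the class that matches the VIP, so only Citrix traffic destined for 192.168.245.104 is translated; other VLAN 800 traffic is bridged untouched. The translation is applied on the server-facing leg after the load-balancing decision, so sticky and the leastconns predictor still work on the original Citrix client addresses rather than on the single PAT address. To confirm which flows are being translated after cutover, compare the client and server legs in show conn and watch the hit counters in show service-policy loadbalance-inside-srv detail; if the connection count toward the VIP from VLAN 800 approaches the per-IP PAT limit Chris mentions, widen the pool to a range (the /27 alternative in the question) rather than a single /32.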
09-14-2012 12:18 AM
Thanks very much. I am glad the single NAT IP will work; yes, you are correct about the VLAN 700.