Hi Richard,

Richard Tapp · ‎05-19-2017

I have run src NAT from one VLAN to other VLAN on the ACE OK for years. Now I need to ensure the outbound flow (to internet destination) from two servers is src natted. The inbound LB flow to the VIP (of the two servers) 10.100.60.10 tcp/25 is fine.

This is how I would normally do it, but it is not nating the real IPs.

access-list XX-XCH2010-EDGE line 20 extended permit ip any any

access-list XX-ACEDMZ-VIP line 10 extended permit ip any any

class-map match-all XX-XCH2010-EDGE

2 match virtual-address 10.100.60.10 tcp eq smtp

class-map match-any XX-XCH2010-EDGE-REALS

2 match source-address 10.100.72.10 255.255.255.255

3 match source-address 10.100.72.11 255.255.255.255

policy-map type loadbalance first-match XX-XCH2010-EDGE

class class-default

serverfarm XCH2010-EDGE-Servers

policy-map multi-match XX-ACEDMZ-VIPS

class XX-XCH2010-EDGE-REALS

nat dynamic 1 vlan 172

class XX-XCH2010-EDGE

loadbalance vip inservice

loadbalance policy XX-XCH2010-EDGE

loadbalance vip icmp-reply

interface vlan 160

description XX-ACEDMZ-VIPS

ip address 10.100.60.4 255.255.254.0

access-group input XX-ACEDMZ-VIP

service-policy input XX-ACEDMZ-VIPS

interface vlan 172

description XX-XCH2010-EDGE

ip address 10.100.72.4 255.255.254.0

access-group input XX-XCH2010-EDGE

nat-pool 1 10.100.60.10 10.100.60.10 netmask 255.255.254.0 pat

service-policy input XX-ACEDMZ-VIPS

Amjad Hashim · ‎06-20-2017

Hi Richard,

As far as i understand the src NAT in ACE is applied to outbound interface, so i think you should move your nat pool statement to VLAN 160 and also change your nat application under service policy to vlan 160. Hopefully that will resolve the issue for you.

Amjad Hashim.

Cisco ACE 30 src NAT issue