Cisco ACE 4710 NAT All Traffic to VIP Address

daniel.carlton
Level 1

I know that the ACE will NAT all return traffic to the VIP address, but what I need to do is to NAT traffic sourced from the real server that does not match an existing flow. Traffic like outbound connection initiated from the real servers, ICMP, etc. For information the real servers use the ACE as the Gateway for this traffic.

I tried a NAT pool without luck. Anyone have any luck doing this?

rserver host server1
  ip address 192.156.241.64
  inservice
rserver host server2
  ip address 192.156.241.65
  inservice

serverfarm host FARM
  failaction purge
  predictor leastconns slowstart 15
  rserver server1
    conn-limit max 4000000 min 4000000
    inservice
  rserver server2
    conn-limit max 4000000 min 4000000
    inservice

class-map match-all VIP
  2 match virtual-address 192.156.246.255 any
class-map type management match-any minimal-diag
  2 match protocol icmp any
class-map type management match-any remote-access
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol telnet any

policy-map type loadbalance first-match VIP-POLICY
  class class-default
    serverfarm FARM

policy-map multi-match VIPS
  class VIP
    loadbalance vip inservice
    loadbalance policy VIP-POLICY
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 1 vlan 241

interface vlan 241
  description POS
  ip address 192.156.241.245 255.255.255.0
  alias 192.156.241.250 255.255.255.0
  peer ip address 192.156.241.246 255.255.255.0
  access-group input all
  access-group output all
  nat-pool 1 192.156.246.255 192.156.246.255 netmask 255.255.255.255 pat
  service-policy input VIPS
  no shutdown

ip route 192.156.245.0 255.255.255.0 192.156.241.7
ip route 0.0.0.0 0.0.0.0 192.156.241.7

8 Replies

Jorge Bejarano
Level 4

Daniel,

Basically, you want to do something which is called: "server initiation traffic" where the servers are the ones which will start the connections to the ACE.

You said you do not want to match any VIP (virtual IP address) and just NAT the traffic to send it to the outbound side (the Internet, for example), correct? Or do you want to start traffic from a server to hit a VIP to send it to another serverfarm?

Jorge

Hi...

For the traffic I want to NAT, the server will send it to an outside address (not a VIP) and I want the ACE to NAT the source of the traffic so it appears to be coming from the VIP.

Dan

Hi Daniel

You need something like this:

class-map match-all SERVERNAT
  2 match source-address x.x.x.x 255.255.255.255

policy-map multi-match NAT
  class SERVERNAT
    nat dynamic 1 vlan XX

interface vlan XX  ------front side VLAN
  ip address 192.168.50.15 255.255.255.0
  mac-sticky enable
  access-group input Allow_all_traffic
  access-group output Allow_all_traffic
  nat-pool 1 x.x.x.x netmask 255.255.255.0 pat
  no shutdown

interface vlan XX  ------server VLAN
  ip address 208.50.107.109 255.255.255.192
  mac-sticky enable
  access-group input Allow_all_traffic
  access-group output Allow_all_traffic
  service-policy input NAT
  no shutdown

---------------------
Cesar R
ANS Team


Cesar, Jorge,

I've got something similar to this situation.

I've got several serverfarms. Each serverfarm relates to an app that is reached via a VIP in 10.11.12.0/24. Actually that subnet is used to provide VIPs for all apps in 3 different contexts.

Sometimes, a client needs to access VIP 10.11.12.100. It is loadbalanced against 5 realservers. Sometimes one of those realservers needs to query another app that is reached via VIP 10.11.12.101, which is in another context. How can I do that?

And if the realserver needed to query another app that is reached via VIP 10.11.12.102 that is in the same context, what should I do?

thanks in advance,

Hi Fernando,

It is not quite similar to the NAT problem.

You need server-to-server load balancing.

Basically, you need appropriate routing and to ensure that the ACE can see both traffic directions. Otherwise it is the same as client-server. The server should just go to the destination VIP of the other serverfarm.

If the traffic is routed between two ACE contexts, you should not have a problem; it should work the same as client-server traffic, and the relevant ACE context (the one in charge of the VIP) will see both directions of a connection. The other context will just route the traffic. You just have to provide appropriate routing towards the VIP address and towards the source server's real IP address (the ACE does not NAT the source IP by default).

The situation is more complicated if you have two serverfarms with real server addresses in the same subnet on the same context (if they are in separate subnets, the behavior is similar to the above -> just routing). In the case of real servers in the same subnet you have to force the returning traffic to go via the ACE. By default, the destination server will see the real source IP of the source server and will try to respond directly, avoiding the ACE. Only in that case do you need source NAT to hide the IP of the source server and force the returning traffic back to the ACE.

All of the above applies if you have configured routed mode on the ACE contexts...

If your scenario is more complicated, please give more details about your config.

Best regards,

Jasmina

Thanks for the answer. It was just what I was looking for.

Thanks!

Hi Fernando,

You need to configure the service-policy in the server VLAN and probably SNAT will be needed.

Do you have the configuration? 

---------------------
Cesar R
ANS Team

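The same-subnet server-to-VIP case from Jasmina's reply (and the server-VLAN service-policy plus SNAT Cesar mentions above), as an added example configuration, not the posters' or Cisco's own. Assumed: server VLAN 13 (10.11.13.0/24) holds the real servers of both serverfarms, APP-102 is the serverfarm behind VIP 10.11.12.102, 10.11.13.250 is a spare address used as the SNAT pool, and the ACE context runs in routed mode.

```text
! Added example (not from the thread). Assumed names and addresses, see lead-in.
access-list ALLOW-ALL line 8 extended permit ip any any

! The same VIP class the client-side policy already uses for 10.11.12.102.
class-map match-all VIP-102
  2 match virtual-address 10.11.12.102 any

policy-map type loadbalance first-match LB-102
  class class-default
    serverfarm APP-102

! Applied on the SERVER VLAN: a real server of the first farm hits VIP-102 here.
! The nat dynamic line is what differs from the client-side policy: the source
! server's real IP is hidden behind the pool, so the APP-102 server answers the
! ACE instead of replying directly to its neighbour on the shared subnet.
policy-map multi-match SERVER-SIDE
  class VIP-102
    loadbalance vip inservice
    loadbalance policy LB-102
    nat dynamic 2 vlan 13

interface vlan 13
  ip address 10.11.13.1 255.255.255.0
  ! The pool must be defined on the VLAN named in "nat dynamic"; here the server
  ! VLAN is both ingress and egress, so it lives on vlan 13 itself.
  nat-pool 2 10.11.13.250 10.11.13.250 netmask 255.255.255.255 pat
  access-group input ALLOW-ALL
  access-group output ALLOW-ALL
  service-policy input SERVER-SIDE
  no shutdown
```

Verify with "show conn" on the context: both directions of a server-to-VIP connection should appear, with the source rewritten to 10.11.13.250; if only the forward half shows up, the destination server is still replying around the ACE.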

Thanks Cesar, Jasmina and you gave the necessary answer to the problem that I was facing.

Thanks!!!
