cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2137
Views
0
Helpful
5
Replies

Cisco CSS > ACE question - SNAT

achrich
Level 1
Level 1

I just wondered if I could please ask a question I have in regards SNAT on the ACE modules that someone might have encountered elsewhere.

Scenrio is currently the CSS load balancers we use in one enviroment are being consolidated into a ACE module.

Current CSS handles a inbound VIP and a outbound source NAT for the same IP  and is placed directly infront of servers and we use the  service group rules on the CSS to SNAT

new ACE module will be installed 2 hops away from the servers and we can`t change the current IP/VIP due to extensive use with various 3rd party`s.

My question is relating to the Source NAT functions on the ACE.   Redirecting Inbound traffic flows to the VIP causes us no issues however due to the new location of the ACE module we would like the cleanest solution possible for the outbound SNAT. We intend to PBR the outbound traffic  into the ACE and route the traffic va the ACE - so the ACE owns the inbound and outbound IP/VIP.

From what I`ve read this seems it may be possible but I wondered if you`d seen this elsewhere/configured it previous etc to let us know if this is even fesiable as wondered how the ACE would handles the inbound client NAT alongside the outbound static source NAT.

Is it also possible to have a VIP IP without actually having any VLAN interfaces in the subnet other then the VIP IP`s ? Due to legacy constraints we have host route the above VIP into the ACE.

Thanks for any advice.

1 Accepted Solution

Accepted Solutions

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

Good morning,

For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.

To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)

For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.

Regards

Daniel

View solution in original post

5 Replies 5

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

Good morning,

For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.

To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)

For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.

Regards

Daniel

Hi,

Many thanks for your reply - its not an ideal scenrio but we have to work with various constraints and a complete uplift of the subnet was not possible. The alternative was splitting NAT onto various external firewalls which would have been a lot worse imho.

Cheers

Would apprieciate if someone could check the logic/config for the above scenerio ?

Traffic inbound and using the VIP will be routed into vlan 100 using a /32

Traffic outbound needing the static NAT will be PBR`ed into vlan 200 via a SVI on the same device.

I`m not sure about the default route or if I should be using static nat statement on the nat multimatch...only this generates a error when used.

Example  ( its not a http application just using for example )

access-list 10 line 8 extended permit ip any any

access-list 10 line 16 extended permit icmp any any

rserver host SERVER1

  ip address 192.168.1.1

rserver host SERVER2

  ip address 192.168.1.2

serverfarm host sf1

    rserver SERVER1

    rserver SERVER2

class-map match-any cm-nat-src

  2 match source-address 192.168.1.1 255.255.255.255

  3 match source-address 192.168.1.2 255.255.255.255

class-map match-any cm-lb-match

  2 match virtual-address 10.10.10.10 tcp eq 80

policy-map type loadbalance generic first-match pm-lb-match

  class class-default

    serverfarm sf1

policy-map multi-match pm-client-vips

  class cm-lb-match

    loadbalance vip inservice

    loadbalance policy pm-lb-match

    loadbalance vip icmp-reply

    nat dynamic 10 vlan 100

policy-map multi-match pm-source-nat

  class cm-nat-src

    nat dynamic 20 vlan 200

interface vlan 100

  description lb-vip

  access-group input 10

  ip address 10.1.1.1 255.255.255.0

  nat-pool 10 10.1.1.10 10.1.1.10 netmask 255.255.255.255 pat

  service-policy input pm-client-vips

interface vlan 200

  description src-nat

  access-group input 10

  ip address 10.2.1.1 255.255.255.0

  nat-pool 10 10.10.10.10 10.10.10.10 netmask 255.255.255.255

ip route 0.0.0.0 10.1.1.2 ( vlan 100..would this impact return traffic for the src nat but the external routing will force it in this way anyway )

This post suggests the above config is not valid...i.e using the src nat which is the same as the inbound VIP.

https://supportforums.cisco.com/message/452403#452403

If any one could please confirm

If any one else is looking for this solution ( server having a source NAT the same as a inbound VIP ) I actually located some documentation on Cisco TKL called  "ACE NAT design" and the configuration IS supported on A2(2.x) upwards and managed a test which worked - although using a single VLAN for in/out traffic.

Review Cisco Networking for a $25 gift card