Solved: Cisco CSS > ACE question - SNAT

achrich · ‎05-31-2011

I just wondered if I could please ask a question I have in regards SNAT on the ACE modules that someone might have encountered elsewhere.

Scenrio is currently the CSS load balancers we use in one enviroment are being consolidated into a ACE module.

Current CSS handles a inbound VIP and a outbound source NAT for the same IP and is placed directly infront of servers and we use the service group rules on the CSS to SNAT

new ACE module will be installed 2 hops away from the servers and we can`t change the current IP/VIP due to extensive use with various 3rd party`s.

My question is relating to the Source NAT functions on the ACE. Redirecting Inbound traffic flows to the VIP causes us no issues however due to the new location of the ACE module we would like the cleanest solution possible for the outbound SNAT. We intend to PBR the outbound traffic into the ACE and route the traffic va the ACE - so the ACE owns the inbound and outbound IP/VIP.

From what I`ve read this seems it may be possible but I wondered if you`d seen this elsewhere/configured it previous etc to let us know if this is even fesiable as wondered how the ACE would handles the inbound client NAT alongside the outbound static source NAT.

Is it also possible to have a VIP IP without actually having any VLAN interfaces in the subnet other then the VIP IP`s ? Due to legacy constraints we have host route the above VIP into the ACE.

Thanks for any advice.

Daniel Arrondo Ostiz · ‎06-01-2011

Good morning,

For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.

To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)

For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.

Regards

Daniel

View solution in original post

Daniel Arrondo Ostiz · ‎06-01-2011

Good morning,

For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.

To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)

For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.

Regards

Daniel

achrich · ‎06-01-2011

Hi,

Many thanks for your reply - its not an ideal scenrio but we have to work with various constraints and a complete uplift of the subnet was not possible. The alternative was splitting NAT onto various external firewalls which would have been a lot worse imho.

Cheers

achrich · ‎01-19-2012

Would apprieciate if someone could check the logic/config for the above scenerio ?

Traffic inbound and using the VIP will be routed into vlan 100 using a /32

Traffic outbound needing the static NAT will be PBR`ed into vlan 200 via a SVI on the same device.

I`m not sure about the default route or if I should be using static nat statement on the nat multimatch...only this generates a error when used.

Example ( its not a http application just using for example )

access-list 10 line 8 extended permit ip any any

access-list 10 line 16 extended permit icmp any any

rserver host SERVER1

ip address 192.168.1.1

rserver host SERVER2

ip address 192.168.1.2

serverfarm host sf1

rserver SERVER1

rserver SERVER2

class-map match-any cm-nat-src

2 match source-address 192.168.1.1 255.255.255.255

3 match source-address 192.168.1.2 255.255.255.255

class-map match-any cm-lb-match

2 match virtual-address 10.10.10.10 tcp eq 80

policy-map type loadbalance generic first-match pm-lb-match

class class-default

serverfarm sf1

policy-map multi-match pm-client-vips

class cm-lb-match

loadbalance vip inservice

loadbalance policy pm-lb-match

loadbalance vip icmp-reply

nat dynamic 10 vlan 100

policy-map multi-match pm-source-nat

class cm-nat-src

nat dynamic 20 vlan 200

interface vlan 100

description lb-vip

access-group input 10

ip address 10.1.1.1 255.255.255.0

nat-pool 10 10.1.1.10 10.1.1.10 netmask 255.255.255.255 pat

service-policy input pm-client-vips

interface vlan 200

description src-nat

access-group input 10

ip address 10.2.1.1 255.255.255.0

nat-pool 10 10.10.10.10 10.10.10.10 netmask 255.255.255.255

ip route 0.0.0.0 10.1.1.2 ( vlan 100..would this impact return traffic for the src nat but the external routing will force it in this way anyway )

achrich · ‎01-19-2012

This post suggests the above config is not valid...i.e using the src nat which is the same as the inbound VIP.

https://supportforums.cisco.com/message/452403#452403

If any one could please confirm

achrich · ‎01-29-2012

If any one else is looking for this solution ( server having a source NAT the same as a inbound VIP ) I actually located some documentation on Cisco TKL called "ACE NAT design" and the configuration IS supported on A2(2.x) upwards and managed a test which worked - although using a single VLAN for in/out traffic.