09-03-2009 06:13 PM
Can someone provide some information on how you would set up 2 servers to proxy out as the VIP address?
On the CSS I know you can accomplish this through the use of a group rule
Ex:
group Outbound_Proxy
  vip address 192.168.1.x
  add service web1
  add service web2
  active
What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration; however, I am not too sure how to set that up.
Can someone please provide some advice?
Thank you in advance!
09-04-2009 09:15 AM
I have not tried this but I thought it was worth mentioning.
Create a nat pool on your interface with the same address as the VIP. Then assign the virtual server to that NAT pool.
09-04-2009 09:27 PM
Well, I tried something similar by specifying the source IP addresses I wish to DNAT out as the VIP and bound them to a policy-map. However, the configuration I implemented does not work as I thought it would.
class-map match-any DNS-NAT-Servers
  2 match source-address 192.168.100.158 255.255.255.255
  3 match source-address 192.168.100.157 255.255.255.255
policy-map multi-match NAT-POLICY
  class DNS-NAT-Servers
    nat dynamic 2 vlan 695
interface vlan 91
  description Inside
  ip address 192.168.100.1 255.255.255.0
  access-group input 100
  access-group output 101
  service-policy input icmp_inspect
  service-policy input NAT-POLICY
  no shutdown
interface vlan 695
  description Outside
  ip address 172.16.5.26 255.255.255.0
  access-group input 101
  access-group output 100
  nat-pool 2 192.168.100.163 192.168.100.163 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPS
  service-policy input icmp_inspect
  no shutdown
I wish for the 192.168.100.157 and 192.168.100.158 server addresses to DNAT out as the 192.168.100.163 VIP address.
Any thoughts?
09-07-2009 12:34 AM
Your config should work.
Did you check with a 'show service-policy detail' if you have any hit on your nat policy?
Also do a 'show conn' and see if there are any connections from the servers and if they are NATed.
How do you know it does not work?
Did you take a sniffer trace?
Gilles.
09-07-2009 01:34 PM
Thank you for your response Gilles! Glad to know that my configuration should work.
The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I initiate a connection to the .163 VIP, where it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 91
service-policy: NAT-POLICY
class: DNS-NAT-Servers
nat:
nat dynamic 2 vlan 695
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
This is the reason I have not yet performed a packet capture.
I notice the connection establishes just fine and the ACE forwards/balances my connection to the correct destination server. However, looking at the me-stats for the connection ID, I noticed it is not dynamically NAT'ing the response out.
ACE-12539-187036/spam# sho conn | i 64.39.0.40
150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
Connection ID:seq: 34566[0x8706].5
Other ConnID : 150536[0x24c08].10
Proxy ConnID : 0[0x0].0
Next Q : 0[0x0]
192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 0
Interface Match : Yes
Interface MatchID: 13
EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
MSS : 1380 TOS Stamp : 0
Repeat mode : No ARP Lookup : No
TOS Stamp : No TCP Window Check: No
ACE ID : 12898 NAT Policy ID : 0
Post NAT hop : 0
Packet Count : 1 Byte Count : 44
TCP Information: (State = 3)
Window size : 16384 Window scale : 0
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 5b40000 Last seq : 79e90c16
timestamp_delta: 0 Last ack : 1
No Trigger : 0 Trigger Status : 0
Timestamp : 6279495f
TCP options negotiated:
Sack:Clear TS:Clear Windowscale: Clear
Reserved: Allow Exceed MSS: Deny Window var: Allow
Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply only to outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can set up dynamic NAT for a specific serverfarm. Do you think I should try that instead?
Thank you in advance!
- Jason
09-08-2009 02:27 AM
Jason,
you do not have to take care of the response traffic with ACE.
It is done automatically.
The config you have in place is for connections initiated by the server.
Gilles.
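To make the distinction Gilles draws checkable from a 'show conn' dump, here is an added example script (not from the thread or from Cisco) that pairs each 'in' row with the 'out' row that follows it, labels client-to-VIP flows whose replies ACE un-NATs automatically, and flags server-initiated flows that did not leave as the VIP. The VIP, server addresses and VLAN numbers come from the thread; the extra rows in the sample dump and the 198.51.100.x destinations are constructed, and the assumption that the two legs of one flow print on consecutive lines, with the 'out' leg written in the reverse direction, is taken from the sample output above.

```python
import re

# One row of ACE 'show conn' output, e.g. (copied from the thread):
# "150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB"
CONN_RE = re.compile(
    r"^(?P<cid>\d+)\s+\d+\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)

# Constructed sample: the first two rows are the thread's real flow; the rest
# are made-up server-initiated flows (one NATed to the VIP, one not).
SAMPLE = """\
150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
200001 1 in UDP 91 192.168.100.158:40123 198.51.100.10:53 --
200002 1 out UDP 695 198.51.100.10:53 192.168.100.163:1025 --
200003 1 in TCP 91 192.168.100.157:40500 198.51.100.20:25 ESTAB
200004 1 out TCP 695 198.51.100.20:25 192.168.100.157:40500 ESTAB
"""

def parse_show_conn(text):
    """Return the rows of a 'show conn' dump as dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in (CONN_RE.match(l.strip()) for l in text.splitlines()) if m]

def audit_flows(text, vip, servers, inside_vlan, outside_vlan):
    """Classify each in/out pair. Assumption: the 'out' leg is printed in the reverse
    direction (server -> client), as in the thread's sample, so for a server-initiated
    flow the NATed address appears as the 'out' leg's destination."""
    rows = parse_show_conn(text)
    verdicts = {}
    for i in range(len(rows) - 1):
        leg_in, leg_out = rows[i], rows[i + 1]
        if leg_in["dir"] != "in" or leg_out["dir"] != "out":
            continue
        if leg_in["vlan"] == outside_vlan and leg_in["dst"] == vip:
            # Client -> VIP: load balanced; ACE reverses the translation on the server's
            # reply by itself, so the outbound NAT policy gets no hit here.
            verdicts[leg_in["cid"]] = "client-to-vip: balanced to %s, reply handled automatically" % leg_out["src"]
        elif leg_in["vlan"] == inside_vlan and leg_in["src"] in servers:
            # Server-initiated connection: this is the traffic the nat dynamic policy is for.
            if leg_out["dst"] == vip:
                verdicts[leg_in["cid"]] = "server-initiated: source NATed to VIP"
            else:
                verdicts[leg_in["cid"]] = "server-initiated: NOT NATed (left as %s)" % leg_out["dst"]
        else:
            verdicts[leg_in["cid"]] = "other flow"
    return verdicts

if __name__ == "__main__":
    for cid, verdict in audit_flows(SAMPLE, "192.168.100.163",
                                    {"192.168.100.157", "192.168.100.158"}, "91", "695").items():
        print(cid, verdict)
```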
09-09-2009 05:32 PM
Thank you Gilles for clarifying that and verifying my configuration is correct!
Issue resolved.
- Jason Espino