
Destination NAT on ACE - overlap vip/NAT


I have a situation where we need a destination NAT to happen on the ACE for an outbound flow that is redirected into SSLM modules, then comes back to the ACE and is forwarded outward. There is a requirement to keep the SSLM module redirection, so we will not be able to achieve the encryption for the outbound connection by using the ACE.

I have a conflict when trying to implement this, as the real destination VIP (443) is being matched on two “match-any” class-maps. One is needed to direct traffic to the destination VIP via the SSLMs, and the other class-map is required to “static NAT” the destination address when the flow leaves the ACE.

Any suggestions on how to achieve the destination NAT in this case?


! redirect to/from ssl blades - (incoming to SSLM on port 80 - outgoing from SSLM on port 8443)

class-map match-any traffic-from-ssl-blade-cm

description match vip and Port 443

168 match virtual-address tcp eq 8443

class-map match-any traffic-to-ssl-blade-cm

168 match virtual-address tcp eq 80

! Match the destination address that will be natted for on port 443

access-list nat-test-srvr line 8 extended permit tcp host eq 443 any

class-map match-any nat-test-srvr-cm

2 match access-list nat-test-srvr

! Apply the static nat on the policy associated with the outside interface - natting to be triggered when packets

! leave the ACE

policy-map multi-match Dnat_policy

class nat-test-srvr-cm

nat static netmask tcp eq 8443 vlan 491

Error: Cannot overlap vip or NAT address configured in a shared interface

interface vlan 490

description Outside interface

bridge-group 4

service-policy input Dnat_policy

interface vlan 491

description Inside interface - flow from SSLM

bridge-group 4

service-policy input traffic-from-sslm


Cisco Employee

Re: Destination NAT on ACE - overlap vip/NAT

If you want to do a destination NAT, simply configure load balancing with a single real.

So do a class-map to match virtual ip tcp eq 443.

Create a rserver with ip address

Add this rserver in a serverfarm.

And link everything together with a policy.
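
The steps in the reply above, written out as ACE configuration. This is an added example, not part of the original reply and not configuration from the poster's device. All object names, both addresses (taken from documentation ranges), the real server's port and the VLAN are assumptions, because the page does not give them.

```text
! Added example - every name, address, port and VLAN below is a placeholder.

! The real server is the translated destination address.
rserver host DNAT-REAL
  ip address 192.0.2.10
  inservice

! A serverfarm with exactly one real: every connection to the VIP
! is sent to that single address, which gives the destination NAT.
serverfarm host DNAT-FARM
  rserver DNAT-REAL 8443
    inservice

! The VIP is the original destination address on TCP 443.
class-map match-all DNAT-VIP-CM
  2 match virtual-address 198.51.100.10 tcp eq 443

! Layer 7 policy: send everything to the one-member serverfarm.
policy-map type loadbalance first-match DNAT-LB-POLICY
  class class-default
    serverfarm DNAT-FARM

! Layer 3/4 policy: tie the VIP class to the load-balancing policy.
policy-map multi-match DNAT-MM-POLICY
  class DNAT-VIP-CM
    loadbalance vip inservice
    loadbalance policy DNAT-LB-POLICY

! Apply on the interface where the flow towards the VIP enters the ACE
! (the VLAN number here is assumed).
interface vlan 491
  service-policy input DNAT-MM-POLICY
```

Because the address is defined once as a VIP and the translation happens through the serverfarm, no separate `nat static` statement references the same address. `show service-policy DNAT-MM-POLICY` shows whether connections are hitting the VIP class.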

