01-31-2013 02:43 PM
Dear Mister
I need to pass FTP through ACE, but it is not functioning.
The FTP is not functioning using VIP. It is a connection toward a NAT IP address. I have the following configuration:
class-map match-all NAT2020-PRUEBA
  2 match source-address 10.40.20.20 255.255.255.255
interface vlan 401
  description "Conexion a Servidores Reales CERT"
  ip address 10.84.255.10 255.255.255.248
  no shutdown
interface vlan 450
  description "Conexion a FWSM-CERT"
  ip address 10.40.150.3 255.255.255.128
  service-policy input NATTEST
  no shut
I need to do the NAT using the real IP 10.40.150.10.
policy-map multi-match NATTEST
  class NAT2020-PRUEBA
    nat static 10.40.150.10 netmask 255.255.255.255
In this scenario, the NAT is not functioning.
I tried to use the following:
switch/cert(config-pmap-c)# nat static 10.40.150.10 netmask 255.255.255.255 21 vlan 401
But it sends the following message:
Error: Invalid real port configured for NAT static
switch/cert(config-pmap-c)#
How could I fix this problem????
Some inspect???
Best Regards
02-06-2013 05:42 AM
Config is as follows. You need the 2 class-maps, one for vip and one for the servers. If not, then the PASV statement will not get the server IP translated.
Matthew
rserver host 810
  ip address 1.8.1.10
  inservice
rserver host 811
  ip address 1.8.1.11
  inservice
serverfarm host 8xx
  rserver 810
    inservice
  rserver 811
    inservice
class-map match-all ftp-source
  2 match source-address 1.9.1.0 255.255.255.0
class-map match-all vip-ftp
  10 match virtual-address 1.9.1.209 tcp eq ftp
policy-map type loadbalance first-match round-robin-8xx
  class class-default
    serverfarm 8xx
policy-map multi-match lb-vip
  class vip-ftp
    loadbalance vip inservice
    loadbalance policy round-robin-8xx
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-source
    nat dynamic 1 vlan 468
interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  nat-pool 1 1.8.1.208 1.8.1.208 netmask 255.255.255.255 pat
  no shutdown
interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  service-policy input lb-vip
  no shutdown
ip route 0.0.0.0 0.0.0.0 1.9.1.254
02-06-2013 07:19 AM
Thanks, mister
But at this point, I have static NAT. I put before just one FTP rserver, but really there are two.
In essence, I need two static NATs. I am not using PAT.
How could I do this?
Best Regards
02-06-2013 07:38 AM
Rodrigo, sorry I don't follow what you are trying to do. In terms of NAT, you have destination NAT as the client connects to the VIP address. I assume that you have a problem with source NAT - is that correct? Are you saying that you have 2 clients and you want to static NAT each one to different values?
Matthew
02-06-2013 07:59 AM
Thanks Matthew
My problem is with the FTP, using these NATs.
The real IPs must be seen from the outside in this way:
10.40.20.20 ( Real Server) --> 10.40.150.20 (nop vip)
10.40.21.20 ( Real Server) --> 10.40.150.21 (nop vip)
In this scenario, the clients need to get and put files on these FTP servers (10.40.150.20 and 21), without load balancing.
In this scenario, I connect to the servers, but when I try to do an "ls" or "dir", or get some file, it is not functioning.
Best Regards
02-06-2013 08:22 AM
So you want the clients to access rserver 10.40.20.20 via ftp to 10.40.150.20 and rserver 10.40.21.20 via ftp to 10.40.150.21? The rservers expect to see the real client source address?
Matthew
02-06-2013 08:46 AM
Matthew
About that:
The rservers expect to see the real client source address ? Matthew
Yes, that is correct.
Maybe I do not fully understand the functioning of FTP. The customer appears to be using passive FTP.
Regards
02-07-2013 05:41 AM
This should do what I think you want to do. This also does source-NAT. If you don't want this, then delete the class-maps ftp-810 & ftp-811 and the nat statements from vlan 468.
Matthew
rserver host 810
  ip address 1.8.1.10
  inservice
rserver host 811
  ip address 1.8.1.11
  inservice
serverfarm host sf-810
  rserver 810
    inservice
serverfarm host sf-811
  rserver 811
    inservice
class-map match-all ftp-810
  2 match virtual-address 1.9.1.209 tcp any
class-map match-all ftp-811
  2 match virtual-address 1.9.1.208 tcp any
class-map match-all vip-ftp-10
  10 match virtual-address 1.9.1.209 tcp eq ftp
class-map match-all vip-ftp-11
  10 match virtual-address 1.9.1.208 tcp eq ftp
policy-map type loadbalance first-match pm-ftp-10
  class class-default
    serverfarm sf-810
policy-map type loadbalance first-match pm-ftp-11
  class class-default
    serverfarm sf-811
policy-map multi-match lb-vip-10
  class vip-ftp-10
    loadbalance vip inservice
    loadbalance policy pm-ftp-10
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-810
    nat dynamic 9 vlan 468
policy-map multi-match lb-vip-11
  class vip-ftp-11
    loadbalance vip inservice
    loadbalance policy pm-ftp-11
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-811
    nat dynamic 8 vlan 468
interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  nat-pool 9 1.8.1.209 1.8.1.209 netmask 255.255.255.255 pat
  nat-pool 8 1.8.1.208 1.8.1.208 netmask 255.255.255.255 pat
  service-policy input remote-access
interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  service-policy input lb-vip-10
  service-policy input lb-vip-11
ip route 0.0.0.0 0.0.0.0 1.9.1.254
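
The symptom in this thread (login works, "ls" or "dir" does not) is what passive FTP looks like when the server's 227 reply still carries its real address behind NAT. The following is an added example, not code from any poster or from Cisco: a Python check that uses the static NAT pairs quoted in the thread and a constructed 227 line to flag an untranslated PASV reply and to show the rewrite an FTP-aware NAT device has to perform. The function names and the sample reply are assumptions made for illustration.

```python
import re

# Static NAT pairs quoted in the thread: real server -> address clients connect to.
STATIC_NAT = {"10.40.20.20": "10.40.150.20", "10.40.21.20": "10.40.150.21"}

# Constructed sample: a 227 reply as sent by real server 10.40.20.20 (port 195*256+80).
SAMPLE = "227 Entering Passive Mode (10,40,20,20,195,80)."

PASV_RE = re.compile(r"^227 (.*?)\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)(.*)$")


def parse_pasv(line):
    """Return (ip, port) embedded in a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()[1:7]]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_pasv(line, control_peer):
    """Classify a 227 reply as seen by a client whose control connection goes to control_peer."""
    parsed = parse_pasv(line)
    if parsed is None:
        return "not-pasv"
    ip = parsed[0]
    if ip == control_peer:
        return "ok"
    if STATIC_NAT.get(ip) == control_peer:
        return "untranslated"  # real server IP passed through NAT unchanged
    return "mismatch"


def rewrite_pasv(line, nat=STATIC_NAT):
    """Replace the embedded real address with its NAT address, keeping the port bytes."""
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] not in nat:
        return line
    ip, port = parsed
    m = PASV_RE.match(line.strip())
    host = ",".join(nat[ip].split("."))
    return "227 %s(%s,%d,%d)%s" % (m.group(1), host, port >> 8, port & 0xFF, m.group(8))


if __name__ == "__main__":
    print(check_pasv(SAMPLE, "10.40.150.20"))   # client would dial 10.40.20.20 for data
    print(rewrite_pasv(SAMPLE))                 # what the client needs to receive
```

Running the same check against 227 lines taken from a client-side packet capture shows whether the device in the path is rewriting the reply.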