How to disable SNAT?

dfariborz
Level 1

We want to use the ACE in a redundant two-armed configuration but we don't want to use SNAT as the application needs to know the original source IP addresses. Is this possible? And if so, please include a sample configuration.

Thank You

Darius.Fariborz@cgi.com

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

ACE doesn't source NAT the traffic unless it is configured to. So by default your client IP is preserved and sent to the server.

If you have ACE configured to source NAT, then you can also use x-forwarded-for to insert the client IP.

Let me know if you have any questions.

Regards,

Kanwal

Hi Kanwal

Thanks for your prompt reply, I shall confirm in a few months when they are in the network.

Can you provide some URLs for configuring SNAT and x-forwarded-for?

Cheers

Darius.Fariborz@cgi.com

Hi Darius,

Here's an example:

login timeout 0

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 any
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1


The above example is for configuring SNAT, and the example below is SNAT with x-forwarded-for.

If you don't want SNAT, then don't use the BOLD lines in the above configuration.

login timeout 0

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 any
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http X-Forwarded-For header-value "%is"   ---> Use this config statement when you have SNAT and you want to see the client IP.

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1

Hope this helps.

Let me know if you have any questions.

Regards,

Kanwal
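The two answers above leave the application with a decision to make: if the ACE is not source-NATing, the TCP peer address is the real client, but once `nat dynamic` is in play every connection arrives from the `nat-pool` range and the client address only survives in the X-Forwarded-For header the ACE inserts. An application that honours X-Forwarded-For from any peer can be fed a forged client address by anyone who can reach it directly, so the header should only be trusted when the connection really came from the load balancer's SNAT pool. The following Python is an added illustration, not Cisco's code or anything from the thread. It reads the relevant fragments of Kanwal's second configuration (copied inline as a constructed sample) to derive the set of SNAT source addresses, and shows the server-side lookup that trusts X-Forwarded-For only from those addresses. It assumes the standard X-Forwarded-For convention that the nearest proxy appends the rightmost value; the ACE's exact behaviour when a client already sends the header is not described on this page.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the SNAT + X-Forwarded-For fragments of the ACE
# configuration posted in the thread above.
ACE_CONFIG = """\
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http X-Forwarded-For header-value "%is"
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat
  no shutdown
"""

# The same configuration with the `nat dynamic` line removed, i.e. no SNAT.
NO_SNAT_CONFIG = ACE_CONFIG.replace("    nat dynamic 1 vlan 451\n", "")

NAT_POOL_RE = re.compile(
    r"^\s*nat-pool\s+(\d+)\s+(\S+)\s+(\S+)\s+netmask\s+\S+", re.MULTILINE)
NAT_DYNAMIC_RE = re.compile(
    r"^\s*nat dynamic\s+(\d+)\s+vlan\s+(\d+)", re.MULTILINE)
XFF_RE = re.compile(
    r'^\s*insert-http\s+X-Forwarded-For\s+header-value\s+"%is"',
    re.MULTILINE | re.IGNORECASE)


def snat_pools(config: str) -> Dict[int, List[ipaddress.IPv4Address]]:
    """Map each nat-pool id to every source address the ACE may translate to."""
    pools: Dict[int, List[ipaddress.IPv4Address]] = {}
    for pool_id, first, last in NAT_POOL_RE.findall(config):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        pools[int(pool_id)] = [
            ipaddress.IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]
    return pools


def snat_enabled(config: str) -> bool:
    """True when some VIP class applies `nat dynamic` (client IP is rewritten)."""
    return NAT_DYNAMIC_RE.search(config) is not None


def xff_inserted(config: str) -> bool:
    """True when the load-balance policy inserts the client IP into X-Forwarded-For."""
    return XFF_RE.search(config) is not None


def trusted_proxies(config: str) -> Set[str]:
    """Addresses from which X-Forwarded-For may be believed: only the pools
    actually referenced by a `nat dynamic` statement."""
    pools = snat_pools(config)
    trusted: Set[str] = set()
    for pool_id, _vlan in NAT_DYNAMIC_RE.findall(config):
        trusted.update(str(addr) for addr in pools.get(int(pool_id), []))
    return trusted


def client_ip(peer_addr: str, xff_header: Optional[str], trusted: Set[str]) -> str:
    """Server-side resolution of the real client address.

    Without SNAT the TCP peer is the client. With SNAT the peer is one of the
    ACE pool addresses and the client is the rightmost X-Forwarded-For value
    (assumption: the nearest trusted hop appends last). A header arriving from
    any other peer is ignored, because a direct client could have forged it.
    """
    if peer_addr not in trusted or not xff_header:
        return peer_addr
    candidate = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed value: fall back to the address we actually observed.
        return peer_addr


if __name__ == "__main__":
    trusted = trusted_proxies(ACE_CONFIG)
    print("SNAT enabled:", snat_enabled(ACE_CONFIG), "XFF inserted:", xff_inserted(ACE_CONFIG))
    print("trusted SNAT sources:", sorted(trusted, key=ipaddress.IPv4Address))
    print(client_ip("192.168.1.105", "203.0.113.7", trusted))
    print(client_ip("198.51.100.9", "203.0.113.7", trusted))
```

With the SNAT configuration the trusted set is exactly the eleven addresses 192.168.1.100 to 192.168.1.110 from the `nat-pool` line; a request from one of those with `X-Forwarded-For: 203.0.113.7` resolves to 203.0.113.7, while the same header from an address outside the pool is ignored and the peer address is returned. Against the no-SNAT variant the trusted set is empty, which matches Kanwal's first answer: nothing is rewritten, so the peer address is already the client.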
