02-21-2012 09:36 AM
I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.
As I understand it, when the client sends the request to ACE, it changes the destination IP to a rServer and source IP to the sNAT address. When the rServer responds, it sends traffic back through the ACE via the sNAT. How exactly does this work? I can't ping the sNAT address I configured, so how is the sNAT associated with the ACE in any way? How does traffic make its way back to the ACE when the sNAT doesn't seem to be advertised externally in any way? And one more quick question, should the sNAT be on the rServer subnet or the ACE subnet? Just trying to understand so we can make good design decisions.
02-21-2012 11:06 AM
Tbone,
When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the nat-pool would be in the same subnet as the ACE interface and rservers.
If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used, the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server, it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN/ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a nat-pool that is local to the server, it will not use its gateway but will reply directly back to the ACE since it owns this IP.
If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
Let me know if this helps with your understanding or if you have more questions.
Best regards
Jim
02-21-2012 11:45 AM
Jim, thanks for the reply.
So if I understand correctly, when the packet arrives at the ACE appliance, its source IP is changed to the SNAT and the destination is changed to the rServer. As the packet leaves ACE, whatever switches are between it and the rServer will have their ARP entries updated with the SNAT coming from the ACE appliance. Does that sound correct?
02-21-2012 12:07 PM
Tbone,
You got it. If the server is local it will just ARP to see what MAC owns the SNAT address and reply directly. If the server is not local, routing will bring the reply back to the ACE. This is why it is important to use a local nat-pool address for the egress interface towards the rserver, so the reply will come back to the same interface it left on.
Jim