NAT Pool question

tbone-111 (Level 1)

I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.

As I understand it, when the client sends the request to ACE, it changes the destination IP to an rServer and the source IP to the sNAT address.  When the rServer responds, it sends traffic back through the ACE via the sNAT.  How exactly does this work?  I can't ping the sNAT address I configured, so how is the sNAT associated with the ACE in any way?  How does traffic make its way back to the ACE when the sNAT doesn't seem to be advertised externally in any way?  And one more quick question: should the sNAT be on the rServer subnet or the ACE subnet?  Just trying to understand so we can make good design decisions.


3 Replies

jsirstin (Level 1)

Tbone,

When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the Nat-pool would be in the same subnet as the ACE interface and rservers.

If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used, the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server, it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a Nat-pool that is local to the server, it will not use its gateway but will reply directly back to the ACE since it owns this IP.

If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.

Let me know if this helps with your understanding or if you have more questions.

Best regards

Jim

Jim, thanks for the reply.

So if I understand correctly, when the packet arrives at the ACE appliance, its source IP is changed to the SNAT and the destination is changed to the rServer.  As the packet leaves ACE, whatever switches are between it and the rServer will have their ARP entries updated with the SNAT coming from the ACE appliance. Does that sound correct?

Tbone,

You got it. If the server is local it will just arp to see what MAC owns the SNAT address and reply directly. If the server is not local routing will bring the reply back to the ACE. This is why it is important to use a local nat-pool address for the egress interface towards the rserver so the reply will come back to the same interface it left on.

Jim
