cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
687
Views
0
Helpful
2
Replies

Per-ServerFarm SNAT on ACE Module.

Dear all,

I hace an ACE Module configured in Multiple Routed Contexts.

My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.

Also, the cust wants that different serverfarms comunicate each other within the same VLAN.

I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.

Is this correct?

The software version is A2(3,5).

Thanks a lot!

David

2 Replies 2

Borys Berlog
Cisco Employee
Cisco Employee

Hi David

Could you please calrify and maybe separate tasks you have ?

As I understand you have such tasks for now :

1) Don't show rserver IPs anywere outside ACE

2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP

First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)

Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?

2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.

E.g.

policy-map multi-match VIP_IN

class MY-CLASS

loadb vip ins

loadb policy MY-L7Policy

nat 1 dynamic vlan X << - inside interface

and then on inside interface

inter vlan X

nat-pool 1Y.Y.Y.Y netmask 255.255.255.255 pat

In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you confiure like I wrote above this will happen :

Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8 , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say 10.0.0.100) , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to 10.0.0.100 , thus to ACE.

Hy Borys.

I'm going to try to explain you better.

CASE 1

--------------

As you say, I need that rserver IP address stay hidden outside ACE. The clients talks always with the VIP and they don't know anything about real IP addresses but there are situations when the rserver open a session outside ACE. In this case, the cust wants that every rserver appear whith outside ACE with the VIP that represents it. In other words, I need to user SNAT with the VIP address. This NAT will be different for each serverfarm.

CASE 2

------------

The cust wants to concentrate all rservers in one VLAN. Obviosly, in this VLAN will be different serverfarms and they need to communicate each other. Another time, I need SNAT to force the traffic pass through the ACE, but this NAT must be different for each serverfarm, because the cust want to use the VIP of every serverfarm to do the NAT.

I hope this will be more clear

Thank you!!!

Review Cisco Networking for a $25 gift card