
Regarding NAT

lingaraj19
Level 1

Hi All,

We have deployed the ACE 4710 in single-arm mode and the servers' default gateway is the LB.

Now the problem is that if the client machine is in the same segment where the servers are hosted, then I am not able to access the application.

I believe that to resolve the issue we need to configure NAT, so can anyone explain to me which NAT I need to do here and how to configure it?

Thanks in advance...

Regards,

Lingaraj 

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Lingaraj,

Please go through the below configuration example. Let me know if you have any questions. This should meet your requirement.

     ==========================================================================
     One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
     ==========================================================================


login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 451

interface vlan 451
  description Servers vlan
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1


Regards,

Kanwal

Hi Kanwal,

Thanks for your reply...

Is it not required to mention the source IP range here? If yes, then how will ACE identify that it should NAT for the particular IP range?

Will ACE do the NAT if the source IP is in a different network, subnet or VLAN from where the rservers are hosted?

Kanwaljeet Singh
Cisco Employee

Hi,

Any traffic that hits the policy to which you have bound the NAT will get NATed. So traffic hitting the VIP for that policy will get NATed before it is forwarded to the rservers.

ACE will do NAT if the source IP is in a different network, subnet or VLAN. In some cases a customer may want to hide the source IP of the client, so in those cases you can use NAT. It doesn't matter if the client is in the same subnet or not.

In single-arm mode you have to apply NAT to ensure that traffic is sent by ACE to the rserver and, when the rserver has to send traffic back, it comes to ACE, since ACE will answer ARP for it. In single-arm mode, if you don't do NAT and you throw traffic at the VIP, ACE will forward it to the rserver, but then the rserver will reply directly to the client, which will break the connection.

I hope it helps.

Let me know if you have any questions.

Please mark question as answered if it helped.

Regards,

Kanwal
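
The return-path problem discussed in this thread, as an added example that is not part of any post above: a small Python model of one connection to the VIP, with and without the source NAT from `nat dynamic 1 vlan 451`. It uses the addresses from the posted configuration, assumes (as in the original question) that the servers' default gateway is the ACE, and the client addresses are constructed.

```python
import ipaddress

# Addresses taken from the configuration posted in the thread.
SERVER_NET = ipaddress.ip_network("192.168.1.0/24")
VIP = ipaddress.ip_address("192.168.1.30")
NAT_POOL = ipaddress.ip_address("192.168.1.10")   # nat-pool 1
RSERVER = ipaddress.ip_address("192.168.1.11")    # SERVER_01


def trace_flow(client_ip, source_nat):
    """Model one TCP connection to the VIP and return (ok, reason).

    Assumption (from the original question): the rserver's default
    gateway is the ACE, so only off-subnet replies are routed through it.
    """
    client = ipaddress.ip_address(client_ip)

    # 1. Client -> VIP. The ACE rewrites the destination to the rserver
    #    and, with source NAT enabled, the source to the NAT pool address.
    src_seen_by_server = NAT_POOL if source_nat else client

    # 2. The rserver replies to whatever source address it saw.
    reply_dst = src_seen_by_server
    if reply_dst == NAT_POOL:
        via_ace = True            # the ACE answers ARP for its NAT pool
    elif reply_dst in SERVER_NET:
        via_ace = False           # on-link: ARP for the client, send direct
    else:
        via_ace = True            # off-link: sent to the default gateway (ACE)

    # 3. Only the ACE can rewrite the reply source back to the VIP.
    reply_src = VIP if via_ace else RSERVER

    # 4. The client opened its connection to the VIP, so a reply from any
    #    other source address does not match it and the handshake fails.
    if reply_src == VIP:
        return True, "reply returned through ACE, source restored to VIP"
    return False, f"reply came directly from {reply_src}, not from {VIP}"


if __name__ == "__main__":
    # Constructed client addresses: one on the server subnet, one off it.
    for client in ("192.168.1.50", "10.20.30.40"):
        for nat in (False, True):
            ok, why = trace_flow(client, nat)
            print(f"client={client:<13} nat={nat!s:<5} ok={ok}  {why}")
```

Only the same-subnet client without NAT fails, which matches the symptom in the original question.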
