02-06-2014 11:10 AM
One of the features of our application is that our Application Server initiates text messages to our devices sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back with the same public IP (2.2.2.2) with UDP port 1120. The problem is we can make that happen if we have only one server in our ACE serverfarm when we SNAT the real servers with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switch module running on chassis 6509. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with ACE 4710.
Traffic flow as follows
===============
Rserver 1 - 10.1.104.80, Rserver 2 - 10.1.104.81
  --> ACE 4710, VIP 10.1.246.32
  --> FWSM (Firewall static NAT), 10.1.246.32 <-> 2.2.2.2
  --> Device 1.1.1.1 (configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
(traffic flow from server to the device when we send msg)
Configs:
======
rserver host server1
  ip address 10.1.104.80
  inservice
rserver host server2
  ip address 10.1.104.81
  inservice
serverfarm host SFARM
  failaction purge
  probe ICMP
  rserver server1
    inservice
  rserver server2
    inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
  set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
  serverfarm SFARM
  timeout 180
  replicate sticky
class-map match-all CLS-SFARM
  2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
  2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
  class class-default
    sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
  class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
  class SERVERNAT
    nat dynamic 1 vlan 244
int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
  mac-sticky enable
  no icmp-guard
  no shut
interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
  mac-sticky enable
  no icmp-guard
  no shut
02-06-2014 12:35 PM
Hi Ethen,
If you are not using PAT then you would need one more IP in the pool. If both servers need to communicate simultaneously we should have two IPs or we need to use PAT. This is how it is supposed to work.
Regards,
Kanwal
02-06-2014 01:15 PM
Hi Kanwal,
Thank you for your reply. If I use the NAT with 2 IP addresses, I have the challenge of NATing it with the same public IP and same source port when it leaves the firewall.
In CSM, when the traffic leaves, it maintains the same source port and VIP address when the traffic egresses. Is there any way I can replicate this in ACE 4710?
Do you know how the transparent command works with the serverfarm?
Thanks,
Ethen
02-06-2014 01:21 PM
Hi Ethen,
Transparent command will mean that ACE will not do the destination NAT that it does by default when forwarding the packet to real server. It will not help in your scenario. For one server it should work in ACE 4710 as well but as you said when both servers will try to communicate it will be a problem.
Regards,
Kanwal
02-06-2014 01:23 PM
Hi Ethen,
If you look at it logically, if both the servers use the same IP and same src port to go out, when the traffic comes back, how will ACE differentiate which packet shall go to which real server? That can be differentiated if you have PAT because it will have different destination ports when the traffic comes back.
Regards,
Kanwal
02-06-2014 01:27 PM
Hi Kanwal,
You are right. I understand that. I don't know what logic is being used by CSM to behave like this and why not. We are in the process of migrating everything from CSM to ACE 4710 due to EOL but kinda stuck in the middle.
If you know of any alternate solution, please let me know... Thanks again for your help.
Regards,
Ethen
02-06-2014 02:30 PM
Hi Ethen,
Thought about it but out of ideas :). Maybe someone else can throw some light on it, but it is strange that it is working in CSM.
Regards,
Kanwal
02-06-2014 03:05 PM
I see in CSS, they are able to NAT the source IP address with the VIP and port-mapping disabled. How do I implement portmap disable in ACE 4710?
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,
02-06-2014 05:40 PM
Hi Ethen,
Can you paste the configuration done in CSM which you say is working?
Regards,
Kanwal
02-07-2014 08:49 AM
Hi Kanwal,
This is the configuration I see in CSS, I will add the configurations from CSM as well later....
group VIP-NAT
  vip address 10.1.246.32
  portmap disable
  active
acl 15
  clause 10 permit udp 10.1.104.80 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT
  clause 20 permit udp 10.1.104.81 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT
  apply circuit-(VLANX)
Regards,
Ethen
02-07-2014 09:02 AM
Hi Ethen,
I don't see any option in ACE to disable port mapping. By default it doesn't do port mapping unless you define PAT. What is baffling here is that destination is same and when traffic comes back how does CSS or CSM decide to which server packet should be given unless that doesn't matter.
I would suggest opening a TAC case as well. If it works for CSM it should for ACE module/appliance. Since it isn't, it would be helpful to know why this functionality was removed or not given. Maybe they can add a new feature in future releases, but with ACE phasing out I doubt it will happen.
Regards,
Kanwal
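Added example (not part of the thread, and not ACE, CSM or CSS code): a simplified model of a stateful source-NAT table that shows the return-path ambiguity discussed above when two real servers keep source port 1120 behind one VIP, and how PAT removes it. The device UDP port and the second device address 1.1.1.2 are constructed assumptions.

```python
# Simplified model of a stateful source-NAT table (illustrative only).
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, udp_port)
VIP = "10.1.246.32"          # NAT pool address from the thread


class SourceNat:
    def __init__(self, pat: bool, first_pat_port: int = 1024):
        self.pat = pat
        self.next_port = first_pat_port  # constructed PAT starting port
        # Reply key (translated source, remote endpoint) -> inside server
        self.flows: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """Return the translated source, or None if the flow cannot be created."""
        for (xlate, rem), owner in self.flows.items():
            if owner == inside and rem == remote:
                return xlate                 # existing flow keeps its mapping
        if self.pat:
            xlate = (VIP, self.next_port)    # PAT: fresh source port per flow
            self.next_port += 1
        else:
            xlate = (VIP, inside[1])         # NAT only: source port preserved
        if (xlate, remote) in self.flows:
            return None                      # reply key already owned by another server
        self.flows[(xlate, remote)] = inside
        return xlate

    def inbound(self, remote: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply sent to the translated source back to a real server."""
        return self.flows.get((dst, remote))


def demo() -> dict:
    s1, s2 = ("10.1.104.80", 1120), ("10.1.104.81", 1120)
    dev_a = ("1.1.1.1", 1120)   # device IP from the thread; port is assumed
    dev_b = ("1.1.1.2", 1120)   # constructed second device
    nat, pat = SourceNat(pat=False), SourceNat(pat=True)
    return {
        "nat_s1_dev_a": nat.outbound(s1, dev_a),
        "nat_s2_dev_a": nat.outbound(s2, dev_a),  # same reply key as s1: refused
        "nat_s2_dev_b": nat.outbound(s2, dev_b),  # different remote: unique key
        "nat_reply_dev_b": nat.inbound(dev_b, (VIP, 1120)),
        "pat_s1_dev_a": pat.outbound(s1, dev_a),
        "pat_s2_dev_a": pat.outbound(s2, dev_a),
        "pat_reply_1025": pat.inbound(dev_a, (VIP, 1025)),
    }
```

In this model the port-preserving table is only ambiguous when both servers address the same device at the same time; whether CSM or CSS track flows this way is not stated in the thread.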