One of the features of our application is that our Application Server initiates text messages to our devices, sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (22.214.171.124) with UDP port 1120 and reply back to the same public IP (126.96.36.199) with UDP port 1120. The problem is that we can make that happen if we have only one server in our ACE serverfarm, when we SNAT the real servers with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switching Module (CSM) running in a 6509 chassis. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with the ACE 4710.
Traffic flow as follows (from the servers to the device when we send a message):

                                ACE 4710           FWSM (firewall static NAT)           Device
  Rserver 1 - 10.1.104.80 -->  VIP 10.1.246.32 --> 10.1.246.32 <-> 184.108.40.206  -->  220.127.116.11
  Rserver 2 - 10.1.104.81 -->                                                           (configured with 188.8.131.52:1120 udp to send/receive msgs)
  rserver host server1
    ip address 10.1.104.80
  rserver host server2
    ip address 10.1.104.81

  serverfarm host SFARM
    rserver server1
    rserver server2

  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any

  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600

  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM

  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120

  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM

  policy-map multi-match POL-LB
    class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
    class SERVERNAT
      nat dynamic 1 vlan 244

  interface vlan 244
    ip address 10.1.246.2 255.255.255.0
    service-policy input POL-LB
    nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255

  interface vlan 2506
    ip address 10.1.104.2 255.255.255.0
    service-policy input POL-LB
If you are not using PAT then you would need one more IP in the pool. If both servers need to communicate simultaneously we should have two IPs, or we need to use PAT. This is how it is supposed to work.
Thank you for your reply. If I use the NAT with 2 IP addresses, I have the challenge of NATing it to the same public IP and same source port while it leaves the firewall.
In the CSM, when the traffic leaves, it maintains the same source port and VIP address when the traffic egresses. Is there any way I can replicate this in the ACE 4710?
Do you know how the transparent command works with the serverfarm?
The transparent command means that the ACE will not do the destination NAT that it does by default when forwarding the packet to the real server. It will not help in your scenario. For one server it should work in the ACE 4710 as well, but as you said, when both servers try to communicate it will be a problem.
If you look at it logically, if both servers use the same IP and same source port to go out, when the traffic comes back, how will the ACE differentiate which packet should go to which real server? That can be differentiated if you have PAT, because the returning traffic will have different destination ports.
You are right. I understand that. I don't know what logic is being used by the CSM to behave like this, and why the ACE does not. We are in the process of migrating everything from CSM to ACE 4710 due to EOL but are kinda stuck in the middle.
If you know of any alternate solution, please let me know. Thanks again for your help.
Thought about it but out of ideas :). Maybe someone else can throw some light on it, but it is strange that it is working in the CSM.
I see that in the CSS they are able to NAT the source IP address with the VIP with port mapping disabled. How do I implement "portmap disable" in the ACE 4710?
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,
This is the configuration I see in the CSS; I will add the configuration from the CSM as well later:

  vip address 10.1.246.32
  clause 10 permit udp 10.1.104.80 eq 1120 destination 18.104.22.168 255.0.0.0 sourcegroup VIP-NAT
  clause 20 permit udp 10.1.104.81 eq 1120 destination 22.214.171.124 255.0.0.0 sourcegroup VIP-NAT
I don't see any option in the ACE to disable port mapping. By default it doesn't do port mapping unless you define PAT. What is baffling here is that the destination is the same, so when traffic comes back, how does the CSS or CSM decide which server the packet should be given to, unless that doesn't matter?
I would suggest opening a TAC case as well. If it works for the CSM it should for the ACE module/appliance. Since it doesn't, it would be helpful to know why this functionality was removed or not provided. Maybe they can add a new feature in future releases, but with the ACE phasing out I doubt it will happen.
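The point made in the reply about the transparent command (why the ACE cannot demultiplex return traffic for two real servers that share one VIP and one source port without PAT) and the CSS "portmap disable" behaviour quoted later both come down to how a source-NAT connection table is keyed. The following is an added illustration written for this page, not code from the thread or from Cisco's ACE, CSM or CSS. It models a source NAT with a 5-tuple connection table using the addresses from the thread; the device's listening port (1120), the PAT port range and the table logic are simplifying assumptions of the example:

```python
"""Model of a load balancer's source-NAT connection table (added example,
not Cisco code).  Two real servers both source UDP/1120 towards the same
device.  Without PAT the translated 5-tuples collide, so a reply cannot be
mapped back to one real server; with PAT the translated source ports
differ and the reverse lookup is unambiguous, at the cost of changing the
source port (the behaviour the original poster wants to avoid).
"""
import itertools
from dataclasses import dataclass

VIP = "10.1.246.32"            # nat-pool / VIP address from the thread
DEVICE = "22.214.171.124"      # device public IP from the thread
DEVICE_PORT = 1120             # assumption: device listens on UDP/1120


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow will carry."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class SourceNat:
    """Static-IP source NAT; with pat=True it also rewrites the source port."""

    def __init__(self, nat_ip: str, pat: bool, pat_range=(1024, 65535)):
        self.nat_ip = nat_ip
        self.pat = pat
        self._ports = itertools.count(pat_range[0])   # assumption: sequential PAT ports
        self.outbound = {}   # inside flow -> translated flow
        self.inbound = {}    # expected reply 5-tuple -> inside flow

    def translate_outbound(self, flow: Flow) -> Flow:
        if flow in self.outbound:              # existing connection entry
            return self.outbound[flow]
        src_port = next(self._ports) if self.pat else flow.src_port
        xlated = Flow(flow.proto, self.nat_ip, src_port, flow.dst_ip, flow.dst_port)
        reply_key = xlated.reverse()
        if reply_key in self.inbound and self.inbound[reply_key] != flow:
            # Two different inside hosts would produce the same reply 5-tuple:
            # the NAT could not tell their replies apart, so refuse the entry.
            raise ValueError(f"translation collision on {reply_key}")
        self.outbound[flow] = xlated
        self.inbound[reply_key] = flow
        return xlated

    def translate_inbound(self, reply: Flow) -> Flow:
        """Map a reply arriving at the NAT IP back to the real server."""
        inside = self.inbound[reply]           # KeyError if no entry exists
        return Flow(reply.proto, reply.src_ip, reply.src_port, inside.src_ip, inside.src_port)


SERVER1 = Flow("udp", "10.1.104.80", 1120, DEVICE, DEVICE_PORT)
SERVER2 = Flow("udp", "10.1.104.81", 1120, DEVICE, DEVICE_PORT)


def run_scenario(pat: bool) -> dict:
    """Both servers send to the device, then the device replies to each."""
    nat = SourceNat(VIP, pat=pat)
    result = {"pat": pat}
    x1 = nat.translate_outbound(SERVER1)
    result["server1_src_port"] = x1.src_port   # 1120 preserved only without PAT
    try:
        x2 = nat.translate_outbound(SERVER2)
    except ValueError:
        result["collision"] = True
        return result
    result["collision"] = False
    result["server2_src_port"] = x2.src_port
    # The device answers each translated flow; the NAT maps replies back.
    result["reply1_to"] = nat.translate_inbound(x1.reverse()).dst_ip
    result["reply2_to"] = nat.translate_inbound(x2.reverse()).dst_ip
    return result


if __name__ == "__main__":
    print(run_scenario(pat=False))   # second server collides, port 1120 kept
    print(run_scenario(pat=True))    # no collision, but source ports rewritten
```

The collision only arises because both real servers target the same device IP and port at the same time; flows to different devices remain distinguishable by destination in the 5-tuple even with the source port preserved, which is why the one-server (or one-IP-per-server) setups in the thread work. A device that must see a fixed source port on every message therefore forces either one NAT IP per real server or the device tolerating rewritten ports.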