atis
Beginner

Server side NAT on ACE4710

Hello,

  I have a little config issue...

  I have an ACE4710 load balancer. The load balancer has a public IP address on its uplink interface and a private address on its downlink interface.

  There is a server connected to the downlink interface, and this server wants to set up a connection to the Internet, so the ACE should perform a NAT.

  Somewhere I made a mistake or misunderstood something:

So first of all I created an access-list matching the server IP address space:

access-list NAT_ACCESS line 10 extended permit ip <server ip address> any

Then I created a class-map matching this ACL:

class-map match-any NAT_CLASS
  match access-list NAT_ACCESS

Then I created a policy-map specifying the VLAN on which the NAT will occur:

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 100

After this I defined the NAT pool on interface vlan 100:

interface vlan 100
  <uplink interface, connected to Internet>
  ip address <public address>/<mask>
  nat-pool 1 <public address_1> netmask <mask> pat
  no shutdown

Finally I assigned the policy-map to the downlink interface:

interface vlan 150
  <downlink interface, connected to servers>
  ip address <private address>
  service-policy input NAT_POLICY
  no shut

This config didn't do any NAT, so where did I make the mistake?
BR, Attila


2 REPLIES
chrhiggi
Participant

Hello Attila-

  You actually want static nat. It is a 1:1 nat in and out.  Remove everything and try this:

class-map match-any NAT_CLASS
  2 match source-address 255.255.255.255

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat static  netmask 255.255.255.255 vlan 100

interface vlan 150
  ip address
  service-policy input NAT_POLICY
  no shut


Regards,

Chris Higgins

Later there will be more servers...

So I missed an interface acl on downlink interface:

access-list everyone extended permit ip any any
access-list everyone extended permit icmp any any

interface Vlan150
  access-group input everyone

And it is working as expected.

BR, Attila
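
A small pre-deployment check for the failure found in this thread, added here as an example (not code from either poster or from Cisco): it flags a VLAN interface that has a `service-policy input` but no `access-group input`, since the ACE drops traffic on an interface with no permitting ACL, and it notes when the applied ACL is `permit ip any any`. The `lint` helper and the addresses in the sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's dynamic-NAT config, with documentation
# addresses filled in for the placeholders (assumed, not from the thread).
BEFORE = """\
access-list NAT_ACCESS line 10 extended permit ip 10.0.150.0 255.255.255.0 any
class-map match-any NAT_CLASS
  match access-list NAT_ACCESS
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 100
interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  nat-pool 1 192.0.2.10 netmask 255.255.255.0 pat
interface vlan 150
  ip address 10.0.150.1 255.255.255.0
  service-policy input NAT_POLICY
"""
# Same config plus the lines the original poster added in the last reply.
AFTER = BEFORE + """\
access-list everyone extended permit ip any any
interface Vlan150
  access-group input everyone
"""

def lint(config):
    """Return warnings for an ACE config given as text (hypothetical helper)."""
    ifaces, acls, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            current = None  # any top-level line ends the interface block
        m = re.match(r"interface vlan\s*(\d+)$", line, re.I)
        if m:  # repeated blocks for one VLAN are merged
            current = ifaces.setdefault(m.group(1), {"policy": [], "acl": []})
        elif (m := re.match(r"access-list (\S+) (?:line \d+ )?extended (.+)$", line)):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif current is not None:
            if (m := re.match(r"service-policy input (\S+)$", line)):
                current["policy"].append(m.group(1))
            elif (m := re.match(r"access-group input (\S+)$", line)):
                current["acl"].append(m.group(1))
    warnings = []
    for vlan, i in sorted(ifaces.items()):
        if i["policy"] and not i["acl"]:
            warnings.append(f"vlan {vlan}: service-policy {i['policy'][0]} but no access-group input")
        for name in i["acl"]:
            if "permit ip any any" in acls.get(name, []):
                warnings.append(f"vlan {vlan}: access-list {name} permits ip any any")
    return warnings
```

Running `lint(BEFORE)` reports the missing ACL on vlan 150; `lint(AFTER)` clears that warning and instead reports that the applied ACL permits all IP traffic, which is worth narrowing to the server address space once more servers are added.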
