12-28-2011 03:52 AM
Hi,
Any experience configuring ACE to NAT and forward SNA Enterprise Extender traffic?
Thanks in advance.
01-13-2012 08:36 AM
Fernando
I set this up in the lab and I can't get the EE peers to connect. EE uses UDP 12000-12005. The initial XID exchange uses UDP 12000. Connecting from the EE client to the vip, you can see that the ACE NATs the dest-ip towards the rserver; it also takes a source port from the ephemeral range. Client is 1.2.1.1, vip 1.9.1.209, rserver 1.3.1.5. Note that the EE server responds to port 12000 (not 28192).
cdn-ace-1/mwinnett# cap msw start
17:17:31.733579 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.2.1.1.12000 > 1.9.1.209.12000: [udp sum ok] udp 3 [tos 0xc0] (ttl 254, id 43876, len 31)
17:17:31.733751 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.2.1.1.28192 > 1.3.1.5.12000: [bad udp cksum c191!] udp 3 [tos 0xc0] (ttl 254, id 43876, len 31, bad cksum bcd!)
17:17:31.736979 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000: [udp sum ok] udp 3 [tos 0xc0] (ttl 254, id 1815, len 31)
17:17:31.737134 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000: [udp sum ok] udp 3 [tos 0xc0] (ttl 254, id 1815, len 31)
However, when I check back at the EE client, you can see that the source IP address is not NATed:
*Jan 13 17:25:30.407 METDST: IP: tableid=0, s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), routed via RIB
*Jan 13 17:25:30.411 METDST: IP: s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), len 31, rcvd 3
4420A410: 45C0001F 08160000 FC11B1ED 01030105 E@......|.1m....
4420A420: 01020101 2EE02EE0 000BDB07 0405BF .....`.`..[...?
The issue is that the EE server does not respect the incoming source port and uses 12000 instead. This means that the ACE will not NAT the response.
Can you give more details of what you are trying to achieve?
Matthew
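The state-table miss Matthew describes above (the EE server answering to port 12000 rather than the translated port 28192), as an added Python model that is not part of the original thread or of Cisco's ACE code; the NatTable class, parse_flow and the exact-tuple reply matching are assumptions modelling a stateful PAT lookup, fed with the flows from the capture quoted above.

```python
import re
from dataclasses import dataclass

# Matches the "src.sport > dst.dport:" part of an ACE 'cap' line (constructed parser)
FLOW_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


def parse_flow(line):
    """Pull the UDP 4-tuple out of one capture line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("no flow found in: " + line)
    return Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


class NatTable:
    """Stateful PAT table (assumed model): replies match only on the exact tuple expected back."""

    def __init__(self):
        self.reverse = {}

    def add(self, client_flow, translated_flow):
        # The reply the table expects is the translated flow reversed (rserver -> client:28192).
        # A matching reply is rewritten back to the original vip -> client tuple.
        self.reverse[translated_flow.reverse()] = client_flow.reverse()

    def handle_reply(self, reply):
        """Return (packet as forwarded, whether it was NATed back)."""
        if reply in self.reverse:
            return self.reverse[reply], True
        return reply, False   # no state hit: forwarded with the rserver's own IP and port


# Flow portions of the capture lines quoted in the post above
CLIENT_TO_VIP = "1.2.1.1.12000 > 1.9.1.209.12000:"
VIP_TO_RSERVER = "1.2.1.1.28192 > 1.3.1.5.12000:"
SERVER_REPLY = "1.3.1.5.12000 > 1.2.1.1.12000:"


def demo():
    table = NatTable()
    table.add(parse_flow(CLIENT_TO_VIP), parse_flow(VIP_TO_RSERVER))
    expected = parse_flow(VIP_TO_RSERVER).reverse()   # reply to port 28192: would be NATed back
    actual = parse_flow(SERVER_REPLY)                  # EE server replies to port 12000: state miss
    return table.handle_reply(expected), table.handle_reply(actual)
```

The second result of demo() is the untranslated packet, which is exactly what the EE client debug shows arriving with source 1.3.1.5.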
01-23-2012 03:45 AM
Hi Matthew,
Thanks for your answer. Could you send me the configuration you used on your lab?
Fernando
01-23-2012 04:32 AM
Fernando
Nothing really magic here. I use Cisco snasw routers as client and server, and the issues that I encountered relating to port usage are probably specific to how we implement EE. Bearing in mind that the basis of our Snasw implementation is the same as that used by the MS Sna server, it's likely that any other implementation will have the same issues.
If you want to share more details of what you are trying to achieve, maybe I can help further.
Matthew
access-list anyany line 10 extended permit ip any any
probe icmp ping-test
  interval 20
  faildetect 2
  passdetect interval 20
  passdetect count 2
rserver host dymock
  ip address 1.3.1.5
  inservice
rserver host kilcot
  ip address 1.3.1.1
  inservice
serverfarm host snas-serverfarm
  probe ping-test
  rserver dymock
    inservice
  rserver kilcot
    inservice
class-map type management match-any remote-mgmt
  10 match protocol ssh any
  20 match protocol telnet any
  30 match protocol icmp any
  40 match protocol http any
  50 match protocol https any
class-map match-all snasw-class
  10 match virtual-address 1.9.1.209 any
policy-map type management first-match remote-access
  class remote-mgmt
    permit
policy-map type loadbalance first-match round-robin-snasw
  class class-default
    serverfarm snas-serverfarm
policy-map multi-match lb-vip
  class snasw-class
    loadbalance vip inservice
    loadbalance policy round-robin-snasw
    loadbalance vip icmp-reply
interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  alias 1.8.1.200 255.255.255.0
  peer ip address 1.8.1.202 255.255.255.0
  access-group input anyany
  service-policy input remote-access
  no shutdown
interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  alias 1.9.1.200 255.255.255.0
  peer ip address 1.9.1.202 255.255.255.0
  access-group input anyany
  service-policy input remote-access
  service-policy input lb-vip
  no shutdown
ip route 1.2.1.0 255.255.255.0 1.9.1.211
ip route 1.3.1.0 255.255.255.0 1.8.1.211
01-23-2012 06:39 AM
Hi Matthew,
Below you can see our configuration. As you can see, we perform a NAT for the connections exiting vlans 61 and 150.
The SNA traffic is load balanced, but it's extremely slow, making it impossible to work with the application:
probe icmp ICMP_SARA
  interval 20
  faildetect 2
  passdetect interval 20
  passdetect count 2
rserver host ls60ca
  ip address 172.20.1.221
  inservice
serverfarm host CL4_udp_SARA
  probe ICMP_SARA
  rserver ls60ca
    inservice
class-map match-any sal_ls60ca
  2 match source-address 172.20.1.221 255.255.255.255
class-map match-any vip_CL4_udp_SARA
  4 match virtual-address 10.25.23.221 any
policy-map type loadbalance first-match LB_CL4_udp_SARA
  class class-default
    serverfarm CL4_udp_SARA
policy-map multi-match INT_150
  class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match INT_61
  class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match SNATS_150
  class sal_ls60ca
    nat dynamic 73 vlan 61
    nat dynamic 75 vlan 150
interface vlan 61
  service-policy input INT_61
  nat-pool 73 10.25.23.221 10.25.23.221 netmask 255.255.255.255
interface vlan 150
  service-policy input INT_150
  nat-pool 75 10.25.23.221 10.25.23.221 netmask 255.255.255.255
Any suggestions?
Thank you very much in advance.
Nando
01-30-2012 07:35 AM
Best to open a case and we can take a close look. If you can email me the case number (mwinnett@cisco.com), I'll pick it up.
01-30-2012 08:43 AM
Hi Matthew,
Nowadays, the contract that we have with our Cisco supplier does not include this kind of issue; it's just a hardware replacement contract. Anyway, I'm gonna try to convince them to open the case.
As soon as I have any feedback, I'll inform you.
Thanks!!