09-14-2010 01:06 AM
Hi All,
I've been trying to do SNAT on ACE but for some weird reason it's not happening. We have 6 ACE 4710 appliances; except on 1, SNAT is working fine with a similar config on the other ACE appliances.
Please help as the customer needs this application ASAP. Here is the config.
rserver host SPB-37
  ip address 172.18.128.37
  inservice
rserver host SPB-38
  ip address 172.18.128.38
  inservice
serverfarm host SPB-SRVFARM
  predictor leastconns
  probe TCP-7001
  rserver SPB-37 7001
    inservice
  rserver SPB-38 7001
    inservice
serverfarm host SPB-SRVFARM-30389
  probe ICMP-ICMP-Probe
  probe TCP-30389
  rserver SPB-37 30389
    inservice
  rserver SPB-38 30389
    inservice
class-map match-any SPB-30389-VIP
  2 match virtual-address 172.18.133.25 tcp eq 30389
class-map match-any SPB-VIP
  2 match virtual-address 172.18.133.25 tcp eq 7001
policy-map type loadbalance first-match SPB-30389-l7slb
  class class-default
    serverfarm SPB-SRVFARM-30389
policy-map type loadbalance first-match SPB-l7slb
  class class-default
    serverfarm SPB-SRVFARM
policy-map multi-match All_Policy_Maps
  class SPB-VIP
    loadbalance vip inservice
    loadbalance policy SPB-l7slb
    loadbalance vip icmp-reply
    nat dynamic 28 vlan 128
  class SPB-30389-VIP
    loadbalance vip inservice
    loadbalance policy SPB-30389-l7slb
    loadbalance vip icmp-reply
    nat dynamic 28 vlan 128
interface vlan 98
  description *** Server Vlan ***
  ip address 10.105.98.180 255.255.255.0
  alias 10.105.98.181 255.255.255.0
  peer ip address 10.105.98.182 255.255.255.0
  access-group input ALL
  nat-pool 98 172.18.133.128 172.18.133.128 netmask 255.255.255.255 pat // This works fine.
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 128
  description *** Server Vlan ***
  ip address 172.18.128.8 255.255.255.0
  alias 172.18.128.7 255.255.255.0
  peer ip address 172.18.128.9 255.255.255.0
  access-group input ALL
  nat-pool 28 172.18.135.165 172.18.135.165 netmask 255.255.255.255 pat // This doesn't work.
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 133
  description *** Client vlan ***
  ip address 172.18.133.5 255.255.255.128
  peer ip address 172.18.133.6 255.255.255.128
  access-group input ALL
  service-policy input Service-Policy-IDAM-7777
  service-policy input SDP-SE
  service-policy input Service-Policy-SDP-NT-8001
  service-policy input Service-Policy-SDP-Deliver-7002
  service-policy input Service-Policy-SDP-Deliver-7007
  service-policy input Service-Policy-SDP-Deliver-7006
  service-policy input Service-Policy-SDP-RE
  service-policy input Service-Policy-SDP-SE-7002
  service-policy input Service-Policy-SDP-SE-7101
  service-policy input Service-Policy-SDP-RE-7101
  service-policy input All_Policy_Maps
  no shutdown
09-14-2010 01:41 AM
The problem is this:
policy-map multi-match Service-Policy-SDP-NT-8001
  class SNAT-Outside
    nat dynamic 98 vlan 98
This policy shows up before the one you identified:
interface vlan 133
  description *** Client vlan ***
  ip address 172.18.133.5 255.255.255.128
  peer ip address 172.18.133.6 255.255.255.128
  access-group input ALL
  service-policy input Service-Policy-IDAM-7777
  service-policy input SDP-SE
  service-policy input Service-Policy-SDP-NT-8001
  service-policy input Service-Policy-SDP-Deliver-7002
  service-policy input Service-Policy-SDP-Deliver-7007
  service-policy input Service-Policy-SDP-Deliver-7006
  service-policy input Service-Policy-SDP-RE
  service-policy input Service-Policy-SDP-SE-7002
  service-policy input Service-Policy-SDP-SE-7101
  service-policy input Service-Policy-SDP-RE-7101
  service-policy input All_Policy_Maps
The class SNAT-Outside is a match 0.0.0.0/0, so it will match all your traffic.
Therefore, the nat action will be: nat dynamic 98 vlan 98.
Since traffic goes out vlan 128, there is no rule to nat the traffic.
Multiple solutions:
1/ Remove Service-Policy-SDP-NT-8001 and add it after All_Policy_Maps.
2/ Add "nat dynamic 28 vlan 128" under Service-Policy-SDP-NT-8001:
policy-map multi-match Service-Policy-SDP-NT-8001
  class SNAT-Outside
    nat dynamic 98 vlan 98
    nat dynamic 28 vlan 128
Gilles.
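The evaluation order described in the reply above, as an added Python model (not part of the original thread and not Cisco code). It assumes the first matching class that carries a NAT action decides, and that SNAT is applied only when one of that class's `nat dynamic` lines names the egress VLAN; the other service-policies on vlan 133 are left out because their contents are not shown in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class PolicyClass:
    name: str
    vip: Optional[Tuple[str, int]]  # None models "match 0.0.0.0/0" (any traffic)
    nat: dict = field(default_factory=dict)  # egress VLAN -> nat-pool id

    def matches(self, dst_ip, dst_port):
        return self.vip is None or self.vip == (dst_ip, dst_port)

def nat_decision(service_policies, dst_ip, dst_port, egress_vlan):
    """Walk service-policies in interface order; the first matching class that
    carries a NAT action decides. Its pool is used only if one of its
    'nat dynamic' lines names the egress VLAN; otherwise the pool is None."""
    for policy_name, classes in service_policies:
        for cls in classes:
            if cls.nat and cls.matches(dst_ip, dst_port):
                return policy_name, cls.name, cls.nat.get(egress_vlan)
    return None, None, None

VIP = "172.18.133.25"
ALL_POLICY_MAPS = ("All_Policy_Maps", [
    PolicyClass("SPB-VIP", (VIP, 7001), {128: 28}),
    PolicyClass("SPB-30389-VIP", (VIP, 30389), {128: 28}),
])
NT_8001 = ("Service-Policy-SDP-NT-8001",
           [PolicyClass("SNAT-Outside", None, {98: 98})])
NT_8001_BOTH = ("Service-Policy-SDP-NT-8001",
                [PolicyClass("SNAT-Outside", None, {98: 98, 128: 28})])

ORIGINAL = [NT_8001, ALL_POLICY_MAPS]  # order as applied on interface vlan 133
FIX_1 = [ALL_POLICY_MAPS, NT_8001]     # solution 1: move NT-8001 after All_Policy_Maps
FIX_2 = [NT_8001_BOTH, ALL_POLICY_MAPS]  # solution 2: add the vlan 128 NAT line

if __name__ == "__main__":
    # Client connection to the VIP on port 7001, leaving towards the servers on vlan 128.
    for label, cfg in (("original", ORIGINAL), ("fix 1", FIX_1), ("fix 2", FIX_2)):
        print(label, nat_decision(cfg, VIP, 7001, 128))
```

A pool of `None` in the original ordering is the symptom reported in the question: the catch-all class wins, and it has no NAT rule for vlan 128.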
09-14-2010 02:16 AM
Hi Gilles,
Thanks for the solution. I was expecting a reply from you only.
Have a wonderful day.
Cheers!