03-10-2015 09:43 AM
I need to SNAT my servers to the VIP address of the ACE (the address where users request the load-balanced service). Does anyone know the best way to implement this? Has anyone done it this way? I ask because this configuration was in operation on a CSM module.
03-10-2015 07:21 PM
Hi,
If you could put this in english, i would be glad to assist you.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-11-2015 07:47 AM
Hi Fnu,
no problem. Here it is in English.
I need to make a SNAT from my servers to the VIP address of the ACE (address where the users request balanced service). Does anyone know what is the best way to implement this? Has anyone done this? I ask because this configuration was operating in a CSM module.
I need to hide the real addresses of the servers because they also initiate connections towards the internet.
The ACE module is in routed mode.
Topology attached.
03-11-2015 04:03 PM
Hi,
The example below is a little different but the idea is the same. It shows how to NAT the real servers to the VIP.
- Clients coming in on VLAN 251 connect to the VIP and are load balanced without source NAT.
- Servers connecting to the VIP on VLAN 451 are load balanced AND source NAT'd because they match both class-maps.

login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan 451
interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.51.1
Let me know if you have any further questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-13-2015 07:15 AM
Good Morning Fnu ,
One more question. Is it possible to create NAT groups for each ServerFarm group?
I tried to put one more group of NATs on the same interface and ACE did not allow it.
03-16-2015 11:19 PM
You can put it under the serverfarm. Like this:
policy-map type loadbalance http first-match L7_POLICY
  class L7_CLASS
    serverfarm SFARM1
    nat dynamic 1 vlan 2xx serverfarm primary
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    loadbalance policy L7_POLICY
    loadbalance vip inservice
interface vlan 1xx
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown
interface vlan 2xx
  mtu 1500
  ip address a.b.c.2 255.255.255.0
  nat-pool 1 a.b.c.15 a.b.c.24 netmask 255.255.255.0
  no shutdown
Thx
Venky
03-18-2015 01:26 PM
Fnu,
I tried this configuration and it does not work. Do you have any idea what is wrong?
access-list EVERYONE line 10 extended permit icmp any any
access-list EVERYONE line 20 extended permit ip any any
access-list EVERYONE line 28 extended permit udp any any
access-list EVERYONE line 36 extended permit tcp any any
access-list EVERYONE line 44 extended permit esp any any
access-list EVERYONE line 52 extended permit gre any any
access-list EVERYONE line 60 extended permit ip-in-ip any any
access-list EVERYONE line 68 extended permit ah any any
probe icmp TESTE_PING
  interval 5
  passdetect interval 5
rserver host 10-10-197-114
  ip address 10.10.197.114
  inservice
serverfarm host SIGA
  predictor leastconns
  probe TESTE_PING
serverfarm host TESTE_NAT
  probe TESTE_PING
  rserver 10-10-197-114
    inservice
class-map match-all VIP-TESTE-NAT
  2 match virtual-address 10.10.196.14 any
policy-map type loadbalance first-match TESTE-NAT
  class class-default
    serverfarm TESTE_NAT
    nat dynamic 1 vlan 16 serverfarm primary
policy-map multi-match VIP_NAT
  class VIP-TESTE-NAT
    loadbalance vip inservice
    loadbalance policy TESTE-NAT
    loadbalance vip icmp-reply
interface vlan 16
  description SERVERs
  ip address 10.10.196.66 255.255.255.224
  alias 10.10.196.65 255.255.255.224
  peer ip address 10.10.196.67 255.255.255.224
  access-group input EVERYONE
  nat-pool 1 10.10.196.10 10.10.196.16 netmask 255.255.255.224
  service-policy input VIP_NAT
  no shutdown
interface vlan 17
  description CLIENTS
  ip address 10.10.196.4 255.255.255.224
  alias 10.10.196.3 255.255.255.224
  peer ip address 10.10.196.5 255.255.255.224
  access-group input EVERYONE
  nat-pool 1 10.10.196.10 10.10.196.16 netmask 255.255.255.224
  service-policy input TO-CP-POLICY
  service-policy input VIP_Servicos_NFe
  service-policy input VIP_NAT
  no shutdown
I put my machine on IP 10.10.196.20 and the server on 10.10.197.114.
I can reach any service when I access server 10.10.197.114, and all communication is fine because the client only knows 10.10.197.114. But when the server starts communication to the client, the real IP is shown to the client, as you can see in the wireshark print screen attached.
I applied the configuration in both directions because I wanted to see the test results, but originally it was only applied on vlan 16.
03-18-2015 04:38 PM
When you initiate the connection from the server 10.10.197.114, then you need to apply the NAT on vlan 17 and not 16. The NAT is applied on the egress interface.
"nat dynamic 1 vlan 16" is for traffic destined to vlan 16: before it leaves, the ACE will source-NAT the traffic.
For vlan 17 you need to have a nat pool on 17 and set it up the same way.
Hope this helps.
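The egress rule in this reply is the thing people trip over, so here is an added example (not from the thread or from Cisco) that parses a constructed ACE-style config fragment modelled on the one posted above, resolves the egress VLAN of a flow from connected subnets and static routes, and reports whether a source NAT would be applied on that egress VLAN. The `ip route` line, the `REAL_SERVERS` class, pool id 2 and its address are assumptions made for the example; the model ignores class-map matching and only checks the egress-interface and nat-pool consistency the reply describes.

```python
"""Check on which VLAN an ACE 'nat dynamic' action takes effect."""
import ipaddress
import re

# Constructed config fragment modelled on the thread's posted configuration,
# trimmed to the lines the check needs. The 'ip route' line is an assumption:
# the thread places 10.10.197.114 behind VLAN 16 but shows no route to it.
ACE_CONFIG = """\
rserver host 10-10-197-114
  ip address 10.10.197.114
  inservice
policy-map type loadbalance first-match TESTE-NAT
  class class-default
    serverfarm TESTE_NAT
    nat dynamic 1 vlan 16 serverfarm primary
interface vlan 16
  description SERVERs
  ip address 10.10.196.66 255.255.255.224
  nat-pool 1 10.10.196.10 10.10.196.16 netmask 255.255.255.224
interface vlan 17
  description CLIENTS
  ip address 10.10.196.4 255.255.255.224
ip route 10.10.197.0 255.255.255.0 10.10.196.70
"""

# Same fragment with SNAT also applied toward the client VLAN, in the style of
# the first answer in the thread (a class on the server source address).
# The class name, pool id 2 and the pool address are constructed values.
ACE_CONFIG_SERVER_INITIATED = ACE_CONFIG + """\
class-map match-all REAL_SERVERS
  2 match source-address 10.10.197.0 255.255.255.0
policy-map multi-match SERVER_SNAT
  class REAL_SERVERS
    nat dynamic 2 vlan 17
interface vlan 17
  nat-pool 2 10.10.196.17 10.10.196.17 netmask 255.255.255.224 pat
"""


def parse_config(text):
    """Return (interfaces, nat_dynamic, routes) from an ACE-style config text."""
    interfaces = {}    # vlan id -> {"net": IPv4Network or None, "pools": {pool ids}}
    nat_dynamic = []   # (pool id, egress vlan) for every 'nat dynamic' action
    routes = []        # (IPv4Network, next hop) from 'ip route' lines
    current = None     # interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends any block
            current = None
        if m := re.match(r"interface vlan (\d+)$", line):
            current = int(m.group(1))
            interfaces.setdefault(current, {"net": None, "pools": set()})
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            interfaces[current]["net"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current is not None and (m := re.match(r"nat-pool (\d+) ", line)):
            interfaces[current]["pools"].add(int(m.group(1)))
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)", line):
            nat_dynamic.append((int(m.group(1)), int(m.group(2))))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
                           ipaddress.ip_address(m.group(3))))
    return interfaces, nat_dynamic, routes


def egress_vlan(cfg, dst):
    """VLAN a packet to dst leaves on: connected subnet first, else static route."""
    interfaces, _, routes = cfg
    dst = ipaddress.ip_address(dst)
    connected = [(d["net"].prefixlen, vlan) for vlan, d in interfaces.items()
                 if d["net"] is not None and dst in d["net"]]
    if connected:
        return max(connected)[1]          # longest-prefix match wins
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    _, next_hop = max(candidates, key=lambda r: r[0].prefixlen)
    # the next hop itself must sit on a connected subnet (one level of recursion)
    hop = [(d["net"].prefixlen, vlan) for vlan, d in interfaces.items()
           if d["net"] is not None and next_hop in d["net"]]
    return max(hop)[1] if hop else None


def check_snat(cfg, src, dst):
    """Report whether a flow src->dst is source-NATed on its egress VLAN."""
    interfaces, nat_dynamic, _ = cfg
    egress = egress_vlan(cfg, dst)
    if egress is None:
        return {"egress_vlan": None, "snat": False, "findings": [f"no route to {dst}"]}
    findings = []
    pools = [pid for pid, vlan in nat_dynamic if vlan == egress]
    if not pools:
        findings.append(f"no 'nat dynamic <id> vlan {egress}' action: {src} leaves "
                        f"vlan {egress} with its real address")
    for pid in pools:
        if pid not in interfaces[egress]["pools"]:
            findings.append(f"nat dynamic {pid} vlan {egress} but interface vlan "
                            f"{egress} has no nat-pool {pid}")
    return {"egress_vlan": egress, "snat": bool(pools) and not findings,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("as posted", ACE_CONFIG),
                        ("with SNAT toward vlan 17", ACE_CONFIG_SERVER_INITIATED)):
        cfg = parse_config(text)
        for src, dst in (("10.10.196.20", "10.10.197.114"),   # client -> real server
                         ("10.10.197.114", "10.10.196.20")):  # server -> client
            print(label, src, "->", dst, check_snat(cfg, src, dst))
```

Run as-is it shows the two outcomes the reply predicts: a client-to-server flow leaves on vlan 16, where `nat dynamic 1` and `nat-pool 1` exist, so it is translated; a server-initiated flow to 10.10.196.20 leaves on vlan 17, where the posted config has no `nat dynamic ... vlan 17` action, so the real server address is what the client sees. The second fragment adds the action and pool on vlan 17 and the check passes.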
03-20-2015 05:14 AM
Hello,
I did the setup for both vlan 16 and vlan 17 on purpose with the same pool address. I did it because I wanted to see if it worked in either direction. The evidence that it does not work is the wireshark screen capture attached. So I'm thinking there may be something more that I'm not seeing.