ACE router or source NAT
Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....
The advantage of running SNAT is the ACE is deployed in a "one-arm" mode. In this deployment the advantage is the ACE does not have to process all traffic as oppossed to being directly in the transit path when deployed inline (routed).
In one arm mode you can use either PBR or SNAT for server return traffic. One arm mode also allows for direct server return butlimited to L4 load balance.
In routed mode the ACE acts as the server default gateway.
Routed mode is the easier of the two to configure.
Similar Messages
-
Example Config ACE routed mode with NAT
Hi all,
i have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
BR
DominikHi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 10.198.16.2
inservice
rserver host SERVER_02
ip address 10.198.16.3
inservice
rserver host SERVER_03
ip address 10.198.16.4
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
interface vlan 451
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
no shutdown
interface vlan 452
description Servers vlan
ip address 10.198.16.1 255.255.255.0
access-group input ANYONE
nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team -
ACE One-Arm Source-NAT HTTP Header Insert
Hellow ACE Gurus,
This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header re-write action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session. Any input would be greatly appreciated.
/r
RobHi Rob,
When using HTTPS, all the data is encrypted, including the HTTP headers.
In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
Regards
Daniel -
ACE: Significance of mask in nat-pools configured for Source NAT
Hi guys
If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
What would be the difference between the nat-pools configured with different netmask.
What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
and why?
case1:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
service-policy input clientvips
no shutdown
case2:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
service-policy input clientvips
no shutdown
Thanks in Advance
A.Gilles
Thanks a lot. It makes more sense now.
I posted another question for an ACE design validation. Could you please validate this
I am planning to deploy ACE module in following manner:
> ACE will be in one arm mode ( Only one vlan connected to the ACE).
> Vips & Rservers (all serverfarms) will be in the same Vlan X.
> Default gateway on the ACE & Real servers will be the upstream router
> There will be Source NAT configured for all Serverfarms.
ACE --- Vlan X -------Router--- internet
.................|
.................|-- Sfarm 1
.................|
.................|-- Sfarm 2
.................|
.................|-- Sfarm n
I am pretty sure that it should work.
Just wanted an expert opinion.
Thanks -
ACE: as firewall and NAT. inbound and outbound originals
Hi Team,
This time no load balancing is required.
Two servers inside (with private IP) need to communicate with clients and servers on the internet. ie, internet client originate inbound traffic to our servers, and also our servers originate connections to some internet servers.
Both of our servers will work indipendently for this purpose.
I have a few ideas to mix and match configs in the ACE. (This was originally working with FWSM setup). I would like to hear some sound ideas to acheive this using ACE only as firewall/router. No plan to load balance at present.
Regards to all
SSGilles,
Inbound traffic and the related reply traffic can be handled with normal class-map by defining a VIP with public IP.
The above real server with private IP is now going to make a different connection to the internet. ie,
outbound traffic and related reply traffic need handling. (no load balancing planned).
Detination NAT, Static NAT sounds interesting
Source NAT, Static NAT sounds interesting. Mixing these sound very interesting!! I'm looking for sample configs please.
SS -
ACE: 4710 Policy-Map NAT
Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rservers vlan?
policy-map multi-match PM_Loadbalance
class VIP_Farm
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 7 vlan 7
nat dynamic 741 vlan 741
Thanks,
-bHello Brian-
You can apply 2 different NAT statements, yes.
The way it works:
1.) A client sends a SYN into a vlan where the vip is applied as a service-policy input.
2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the the packet would be source NATted by the group number mentioned in the statement. This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.
i.e.
rserver host server_1
ip address 10.0.0.10
inservice
rserver host server_2
ip address 172.16.35.60
inservice
serverfarm host SF_1
rserver server_1
inservice
class-map match-any VIP_80
2 match virtual-address 172.16.35.80 tcp eq 80
policy map type loadbalance first-match LB
class class-default
serverfarm SF_1
policy map multi-match X
class VIP_80
loadbalance policy LB
loadbalance vip inservice
nat dynamic 5 vlan 7
nat dynamic 7 vlan 741
interface vlan 7
ip address 172.16.35.2 255.255.255.0
nat 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
service-policy input X
Interface vlan 741
ip address 10.0.0.2 255.255.255.0
nat 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
service-policy input X
If a packet comes into either vlan destine to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60. If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741. If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
Regards,
Chris Higgins -
Routing Experts please help with below LAN routing issue with NAT
Hello Experts,
I have a weird situation and requirement.
The existing setup is -
We have email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with respective port numbers of 89 & 443. We have LAN & servers on the same subnet. The internet is with public DHCP IP assigned by ISP (/29). We use linksys router GUI for NAT settings (attached).We are using the same public IP for the server NAT & user NAT.
We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure respective subnets. Now both user subnet and server subnet are connecting to the Internet with same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
Please find attached short diagram and below configuration and please give your inputs to solve this.
Cisco 3845 router
access-list 1 permit 10.155.60.0 0.0.0.255
access-list 2 permit 10.155.61.0 0.0.0.255
access-list 3 permit 10.155.62.0 0.0.0.255
ip nat inside source list 1 int g0/0 overload
ip nat inside source list 2 int g0/0 overload
ip nat inside source list 3 int g0/0 overload
int g0/0
ip add 8.8.8.8 255.255.255.248
ip nat outside
no shut
int g0/1
description Trunk-to-Switch
no shut
int g0/1.60
description User vlan
ip add 10.155.60.1 255.255.255.0
encapsulation dot1q 60
ip nat inside
int g0/1.62
description Server vlan
ip add 10.155.62.1 255.255.255.0
encapsulation dot1q 62
ip nat inside
exit
aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
acl 120
max-users 10
exit
!access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any host 192.168.0.10
access-list 120 permit ip any host 192.168.0.11
access-list 120 permit ip any host 192.168.0.12
access-list 120 permit ip any host 192.168.0.13
access-list 120 permit ip any host 192.168.0.14
access-list 120 permit ip any host 192.168.0.15
access-list 120 permit ip any host 192.168.0.16
access-list 120 permit ip any host 192.168.0.17
access-list 120 permit ip any host 192.168.0.18
access-list 120 permit ip any host 192.168.0.19
no access-list 100
access-list 100 remark [Deny NAT for VPN Clients]=-
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
access-list 100 remark
access-list 100 remark -=[Internet NAT Service]=-
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
exit
ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-7.1.0.1
file privilege 0
telephony-service
dn-webedit
time-webedit
transport input ssh
line con 0
line vty 0 15
login local
ntp server ntp.first2know.net
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp update-calendar
ntp master
=========================================================================================================================================
Cisco 3750 Config;
vlan 60
name User
vlan 61
name Voice
vlan 62
name Server
exit
interface g1/0/1
description Trunk-to-Router
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
interface vlan 60
description User Vlan
ip add 10.155.60.2 255.255.255.0
interface vlan 61
description Voice Vlan
ip add 10.155.61.2 255.255.255.0
interface vlan 62
description Server Vlan
ip add 10.155.62.2 255.255.255.0
service dhcp
ip dhcp pool Users
network 10.155.60.0 255.255.255.0
default-router 10.155.60.1
dns server 4.2.2.2
ip dhcp pool Voice
network 10.155.61.0 255.255.255.0
dns server 4.2.2.2
exit
ip dhcp excluded-address 10.155.60.1 10.155.60.2 10.155.60.3
ip dhcp excluded-address 10.155.61.1 10.155.61.2
interface range g1/0/2 - 1/0/21
switchport mode access
switchport access vlan 60
switchport access vlan 61
exit
exit
interface range g1/0/22 - 1/0/26
switchport mode access
switchport access vlan 62
exit
Thanks,
DeepakOne more thing I should clarify the route I am putting into the 10.10.1.9 server is
route add 10.1.6.0 mask 255.255.255.0 10.10.1.250 which tells the server to bypass the ASA and go directly to the ISP router.(then i can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 to force all traffic to 10.10.1.250.
Thanks in advance. -
Dynamic Source NAT for multiple POOLS
I am setting up Dynamic Source NAT with a few Pools and Access-list to translate according to the Access-list. However when configure some ACL don't work anything. And the ACL don't "match" any. I know that the correct way would be to apply the ACL about interface with "ip access-group <ACL-name> in/out" however in this case would be impossible to apply more one ACL with ip access-group command.
FurthermoreI have tested to creating a route-map named TEST with all ACLs; but cannot to create all "ip nat inside source route-map... " with the same route-map name. Also checked the cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
Attach the all configurations.
I need your help,
Thanks in advance!Oh my God!! Already works fine! I hadn't thought that "log" would be a painful
Thanks John Marshall!
Attach my troubleshooting:
INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:49529 10.55.0.1:49529 4.2.2.2:22 4.2.2.2:22
tcp 200.200.200.1:62978 10.55.1.1:62978 4.2.2.2:4343 4.2.2.2:4343
tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
Furthermore we can to check the "rotary option also works!"
"INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:57238 10.55.0.1:57238 4.2.2.2:22 4.2.2.2:22
tcp 195.77.205.33:16393 10.55.1.1:16393 4.2.2.2:22 4.2.2.2:22"
Thanks again! -
ACE Routed mode - cannot see serverside network
Hi all,
I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the serverside VLAN only in the ACE context. Trouble is this doesn't seem to have propagted into the routing table.
The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
Am I missing something obvious. I've attached the config if that helps.
Thank you
CathyI am not sure what your question is
Are you not seeing the VIPs in 6500 routing table? If its about vip the RHI (Route health injection (loadbalance vip advertise) should take care of it.
Or you want to see the Server vlan in the routing table of 6500?.
If thats the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on upstream router).
Syed Iftekhar Ahmed -
Issues with source NAT configuration in VNMC
Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
ASA 1000v
- inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
- outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
On ASA running ‘show route’ outputs following:
C 10.1.1.0 255.255.255.0 is directly connected, esp-in
C 10.147.28.0 255.255.255.0 is directly connected, management
C 10.147.30.0 255.255.255.0 is directly connected, esp-out
S* 0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
Now I want to configure the following scenarios through VNMC:
1. Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
ERROR: interface keyword is not allowed when translated interface is any;
2. I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created ACL rule for allowing outbout ssh traffic. This working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001; ^;ERROR: % Invalid input detected at ^ marker;
ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out; ^;ERROR: % Invalid input detected at ^ marker;
Version details
VNMC 2.0
ASA 1000v version
Cisco Adaptive Security Appliance Software Version 8.7(1)1
Device Manager Version 6.7(1)
Questions:
- Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above. Why am I getting the errors mentioned and how to fix them?
- Why is there an error on reassigning asa 1000v to the edge firewall
- How to enabling logging/debugging on ASA or VNMC to see packet details and how rules are getting applied?
Thanks,
KoushikHello Arseny,
How did you resolve this issue?
We are still facing the same problem in WebI 4.1 SP5 Patch 4.
The issue is still under SAP investigation with KBA 2131762.
Regards,
Mirko -
Packets not hitting the route-map's NAT access-list
Hi Everyone,
I've been struggling with this issue for two days, I have couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for nat to deny the packets that are going to the tunnel from getting NATed, I have the same config for all the tunnels but the issue is with xxx_NAT access-list that is not even being hit by the packets so my xxx tunnel wont come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. here is my config :
interface GigabitEthernet0/1.102
description "xxx"
encapsulation dot1Q 102
ip address 10.300.301.1 255.255.255.0
ip access-group xxx_ACL in
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool xxx_POOL ??
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map xxx pool xxx_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip access-list extended xxx-VPN
remark VPN to xxx
permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
ip access-list extended xxx_ACL
deny ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip any any
ip access-list extended xxx_NAT
deny ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
deny ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 10.300.301.0 0.0.0.255 any
route-map ??? permit 10
match ip address ???_NAT
route-map xxx permit 10
match ip address xxx_NAT
route-map ??? permit 10
match ip address NAT_???
route-map ??? permit 10
match ip address ???_NAT
control-plane
banner motd ^CAs that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
So just a guess:
The "ip nat inside source route-map-"staements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation which you should see with "show ip nat translation".
HTH, Karsten -
Source Nat and Destination Nat
Is any of the above working in the ACE OR CSM module by default?
What is an advantage of configuring destination NAT on the ACE Box?Hello,
On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
Best regards,
Sean -
How to configure a RV220W in normal routing mode (No NAT)
Hi,
I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
C class IP network connected to the internet via a Fritzbox router. I need this router becasue of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse, send email but cant make a connection to a apple fileserver which is on the base network. When I try to operate in normal routing mode I cant get it to work. I am sure I am doing something wrong with the static routes.
Setup:
Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
On the 192.168.12..0/24 network the printer, fileserver and PBX are connected.
Please help me in configuring this.
The firmware is the latest 1.0.5.8.
Thanks in advance!
PeterHello Peter,
Sorry for the late reply, but I figured I would post anyone in case anyone else has this question.
You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.
I am only looking at an emulator, but I believe this will cause a reboot. Once in router mode NAT and the firewall are disabled, however access rules do still work.
You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as it's default gateway on it's WAN interface. You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
Thank you for choosing Cisco,
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center -
Hi,
I have CSS in single arm deploymenet model. I am trying to do the exchange server load balancing. But I am facing problem
with the soruce NAT. I dont want to NAT the client IP in VIP.
Exchange team dont want to have Client IP address to be NATTED. They want real Client IP to appear in Exchange so that they can track exact
user IP address for mail replying and tracking.
Please let me know is there any way bypass the source NAT for specific VIP.Hi,
I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- Client initiates the traffic to the VIP which will be forwarded to the servers. Then the server will replay to the client, from VIP to the client. In this case, I need to configure service and content.
2- Server initiates traffic to the client, the source will be VIP, the destination is client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP not VIP, the make failure..
Q2: Where is the problem? -
Source NAT for specific servers in a rule
Hello,
I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
ip address 10.1.1.1
active
service BBBB
ip address 10.1.1.2
active
service XXXX
ip address 20.1.1.1
active
service YYYY
ip address 20.1.1.2
active
owner Gateway
content Gateway1
vip address 61.61.61.61
add service 10.1.1.1
add service 10.1.1.2
add service 20.1.1.2
add service 20.1.1.1
active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
Appreciate any help.Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
TO:
group Gateway
vip address 61.61.61.61
add destination service 10.1.1.1
add destination service 10.1.1.2
add destination service 20.1.1.1
add destination service 20.1.1.2
active
Good luck!
James
Maybe you are looking for
-
Advanced certification in ABAP
Hi All I am a ABAP programmer with 3 yrs of ABAP experience and currently working on EDI / IDOC technologies. I wanted to go for ABAP certification but I was advised by many not to do it as exam has got very simple ABAP questions, mainly on Basic ABA
-
Error while opening Workbook:variables for characteristic cannot be process
Hi all, When I try to open the workbook for a particular query, I am getting the following error. Kindly suggest me in rectifying this information message. "Variables for characteristic [ZDVCODE]Dealer code cannot be processed" Regards, Steve
-
How to include KONV and KONP in a join?
Hi, I am trying to create a sales order report using SQVI. In addition to the sales order and billing document information I also need the PR00 condition price from KONV (KONV-KBETR) and the old list price from KONP (KONP-KBETR). I know I can use the
-
Domain name and iweb not working 100%
I'm a real novice.I made a site using iweb 09.with a domain name bought from fasthosts.co.uk.I pointed fasthosts at webme.com,but I can only see my site if I type nigeljames.net if I type http://www.nigeljames.net I get nothing,probably something sim
-
InDesign asking for serial number
Can't get InDesign CC to work. The one year cc subscription has been activated. I have been trying to get it to work since the 15th. talked to tech support last night for 90 min. Went through al the steps and no luck. They were escalating the is