ACE Source NAT
Hi Team,
I have the ACE implemented in routed mode. We have 2 servers and 2 users in the same VLAN.
The 2 servers are being load balanced. Now the other 2 (users), which are not load balanced, want to access the servers using the VIP for the load-balanced servers.
Now the issue is that all the servers are in the same subnet. How should I proceed with this? Can I have a sample configuration for this?
Hi,
Here is a configuration example that may be helpful for you.
class-map match-all SNAT
  2 match source-address 10.10.10.0 255.255.255.0
policy-map multi-match L4
  class HTTP-SFARM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    loadbalance vip icmp-reply
  class SNAT
    nat dynamic 100 vlan 31
interface vlan 31 (server VLAN)
  ip address 10.10.10.2 255.255.255.0
  alias 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.4 255.255.255.0
  mac-sticky enable
  access-group input 1
  nat-pool 100 1.1.1.100 1.1.1.100 netmask 255.255.255.255 pat
  service-policy input L4
  no shutdown
ACE1/SP1# sh xlate
TCP PAT from vlan31:10.10.10.10/1149 to vlan31:1.1.1.100/1025
Regards,
Rajesh
Similar Messages
-
ACE: Significance of mask in nat-pools configured for Source NAT
Hi guys
If I am using source NAT in ACE (one IP address, 10.10.10.200, used for all client address translations),
what would be the difference between nat-pools configured with different netmasks?
What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case),
and why?
case1:
interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
  service-policy input clientvips
  no shutdown
case2:
interface vlan 7
  ip address 10.10.10.100 255.255.255.0
  nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
  service-policy input clientvips
  no shutdown
Thanks in Advance
A.Gilles
Thanks a lot. It makes more sense now.
I posted another question for an ACE design validation. Could you please validate this?
I am planning to deploy the ACE module in the following manner:
> ACE will be in one-arm mode (only one VLAN connected to the ACE).
> VIPs & rservers (all serverfarms) will be in the same VLAN X.
> The default gateway on the ACE & real servers will be the upstream router.
> There will be source NAT configured for all serverfarms.
ACE --- Vlan X ------- Router --- internet
            |
            |-- Sfarm 1
            |
            |-- Sfarm 2
            |
            |-- Sfarm n
I am pretty sure that it should work.
Just wanted an expert opinion.
Thanks -
Can anyone tell me what the best practice is for the ACE 4710 appliance? Should I deploy it in routed mode or source NAT mode? And what are the pros and cons of each method?
The advantage of running SNAT is that the ACE is deployed in a "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
In routed mode the ACE acts as the server default gateway.
Routed mode is the easier of the two to configure. -
Source Nat and Destination Nat
Is any of the above working in the ACE OR CSM module by default?
What is an advantage of configuring destination NAT on the ACE box?
Hello,
On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server to send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will initially be sourced with the real server's IP address. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
Best regards,
Sean -
Dynamic Source NAT for multiple POOLS
I am setting up dynamic source NAT with a few pools and access-lists, translating according to the access-list. However, when configured, some ACLs don't work at all, and the ACLs don't "match" anything. I know that the correct way would be to apply the ACL on the interface with "ip access-group <ACL-name> in/out"; however, in this case it would be impossible to apply more than one ACL with the ip access-group command.
Furthermore, I have tested creating a route-map named TEST with all the ACLs, but I cannot create all the "ip nat inside source route-map ..." statements with the same route-map name. I also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
Attach the all configurations.
I need your help,
Thanks in advance!
Oh my God!! It already works fine! I hadn't thought that "log" would be so painful.
Thanks John Marshall!
Attach my troubleshooting:
INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:49529 10.55.0.1:49529 4.2.2.2:22 4.2.2.2:22
tcp 200.200.200.1:62978 10.55.1.1:62978 4.2.2.2:4343 4.2.2.2:4343
tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
Furthermore, we can check that the "rotary" option also works:
INET#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 195.77.205.33:57238 10.55.0.1:57238 4.2.2.2:22 4.2.2.2:22
tcp 195.77.205.33:16393 10.55.1.1:16393 4.2.2.2:22 4.2.2.2:22
Thanks again! -
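A check a practitioner would want after fixing a multi-pool dynamic NAT like the one above: parse the two "show ip nat translations" snapshots quoted in this thread and verify that every inside source was translated by the pool its ACL is supposed to select. This is an added example in Python, not something from the thread or from Cisco; the rows are the ones quoted above (the second snapshot was taken after the poster changed the pools), and the subnet-to-pool policy is an assumption, since the poster's ACLs were in an attachment that is not on the page. Run against the strict first policy, the second snapshot is flagged, which is exactly the signal you want from such a check after a NAT change.

```python
"""Audit 'show ip nat translations' output against an intended source-NAT policy.
Added illustration; not IOS code. The sample rows are the ones quoted in the
thread above; the subnet-to-pool POLICY is an assumption."""
import ipaddress
import re

# Constructed sample: first 'show ip nat translations' snapshot quoted above.
SNAPSHOT_1 = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 195.77.205.33:49529 10.55.0.1:49529    4.2.2.2:22         4.2.2.2:22
tcp 200.200.200.1:62978 10.55.1.1:62978    4.2.2.2:4343       4.2.2.2:4343
tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443  195.47.200.32:443
"""
# Constructed sample: second snapshot, taken after the pools were changed.
SNAPSHOT_2 = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 195.77.205.33:57238 10.55.0.1:57238    4.2.2.2:22         4.2.2.2:22
tcp 195.77.205.33:16393 10.55.1.1:16393    4.2.2.2:22         4.2.2.2:22
"""

# Assumed policy: which inside prefix may appear behind which global address.
POLICY = {
    "10.55.0.0/24": {"195.77.205.33"},
    "10.55.1.0/24": {"200.200.200.1"},
    "181.70.12.0/24": {"195.77.205.20"},
}

ROW = re.compile(r"^(?P<proto>\w+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)$")


def endpoint(text):
    """'a.b.c.d:port' -> ('a.b.c.d', port); a bare token such as '---' gets port None."""
    ip, sep, port = text.rpartition(":")
    return (ip, int(port)) if sep else (text, None)


def parse_translations(output):
    """Turn the CLI table into dicts; raises on a line it cannot read."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Pro "):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rows.append({"proto": m["proto"],
                     "inside_global": endpoint(m["ig"]),
                     "inside_local": endpoint(m["il"]),
                     "outside_local": endpoint(m["ol"]),
                     "outside_global": endpoint(m["og"])})
    return rows


def allowed_globals(inside_ip, policy):
    """Global addresses the policy permits for this inside source, or None if uncovered."""
    addr = ipaddress.ip_address(inside_ip)
    for prefix, globals_ in policy.items():
        if addr in ipaddress.ip_network(prefix):
            return globals_
    return None


def audit(output, policy=POLICY):
    """Return (inside_local_ip, reason) for every translation that breaks the policy."""
    findings = []
    for row in parse_translations(output):
        src_ip, _ = row["inside_local"]
        glob_ip, _ = row["inside_global"]
        allowed = allowed_globals(src_ip, policy)
        if allowed is None:
            findings.append((src_ip, "no NAT rule is expected to cover this source"))
        elif glob_ip not in allowed:
            findings.append((src_ip, f"translated to {glob_ip}, expected one of {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    print("snapshot 1:", audit(SNAPSHOT_1))
    print("snapshot 2:", audit(SNAPSHOT_2))
```

The same parser can be pointed at live output piped from the router; the policy table is the only part you need to edit. It deliberately does not check ports, because with `overload`/PAT the global port is expected to differ from the local one.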
Hi,
I have a CSS in a single-arm deployment model. I am trying to do Exchange server load balancing, but I am facing a problem
with the source NAT. I don't want to NAT the client IP to the VIP.
The Exchange team doesn't want the client IP address to be NATed. They want the real client IP to appear in Exchange so that they can track the exact
user IP address for mail replying and tracking.
Please let me know if there is any way to bypass the source NAT for a specific VIP.
Hi,
I need something like that. I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- The client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure a service and a content rule.
2- The server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure a service and a group.
Q1: Is that right?
I am facing a problem because some client applications discover the server IP, not the VIP, which makes them fail.
Q2: Where is the problem? -
Source NAT for specific servers in a rule
Hello,
I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
  ip address 10.1.1.1
  active
service BBBB
  ip address 10.1.1.2
  active
service XXXX
  ip address 20.1.1.1
  active
service YYYY
  ip address 20.1.1.2
  active
owner Gateway
  content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.2
    add service 20.1.1.1
    active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
Appreciate any help.
Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
TO:
group Gateway
  vip address 61.61.61.61
  add destination service 10.1.1.1
  add destination service 10.1.1.2
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
Good luck!
James -
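The return-path problem that Sean's destination-NAT explanation and James's note on 'add destination service' both describe, and that the first thread (users in the same VLAN as the real servers wanting to use the VIP) ran into, as an added example in Python. This is not ACE or CSS code and not from any of the posters: it models a load balancer that always does destination NAT (VIP to rserver) and optionally source NAT/PAT, with a real server that delivers directly to anything in its own subnet and sends everything else to its default gateway (the load balancer). Without source NAT the reply reaches the client straight from the real server, with the real address as source, so the client has no matching connection and drops it; with source NAT the reply comes back through the load balancer and both translations are undone. The VIP 10.10.10.100, real server 10.10.10.20, the /24 mask and the starting PAT port 1025 are assumptions chosen so the rendered translation matches the `sh xlate` line in the first answer.

```python
"""Why a client in the server VLAN needs source NAT to use the VIP.
Added illustration; not ACE/CSS code. Assumed addresses: VIP 10.10.10.100,
real server 10.10.10.20, client 10.10.10.10, NAT pool 1.1.1.100."""
import ipaddress
from dataclasses import dataclass, replace

VIP, REAL, CLIENT, SNAT_POOL = "10.10.10.100", "10.10.10.20", "10.10.10.10", "1.1.1.100"
SERVER_VLAN = ipaddress.ip_network("10.10.10.0/24")   # assumption: the /24 of vlan 31


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class LoadBalancer:
    """Destination NAT (VIP -> rserver) is always on; source NAT/PAT is optional."""

    def __init__(self, snat_ip=None):
        self.snat_ip = snat_ip
        self.next_pat_port = 1025          # assumption: first PAT port handed out
        self.xlate = {}                    # (pool ip, pat port) -> (client ip, client port)

    def client_to_server(self, pkt):
        out = replace(pkt, dst=REAL)       # server NAT: the VIP becomes the real address
        if self.snat_ip:
            port = self.next_pat_port
            self.next_pat_port += 1
            self.xlate[(self.snat_ip, port)] = (pkt.src, pkt.sport)
            out = replace(out, src=self.snat_ip, sport=port)
        return out

    def server_to_client(self, pkt):
        out = replace(pkt, src=VIP)        # hide the real server again
        if self.snat_ip:
            client_ip, client_port = self.xlate[(pkt.dst, pkt.dport)]
            out = replace(out, dst=client_ip, dport=client_port)
        return out

    def show_xlate(self):
        """Render the table in the 'sh xlate' style quoted in the first answer."""
        return [f"TCP PAT from vlan31:{c}/{cp} to vlan31:{p}/{pp}"
                for (p, pp), (c, cp) in self.xlate.items()]


def run_flow(snat: bool) -> dict:
    """One client request to the VIP and the server's reply; reports what the client saw."""
    lb = LoadBalancer(SNAT_POOL if snat else None)
    request = Packet(CLIENT, VIP, 1149, 80)
    expected_back = (VIP, 80, CLIENT, 1149)          # the client's open connection
    at_server = lb.client_to_server(request)
    reply = Packet(REAL, at_server.src, at_server.dport, at_server.sport)
    # A host delivers directly to its own subnet; anything else goes to its
    # default gateway, which in this model is the load balancer.
    if ipaddress.ip_address(reply.dst) in SERVER_VLAN:
        path, delivered = "direct", reply
    else:
        path, delivered = "via-lb", lb.server_to_client(reply)
    accepted = (delivered.src, delivered.sport, delivered.dst, delivered.dport) == expected_back
    return {"path": path, "reply_src": delivered.src, "accepted": accepted,
            "xlate": lb.show_xlate()}


if __name__ == "__main__":
    for mode in (False, True):
        print("snat" if mode else "no snat", run_flow(mode))
```

The model also shows the cost James mentions: once source NAT is on, the server only ever sees the pool address (or the VIP, on a CSS source group), so the client address survives only if the load balancer can put it somewhere else, such as an HTTP header.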
Issues with source NAT configuration in VNMC
Before coming to the questions/doubts, let me explain the ASA 1000v setup that I have:
ASA 1000v
- inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
- outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
On ASA running ‘show route’ outputs following:
C 10.1.1.0 255.255.255.0 is directly connected, esp-in
C 10.147.28.0 255.255.255.0 is directly connected, management
C 10.147.30.0 255.255.255.0 is directly connected, esp-out
S* 0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
Now I want to configure the following scenarios through VNMC:
1. Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
ERROR: interface keyword is not allowed when translated interface is any;
2. I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound ssh traffic. This was working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001; ^;ERROR: % Invalid input detected at ^ marker;
ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out; ^;ERROR: % Invalid input detected at ^ marker;
Version details
VNMC 2.0
ASA 1000v version
Cisco Adaptive Security Appliance Software Version 8.7(1)1
Device Manager Version 6.7(1)
Questions:
- Can anyone let me know what the correct configuration is for setting up source NAT as mentioned above? Why am I getting the errors mentioned and how do I fix them?
- Why is there an error on reassigning the ASA 1000v to the edge firewall?
- How do I enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?
Thanks,
Koushik
Hello Arseny,
How did you resolve this issue?
We are still facing the same problem in WebI 4.1 SP5 Patch 4.
The issue is still under SAP investigation with KBA 2131762.
Regards,
Mirko -
Is it possible to source NAT health checks?
I am source NATing the data traffic to the back-end servers using a source group, but I notice the health checks are not affected and they use the interface's physical address. The way I found out is that the service was down and the firewall was dropping the health checks. Does anyone know a way to source NAT health checks? Either that, or have them sourced from the redundant VIP address that is configured on the interface and not the "real" address. CCO and Google produced nothing... thanks!
You can't NAT probes.
The CSS will use its outgoing interface ip address as the source ip.
Just make sure your firewall allows this traffic.
Gilles. -
ACE One-Arm Source-NAT HTTP Header Insert
Hello ACE gurus,
This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header re-write action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session. Any input would be greatly appreciated.
/r
Rob
Hi Rob,
When using HTTPS, all the data is encrypted, including the HTTP headers.
In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
I would recommend that you have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need:
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
Regards
Daniel -
Hello
I have a configuration in the ACE module to NOT perform NAT with the command transparent in a serverfarm configuration mode, but it is not working.
rserver host MXMTYIPR
  ip address 172.19.127.131
  inservice
serverfarm host _Front
  transparent
  rserver MXMTYIPR 443
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY_FR
  timeout 10
  timeout activeconns
  replicate sticky
  serverfarm _Front
class-map match-all CLASS_LYN
  2 match virtual-address 172.19.127.1 tcp eq https
policy-map type management first-match POLICY-ADMIN
  class CLASS-ADMIN
    permit
policy-map type loadbalance first-match POLICY_FR
  class class-default
    sticky-serverfarm STICKY_FR
policy-map multi-match PM_FR
  class CLASS_LYN
    loadbalance vip inservice
    loadbalance policy POLICY_FR
    loadbalance vip icmp-reply
interface vlan 550
  ip address 172.18.50.139 255.255.255.240
  alias 172.18.50.141 255.255.255.240
  peer ip address 172.18.50.140 255.255.255.240
  service-policy input PM_FR
  no shutdown
Does anybody have any recommendation to this?
Thanks for your help.
Regards
Hi,
You should disable normalization on client side interface and also configure server so that it returns the traffic with VIP as the source IP. Please visit the below link for more details:
https://supportforums.cisco.com/document/91121/configure-ace-direct-server-return-mode
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Hi
I know that if we use source-IP based predictors, the ACE would use a hash of the source IP to load balance the traffic. Is there a capability to make this process deterministic? In other words, I have three client subnets accessing the web servers on the same VIP. I want the traffic from subnet 1 to go to server 1 and traffic from subnets 2 and 3 to be load balanced to the rest of the servers.
Any idea on how to get this done?
Hi Dinuka,
Session persistence (stickiness) based on client source IP address or HTTP cookies is recommended to be configured on the Cisco ACE for this flow.
IP Address Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
Here can be the sample configuration:
resource-class websrv
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 20.00 maximum equal-to-min
rserver host webserver1
  ip address 10.10.10.1
  inservice
rserver host webserver2
  ip address 10.10.10.2
  inservice
rserver host webserver3
  ip address 10.10.10.3
  inservice
serverfarm host werbsrv1only
  probe websrv
  rserver webserver1 1000
    inservice
serverfarm host werbsrv123
  probe websrv
  rserver webserver1 1000
    inservice
  rserver webserver2 1000
    inservice
  rserver webserver3 1000
    inservice
ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.
The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:
probe http websrv
  port 1000
  interval 2
  faildetect 2
  passdetect interval 2
  request method get url /index.html
  expect status 200 200
Session persistence can be established by tying the session to an IP address that uniquely identifies the client.
Create a sticky-group:
sticky ip-netmask 255.255.255.255 address source Client_subnet_1
  timeout 10
  serverfarm werbsrv1only
Change the server farm to the sticky-group:
policy-map type loadbalance first-match basic-slb
  class class-default
    sticky-serverfarm werbsrv1only
sticky ip-netmask 255.255.255.255 address source Client_subnet_2
  timeout 10
  serverfarm werbsrv123
sticky ip-netmask 255.255.255.255 address source Client_subnet_3
  timeout 10
  serverfarm werbsrv123
Here you can find the details in the below url :
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411
I have also attached a jpeg for your reference.
Hope you will get the idea how to use the sticky based on IP address.
Here you can find sample config of similar type:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html
Thanks and regards,
Sachin Garg
Senior Specialist Security
HCL Comnet Ltd.
http://www.hclcomnet.co.in
A-10, Sector 3, Noida- 201301
INDIA
Mob: +91-9911757733
Email: [email protected] -
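What the question above is really asking for is two separate mechanisms: a deterministic mapping from client subnet to serverfarm (subnet 1 always to the farm that contains only server 1, subnets 2 and 3 to the full farm), and, inside a farm, the source-IP hash predictor plus source-IP stickiness with its netmask and timeout. The following is an added Python model of those mechanisms, not ACE code and not from the answer above. The farm names and rserver addresses are taken from the answer; the three client subnets (TEST-NET ranges), the SHA-256 based predictor and the second-resolution clock are assumptions, and the ACE's own hash algorithm is not modelled.

```python
"""Subnet-to-serverfarm selection on top of source-IP hashing and ip-netmask
stickiness. Added illustration; not ACE code. Farm contents come from the
answer above; the client subnets and the hash predictor are assumptions."""
import hashlib
import ipaddress

FARMS = {                                   # rserver addresses from the answer above
    "werbsrv1only": ["10.10.10.1"],
    "werbsrv123": ["10.10.10.1", "10.10.10.2", "10.10.10.3"],
}
# Assumed client subnets; subnet 1 is pinned to the single-server farm.
SUBNET_TO_FARM = [
    (ipaddress.ip_network("192.0.2.0/24"), "werbsrv1only"),
    (ipaddress.ip_network("198.51.100.0/24"), "werbsrv123"),
    (ipaddress.ip_network("203.0.113.0/24"), "werbsrv123"),
]


def farm_for(client_ip):
    """The deterministic part: first matching client subnet decides the farm."""
    addr = ipaddress.ip_address(client_ip)
    for net, farm in SUBNET_TO_FARM:
        if addr in net:
            return farm
    return None                             # no class matched: flow is not load balanced


def hash_predictor(client_ip, rservers):
    """Source-IP hash: stable for a client as long as the farm membership is unchanged."""
    digest = hashlib.sha256(ipaddress.ip_address(client_ip).packed).digest()
    return rservers[int.from_bytes(digest[:4], "big") % len(rservers)]


class StickyGroup:
    """'sticky ip-netmask <mask> address source' with 'timeout <minutes>'."""

    def __init__(self, mask, timeout_min):
        self.mask = mask
        self.timeout = timeout_min * 60
        self.entries = {}                   # masked client address -> (rserver, last seen)

    def key(self, client_ip):
        """Apply the sticky netmask so every client in the masked range shares an entry."""
        return str(ipaddress.ip_interface(f"{client_ip}/{self.mask}").network.network_address)

    def select(self, client_ip, rservers, now):
        k = self.key(client_ip)
        hit = self.entries.get(k)
        if hit and now - hit[1] < self.timeout and hit[0] in rservers:
            server = hit[0]                 # sticky hit, still valid
        else:
            server = hash_predictor(client_ip, rservers)
        self.entries[k] = (server, now)     # refresh the entry's timestamp
        return server


STICKY = {name: StickyGroup("255.255.255.255", 10) for name in FARMS}


def dispatch(client_ip, now=0):
    """Return (farm, rserver) for a client, or None when no client subnet matches."""
    farm = farm_for(client_ip)
    if farm is None:
        return None
    return farm, STICKY[farm].select(client_ip, FARMS[farm], now)


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.9", "203.0.113.4", "10.0.0.1"):
        print(ip, "->", dispatch(ip))
```

Note that stickiness alone cannot give the "subnet 1 to server 1" guarantee the question asks for: a sticky entry is created from whatever the predictor picked first, so the pinning has to come from the subnet-to-farm step, and the sticky group only keeps a client (or, with a wider mask, a whole range of clients) on the server it first landed on until the entry times out.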
ACE: Transparent NAT feasibility
Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
All ideas welcome.
BTW, I want to clarify that client NAT is not on by default. You must have configured it, and if you do so, you lose information about the client IP. The solution to insert the info into the HTTP header is a good one.
Gilles -
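The header-insertion solution Gilles endorses above, and the point in Daniel's earlier answer that it only works once the ACE has terminated SSL, as an added example in Python. This is not ACE code and not from either poster: it inserts the original client address into an X-Forwarded-For header of a cleartext (or already decrypted) HTTP request, appends to an existing header rather than overwriting it, and refuses to touch bytes that look like a TLS record, since there is no header to edit in an encrypted session. The sample requests, the client addresses and the header-parsing helper are constructed for the example.

```python
"""Insert the pre-NAT client address into an HTTP request as X-Forwarded-For.
Added illustration; not ACE code. Only works on cleartext or terminated HTTP:
on a TLS record there is no header to edit."""

HEADER = b"X-Forwarded-For"


def is_tls_record(data: bytes) -> bool:
    """True for the start of a TLS record: handshake (0x16) or app data (0x17), version 3.x."""
    return len(data) >= 3 and data[0] in (0x16, 0x17) and data[1] == 0x03


def insert_forwarded_for(request: bytes, client_ip: str) -> bytes:
    """Return the request with client_ip appended to (or added as) X-Forwarded-For."""
    if is_tls_record(request):
        raise ValueError("encrypted session: terminate TLS before inserting headers")
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    out, seen = [], False
    for line in headers:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == HEADER.lower():
            # keep whatever the client sent, append the address we actually saw
            line = HEADER + b": " + value.strip() + b", " + client_ip.encode("ascii")
            seen = True
        out.append(line)
    if not seen:
        out.append(HEADER + b": " + client_ip.encode("ascii"))
    return b"\r\n".join([request_line, *out]) + sep + body


def forwarded_chain(request: bytes):
    """Parse X-Forwarded-For into a list; the server should trust only the last entry."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == HEADER.lower():
            return [v.strip().decode("ascii") for v in value.split(b",")]
    return []


# Constructed samples, as they leave the client (before SNAT rewrites the source IP).
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: websrv\r\n\r\n"
SPOOFED = b"GET / HTTP/1.1\r\nHost: websrv\r\nX-Forwarded-For: 203.0.113.250\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"

if __name__ == "__main__":
    print(insert_forwarded_for(SAMPLE, "198.51.100.7").decode())
    print(forwarded_chain(insert_forwarded_for(SPOOFED, "198.51.100.7")))
```

Because a client can send its own X-Forwarded-For (the SPOOFED sample), the address the load balancer appends is the only trustworthy one, so application code that needs the real client address should read the last element of the list, not the first.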
Ace and NAT...
Hi all,
A couple of questions..
What is the logic of NAT on the ACE? Do I put the pool on the 'outside' interface and a policy on the inside interface?
How does server farm NAT work? I haven't understood it well...
Last one :)
ACE with two interfaces: <server side> & <outside>.
The topology is the ACE with the above 2 interfaces; the gateway of the ACE is a FW with 3 interfaces: toward the internet, toward the ACE and toward the internal network (10.0.0.0).
Flows:
First one:
SRC 1.1.1.1, 1.1.1.2 --> VIP 5.5.5.5 --> real --> 1.1.1.3, 1.1.1.4. In this situation I put a NAT pool on the <server side> interface and a NAT statement on the <server side> interface; it is easy.
2
src 1.1.1.1 --> dst 10.0.0.0: I must not NAT.
3 src 1.1.1.1 --> dst internet port 443,80,25: I have to NAT 1.1.1.1.
Rules 2 and 3 may overlap, because I could also contact the intranet on ports 80 and 443, and for this flow I must not NAT.
The idea is:
1 flows: no problem, it is just a simple server-to-server NAT hitting the VIP, with the servers on the same subnet.
2 flows: server farm in transparent mode with VIP 10.0.0.0 255.0.0.0 and the rserver is the FW.
3 flows: src NAT hitting destination ports 80 and 443...
Is that right? Does the policy lookup on the ACE permit it? I mean, when the ACE sees a packet with destination 10.0.0.0, does it forward the packet without NAT even if it also sees port 80,443?
I want to put the load balancing rule in a different policy and put it before the NAT statement.
Thanks
Dan
Hi Gilles,
First of all, thanks very much.
1. If I put loadbalance vip inservice in a multi-match policy with a class that has destination-address and not virtual-address, this error appears:
Error: LB action requires match vip command!
2. With the configuration I posted before (reported below), the forward clause is matched, but parsing of the policy carries on and the NAT statement is matched too.
I expected that after the first match (forward) no match would be done on the second statement. What happens is that if I telnet to IP 4.4.4.1 (inside the range of the 4.0.0.0/8 virtual-address) the communication is NATed, so not just the forward policy is hit. In fact I can see counters incrementing in both service policies.
class-map match-all CM_forward
  2 match virtual-address 4.0.0.0 255.0.0.0 any
  (it is not possible to put a destination address in a class map that is associated to a multi-match policy)
class-map match-any C_Nat_SRVtoInternet
  2 match port tcp eq telnet
policy-map type loadbalance first-match L7_P_forward_internal
  class class-default
    forward
policy-map multi-match testdanilo_be
  class CM_forward
    loadbalance vip inservice
    loadbalance policy L7_P_forward_internal
  class C_Nat_SRVtoInternet
    nat dynamic 108 vlan 903
interface vlan 901
  description BE_server_side
  ip address 172.18.1.254 255.255.255.0
  no icmp-guard
  access-group input BE
  service-policy input P_MNGT_POLICY
  service-policy input testdanilo_be
  service-policy input P_MM_NatSRVtoSrvBeViaVIP
  no shutdown
interface vlan 903
  description FE
  ip address 192.168.0.162 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input FE
  nat-pool 108 192.168.0.254 192.168.0.254 netmask 255.255.255.255 pat
  service-policy input P_MNGT_POLICY
  no shutdown
thx
Dan -
Best practice for Source NATTING ?
Is there a general design rule for configuring source NATing? Is it best to configure the CSS in one- or two-armed mode?
What are the performance limitations in doing this?
Can source NATed and non-source NATed content rules be configured on the CSS with no impact?
Cheers, Mike
Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).
The use of this type of source group is useful when setting up a one-armed configuration where client and server traffic flows through the same CSS switch. For more information read the following document.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml