ACE Source NAT

Hi Team,
I have the ACE implemented in routed mode. We have 2 servers and 2 users in the same VLAN.
The 2 servers are being load balanced. Now the other 2 (users), which are not being load balanced, want to access the servers using the VIP of the load-balanced servers.
The issue is that all the servers are in the same subnet. How should I proceed with this? Can I have a sample configuration for this?

Hi,
Here is a configuration example that may be helpful for you.
class-map match-all SNAT
  2 match source-address 10.10.10.0 255.255.255.0
policy-map multi-match L4
  class HTTP-SFARM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    loadbalance vip icmp-reply
  class SNAT
    nat dynamic 100 vlan 31
interface vlan 31   (Server Vlan)
  ip address 10.10.10.2 255.255.255.0
  alias 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.4 255.255.255.0
  mac-sticky enable
  access-group input 1
  nat-pool 100 1.1.1.100 1.1.1.100 netmask 255.255.255.255 pat
  service-policy input L4
  no shutdown
ACE1/SP1# sh xlate
TCP PAT from vlan31:10.10.10.10/1149 to vlan31:1.1.1.100/1025
Regards,
Rajesh

Similar Messages

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source NAT in the ACE (one IP address, 10.10.10.200, used for all client address translations),
    what would be the difference between nat-pools configured with different netmasks?
    What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case),
    and why?
    case1:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
    service-policy input clientvips
    no shutdown
    case2:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
    service-policy input clientvips
    no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X -------Router--- internet
    .................|
    .................|-- Sfarm 1
    .................|
    .................|-- Sfarm 2
    .................|
    .................|-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • ACE router or source NAT

    Can anyone tell me what the best practice is for the ACE 4710 appliance? Should I deploy it in routed mode or source NAT mode? And what are the pros and cons of each method?

    The advantage of running SNAT is that the ACE is deployed in "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
    In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
    In routed mode the ACE acts as the server default gateway.
    Routed mode is the easier of the two to configure.

  • Source Nat and Destination Nat

    Is any of the above working in the ACE OR CSM module by default?
    What is an advantage of configuring destination NAT on the ACE Box?

    Hello,
    On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
    In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
    Best regards,
    Sean
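To make the two translations concrete, here is an added example (not code from the thread or from Cisco) that models a client-to-VIP flow through a load balancer in routed mode. It applies the destination NAT that Sean describes as the default inside a serverfarm, optionally the source NAT from the first post (nat-pool plus "nat dynamic"), and then asks where the real server sends its reply. That is exactly the question behind the first post: a client on the same VLAN as the real servers receives the reply directly from the rserver unless source NAT forces it back through the ACE. Addresses come from the thread where it states them (10.10.10.0/24 server VLAN, alias 10.10.10.1, PAT pool 1.1.1.100); the VIP, rserver addresses and PAT port are assumed.

```python
"""Model of how a load balancer in routed mode rewrites a client-to-VIP flow.

Added example, not from the forum thread. Destination NAT VIP->rserver always
happens (default in a serverfarm); source NAT client->pool only when a nat
class matched. Nothing here talks to a real device.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

SERVER_VLAN = IPv4Network("10.10.10.0/24")
ACE_ALIAS = IPv4Address("10.10.10.1")   # servers' default gateway (alias from the thread)
NAT_POOL = IPv4Address("1.1.1.100")     # nat-pool 100 ... pat, from the thread
VIP = IPv4Address("1.1.1.10")           # assumed VIP; the thread does not state one
RSERVERS = [IPv4Address("10.10.10.20"), IPv4Address("10.10.10.21")]  # constructed
PAT_PORT = 1025                         # first PAT port, as in the "sh xlate" line


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def lb_client_to_server(pkt: Packet, rserver: IPv4Address, source_nat: bool) -> Packet:
    """Client->VIP packet after the load balancer: destination NAT VIP->rserver
    always happens; source NAT client->pool only when a nat class matched."""
    if pkt.dst != VIP:
        raise ValueError("not a VIP flow")
    out = replace(pkt, dst=rserver)
    if source_nat:
        out = replace(out, src=NAT_POOL, sport=PAT_PORT)
    return out


def server_reply_next_hop(reply: Packet) -> str:
    """A server on SERVER_VLAN delivers on-link to any address in its own
    subnet and sends everything else to its default gateway (the ACE alias)."""
    if reply.dst in SERVER_VLAN:
        return "direct"
    return f"gateway {ACE_ALIAS}"


def flow_result(client_ip: str, source_nat: bool) -> dict:
    """Follow one TCP connection from the client to the VIP and back."""
    client = IPv4Address(client_ip)
    req = Packet(client, VIP, 1149, 80)
    fwd = lb_client_to_server(req, RSERVERS[0], source_nat)
    # the real server answers whatever source address it saw
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    hop = server_reply_next_hop(reply)
    if hop == "direct":
        # The reply reaches the client straight from the rserver, sourced from
        # the rserver's own address. The client sent its SYN to the VIP, so the
        # SYN/ACK matches no connection and is rejected.
        return {"path": hop, "reply_src_seen_by_client": str(reply.src), "works": False}
    # The ACE sees the reply and undoes both translations (dst pool->client,
    # src rserver->VIP); the client sees a reply from the VIP it asked for.
    unnat = Packet(VIP, client, reply.sport, req.sport)
    return {"path": hop, "reply_src_seen_by_client": str(unnat.src), "works": True}


if __name__ == "__main__":
    for client in ("10.10.10.10", "192.0.2.10"):
        for snat in (False, True):
            print(client, "source NAT" if snat else "no source NAT", flow_result(client, snat))
```

Running it shows the asymmetry: the off-subnet client 192.0.2.10 works with or without source NAT because its replies always go to the gateway, while the on-subnet client 10.10.10.10 only works once its address is translated to the off-subnet pool address. The same check (is the client inside the server VLAN?) is what decides whether the nat class in the first answer is needed.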

  • Dynamic Source NAT for multiple POOLS

    I am setting up Dynamic Source NAT with a few pools and access-lists, to translate according to the access-list. However, when I configure them, some of the ACLs don't work at all, and the ACL doesn't match anything. I know that the correct way would be to apply the ACL on the interface with "ip access-group <ACL-name> in/out", but in this case it would be impossible to apply more than one ACL with the ip access-group command.
    Furthermore, I have tested creating a route-map named TEST with all the ACLs, but I cannot create all the "ip nat inside source route-map ..." statements with the same route-map name. I also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
    All the configurations are attached.
    I need your help,
    Thanks in advance!

    Oh my God!! It already works fine! I hadn't thought that "log" would be so painful.
    Thanks John Marshall!
    Attached is my troubleshooting:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
    tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
    tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
    Furthermore, we can check that the "rotary" option also works:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:57238 10.55.0.1:57238   4.2.2.2:22         4.2.2.2:22
    tcp 195.77.205.33:16393 10.55.1.1:16393   4.2.2.2:22         4.2.2.2:22
    Thanks again!
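The poster verifies by eye that each inside-local subnet was translated to the pool its ACL selects. The following added example (not code from the thread) does that check programmatically: it parses the "show ip nat translations" table from the post and audits each row against a subnet-to-pool map. The map is constructed from the first two rows only, so the third row (inside local 181.70.12.18) is reported as a source that no modelled policy covers; on a real device you would fill the map from the "ip nat inside source" statements.

```python
"""Parse and audit IOS "show ip nat translations" output.

Added example, not from the forum thread. SAMPLE_OUTPUT is the table from the
post; EXPECTED_POOLS is constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
"""

# constructed: the pool addresses each inside subnet is allowed to translate to
EXPECTED_POOLS: Dict[str, Set[str]] = {
    "10.55.0.0/24": {"195.77.205.33"},
    "10.55.1.0/24": {"200.200.200.1"},
}


def _split_socket(token: str) -> Tuple[str, int]:
    """'10.55.0.1:49529' -> ('10.55.0.1', 49529); a bare '---' (static rows) -> ('---', 0)."""
    if ":" not in token:
        return token, 0
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_translations(text: str) -> List[Dict[str, object]]:
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # a data row is the protocol followed by four address[:port] tokens
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        ig, il, ol, og = (_split_socket(p) for p in parts[1:])
        rows.append({
            "proto": parts[0],
            "inside_global": ig[0], "inside_global_port": ig[1],
            "inside_local": il[0], "inside_local_port": il[1],
            "outside_local": ol[0], "outside_global": og[0], "outside_port": og[1],
        })
    return rows


def audit_translations(text: str, expected: Optional[Dict[str, Set[str]]] = None) -> List[Tuple[str, ...]]:
    """Flag rows whose inside-local source lies outside every modelled subnet
    ('unexpected-source') or was translated to a pool address its subnet is
    not supposed to use ('wrong-pool')."""
    expected = EXPECTED_POOLS if expected is None else expected
    nets = {ip_network(n): pools for n, pools in expected.items()}
    findings: List[Tuple[str, ...]] = []
    for row in parse_translations(text):
        src = ip_address(str(row["inside_local"]))
        pools = next((p for net, p in nets.items() if src in net), None)
        if pools is None:
            findings.append(("unexpected-source", str(row["inside_local"]), str(row["inside_global"])))
        elif row["inside_global"] not in pools:
            findings.append(("wrong-pool", str(row["inside_local"]), str(row["inside_global"])))
    return findings


if __name__ == "__main__":
    for finding in audit_translations(SAMPLE_OUTPUT):
        print(*finding)
```

An empty findings list means every active translation matches the intended ACL-to-pool mapping; a "wrong-pool" finding is the symptom the poster originally had (an ACL not matching, so a flow falling through to another NAT statement).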

  • CSS Source NAT

    Hi,
    I have the CSS in a single-arm deployment model. I am trying to do Exchange server load balancing, but I am facing a problem
    with the source NAT. I don't want to NAT the client IP to the VIP.
    The Exchange team doesn't want the client IP address to be NATted. They want the real client IP to appear in Exchange so that they can track the exact
    user IP address for mail replying and tracking.
    Please let me know whether there is any way to bypass the source NAT for a specific VIP.

    Hi,
    I need something like that: I need to hide all servers behind the CSS11501, so any client will contact the server as follows:
    1- Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure service and content.
    2- Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
    Q1: Is that right?
    I am facing a problem because some client applications discover the server IP, not the VIP, and they fail.
    Q2: Where is the problem?

  • Source NAT for specific servers in a rule

    Hello,
    I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
    VIP address: 61.61.61.61
    Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
    Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
    Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
    service AAAA
    ip address 10.1.1.1
    active
    service BBBB
    ip address 10.1.1.2
    active
    service XXXX
    ip address 20.1.1.1
    active
    service YYYY
    ip address 20.1.1.2
    active
    owner Gateway
    content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.2
    add service 20.1.1.1
    active
    As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
    group Gateway
    vip address 61.61.61.61
    add destination service 20.1.1.1
    add destination service 20.1.1.2
    active
    In the past this configuration didn't work. We are going to try it again. Is there anything missing, and what else should we check to get it to work?
    Appreciate any help.

    Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
    Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
    FROM:
    group Gateway
      vip address 61.61.61.61
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    TO:
    group Gateway
      vip address 61.61.61.61
      add destination service 10.1.1.1
      add destination service 10.1.1.2
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    Good luck!
    James

  • Issues with source NAT configuration in VNMC

    Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
    ASA 1000v
    -          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
    -          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
    On ASA running ‘show route’ outputs following:
    C             10.1.1.0 255.255.255.0 is directly connected, esp-in
    C             10.147.28.0 255.255.255.0 is directly connected, management
    C             10.147.30.0 255.255.255.0 is directly connected, esp-out
    S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
    On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
    Now I want to configure the following scenarios through VNMC:
    1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
    ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
    10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
    pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
    ERROR:  interface keyword is not allowed when translated interface is any;
    2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule allowing outbound SSH traffic. This was working for me initially, and I was able to SSH from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance, this stopped working and there was a configuration error:
    ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
    ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
    Version details
    VNMC 2.0
    ASA 1000v version
    Cisco Adaptive Security Appliance Software Version 8.7(1)1
    Device Manager Version 6.7(1)
    Questions:
    -          Can anyone let me know the correct configuration for setting up source NAT as mentioned above? Why am I getting the errors mentioned, and how do I fix them?
    -          Why is there an error on reassigning the ASA 1000v to the edge firewall?
    -          How do I enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?
    Thanks,
    Koushik

    Hello Arseny,
    How did you resolve this issue?
    We are still facing the same problem in WebI 4.1 SP5 Patch 4.
    The issue is still under SAP investigation with KBA 2131762.
    Regards,
    Mirko

  • Is it possible to source NAT health checks?

    I am source natting the data traffic to the back end servers using a source group but I notice the health checks are not affected and they use the interface physical address. The way I found out is the service is down and the firewall was dropping the health checks. Does anyone know a way to source nat health checks? Either that or have them source from the redundant VIP address that is configured on the interface and not the "real" address. CCO and google produced nothing... thanks!

    you can't nat probes.
    The CSS will use its outgoing interface ip address as the source ip.
    Just make sure your firewall allows this traffic.
    Gilles.

  • ACE One-Arm Source-NAT HTTP Header Insert

    Hello ACE Gurus,
    This is probably a dumb question, but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header rewrite action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and whether the ACE can modify it on an HTTPS session. Any input would be greatly appreciated.
    /r
    Rob

    Hi Rob,
    When using HTTPS, all the data is encrypted, including the HTTP headers.
    In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
    I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
    Regards
    Daniel

  • ACE without NAT

    Hello
    I have a configuration in the ACE module to NOT perform NAT with the command transparent in a serverfarm configuration mode, but it is not working.
    rserver host MXMTYIPR
      ip address 172.19.127.131
      inservice
    serverfarm host _Front
      transparent
      rserver MXMTYIPR 443
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKY_FR
      timeout 10
      timeout activeconns
      replicate sticky
      serverfarm _Front
    class-map match-all CLASS_LYN
      2 match virtual-address 172.19.127.1 tcp eq https
    policy-map type management first-match POLICY-ADMIN
      class CLASS-ADMIN
        permit
    policy-map type loadbalance first-match POLICY_FR
      class class-default
        sticky-serverfarm STICKY_FR
    policy-map multi-match PM_FR
      class CLASS_LYN
        loadbalance vip inservice
        loadbalance policy POLICY_FR
        loadbalance vip icmp-reply
    interface vlan 550
      ip address 172.18.50.139 255.255.255.240
      alias 172.18.50.141 255.255.255.240
      peer ip address 172.18.50.140 255.255.255.240
      service-policy input PM_FR
      no shutdown
    Does anybody have any recommendation on this?
    Thanks for your help.
    Regards

    Hi,
    You should disable normalization on client side interface and also configure server so that it returns the traffic with VIP as the source IP. Please visit the below link for more details:
    https://supportforums.cisco.com/document/91121/configure-ace-direct-server-return-mode
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • ACE source IP based predictor

    Hi
    I know that if we use source-IP-based predictors, the ACE would use a hash of the source IP to load balance the traffic. Is there a capability to make this process deterministic? In other words, I have three client subnets accessing the web servers on the same VIP. I want the traffic from subnet 1 to go to server 1 and the traffic from subnets 2 and 3 to be load balanced to the rest of the servers.
    Any idea on how to get this done?

    Hi Dinuka,
    Session persistence (stickiness) based on the client source IP address or HTTP cookies is recommended to be configured on the Cisco ACE for this flow.
    IP Address Stickiness
    You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
    Here is a sample configuration:
    resource-class websrv
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 20.00 maximum equal-to-min
    rserver host webserver1
      ip address 10.10.10.1
      inservice
    rserver host webserver2
      ip address 10.10.10.2
      inservice
    rserver host webserver3
      ip address 10.10.10.3
      inservice
    serverfarm host werbsrv1only
      probe websrv
      rserver webserver1 1000
        inservice
    serverfarm host werbsrv123
      probe websrv
      rserver webserver1 1000
        inservice
      rserver webserver2 1000
        inservice
      rserver webserver3 1000
        inservice
    The ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.
    The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on the ACE as follows:
    probe http websrv
      port 1000
      interval 2
      faildetect 2
      passdetect interval 2
      request method get url /index.html
      expect status 200 200
    Session persistence can be established by tying the session to an IP address that uniquely identifies the client.
    Create a sticky group:
    sticky ip-netmask 255.255.255.255 address source Client_subnet_1
      timeout 10
      serverfarm werbsrv1only
    Change the server farm to the sticky group:
    policy-map type loadbalance first-match basic-slb
      class class-default
        sticky-serverfarm werbsrv1only
    sticky ip-netmask 255.255.255.255 address source Client_subnet_2
      timeout 10
      serverfarm werbsrv123
    sticky ip-netmask 255.255.255.255 address source Client_subnet_3
      timeout 10
      serverfarm werbsrv123
    Here you can find the details in the below url :
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411
    I have also attached a jpeg for your reference.
    Hope you will get the idea how to use the sticky based on IP address.
    Here you can find sample config of similar type:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html
    Thanks and regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
    Mob: +91-9911757733
    Email: [email protected]
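The reply above steers each client subnet to its own sticky group and server farm. The following added example (not code from the thread or from Cisco) models how an ip-netmask sticky table behaves, so the deterministic mapping Dinuka asked for can be seen end to end: the sticky key is the client address ANDed with the configured mask, the entry remembers the rserver chosen for that key and is refreshed on every hit, and the entry expires after the timeout. Which client subnet belongs to which sticky group is decided by class-maps the reply does not show, so here a direct subnet-to-farm map is assumed, the client subnets are constructed from documentation ranges, the predictor inside a farm is assumed to be round robin, and the "timeout 10" is assumed to mean 10 minutes.

```python
"""Model of ACE ip-netmask sticky groups (added example, not Cisco code).

Assumptions: subnet-to-farm mapping below stands in for the class-maps; the
in-farm predictor is round robin; "timeout 10" is 10 minutes (600 s).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# constructed: three client subnets, mapped as in the reply (subnet 1 -> one
# server only; subnets 2 and 3 -> all three servers)
SUBNET_TO_FARM = {
    ip_network("192.0.2.0/24"): "werbsrv1only",
    ip_network("198.51.100.0/24"): "werbsrv123",
    ip_network("203.0.113.0/24"): "werbsrv123",
}
FARMS = {
    "werbsrv1only": ["webserver1"],
    "werbsrv123": ["webserver1", "webserver2", "webserver3"],
}


@dataclass
class StickyEntry:
    server: str
    last_seen: float


class IpSticky:
    """One sticky table shared by all groups; keys are masked client addresses."""

    def __init__(self, netmask: str = "255.255.255.255", timeout_s: float = 600.0):
        self.mask = netmask
        self.timeout_s = timeout_s
        self.table: Dict[str, StickyEntry] = {}
        self.rr: Dict[str, int] = {farm: 0 for farm in FARMS}

    def _key(self, client_ip: str) -> str:
        # ip-netmask: the sticky key is the client address ANDed with the mask,
        # so a /24 mask makes a whole subnet share one entry
        return str(ip_network(f"{client_ip}/{self.mask}", strict=False).network_address)

    @staticmethod
    def farm_for(client_ip: str) -> Optional[str]:
        addr = ip_address(client_ip)
        for net, farm in SUBNET_TO_FARM.items():
            if addr in net:
                return farm
        return None

    def _predict(self, farm: str) -> str:
        """Assumed round-robin predictor for a new sticky entry."""
        servers = FARMS[farm]
        server = servers[self.rr[farm] % len(servers)]
        self.rr[farm] += 1
        return server

    def select(self, client_ip: str, now: float) -> Optional[str]:
        """Return the rserver for this client at time `now` (seconds)."""
        farm = self.farm_for(client_ip)
        if farm is None:
            return None  # no class matched, so no sticky group applies
        key = self._key(client_ip)
        entry = self.table.get(key)
        if entry is not None and now - entry.last_seen < self.timeout_s:
            entry.last_seen = now  # sticky hit: the idle timer restarts
            return entry.server
        server = self._predict(farm)  # miss or expired: predictor picks, entry stored
        self.table[key] = StickyEntry(server, now)
        return server


if __name__ == "__main__":
    sticky = IpSticky()
    for ip in ("192.0.2.5", "198.51.100.10", "198.51.100.11", "203.0.113.7", "198.51.100.10"):
        print(ip, "->", sticky.select(ip, now=0.0))
```

Two things the model makes visible: every client in subnet 1 lands on webserver1 because that farm has only one member, while subnets 2 and 3 are spread across all three servers but each individual client keeps its server while its entry is alive; and with a 255.255.255.0 netmask the granularity drops to one entry per subnet, which is the megaproxy trade-off the reply mentions in reverse (coarser keys, fewer entries, less per-client balance).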

  • ACE: Transparent NAT feasibility

    Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
    All ideas welcome.

    BTW, I want to clarify that client NAT is not on by default. You must configure it, and if you do so, you lose information about the client IP. The solution to insert the info into the HTTP header is a good one.
    Gilles

  • Ace and NAT...

    Hi all,
    a couple of questions:
    How does the NAT logic on the ACE work? Do I put the pool on the 'outside' interface and a policy on the inside interface?
    How does server farm NAT work? I have not understood it well...
    Last one :)
    ACE with two interfaces, <server side> & <outside>.
    The topology is the ACE with the above 2 interfaces; the gateway of the ACE is a FW with 3 interfaces: toward the internet, toward the ACE and toward the internal network (10.0.0.0).
    Flows:
    First one:
    SRC 1.1.1.1, 1.1.1.2 --> VIP 5.5.5.5 --> real --> 1.1.1.3, 1.1.1.4. In this situation I put a NAT pool on the <server side> interface and a NAT statement on the <server side> interface; that is easy.
    2
    src 1.1.1.1 --> dst 10.0.0.0: I must not NAT.
    3 src 1.1.1.1 --> dst internet port 443,80,25: I have to NAT 1.1.1.1.
    Rules 2 and 3 may overlap, because I could also contact the intranet on ports 80 and 443, and for that flow I must not NAT.
    The idea is:
    1 flows: no problem, it is just a simple server-to-server NAT hitting the VIP, with the servers on the same subnet.
    2 flows: server farm in transparent mode with VIP 10.0.0.0 255.0.0.0 and the rserver is the FW.
    3 flows: src NAT hitting destination ports 80 and 443...
    Is this right? Does the policy lookup on the ACE permit it? I mean, when the ACE sees a packet with destination 10.0.0.0, does it forward the packet without NAT even if it also sees port 80 or 443?
    I want to put the load balancing rule in a different policy and put it before the NAT statement.
    Thanks
    Dan

    Hi Gilles,
    first of all, thanks very much.
    1. If I put "loadbalance vip inservice" in a multi-match policy with a class that has destination-address and not virtual-address, this error appears:
    Error: LB action requires match vip command!
    2. With the configuration that I posted before (reported below), the forward clause is matched, but parsing of the policy carries on and matches the NAT statement as well.
    I expected that after the first match (forward) no match would be done on the second statement. What happens is that if I telnet to IP 4.4.4.1 (inside the range of the 4.0.0.0/8 virtual-address) the communication is NATted, so not just the forward policy is hit. In fact I can see counters incrementing in both service policies.
    class-map match-all CM_forward
      2 match virtual-address 4.0.0.0 255.0.0.0 any
      (it is not possible to put a destination address in a class map that is associated with a multi-match policy)
    class-map match-any C_Nat_SRVtoInternet
      2 match port tcp eq telnet
    policy-map type loadbalance first-match L7_P_forward_internal
      class class-default
        forward
    policy-map multi-match testdanilo_be
      class CM_forward
        loadbalance vip inservice
        loadbalance policy L7_P_forward_internal
      class C_Nat_SRVtoInternet
        nat dynamic 108 vlan 903
    interface vlan 901
      description BE_server_side
      ip address 172.18.1.254 255.255.255.0
      no icmp-guard
      access-group input BE
      service-policy input P_MNGT_POLICY
      service-policy input testdanilo_be
      service-policy input P_MM_NatSRVtoSrvBeViaVIP
      no shutdown
    interface vlan 903
      description FE
      ip address 192.168.0.162 255.255.255.0
      mac-sticky enable
      no icmp-guard
      access-group input FE
      nat-pool 108 192.168.0.254 192.168.0.254 netmask 255.255.255.255 pat
      service-policy input P_MNGT_POLICY
      no shutdown
    Thanks
    Dan

  • Best practice for Source NATTING ?

    Is there a general design rule for configuring source NATing? Is it best to configure the CSS in one- or two-armed mode?
    What are the performance limitations in doing this?
    Can source NATed and non-source-NATed content rules be configured on the CSS with no impact?
    Cheers, Mike

    Source groups translate the source address of packets from back-end services before forwarding them. When a flow is originated from the back-end server with a private address, the request appears to come from the public Virtual IP (VIP) of the source group. You can also use source groups (with Access Lists (ACLs)) to translate clients' private IP addresses (which reside on the back-end of the CSS) to a public IP address (the VIP).
    The use of this type of source group is useful when setting up a one-armed configuration where client and server traffic flows through the same CSS switch. For more information read the following document.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml
