Client NAT - ACE

Hi All,
We are trying to configure client NAT on ACE. I have tried the following configuration.
I want to make sure of the following things:
1) Whether this is the right way, and whether it is possible at all?
2) If it is, and anyone has ideas on it, please let me know, so that I can send the topology diagram as well to make it easier to understand.
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
class-map match-all NAT
  2 match source-address 0.0.0.0 0.0.0.0
  3 match destination-address 172.16.30.110 255.255.255.255
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
  class NAT
    nat dynamic 9 vlan 300
interface vlan 300
  description Clientside interface
  bridge-group 30
  access-group input ALL
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  service-policy input MOON-POLICY
  no shutdown
Regards
Aslam...

Hi Aslam,
yes, it's possible in a quite simple way. I see some errors in your configuration:
You don't need a second class map "NAT"; the first one is sufficient. You can tell the ACE "when traffic matches CLIENT-TO-AVS-VIP, load balance AND NAT client traffic".
To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.
This should work as you want:
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300
Remember that an instruction like
"2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm: no instruction on source-address means match any source.
You can check some other scenarios on source NAT here:
http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html
Hope this helps.
Alberto
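A complete bridged-mode fragment built from Alberto's answer, added here as a worked example; it is not config from either post. It assumes a server-side VLAN 301 in the same bridge-group (the original post shows only the client-side VLAN 300), a BVI address of 172.16.30.3, two rservers at 172.16.30.11 and .12, the serverfarm name MOON_AVS, and an existing access-list named ALL. It puts the NAT pool on the server-side interface, which is where the translated traffic leaves the ACE and where the other ACE threads on this page also place it (nat-pool 5 on vlan 200, nat-pool 1025 on vlan 436), and it keeps the nat dynamic statement inside the VIP class, as Alberto describes.

```cisco
rserver host WEB1
  ip address 172.16.30.11
  inservice
rserver host WEB2
  ip address 172.16.30.12
  inservice
serverfarm host MOON_AVS
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
policy-map type loadbalance first-match MOON_AVS_CLIENT
  class class-default
    serverfarm MOON_AVS
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 301
interface vlan 300
  description Client-side interface
  bridge-group 30
  access-group input ALL
  service-policy input MOON-POLICY
  no shutdown
interface vlan 301
  description Server-side interface
  bridge-group 30
  access-group input ALL
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  no shutdown
interface bvi 30
  ip address 172.16.30.3 255.255.255.0
  no shutdown
```

Two things to check after applying it. The access-group on the server-side VLAN is not optional: the ACE drops traffic on an interface that has no ACL applied, so without it the servers' replies never come back. Then confirm the translation is actually happening with "show service-policy MOON-POLICY detail" (the hit count under nat: for the CLIENT-TO-AVS-VIP class should increment per client connection, as in the counter output pasted further down this page) and with "show conn", where the server-side leg of a client connection should carry a source in 172.16.30.200-210 rather than the client's own address. Because the pool addresses sit in the same subnet as the rservers, the servers reach them by ARP on VLAN 301 and need no route for the return path; make sure the pool range does not overlap the rservers, the BVI or a peer address.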

Similar Messages

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT pools, on which the configuration guide is a little scant.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool.
    I hope this makes sense!
    thanks
    Sheldon

    The CSM does PAT by default.
    Gilles.

  • Client NAT and Source IP Sticky

    How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

    this is possible.
    The CSM will first determine the destination server based on the client IP and the sticky srcip table, and then it will NAT the client IP address using your pool.
    It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
    Regards,
    Gilles.

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space, as that is where the default gateway for the CSM is. I made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Client NAT in CSS11500

    Hi,
    I'm currently redesigning my portal infrastructure and, as such, I need to redo a few things on my CSS. But I can't seem to find anything about client NAT on the CSS. I need to NAT/PAT external sessions to an inside RFC 1918 address. The config below simply passes the original source IP through, and consequently the session is blocked by the firewall. So far I've been unsuccessful in finding the proper documentation, so I'm hoping someone here can help me get started.
    owner BK019TF
      content BK019TF-SSL
        vip address a.b.c.d
        add service SSLMODULE1
        port 443
        protocol tcp
        active
      content BK019TF
        redundant-index 142
        advanced-balance sticky-srcip
        port 4433
        protocol tcp
        vip address a.b.c.d
        add service Misys-ben-3
        add service Misys-ben-4
        active
    Thanks
    /Ulrih

    Source groups are used on the CSS to NAT the source IP addresses. There could be two scenarios:
    1. A connection is opened to the server.
    In this case you need 'add destination service'.
    2. The server opens the connection. In this case you need 'add service ...'.
    The following example will give you some idea of how to implement source NAT with the CSS:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
    Thanks
    Syed Iftekhar Ahmed

  • Client nat in csm?

    In CSM, we need client NAT.
    I have a question about client NAT.
    Is client NAT PAT or plain NAT?
    If it is PAT, does it operate in a rotary fashion?
    If client NAT is just NAT, we have a problem.

    The PAT range for an FTP service vserver is 1025-8192.
    For the others, the PAT range is 8193-65535.
    It starts at 8193 and increments.
    PAT is always on.
    Gilles.

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported on the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
    "policy-map type loadbalance".
    Could you check the two parts of the config and advise me whether the ACE config is
    properly converted from the CSM and will work in the same way (especially for NAT)?
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do NAT, so change the nat-pool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the NAT like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • ACE 4710 client NAT (outgoing)

    Hi Experts,
         I have an ACE 4710 set up to load balance HTTP and HTTPS only; it seems to be working fine.
         Now I have another requirement: to NAT all real server IPs (server-side internal network 10.8.8.0) to the VIP (192.168.1.20).
    Our configuration is as below:
    the two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP 10.8.8.254);
    VLAN v400 faces the public side, the v400 interface IP is 192.168.1.10, and there is one VIP, 192.168.1.20, mapped to the two real servers.
    I need to configure all outgoing traffic from network 10.8.8.0 to the public side to have its source IP NATed to 192.168.1.20 (the VIP, not the interface's real IP 192.168.1.10).
    Thanks,
    BQ

    Here are a few things you could try:
    1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
    change to
    nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 pat (/32 host)
    2. service-policy input remote-access
    Do you have a management VLAN interface defined? If so, add it to that interface.
    3. The requirements are to LB HTTP (80) and HTTPS (443). In this case you would need two separate VIPs defined:
    VIP1:
    class-map match-all slb-vip-80
      2 match virtual-address 192.168.1.20 tcp eq 80
    VIP2:
    class-map match-all slb-vip-443
      2 match virtual-address 192.168.1.20 tcp eq 443
    Is there a requirement to redirect HTTP traffic? If so, you would need to define another class-map to redirect HTTP traffic to HTTPS.
    show service-policy client-vips detail
    HTH

  • How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

    I'm using an ACE 4710 appliance deployed in one-armed mode, using source NAT to load balance HTTP requests to a couple of proxy servers.
    Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxy's logs, so I can't keep track of them.
    The Interfaces and Nat configs are:
    interface vlan 200
      description Server-Side-VLAN
      bridge-group 5
      nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
      service-policy input VIPS
    interface vlan 300
      description Client-Side-VLAN
      bridge-group 5
    interface bvi 5
      ip address 10.1.1.3 255.255.248.0
      description Client-Server-Virtual-Interface
    ip route 0.0.0.0 0.0.0.0 10.1.1.1
    and the policy map looks like this
    policy-map multi-match VIPS
      class Port80
        loadbalance vip inservice
        loadbalance policy Port80
        nat dynamic 5 vlan 200
    Resource assignment:
    sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
      timeout 5
      serverfarm Service80
    Any suggestions will be appreciated,
    Thanks

    Hi Kanwal,
    Thanks for your quick reply,
    I've already tried this, but it didn't work. The problem is that I don't manage the proxy servers, so I rely on their skills to see the logs.
    The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
    But I'll try again tomorrow and let you know how it goes.
    Thank you again.
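Header insertion that keeps the original client address visible to the proxies while the source NAT stays in place, which is also the approach Gilles endorses at the end of this page. This is an added example, not config from the thread; it is built around the names the post already uses (policy Port80, sticky group RESOURCE-CLASS, pool 5 on vlan 200), and the parameter-map name XFF-HTTP is an assumption. The ACE writes the client source address into an X-Forwarded-For request header using its %is variable; persistence-rebalance is included so the header is inserted on every request of a persistent HTTP connection rather than only the first one.

```cisco
parameter-map type http XFF-HTTP
  persistence-rebalance
policy-map type loadbalance first-match Port80
  class class-default
    sticky-serverfarm RESOURCE-CLASS
    insert-http X-Forwarded-For header-value "%is"
policy-map multi-match VIPS
  class Port80
    loadbalance vip inservice
    loadbalance policy Port80
    appl-parameter http advanced-options XFF-HTTP
    nat dynamic 5 vlan 200
```

Two caveats for the people running the proxies. First, the proxy has to be told to log or honour the header (in Squid that is a logformat referencing X-Forwarded-For, or follow_x_forwarded_for if it should act on it); the ACE side alone changes nothing in their logs. Second, any client can send an X-Forwarded-For header of its own, so the proxies should only trust the value on connections that arrive from the ACE's pool address 10.1.1.5, and should treat the ACE-inserted value, not an arbitrary client-supplied one, as the client address.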

  • Destination NAT ACE

    Can someone provide some information on how you would setup 2 servers to proxy out as the VIP address?
    On the CSS I know you can accomplish this though the use of a group rule
    Ex:
    group Outbound_Proxy
    vip address 192.168.1.x
    add service web1
    add service web2
    active
    What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration; however, I am not too sure how to set that up.
    Can someone please provide some advice?
    Thank you in advance!

    Thank you for your response, Gilles! Glad to know that my configuration should work.
    The reason I assume it does not work is the output given by 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I initiate a connection to the .163 VIP, where it should balance to either the 192.168.100.158 or the 192.168.100.157 IP address. I thought the outbound response would have incremented something in the service-policy output.
    Status : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 91
    service-policy: NAT-POLICY
    class: DNS-NAT-Servers
    nat:
    nat dynamic 2 vlan 695
    curr conns : 0 , hit count : 0
    dropped conns : 0
    client pkt count : 0 , client byte count: 0
    server pkt count : 0 , server byte count: 0
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    This is the reason I have not yet performed a packet capture.
    I notice the connection establishes just fine and the ACE forwards/balances my connection to the correct destination server. However, looking at the me-stats for the connection ID, I noticed it is not dynamically NATing the response out.
    ACE-12539-187036/spam# sho conn | i 64.39.0.40
    150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
    34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
    Connection ID:seq: 34566[0x8706].5
    Other ConnID : 150536[0x24c08].10
    Proxy ConnID : 0[0x0].0
    Next Q : 0[0x0]
    192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
    Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
    L3 Protocol : IPv4 L4 Protocol : 6
    Inbound Flag : 0
    Interface Match : Yes
    Interface MatchID: 13
    EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
    MSS : 1380 TOS Stamp : 0
    Repeat mode : No ARP Lookup : No
    TOS Stamp : No TCP Window Check: No
    ACE ID : 12898 NAT Policy ID : 0
    Post NAT hop : 0
    Packet Count : 1 Byte Count : 44
    TCP Information: (State = 3)
    Window size : 16384 Window scale : 0
    FIN seen : No FIN/ACK seen : No
    FIN/ACK exp : No Close initiator : No
    FIN/ACK expval: 5b40000 Last seq : 79e90c16
    timestamp_delta: 0 Last ack : 1
    No Trigger : 0 Trigger Status : 0
    Timestamp : 6279495f
    TCP options negotiated:
    Sack:Clear TS:Clear Windowscale: Clear
    Reserved: Allow Exceed MSS: Deny Window var: Allow
    Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply only to outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can set up dynamic NAT for a specific serverfarm. Do you think I should try that instead?
    Thank you in advance!
    - Jason

  • RV042 Shrew soft client NAT-t new mapping

    Hi everyone,
    Since I had a Quick VPN issue, I tried the Shrew Soft client, hoping to get an IPsec tunnel with the RV042 router in client-to-gateway mode.
    On the Shrew client, I got "Tunnel is activated" but then got "establish failed" errors.
    In the RV042 IPsec log, it ended with: NAT-T: x.x.x.x new mapping.
    What does it mean?
    Thanks for your answers.

    Hi Hdam,
    That's good :)
    - Yes, you can change the FQDN from remote.com to another domain name.
    - Why don't I select IP address as the remote? Because on the router, when you select Group VPN, the VPN will automatically be the responder, waiting for a connection; in that case we also don't need to specify the public or LAN network of the client, because they can connect from anywhere.
    Now, on the client, the local ID should be the same as the remote ID on the router (remember that when you configure a VPN tunnel between two routers, the local address of site B should be the remote address on site A; it is the same here with Shrew VPN, but using an FQDN).
    - Just to clarify: the RV0xx doesn't support VLANs; it is port-based VLAN and multiple subnets, BUT you can achieve what you need :)
    Please follow these steps:
    Step 1: I assume that you have already added the additional subnet; if not, just add it under Setup --> Network and then add the additional subnet. For a better implementation of the subnets, it is better to have something like this example: if you have the default network 192.168.1.1/24, add a second subnet 192.168.2.1/24; in this case, in the VPN setup we can do subnet summarization, and it will be 192.168.0.0/16 (class B). All the PCs connected to the router should have gateway 192.168.1.1 or 192.168.2.1 in my example, of course.
    Step 2: Under VPN --> Summary --> edit the old configuration for the VPN client and change the local network to 192.168.0.0 mask 255.255.0.0.
    Step 3: On Shrew VPN, also under Policy --> Remote Network Resource, change to 192.168.0.0 255.255.0.0.
    And it should work :)
    Please rate this post to help other Cisco customers.
    Greetings
    Mehdi

  • Routed ACE but no NAT problem

    Hi,
    We have a VIP for an FTP service where we do not wish to lose the Client (Source) IP for auditing purposes. So we don't source NAT and force the return traffic back to the ACE with PBR. However the return flow still bypasses the ACE VIP and straight back to the client, diagram below. Is anyone aware of a technique where I can force the ACE to connect the return traffic to the incoming flow?

    Hi Mark,
    Check and compare the config with the example config.
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
    Avoid the NAT part of the config. Also make sure you are using something like the below (which is in the above doc):
    ACE-1/onearm(config)# policy-map multi-match client-vips
    ACE-1/onearm(config-pmap)# class slb-vip
    ACE-1/onearm(config-pmap-c)# loadbalance vip inservice
    ACE-1/onearm(config-pmap-c)# loadbalance policy slb
    ACE-1/onearm(config-pmap-c)# inspect ftp  <<<<<<<  This will make difference
    Hope that helps.
    regards,
    Ajay Kumar

  • ACE 4710 : Disable NAT

    Hi All,
    Currently I'm using NAT to translate the client source IP address; the NAT pool is configured on the server-side VLAN interface.
    But now I don't want to translate the client source IP address:
    - I have changed the real server gateway to the ACE interface IP.
    - I have already removed the NAT configuration, but now I cannot access the VIP using a browser, though I can ping the VIP.
    Any idea why I cannot reach the VIP through the browser?
    Design:
    client--------------CORE--------ACE------------------Real Server.
    Thanks

    Need help/advice regarding the routing to make this method work.
    When I change the server gateway to the ACE server VLAN interface, my server cannot communicate with other VLANs. From the context, I can ping the server VLAN and other VLANs.
    *Core interfaces - 172.16.36.254 (server VLAN), 172.19.30.254 (client VLAN).
    *LB interfaces - 172.16.36.70, 172.19.30.65
    *Real server IP is using default gateway 172.16.36.70
    Routing I have done:
    CORE- ip route 172.16.36.0 255.255.255.0 172.16.36.70
          ip route 172.19.30.0 255.255.255.0 172.19.30.65
    LB- ip route 0.0.0.0 0.0.0.0 172.19.30.254
    Can someone help me verify this?
    Thanks

  • ACE 4710 Client and Server hitting same VIP

    But the catch here is that we are using IPs from the server-side VLANs as opposed to from the client side. If that were the case, I would simply use SNAT and assign a pool, but in this case that doesn't appear to work.
    So how do I get this to work?
    Mike

    And how do I do that? You say client NAT; I hear source NAT and think of this:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml
    This doesn't work because my VIP IP pool is the same as the server-side VLAN.
    We are using public IPs on our servers so as not to have to manage RFC 1918 addresses.
    Mike

  • ACE: Transparent NAT feasibility

    Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
    All ideas welcome.

    BTW, I want to clarify that client NAT is not on by default. You must configure it, and if you do so, you lose information about the client IP. The solution of inserting the info into the HTTP header is a good one.
    Gilles
