Client NAT - ACE
Hi All,
We are trying to configure client NAT on the ACE; I have tried the following configuration.
I want to make sure of the following things:
1) Whether this is the right way to do it, or if this is possible at all?
2) If it is, and anyone has ideas for it, please let me know, so that I can send the topology diagram as well to make it easier to understand.
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
class-map match-all NAT
  2 match source-address 0.0.0.0 0.0.0.0
  3 match destination-address 172.16.30.110 255.255.255.255
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
  class NAT
    nat dynamic 9 vlan 300
interface vlan 300
  description Clientside interface
  bridge-group 30
  access-group input ALL
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  service-policy input MOON-POLICY
  no shutdown
Regards
Aslam...
Hi Aslam,
yes it's possible in a quite simple way, I see some errors in your configuration :
You don't need a second class map "NAT", the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, loadbalance AND nat client traffic".
To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.
This should work as you want :
class-map match-all CLIENT-TO-AVS-VIP
  2 match virtual-address 172.16.30.110 tcp eq www
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300
Remember that an instruction like "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm: no instruction on source-address means match any source.
You can check some other scenarios on source nat here :
http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html
Hope this helps.
Alberto
Similar Messages
-
Use of client nat pools on the CSM
Hi Guys,
Just a quick questions about the use of NAT POOLS, which the configuration guide is a little scant for information.
If a client NAT pool such as this is used (16 addresses):
natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceed the number of IP addresses available in the NAT pool?
I hope this makes sense!
thanks
Sheldon
The CSM does PAT by default.
Gilles. -
Client NAT and Source IP Sticky
How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.
this is possible.
The CSM will first determine the destination server based on the client ip and the sticky srcip table and then it will nat the client ip address using your pool.
It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
Regards,
Gilles. -
CSM - Client NAT for routable server subnet
I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?
Thanks. This is now working.
I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
Noticed that a previous "show mod csm 5 arp" showed:
10.200.2.100 -->10.200.250.1 0 REAL routed
10.200.2.101 -->10.200.250.1 0 REAL routed
10.200.2.102 -->10.200.250.1 0 REAL routed -
Hi,
I'm currently redesigning my portal infrastructure and as such, I need to redo a few things on my CSS. But I can't seem to find anything about client NAT on the CSS. I need to NAT/PAT external sessions to an inside RFC1918 address. The config below simply passes the original source IP through and consequently the session is blocked by the firewall. So far I've been unsuccessful in finding the proper documentation, so I'm hoping someone here can help me get started.
owner BK019TF
  content BK019TF-SSL
    vip address a.b.c.d
    add service SSLMODULE1
    port 443
    protocol tcp
    active
  content BK019TF
    redundant-index 142
    advanced-balance sticky-srcip
    port 4433
    protocol tcp
    vip address a.b.c.d
    add service Misys-ben-3
    add service Misys-ben-4
    active
Thanks
/Ulrih
Source groups are used on the CSS to NAT the source IP addresses. There could be two scenarios:
1. A connection is opened to the server.
In this case you need 'add destination service'.
2. The server opens the connection. In this case you need 'add service ...'
The following example will give you some idea of how to implement source NAT with the CSS:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
Thanks
Syed Iftekhar Ahmed -
in csm, we need client nat.
I have a question about client nat.
client nat is pat or nat?
if that is pat, that is operated with rotary type?
if client nat is just nat, we have a problem.
The PAT for FTP service setting vserver is 1025 - 8192.
For others, the PAT range is 8193-65535.
It starts at 8193 and increments.
PAT is always on.
Gilles. -
Ace module in bridged mode with client nat
Could someone confirm whether NAT is supported on the ACE-20 module, please?
Let me explain the technical details.
I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on the ACE is configured as "nat dynamic 1025 vlan 436" inside the corresponding "policy-map type loadbalance".
Could you check the two parts of the config and advise me whether the ACE config is properly converted from the CSM and will work in the same way (especially for NAT)?
Thank you in advance.
CSM config
=======
vlan 36 client
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
  gateway 10.36.3.1
vlan 436 server
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
  interval 30
  failed 120
  open 3
  port 80
probe WEBMAIL-443 tcp
  interval 5
  failed 60
  open 2
  port 443
serverfarm WEBMAIL-443
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 443
    inservice
  real 10.36.3.102 443
    inservice
  probe WEBMAIL-443
serverfarm WEBMAIL-80
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 80
    inservice
  real 10.36.3.102 80
    inservice
  probe SHAREPOINT
vserver WEBMAIL-443
  virtual 10.36.3.100 tcp https
  serverfarm WEBMAIL-443
  sticky 60 group 30
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
vserver WEBMAIL-80
  virtual 10.36.3.100 tcp www
  serverfarm WEBMAIL-80
  replicate csrp connection
  persistent rebalance
  inservice
ACE config
=======
probe tcp WEBMAIL-443
  interval 5
  open 2
  passdetect interval 60
  port 443
probe tcp SHAREPOINT
  interval 30
  open 3
  passdetect interval 120
  port 80
serverfarm host WEBMAIL-443
  predictor leastconns
  probe WEBMAIL-443
  rserver 10-36-3-101 443
    inservice
  rserver 10-36-3-102 443
    inservice
serverfarm host WEBMAIL-80
  predictor leastconns
  probe SHAREPOINT
  rserver 10-36-3-101 80
    inservice
  rserver 10-36-3-102 80
    inservice
class-map match-all WEBMAIL-80
  match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
  match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
  serverfarm WEBMAIL-443
  replicate sticky
  timeout 60
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
  class class-default
    sticky-serverfarm 30
    nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
  persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
interface vlan 36
  bridge-group 36
  service-policy input IFVLAN36-POLICY
  mac-sticky enable
  no shutdown
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  no shutdown
interface bvi 36
  ip address 10.36.3.3 255.255.255.0
  peer ip address 10.36.3.4 255.255.255.0
  no shutdown
Hello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class class-default
    nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
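A quick way to catch the three mistakes discussed in the first thread and in the CSM-to-ACE conversion reply above before a config is pasted into the ACE. This is an added example written for this page, not code from the threads or from Cisco; it assumes the config is a plain-text dump with the usual ACE indentation and checks only that each "nat dynamic" names a nat-pool defined under the same VLAN interface, that a single-address pool carries "pat", and that "nat dynamic" sits in the multi-match policy rather than in a "policy-map type loadbalance".

```python
import re
from typing import Dict, List, Tuple

# Added example (not code from the threads or from Cisco); only these
# statements are parsed, everything else in the config is skipped.
POOL_RE = re.compile(r"^nat-pool (\d+) (\S+) (\S+) netmask \S+( pat)?$")
NAT_RE = re.compile(r"^nat dynamic (\d+) vlan (\d+)")
IFACE_RE = re.compile(r"^interface vlan (\d+)$")

# Constructed sample: the corrected MOON-POLICY from the first thread plus three
# deliberate mistakes (pool 8 undefined, pool 7 without pat, nat in an LB policy).
SAMPLE_CONFIG = """\
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map multi-match MOON-POLICY
  class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    nat dynamic 9 vlan 300
    nat dynamic 8 vlan 300
    nat dynamic 7 vlan 400
interface vlan 300
  bridge-group 30
  nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
  service-policy input MOON-POLICY
interface vlan 400
  nat-pool 7 172.16.40.5 172.16.40.5 netmask 255.255.255.255
interface vlan 436
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
"""


def parse_pools(config: str) -> Dict[Tuple[int, int], dict]:
    """Map (vlan, pool id) -> {'start', 'end', 'pat'} for every nat-pool line."""
    pools: Dict[Tuple[int, int], dict] = {}
    vlan = None  # VLAN of the interface block we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            vlan = int(m.group(1))
        elif (m := POOL_RE.match(line)) and vlan is not None:
            pools[(vlan, int(m.group(1)))] = {
                "start": m.group(2), "end": m.group(3), "pat": bool(m.group(4))}
    return pools


def check_client_nat(config: str) -> List[str]:
    """Return findings in config order; an empty list means the NAT wiring is consistent."""
    pools = parse_pools(config)
    findings: List[str] = []
    in_lb_policy = False  # inside a 'policy-map type loadbalance' block?
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map") or line.startswith("interface"):
            in_lb_policy = line.startswith("policy-map type loadbalance")
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        pool_id, vlan = int(m.group(1)), int(m.group(2))
        where = f"nat dynamic {pool_id} vlan {vlan}"
        if in_lb_policy:
            findings.append(f"{where}: move into a class of the multi-match policy")
        pool = pools.get((vlan, pool_id))
        if pool is None:
            findings.append(f"{where}: no nat-pool {pool_id} under interface vlan {vlan}")
        elif pool["start"] == pool["end"] and not pool["pat"]:
            findings.append(f"{where}: single address {pool['start']} without 'pat'")
    return findings
```

Running check_client_nat(SAMPLE_CONFIG) reports the misplaced 1025/436 statement, the missing pool 8 and the pat-less pool 7, in that order.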
ACE 4710 client NAT (outgoing)
Hi Experts,
I have an ACE 4710 set up for load balancing HTTP and HTTPS only, and it seems to be working fine.
Now I have another requirement to NAT all real server IPs (server-side internal network 10.8.8.0) to the VIP (192.168.1.20).
Our configuration is as below:
two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP is 10.8.8.254)
vlan v400 faces the public side, the v400 interface IP is 192.168.1.10, and one VIP 192.168.1.20 is mapped to the two real servers.
I need to configure: all outgoing traffic from network 10.8.8.0 to the public side NATs the source IP to 192.168.1.20 (the VIP, not the interface real IP 192.168.1.10).
Thanks,
BQ
Here are a few things you could try
1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
change to
nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
2. service-policy input remote-access
do you have a management VLAN interface defined? If so, add it to that interface
3. The requirements are to LB http (80) and https (443). In this case you would need two separate VIPs defined
VIP1:
class-map match-all slb-vip
  2 match virtual-address 192.168.1.20 tcp eq 80
VIP2:
class-map match-all slb-vip
  2 match virtual-address 192.168.1.20 tcp eq 443
Is there a requirement to redirect http traffic ? If so you would need to define another class-map to redirect http traffic to https
show service-policy client-vips detail
HTH -
I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
The Interfaces and Nat configs are:
interface vlan 200
  description Server-Side-VLAN
  bridge-group 5
  nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
  service-policy input VIPS
interface vlan 300
  description Client-Side-VLAN
  bridge-group 5
interface bvi 5
  ip address 10.1.1.3 255.255.248.0
  description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this:
policy-map multi-match VIPS
  class Port80
    loadbalance vip inservice
    loadbalance policy Port80
    nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
  timeout 5
  serverfarm Service80
Any suggestions will be appreciated,
Thanks
Hi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again. -
Can someone provide some information on how you would setup 2 servers to proxy out as the VIP address?
On the CSS I know you can accomplish this though the use of a group rule
Ex:
group Outbound_Proxy
vip address 192.168.1.x
add service web1
add service web2
active
What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration however, I am not to sure how to set that up.
Can someone please provide some advice?
Thank you in advance!
Thank you for your response Gilles! Glad to know that my configuration should work.
The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I initiate a connection to the .163 VIP, where it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 91
service-policy: NAT-POLICY
class: DNS-NAT-Servers
nat:
nat dynamic 2 vlan 695
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
This is the reason I have not yet performed a packet capture.
I notice the connection establishes just fine and the ACE forwards/balances my connection to the correct destination server. However, looking at the me-stats for the connection ID I noticed it is not dynamically NAT'ing the response out.
ACE-12539-187036/spam# sho conn | i 64.39.0.40
150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
Connection ID:seq: 34566[0x8706].5
Other ConnID : 150536[0x24c08].10
Proxy ConnID : 0[0x0].0
Next Q : 0[0x0]
192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 0
Interface Match : Yes
Interface MatchID: 13
EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
MSS : 1380 TOS Stamp : 0
Repeat mode : No ARP Lookup : No
TOS Stamp : No TCP Window Check: No
ACE ID : 12898 NAT Policy ID : 0
Post NAT hop : 0
Packet Count : 1 Byte Count : 44
TCP Information: (State = 3)
Window size : 16384 Window scale : 0
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 5b40000 Last seq : 79e90c16
timestamp_delta: 0 Last ack : 1
No Trigger : 0 Trigger Status : 0
Timestamp : 6279495f
TCP options negotiated:
Sack:Clear TS:Clear Windowscale: Clear
Reserved: Allow Exceed MSS: Deny Window var: Allow
Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply to only outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can setup dynamic NAT for a specific serverfarm. Do you think I should try that instead?
Thank you in advance!
- Jason -
RV042 Shrew soft client NAT-t new mapping
Hi everyone,
Since I had a Quick VPN issue, I tried the Shrew Soft client hoping to get the IPSec tunnel with the RV042 router in Client2gateway mode.
On the Shrew client, I got "Tunnel is activated" but then got "established failed" errors.
On the RV042 IPSec log, it ended with: NAT-T: x.x.x.x new mapping.
What does it mean?
Thanks for your answers.
Hi Hdam,
That's good :)
- Yes, you can change the FQDN from remote.com to another domain name.
- Why I don't select IP address as remote? Because on the router, when you select Group VPN, the VPN will automatically be the responder and wait for a connection; also in that case we don't need to specify the public or LAN network of the client because they can connect from anywhere.
Now, on the client the local ID should be the same as the remote ID on the router (remember that when you configure a VPN tunnel between two routers, the local address on site B should be the remote address on site A; it is the same here with Shrew VPN but using FQDN).
- Just to clarify: the RV0xx doesn't support VLANs, it's port-based VLAN and multiple subnets, BUT you can achieve what you need :)
Please follow these steps:
Step 1: I assume that you have already added an additional subnet; if not, just add it under Setup --> Network and then add the additional subnet. For a better implementation of the subnet it is better to have something like this example: if you have the default network 192.168.1.1/24, add a second subnet 192.168.2.1/24; in this case in the VPN setup we can do subnet summarization and it will be 192.168.0.0/16 (class B), and all the PCs connected to the router should have gateway 192.168.1.1 or 192.168.2.1 in my example, of course.
Step 2: Under VPN --> Summary --> edit the old configuration for the VPN client and change the local network to 192.168.0.0 mask 255.255.0.0
Step 3: On Shrew VPN, also under Policy --> Remote Network Resource, change it to 192.168.0.0 255.255.0.0
and it should work :)
Please rate this post to help other Cisco Customer
Greetings
Mehdi -
Hi,
We have a VIP for an FTP service where we do not wish to lose the client (source) IP for auditing purposes. So we don't source NAT and instead force the return traffic back to the ACE with PBR. However the return flow still bypasses the ACE VIP and goes straight back to the client, diagram below. Is anyone aware of a technique where I can force the ACE to connect the return traffic to the incoming flow?
Hi Mark,
Check and compare the config with the example config.
http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
Avoid the NAT part of the config. Also make sure you are using something like below : ( which is there in the above Doc )
ACE-1/onearm(config)# policy-map multi-match client-vips
ACE-1/onearm(config-pmap)# class slb-vip
ACE-1/onearm(config-pmap-c)# loadbalance vip inservice
ACE-1/onearm(config-pmap-c)# loadbalance policy slb
ACE-1/onearm(config-pmap-c)# inspect ftp <<<<<<< This will make difference
Hope that helps.
regards,
Ajay Kumar -
Hi All,
Currently I'm using NAT to translate the client source IP address; the NAT pool is configured on the server-side VLAN interface.
But now I don't want to translate the client source IP address:
- I have changed the real server gateway to the ACE interface IP.
- I have already removed the NAT configuration, but now I cannot access the VIP using a browser, although I can ping the VIP.
But now I cannot access the VIP through a browser, any idea?
Design:
client--------------CORE--------ACE------------------Real Server.
Thanks
Need help/advice regarding routing to make this method work.
When I change server gateway to ace server vlan interface, my server cannot communicate with other vlans. From context, I can ping server vlan and other vlans.
*Core interface -172.16.36.254 (server vlan),172.19.30.254(client vlan).
*Lb interface - 172.16.36.70, 172.19.30.65
*Real Server ip is using default gateway 172.16.36.70
Routing what I have done:
CORE- ip route 172.16.36.0 255.255.255.0 172.16.36.70
ip route 172.19.30.0 255.255.255.0 172.19.30.65
LB- ip route 0.0.0.0 0.0.0.0 172.19.30.254
Can someone help me to verify this?
Thanks -
ACE 4710 Client and Server hitting same VIP
But the catch here is we are using IP's from server side VLAN's as opposed to from the Client side. If that were the case I would simply use SNAT and assign a pool but in this case that doesn't appear to work.
So how do I get this to work?
Mike
And how do I do that? You say client NAT, I hear source NAT and think of this:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml
this doesn't work because my VIP IP pool is the same as the server side vlan.
We are using public IP on our servers as to not have to manage rfc1918 addresses.
Mike -
ACE: Transparent NAT feasibility
Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
All ideas welcome.
BTW, I want to clarify that client NAT is not on by default. You must have configured it, and if you do so, you lose information about the client IP. The solution to insert the info into the HTTP header is a good one.
Gilles
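Once client NAT is on, the real server (the Squid proxies in the thread above, or any server behind the VIP) only sees the nat-pool address, so the original client survives only in the HTTP header the load balancer inserts. That header is also something any client can send, so a log consumer must believe it only when the connection actually came from the ACE. The resolver below is an added example written for this page, not code from the threads or from Squid; it assumes the nat-pool addresses posted above are the complete set of trusted peers and walks the X-Forwarded-For chain from the right so that an entry a client supplied itself is ignored.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the thread or from Squid): the trusted ranges are the
# nat-pool addresses posted in the threads above, taken here as the only peers
# whose X-Forwarded-For header may be believed.
TRUSTED_NAT_POOLS = [
    ("10.1.1.5", "10.1.1.5"),            # one-armed ACE 4710 pool with pat
    ("172.16.30.200", "172.16.30.210"),  # MOON-POLICY nat-pool 9
]


def is_trusted(addr) -> bool:
    """True when addr lies inside one of the ACE nat-pool ranges."""
    if addr.version != 4:  # the pools above are IPv4, so a v6 peer is never the ACE
        return False
    return any(ipaddress.ip_address(s) <= addr <= ipaddress.ip_address(e)
               for s, e in TRUSTED_NAT_POOLS)


def client_ip(peer: str, xff: Optional[str]) -> str:
    """Address to record for a connection from `peer` carrying header `xff`.

    The chain is walked from the right: each proxy appends the address it saw,
    so the rightmost entry outside the trusted pools is the real client.
    Anything a client prepended itself sits further left and is ignored.
    """
    if not is_trusted(ipaddress.ip_address(peer)):
        return peer  # did not arrive via the ACE: the header could say anything
    if not xff:
        return peer  # ACE inserted no header: the NAT address is all we have
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: never log client-controlled text
        if not is_trusted(addr):
            return str(addr)
    return peer  # every hop was a pool address; nothing better to report


# Constructed access-log records as (peer address, X-Forwarded-For value).
SAMPLE_RECORDS: List[Tuple[str, Optional[str]]] = [
    ("10.1.1.5", "203.0.113.7"),                # normal: ACE inserted the client
    ("10.1.1.5", "198.51.100.9, 203.0.113.7"),  # client forged a leading entry
    ("10.1.1.5", None),                         # header insertion not enabled
    ("203.0.113.7", "198.51.100.9"),            # direct connection, header ignored
]


def resolve_all(records) -> List[str]:
    """Return the client address to log for each (peer, xff) record."""
    return [client_ip(peer, xff) for peer, xff in records]
```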