NAT Pool question
I have a question on how NAT pools, or SNAT, work with ACE in one-arm mode.
As I understand it, when the client sends the request to the ACE, it changes the destination IP to an rserver and the source IP to the SNAT address. When the rserver responds, it sends traffic back through the ACE via the SNAT. How exactly does this work? I can't ping the SNAT address I configured, so how is the SNAT associated with the ACE in any way? How does traffic make its way back to the ACE when the SNAT doesn't seem to be advertised externally in any way? And one more quick question: should the SNAT be on the rserver subnet or the ACE subnet? Just trying to understand so we can make good design decisions.
Tbone,
When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the nat-pool would be in the same subnet as the ACE interface and rservers.
If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used, the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server, it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a nat-pool that is local to the server it will not use its gateway but will reply directly back to the ACE, since it owns this IP.
If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface VLAN the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
Let me know if this helps with your understanding or if you have more questions.
Best regards
Jim
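The cases in the answer above, worked through as an added example (not part of the original thread and not Cisco code): it models the forwarding decision a real server makes when it replies, so you can check whether the reply ends up at the ACE. All addresses are invented, and the ACE is assumed to answer ARP for its interface address, the VIP and its nat-pool address on the VLAN they are configured on; the router is assumed to have connected routes only.

```python
"""Return-path model for an ACE in one-arm mode, with and without source NAT.

Added example, not from the thread: it models the forwarding decision a real
server makes when it replies, so the cases in the answer can be checked.
Addresses are invented; the ACE is assumed to answer ARP for its interface
address, the VIP and its nat-pool address on the VLAN they are configured on.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Host:
    iface: str      # e.g. "10.10.10.11/24"
    gateway: str    # default gateway address

    def on_link(self, dst: str) -> bool:
        return IPv4Address(dst) in IPv4Interface(self.iface).network


@dataclass(frozen=True)
class Router:
    ifaces: tuple   # connected interfaces, e.g. ("10.10.10.1/24", "10.10.20.1/24")

    def connected_to(self, dst: str) -> bool:
        return any(IPv4Address(dst) in IPv4Interface(i).network for i in self.ifaces)


@dataclass(frozen=True)
class Ace:
    iface: str      # one-arm: a single VLAN interface
    vip: str
    nat_pool: str   # single-address nat-pool used for source NAT

    def owns(self, addr: str) -> bool:
        """Addresses the ACE answers ARP for (assumption, see module docstring)."""
        return addr in {str(IPv4Interface(self.iface).ip), self.vip, self.nat_pool}


def first_hop(host: Host, dst: str) -> str:
    """What the host ARPs for: the destination itself if on-link, else its gateway."""
    return dst if host.on_link(dst) else host.gateway


def reply_returns_via_ace(server: Host, router: Router, ace: Ace, reply_dst: str) -> bool:
    """Does the server's reply to reply_dst get delivered to the ACE?"""
    hop = first_hop(server, reply_dst)
    if ace.owns(hop):
        return True                   # handed straight to the ACE on the shared VLAN
    if hop != server.gateway:
        return False                  # some other on-link device owns it
    # The gateway router forwards it; it reaches the ACE only if the router has a
    # connected route to the destination VLAN and the ACE answers ARP for it there.
    return router.connected_to(reply_dst) and ace.owns(reply_dst)


def one_arm_flow(client: str, ace: Ace, server: Host, router: Router, snat: bool) -> dict:
    """Client -> VIP; the ACE rewrites dst to the rserver and, with SNAT, src to
    the nat-pool address. The server replies to whatever source it saw."""
    src_seen_by_server = ace.nat_pool if snat else client
    return {
        "server_sees_src": src_seen_by_server,
        "reply_first_hop": first_hop(server, src_seen_by_server),
        "returns_via_ace": reply_returns_via_ace(server, router, ace, src_seen_by_server),
    }


def scenarios() -> dict:
    client = "192.0.2.10"
    router = Router(("10.10.10.1/24", "10.10.20.1/24"))
    ace = Ace(iface="10.10.10.100/24", vip="10.10.10.50", nat_pool="10.10.10.200")
    local = Host("10.10.10.11/24", gateway="10.10.10.1")     # gateway is the router, not the ACE
    gw_ace = Host("10.10.10.11/24", gateway="10.10.10.100")  # gateway pointed at the ACE instead
    remote = Host("10.10.20.11/24", gateway="10.10.20.1")    # rserver on another VLAN
    off_vlan = Ace(iface="10.10.10.100/24", vip="10.10.10.50", nat_pool="172.16.99.200")
    return {
        "local, no SNAT":              one_arm_flow(client, ace, local, router, snat=False),
        "local, no SNAT, gateway=ACE": one_arm_flow(client, ace, gw_ace, router, snat=False),
        "local, SNAT":                 one_arm_flow(client, ace, local, router, snat=True),
        "remote, SNAT on egress VLAN": one_arm_flow(client, ace, remote, router, snat=True),
        "remote, SNAT off-VLAN pool":  one_arm_flow(client, off_vlan, remote, router, snat=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} -> {result}")
```

The two cases that fail are the ones the answer warns about: no SNAT with the server's gateway on the router (the SYN/ACK goes to the router and never passes the ACE), and a nat-pool address that is not local to the VLAN the ACE egresses on, so no connected route brings the reply back.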
Similar Messages
-
NAT pool configuration question
Hi all,
I would like to know how I can compute a wildcard mask for these hosts:
10.1.1.5 /24 - 10.1.1.8 /24
I have created a nat pool that translates addresses above to 124.24.34.250/24 - 124.24.34.253/24
R3#show access-list
Extended IP access list traders
10 permit ip 10.1.1.0 0.0.0.5 any
R3#sh run | s nat
ip nat pool my_traders 124.24.34.250 124.24.34.253 prefix-length 24
ip nat inside source list traders pool my_traders
10.1.1.5 to 10.1.1.7 work; it's only .8 that doesn't. How can I cover it?
thanks all,
Hi Seb,
I was able to resolve it, although I would like to know if I can further aggregate or summarize the ACLs.
R3#sh run | s users
ip nat pool users 124.24.34.249 124.24.34.249 prefix-length 24
ip nat inside source route-map my_users pool users overload
route-map my_users permit 10
match ip address lan
R3#show access-list lan
Extended IP access list lan
10 permit ip 10.1.1.16 0.0.0.15 any (2 matches)
20 permit ip 10.1.1.32 0.0.0.15 any (1 match)
30 permit ip 10.1.1.64 0.0.0.63 any
40 permit ip 10.1.1.128 0.0.0.127 any
Also, should the prefix length in the NAT statement be equal to the subnet mask of the inside local address?
Thanks,
-
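The wildcard-mask arithmetic behind the two questions above, as an added example (not from the thread): it shows which addresses an entry such as `10.1.1.0 0.0.0.5` actually selects under IOS semantics (a 1 bit in the wildcard means "don't care"), decomposes a range like 10.1.1.5 to 10.1.1.8 into the minimal set of `network wildcard` entries, checks whether the `lan` ACL's ranges can be aggregated further, and converts a prefix length to mask and wildcard form (which also covers the "prefix 22" question further down this page). The inputs are the thread's own addresses; the functions are mine.

```python
"""Wildcard-mask helpers for IOS ACLs.

Added example, not from the thread: decomposes an address range into the
minimal set of 'network wildcard' entries, shows which addresses a given entry
selects (IOS semantics: a 1 bit in the wildcard means 'don't care'), and
converts a prefix length to mask and wildcard forms.
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def matches(addr, base, wildcard):
    """True if addr matches 'base wildcard' the way an IOS ACL evaluates it:
    every bit that is 0 in the wildcard must be equal in addr and base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def selected(base, wildcard, lo, hi):
    """All addresses in lo..hi that the entry matches. Useful for seeing what a
    non-contiguous wildcard such as 0.0.0.5 really selects."""
    first, last = int(IPv4Address(lo)), int(IPv4Address(hi))
    return [str(IPv4Address(i)) for i in range(first, last + 1)
            if matches(str(IPv4Address(i)), base, wildcard)]


def wildcard_entries(first, last):
    """Minimal (network, wildcard) pairs covering first..last inclusive.

    A contiguous wildcard can only express an aligned power-of-two block, so
    the range is split into such blocks; fewer entries are not possible."""
    blocks = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


def acl_lines(first, last, action="permit"):
    """Render the entries as extended-ACL statements, sequence-numbered by 10."""
    return [f"{10 * (i + 1)} {action} ip {net} {wc} any"
            for i, (net, wc) in enumerate(wildcard_entries(first, last))]


def prefix_to_masks(prefix_len):
    """(subnet mask, wildcard) for a prefix length, e.g. 22 -> 255.255.252.0 / 0.0.3.255."""
    net = IPv4Network(f"0.0.0.0/{prefix_len}")
    return str(net.netmask), str(net.hostmask)


if __name__ == "__main__":
    print("10.1.1.0 0.0.0.5 selects:", selected("10.1.1.0", "0.0.0.5", "10.1.1.0", "10.1.1.255"))
    for line in acl_lines("10.1.1.5", "10.1.1.8"):
        print(line)
    print("16-47:", wildcard_entries("10.1.1.16", "10.1.1.47"))
    print("64-255:", wildcard_entries("10.1.1.64", "10.1.1.255"))
    print("/22 ->", prefix_to_masks(22))
```

For 10.1.1.5 to 10.1.1.8 the minimum is three entries (.5/32, .6 with wildcard 0.0.0.1, .8/32), because .5 and .8 each sit alone in their aligned block. The `lan` ACL's two pairs (16-47 and 64-255) cannot be merged either: neither range starts on a boundary of its own size, so each stays as two entries.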
Use of client nat pools on the CSM
Hi Guys,
Just a quick question about the use of NAT pools, on which the configuration guide is a little scant.
If a client NAT pool such as this is used (16 addresses):
natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool?
I hope this makes sense!
thanks
Sheldon
The CSM does PAT by default.
Gilles. -
ACE: Significance of mask in nat-pools configured for Source NAT
Hi guys
If I am using source NAT in ACE (one IP address, 10.10.10.200, used for all client address translations),
what would be the difference between nat-pools configured with different netmasks?
What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case),
and why?
case1:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
service-policy input clientvips
no shutdown
case2:
interface vlan 7
ip address 10.10.10.100 255.255.255.0
nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
service-policy input clientvips
no shutdown
Thanks in Advance
A.
Gilles,
Thanks a lot. It makes more sense now.
I posted another question for an ACE design validation. Could you please validate this
I am planning to deploy ACE module in following manner:
> ACE will be in one arm mode ( Only one vlan connected to the ACE).
> Vips & Rservers (all serverfarms) will be in the same Vlan X.
> Default gateway on the ACE & Real servers will be the upstream router
> There will be Source NAT configured for all Serverfarms.
ACE --- Vlan X ------- Router --- internet
                 |
                 |-- Sfarm 1
                 |
                 |-- Sfarm 2
                 |
                 |-- Sfarm n
I am pretty sure that it should work.
Just wanted an expert opinion.
Thanks -
ASA single outside IP address to an inbound NAT pool that round robins request to 2 web servers
How do I create a single outside IP address 1.2.3.4 to an inbound NAT pool that round-robins requests to 2 web servers?
I have 2 web servers, 10.0.0.1 and 10.0.0.2. They have exactly the same content.
I think I start with defining the pool as an object group which contains the 2 servers 10.0.0.1 and 10.0.0.2:
object-group network appservers
network-object host 10.0.0.1
network-object host 10.0.0.2
What to do next?
object-group network appservers
nat (inside,outside) static 1.2.3.4
gives me an error.
No, unfortunately you can't configure round-robin static inbound NAT for 2 internal web servers.
-
Hi, good afternoon. I'm new to using Captivate 5 and I have a question on how to use the question pool. I have a question pool already created and used it to create a test with random questions. Now my question is: how could I take the questions from this pool, select them and put them in a new test? Can this be done? I want to use a few, not all of them. Excuse the mess with the word "question", but my English is a bit bad; I hope you understand. Gracias!!!
Just open your current project that contains the question pool and its questions, then open the new project in another tab in Captivate 5.
Then you can just copy and paste question slides from one project to the other. -
I was troubleshooting a connectivity issue for a client and he kept asking me to check the 'NAT pool allocation' on the load balancer context. My company uses an ACE module running software version A5(2.2). I could find no command such as show nat or show allocation. Running show xlate does not give me a count but a list of all the translations.
Can someone explain to me what exactly my client is asking for?
Hi,
Perhaps this:
switch/Admin# show np 1 me-stats -vsocm | include NAT
NAT[static mapped]: 0 0
NAT[static real]: 0 0
NAT[xlate alloc fail]: 0 0
NAT[xlate real hit]: 0 0
NAT[xlate mapped hit]: 0 0
NAT[invalid xlate]: 0 0
NAT[dump xlate]: 0 0
NAT[xlate release failed]: 0 0
NAT Pool Alloc [fail]: 0 0
NAT Pool Alloc [addr]: 0 0
NAT Pool Alloc [addr/port]: 0 0
NAT Pool Free [addr]: 0 0
NAT Pool Free [addr/port]: 0 0
NAT Pool Free [orphan IP]: 0 0
Drop [Need NAT IPv4-6]: 0 0
Drop [Need NAT IPv6-4]: 0 0
NAT free no xlate [real addr]: 0 0
NAT free no xlate [mapped addr]: 0 0
NAT Dynamic Xlate GC Reaped: 0 0
NAT Implicit PAT Alloc [fail]: 0 0
NAT Implicit PAT Alloc: 0 0
NAT Implicit PAT Free: 0 0
Based on the model, np x can be 1, 2, 3 or 4.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
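A small parser for the counter output shown in the reply, as an added example (my code, not a Cisco tool): it turns the `name: a b` lines into a dictionary, picks out the failure and drop counters that are non-zero, and derives an allocations-minus-frees figure for the PAT pool. The sample text is constructed in the reply's format with one deliberately non-zero `NAT Pool Alloc [fail]`. The thread does not say what the two numeric columns mean, so both are kept and the checks read the first one; that, and treating the counters as cumulative, are assumptions.

```python
"""Parser for 'show np <n> me-stats -vsocm | include NAT' counter lines.

Added example, not a Cisco tool. The sample is constructed in the format of
the reply above, with one non-zero failure counter. The meaning of the two
numeric columns is not given in the thread; both are kept and the checks use
the first column (assumption).
"""
import re

COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<a>\d+)\s+(?P<b>\d+)\s*$")

SAMPLE = """\
NAT[static mapped]: 12 12
NAT[xlate alloc fail]: 0 0
NAT[xlate real hit]: 3170 3170
NAT Pool Alloc [fail]: 37 37
NAT Pool Alloc [addr]: 0 0
NAT Pool Alloc [addr/port]: 5120 5120
NAT Pool Free [addr/port]: 5083 5083
NAT Implicit PAT Alloc [fail]: 0 0
Drop [Need NAT IPv4-6]: 0 0
"""


def parse_counters(text):
    """name -> (first column, second column), one entry per counter line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = (int(m["a"]), int(m["b"]))
    return counters


def failures(counters):
    """Counters whose name marks a failure or drop and whose value is non-zero.
    A non-zero 'NAT Pool Alloc [fail]' means connections needed a nat-pool
    translation and could not get one (pool exhausted or not applicable)."""
    return {name: value for name, value in counters.items()
            if ("fail" in name.lower() or name.startswith("Drop")) and value[0] > 0}


def pat_pool_outstanding(counters):
    """Allocations minus frees for the addr/port (PAT) pool. Assumes the
    counters are cumulative, so the difference approximates what is in use."""
    alloc = counters.get("NAT Pool Alloc [addr/port]", (0, 0))[0]
    free = counters.get("NAT Pool Free [addr/port]", (0, 0))[0]
    return alloc - free


def report(text):
    counters = parse_counters(text)
    return {
        "counters": len(counters),
        "failures": failures(counters),
        "pat_outstanding": pat_pool_outstanding(counters),
    }


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it over the output of each `np` the module has (1 to 4 depending on the model, as the reply says) and compare: a rising `NAT Pool Alloc [fail]` on one engine while the others are clean usually points at that engine's pool, not at the client.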
Hi,
Can we use the same NAT pool for 2 different server farms in CSM? Does it work, or will it create any issue?
(For E.g)
natpool XYZ 10.0.0.63 10.0.0.63 netmask 255.255.255.128
serverfarm ABC
nat server
nat client XYZ
real name Real1
health probe TCP-3139
inservice
real name Real2
health probe TCP-3139
inservice
serverfarm QAZ
nat server
nat client XYZ
real name Real1
health probe HTTP-7779
inservice
real name Real2
health probe HTTP-7779
inservice
Hi,
Yes, it's perfectly fine to use the same nat pool.
Regards
Daniel -
High CPU load on msfc sup720 while using nat pool
Hello,
On our 6509-E + switch blades with Sup720/PFC3 and CSM module we noticed a considerable CPU load, like:
#show processes cpu sorted
CPU utilization for five seconds: 85%/81%; one minute: 82%; five minutes: 41%
After some research I'm able to reproduce it, and basically it's:
when sending traffic through the VLANs defined on the MSFC with NAT inside and NAT outside it's reproducible;
when unconfiguring NAT the CPU load drops (in lab) to 0%/0%.
We're using NAT pools just to fix an internal application/service on 1 IP.
It's configured like:
ip nat pool DMZ-193 1.1.1.1 1.1.1.1 netmask 255.255.255.224
ip nat inside source list DMZ-193 pool DMZ-193 overload
ip access-list extended DMZ-193
<snip>
where 1.1.1.1 is the external (example) source IP that it's SNATted to.
With this "feature" I can't get a higher rate than about 130 Mbit/s (MSFC CPU bound).
Has anyone an idea why this gets executed in software and not in hardware like the docs say?
Any idea or workaround is welcome.
Additional note: I reviewed this document:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
which gave good ideas, but no solution yet.
Regards,
Arjan Filius
Problem solved: there were some empty ACLs which caused the CPU to be used instead of hardware.
Regards, -
Dynamic IP Nat Pool with 3030 -- 3002 Tunnel
I currently use the 3002 HW Client at several ROBO/SOHO locations in Network Extension mode. This works great. Recently I have the need to establish the same type of connection, but I need to provide a dynamic IP NAT pool for the clients behind the 3002. Is a configuration like this possible using the 3030 & 3002, or will I need some other HW to replace the 3002? If other HW is needed please suggest low-end options (i.e. I realize a L2L with another concentrator will work). And I assume the configuration is possible with a 1720(?).
Thanks in advance,
John
Hi,
If I understand you correctly, you want to NAT the IP addresses behind the VPN3002 to specific IP addresses when they go across the IPSec tunnel to the VPN server, so that the source IP address is different when the packet reaches the VPN server.
This is not possible with the VPN3002. You can try using PAT, but this is only for many-to-one translation, and if you have a VoIP solution or a specific reason for using NEM, then PAT will not work for you.
Regards,
Arul -
Above is the command ip nat pool no overload prefix 22
Does anyone know what the prefix 22 does and why it is added? I am also new at learning and currently studying, and wanted to know any recommendations for taking the CCNA or CCNP and what online routers (emulators) I can play on to learn commands and prepare for exams.
Hi,
It is just describing the prefix length for the network or Subnet Mask in general terms.
Check this:-
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp6064781280
Thanks and Regards,
Vibhor Amrodia -
Cacti & Allocated IP NAT Pools
Hey,
We're using Cacti for some monitoring tools, and I can easily get graphs for the active NAT translations.
But we would also like to have a view on the allocated IPs for a NAT pool. Is there an OID for this? Or do you have an idea how we can check this?
OID that I'm using for the active NAT: 1.3.6.1.4.1.9.10.77.1.2.3.0
Hi Carl
Do find the different default timeout values associated with the translation and also the ways to tweak them as per requirement.
timeout Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86,400 seconds (24 hours).
udp-timeout Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).
dns-timeout Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.
tcp-timeout Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours).
finrst-timeout Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.
icmp-timeout Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.
pptp-timeout Specifies the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. Default is 86,400 seconds (24 hours).
syn-timeout Specifies the timeout value for TCP flows immediately after a synchronous transmission (SYN) message that consists of digital signals that are sent with precise clocking. The default is 60 seconds.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html
regds -
ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP
8.2
HI ALL
Here is my scenario. I have worked on this with TAC support over the last month; we finally made progress by getting our ISP to activate the 5 static IPs, but here is my issue.
Basically we have a VoIP phone that is "remote". This phone needs to come through the public IP to an internal address of 192.168.10.57.
We tried only allowing certain "ports" to pass, such as SIP and RTP, but the remote phone still cannot reach the phone server at 192.168.10.57.
So
I want to open it completely, as this phone PC is the ONLY device on that public IP.
So my 2 questions are:
What do I need to configure as a rule/command to make this happen, where I want the public IP of 50.x.x.x to correlate directly and openly to the internal 192.168.10.57?
Also, what is the command to allow the public IP to be pingable, so I can just confirm that it is reachable? I know at the very end we turned it off with a sort of ICMP command.
Thank you all for your time and help. If you need more info please ask.
Thank you very much for your help.
I applied
access-list out-in extended permit icmp any host 50.x.x.x
and now I can ping. TY
But,
I applied
static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
And got this error:
ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
I just want this port "wide open" to see if the remote phone will connect to it.
Here is my edited sh run:
ASA Version 8.2(1)
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.X.X.X 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
svc enable
port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
banner value *****************************WARNING**********************************
banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
banner value ****************************************************************************
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
url-list none
svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
vpn-group-policy RemoteAccess
service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool ippool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias RemoteAccess enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
TYVM
-
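The error in the post ("mapped-address conflict with existing static") comes from the `static (inside,outside) 50.X.X.X 192.168.10.57` line that is already in the pasted config. The following is an added example (my code, not Cisco's) of checking that offline before pasting a new `static`: it parses the static entries out of an ASA 8.2 running config, reports which existing entry a proposed one collides with, and, as a side check on the same config, lists the management-plane lines (ssh/telnet/http) that accept any source address. The sample config is a constructed, abbreviated version of the posted one with the masked public address written as the documentation address 203.0.113.98. The conflict rule used (same interface pair and the same mapped or the same real address between two one-to-one statics) is a simplification of what the ASA enforces.

```python
"""Offline check for ASA 8.2 'static' NAT lines before adding one.

Added example, not Cisco code. Parses static entries from a running config,
finds the existing entry a proposed static collides with, and lists
management-plane lines that allow any source. The sample config is constructed
from the post, with the masked public IP replaced by 203.0.113.98. The conflict
rule is a simplification of the ASA's own checks (assumption).
"""
import re
from dataclasses import dataclass
from typing import Optional

STATIC_PAT_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask (?P<mask>\S+)$")
STATIC_ONE_TO_ONE_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$")
MGMT_ANY_RE = re.compile(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (?P<iface>\w+)$")

SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.97 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 203.0.113.98 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    proto: Optional[str] = None   # None for a one-to-one static
    mport: Optional[str] = None
    rport: Optional[str] = None
    line: str = ""


def parse_static(line):
    """Static for a 'static (...)' line, or None if the line is something else."""
    line = line.strip()
    m = STATIC_PAT_RE.match(line) or STATIC_ONE_TO_ONE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Static(d["real_if"], d["mapped_if"], d["mapped"], d["real"],
                  d.get("proto"), d.get("mport"), d.get("rport"), line)


def parse_statics(config):
    return [s for s in (parse_static(ln) for ln in config.splitlines()) if s]


def conflicts(existing, proposed_line):
    """Existing one-to-one statics on the same interface pair that already use
    the proposed entry's mapped address or its real address."""
    new = parse_static(proposed_line)
    if new is None or new.proto is not None:
        return []
    return [s for s in existing
            if s.proto is None
            and (s.real_if, s.mapped_if) == (new.real_if, new.mapped_if)
            and (s.mapped == new.mapped or s.real == new.real)]


def mgmt_open_to_any(config):
    """(service, interface) for ssh/telnet/http lines that accept any source;
    the 'outside' ones are the ones to tighten first."""
    hits = []
    for line in config.splitlines():
        m = MGMT_ANY_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m["iface"]))
    return hits


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    proposed = "static (inside,outside) 203.0.113.98 192.168.10.57 netmask 255.255.255.255"
    for s in conflicts(statics, proposed):
        print("conflicts with:", s.line)
    print("management open to any source:", mgmt_open_to_any(SAMPLE_CONFIG))
```

Against the sample, the proposed line collides with the identical static already present, which is the condition behind the error message in the post; the one-to-one static is already doing what the poster wants, so the remaining work is the `out-in` ACL, not NAT. The management check flags `ssh 0.0.0.0 0.0.0.0 outside`, which the posted config also contains.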
Easy JNDI + Connection Pool Question
This is an easy question:
Once I get the object represented by my connection pool from the
Weblogic JNDI tree, how do I get a connection from the returned object
of type weblogic.common.internal.ResourceAllocator?
I keep getting ClassCastExceptions. I have tried
ConnectionPoolDataSource, Connection, and DataSource.
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

String conPool = "weblogic.jdbc.connectionPool.demoPool";
try {
    Object obj = ctx.lookup(conPool);
    msg(DEBUG, "FROM LOOKUP " + obj.getClass().getName());
    //DataSource ds = (DataSource) ctx.lookup(conPool);
    //con = ds.getConnection();
} catch (NameNotFoundException e) {
    // binding does not exist
    msg(ERROR, "BINDING DOES NOT EXIST", e);
} catch (NamingException e) {
    // a failure occurred
    msg(ERROR, "NAMING FAILURE OCCURRED", e);
} catch (Exception e) {
    msg(ERROR, "SOME RANDOM ERROR", e);
}
Thanks,
-Jacob
"Jacob Meushaw" wrote in message
Once I get the object represented by my connection pool from the
Weblogic JNDI tree, how do I get a connection from the returned object
of type weblogic.common.internal.ResourceAllocator?
I keep getting ClassCastExceptions.
DataSource ds = (DataSource)ctx.lookup(conPool);
I think you must use the narrow operation:
Object reference = ctx.lookup(conPool);
DataSource ds = (DataSource) PortableRemoteObject.narrow(reference, DataSource.class);
I haven't got time to check it, but I hope that works.
Wojtek -
Hi there,
I was previously using the jferner/node-oracle module with the "generic-pool" (https://github.com/coopernurse/node-pool) module for connection pooling.
I'm trying out a setup with connection pooling with node-oracledb and have a few questions:
* If an execute call fails with a connection i've retrieved from the pool, and I want to destroy that connection and remove it from the pool, how do I do that? Is it done implicitly for me?
* Is there any way to validate a connection before it's used? Or again, is this done implicitly? Is there a way to toggle it on and off for perf tuning?
* Is there any way to tune how frequently Oracle checks for idle connections? (In generic-pool this was called reapIntervalMillis)
* Is there any way to turn on any logging of how the connection pool behaves for development debugging? I just want to make sure my setup is behaving as I think it should be.
I'm making some good headway on getting the module working and it wasn't too difficult a conversion from node-oracle, either, that's good!
-Matt
You should release() bad connections to the pool so the pool can replace them.
Validating connections is generally not worth it: between validation & use there could be a failure, so your executions need to handle errors anyway. Why reduce scalability and performance by doing an extra "round trip" for validation? Also you can use FAN which can proactively clean up idle sessions in the session pool that are affected by the DB instance disappearing (due to network glitches etc).
The client-side pool is handled by Oracle session pooling, so the algorithms are opaque.