Tuesday, July 10, 2007

Static NAT on Cisco ACE

This one's simple. Here's how I set up my first NAT on the ACE, to let a load-balanced dual-armed server farm reach the Internet through the ACE. All of the outbound traffic had to be NATted to a single IP address so that the firewall rules stay simple.

Scenario: (diagram)

Then the configuration:

rserver host SERVER-10.1
  ip address 10.0.10.1
  inservice

rserver host SERVER-10.2
  ip address 10.0.10.2
  inservice

serverfarm host FARM_20.1:80
  failaction purge
  rserver SERVER-10.1 21
    inservice
  rserver SERVER-10.2 21
    inservice

class-map match-any L4-MAP-NAT
  2 match source address 10.0.10.1 255.255.255.255
  3 match source address 10.0.10.2 255.255.255.255

class-map match-all L4-MAP-FARM_20.1:21
  2 match virtual-address 10.0.20.1 tcp eq www

policy-map type loadbalance first-match L7-FARM_20.1:80
  class class-default
    serverfarm FARM_20.1:80

policy-map multi-match L4-POLICYMAPMULTI-LOADBALANCE
  class L4-MAP-FARM_20.1:21
    loadbalance vip inservice
    loadbalance policy L7-FARM_20.1:80
    loadbalance vip icmp-reply active

policy-map multi-match L4-POLICYMAPMULTI-NAT
  class L4-MAP-NAT
    nat static 10.0.21.1 netmask 255.255.255.255 vlan 151

service-policy input L4-POLICYMAPMULTI-LOADBALANCE

interface vlan 101
  description SERVERSIDE
  ip address 10.0.10.199 255.255.255.0
  service-policy input L4-POLICYMAPMULTI-NAT
  no shutdown

interface vlan 151
  description FIREWALLSIDE
  ip address 10.0.0.2 255.255.255.240
  no shutdown
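One thing worth checking whenever this setup grows: L4-MAP-NAT lists the real servers one by one, so a server added to the farm but not to the class-map is never matched by the NAT policy and would leave VLAN 151 with its private address, which the firewall rule written for 10.0.21.1 does not cover. The script below is an added example, not part of the original post: it parses a constructed configuration modelled on the one above (with a hypothetical third server SERVER-10.3 / 10.0.10.3 that was added to the farm only) and reports farm members the NAT class-map does not cover.

```python
import ipaddress
import re

# Constructed sample modelled on the configuration in this post, with a third real
# server (SERVER-10.3, 10.0.10.3) added to the farm but not to the NAT class-map.
ACE_CONFIG = """\
rserver host SERVER-10.1
  ip address 10.0.10.1
rserver host SERVER-10.2
  ip address 10.0.10.2
rserver host SERVER-10.3
  ip address 10.0.10.3
serverfarm host FARM_20.1:80
  rserver SERVER-10.1 21
  rserver SERVER-10.2 21
  rserver SERVER-10.3 21
class-map match-any L4-MAP-NAT
  2 match source address 10.0.10.1 255.255.255.255
  3 match source address 10.0.10.2 255.255.255.255
policy-map multi-match L4-POLICYMAPMULTI-NAT
  class L4-MAP-NAT
    nat static 10.0.21.1 netmask 255.255.255.255 vlan 151
"""

# Top-level statements that open a configuration section (kind followed by name).
SECTION = re.compile(r"(rserver host|serverfarm host|class-map match-\w+|policy-map multi-match) (\S+)$")

def parse_ace(config):
    """Collect rserver IPs, farm members, class-map source networks and policy-map -> class."""
    rservers, farms, cmaps, pmaps = {}, {}, {}, {}
    kind = name = None
    for line in (l.strip() for l in config.splitlines()):
        if m := SECTION.match(line):
            kind, name = m.group(1).split()[0], m.group(2)
            continue
        if kind == "rserver" and (m := re.match(r"ip address (\S+)$", line)):
            rservers[name] = ipaddress.ip_address(m.group(1))
        elif kind == "serverfarm" and (m := re.match(r"rserver (\S+)", line)):
            farms.setdefault(name, []).append(m.group(1))
        elif kind == "class-map" and (m := re.match(r"\d+ match source address (\S+) (\S+)$", line)):
            cmaps.setdefault(name, []).append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif kind == "policy-map" and (m := re.match(r"class (\S+)$", line)):
            pmaps[name] = m.group(1)  # class that carries the nat static action
    return rservers, farms, cmaps, pmaps

def unnatted_members(config, farm, nat_policy):
    """Farm members whose source IP no match line of the NAT policy's class-map covers."""
    rservers, farms, cmaps, pmaps = parse_ace(config)
    nets = cmaps.get(pmaps.get(nat_policy), [])
    return sorted(n for n in farms.get(farm, []) if not any(rservers[n] in net for net in nets))
```

Run against the sample it returns ['SERVER-10.3']; widening the class-map to a match that covers the whole server subnet makes the list empty.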