Wednesday, December 12, 2007

Source NAT on Cisco ACE

I've already described the scenario for this issue here.


My first approach to source NAT for this scenario was a little too CSS-minded: it wasted VIP addresses and ignored some of the newer features on the ACE.

For each serverfarm that had to be reached from its own subnet I created two VIPs: one for everybody and one for SNATted connections coming from that same subnet.

Now I have changed approach, SNATting everything coming from the INTERNAL subnet, no matter which VIP it is looking for. This way I don't have to use different VIPs depending on the source address.


class-map match-all L4-MAP-SNAT-INTERNAL
  2 match source-address 10.0.11.0 255.255.255.0

class-map match-all L4-MAP-YELLOW-SERVERFARM_20.2:80
  2 match virtual-address 10.0.20.2 tcp eq www

policy-map type loadbalance first-match L7-FARM_20.2:80
  class class-default
    serverfarm YELLOW-SERVERFARM_20.2:80

policy-map multi-match L4-POLICYMAPMULTI-LOADBALANCE
  class L4-MAP-SNAT-INTERNAL
    nat dynamic 100 vlan 101
  class L4-MAP-YELLOW-SERVERFARM_20.2:80
    loadbalance vip inservice
    loadbalance policy L7-FARM_20.2:80
    loadbalance vip icmp-reply active

service-policy input L4-POLICYMAPMULTI-LOADBALANCE

interface vlan 101
  description SERVERSIDE
  ip address 10.0.10.199 255.255.255.0
  nat-pool 100 10.0.21.100 10.0.21.115 netmask 255.255.255.0 pat
  no shutdown

interface vlan 151
  description FIREWALLSIDE
  ip address 10.0.0.2 255.255.255.240
  no shutdown


In this scenario each connection coming from any server on the 10.0.11.x subnet is SNATted to an address of nat-pool 100, so the real server's reply has to come back through the ACE instead of going straight to a client sitting on its own subnet. Then, going down the multi-match policy, the connection reaches the VIP class, which load-balances it onto the real servers.
Note that L4-MAP-SNAT-INTERNAL must be the first class defined in the policy for things to work well.
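To make the failure mode behind this SNAT rule visible, here is a small model of the hairpin case, written as an added example and not part of the original post or of any Cisco software. The subnet, VIP and NAT pool values are the ones from the configuration above; the real server address 10.0.11.50 is a constructed sample, and the model assumes (as the earlier description of the scenario implies) that the real servers share the 10.0.11.0/24 subnet with the internal clients and use the ACE as their default gateway. It traces one connection with and without the SNAT class and reports whether the reply reaches the client from the VIP, which is what the client's socket expects.

```python
"""Model of the same-subnet (hairpin) load-balancing problem that the post
solves with source NAT on the ACE.  Added example; not ACE code."""
import ipaddress

# Values taken from the post's configuration
INTERNAL_SUBNET = ipaddress.ip_network("10.0.11.0/24")   # class L4-MAP-SNAT-INTERNAL
VIP = ipaddress.ip_address("10.0.20.2")                  # L4-MAP-YELLOW-SERVERFARM_20.2:80
NAT_POOL = [ipaddress.ip_address("10.0.21.100") + i for i in range(16)]  # nat-pool 100: .100-.115

# Constructed: one real server, assumed to live on the same subnet as the
# internal clients and to route non-local traffic through the ACE.
REAL_SERVER = ipaddress.ip_address("10.0.11.50")
SERVER_SUBNET = ipaddress.ip_network("10.0.11.0/24")


def snat_class_matches(client_ip: str) -> bool:
    """Mirror of '2 match source-address 10.0.11.0 255.255.255.0'."""
    return ipaddress.ip_address(client_ip) in INTERNAL_SUBNET


def pick_pool_address(client_ip: str) -> ipaddress.IPv4Address:
    """Deterministic pool choice for the model; the ACE's real allocation
    (dynamic, with PAT) is not modelled here."""
    return NAT_POOL[int(ipaddress.ip_address(client_ip)) % len(NAT_POOL)]


def simulate(client_ip: str, snat_internal: bool) -> dict:
    """Trace one client -> VIP connection and the real server's reply path.

    snat_internal=True means the L4-MAP-SNAT-INTERNAL class is present in the
    multi-match policy; False models the policy without it."""
    client = ipaddress.ip_address(client_ip)

    # 1. client sends SYN to the VIP; ACE picks a real and rewrites the destination.
    # 2. The source is left alone unless the SNAT class matches.
    snat_applied = snat_internal and snat_class_matches(client_ip)
    forwarded_src = pick_pool_address(client_ip) if snat_applied else client

    # 3. The real server answers whatever source it saw.  An address on its own
    #    subnet is delivered directly (ARP), bypassing the ACE; anything else
    #    goes to its default gateway, which is the ACE.
    reply_via_ace = forwarded_src not in SERVER_SUBNET
    if reply_via_ace:
        reply_src_seen_by_client = VIP          # ACE undoes NAT and answers as the VIP
    else:
        reply_src_seen_by_client = REAL_SERVER  # real server talks to the client directly

    # 4. The client's socket is (client, VIP); a reply from any other address
    #    does not belong to that connection and is rejected.
    return {
        "snat_applied": snat_applied,
        "reply_via_ace": reply_via_ace,
        "reply_src": str(reply_src_seen_by_client),
        "connection_ok": reply_src_seen_by_client == VIP,
    }


if __name__ == "__main__":
    for client, snat in (("10.0.11.20", False), ("10.0.11.20", True), ("10.0.0.5", False)):
        print(client, "snat" if snat else "no snat", simulate(client, snat))
```

Running it shows the three cases that matter: an internal client without the SNAT class gets its reply straight from 10.0.11.50 and the connection fails; the same client with the SNAT class gets its reply from the VIP; a client outside 10.0.11.0/24 never matches the SNAT class and works either way, because the real server has to route its reply through the ACE anyway.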