Nat IP FIRE
Note
The information in this chapter applies to both the ACE module and the ACE
appliance unless otherwise noted.
This chapter contains the following major sections which describe how to
configure NAT on the Cisco ACE Application Control Engine:
Clearing Xlates
Note
(ACE module only) Implicit PAT is also performed for the same
source/destination port and port redirection scenarios to ensure that the server
response returns to the same network processor.
Note
(ACE module only) You can also disable implicit PAT and preserve the source
port when the source and destination ports are the same by using the hw-module
cde-same-port-hash command in configuration mode. For details, see the Server
Load-Balancing Guide, Cisco ACE Application Control Engine.
The ACE supports the translation of IPv6 host or VIP addresses to IPv4 server
addresses and the opposite for load balancing HTTP and HTTPS. This translation
allows you to provide IPv6 functionality while maintaining an IPv4-only or an
IPv6-only server farm or a server farm with a combination of the two protocols.
Some of the benefits of NAT are as follows:
You can use private addresses on your inside networks. Private addresses are
not routable on the Internet.
NAT hides the local addresses from other networks, so attackers cannot learn
the real address of a server in the data center.
Static NAT
Dynamic NAT
Dynamic PAT
Static NAT
Dynamic NAT
Dynamic NAT, which is typically used for SNAT, translates a group of local
source addresses to a pool of global source addresses that are routable on the
destination network. The global pool can include fewer addresses than the local
group. When a local host accesses the destination network, the ACE assigns an IP
address from the global pool to the host.
Because the translation times out after being idle for a user-configurable period
of time, a given user does not keep the same IP address. For this reason, users on
the destination network cannot reliably initiate a connection to a host that uses
dynamic NAT (even if the connection is allowed by an access control list [ACL]).
Not only can you not predict the global IP address of the host, but the ACE does
not create a translation unless the local host is the initiator. See the Configuring
Static NAT and Static Port Redirection section for details about reliable access
to hosts.
Note
For the duration of the translation, a global host can initiate a connection to the
local host if an ACL allows it. Because the address is unpredictable, a connection
to the host is unlikely. However, in this case, you can rely on the security of the
ACL.
Dynamic NAT has these disadvantages:
If the global address pool has fewer addresses than the local group, you could
run out of addresses if the amount of traffic is greater than expected.
Use dynamic PAT if this event occurs often, because dynamic PAT provides
over 64,000 translations using multiple ports of a single IP address.
If you need to use a large number of routable addresses in the global pool and
the destination network requires registered addresses (for example, the
Internet), you may encounter a shortage of usable addresses.
Note
The ACE allows you to configure a virtual IP (VIP) address in the NAT pool for
dynamic NAT and PAT. This action is useful when you want to source NAT real
server originated connections (bound to the client) using the VIP address. This
feature is specifically useful when there are a limited number of real world IP
addresses on the client-side network. To perform PAT for different real servers
that are source-NATed to the same IP address (VIP), you must configure the pat
keyword in the nat-pool command.
The advantage of dynamic NAT is that some protocols cannot use dynamic PAT.
Dynamic PAT does not work with some applications that have a data stream on
one port and the control path on another, such as some multimedia applications.
Dynamic PAT
Dynamic PAT, which is also used for Source Network Address Translation
(SNAT), translates multiple local source addresses and ports to a single global IP
address and port that are routable on the destination network from a pool of IP
addresses and ports reserved for this purpose. The ACE translates the local
address and local port for multiple connections and/or hosts to a single global
address and a unique port starting with port numbers greater than 1024.
When a local host connects to the destination network on a given source port, the
ACE assigns a global IP address to it and a unique port number. Each host receives
the same IP address but, because the source port number is unique, the ACE sends
the return traffic, which includes the IP address and port number as the
destination, to the correct host.
The ACE supports over 64,000 ports for each unique local IP address. Because the
translation is specific to the local address and local port, each connection, which
generates a new source port, requires a separate translation. For example,
10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
The translation is valid only for the duration of the connection, so a user does not
keep the same global IP address and port number. For this reason, users on the
destination network cannot reliably initiate a connection to a host that uses
dynamic PAT (even if the connection is allowed by an ACL). Not only can you not
predict the local or global port number of the host, but the ACE does not create a
translation unless the local host is the initiator. See the Configuring Static NAT
and Static Port Redirection section for details about reliable access to hosts.
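The behaviour that the Dynamic NAT and Dynamic PAT sections above describe can be made concrete with a small translation-table model. The following Python is an added illustration written for this page, not Cisco ACE code: it hands out addresses from a dynamic NAT pool, falls back to PAT on a single global address once the pool is empty (one port above 1024 per local address and port), expires idle entries after a timeout (the ACE default of 10800 seconds is the page's figure; the demo uses a shorter one), and refuses to map inbound packets for which no xlate exists, which is why global-side hosts cannot reliably initiate connections to a dynamically translated host. The class and method names and the 203.0.113.x addresses are this example's own.

```python
"""Toy model of the ACE dynamic NAT / dynamic PAT translation (xlate) table.

Added illustration only; not ACE code. The 10800-second default idle timeout
is the figure given on the page. Pool addresses used in tests are constructed.
"""
from dataclasses import dataclass

DEFAULT_XLATE_TIMEOUT = 10800   # seconds, the ACE default named on the page


@dataclass
class Xlate:
    local: tuple      # (local ip, local port); port 0 marks a dynamic NAT entry
    glob: tuple       # (global ip, global port); port 0 marks a dynamic NAT entry
    last_used: float  # time of last packet in either direction


class DynamicTranslator:
    def __init__(self, nat_pool, pat_address, timeout=DEFAULT_XLATE_TIMEOUT):
        self.free_pool = list(nat_pool)   # global addresses not yet handed out
        self.pat_address = pat_address    # used only after the pool is exhausted
        self.next_pat_port = 1025         # PAT ports start above 1024
        self.timeout = timeout
        self.by_local = {}                # (local ip, port or 0) -> Xlate
        self.by_global = {}               # (global ip, port or 0) -> Xlate

    def _expire(self, now):
        """Drop entries idle longer than the timeout; a dynamic NAT entry
        returns its global address to the pool, so the host loses it."""
        for key, x in list(self.by_local.items()):
            if now - x.last_used > self.timeout:
                del self.by_local[key]
                del self.by_global[x.glob]
                if x.glob[1] == 0:
                    self.free_pool.append(x.glob[0])

    def outbound(self, src_ip, src_port, now):
        """Translate a locally initiated packet; returns (global ip, global port)."""
        self._expire(now)
        nat_key = (src_ip, 0)
        if nat_key in self.by_local:
            x = self.by_local[nat_key]                 # reuse the host's NAT entry
        elif self.free_pool:
            x = Xlate(nat_key, (self.free_pool.pop(0), 0), now)
        else:
            # Pool empty: fall back to PAT, one xlate per (local ip, local port),
            # so 10.1.1.1:1025 and 10.1.1.1:1026 get separate global ports.
            pat_key = (src_ip, src_port)
            x = self.by_local.get(pat_key)
            if x is None:
                if self.next_pat_port > 65535:
                    raise RuntimeError("PAT port range exhausted")
                x = Xlate(pat_key, (self.pat_address, self.next_pat_port), now)
                self.next_pat_port += 1
        self.by_local[x.local] = x
        self.by_global[x.glob] = x
        x.last_used = now
        if x.glob[1] == 0:
            return (x.glob[0], src_port)   # dynamic NAT leaves the source port alone
        return x.glob

    def inbound(self, dst_ip, dst_port, now):
        """Map a packet arriving from the global side to (local ip, local port).
        Returns None when no xlate exists: the translator never creates one for
        a global-side initiator, so the packet has nothing to map to."""
        self._expire(now)
        x = self.by_global.get((dst_ip, dst_port)) or self.by_global.get((dst_ip, 0))
        if x is None:
            return None
        x.last_used = now
        local_ip, local_port = x.local
        return (local_ip, local_port or dst_port)
```

With a two-address pool and a 120-second timeout, the first two local hosts each receive a pool address, the third host is translated with PAT, and after the timeout the first host's inbound lookups fail until it sends again, at which point it may receive a different address.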
Dynamic PAT allows you to use a single global address, which helps to conserve
routable addresses. Dynamic PAT does not work with some multimedia
applications that have a data stream on a port that is different from the control path
port.
The ACE is configured in one-arm mode, that is, there is only one VLAN
between the ACE and the Cisco Systems 6500 and 7600 Series Catalyst
MSFC that is used for both client and server traffic. Both the primary and
backup server farms are in the internal customer network (reachable from the
same VLAN or from different VLANs), the primary server farm is Layer
2-attached, and the backup server farm is several Layer 3 hops away. In this
case, perform NAT only for the backup server farm and never for the primary
server farm.
The ACE is configured in one-arm mode, the primary server farm is local, and
the backup server farm is remote and reachable from the public, external
network. In this case, use a private pool of IP addresses for SNAT of the
primary server farm and a public, externally routable set of IP addresses for
the backup server farm.
You want to perform source NAT based on a Layer 7 rule or the selected
server farm.
For details about configuring server farm-based dynamic NAT, see the
Configuring Server Farm-Based Dynamic NAT section.
Static NAT
Static NAT, which is typically used for Destination NAT (DNAT), translates each
local address to a fixed global address. With dynamic NAT and PAT, each host
uses a different address or port after the translation times out. Because the global
address is the same for each consecutive connection with static NAT, and a
persistent translation rule exists, static NAT allows hosts on the global network to
initiate traffic to a local host (if there is an ACL that allows it).
The main differences between dynamic NAT and static NAT are as follows:
With static NAT, you need an equal number of global IP addresses and local
IP addresses. With dynamic NAT, you can have a pool of fewer global
addresses than local addresses.
This IPv6 implementation is useful for load balancing packets from an IPv6-only
network to an IPv4-only server farm or an IPv4-only network to an IPv6-only
server farm. Be sure to configure the insertion of the X-Forwarded-For HTTP
header field with the source address to ensure that the servers of one protocol can
log the client addresses of the other protocol. For more information, see the
Configuring NAT for IPv6 to IPv4 Load Balancing section and the
Configuring NAT for IPv4 to IPv6 Load Balancing section.
nat command: 8192
nat-pool command: 8192
Addresses on the same network as the global interface: If you use addresses
on the same network as the global interface (through which traffic exits the
ACE), the ACE uses proxy ARP to answer any requests for translated
addresses and thus intercepts traffic destined for a local address. This solution
simplifies routing, because the ACE does not need to be the gateway for any
additional networks. However, this approach does put a limit on the number
of available addresses used for translations.
Note
You cannot use the IP address of the global interface for NAT or PAT.
You cannot configure global IP address ranges across subnets. For example,
the following command is not allowed and will generate an Invalid IP address
error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0.
For IPv4, you must configure a netmask when you configure a NAT pool. A
netmask of 255.255.255.255 instructs the ACE to use all the IP addresses in
the range.
For IPv6, you must configure a prefix length when you configure a NAT pool.
For example, /64.
To reset the NAT idle timeout to the default value of 10800 seconds, enter:
host1/Admin(config)# no timeout xlate 120
Configuring an ACL
Applying the Dynamic NAT and PAT Policy Map to an Interface Using a Service Policy
If you are operating in multiple contexts, observe the CLI prompt to verify
that you are operating in the desired context. If necessary, change to the
correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the C1 user context, unless
otherwise specified. For details on creating contexts, see the Virtualization
Guide, Cisco ACE Application Control Engine.
Table 5-1
6. Configure a class map and define a match statement for the ACL that you
configured in Step 3 for the client source address.
host1/C1(config)# class-map match-any NAT_CLASS
host1/C1(config-cmap)# match access-list NAT_ACCESS
host1/C1(config-cmap)# exit
7. Configure a policy map and associate the class map with the policy map.
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)#
9. Activate the policy on the client interface using a service policy. If you are
operating the ACE in one-arm mode, configure the service-policy
command on the interface specified in Step 10.
host1/C1(config)# interface vlan 100
host1/C1(config-if)# service-policy input NAT_POLICY
host1/C1(config-if)# ctrl-z
configure dynamic PAT, include the pat keyword in the nat-pool command.
host1/C1(config)# interface vlan 200
host1/C1(config-if)# nat-pool 1 2001:DB8:1::10 2001:DB8:1::41 pat
host1/C1(config-if)# Ctrl-Z
or
host1/C1(config)# interface vlan 200
host1/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.41 netmask 255.255.255.0 pat
host1/C1(config-if)# Ctrl-Z
12. Display and verify your dynamic NAT and PAT configuration.
host1/C1# show running-config class-map
host1/C1# show running-config policy-map
host1/C1# show running-config service-policy
Configuring an ACL
You can use a security access control list (ACL) to permit the traffic that requires
NAT. For details about configuring an ACL, see Chapter 1, Configuring Security
Access Control Lists.
Note
If a packet egresses an interface that you have not configured for NAT, the ACE
transmits the packet untranslated.
To create a pool of IP addresses for dynamic NAT, use the nat-pool command in
interface configuration mode.
IPv6 Syntax and Examples
Note
If you configure more than one NAT pool with the same ID, the ACE
uses the last-configured NAT pool first, and then the other NAT pools.
Note
If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT
rule, if configured. For example, you can configure the following:
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::10/64 2001:DB8:1::99/64
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::100/64 2001:DB8:1::100/64 pat
If your network configuration has the following conditions, you should configure
multiple PAT pools with a single IP address in each pool:
So instead of configuring:
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::3 2001:DB8:1::5 pat
configure:
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::3/64 pat
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::4/64 pat
host1/Admin(config-if)# nat-pool 1 2001:DB8:1::5/64 pat
Note
Before you can remove a NAT pool from an interface, you must remove the
service policy and the policy map associated with the NAT pool.
To remove a NAT pool from the configuration, enter:
host1/C1(config-if)# no nat-pool 1
Note
If you configure more than one NAT pool with the same ID, the ACE
uses the last-configured NAT pool first, and then the other NAT pools.
Note
netmask mask: Specifies the subnet mask for the IP address pool. Enter a
mask in dotted-decimal notation (for example, 255.255.255.255). A network
mask of 255.255.255.255 instructs the ACE to use all the IP addresses in the
specified range.
If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT
rule, if configured. For example, you can configure the following:
host1/Admin(config-if)# nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255
host1/Admin(config-if)# nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 pat
If your network configuration has the following conditions, you should configure
multiple PAT pools with a single IP address in each pool:
So instead of configuring:
host1/Admin(config-if)# nat-pool 1 3.3.3.3 3.3.3.5 netmask 255.255.255.255 pat
configure:
host1/Admin(config-if)# nat-pool 1 192.161.12.3 netmask 255.255.255.255 pat
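A practitioner can check nat-pool lines offline before pushing them to an ACE. The following Python checker is an added example, not the ACE parser. The rules it applies are the ones stated in this chapter: an IPv4 pool needs a netmask, a range may not cross a subnet boundary (the page's nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0 is rejected with an Invalid IP address error), a netmask of 255.255.255.255 means every address in the range is used, an IPv6 pool needs a prefix length, and when several pools share an ID the last-configured one is tried first. One rule is this example's own assumption, not stated on the page: with a mask other than 255.255.255.255 it leaves the subnet's network and broadcast addresses out of the usable set.

```python
"""Offline checks for nat-pool lines. Added example; not ACE code and not a
reproduction of the ACE parser. Rules follow the page except where marked
as an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatPool:
    pool_id: int
    first: str           # first address (IPv6: with /prefix)
    last: str            # last address; equals first for a single-address pool
    mask: Optional[str]  # IPv4 netmask, None for IPv6
    pat: bool            # True when the pat keyword is present


def parse_nat_pool(line: str) -> NatPool:
    """Split 'nat-pool ID FIRST [LAST] [netmask MASK] [pat]' into its parts."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "nat-pool" or not tokens[1].isdigit():
        raise ValueError(f"not a nat-pool command: {line!r}")
    rest = tokens[2:]
    pat = rest[-1] == "pat"
    if pat:
        rest = rest[:-1]
    mask = None
    if "netmask" in rest:
        i = rest.index("netmask")
        if i + 1 >= len(rest):
            raise ValueError("netmask keyword without a mask")
        mask = rest[i + 1]
        rest = rest[:i] + rest[i + 2:]
    if not 1 <= len(rest) <= 2:
        raise ValueError(f"expected one or two addresses: {line!r}")
    return NatPool(int(tokens[1]), rest[0], rest[-1], mask, pat)


def expand_pool(pool: NatPool) -> list:
    """Return the usable global addresses of a pool, or raise ValueError."""
    if ":" in pool.first:                                  # IPv6 pool
        if "/" not in pool.first or "/" not in pool.last:
            raise ValueError("IPv6 NAT pool requires a prefix length, for example /64")
        lo = ipaddress.IPv6Interface(pool.first)
        hi = ipaddress.IPv6Interface(pool.last)
        if lo.network != hi.network:
            raise ValueError("Invalid IP address: range crosses a subnet boundary")
        return [str(ipaddress.IPv6Address(n)) for n in range(int(lo.ip), int(hi.ip) + 1)]
    if pool.mask is None:
        raise ValueError("IPv4 NAT pool requires a netmask")
    lo = ipaddress.IPv4Address(pool.first)
    hi = ipaddress.IPv4Address(pool.last)
    if hi < lo:
        raise ValueError("last address precedes first address")
    if pool.mask == "255.255.255.255":
        # Page rule: a host mask means use every address in the range.
        return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]
    net = ipaddress.IPv4Network(f"{lo}/{pool.mask}", strict=False)
    if hi not in net:
        raise ValueError("Invalid IP address: range crosses a subnet boundary")
    # Assumption of this example only: skip the network and broadcast addresses.
    skip = {net.network_address, net.broadcast_address}
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)
            if ipaddress.IPv4Address(n) not in skip]


def pools_by_id(lines):
    """Group parsed pools by ID. Within an ID the last-configured pool is
    placed first, which is the order the page says the ACE tries them in;
    a caller can flag IDs with more than one pool for review."""
    by_id = {}
    for line in lines:
        p = parse_nat_pool(line)
        by_id.setdefault(p.pool_id, []).insert(0, p)
    return by_id
```

Run expand_pool over every nat-pool line of a candidate configuration and any ValueError names the line the ACE would reject; pools_by_id shows where two pools share an ID and which one the ACE would consult first.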
Note
Before you can remove a NAT pool from an interface, you must remove the
service policy and the policy map associated with the NAT pool.
To remove a NAT pool from the configuration, enter:
host1/C1(config-if)# no nat-pool 1
Enter match criteria for the ACL or the client source address using the match
command in class-map configuration mode. For example, to set the match criteria
to an existing ACL, enter the following command:
host1/C1(config-cmap)# match access-list NAT_ACCESS
or
For IPv6, enter:
host1/C1(config-cmap)# match source-address 2001:DB8:1::10/64
Associate the previously created class map with the policy map. For example,
enter:
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)#
Note
The loadbalance vip inservice command is not valid with a match access-list or
a match source-address class map.
For passive FTP, associate the FTP_NAT_CLASS class map (see the Configuring
a Class Map for Passive FTP section) with the Layer 4 policy map. For example,
enter the following commands in policy map configuration mode:
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)# class FTP_NAT_CLASS
If you are using passive FTP, proceed with the following section and configure the
nat dynamic command as a policy action under the FTP class map. Otherwise,
configure the nat dynamic command as a policy action under the NAT_CLASS
class map.
Note
vlan number: Specifies the server interface for the global IP address. This
interface must be different from the interface that the ACE uses to filter and
receive traffic that requires NAT, unless the network design operates in
one-arm mode. In that case, the VLAN number is the same.
If a packet egresses an interface that you have not configured for NAT, the ACE
transmits the packet untranslated.
The following example specifies the nat command as an action for a dynamic
NAT Layer 3 and Layer 4 policy map:
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)# nat dynamic 1 vlan 200
Note
You can configure dynamic NAT as an input service policy only, not as an output
service policy. You cannot apply the same NAT policy both locally and globally.
The syntax of this command is as follows:
service-policy input policy_name
The keywords and arguments are as follows:
Note
When you detach a traffic policy either individually from the last VLAN interface
on which you applied the service policy or globally from all VLAN interfaces in
the same context, the ACE automatically resets the associated service-policy
statistics. The ACE performs this action to provide a new starting point for the
service-policy statistics the next time that you attach a traffic policy to a specific
VLAN interface or globally to all VLAN interfaces in the same context.
address, you must configure the X-Forwarded-For: HTTP header on the ACE. For
example, the following configuration shows how to implement NAT IPv6 to IPv4
load balancing:
access-list ALL line 8 extended permit ip any any
access-list V6-ANY line 8 extended permit ip anyv6 anyv6

rserver host RS1
  ip address 10.1.1.21
  inservice
rserver host RS2
  ip address 10.1.1.22
  inservice

class-map match-any L4_V6_HTTP-1
  match virtual-address 2001:2001:2001:2001::2011/64 tcp eq www
class-map type management match-all V6-MGMT
  match protocol icmpv6 anyv6
class-map type management match-any MANAGEMENT
  match protocol ssh any
  match protocol https any
  match protocol icmp any
  match protocol http any
  match protocol telnet any
  match protocol snmp any

The following configuration shows NAT IPv4 to IPv6 load balancing (IPv4 VIP,
IPv6 real servers):

rserver host v6_rs1
  ip address 2001:DB6:1::10
  inservice
rserver host v6_rs2
  ip address 2001:DB6:1::11
  inservice

  rserver v6_rs2
    inservice

class-map match-any L4_HTTP-1
  2 match virtual-address 192.168.12.20 tcp eq www
class-map type management match-any management
  2 match protocol ssh any
  3 match protocol https any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol telnet any
  8 match protocol snmp any
Applying the Layer 3 and Layer 4 Policy Map to an Interface Using a Service Policy
Table 5-2
If you are operating in multiple contexts, observe the CLI prompt to verify
that you are operating in the desired context. If necessary, change to the
correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the C1 user context, unless
otherwise specified. For details on creating contexts, see the Virtualization
Guide, Cisco ACE Application Control Engine.
Configure real servers with an IPv4 or an IPv6 address and a server farm for
load balancing. The nat dynamic command in Step 9 references this server
farm.
host1/C1(config)# rserver SERVER1
host1/C1(config-rserver-host)# ip address 2001:DB8:2::201/64
or
host1/C1(config-rserver-host)# ip address 172.27.16.201
host1/C1(config-rserver-host)# inservice
host1/C1(config-rserver-host)# exit
host1/C1(config)# rserver SERVER2
host1/C1(config-rserver-host)# ip address 2001:DB8:2::202/64
or
host1/C1(config-rserver-host)# ip address 172.27.16.202
host1/C1(config-rserver-host)# inservice
host1/C1(config-rserver-host)# exit
host1/C1(config)# serverfarm SF1
host1/C1(config-sfarm-host)# rserver SERVER1 3000
host1/C1(config-sfarm-host-rs)# inservice
host1/C1(config-sfarm-host-rs)# exit
host1/C1(config-sfarm-host)# rserver SERVER2 3001
host1/C1(config-sfarm-host-rs)# inservice
host1/C1(config-sfarm-host-rs)# exit
host1/C1(config-sfarm-host)# exit
5. Configure a local interface (client VLAN) to filter and receive client traffic.
If you are operating the ACE in one-arm mode, omit this step.
host1/C1(config)# interface vlan 100
host1/C1(config-if)# mtu 1500
host1/C1(config-if)# ip address 2001:DB8:3::100/64
or
host1/C1(config-if)# ip address 192.168.12.100 255.255.255.0
host1/C1(config-if)# no shutdown
host1/C1(config-if)# exit
8. Configure a Layer 7 load-balancing policy map and associate the class map
with the policy map.
host1/C1(config)# policy-map type loadbalance http first-match L7_POLICY
host1/C1(config-pmap-lb)# class L7_CLASS
host1/C1(config-pmap-lb-c)#
10. Configure a Layer 3 and Layer 4 class map and define match criteria.
host1/C1(config)# class-map match-any SLB_CLASS
host1/C1(config-cmap)# match virtual-address 2001:DB8:2::/64 tcp eq http
host1/C1(config-cmap)# exit
13. Activate the policy on the client interface using a service policy. If you are
16. Display and verify your server farm-based dynamic NAT configuration.
host1/C1# show running-config class-map
host1/C1# show running-config policy-map
host1/C1# show running-config service-policy
Note
If a packet egresses an interface that you have not configured for NAT, the ACE
transmits the packet untranslated.
To create a pool of IPv6 addresses for dynamic NAT, use the nat-pool command
in interface configuration mode.
Note
If you plan to apply both IPv6 and IPv4 addresses under the same NAT pool
because your configuration includes a mixed mode server farm (a mixture of IPv6
and IPv4 servers), also refer to the Configuring a Mixed Mode (IPv6 and IPv4)
Server Farm section for additional configuration information.
Note
If you configure more than one NAT pool with the same ID, the ACE
uses the last-configured NAT pool first, and then the other NAT pools.
Note
Before you can remove a NAT pool from an interface, you must remove the
service policy and the policy map associated with the NAT pool.
To remove a NAT pool from the configuration, enter:
host1/C1(config-if)# no nat-pool 1
To create a pool of IP addresses for dynamic NAT, use the nat-pool command in
interface configuration mode. The syntax of this command is as follows:
nat-pool pool_id ip_address1 ip_address2 netmask mask
The keywords, arguments, and options are as follows:
Note
If you configure more than one NAT pool with the same ID, the ACE
uses the last-configured NAT pool first, and then the other NAT pools.
Note
netmask mask: Specifies the subnet mask for the IP address pool. Enter a
mask in dotted-decimal notation (for example, 255.255.255.255). A network
mask of 255.255.255.255 instructs the ACE to use all the IP addresses in the
specified range.
Note
Before you can remove a NAT pool from an interface, you must remove the
service policy and the policy map associated with the NAT pool.
To remove a NAT pool from the configuration, enter:
host1/C1(config-if)# no nat-pool 1
Enter match criteria as required using the match command in class-map load
balancing configuration mode. For example, enter:
host1/C1(config-cmap-http-lb)# match http content .*cisco.com
To associate the previously created class map with the policy map, use the
class command. For example, enter:
host1/C1(config-pmap-lb)# class L7_CLASS
host1/C1(config-pmap-lb-c)#
Note
If you configure more than one NAT pool with the same ID, the ACE
uses the last-configured NAT pool first, and then the other NAT pools.
vlan number: Specifies the server interface for the global IP address. This
interface must be different from the interface that the ACE uses to filter and
receive traffic that requires NAT, unless the network design operates in
one-arm mode. In that case, the VLAN number is the same.
If a packet egresses an interface that you have not configured for NAT, the ACE
transmits the packet untranslated.
The following SNAT server farm-based dynamic NAT example specifies the nat
command as an action for a Layer 7 policy map:
host1/C1(config)# policy-map type loadbalance http first-match L7_POLICY
host1/C1(config-pmap-lb)# class L7_CLASS
host1/C1(config-pmap-lb-c)# nat dynamic serverfarm primary 1 vlan 200
To remove a server farm-based dynamic NAT action from a policy map, enter:
host1/C1(config-pmap-lb-c)# no nat dynamic serverfarm primary 1 vlan 200
or
For IPv6, enter:
host1/C1(config-cmap)# match source-address 2001:DB8:1::10/64
The name argument is the name assigned to the policy map. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)#
To associate the previously created class map with the policy map, use the
class command. For example, enter:
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)#
Note
You can configure dynamic NAT as an input service policy only, not as an output
service policy. You cannot apply the same NAT policy both locally and globally.
The syntax of this command is as follows:
service-policy input policy_name
The keywords and arguments are as follows:
Note
When you remove a traffic policy from the last VLAN interface on which you
applied the service policy, the ACE automatically resets the associated
service-policy statistics. The ACE performs this action to provide a new starting
point for the service-policy statistics the next time that you attach a traffic policy
to a specific VLAN interface.
If using an IPv4 VIP and you associate a mixed mode server farm with this
VIP under a load-balancing policy map, create a NAT pool that converts IPv4
addresses to IPv6 addresses in case the ACE selects the IPv6 real server as
part of the load-balancing process (see Creating a Global IP Address Pool
for Dynamic NAT).
For packets being sent to IPv4 real servers, you may want to optionally apply
a NAT policy. In this case:
a. Create an IPv4 NAT pool.
b. Configure both the IPv4 and IPv6 NAT pools under the interface that is
Included below is a sample configuration for a mixed mode server farm. It builds
on the procedures outlined in this section to configure server farm-based dynamic
NAT.
rserver host v6
  ip address 2001:500:407::25
  inservice
rserver host v6_1
  ip address 2001:500:407::26
  inservice
rserver host v6_2
  ip address 2001:500:407::27
  inservice
rserver host v4
  ip address 40.0.7.25
  inservice
rserver host v4_1
  ip address 40.0.7.26
  inservice
rserver host v4_2
  ip address 40.0.7.27
  inservice
rserver host v4_3
  ip address 40.0.7.28
  inservice

  class vip
    loadbalance vip inservice
    loadbalance policy l7
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 407
Applying the Static NAT and Static Port Redirection Policy Map to an Interface Using a Service Policy
Note
The ACE supports static NAT only for IPv6 to IPv6 and IPv4 to IPv4 translations.
Mixed mode is not supported.
Table 5-3
If you are operating in multiple contexts, observe the CLI prompt to verify
that you are operating in the desired context. If necessary, change to the
correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the C1 user context, unless
otherwise specified. For details on creating contexts, see the Virtualization
Guide, Cisco ACE Application Control Engine.
Configure a local interface to filter and receive traffic that requires NAT.
host1/C1(config)# interface vlan 100
host1/C1(config-if)# mtu 1500
host1/C1(config-if)# ip address 2001:DB8:3::100/64
or
host1/C1(config-if)# ip address 192.168.1.100 255.255.255.0
host1/C1(config-if)# no shutdown
host1/C1(config-if)# exit
7. Configure a policy map and associate the class map with the policy map.
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)#
11. Display and verify your static NAT and static port redirection configuration.
host1/C1# show running-config class-map
host1/C1# show running-config policy-map
or
host1/C1(config-cmap)# match source address 192.168.12.15
The name argument is the name assigned to the policy map. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)#
To associate the previously created class map with the policy map, use the
class command. For example, enter:
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)#
Note
The ACE supports static NAT only for IPv6 to IPv6 and IPv4 to IPv4
translations. Mixed mode is not supported.
netmask mask: Specifies the subnet mask for the static IP address. Enter a
subnet mask in dotted-decimal notation (for example, 255.255.255.0).
port1: Global TCP or UDP port for static port redirection. Enter an integer
from 0 to 65535.
Table 5-4
Keyword     Port Number   Description
ftp         21
http        80
https       443
irc         194
matip-a     350
nntp        119
pop2        109
pop3        110
rtsp        554
smtp        25
telnet      23            Telnet
Table 5-5
Keyword        Port Number   Description
dns            53
wsp            9200
wsp-wtls       9202
wsp-wtp        9201          Connection-based WSP
wsp-wtp-wtls   9203
Note
If a packet egresses an interface that you have not configured for NAT, the ACE
transmits the packet untranslated.
The following DNAT static port redirection example specifies the nat static
command as an action for a static NAT policy map:
host1/C1(config)# policy-map multi-match NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)# nat static 2001:DB8:1::/64 80 vlan 101
or
host1/C1(config-pmap-c)# nat static 192.168.12.0 255.255.255.0 80 vlan 101
Applying the Static NAT and Static Port Redirection Policy Map to an Interface Using a Service Policy
You can activate the static NAT and port redirection policy and assign it to an
interface by using the service-policy command in interface configuration mode.
For details about the service-policy command, see the Administration Guide,
Cisco ACE Application Control Engine.
Note
You can configure static NAT as an input service policy only; you cannot
configure it as an output service policy.
The syntax of this command is as follows:
service-policy input policy_name
The keywords and arguments are as follows:
Note
When you remove a traffic policy from the last VLAN interface on which you
applied the service policy, the ACE automatically resets the associated
service-policy statistics. The ACE performs this action to provide a new starting
point for the service-policy statistics the next time that you attach a traffic policy
to a specific VLAN interface.
You can also use the show conn command to display NAT information. See the
examples in the following sections.
This section contains the following topics:
When you use Telnet from 2001:DB8:1::5 in VLAN 2020, the ACE translates it
to 2001:DB8:2::1 in VLAN 2021.
host1/Admin# show xlate global 2001:DB8:1::1 2001:DB8:1::10
NAT from vlan2020:2001:DB8:1::5 to vlan2021:2001:DB8:2::1 count:1
IPv4 Example
When you use Telnet from 172.27.16.5 in VLAN 2020, the ACE translates it to
192.168.100.1 in VLAN 2021.
host1/Admin# show xlate global 192.168.100.1 192.168.100.10
When you use Telnet from 2001:DB8:1::5 in VLAN 2020, the ACE translates it
to 2001:DB8:2::1 in VLAN 2021.
host1/Admin# show xlate
TCP PAT from vlan2020:2001:DB8:1::5/38097 to vlan2021:2001:DB8:2::1/1025
IPv4 Example
When you use Telnet from 172.27.16.5 in VLAN 2020, the ACE translates it to
192.168.201.1 in VLAN 2021.
host1/Admin# show xlate
TCP PAT from vlan2020:172.27.16.5/38097 to vlan2021:192.168.201.1/1025
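The show xlate lines quoted in this section are easy to aggregate once parsed, for instance to count how many PAT translations each local host holds, which is where a pool or port exhaustion problem first becomes visible. The following Python parser is an added example, not ACE code; its regular expression is built from the two line formats shown above (the wrapped IPv6 PAT line joined back together), and the fourth sample line is constructed to give one host a second translation. The record field names are this example's own.

```python
"""Parser and per-host counter for ACE 'show xlate' output lines.
Added example; not ACE code. Sample lines are copied from the page except
the last one, which is constructed.
"""
import re
from collections import Counter

# Matches both formats shown on the page:
#   NAT from vlan2020:2001:DB8:1::5 to vlan2021:2001:DB8:2::1 count:1
#   TCP PAT from vlan2020:172.27.16.5/38097 to vlan2021:192.168.201.1/1025
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"vlan(?P<lvlan>\d+):(?P<local>\S+)\s+to\s+"
    r"vlan(?P<gvlan>\d+):(?P<global>\S+)"
    r"(?:\s+count:(?P<count>\d+))?\s*$"
)


def _split_endpoint(text):
    """'addr/port' -> (addr, port); a bare address (dynamic NAT) -> (addr, None).
    IPv6 addresses contain ':' so the port is taken after the last '/' only."""
    addr, sep, port = text.rpartition("/")
    if not sep:
        return text, None
    return addr, int(port)


def parse_xlate_line(line):
    """Return a record for one xlate line, or None for prompts and other text."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    local_ip, local_port = _split_endpoint(m.group("local"))
    global_ip, global_port = _split_endpoint(m.group("global"))
    return {
        "kind": m.group("kind"),                 # "NAT" or "PAT"
        "proto": m.group("proto"),               # "TCP", "UDP" or None for NAT
        "local_vlan": int(m.group("lvlan")),
        "local": (local_ip, local_port),
        "global_vlan": int(m.group("gvlan")),
        "global": (global_ip, global_port),
        "count": int(m.group("count")) if m.group("count") else None,
    }


def pat_xlates_per_host(lines):
    """Count PAT translations per local address. A host far above its peers is
    the one consuming the shared global address's port range."""
    counts = Counter()
    for line in lines:
        rec = parse_xlate_line(line)
        if rec and rec["kind"] == "PAT":
            counts[rec["local"][0]] += 1
    return counts


SAMPLE_OUTPUT = [
    # lines quoted on the page (IPv6 PAT line joined back onto one line)
    "NAT from vlan2020:2001:DB8:1::5 to vlan2021:2001:DB8:2::1 count:1",
    "TCP PAT from vlan2020:2001:DB8:1::5/38097 to vlan2021:2001:DB8:2::1/1025",
    "TCP PAT from vlan2020:172.27.16.5/38097 to vlan2021:192.168.201.1/1025",
    # constructed extra entry for the same IPv4 host, to show the per-host count
    "TCP PAT from vlan2020:172.27.16.5/38098 to vlan2021:192.168.201.1/1026",
]
```

Feed the captured output of show xlate (one line per entry) to pat_xlates_per_host and compare the counts against a baseline for the context; the parser ignores the prompt line and any other text.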
Clearing Xlates
You can clear the global address-to-local address mapping information based on
the global address, the global port, the local address, the local port, the interface
address as the global address, and the NAT type by using the clear xlate command
in Exec mode. When you enter this command, the ACE releases sessions that are
using the translations (Xlates).
IPv6 Syntax and Examples
Note
start_port: A single global port number or the starting global or local port
number in a range of ports.
If you configured redundancy, then you need to explicitly clear Xlates on both the
active and the standby ACEs. Clearing Xlates on the active ACE alone will leave
the standby ACE's Xlates at the old mappings.
For example, to clear all static translations, enter:
host1/Admin# clear xlate state static
Note
start_port: A single global or local port number or the starting port number
in a range of global or local port numbers.
If you configured redundancy, then you need to explicitly clear Xlates on both the
active and the standby ACEs. Clearing Xlates on the active ACE alone will leave
the standby ACE's Xlates at the old mappings.
For example, to clear all static translations, enter:
host1/Admin# clear xlate state static
rserver SERVER1
ip address 172.27.16.3
inservice
rserver SERVER2
ip address 172.27.16.4
inservice
serverfarm SFARM1
rserver SERVER1
inservice
rserver SERVER2
inservice
class-map type http loadbalance match-any L7_CLASS
match http content .*cisco.com
class-map match-any NAT_CLASS
match access-list NAT_ACCESS
policy-map type loadbalance http first-match L7_POLICY
class L7_CLASS
serverfarm SFARM1
nat dynamic 1 vlan 200 serverfarm primary
policy-map multi-match NAT_POLICY
class NAT_CLASS
loadbalance policy L7_POLICY
loadbalance vip inservice
interface vlan 100
mtu 1500
ip address 192.168.1.100 255.255.255.0
service-policy input NAT_POLICY
no shutdown
interface vlan 200
mtu 1500
ip address 172.27.16.2 255.255.255.0
nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0
no shutdown
HTTP packets that are destined to 192.0.0.0/8 and ingressing the ACE on VLAN
101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are
hosting HTTP on custom port 8080.
access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
class-map match-any NAT_CLASS
match access-list acl1
policy-map multi-match NAT_POLICY
class NAT_CLASS
nat static 192.0.0.0 255.0.0.0 80 vlan 101
interface vlan 100
mtu 1500
ip address 192.168.1.100 255.255.255.0
service-policy input NAT_POLICY
no shutdown
interface vlan 101
mtu 1500
ip address 172.27.16.100 255.255.255.0
no shutdown
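As an added illustration of what the static port redirection rule in the example above does to each packet (this is not ACE code), the following Python models the mapping: network bits swapped between 192.0.0.0/8 and 10.0.0.0/8, host bits preserved, port 80 redirected to 8080, and the same fixed mapping applied in both directions, which is why static NAT lets a global-side host reach a local server when an ACL permits it. It also enforces the restriction noted earlier in the chapter that static NAT is IPv4 to IPv4 or IPv6 to IPv6 only. The class and method names are this example's own.

```python
"""Model of an ACE static NAT rule with port redirection.
Added illustration only; not ACE code. Networks and ports in the tests are
the page's example values (192.0.0.0/8:80 <-> 10.0.0.0/8:8080).
"""
import ipaddress


class StaticPortRedirect:
    def __init__(self, local_net, local_port, global_net, global_port):
        self.local_net = ipaddress.ip_network(local_net)
        self.global_net = ipaddress.ip_network(global_net)
        if self.local_net.version != self.global_net.version:
            raise ValueError("static NAT is IPv4 to IPv4 or IPv6 to IPv6 only")
        if self.local_net.prefixlen != self.global_net.prefixlen:
            raise ValueError("local and global networks must use the same mask")
        self.local_port = local_port
        self.global_port = global_port

    @staticmethod
    def _rebase(addr, src_net, dst_net):
        """Keep the host bits of addr; swap src_net's network bits for dst_net's."""
        host_bits = int(addr) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + host_bits)

    def to_local(self, dst_ip, dst_port):
        """Global-side packet (the DNAT direction): (local ip, local port), or
        None when the rule does not apply and no translation takes place."""
        ip = ipaddress.ip_address(dst_ip)
        if ip not in self.global_net or dst_port != self.global_port:
            return None
        return str(self._rebase(ip, self.global_net, self.local_net)), self.local_port

    def to_global(self, src_ip, src_port):
        """Reply or server-initiated packet: (global ip, global port), or None.
        The mapping is fixed, so the same local host always gets the same
        global address, unlike dynamic NAT or PAT."""
        ip = ipaddress.ip_address(src_ip)
        if ip not in self.local_net or src_port != self.local_port:
            return None
        return str(self._rebase(ip, self.local_net, self.global_net)), self.global_port
```

The mapping for the example's rule translates 192.0.5.7:80 to 10.0.5.7:8080 and back; traffic to another port or to an address outside 192.0.0.0/8 is left alone.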