Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Network Address Translation

From DocWiki

Latest revision as of 21:31, 11 March 2011

This article describes ACE network address translation (NAT), how to configure it, and how to troubleshoot issues with NAT that you may encounter.

Overview of ACE Network Address Translation

You can configure the ACE to translate a client source IP address to a routable address in the server's network. This process is called source NAT (SNAT). If you want to preserve the client source IP address, do not configure SNAT.

You can also configure the ACE to translate the private address of a server to a global IP address that is accessible to clients. This process is called destination NAT (DNAT) and protects the server by hiding its real IP address from the Internet.

Besides translating IP addresses, you can configure the ACE to translate TCP and UDP ports. This process is called port address translation (PAT).

The ACE provides the following types of NAT and PAT:

• Interface-based dynamic NAT
• Interface-based dynamic PAT
• Server farm-based dynamic NAT
• Static NAT
• Static port redirection

NAT Configuration Guidelines and Restrictions

When you configure NAT and PAT on your ACE, keep in mind the following NAT and PAT guidelines and restrictions:

• If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.
• You can configure dynamic NAT or static NAT as an input service policy only; you cannot configure it as an output service policy.
• When you remove a traffic policy from the last VLAN interface on which you applied the service policy, the ACE automatically resets the associated service-policy statistics. The ACE performs this action to provide a new starting point for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface.

Configuring Dynamic NAT and PAT

Dynamic NAT is typically used for SNAT. When you configure dynamic NAT and PAT, be sure to configure an interface for the client-side VLAN and an interface for the server-side VLAN.

The following SNAT configuration example shows the commands that you use to configure dynamic NAT and PAT on your ACE. In this SNAT example, packets that ingress the ACE from the 192.168.12.0 network are translated to one of the IP addresses in the NAT pool defined on VLAN 200 by the nat-pool command. The pat keyword indicates that ports higher than 1024 are also translated.

Note:

If you are operating the ACE in one-arm mode, omit the client-side interface VLAN 100 and configure the service policy on interface VLAN 200.

access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http

class-map match-any NAT_CLASS
  match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200

interface vlan 100
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

interface vlan 200
  mtu 1500
  ip address 172.27.16.2 255.255.255.0
  nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat
  no shutdown

Configuring Server-Farm Based Dynamic NAT

The following SNAT configuration example shows the commands that you use to configure server farm-based dynamic NAT on your ACE. In this SNAT example, real server addresses on the 172.27.16.0 network are translated to one of the IP addresses in the NAT pool defined on VLAN 200 by the nat-pool command.

Note:

If you are operating the ACE in one-arm mode, omit interface VLAN 100 and configure the service policy on interface VLAN 200.

access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http

rserver SERVER1
  ip address 172.27.16.3
  inservice
rserver SERVER2
  ip address 172.27.16.4
  inservice

serverfarm SFARM1
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
class-map type http loadbalance match-any L7_CLASS
  match http content .*cisco.com
class-map match-any NAT_CLASS
  match access-list NAT_ACCESS

policy-map type loadbalance http first-match L7_POLICY
  class L7_CLASS
    serverfarm SFARM1
    nat dynamic 1 vlan 200 serverfarm primary
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    loadbalance policy L7_POLICY
    loadbalance vip inservice

interface vlan 100
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

interface vlan 200
  mtu 1500
  ip address 172.27.16.2 255.255.255.0
  nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0
  no shutdown

Configuring Static NAT and Port Redirection

The following DNAT configuration example shows those sections of the running configuration that are related to the commands necessary to configure static NAT and port redirection on your ACE. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingress the ACE on VLAN 101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.

access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
 
class-map match-any NAT_CLASS
  match access-list acl1

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat static 192.0.0.0 255.0.0.0 80 vlan 101
 
interface vlan 100
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

interface vlan 101
  mtu 1500
  ip address 172.27.16.100 255.255.255.0
  no shutdown

Configuring SNAT with Cookie and Load Balancing

The following configuration example shows those commands necessary to configure SNAT (dynamic NAT) with cookie load balancing. Any source host that sends traffic to the VIP 20.11.0.100 is translated to one of the free addresses in the NAT pool in the range 30.11.100.1 to 30.11.200.1, inclusive. If you want to use PAT instead of NAT, replace nat dynamic 1 vlan 2021 with nat dynamic 2 vlan 2021 in the L7SLBCookie policy map.

server host http
  ip address 30.11.0.10
  inservice
serverfarm host httpsf
  rserver http
    inservice

class-map match-any vip4
  2 match virtual-address 20.11.0.100 tcp eq www
class-map type http loadbalance match-any L7SLB_Cookie
  3 match http cookie JG cookie-value “.*”

policy-map type loadbalance first-match L7SLB_Cookie
  class L7SLB_Cookie
    serverfarm httpsf
policy-map multi-match L7SLBCookie
  class vip4
    loadbalance vip inservice
    loadbalance L7SLB_Cookie
    nat dynamic 1 vlan 2021 

interface vlan 2020
  ip address 20.11.0.2 255.255.0.0
  alias 20.11.0.1 255.255.0.0
  peer ip address 20.11.0.3 255.255.0.0
  service-policy input L7SLBCookie 
  no shutdown
interface vlan 2021
  ip address 30.11.0.2 255.255.0.0
  alias 30.11.0.1 255.255.0.0
  peer ip address 30.11.0.3 255.255.0.0
  fragment min-mtu 68
  nat-pool 2 30.11.201.1 30.11.201.1 netmask 255.255.255.255 pat
  nat-pool 3 30.11.202.1 30.11.202.3 netmask 255.255.255.255
  nat-pool 1 30.11.100.1 30.11.200.1 netmask 255.255.255.255 
  no shutdown

Troubleshooting ACE NAT and PAT

To verify your NAT and PAT configurations and make any necessary corrections, follow these steps:

1. Display your NAT and PAT configurations by entering the following commands:

ACE_module5/Admin# show running-config class-map

class-map match-any L4_CLASS
  2 match access-list ACL1

ACE_module5/Admin# show running-config policy-map

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200

ACE_module5/Admin# show service-policy NAT_POLICY

Status     : ACTIVE
-----------------------------------------
Interface: vlan 100
  service-policy: NAT_POLICY
    class: NAT_CLASS
      nat:
        nat dynamic 1 vlan 200
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

ACE_module5/Admin# show running-config interface

interface vlan 100
  ip Address 192.168.12.2
  mtu 1500
  service-policy input NAT_POLICY
  no shutdown
interface vlan 200
  ip address 172.27.16.2 255.255.255.0
  mtu 1500
  access-group input acl1
  nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat
  no shutdown

2. Use the show xlate command to verify that dynamic NAT and PAT, and static NAT and port redirection, are taking place properly.

Dynamic NAT Example

The following example output of the show xlate command shows dynamic NAT (SNAT in this example). When you use Telnet from IP address 172.27.16.5 in VLAN 2020, the ACE translates it to IP address 192.168.100.1 in VLAN 2021.

host1/Admin# show xlate global 192.168.100.1 192.168.100.10

NAT from vlan2020:172.27.16.5 to vlan2021:192.168.100.1 count:1

Dynamic PAT Example

The following example shows dynamic PAT. When you use Telnet from IP address 172.27.16.5 port 38097 in VLAN 2020, the ACE translates it to IP address 192.168.201.1 port 1025 in VLAN 2021.

host1/Admin# show xlate

TCP PAT from vlan2020:172.27.16.5/38097 to vlan2021:192.168.201.1/1025

Static NAT Example

The following example shows static NAT. The ACE maps real IP address 172.27.16.5 to IP address 192.168.210.1.

host1/Admin# show xlate

NAT from vlan2020:172.27.16.5 to vlan2021:192.168.210.1 count:1

host1/Admin# show conn

total current connections : 2

conn-id    dir prot vlan source           destination      state
----------+---+----+----+----------------+----------------+----------+
7          in  TCP  2020 172.27.16.5      192.168.100.1    ESTAB
6          out TCP  2021 192.168.100.1    192.168.210.1    ESTAB

Static Port Redirection (Static PAT) Example

The following example shows static port redirection (DNAT in this example). A host at IP address 192.168.0.10:37766 uses Telnet to connect to IP address 192.168.211.1:3030 on VLAN 2021 on the ACE. The ACE maps IP address 172.27.0.5:23 on VLAN 2020 to IP address 192.168.211.1:3030 on VLAN 2021.

host1/Admin# show xlate

TCP PAT from vlan2020:172.27.0.5/23 to vlan2021:192.168.211.1/3030
Mar 24 2006 20:05:41 : %ACE-7-111009: User 'admin' executed cmd: show xlate

host1/Admin# show conn

total current connections : 2

conn-id    dir prot vlan source           destination        state
----------+---+----+----+------------------+------------------+------+
6          in  TCP  2021 192.168.0.10:37766 192.168.211.1:3030 ESTAB
7          out TCP  2020 172.27.0.5:23      192.168.0.10:1025  ESTAB

3. To display the NAT policy and pool information for the current context, enter the show nat-fabric command. The syntax of this command is as follows:

show nat-fabric {policies | src-nat policy_id mapped_if | dst-nat static_xlate_id | nat-pools | implicit-pat| global-static}

policies -- Displays the NAT policies.

src-nat policy_id mapped_if -- Displays the specified source NAT policy information. To obtain the values for the policy_id and mapped_if arguments, view the policy_id and mapped_if fields displayed by the show nat-fabric policies command.

dst-nat static_xlate_id -- Displays the static address translation for the specified static XLATE ID. To obtain the value for the static_xlate_id argument, view the static_xlate_id field displayed by the show nat-fabric policies command.

nat-pools -- Displays NAT pool information for a dynamic NAT policy.

implicit-pat -- Displays the implicit PAT policies.

global-static -- Displays global static NAT information when the static command in global configuration mode is configured.

ACE_module5/Admin# show nat-fabric policies

Nat objects:

NAT object Hash Bucket: 9
        NAT object ID:2 mapped_if:8 policy_id:1 type:DYNAMIC nat_pool_id:4
                Pool ID:4 PAT:1 pool_id:1 mapped_if:8 Ref_count:1 ixp_binding:in all IXPs
                lower:172.27.16.15 upper:172.27.16.24 Bitmap-ID:40
                List of NAT object IDs: 2