Network Address Translation for SLB

This chapter describes Network Address Translation (NAT) and how to configure it. NAT translates the source or destination IP address of a packet before forwarding the packet.

ACOS uses NAT to perform SLB.

NOTE: This chapter does not include information about Carrier Grade NAT (CGN) or other NAT features for IPv6 migration.

Overview

ACOS devices can perform source and destination NAT on client-VIP SLB traffic.

SLB Destination NAT

ACOS devices automatically perform destination NAT for client-VIP SLB traffic. Figure 37 shows an example.

NOTE: Destination NAT is disabled for virtual ports on which Direct Server Return (DSR) is enabled.

FIGURE 37 SLB NAT

By default, SLB NAT works as follows.

• Before forwarding a client packet to a real server, the ACOS device translates the destination IP address from the virtual server IP address (VIP) to the IP address of the real server.

• ACOS reverses the translation before sending the server reply to the client. The source IP address is translated from the real server’s IP address to the VIP address.

The default SLB NAT behavior does not translate the client’s IP address.

SLB Source NAT

SLB source NAT is disabled by default. It is applicable in the following cases:

• Connection reuse. (See Connection Reuse.)

• The VIP and real servers are in different subnets. When real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server passes back through the ACOS device. (See Source NAT for Servers in Other Subnets.)

Connection Reuse

Connection reuse enables the ACOS device to reuse TCP connections to real servers for multiple client sessions. When this feature is enabled, the ACOS device does not tear down its TCP connection with the real server each time a client ends its session. Instead, it leaves the connection established and reuses it for the next client that is assigned to that real server.

Connection reuse requires SLB source NAT. Because the TCP connection with the real server must remain established after a client’s session ends, the client’s IP address cannot be used as the source address for that connection. Instead, the source address must be an IP address from a NAT pool or pool group configured on the ACOS device.

To configure connection reuse:

1. Configure a NAT pool or set of pools to specify the IP addresses to use as source addresses for the reusable connections with the real servers.

• To use a single, contiguous range of addresses, only one pool is needed.

• To use a non-contiguous range of addresses, configure a separate pool for each contiguous portion of the range, then configure a pool group that contains the pools.

The addresses within an individual pool must still be contiguous, but there can be gaps between the ending address of one pool and the starting address of another. The pools can also be in different subnets.

2. Configure a connection reuse template.

3. If you plan to use policy-based source NAT (selecting among multiple pools based on the client source IP address), configure an ACL for each client address range that will use its own pool.

4. Enable source NAT on the virtual service port and specify the pool or pool group to use for the source addresses. If you are configuring policy-based source NAT, bind each ACL to its pool.

5. Add the connection reuse template to the service port.

NOTE: These steps apply specifically to configuration of connection reuse. A complete SLB configuration also requires the standard SLB configuration steps, including configuration of the real servers and service group, and so on.

Using the GUI

1. To configure a pool of addresses:

a. Select ADC > IP Source NAT.

b. Click Create. The Create IPv4 Pool window appears.

c. Enter a name for the pool.

d. Enter the start and end addresses.

e. Enter the netmask.

f. If the ACOS device is deployed in transparent mode, enter the default gateway to use for NATted traffic.

g. To use session synchronization for NAT translations, enter the VRRP-A VRID number.

h. Click Create.

2. To configure a connection reuse template:

a. Select ADC > Templates.

b. Select Application from the menu bar.

c. Click Create, and from the drop-down menu that appears, select Connection Re-Use.

The Create Connection Re-Use Template window appears.

d. Enter a name for the template.

e. Edit the other parameters or leave them at their default settings.

f. Click Create. The template appears in the connection reuse template table.

3. To enable source NAT on the virtual port:

a. Select ADC > SLB.

b. Select the Virtual Servers tab from the menu bar.

c. Select the virtual server name to edit an existing virtual server, or click Create to add a new virtual server.

d. If you are adding a new virtual server, enter the general server settings.

e. In the Virtual Port section, click Create.

The Create Virtual Port window appears.

f. Enter or select the port settings, if the port is new.

g. Do one of the following:

• To use a single pool or pool group for all source addresses, select the Source NAT checkbox, then click the pool drop-down list and select the desired pool.

• To use separate pools based on source addresses, use the ACL binding fields to bind each ACL to its pool.

For each binding, select the ACL ID/Name from the Access List drop-down list, select the pool from the Source NAT Pool drop-down list, select the desired sequence number from the ACL Sequence Number drop-down list, and then click Add.

4. Under the Templates section (near the bottom of the Virtual Port window), select the “Click here to bind!” link.

5. In the window that appears, click the Template Type drop-down menu and select Connection reuse.

6. From the Templates drop-down, select the name of the specific conn-reuse template to be bound to the virtual port.

7. Click Bind.

8. Click Create Virtual Port.

Using the CLI

Use the access-list command to configure standard ACLs that match on different client addresses:

ACOS(config)#access-list 30 permit ip 192.168.1.1 /24

ACOS(config)#access-list 50 permit ip 192.168.20.69 /24

Use the ip nat pool command to configure source NAT pools:

ACOS(config)#ip nat pool pool1 10.10.10.200 10.10.10.100 netmask /16

ACOS(config)#ip nat pool pool2 10.10.10.200 10.10.10.200 netmask /16

The following commands configure a real server “s1” and a service group “group80” with server “s1” as a member:

ACOS(config)#slb server s1 192.168.19.48

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

ACOS(config)#slb service-group group80 tcp

ACOS(config-slb svc group)#method weighted-rr

ACOS(config-slb svc group)#member s1 80

ACOS(config-slb svc group-member:80)#exit

The following commands configure policy-based source NAT by binding ACLs to NAT pools on the virtual port:

ACOS(config)#slb virtual-server vs1 10.10.10.100

ACOS(config-slb vserver)#port 80 tcp

ACOS(config-slb vserver-vport)#access-list 30 source-nat-pool pool1

ACOS(config-slb vserver-vport)#access-list 50 source-nat-pool pool2

Source NAT for Servers in Other Subnets

ACOS allows source NAT to be enabled on a virtual port. In cases where real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server will pass back through the ACOS device.

You can enable source NAT on a virtual port in either of the following ways:

• Use the source-nat option to bind a single IP address pool or pool group to the virtual port. This option is applicable if all the real servers are in the same subnet.

• Use sets of ACL-pool pairs, one for each real server subnet. You must use this method if the real servers are in multiple subnets. This section describes how to use this method.

For the real server to be able to send replies back through the ACOS device, use an extended ACL. The source IP address must match on the client address. The destination IP address must match on the real server address. The action must be permit.

The ACL should not match on the virtual IP address (unless the virtual IP address is in the same subnet as the real servers, in which case source NAT is probably not required). FIGURE 38 shows an example.

FIGURE 38 Multiple NAT Pools Bound to a Virtual Port

In this example, a service group has real servers located in two different subnets. The VIP is in neither subnet. To ensure that reply traffic from a server passes back through the ACOS device, the ACOS device uses IP source NAT.

To implement IP source NAT, two ACL-pool pairs are bound to the virtual port. Each pair consists of the following:

• An extended ACL whose source IP address matches the client addresses and whose destination IP address matches the real server’s subnet.

• An IP address pool or pool group containing translation addresses in the real server’s subnet.

For example, if SLB selects a real server in the 10.10.10.x subnet, then the source IP address is translated from the client’s address to an address in pool 1. When the server replies, it replies to the address from pool 1.

NOTE: In most cases, destination NAT does not need to be configured for SLB. ACOS automatically translates the VIP address into a real server address before forwarding a request to the server.

CLI Example

The following commands implement the source NAT configuration shown in FIGURE 38.

First, the ACLs are configured. In each ACL, “any” is used to match on all clients. The destination address is the subnet where the real servers are located.

ACOS(config)#access-list 100 permit any 10.10.10.0 /24

ACOS(config)#access-list 110 permit any 10.10.20.0 /24

The following commands configure the IP address pools. Each pool contains addresses in one of the real server subnets.

ACOS(config)#ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24

ACOS(config)#ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24

The following commands bind the ACLs and IP address pools to a virtual port on the VIP:

ACOS(config)#slb virtual-server vip1 192.168.1.100

ACOS(config-slb vserver)#port 80 tcp

ACOS(config-slb vserver-vport)#access-list 100 source-nat-pool pool1

ACOS(config-slb vserver-vport)#access-list 110 source-nat-pool pool2
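
The bindings above can be sanity-checked offline. The following Python script is an added example (not ACOS software): it parses the access-list and ip nat pool lines exactly as typed in this CLI example, verifies that every pool address lies inside its ACL’s destination subnet (otherwise the server’s reply would not be addressed back through the ACOS device) and that no ACL matches the VIP itself, and reports which pool a given client-to-server flow would be translated with. Parsing assumes well-formed lines in the two-token "address /len" form used on this page.

```python
import ipaddress
from dataclasses import dataclass
# Example checker for the ACL/pool bindings above (added here; not ACOS code).
# It parses the page's "access-list" and "ip nat pool" lines, verifies that each
# pool sits inside its ACL's destination subnet, and picks the pool for a flow.

@dataclass(frozen=True)
class Acl:
    number: int
    source: ipaddress.IPv4Network       # "any" is parsed as 0.0.0.0/0
    destination: ipaddress.IPv4Network

@dataclass(frozen=True)
class NatPool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

def _take_net(tokens):
    # Consume "any" or "address /len" from the front of the token list.
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return ipaddress.IPv4Network(tokens[0] + tokens[1], strict=False), tokens[2:]

def parse_acl(line):
    # access-list <num> permit <src> <dst>   (extended ACL, as typed on this page;
    # well-formed input is assumed)
    t = line.split()
    src, rest = _take_net(t[3:])
    return Acl(int(t[1]), src, _take_net(rest)[0])

def parse_nat_pool(line):
    # ip nat pool <name> <start> <end> netmask /<len>   (well-formed input assumed)
    t = line.split()
    return NatPool(t[3], ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))

# The FIGURE 38 configuration, exactly as typed in the CLI example above.
ACLS = {a.number: a for a in map(parse_acl, [
    "access-list 100 permit any 10.10.10.0 /24",
    "access-list 110 permit any 10.10.20.0 /24"])}
POOLS = {p.name: p for p in map(parse_nat_pool, [
    "ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24",
    "ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24"])}
BINDINGS = [(100, "pool1"), (110, "pool2")]   # access-list N source-nat-pool P
VIP = "192.168.1.100"

def check_bindings(bindings, acls, pools, vip):
    """Return problems; empty means each pool lies in its ACL's destination subnet
    (so replies return via the ACOS device) and no ACL destination covers the VIP."""
    problems, vip_addr = [], ipaddress.IPv4Address(vip)
    for acl_num, pool_name in bindings:
        acl, pool = acls[acl_num], pools[pool_name]
        if vip_addr in acl.destination:
            problems.append(f"ACL {acl_num}: destination {acl.destination} matches the VIP")
        if int(pool.start) > int(pool.end):
            problems.append(f"{pool_name}: start address is after end address")
            continue
        for i in range(int(pool.start), int(pool.end) + 1):
            addr = ipaddress.IPv4Address(i)
            if addr not in acl.destination:
                problems.append(f"{pool_name}: {addr} outside {acl.destination} (ACL {acl_num})")
    return problems

def select_pool(client, server, bindings, acls):
    """Pool of the first ACL (in binding order) permitting client->server, else None
    (no ACL matched, so these bindings leave the flow untranslated)."""
    c, s = ipaddress.IPv4Address(client), ipaddress.IPv4Address(server)
    for acl_num, pool_name in bindings:
        acl = acls[acl_num]
        if c in acl.source and s in acl.destination:
            return pool_name
    return None
```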

Direct Server Return

You can disable destination NAT on a virtual port to enable Direct Server Return (DSR). With DSR, a real server responds to clients directly instead of through the ACOS device. Because the ACOS device is not required to return the server’s response traffic to clients, there is no need to un-NAT that traffic.

DSR is especially useful for applications with intensive payload transfers, such as FTP and streaming media.

When DSR is enabled, only the destination MAC address is translated from the VIP’s MAC address to the real server’s MAC address. The destination IP address is still the VIP.

To use DSR, the ACOS device and the real servers must be in the same Layer 2 subnet. The VIP address must be configured as a loopback address on the real servers.

To enable DSR on a virtual port, use the following method(s).

NOTE: The current release does not support external health monitoring for DSR deployments. To configure health checking for DSR, see Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments.

NOTE: For examples of DSR configurations, see Direct Server Return (DSR) SLB Deployment.

Using the GUI

1. Select ADC > SLB.

2. Make sure the Virtual Servers tab is selected on the menu bar.

3. Select the virtual server name of an existing virtual server, or click Create to add a new virtual server.

4. If you are adding a new virtual server, enter the basic settings, such as name and address.

5. In the Virtual Port section of the window, click Create.

The Create Virtual Port window appears.

6. Enter a name for the virtual port, select the desired protocol (UDP or TCP), and enter the port number.

7. Click on General Fields to display them.

8. Select Enabled next to No Dest NAT.

9. Click Create.

10. Click Update to complete the virtual server configuration.

Using the CLI

Enter the following CLI command at the configuration level for the virtual port:

no-dest-nat

IP NAT Support for VIPs

ACOS supports IP NAT for VIPs. This feature allows clients in a private network to connect to outside VIP servers, without revealing the IP addresses of the clients to the servers. Dynamic NAT and static NAT are both supported.

NOTE: The current release does not support this feature for FTP or RTSP traffic.

Priority for Source IP NAT Configurations on Individual Virtual Ports

Source IP NAT can be configured on a virtual port in the following ways:

1. ACL-based source NAT (access-list command at virtual port level)

2. VIP source NAT (slb snat-on-vip command at global configuration level)

3. aFleX policy (aflex command at virtual port level)

4. Non-ACL source NAT (source-nat command at virtual port level)

These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the slb snat-on-vip command is also used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP source NAT can be used instead.

Configuration

To configure IP NAT for VIPs:

1. Configure a pool, range list, or static inside source NAT mapping that includes the real IP address(es) of the inside clients.

2. Enable inside NAT on the interface connected to the inside clients.

3. Enable outside NAT on the interface connected to the external VIP servers.

You can enable this feature globally or on individual virtual ports:

To globally configure IP NAT support for VIPs, use the following commands:

slb common

snat-on-vip

Enter the slb common command from the global configuration level, to access the configuration level for system-wide SLB parameters. Then enter the snat-on-vip command.

To configure IP NAT support for an individual virtual port, use the command at the configuration level for the virtual port instead of at the global level.

Using IP Pool Default Gateways To Forward Traffic from Real Servers

ACOS provides an option to use the default gateway of an IP source NAT pool to forward traffic from a real server.

When this option is enabled, the ACOS device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the server’s IP address, and a default gateway is defined for the pool, the ACOS device forwards the server traffic through the pool’s default gateway.

This feature is disabled by default. To enable it, use the following commands:

ACOS(config)#slb common

ACOS(config-common)#snat-gwy-for-l3

Smart NAT for Virtual Ports

Smart NAT provides source NAT for virtual ports. The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A high availability is enabled and floating-IP addresses are configured:

• With VRRP-A high availability – If VRRP-A high availability is configured, Smart NAT uses configured floating IP addresses as NAT addresses.

• Without VRRP-A high availability – If VRRP-A high availability is not configured, then Smart NAT uses IP address(es) on the ACOS interface connected to the real server.

In VRRP-A high availability deployments, if session synchronization is enabled, sessions created by Smart NAT are synchronized to the backup device.

Notes

• If you use VRRP-A high availability, it is recommended to bind a given service group to only a single virtual port. If you do bind a service group to multiple virtual ports, it is highly recommended to assign all the virtual servers to the same VRRP-A VRID.

• When a service group is bound to a virtual port, Smart NAT resources are created for all the servers belonging to that service group. If the selected server does not have Smart NAT resources, they are created dynamically. In this case, some initial connections may be dropped.

• Smart NAT applies only to ACOS devices deployed in route mode (also called “gateway” mode). The feature is not applicable to devices deployed in transparent mode.

• Smart NAT uses protocol ports 20032-65535.

• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.

• You can configure a virtual port to use both Smart NAT and a configured NAT pool. By default, the configured pool addresses are used first; Smart NAT is used only when there are no more available mappings in the configured pool.

Optionally, you can configure Smart NAT to take precedence over the configured NAT pool. In this case, the configured pool is used only when there are no more available mappings using Smart NAT.

• If you do not use VRRP-A, real server IP addresses are used for the Smart NAT mappings. Up to 45 K mappings per real server port are supported. ACOS can use the same ACOS interface IP address and port for more than one server connection. The combination of ACOS IP address and port number (source) and server IP address and port (destination) uniquely identifies each mapping. Smart NAT uses only the primary IP address on an interface, even if multiple addresses are configured on the interface.

Configure Smart NAT Using the GUI

Assuming you have an existing virtual server named vs1:

1. Navigate to the ADC >> SLB >> Virtual Servers >> vs1 >> Virtual Port >> Create page.

2. Expand the General Fields section.

3. Select the checkbox in the Source NAT Auto field.

4. If you want Smart NAT to be used before a pool is used, also select the Precedence checkbox.

5. Click Create to save your changes.

Configure Smart NAT Using the CLI

The commands in this example configure two virtual ports. Smart NAT is enabled on each virtual port.

To begin, the following commands configure the data interfaces:

ACOS(config)#vlan 10

ACOS(config-vlan:10)#tagged ethernet 1

ACOS(config-vlan:10)#router-interface ve 10

ACOS(config-vlan:10)#vlan 20

ACOS(config-vlan:20)#tagged ethernet 2

ACOS(config-vlan:20)#router-interface ve 20

ACOS(config-vlan:20)#interface ethernet 3

ACOS(config-if:ethernet:3)#ip address 20.20.20.1 255.255.255.0

ACOS(config-if:ethernet:3)#interface ve 10

ACOS(config-if:ve10)#ip address 110.110.110.1 255.255.255.0

ACOS(config-if:ve10)#interface ve 20

ACOS(config-if:ve20)#ip address 160.160.160.1 255.255.255.0

The following commands configure a source NAT pool, then return to the global configuration level:

ACOS(config-if:ve20)#ip nat pool snat-pool1 160.160.160.200 160.160.160.200 netmask /24

ACOS(config-if:ve20)#exit

The following commands configure a real server “s1” with two TCP ports (80 and 21), and a service group for each port:

ACOS(config)#slb server s1 160.160.160.160

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#port 21 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

ACOS(config)#slb service-group sg1-http tcp

ACOS(config-slb svc group)#member s1 80

ACOS(config-slb svc group-member:80)#exit

ACOS(config-slb svc group)#exit

ACOS(config)#slb service-group sg2-ftp tcp

ACOS(config-slb svc group)#member s1 21

The following commands configure the VIP. Smart NAT is enabled on each virtual port.

ACOS(config)#slb virtual-server vip1 160.160.160.150

ACOS(config-slb vserver)#port 21 ftp

ACOS(config-slb vserver-vport)#source-nat auto precedence

ACOS(config-slb vserver-vport)#source-nat pool snat-pool1

ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver)#port 80 tcp

ACOS(config-slb vserver-vport)#source-nat auto

ACOS(config-slb vserver-vport)#source-nat pool snat-pool1

On the FTP virtual port, the precedence option is used with Smart NAT. This means Smart NAT is used first, and the NAT pool is used only if all Smart NAT mappings are in use.

On the TCP virtual port, the precedence option is omitted. In this case, the source NAT pool is used first. Smart NAT is used only if no more mappings are available using the pool.
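
The pool-versus-Smart-NAT ordering described for the two virtual ports, modelled in Python as an added example (not ACOS software): Smart NAT draws on the interface IP 160.160.160.1 with ports 20032-65535, each mapping is unique per (ACOS IP, ACOS port, server IP, server port), and the precedence flag decides which source is tried first. The pool’s two-port range is a constructed assumption so that the fallback can be exercised; the page does not state pool port ranges.

```python
from dataclasses import dataclass, field

# Added model (not ACOS software) of how a virtual port configured with both
# "source-nat auto" and "source-nat pool" hands out source mappings. The Smart
# NAT port range and the 4-tuple uniqueness rule come from this page; the pool's
# port range is an assumption so that pool exhaustion can be exercised offline.

SMART_NAT_PORTS = range(20032, 65536)   # 45504 ports: the page's "up to 45 K"

@dataclass
class MappingSource:
    """Supplier of (nat_ip, nat_port) pairs: Smart NAT (the interface IP) or a
    configured pool. A mapping is keyed by the whole 4-tuple
    (nat_ip, nat_port, server_ip, server_port), so the same nat_ip:nat_port
    may be reused toward a different server socket."""
    name: str
    nat_ips: tuple
    ports: range
    in_use: set = field(default_factory=set)
    free: dict = field(default_factory=dict)    # server socket -> unused pairs

    def allocate(self, server):
        """Reserve a mapping toward server=(ip, port); None when exhausted."""
        unused = self.free.setdefault(
            server, [(ip, p) for ip in self.nat_ips for p in self.ports])
        if not unused:
            return None
        nat_ip, nat_port = unused.pop()
        self.in_use.add((nat_ip, nat_port) + server)
        return nat_ip, nat_port

    def release(self, nat_ip, nat_port, server):
        self.in_use.discard((nat_ip, nat_port) + server)
        self.free[server].append((nat_ip, nat_port))

@dataclass
class VirtualPort:
    smart_nat: MappingSource
    pool: MappingSource
    precedence: bool = False   # "source-nat auto precedence": Smart NAT first

    def translate(self, server):
        """(source name, nat_ip, nat_port) for a new connection to server, or
        None if both the preferred source and the fallback are exhausted."""
        order = [self.smart_nat, self.pool] if self.precedence else [self.pool, self.smart_nat]
        for src in order:
            mapping = src.allocate(server)
            if mapping is not None:
                return (src.name,) + mapping
        return None

def build_example_port(precedence):
    """The page's standalone deployment: interface IP 160.160.160.1 for Smart NAT
    and pool snat-pool1 = 160.160.160.200, here with a constructed 2-port range."""
    smart = MappingSource("smart-nat", ("160.160.160.1",), SMART_NAT_PORTS)
    pool = MappingSource("snat-pool1", ("160.160.160.200",), range(1024, 1026))
    return VirtualPort(smart, pool, precedence)

if __name__ == "__main__":
    http = build_example_port(precedence=False)    # port 80 tcp: pool first
    for _ in range(3):
        print(http.translate(("160.160.160.160", 80)))
```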

The following command shows Smart NAT statistics:

ACOS(config-slb vserver-vport)#show slb server auto-nat-stats

Service      VRID  Nat Address     Port Usage  Total Used  Total Freed  Failed
-----------------------------------------------------------------------------
s1:80/tcp    0     160.160.160.1   5           1513        1508         0
s1:21/tcp    0     160.160.160.1   0           0           0            0

In this example, both virtual ports are using Smart NAT. The Nat Address, Port Usage, Total Used, Total Freed, and Failed columns show the same information shown in show ip nat pool statistics output. (See the Command Line Interface Reference.)

The Service column lists the server, protocol port, and Layer 4 protocol. The VRID column lists the VRRP-A VRID, if applicable. In this example, the ACOS device is deployed as a standalone device, so “0” is shown in this column.

Virtual-port TCP Maximum Segment Life for NATted Sessions

You can customize the Maximum Segment Life (MSL) for source-NAT connections on virtual ports.

The MSL is the maximum number of seconds a TCP segment (packet) is allowed to remain in the network. When one of the endpoints in a TCP connection sends a FIN to close the connection, that endpoint then enters the TIME-WAIT state.

During the TIME-WAIT state, the endpoint is not allowed to accept any new TCP connections. This behavior is meant to ensure that the TCP endpoint does not receive a segment belonging to a previous connection after the endpoint enters a new connection.

The TIME-WAIT state lasts up to twice the MSL. On some older TCP/IP stacks, this can result in a wait of up to 240 seconds (4 minutes) after a FIN before the endpoint can enter a new connection.

To help reduce the time between connections for these endpoints, you can set the MSL for individual virtual ports to 1-1800 seconds.

Using the GUI

On the configuration page for the virtual port template, enter the desired value in the SNAT MSL field. Apply the template to the virtual port.

Using the CLI

Use the snat-msl command to configure a custom MSL value for a virtual port. The following example configures a source-NAT MSL of 18 seconds:

ACOS(config)#ip nat pool natintf 192.168.20.48 192.168.20.48 netmask /24

ACOS(config)#slb template virtual-port ronvport

ACOS(config-vport)#snat-msl 18

ACOS(config-vport)#exit

ACOS(config)#slb virtual-server ronvip2 192.168.20.103

ACOS(config-slb vserver)#port 81 tcp

ACOS(config-slb vserver-vport)#service-group web

ACOS(config-slb vserver-vport)#source-nat pool natintf

ACOS(config-slb vserver-vport)#template virtual-port ronvport