Thread: Re: Serveriron NAT ?




2008-03-24 14:56:50

All hosts use the virtual interface 10.4.20.1 on the SI XL.

 

I solved the problem by making the following changes:

* server router-ports 1 (removed ve 2)
* ip nat pool OutAdds 10.99.1.3 10.99.1.4 netmask 255.255.255.0 (NAT apparently only works with at least 2 ip addresses in the global pool)

So, here is my working-good config (for the benefit of those with similar problems, Active-Standby, ip routing & NAT all work now)

 

Current configuration:
!
ver 07.5.00fT12
global-protocol-vlan
!
!
server backup ethe 13 00e0.5201.0c72 vlan-id 2
server backup-preference 5
server backup-group 1

server port 3389
 tcp
server router-ports 1
!
server real test1 10.4.20.11
 port 3389
!
server virtual test1 10.99.1.11
 port 3389
 bind 3389 test1 3389
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 2 by port
 untagged ethe 13
 no spanning-tree
!
vlan 11 by port
 untagged ethe 1
  router-interface ve 1
!
vlan 12 by port
 untagged ethe 2
  router-interface ve 2
!
ip forward
ip address 10.99.1.5 255.255.255.0
ip nat inside
ip nat inside source list 1 pool OutAdds overload
ip nat pool OutAdds 10.99.1.3 10.99.1.4 netmask 255.255.255.0
ip default-gateway 10.99.1.1
ip dns domain-name xxxxx.com
ip policy 1 cache tcp 0 global
ip policy 2 cache udp 0 global
interface e 13
 no spanning-tree
!
interface ve 1
 ip standby-address 10.99.1.2 255.255.255.0
!
interface ve 2
 ip standby-address 10.4.20.1 255.255.255.0
!
access-list 1 permit 10.4.20.0 0.0.0.255
!
end

From: Oliver Adam [mailto:oadammadao.de]
Sent: Monday, March 24, 2008 11:55 AM
To: Gregori Parker; foundry-nsppuck.nether.net
Subject: Re: [f-nsp] Serveriron NAT ?

 

Looking at the config below I am pretty sure this is not a configuration problem. I guess it is more a problem of the traffic flow. You have mentioned that the private address space is 10.4.20.0/24. Clients out of this subnet want to communicate with the outside world and this is the traffic you would like to NAT - the traffic needs to pass the SI XL to get NAT'ed - so what is the default gateway of the clients out of the 10.4.20.x subnet? Is it possible that the traffic is just bypassing the XL which would imply that it is not going to get NAT'ed?

R, Oliver

At 21:56 20.03.2008, Gregori Parker wrote:

I really need some help here - I am a Cisco/F5 engineer that has been
thrown into a situation with a pair of Foundry Serveriron XLs, and I
have little to no knowledge or resources for configuring them.

I have a test environment that can be simplified to this:

[/24 public]----[SI XL Active / NAT]----[/24 private]


Public address space is 10.99.1.0/24, with the Active LB acting as a
default gateway (10.4.20.1)

Private address space is 10.4.20.0/24, with cisco 3560s doing HSRP to
act as a default gateway (10.99.1.1)

I have a test VIP going, and it works fine - but I can't get outgoing NAT
to work. I want to be able to simply initiate a connection from private
address space, NAT to a single overloaded address on the LB, and
interact with a 'public' address.  Here is my configuration from the
Active LB, I appreciate any guidance.


Current configuration:
!
ver 07.4.00T12
global-protocol-vlan
!
!
server backup ethe 13 00e0.5201.0c72
server backup-preference 5
server backup-group 1
!
server port 3389
 tcp
!
server router-ports 1 2
!
!
server real test01 10.4.20.11
 port 3389
!
server virtual vtest01 10.99.1.11
 port 3389
 bind 3389 test01 3389
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 2 by port
 untagged ethe 13
 no spanning-tree
!
vlan 11 by port
 untagged ethe 1
  router-interface ve 1
!
vlan 12 by port
 untagged ethe 2
  router-interface ve 2
!
hostname TESTLB01
ip forward
ip address 10.99.1.3 255.255.255.0
ip nat inside
ip nat inside source list 1 pool OutAdds overload
ip nat pool OutAdds 10.99.1.2 10.99.1.2 netmask 255.255.255.0
ip default-gateway 10.99.1.1
ip policy 1 cache tcp 0 global
ip policy 2 cache udp 0 global
interface e 13
 no spanning-tree
!
interface ve 1
 ip standby-address 10.99.1.2 255.255.255.0
!
interface ve 2
 ip standby-address 10.4.20.1 255.255.255.0
!
access-list 1 permit 10.4.20.0 0.0.0.255



_______________________________________________
foundry-nsp mailing list
foundry-nsppuck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp

 
