How can I use a VS IP as a source NAT in WILDCARD VS

Hi, guys.

I've observed instances in various clients where an SLB VS is configured alongside NHLD. When an internal client accesses the Internet, the SNAT is typically a pool or auto-NAT, based on our configuration. However, there are scenarios where exceptions are necessary, and an internal client must use the SLB VS IP address. For example:

SLB VS:

Name: test

IP: 8.8.8.8

Wildcard VS:

Client A:

Internal IP: 172.16.200.20

SNAT: Auto

Client B:

Internal IP: 172.16.200.30

SNAT: 8.8.8.8

How can I achieve this? I'm trying to do it with an aFleX.

Comments

  • dquinn Member

    If I am understanding the question correctly

    Try associating access-list(s) with nat pool(s) or group(s). Anything that doesn't match access list will use auto

    access-list 123 8 permit ip host 172.16.200.30 any
    ip nat pool xyz 8.8.8.8 8.8.8.8 netmask /24

    port 80 http
      access-list 123 source-nat-pool xyz
      source-nat auto
      service-group sg-1
      sampling-enable all

  • anfovar Member

    Hi dquinn

    The IP 8.8.8.8 is already used as an SLB virtual server. For example, let's say it has an HTTPS vport, and in the wildcard virtual server (0.0.0.0) client B (172.16.200.30) needs to use the IP 8.8.8.8 as SNAT, while client A (172.16.200.20) will use SNAT auto.

  • mdunn Member ✭✭

    The access-list source-nat solution proposed by dquinn should fulfill your requirement. The high-level approach would be:

    1. configure the access-list to match your internal clients that need VS SNAT IP (client B, etc)
    2. configure the source-nat pool with IP address matching your VS IP (8.8.8.8)
    3. configure the access-list source-nat under your Wildcard VIP's port 0 virtual ports.

    Clients that match the ACL will receive the VS SNAT IP. Clients that do not match the ACL will receive the SNAT auto IP.
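The three steps above put together as one ACOS configuration. This is an added example, not configuration posted in the thread or taken from A10 documentation. It keeps the thread's values (ACL 123, pool xyz, SLB VS test at 8.8.8.8, client B 172.16.200.30, client A 172.16.200.20) and assumes the names wildcard-out, sg-https and sg-gateway, an HTTPS vport on the SLB VS, and an outbound next-hop service-group with no-dest-nat on the wildcard ports, none of which the thread specifies.

```text
! ACL that matches only the clients that must egress with the VS IP (client B).
! Client A (172.16.200.20) does not match and falls back to source-nat auto.
access-list 123 8 permit ip host 172.16.200.30 any
!
! NAT pool whose only address is the SLB VS IP. The same address is also
! the inbound VS below; the thread confirms ACOS accepts this.
ip nat pool xyz 8.8.8.8 8.8.8.8 netmask /24
!
! Existing inbound SLB virtual server on 8.8.8.8.
! The HTTPS vport and the service-group name sg-https are assumptions.
slb virtual-server test 8.8.8.8
  port 443 https
    service-group sg-https
!
! Wildcard virtual server for outbound internal traffic.
! Name, gateway service-group and no-dest-nat are assumptions for an
! outbound design; the access-list source-nat-pool line must sit under
! each port 0 vport that carries the clients' traffic.
slb virtual-server wildcard-out 0.0.0.0 /0
  port 0 tcp
    no-dest-nat
    access-list 123 source-nat-pool xyz
    source-nat auto
    service-group sg-gateway
  port 0 udp
    no-dest-nat
    access-list 123 source-nat-pool xyz
    source-nat auto
    service-group sg-gateway
```

After applying it, open a connection from each client and compare the session table (show session) entries: client B's sessions should show 8.8.8.8 as the translated source, client A's an address from the auto pool. The ACL is the only thing that decides which internal hosts may egress behind the VS address, so keep it to explicit host entries rather than broad subnets.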

  • anfovar Member

    Thanks Guys

    I did not know that we could use the VIP as a NAT pool, so I finally made it.
