12-05-2012 07:35 AM
I have a typical router-based ServerIron load-balancing setup that balances a virtual server VIP, which is in one (external) network, to a pool of real servers in another (internal) network. Everything is working fine from the external network, but I obviously cannot access the VIP from the internal network, as the response of the real server goes back to the client directly and not via the balancer. I understand I could solve it using SNAT, but the strange thing to me is that SNAT needs to be configured on the real servers. But then even the main traffic from the external network would be SNATted, and I can't have that.
Is there a way to access the virtual server from the network of the real servers without using SNAT in the real server configs?
12-05-2012 12:33 PM
There is an option to do 'source-nat access-list' under the real server. You can permit only your internal traffic to be source-nat'ed and all external traffic to go without source-nat.
By default, if you configure the ServerIron ADX to apply source NAT for a real server, it is applied to all traffic for the real server. You can configure the ServerIron ADX to apply source NAT for a real server to traffic from specified source IP addresses.
To do this, you create an ACL, then specify the ACL in the source NAT configuration of the real server. When a flow is sent to the VIP, if the ACL specifies a permit action for the flow's source IP address, then source NAT is performed on traffic in the flow.
ServerIronADX(config)# access-list 1 permit 192.168.0.0 255.255.0.0
ServerIronADX(config)# access-list 1 deny any
The source-nat access-list <acl-id> command configures source NAT on a real server to be performed on traffic whose source IP address is permitted by ACL 1.
ServerIronADX(config)# server real r1 10.10.10.10
ServerIronADX(config-rs-r1)# source-nat access-list 1
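Putting the pieces of the answer above together for the topology in the question, as an added illustration that is not part of the post: the addresses, real server names and VIP name are constructed placeholders, the `server virtual-name-or-ip` and `bind` lines are assumed ServerIron ADX syntax, and the ACL mask form follows the answer above.

```text
! Constructed example: internal clients share 10.10.10.0/24 with the real
! servers; external clients reach the VIP in the 203.0.113.0/24 network.
! Permit only internal sources, so only hairpin flows are source-NATed.
access-list 1 permit 10.10.10.0 255.255.255.0
access-list 1 deny any

! Real servers in the internal network. Source NAT is applied only to flows
! whose source IP is permitted by ACL 1; external flows return directly as before.
server real r1 10.10.10.10
 port http
 source-nat access-list 1
server real r2 10.10.10.11
 port http
 source-nat access-list 1

! VIP in the external network (assumed syntax)
server virtual-name-or-ip vip1 203.0.113.10
 port http
 bind http r1 http r2 http
```

With this in place an internal client connecting to 203.0.113.10 sees its return traffic come back through the ServerIron, while external clients keep the direct server return the original setup relied on.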
12-05-2012 01:39 PM
Thanks Arunbk, very helpful indeed, works like a charm.
Is there by any chance something similar when running in switch mode? I have another environment with an older unit:
SW: Version 07.5.00T12 Copyright (c) 1996-2002 Foundry Networks, Inc.
Compiled on Mar 17 2005 at 12:08:20 labeled as SLB07500
(1570406 bytes) from Primary SLB07500.bin
HW: ServerIron Switch, serial number 10b0a4
and in this version/mode the source-nat command on the real server doesn't have the option to specify the acl...