Table Of Contents
Configuring Network Address Translation
Overview of Network Address Translation
Maximum Number of NAT Statements
Configuring an Idle Timeout for NAT
Configuring Dynamic NAT and PAT
Dynamic NAT and PAT Configuration Quick Start
Creating a Global IP Address Pool for NAT
Configuring Dynamic NAT and PAT as a Policy-Map Action
Applying the Dynamic NAT and PAT Policy MAP to an Interface Using a Service Policy
Configuring Static NAT and Static Port Redirection
Static NAT Configuration Quick Start
Configuring an ACL for Static NAT and Port Redirection
Configuring Static NAT and Static Port Redirection as a Policy Action
Applying the Static NAT Policy Map on an Interface Using a Service Policy
Displaying NAT Configurations and Statistics
Displaying NAT and PAT Configurations
Displaying IP Address and Port Translations
Static Port Redirection (Static PAT)
Dynamic NAT and PAT (SNAT) Configurational Examples
Static Port Redirection (DNAT) Configurational Example
Example of SNAT with Cookie Load Balancing
Configuring Network Address Translation
This chapter describes network address translation (NAT) and how to configure it on the Cisco Application Control Engine (ACE) module. It contains the following major sections:
•
Overview of Network Address Translation
•
•
•
•
Overview of Network Address Translation
When a client attempts to access a server in a data center, the client incorporates its IP address in the IP header when it connects to the server. An ACE placed between the client and the server can either preserve the client IP address or translate that IP address to a routable address in the server network, based on a pool of reserved dynamic NAT addresses or a static NAT address mapping, and pass the request on to the server.
This IP address translation process is called network address translation (NAT) or source NAT (SNAT). The ACE keeps track of all SNAT mappings to ensure that response packets from the server are routed back to the client. If your application requires that the client IP address be preserved for statistical or accounting purposes, do not implement SNAT.
Destination NAT (DNAT) translates the IP address and port of an inside host so that it appears with a publicly addressable destination IP address to the rest of the world. Typically, you configure DNAT using static NAT and port redirection. You can use port redirection to configure servers hosting a service on a custom port (for example, servers hosting HTTP on port 8080).
To provide security for a server, you can map the server private IP address to a global routable IP address that a client can use to connect to the server. In this case, the ACE translates the global IP address to the server private IP address when sending data from the client to the server. Conversely, when a server responds to a client, the ACE translates the local server IP address to a global IP address for security reasons. This process is called DNAT.
You can also configure the ACE to translate TCP and UDP port numbers greater than 1024, and ICMP identifiers. This process is known as port address translation (PAT). The ACE provides 64 K minus 1 K ports for each IP address for PAT. Ports 0 through 1024 are reserved and cannot be used for PAT.
Some of the benefits of NAT are:
•
•
•
The ACE provides the following types of NAT and PAT:
•
•
•
•
This section contains the following subsections:
•
Dynamic NAT
Dynamic NAT, typically used for SNAT, translates a group of local source addresses to a pool of global source addresses that are routable on the destination network. The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the ACE assigns the host an IP address from the global pool. Because translation times out after being idle for a user-configurable period of time, a given user does not keep the same IP address. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)). Not only can you not predict the global IP address of the host, but the ACE does not create a translation at all unless the local host is the initiator. See the "Configuring Static NAT and Static Port Redirection" section for reliable access to hosts.
Note
Dynamic NAT has these disadvantages:
•
Use dynamic PAT if this event occurs often, because dynamic PAT provides over 64,000 translations using multiple ports of a single IP address.
•
•
The advantage of dynamic NAT is that some protocols cannot use dynamic PAT. Dynamic PAT does not work with some applications that have a data stream on one port and the control path on another, such as some multimedia applications.
Dynamic PAT
Dynamic PAT, also used for SNAT, translates multiple local source addresses and ports to a single global IP address and port that are routable on the destination network from a pool of IP addresses and ports reserved for this purpose. Specifically, the ACE translates the local address and local port for multiple connections and/or hosts to a single global address and a unique port starting with port numbers greater than 1024.
When a local host connects to the destination network on a given source port, the ACE assigns the global IP address to it and a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the ACE sends the return traffic, which includes the IP address and port number as the destination, to the correct host.
The ACE supports over 64,000 ports for each unique local IP address. Because the translation is specific to the local address and local port, each connection, which generates a new source port, requires a separate translation. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
The translation remains in place only for the duration of the connection, so a given user does not keep the same global IP address and port number. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic PAT (even if the connection is allowed by an ACL). Not only can you not predict the local or global port number of the host, but the ACE does not create a translation at all unless the local host is the initiator. See the "Configuring Static NAT and Static Port Redirection" section for reliable access to hosts.
Dynamic PAT lets you use a single global address, thus conserving routable addresses. Dynamic PAT does not work with some multimedia applications that have a data stream on a port that is different from the control path port.
Static NAT
Static NAT, typically used for DNAT, translates each local address to a fixed global address. With dynamic NAT and PAT, each host uses a different address or port after the translation times out. Because the global address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the global network to initiate traffic to a local host (if there is an ACL that allows it).
The main differences between dynamic NAT and static NAT are:
•
•
Static Port Redirection
Static port redirection, also used for DNAT, performs the same function as static NAT and additionally translates TCP or UDP ports or ICMP identifiers for the local and global addresses. With static port redirection, you can use the same global address in multiple static NAT statements, provided that, along with the address, you use different port numbers.
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but there are different servers for each protocol on the local network, you can specify static port redirection statements for each server that use the same global IP address, but different ports.
Maximum Number of NAT Statements
The ACE supports the following maximum numbers of nat, global, and static commands divided among all contexts:
•
•
•
Global Address Guidelines
When you translate the local address to a global address, you can use the following global addresses:
•
If you use addresses on the same network as the global interface (through which traffic exits the ACE), the ACE uses proxy ARP to answer any requests for translated addresses, and thus intercepts traffic destined for a local address. This solution simplifies routing, because the ACE does not have to be the gateway for any additional networks. However, this approach does put a limit on the number of available addresses used for translations.
You cannot use the IP address of the global interface for NAT or PAT.
•
If you need more addresses than are available on the global interface network, you can identify addresses on a different subnet. The ACE uses proxy ARP to answer any requests for translated addresses, so it intercepts traffic destined for a local address. You need to add a static route on the upstream router that sends traffic destined for the translated addresses on the ACE.
•
•
Configuring an Idle Timeout for NAT
To configure an idle timeout for NAT, use the timeout xlate command in configuration mode. The syntax of this command is:
timeout xlate seconds
For the seconds argument, enter an integer from 60 to 2147483. The default is 10800 seconds (3 hours). The seconds value determines how long the ACE waits to free up the Xlate slot after it becomes idle.
For example, to specify an idle timeout of 120 seconds (2 minutes), enter:
host1/Admin(config)# timeout xlate 120To reset the NAT idle timeout to the default value of 10800, enter:
host1/Admin(config)# no timeout xlate 120Configuring Dynamic NAT and PAT
This section describes how to configure dynamic NAT and PAT on an ACE for source NAT. It contains the following sections:
•
•
•
•
Dynamic NAT and PAT Configuration Quick Start
Table 5-1 provides a quick overview of the steps required to configure dynamic NAT and PAT. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 5-1.
Configuring an ACL
Use a security access control list (ACL) to permit the traffic that requires NAT. For details about configuring an ACL, see Chapter 1, Configuring Security Access Control Lists.
To configure an ACL for dynamic NAT, use the access-list command in global configuration mode. The syntax of this command is:
access-list name [line number] extended {deny | permit}{protocol}{src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
For example, enter:
host1/c1(config)# access-list NAT_ACCESS extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq 80To delete the ACL from the configuration, enter:
host1/c1(config)# no access-list NAT_ACCESSCreating a Global IP Address Pool for NAT
Dynamic NAT uses a pool of global IP addresses that you specify. You can define either a single global IP address for a group of servers with PAT to differentiate between them, or a range of global IP addresses when using dynamic NAT only. To use a single IP address or a range of addresses, you assign an identifier to the address pool. You then associate the NAT pool with a VLAN interface.
Note
To create a pool of IP addresses for dynamic NAT, use the nat-pool command in interface configuration mode. The syntax of this command is:
nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]
The keywords, arguments, and options are:
•
Note
•
•
If you specify PAT, you can configure a maximum of 32 IP addresses in a NAT pool range. You cannot configure an IP address range across subnets. For example, the following command is not allowed and will generate an Invalid IP address! error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0
•
•
If the ACE runs out of IP addresses in a NAT pool, it can switch over to a PAT rule, if configured. For example, you can configure the following:
nat-pool 1 10.1.100.10 10.1.100.99 netmask 255.255.255.255nat-pool 1 10.1.100.100 10.1.100.100 netmask 255.255.255.255 patIf your network configuration has the following conditions:
•
•
•
•
then configure multiple PAT pools with a single IP address in each pool.
So instead of configuring:
host1/Admin(config)# nat-pool 1 3.3.3.3 3.3.3.5 netmask 255.255.255.255 patconfigure:
host1/Admin(config)# nat-pool 1 192.161.12.3 netmask 255.255.255.255 pathost1/Admin(config)# nat-pool 1 192.161.12.4 netmask 255.255.255.255 pathost1/Admin(config)# nat-pool 1 192.161.12.5 netmask 255.255.255.255 patTo configure a NAT pool consisting of a range of 32 (the maximum number of IP addresses per PAT pool) global IP addresses with PAT, enter:
host1/C1(config)# interface vlan 200host1/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.41 netmask 255.255.255.255 pat
Note
To remove a NAT pool from the configuration, enter:
host1/C1(config-if)# no nat-pool 1Configuring a Class Map
To configure a traffic class for dynamic NAT and PAT, use the class-map command in global configuration mode. For more information about class maps, refer to the Cisco Application Control Engine Module Administration Guide.
The syntax of this command is:
class-map match-any name
For the name argument, enter a unique identifier for the class map as an unquoted text string with a maximum of 64 alphanumeric characters.
For example, enter:
host1/C1(config)# class-map match-any NAT_CLASShost1/C1(config-cmap)#To remove a class-map from the configuration, enter:
host1/C1(config)# no class-map match-any NAT_CLASSEnter match criteria for the ACL or the client source address using the match command in class-map configuration mode. For example, enter:
host1/C1(config-cmap)# match access-list NAT_ACCESSorhost1/C1(config-cmap)# match source-address 192.168.12.15 255.255.255.0To remove a match statement from a class map, enter:
host1/C1(config-cmap)# no match access-list NAT_ACCESSConfiguring a Policy Map
To configure a traffic policy for dynamic NAT and PAT, use the policy-map command in global configuration mode. For more information about policy maps, refer to the Cisco Application Control Engine Module Administration Guide.
The syntax of this command is:
policy-map multi-match name
For example, enter:
host1/C1(config)# policy-map multi-match NAT_POLICYhost1/C1(config-pmap)#To remove a policy map from the configuration, enter:
host1/C1(config)# no policy-map multi-match NAT_POLICYAssociate the previously created class map with the policy map. For example, enter:
host1/C1(config-pmap)# class NAT_CLASShost1/C1(config-pmap-c)#To disassociate a class map from a policy map, enter:
host1/C1(config-pmap)# no class NAT_CLASSConfiguring Dynamic NAT and PAT as a Policy-Map Action
To configure dynamic NAT and PAT (SNAT) as an action in a policy map, use the nat dynamic command in policy-map class configuration mode. The ACE applies the dynamic NAT from the interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat command.
The syntax of this command is:
nat dynamic nat_id vlan number
The keywords, arguments, and options are:
•
•
Note
The following example specifies the nat command as an action for a dynamic NAT policy map.
host1/C1(config)# policy-map multi-action NAT_POLICYhost1/C1(config-pmap)# class NAT_CLASShost1/C1(config-pmap-c)# nat dynamic 1 vlan 200To remove a dynamic NAT action from a policy map, enter:
host1/C1(config-pmap-c)# no nat dynamic 1 vlan 200Applying the Dynamic NAT and PAT Policy MAP to an Interface Using a Service Policy
To activate the dynamic NAT and PAT policy map and associate it with an interface, use the service-policy command in interface configuration mode. For details about the service-policy command, refer to the Cisco Application Control Engine Module Administration Guide.
Note
The syntax of this command is:
service-policy input policy_name
For example, to apply a service policy to a specific interface, enter:
host1/C1(config)# interface vlan 100host1/C1(config-if)# mtu 1700host1/C1(config-if)# ip address 192.168.1.100 255.255.255.0host1/C1(config-if)# service-policy input NAT_POLICYTo apply a service policy globally to all interfaces in a context, enter:
host1/C1(config)# service-policy input NAT_POLICYTo remove a service policy from an interface, enter:
host1/C1(config-if)# no service-policy input NAT_POLICYTo remove a service policy globally from all interfaces in a context, enter:
host1/C1(config)# no service-policy input NAT_POLICYWhen you detach a traffic policy either:
•
•
the ACE automatically resets the associated service-policy statistics. The ACE performs this action to provide a new starting point for the service-policy statistics the next time you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
Configuring Static NAT and Static Port Redirection
This section describes how to configure static NAT and static port redirection on an ACE for DNAT. It contains the following subsections:
•
•
•
•
Static NAT Configuration Quick Start
Table 5-2 provides a quick overview of the steps required to configure static port redirection. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 5-2.
Configuring an ACL for Static NAT and Port Redirection
Use an access control list (ACL) to permit the traffic that requires static NAT and port redirection. For details about configuring an ACL, refer to the Cisco Application Control Engine Module Security Configuration Guide.
To configure an ACL for static NAT, use the access-list command in global configuration mode. The syntax of this command is:
access-list name [line number] extended {deny | permit}{protocol}{src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
For example, enter:
host1/c1(config)# access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 anyTo delete the ACL from the configuration, enter:
host1/c1(config)# no access-list nat_accessConfiguring a Class Map
To configure a traffic class for static NAT and port redirection, use the class-map command in global configuration mode. The syntax of this command is:
class-map match-any name
For the name argument, enter a unique identifier for the class map as an unquoted text string with a maximum of 64 alphanumeric characters.
For example, enter:
host1/C1(config)# class-map match-any NAT_CLASShost1/C1(config-cmap)#To remove a class-map from the configuration, enter:
host1/C1(config)# no class-map match-any NAT_CLASSEnter match criteria as required using the match command in class-map configuration mode. For example, enter:
host1/C1(config-cmap)# match access-list NAT_ACCESSor
host1/C1(config-cmap)# match source address 192.168.12.15To remove a match statement from a class map, enter:
host1/C1(config-cmap)# no match access-list NAT_ACCESSConfiguring a Policy Map
To configure a traffic policy for NAT, use the policy-map command in global configuration mode. The syntax of this command is:
policy-map multi-match name
For example, enter:
host1/C1(config)# policy-map multi-match NAT_POLICYhost1/C1(config-pmap)#To remove a policy map from the configuration, enter:
host1/C1(config)# no policy-map multi-match NAT_POLICYAssociate the previously created class map with the policy map. For example, enter:
host1/C1(config-pmap)# class NAT_CLASShost1/C1(config-pmap-c)#To disassociate a class map from a policy map, enter:
host1/C1(config-pmap)# no class NAT_CLASSConfiguring Static NAT and Static Port Redirection as a Policy Action
To configure static NAT and static port redirection in a policy map, use the nat static command in policy-map class configuration mode. Typically, you use static NAT and port redirection for DNAT. Static NAT allows you to identify local traffic for address translation by specifying the source and destination addresses in an extended ACL, which is referenced as part of the class map traffic classification. The ACE applies static NAT from the interface to which the traffic policy is attached (through the service-policy interface configuration command) to the interface specified in the nat static command.
The syntax of this command is:
nat static ip_address netmask mask {port1 | tcp eq port2 | udp eq port3} vlan number
The keywords, arguments, and options are:
•
•
•
•
•
•
Note
The following DNAT static port redirection example specifies the nat static command as an action for a static NAT policy map.
host1/C1(config)# access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 anyhost1/C1(config)# class-map match-any NAT_CLASShost1/C1(config-cmap)# match access-list acl1host1/C1(config-cmap)# exithost1/C1(config)# policy-map multi-action NAT_POLICYhost1/C1(config-pmap)# class NAT_CLASShost1/C1(config-pmap-c)# nat static 192.168.12.0 255.255.255.0 80 vlan 101To remove a NAT action from a policy map, enter:
host1/C1(config-pmap-c) no nat static 192.168.12.15 255.255.255.0 vlan 200Applying the Static NAT Policy Map on an Interface Using a Service Policy
To activate the static NAT and port redirection policy and assign it to an interface, use the service-policy command in interface configuration mode. For details about the service-policy command, refer to the Cisco Application Control Engine Module Administration Guide.
Note
The syntax of this command is:
service-policy input policy_name
For example, enter:
host1/C1(config)# interface vlan 100host1/C1(config-if)# mtu 1700host1/C1(config-if)# ip address 192.168.1.100 255.255.255.0host1/C1(config-if)# service-policy input NAT_POLICYTo remove a service policy from an interface, enter:
host1/C1(config-if)# no service-policy input NAT_POLICY
Note
Displaying NAT Configurations and Statistics
The following sections describe the commands used to display dynamic and static NAT and PAT configurations and statistics:
•
•
•
Displaying NAT and PAT Configurations
To display NAT and PAT configurations, use the show running-config class-map and show running-config policy-map commands in Exec mode.
For example, enter:
host1/C1# show running-config class-maphost1/C1# show running-config policy-mapDisplaying IP Address and Port Translations
To display IP address and port translation (Xlate) information, use the show xlate command in Exec mode. The syntax of this command is:
show xlate [global {ip_address1 [ip_address2 [netmask mask1]]}] [local {ip_address3 [ip_address4 [netmask mask2]]}] [gport port1 [port2]] [lport port1 [port2]]
The keywords, arguments, and options are:
•
•
•
•
•
For example, enter:
host1/Admin# show xlate global 172.27.16.3 172.27.16.10 netmask 255.255.255.0 gport 100 200You can also use the show conn command to display NAT information. See the examples in the following sections.
Dynamic NAT Example
The following example output of the show xlate command illustrates dynamic NAT (SNAT in this example). When a user Telnets from 172.27.16.5 in VLAN 2020, the ACE translates it to 192.168.100.1 in VLAN 2021.
host1/Admin# sh xlate global 192.168.100.1 192.168.100.10NAT from vlan2020:172.27.16.5 to vlan2021:192.168.100.1 count:1Dynamic PAT Example
The following example illustrates dynamic PAT. When a user Telnets from 172.27.16.5 in VLAN 2020, the ACE translates it to 192.168.201.1 in VLAN 2021.
host1/Admin# sh xlateTCP PAT from vlan2020:172.27.16.5/38097 to vlan2021:192.168.201.1/1025Static NAT Example
The following example illustrates static NAT. The ACE maps a real IP address (172.27.16.5) to 192.168.210.1.
host1/Admin# show xlateNAT from vlan2020:172.27.16.5 to vlan2021:192.168.210.1 count:1host1/Admin# show conntotal current connections : 2conn-id dir prot vlan source destination state----------+---+----+----+----------------+----------------+----------+7 in TCP 2020 172.27.16.5 192.168.100.1 ESTAB6 out TCP 2021 192.168.100.1 192.168.210.1 ESTABStatic Port Redirection (Static PAT)
The following example illustrates static port redirection (DNAT in this example). A host at 192.168.0.10:37766 telnets to 192.168.211.1:3030 on VLAN 2021 on the ACE. The ACE maps 172.27.0.5:23 on VLAN 2020 to 192.168.211.1:3030 on VLAN 2021.
host1/Admin# sh xlateTCP PAT from vlan2020:172.27.0.5/23 to vlan2021:192.168.211.1/3030Mar 24 2006 20:05:41 : %ACE-7-111009: User 'admin' executed cmd: sh xlatehost1/Admin# show conntotal current connections : 2conn-id dir prot vlan source destination state----------+---+----+----+------------------+------------------+------+6 in TCP 2021 192.168.0.10:37766 192.168.211.1:3030 ESTAB7 out TCP 2020 172.27.0.5:23 192.168.0.10:1025 ESTABClearing Xlates
To clear global address to local address mapping information based on global address, global port, local address, local port, interface address as global address, and NAT type, use the clear xlate command in Exec mode. When you enter this command, the ACE releases sessions that are using the translations (Xlates). The syntax of this command is:
clear xlate [{global | local} start_ip [end_ip [netmask netmask]]] [{gport | lport} start_port [end_port]] [interface vlan number] [state static] [portmap]
The keyword, arguments, and options are:
•
•
•
•
•
•
•
•
•
•
•
•
Note
For example, to clear all static translations, enter:
host1/Admin# clear xlate state staticNAT Configurational Examples
The following sections show typical scenarios that use dynamic and static NAT solutions:
•
•
Dynamic NAT and PAT (SNAT) Configurational Examples
The following SNAT configurational example provides the commands necessary to configure dynamic NAT and PAT on your ACE. In this SNAT example, packets ingressing the ACE from the 19.168.12.0 network are translated to one of the IP addresses in the NAT pool defined on VLAN 200 by the nat-pool command. The pat keyword in this command line indicates that ports higher than 1024 are also translated.
access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 1 72.27.16.0 255.255.255.0 eq httpclass-map match-any NAT_CLASSmatch access-list NAT_ACCESSpolicy-map multi-match NAT_POLICYclass NAT_CLASSnat dynamic 1 vlan 200interface vlan 100mtu 1500ip address 192.168.1.100 255.255.255.0service-policy input NAT_POLICYno shutdowninterface vlan 200mtu 1500ip address 172.27.16.2 255.255.255.0nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 patno shutdownStatic Port Redirection (DNAT) Configurational Example
The following DNAT configurational example shows those sections of the running configuration related to the commands necessary to configure static port redirection on your ACE. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingressing the ACE on VLAN 101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.
access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 anyclass-map match-any NAT_CLASSmatch access-list acl1policy-map multi-match NAT_POLICYclass NAT_CLASSnat static 192.0.0.0 255.0.0.0 80 vlan 101interface vlan 100mtu 1500ip address 192.168.1.100 255.255.255.0service-policy input NAT_POLICYno shutdowninterface vlan 101mtu 1500ip address 172.27.16.100 255.255.255.0no shutdownExample of SNAT with Cookie Load Balancing
The following configurational example shows those sections of the running configuration related to the commands necessary to configure SNAT (dynamic NAT) with cookie load balancing. Any source host sending traffic to the VIP 20.11.0.100 is translated to one of the free addresses in the NAT pool in the range of30.11.100.1 to 30.11.200.1, inclusive. If you want to use PAT instead of NAT, replace "nat dynamic 1 vlan 2021" with "nat dynamic 2 vlan 2021" in the L7SLBCookie policy map.
server host httpip address 30.11.0.10inserviceserverfarm host httpsfrserver httpinserviceclass-map match-any vip42 match virtual-address 20.11.0.100 tcp eq wwwclass-map type http loadbalance match-any L7SLB_Cookie3 match http cookie JG cookie-value ".*"policy-map type loadbalance first-match L7SLB_Cookieclass L7SLB_Cookieserverfarm httpsfpolicy-map multi-match L7SLBCookieclass vip4loadbalance vip inserviceloadbalance L7SLB_Cookienat dynamic 1 vlan 2021 <<<<<<<<<<interface vlan 2020ip address 20.11.0.2 255.255.0.0alias 20.11.0.1 255.255.0.0peer ip address 20.11.0.3 255.255.0.0service-policy input L7SLBCookie <<<<<<<<<<<<<<<<no shutdowninterface vlan 2021ip address 30.11.0.2 255.255.0.0alias 30.11.0.1 255.255.0.0peer ip address 30.11.0.3 255.255.0.0fragment min-mtu 68nat-pool 2 30.11.201.1 30.11.201.1 netmask 255.255.255.255 patnat-pool 3 30.11.202.1 30.11.202.3 netmask 255.255.255.255nat-pool 1 30.11.100.1 30.11.200.1 netmask 255.255.255.255 <<<<<<<<<no shutdown
