2 webapp/planning servers behind an f5

We are on system 11 (11.1.1.2) and have planning and EAS on 2 webapp servers, behind an F5 for load balancing (really, round robin, I believe). Shared services and stuff is on a single "foundation" server, then we have separate Essbase and SQL servers.
Do any of you have a similar setup, and if so, how do you handle load balancing and the planning cluster? Is the F5 just sending traffic over port 80 and you do redirects via Apache http, or what?

Hi,
We have a similar setup - our Planning 11.1.1.3, EAS, HSS and Finan Rpt are sitting on one Windows server on our vendor's computers. Our vendor uses F5 to secure our webpages with SSL encryption, so that our users on our corporate domain are secure from hackers/sniffers.
Do you have good experience with your F5?
Can you share what you learned about how F5 works, what ports it uses etc?
Edited by: Essbase Fan on Feb 11, 2010 9:47 AM

Similar Messages

  • PAT with a single public IP and several servers behind firewall

    Hi,
    New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
    Single static public IP:  16.2.3.4
    Need to PAT several ports to three separate servers behind firewall
    One server houses email, pptp server, ftp server and web services: 10.1.20.91
    One server houses drac management (port 445): 10.1.20.92
    One server is the IP phone server using a range of ports: 10.1.20.156
    Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
    Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
    ASA Version 8.4(4)1
    hostname kaa-pix
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 16.2.3.4 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network server_smtp
    host 10.1.20.91
    object service Port_25
    service tcp source eq smtp
    object service Port_3389
    service tcp source eq 3389
    object service Port_1723
    service tcp source eq pptp
    object service Port_21
    service tcp source eq ftp
    object service Port_443
    service tcp source eq https
    object service Port_444
    service tcp source eq 444
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit icmp any any echo-reply
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any interface outside eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq smtp
    access-list acl-out extended permit tcp any object server_smtp eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq 3389
    access-list acl-out extended permit tcp any object server_smtp eq ftp
    access-list acl-out extended permit tcp any object server_smtp eq https
    access-list acl-out extended permit tcp any object server_smtp eq 444
    access-list acl-out extended permit tcp any object drac eq 445
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server_smtp interface service Port_25 Port_25
    nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
    nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
    nat (inside,outside) source static server_smtp interface service Port_21 Port_21
    nat (inside,outside) source static server_smtp interface service Port_443 Port_443
    nat (inside,outside) source static server_smtp interface service Port_444 Port_444
    nat (inside,outside) source static drac interface service Port_445 Port_445
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous

    Thanks Lcambron... I got PPTP to work.  Everything else works fine.  I can access email, access my web server, FTP server, and PPTP server.  However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445.  So I have the following lines:
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit tcp any object drac eq 445
    nat (inside,outside) source static drac interface service Port_445 Port_445
    Am I missing something here?  Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening.  However, externally, I cannot telnet to my external IP address of the ASA through port 445.
    Thanks
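
A defender's cross-check of the configuration posted above, as an added example that is not part of the original thread: it pairs each static PAT rule with its `access-list` permit, flags sensitive ports published to `any`, and reports an ACL that no `access-group` line applies in the text it is given. The function names, the finding codes and the `SENSITIVE` port list are assumptions of this example.

```python
import re

# Trimmed copy of the configuration posted above: only the line types this audit reads.
SAMPLE_CONFIG = """\
object network server_smtp
 host 10.1.20.91
object service Port_25
 service tcp source eq smtp
object service Port_3389
 service tcp source eq 3389
object service Port_21
 service tcp source eq ftp
object network drac
 host 10.1.20.92
object service Port_445
 service tcp source eq 445
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static drac interface service Port_445 Port_445
ssh key-exchange group dh-group1-sha1
"""

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "https": 443, "pptp": 1723}
# Ports this example treats as sensitive when permitted from "any" (an assumption).
SENSITIVE = {21: "FTP", 445: "TCP/445", 1723: "PPTP", 3389: "RDP"}


def port_number(token):
    """Translate an ASA port keyword or a literal number into an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config):
    """Collect host objects, service objects, ACL permits, static PAT rules, applied ACLs."""
    hosts, services, permits, nats, bound = {}, {}, set(), [], set()
    kind = name = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"object (network|service) (\S+)", line):
            kind, name = m[1], m[2]
        elif (m := re.fullmatch(r"host (\S+)", line)) and kind == "network":
            hosts[name] = m[1]
        elif (m := re.fullmatch(r"service tcp source eq (\S+)", line)) and kind == "service":
            services[name] = port_number(m[1])
        elif m := re.fullmatch(r"access-list (\S+) extended permit tcp any object (\S+) eq (\S+)", line):
            permits.add((m[1], m[2], port_number(m[3])))
        elif m := re.fullmatch(r"nat \(inside,outside\) source static (\S+) interface service (\S+) \S+", line):
            nats.append((m[1], m[2]))
        elif m := re.fullmatch(r"access-group (\S+) in interface \S+", line):
            bound.add(m[1])
    return hosts, services, permits, nats, bound


def audit(config):
    """Return (code, detail) findings for the static PAT rules in `config`."""
    hosts, services, permits, nats, bound = parse(config)
    findings = []
    for obj, svc in nats:
        if obj not in hosts or svc not in services:
            findings.append(("UNDEFINED_OBJECT", f"{obj} {svc}"))
            continue
        ip, port = hosts[obj], services[svc]
        if not any(o == obj and p == port for _, o, p in permits):
            findings.append(("NAT_WITHOUT_PERMIT", f"{ip}:{port}"))
        elif port in SENSITIVE:
            findings.append(("SENSITIVE_EXPOSED", f"{ip}:{port} {SENSITIVE[port]}"))
    for acl in sorted({a for a, _, _ in permits} - bound):
        findings.append(("ACL_NOT_APPLIED", acl))
    if re.search(r"^\s*ssh key-exchange group dh-group1-sha1\s*$", config, re.M):
        findings.append(("LEGACY_SSH_KEX", "dh-group1-sha1"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```

`ACL_NOT_APPLIED` describes only the text handed to the audit: the pasted configuration shows no `access-group` line, which may simply mean the paste was abridged.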

  • AAS showing incorrect server in list of Planning servers

    Hi. We are using 9.2.1 with WebLogic 8.1
    When I open a business rule in AAS, and go to locations tab to select a location, the list of Planning servers shows a server that is not a planning server and thus if you click on it, it generates an error. I checked the server that is displayed and it does not have planning installed on it - only the planning adm drivers for reporting or the planning desktop. I checked the hbrserver.properties files on the servers and they don't even reference the erroneous server.
    This erroneous server does seem to disappear after a full services restart or restart of SQL, but it comes back over time. Haven't been able to determine exactly how long.
    Anyone have any idea where AAS is getting the reference to this erroneous server?
    Thanks
    Wags

    Hi,
    Bit of a strange one. Usually what happens when you log into a Planning app is that it populates the AAS database table HBRPluginData. Then, when in the business rule designer in AAS you choose the outline for Planning, it should query the table (I think it really queries the cached table values). You can prove this by stopping AAS, entering dummy server details into the table and starting AAS again; when you go into business rules and expand the Planning outline you should see your dummy server.
    I am not sure how a server which is not a planning server is being picked up though.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • NAT and Servers behind CSS 11501

    All,
    Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
    My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
    The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
    Everything works inbound no problem.
    What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
    I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
    In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
    Is this possible with our setup? Does anyone have some code examples?
    Thanks in advance.
    Addresses changed to protect the innocent:
    Load Balancer 1:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.252
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Primary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Primary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.251 255.255.255.0
    ip virtual-router 1 priority 254 preempt
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.2 255.255.255.0
    ip virtual-router 2 priority 254 preempt
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content
    Load Balancer 2:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.251
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Secondary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Secondary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.252 255.255.255.0
    ip virtual-router 1
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.3 255.255.255.0
    ip virtual-router 2
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content.

    Gilles,
    I added the following commands, and things seem to be working.
    To circuit VLAN1
    ip redundant-vip 1 1.1.1.80
    !*************************** GROUP ***************************
    group natout
    vip address 1.1.1.80
    add service nat_web_servers
    active
    service nat_web_servers
    ip address 192.168.1.10 range 3
    active
    I do have a question about the above service commands.
    I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
    Otherwise, I think you have resolved this problem for us. Thank you.

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public IP addresses
    Private interface: router on a stick config (3 sub-interfaces, 3 different networks, 3 VLANs)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure about the configuration.  I could also redirect via policy-map and filter by URL content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand it, you first want this:
    if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    static mapping from local to public. 
    I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
    ip route 171.1.2.3 interface serial0/0 
    or 
    ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the http or https protocol on your ISP and afterwards on your local network
    like
    ip access-list extended ACL_WebServer1
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ! applied outbound: traffic to the server leaves the router on this sub-interface
     ip access-group ACL_WebServer1 out
     no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • How to install licenses on 2 RDSH servers behind F5 load balancer

    I want to setup 2 separate RDSH servers behind a F5 load balancer.  The load balancer is there to spread out the compute load between 2 VM servers as the application the users are using are somewhat "heavy" in nature.  I have 10 users who will potentially need access all at the same time.  How do I install the 10 licenses?  Do I install 5 on each server, or do I install all 10 on only one of the servers?

    Hi,
    You would install all 10 licenses on your RD Licensing server and point your 2 RDSH servers to that.  You may install RD Licensing on whichever server you want, for example, on your RD Connection Broker, or a DC, or on one of the 2 RDSH servers, etc.
    -TP

  • Servers behind CSS Browse the Internet

    Can anyone show me how to configure on CSS for servers behind CSS 11000 browse the Internet ? I am using NAT.
    thanks in advance
    Andy

    If you need the CSS to NAT the servers' IP addresses when they go out to the Internet, all you need is a group.
    ie:
    service server1
    ip 10.x.x.x
    active
    service server2
    ip 10.x.x.x
    active
    group natservers
    vip address x.x.x.x
    add service server1
    add service server2
    active
    If you already had a group using these services, you will need something a little more tricky.
    Just start with the above and let us know if it works.
    Gilles.

  • Can odi server and essbase/planning servers be on different machines if dat

    hi,
    1) Can odi server and essbase/planning servers be on different machines if data and metadata is to be loaded to essbase
    2) Do the web services of ODI work with Tomcat instead of OC4J
    Pls help asaj
    Edited by: hyp big bee on Jul 7, 2009 5:09 AM

    Hi,
    1) Yes
    2) Yes
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Active/passive servers behind CSS

    Hi,
    I have 2 servers behind CSS. Instead of doing load balancing, we need both servers to work in active/passive mode, meaning that only if the active server is down will the second server serve. We cannot move the servers from behind the CSS.
    Please advise if this is possible.
    Regards,

    You will need to use the "sorry server" feature in CSS to achieve that
    Sample Config
    !********* SERVICE *****************
    service serverA
    ip address x.x.x.1
    active
    service serverB
    ip address x.x.x.2
    active
    !********** OWNER ****************
    owner SYED
    content EXAMPLE
    vip address 1.1.1.1
    port 80
    protocol tcp
    add service serverA
    primarySorryServer serverB
    active
    HTH
    Syed Iftekhar Ahmed

  • L2TP VPN for servers behind NAT

    I have two 2012 R2 servers, both behind NAT, which I'm trying to connect via VPN. I have no problem connecting them via PPTP, but when connecting them via L2TP (with shared key for testing), the dialing server never connects to other server.
    I assume that the problem is that they're both behind NAT.  In Windows Server 2008, you were able to set a registry value to get the L2TP connections to work under NAT, see
    http://support.microsoft.com/kb/926179 by setting the environment variable AssumeUDPEncapsulationContextOnSendRule.
    I tried using this with the two servers, but it didn't seem to help.  Is there some other way to get the L2TP connection for the two 2012 R2 servers working behind NAT?

    Hi,
    Thanks for your pointer and sorry for replying so late.
    I am sorry to say that I haven’t found any documents to ensure whether NAT-T is supported in Windows Server 2012 R2 or not. In addition, VPN servers that are located behind NAT are not recommended. When a server is behind a network address translator, and the server uses NAT-T, unintended behavior might occur because of the way NAT translates network traffic.
    Best regards,
    Susie

  • UCS C200 M2 Servers Behind Firewall ASA

    Hi,
    We have a requirement that a customer will deploy two UCS C200 M2 servers, and I need to know the best practice and the recommendation for putting a UCS server behind a firewall (ASA5545) or outside the firewall (bypassing the FW).
    Please advise.
    Thanks,
    Amr Sherif

    This is something that needs to be discussed with the customer.
    UCS will be the server side, and it's up to the requirements and security policy whether this server has to be placed inside, outside or in the DMZ of a firewall.
    Sent from Cisco Technical Support iPad App

  • Can't connect to Adobe Servers behind Sonicwall TZ 200

    Since being behind a Sonicwall TZ 200 I can no longer connect to the Adobe servers. We have opened port 80, 443 and it was also suggested that we open ports 1935 and 8080 which we did but we still aren't able to make a connection. If we connect this Mac to a hot spot we can connect fine so we know it's the Sonicwall causing the issue.
    This is a Mac running OS X with no antivirus/firewall on and no proxy settings.
    Does anyone have any suggestions?
    Thanks,

    Thanks for the link, John. I have actually read through that thread and a couple of links within it linking to the Adobe troubleshooting page and another thread. Still no success though. Adobe can't seem to figure it out either. I can't imagine what the issue is; a Sonicwall is a widely used security appliance/router and our network isn't complex.
    Thanks

  • How to connect to two servers behind a firewall

    Let's say I have a LAN with two independent servers, one at 192.168.2.10 and one at 192.168.2.20
    As it is now, I can fwd the 548 port to one server and it works.
    Is there a way I could connect to both servers, maybe having one at port 548 and one at 549, so if I connect using the default address, it will connect to server A, and to the address plus the port :549 it will connect to server B?
    I tried forwarding port 548 to one server and port 549 but for now, my router/firewall complains that I have a port conflict.
    What's the simplest way to achieve what I would like?

    Oh man, I think I've seen the answer to that in these threads, but it'd be around 20-30 pages back... iirc it would involve editing Hosts' or hppd file... BIG Help I know... but perhaps a real expert will be along shortly!

  • Time Capsule port mapping is broken for L2TP Servers behind NAT config.

    I'm hoping that someone here can refute the below bug assertion... am I missing something?
    There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:
    When TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstance provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP, making L2TP VPN servers on the LAN side of TC/AEBS unreachable from the WAN/Internet side.
    *The conditions for my tests*:
    3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
    MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
    I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
    Simultaneous local and server monitoring of port traffic using
    tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
    The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
    The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.
    *The tests*:
    Netcat with the following commands, in turn, on the server:
    nc -l -u 501
    nc -l -u 500
    nc -l -u 1700
    nc -l -u 4500
    which causes traffic to the udp port specified to be dumped to std out. Provides a confirmation of the tcpdump output.
    On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
    For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
    Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.
    I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
    Message was edited by: WebMarc

    Confirmed here. This only seems to be a problem with Airport 7.5.x firmware though - I find the older TCs running 7.4.2 work as expected even with BTMM / MobileMe services active.
    I'm so glad you posted this - I haven't found it mentioned anywhere else and was beginning to feel very alone with this problem. I also found that having two TC 7.5s in the mix - one at both ends - also results in no response to SSH or Remote Desktop ports.
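
The control-port method from the post above, as an added example that is not part of the original thread; it uses plain Python sockets in place of `nc` and `tcpdump`, and all function names are hypothetical. `open_listeners` and `collect` run on the server behind the router, `probe` runs from an outside network, and `classify` reads the target ports against the control port.

```python
import select
import socket
import time


def open_listeners(ports, bind_addr="0.0.0.0"):
    """Server side: bind one UDP socket per port (ports below 1024 need root)."""
    socks = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((bind_addr, port))
        socks[s] = port
    return socks


def collect(socks, token, wait=2.0):
    """Server side: return the ports on which `token` arrived within `wait` seconds."""
    seen, deadline = set(), time.monotonic() + wait
    try:
        while len(seen) < len(socks):
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            ready, _, _ = select.select(list(socks), [], [], remaining)
            for s in ready:
                data, _addr = s.recvfrom(2048)
                if data == token:  # ignore unrelated datagrams on the same port
                    seen.add(socks[s])
    finally:
        for s in socks:
            s.close()
    return seen


def probe(host, ports, token, repeats=3):
    """Client side: send `token` to every port; repeats cover ordinary UDP loss."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for port in ports:
            for _ in range(repeats):
                s.sendto(token, (host, port))


def classify(control, targets, seen):
    """Judge each target port only if the control port (501 in the post) got through."""
    if control not in seen:
        # Nothing arrived at all: the path itself is suspect, not the port mapping.
        return {p: "inconclusive" for p in targets}
    return {p: "forwarded" if p in seen else "dropped" for p in targets}
```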

  • Can 2 separate Planning Servers be running on the same machine?

    Dear All,
    We are trying to setup Hyperion DEV and SIT environments into the same AIX server. We have
    Shared Services
    Essbase
    EAS
    APS
    Financial Reporting
    Planning
    Oracle Application Server 10g
    Oracle 10g DB
    We use 2 separate user accounts and different HYPERION_HOME and ORACLE_HOME.
    Everything seems fine except the Business Rule. When trying to pick the Planning locations, it's always pointing to the first instance of the Planning server.
    I think it is related to the RMI registry service which is used to establish a communication between Planning, Essbase and HBR/EAS.
    I am also running 2 RMI registry services on two different ports. However, how can we tell Planning and HBR/EAS which one to use for communication?
    Any idea?

    I found that the table HEAS.HBRPLUGINDATA contains the correct Planning RMI Port. It seems that EAS is talking with the correct RMI and Essbase Server.
    I can submit business rule in Planning. However, I still can't submit business rule in EAS. Any idea?
