ACE on a DMZ

Hello, I have a setup where ACE is deployed on a DMZ and is doing SSL offloading for clients connecting from the outside interface to an authorization server on the inside.
ACE is connected through one leg to a switch in the DMZ.
The problem is that when the client initiates the connection from the outside, it arrives at the ACE, but the ACE isn't able to offload the connection to the server on the inside.
I have reviewed all the NAT on the ASA and I'm positive the problem isn't there. Is there any additional inspection to be done on the ASA, or any other hint?

Hi,
You are using one-arm mode, not routed :-) (thanks for the config ;)
For the ACE to work properly, you need to make sure that traffic to the server and the return traffic follow the same path.
In your case, the request hits the VIP and the ACE load balances correctly, but the server sees that the source address is elsewhere and replies to its default gateway, not to the ACE.
For one-armed mode to work, you should implement source NAT on the ACE, so that the source address is NATed to the ACE's own address. This way, the server will reply to the ACE, and the ACE replies to the client.
Refer to this example about one-armed mode:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
HTH,
Dario
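As an added worked example (not the poster's config and not Cisco's own, though the commands are standard ACE CLI), here is the shape of a one-arm configuration for the setup in the question: an HTTPS VIP on the DMZ VLAN that terminates SSL, a server farm pointing at the inside server, and source NAT from a pool on the ACE's VLAN so the server's reply is routed back through the ACE rather than to its default gateway. VLAN 51, the 10.40.56.0/25 and 10.40.57.0/24 addresses, the object names and the certificate/key file names are all assumed placeholders; lines starting with "!" are annotations, not ACE commands.

```text
! Added example, not the original poster's config. VLAN 51, the addresses
! and the object names are assumed placeholders.
access-list everyone line 8 extended permit ip any any

! Certificate and key must already have been imported onto the ACE
! (file names are placeholders).
ssl-proxy service SSL-OFFLOAD
  key auth-server.key
  cert auth-server.crt

! Inside server, one routed hop away behind the ASA.
rserver host AUTH-SRV
  ip address 10.40.57.10
  inservice

serverfarm host AUTH-FARM
  rserver AUTH-SRV 80
    inservice

! Clients hit the VIP on TCP/443.
class-map match-all AUTH-VIP-443
  2 match virtual-address 10.40.56.200 tcp eq 443

policy-map type loadbalance first-match AUTH-SLB
  class class-default
    serverfarm AUTH-FARM

policy-map multi-match LB
  class AUTH-VIP-443
    loadbalance vip inservice
    loadbalance policy AUTH-SLB
    loadbalance vip icmp-reply active
    ! decrypt the client-side HTTPS; the server-side leg is clear HTTP
    ssl-proxy server SSL-OFFLOAD
    ! rewrite the client source to pool 1 on VLAN 51 so the server's
    ! reply is addressed to the ACE instead of to its default gateway
    nat dynamic 1 vlan 51

interface vlan 51
  ip address 10.40.56.131 255.255.255.128
  access-group input everyone
  ! one-address pool with PAT so many clients share it
  nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
  service-policy input LB
  no shutdown

! Default route towards the DMZ firewall interface (placeholder address).
ip route 0.0.0.0 0.0.0.0 10.40.56.129
```

Two things to check once this is in place: the ASA must permit the NAT pool address (10.40.56.215 here) to reach the inside server on TCP/80 and allow the matching return flow, and it is worth restricting that rule to the pool address and the server port only rather than the whole DMZ subnet, since after source NAT every client appears as that single address. On the ACE, "show conn" should then show both the client-side and server-side legs of each flow, which is the quickest confirmation that the return path is symmetric.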

Similar Messages

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, DMZ network zones].
I've seen sample configurations; all of them run the ACE in routed mode, and the ASAs in routed mode.
Would it be possible to run the ACE in bridge mode, because of the IP subnetting problem? We don't have enough to split.
By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I simply set the server's gateway to the BVI interface?
Please help. Thanks

    Thank you very much Gilles,
    You 're the man. ;-)
Another question: in my case I try to load balance a 3-interface firewall [inside, outside, DMZ]. In order to make the packet return through the same firewall it passed earlier,
what kind of hashing technique do I need to use, and do I need to use the mac sticky command?
I tried to find some configuration sample from the Cisco website, but I only found one with only 2 interfaces, with ACE running source hash and destination hash at each end.
    Thank you very much

  • ACE bypass traffic

    I am migrating from a CSS environment to an ACE module in a 6513. I have an ACE context between VLAN29 and VLAN30 that is a DMZ. VLAN29 faces the firewalls and VLAN30 the real servers. I can access the servers with a serverfarm and a "vip". I need to access the servers real address directly for management, and some of them need direct access to internal resources.
    The route table looks like this:
    Destination Gateway Interface Flags
    0.0.0.0 192.168.29.225 vlan29 S
    192.168.0.0/16 192.168.29.225 vlan29 S
    192.168.29.0/24 0.0.0.0 vlan29 IA
    192.168.30.0/24 0.0.0.0 vlan30 IA
    Is there a way to do this?
    Currently I can see the traffic bouncing back and forth from the firewall to the ACE on VLAN29. The ACL on the ACE interfaces:
    access-list Allow_All line 10 extended permit ip any any

    no joy.
    route table:
    ACE-6513-1/DMZ# sh ip ro
    Routing Table for Context DMZ (RouteId 1)
    Codes: H - host, I - interface
    S - static, N - nat
    A - need arp resolve, E - ecmp
    Destination Gateway Interface Flags
    0.0.0.0 192.168.29.225 vlan29 S
    192.168.0.0/16 192.168.29.225 vlan29 S
    192.168.29.0/24 0.0.0.0 vlan29 IA
    192.168.30.0/24 0.0.0.0 vlan30 IA
Wireshark captures show packets with the same IPs but MACs reversing until the TTL expires. It looks like traffic in 192.168.30.0/24 is forwarded to the default route instead of out the vlan30 interface. Wireshark on vlan30 never sees it.

  • ACE: load balancing servers using DMZ ports on FWSM

    devices; (2 core with the ff config)
    6500
    fwsm
    idsm
    msfc
    SETUP;
    Servers are connected to the dmzs on the core
    REQUIREMENT;
    to load balance the servers
    QUESTION;
Using the ACE module, is it possible to load balance the servers which are connected to the port which is configured as DMZ?
    Thanks

It does not matter where the servers are connected.
However, be aware that the flows from client to server need to go through the load balancer, BUT also the flows from server to client.
So, you should be careful where you attach the ACE module.
The easiest would be to attach it to the DMZ as well, between the FW and the servers.
    Gilles.

  • Design help related to ACE to Switch connectivity using Port-Channel

    Hi,
    I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is getting connected with 2 3750 switches. These 2 3750 switches connected in trunk mode.
    ACE is connected to these 3750 switches using Port-channel.
    ACE Config:
    ================================
    interface gigabitEthernet 1/1
      description One-arm mode port to DMZ Switch 1 port 20
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      description One-arm mode port to DMZ Switch 2 port 20
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport access vlan 51
      port-channel load-balance src-dst-ip
      no shutdown
    interface vlan 51
      ip address 10.40.56.131 255.255.255.128
      access-group input everyone
      access-group output everyone
      nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
      service-policy input LB
      service-policy input remote-access
      no shutdown
    ===========================================================
The problem is that the 3750 switches are not stacked.
The application is working fine, but I am getting a lot of MAC flapping messages.
Kindly suggest whether this design is OK or whether something needs to be done to rectify it.
Attached is a small diagram.

    Hello acharyr123,
I don't think this design is OK, and it would cause MAC flapping since the two independent 3750 switches will learn the ACE MAC addresses off two different interfaces. The 3750s would have to be stacked so that they act as one switch; then this should work correctly.
    Thanks
    Joel Lamousnery
    TAC CSE

  • Load balancing imbalance in ACE

We are facing slowness in an HTTP application which is due to connection imbalance. This setup has one set of load balancer and proxy in the DMZ, where the connections from the users get terminated, and a load balancer inside the LAN which load balances between the end-point servers. All user connections terminate on the DMZ load balancer / proxy, and the proxy connects back to the internal load balancer VIP (collating a large number of connections into very few, the default proxy behavior). The internal load balancer VIP does load balancing based on the number of connections in a least-loaded manner; this load balancer doesn't see how many sessions are beneath each connection and distributes each connection to a server underneath. Thus one connection may have around 100 sessions and another only a few, and each of these gets forwarded to the end server, causing the imbalance.
Is there a way that this imbalance can be tackled in this setup?
Users --> Proxy --> Load balancer (Cisco ACE) --> Server 1
                                              --> Server 2
                                              --> Server 3
    Least Connections predictor
    HTTP Cookie insert sticky

    Hi,
Persistence rebalance should solve the issue for you.
The persistence-rebalance function is required if you have proxy users and the proxy shares one TCP connection between multiple users.
With this behavior, inside a single connection you will see different cookies. Therefore, for each cookie, the ACE needs to first detect the new cookie and then load balance to the appropriate server.
    this is from the admin Guide :
    The following example specifies the parameter-map type http command to enable HTTP persistence after it has been disabled:
    host1/Admin(config)# parameter-map type http http_parameter_map
    Host1/Admin(config-parammap-http)# persistence-rebalance
    Please refer the following link for more info :
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/classlb.html#wp1062907
    hope that helps,
    Ajay Kumar

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • ACE Exception during conversation

After upgrading the ACE module from A2(3.1) to A2(3.2) we started getting complaints about the ability to upload a file in one of our applications. We are able to recreate the problem and noticed that when there is a failure, the ACE sends a TCP RST in both directions and closes the connection with the Exception reason. This is in the middle of a perfectly good conversation and there does not appear to be an external reason for it. I noticed a couple of other discussions with a similar problem but with no conclusions. Looking at the caveats in the release notes does not give any clues to this being a known bug. Has anyone else dealt with this problem and found a fix?
    Here is some information to illustrate.
    Sep 16 2010 13:48:27 Core-FWSM : %FWSM-6-302013: Built outbound TCP connection 145057001608450058 for inside:10.3.66.209/3605 (10.3.66.209/3605) to Burnet_dmz:10.2.0.56/443 (10.2.0.56/443)
    Sep 16 2010 13:48:26 DMZ: %ACE-6-302022: Built TCP connection 0x21280c for vlan120:10.3.66.209/3605 (10.3.66.209/3605) to vlan130:10.2.0.56/443 (10.2.0.151/443)
    Sep 16 2010 13:49:22 DMZ: %ACE-6-302023: Teardown TCP connection 0x21280c for vlan120:10.3.66.209/3605 (10.3.66.209/3605) to vlan130:10.2.0.56/443 (10.2.0.151/443) duration 0:00:55 bytes 2554818 Exception
    Sep 16 2010 13:49:22 Core-FWSM : %FWSM-6-302014: Teardown TCP connection 145057001608450058 for inside:10.3.66.209/3605 to Burnet_dmz:10.2.0.56/443 duration 0:00:55 bytes 2641677 TCP Reset-O
    ACE error message 302023
    Error Message    %ACE-6-302023: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason]
    Explanation    This informational message is logged when a TCP connection slot between two hosts is terminated.
    The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
    Table 2-1 TCP Termination Reasons
    Reason                Description
    TCP FINs             Normal close down sequence.
    TCP Reset           A TCP reset is received.
    Idle Timeout         TCP connection is timed out.
    FIN Timeout         TCP FIN timeout.
    SYN Timeout       TCP SYN timeout.
    Exception            Connection setup error.
    Policy Close        A policy closes the TCP connection.
    Voluntary Close   TCP connection is closed voluntarily by a user.
    Rebalance           HTTP rebalance.
    Reuse Conn.        Connection is reused.
    Reap Conn.          Connection is closed due to control plane reap messages.
    Xlate clear           Connection is closed due to execution of a clear xlate command.
    Conn clear            Connection is closed due to execution of a clear conn command.
    Recommended Action    None required.

Thanks for the reply Joel. You are correct, we were experiencing the noted bug. We opened a TAC case and worked with Jim Sirstin to identify that this was our problem. We implemented the suggested workaround and it solved the problem. Here is the detail for the bug, which is in the ACE release notes.
    Symptom:
    ACE resets TCP based client connection in case there is packet loss from client end and ACE is waiting to re-assemble client traffic.
    Conditions:
    In an environment where:
    (1) ACE is configured with a L7 load-balance policy where ACE proxies the client side TCP connection before making a load-balancing decision,
    (2) Client side connection experiences packet loss and
    (3) "TCP TX racing messages (data) " counter from ACE CLI command  "show np X me-stats -stcp" output is incrementing.
    Note: This problem can also occur with secure (SSL) terminated connections.
    Workaround:
    Configure an "empty" connection parameter-map and add it to multi-match policy-map under class-map configured for the VIP experiencing the problem.
    Example:
    parameter-map type connection TCPReassembly
      policy-map multi-match MultiMatch_PolicyMap
           class HTTP_VIP_80
              loadbalance vip inservice
              loadbalance policy L7_HTTP_PolicyMap
              loadbalance vip icmp-reply active
              connection advanced-options TCPReassembly

  • Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP

    Hi,
    I have a very strange set up and need some help to get my config working
    I have a ASA firewall with three VLANs
    VLAN 1 = Internet
    VLAN 2 = DMZ
    VLAN 3 = Goes to ACE
    On the ACE I have four VLANs
    VLAN 3 = Goes to ASA
VLAN 4 = Web Server Tier
VLAN 5 = DB Tier
VLAN 6 = VIPs
    Our Application team have asked us to create a New VIP on the ACE with real servers in DMZ (Server A and Server B)
And they have told us that the clients accessing the VIP will be Server A and Server B.
I have always created VIPs with real servers directly connected to the ACE, not connected elsewhere.
I believe I have a big challenge of opening ports on the firewall etc. to get this setup working. Also, should I use some sort of NAT / SNAT?
    Could anyone guide me on this setup please?
    Raj

    Hi Raj,
First of all, it is possible to add servers in the ACE which are a hop away from the ACE interfaces. Here the servers are a hop away but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through the ACE (so that the ACE can maintain state and change the source IP of the reply packet from the server IP to the VIP on which the client requested the connection).
When servers are a hop away and the ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to the ACE (as the server will see the NAT IP as the client IP).
In your case the DMZ-VIP, which is created for the two real servers A and B, will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a hop away). So the best solution here is the VIP in VLAN 3, rservers for this VIP in the DMZ, and SNAT of the client request using a free IP in VLAN 3.
Also you have to open ports on the firewall for both the real-server probes and the actual application ports; moreover, policy modifications on the firewall for allowing traffic from the DMZ to the ACE VIP, from the DMZ to the NAT IP, and the vice-versa traffic.

  • [ACE] What makes a sticky reset?

    Hi,
    Our websites are loadbalanced thru our ACE modules and we are using the sticky feature.
    Sticky is needed so that the customers session will retain the content of its shopping basket.
    About 10% of our customers complain that the basket is emptied during a session, forcing them to start over. In our logs we indeed see that some users are balanced to another server during a session. Apparently in these cases the sticky feature is ignored somehow.
    My question is, what are the possible triggers that the ACE uses to dismiss the sticky for a given session and start a new one?
    Could it for example be caused by an html-page containing a link to another vip than the vip the page is originally served from?
    Or could a simple spelling-error in a link be the trigger?
    Looking forward to any answer.
    Kind regards,
    Anthony van Harten

Hi, I have a similar scenario with a Cisco 4710 in a DMZ, running a VIP that end users are hitting from behind a proxy and NAT.
I enabled cookie-insert and it's pushing down a cookie to the browser now; just wondering if I need to add persistence-rebalance when using cookie-insert. From the command reference it seems like all user sessions would end up on one rserver if I did that. Looking to ensure round-robin is still used.
    Usage Guidelines
    With persistence rebalance enabled, when successive GET requests result  in load balancing that chooses the same policy, the ACE sends the  request to the real server used for the last GET request. This behavior  prevents the ACE from load balancing every request and recreating the  server-side connection on every GET request, producing less overhead and  better performance.
    Another effect of persistence rebalance is that header insertion and  cookie insertion, if enabled, occur for every request instead of only  the first request.
    thanks
    John W.

  • Basic L2 bridge troubleshooting ACE

    Hi,
I have strange behaviour on a new ACE module:
I have a DMZ in bridge mode. I have installed a server on it with a simple web server, and I first try to simply connect to this web server, just bridging between client and server.
Sometimes it works just fine, sometimes the TCP connection to port 80 doesn't work.
When it doesn't work, the ACE sends an ICMP echo request to the source using its IP.
The ping always works well.
Do you see anything in the config that is wrong or that I should add?
Here is the config:
    interface bvi 1
    ip address a.a.a.a 255.255.255.224
    peer ip address a.a.a.b 255.255.255.224
    description Bridge address for Dmz
    no shutdown
    interface vlan 454
    bridge-group 1
    no normalization
    mac-sticky enable
    no icmp-guard
    access-group input Any
    service-policy input PM_MM_454_VIP
    service-policy input TCP_Connection_Timeout
    no shutdown
    interface vlan 554
    bridge-group 1
    no normalization
    no icmp-guard
    access-group input Any
    service-policy input TCP_Connection_Timeout
    no shutdown
    Thanks

    Hello Gilles,
If in a context you have many bridge groups, how can you configure a route for each?
On the CSM there was the gateway command; I thought here the mac-sticky replaced that.
Here is the ARP table on the context:
    85.91.161.65 00.50.5a.5b.a1.41 vlan454 LEARNED 17 9121 sec up IS the DG
    85.91.161.70 00.08.02.94.9d.27 vlan554 LEARNED 24 9121 sec up Is the server
I tried now, and even if the MAC is in the ARP table it doesn't work.
I have upgraded the blade to 3.0.0_A1_6_3b.
I will look at the ARP table when it works.
And here I am simply trying to connect to the server; there is no service defined on the ACE for LB, and ICMP is sent to the server correctly.
Also the MAC address table doesn't change even if it works for someone else.
So PC1 - server on port 80: OK
PC2 - server on port 80: not OK
and then for no reason it doesn't work anymore for the first one either.
    Thanks,
    Luc

  • Status-Tracking on ACE

    Hello
    On the CSM there was a feature called status tracking, it's description:
Router(config-module-csm)# vserver dependent_virtserver_name
Identifies the dependent virtual server and enters the virtual server configuration mode.
Router(config-slb-vserver)# virtual ip-address [ip-mask] protocol port-number [service {ftp | rtsp | termination}]
Sets the IP address for the dependent virtual server, the optional port number or name, and the connection coupling and type. The protocol value is tcp, udp, any (no port number is required), or a number value (no port number is required).
Router(config-slb-vserver)# status-tracking tracked_virtserver_name
Identifies the tracked virtual server. When this virtual server is taken out of service or fails, the dependent virtual server identified in Step 1 is automatically taken out of service.
    From http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/mapolcy.html
    I am wondering if anyone knows of a similar feature in ACE?
    The additional complexity is now the dependant vserver and tracked vserver are in different ACE contexts, does anybody know if there is way to track vservers in a different context?
    Got to admit I'm relatively new to ACE but hope this makes sense.
    Thanks for any replies in advance
    Martin

    Hi Ulrich
Thanks for the reply. I'm not sure I was clear on my question: the PROBE would allow me to check the first service is up. What I want to do is make the internal server unavailable if the external is not PROBING correctly, or vice versa. I recognise now this is not identical to status-tracking, which operates at a VIP level.
As an example, I have two FTP servers which are dual-homed with internal and external interfaces in a DMZ, both of which are load balanced using the ACE. If the external interface goes down I would want the internal real server to be marked out of service so that FTP traffic is no longer sent there, and vice versa: if the internal went down I would want to mark the external as down. The configuration in this case is that there are different contexts for the internal and external; not saying that's ideal from a security perspective, but you can only play with the cards you're dealt!
    Thanks
    Martin

  • ACE Problem after restarting Application

    Hi,
we have an ACE20 and have set it up to balance 4 containers on an Oracle Application Server. Every time we stop all containers at the same time for longer than an hour, it takes forever (hours) until the load balancer starts balancing the containers again. I can see in the Apache log files on the application server that the ACE module is checking the containers and gets a 200, but still we can't access the application for a few hours. If I connect directly to the container it also works fine... just the ACE does not work. Like it has a timeout and is waiting.
    Any idea how to give it a kick?
    While accessing the Application I can see that it connects, but nothing happens...
    sh conn detail
    total current connections : 2
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    68155      2  in  TCP   191  10.200.101.73:35777   10.200.101.64:80      ESTAB
              [ idle time   : 00:00:18,   byte count  : 888        ]
              [ elapsed time: 00:00:18,   packet count: 3          ]
    68156      2  out TCP   195  10.200.105.33:80      10.200.101.73:35777   INIT
              [ conn in reuse pool : FALSE]
              [ idle time   : 00:00:18,   byte count  : 0          ]
              [ elapsed time: 00:00:18,   packet count: 0          ]
    Thanks for any help!
    Jason

    Hi,
I'm still having problems with the ACE load balancer. At the moment it doesn't seem to recover after having restarted the application the last time.
Can someone look at the config and tell me if they see a mistake in it?
I have three instances: accesst, accesst2 and accesst3. Each instance has 4 Oracle Application Server containers deployed on 2 different application servers. The site is split between 2 DMZs which are separated by a firewall. The Cisco ACE has one leg in each VLAN (191 and 195). We always had a problem after taking the application servers down for updates that it takes forever until the ACE starts balancing again. For the last 4 days it hasn't started rebalancing yet. As far as I know nothing has changed in the configuration of the server or of the ACE. The firewall admin said he tried to find a problem, but didn't change anything.
Do I maybe have a mistake in the ACE config? Am I missing something here?
    MS4_ACE_PU/MY-APP# sh running-config
    Generating configuration....
    logging buffered 7
    access-list anyone line 8 extended permit ip any any
    probe http HEAD_1
      port 7791
      interval 10
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_2
      port 7792
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_3
      port 7793
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_4
      port 7794
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_5
      port 7795
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_6
      port 7796
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_7
      port 7797
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_8
      port 7798
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    parameter-map type http PERSIST-REBALANCE
      persistence-rebalance
    action-list type modify http LOCATION-RW-VIP-2
      header rewrite response location header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
      header rewrite response content-lokation header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
    action-list type modify http LOCATION-RW-VIP-1
      header rewrite response content-lokation header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
      header rewrite response location header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
    action-list type modify http LOCATION-RW-VIP
      header rewrite response location header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
      header rewrite response content-lokation header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
    rserver host server103
      description KS ApplicationServer
      ip address 10.200.105.33
      inservice
    rserver host server104
      description KS ApplicationServer
      ip address 10.200.105.34
      inservice
    serverfarm host HTTP-APPL
      rserver server103 7791
        probe HEAD_1
        inservice
      rserver server103 7792
        probe HEAD_2
        inservice
      rserver server104 7791
        probe HEAD_1
        inservice
      rserver server104 7792
        probe HEAD_2
        inservice
    serverfarm host HTTP-APPL-1
      rserver server103 7795
        probe HEAD_5
        inservice
      rserver server103 7796
        probe HEAD_6
        inservice
      rserver server104 7795
        probe HEAD_5
        inservice
      rserver server104 7796
        probe HEAD_6
        inservice
    serverfarm host HTTP-APPL-2
      rserver server103 7797
        probe HEAD_7
        inservice
      rserver server103 7798
        probe HEAD_8
        inservice
      rserver server104 7797
        probe HEAD_7
        inservice
      rserver server104 7798
        probe HEAD_8
        inservice
    sticky http-header TranSON_Cert_Subject group1
      replicate sticky
      serverfarm HTTP-APPL
    sticky http-header TranSON_Cert_Subject group2
      replicate sticky
      serverfarm HTTP-APPL-1
    sticky http-header TranSON_Cert_Subject group3
      replicate sticky
      serverfarm HTTP-APPL-2
    class-map type http inspect match-any HTTP-INS-VIP
      2 match header Host header-value "accesst.my-site.de"
    class-map type http inspect match-any HTTP-INS-VIP-1
      2 match header Host header-value "accesst2.my-site.de"
    class-map type http inspect match-any HTTP-INS-VIP-2
      2 match header Host header-value "accesst3.my-site.de"
    class-map match-all HTTP-VIP
      2 match virtual-address 10.200.101.64 tcp eq www
    class-map match-all HTTP-VIP-1
      2 match virtual-address 10.200.101.68 tcp eq www
    class-map match-all HTTP-VIP-2
      2 match virtual-address 10.200.101.69 tcp eq www
    policy-map type loadbalance first-match HTTP-SF
      class class-default
        sticky-serverfarm group1
        action LOCATION-RW-VIP
    policy-map type loadbalance first-match HTTP-SF-1
      class class-default
        sticky-serverfarm group2
        action LOCATION-RW-VIP-1
    policy-map type loadbalance first-match HTTP-SF-2
      class class-default
        sticky-serverfarm group3
        action LOCATION-RW-VIP-2
    policy-map type inspect http all-match INS-PM-VIP
      class HTTP-INS-VIP
        permit
    policy-map type inspect http all-match INS-PM-VIP-1
      class HTTP-INS-VIP-1
        permit
    policy-map type inspect http all-match INS-PM-VIP-2
      class HTTP-INS-VIP-2
        permit
    policy-map multi-match SLB-logic
      class HTTP-VIP
        loadbalance vip inservice
        loadbalance policy HTTP-SF
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
      class HTTP-VIP-1
        loadbalance vip inservice
        loadbalance policy HTTP-SF-1
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
      class HTTP-VIP-2
        loadbalance vip inservice
        loadbalance policy HTTP-SF-2
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
    interface vlan 191
      ip address 10.200.101.65 255.255.255.0
      alias 10.200.101.67 255.255.255.0
      peer ip address 10.200.101.66 255.255.255.0
      access-group input anyone
      service-policy input SLB-logic
      no shutdown
    interface vlan 195
      ip address 10.200.105.65 255.255.255.0
      alias 10.200.105.63 255.255.255.0
      peer ip address 10.200.105.66 255.255.255.0
      access-group input anyone
      no shutdown
    Destination         Gateway          Interface         Flags
    10.200.101.0/24     0.0.0.0          vlan191           IA [0x30]
    10.200.105.0/24     0.0.0.0          vlan195           IA [0x30]

  • ACE and static NAT

    Hello
    I had PIX+CSM on a 6500. I've changed it to a new ACE module on the 6500.
    I've recreated the load balancing which was done on the CSM. Now I want to connect the DMZ which was connected to the PIX and make static DNAT.
    I used the configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
    I need to make static DNAT, but I can't figure out how it works. There are many errors in this document, including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101).
    I analyzed the three examples at the end of this document. My questions:
    1. How do I choose whether it's source or destination NAT?
    2. Do I always apply the service-policy to the VLAN interface which receives the packets that should be NATed?
    3. What is the class-map (its ACL) selecting? Incoming traffic whose destination address should be changed?
    4. In the command "nat static A netmask netmaskA vlan B", is A the outside IP address before translation to the inside address?
    5. Could anybody give me a simple example of static DNAT? (Or any links?)
    Thanks

    Destination NAT is equivalent to load balancing to one server.
    I would therefore configure a VIP as the inbound destination address, and an rserver which would be the outbound NATed destination IP address.
    Then create a policy-map to link the two together and apply the policy-map to the incoming VLAN, or you can apply it globally.
    For the reverse connections, where you then need to NAT the source IP back to the 'VIP', you use the static NAT config that you have found in the document.
    By the way, I don't see anything wrong with it.
    Those commands are in A1 and also the new A2 release.
    ACE is really a loadbalancer with some firewall features and not the opposite.
    This is why pure NATing functions are not straightforward to configure.
    Gilles.
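    A minimal static DNAT built the way the reply describes, as an added example that is not from this thread or from Cisco's documentation: the inbound half is a VIP load balanced to a single rserver, the reverse half is the nat static form quoted in the question applied to traffic the DMZ host originates. All addresses, VLAN numbers and object names are constructed placeholders; the access-lists are wide open only to keep the example short.

```text
! --- constructed example, not a production config ---
! Inbound: outside clients connect to VIP 192.0.2.10, ACE forwards to DMZ host 10.10.20.10
access-list ALL line 10 extended permit ip any any
rserver host DMZ-WEB
  description constructed: the real DMZ host behind the translated address
  ip address 10.10.20.10
  inservice
serverfarm host SF-DMZ-WEB
  rserver DMZ-WEB
    inservice
class-map match-all VIP-DMZ-WEB
  2 match virtual-address 192.0.2.10 tcp eq www
policy-map type loadbalance first-match LB-DMZ-WEB
  class class-default
    serverfarm SF-DMZ-WEB
policy-map multi-match OUTSIDE-IN
  class VIP-DMZ-WEB
    loadbalance vip inservice
    loadbalance policy LB-DMZ-WEB
! Reverse: connections opened by the DMZ host itself leave vlan 101 with the VIP as source
class-map match-all FROM-DMZ-WEB
  2 match source-address 10.10.20.10 255.255.255.255
policy-map multi-match DMZ-OUT
  class FROM-DMZ-WEB
    nat static 192.0.2.10 netmask 255.255.255.255 vlan 101
interface vlan 101
  description constructed: outside
  ip address 192.0.2.1 255.255.255.0
  access-group input ALL
  service-policy input OUTSIDE-IN
  no shutdown
interface vlan 102
  description constructed: DMZ
  ip address 10.10.20.1 255.255.255.0
  access-group input ALL
  service-policy input DMZ-OUT
  no shutdown
```

    The VIP class-map answers question 3 (it selects incoming traffic by destination), and the nat static line answers question 4 (192.0.2.10 is the address seen on the outside VLAN, substituted for the DMZ host's source). In a real deployment the ALL access-lists should be narrowed to the expected ports, as discussed in the access-list thread on this page.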

  • ACE access-list best practice

    Hi,
    I was wondering what the best practice is for the access-lists on the Cisco ACE.
    Should we permit any in the access-list, and classify the traffic in the class-maps as seen in this brief example:
    access-list ANY line 10 extended permit ip any any
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
      class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
      access-group input ANY
      service-policy input EXCH-DMZ-OUT
    Or should we also use the access-list for the access-group on the interface, as seen below:
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
      class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
      access-group input EXCH-DMZ-INTERNET-OUT
      service-policy input EXCH-DMZ-OUT
    Regards,

    Hello,
    I don't think you'll find a "best practice" for this scenario. It really just comes down to meeting your needs. The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not. The second way will only allow NAT'd traffic, and deny all others.
    Hope this helps,
    Sean
