ACE port redirection message to client
Hi,
I need to configure a new VIP so that if the requests come on port 80 it sends a redirection message to clients saying to try on port HTTPS://*:9443, is the configuration below correct?
rserver host server1
description host1
ip address 1.1.1.1
probe probe-http
inservice
rserver host server2
description host2
ip address 1.1.1.2
probe probe-http
inservice
serverfarm host sfarm1
rserver server1
inservice
rserver server2
inservice
rserver redirect sfarm1_redirect_9443
webhost-redirection https://%h:9443%p 301
inservice
serverfarm redirect sfarm_redirect_9443
rserver sfarm1_redirect_9443
inservice
class-map match-all VIP_HTTP
description Match HTTP
2 match virtual-address 2.2.2.2 tcp eq www
class-map match-all VIP_HTTPS
description Match HTTPS
2 match virtual-address 2.2.2.2 tcp eq 9443
policy-map type loadbalance first-match http_Redirect_Policy
class class-default
serverfarm sfarm_redirect_9443
policy-map type loadbalance first-match https_9443
class class-default
serverfarm sfarm1
policy-map multi-match VIPS
class VIP_HTTP
loadbalance vip inservice
loadbalance policy http_Redirect_Policy
loadbalance vip icmp-reply active
class VIP_HTTPS
loadbalance vip inservice
loadbalance policy https_9443
loadbalance vip icmp-reply active
Hi,
%h and %p are usually used when the host and path remain the same, as is the case in a redirection from http to https.
You can also use the actual hostname and path if the above doesn't work. I think it should work but I haven't tested it before.
You can try something like below:
webhost-redirection https://test.com:9443 301
Let me know how it goes.
Regards,
Kanwal
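As an added illustration of the %h/%p substitution discussed above (not code from the thread or from Cisco), the following Python simulates how a webhost-redirection string expands for a given request and audits the resulting Location header before the VIP goes live. The token semantics (%h = Host header verbatim, %p = request path) and the sample requests are assumptions.

```python
"""Simulate ACE 'webhost-redirection' token expansion and sanity-check the
Location header a redirect VIP would return.  Added example, not ACE code;
%h = Host header verbatim and %p = request path are assumptions."""
from urllib.parse import urlsplit


def expand_webhost_redirection(template: str, host: str, path: str) -> str:
    """Expand %h and %p in a webhost-redirection string for one request."""
    return template.replace("%h", host).replace("%p", path)


def build_redirect(template: str, status: int, host: str, path: str) -> str:
    """Render the minimal HTTP response the redirect rserver answers with.
    'status' is the code given on the rserver line (301 in the thread)."""
    phrase = {301: "Moved Permanently", 302: "Found"}.get(status, "Redirect")
    location = expand_webhost_redirection(template, host, path)
    return (f"HTTP/1.1 {status} {phrase}\r\n"
            f"Location: {location}\r\n"
            f"Connection: close\r\n\r\n")


def audit_location(location: str, request_host: str, request_path: str) -> list:
    """Return a list of findings (empty means the redirect looks sane):
    - malformed URL or port, e.g. a Host header that already carries a
      port ('www.example.com:80') expanded through 'https://%h:9443%p';
    - a scheme other than https, since the goal is an HTTP->HTTPS bounce;
    - a hostname different from the one the client asked for, which a
      literal target ('https://test.com:9443') produces for every other
      Host and which turns the VIP into a fixed-destination redirector;
    - a dropped request path, the symptom of a template with no %p token
      (http://url.test.com/abc -> https://url.test.com/)."""
    findings = []
    try:
        parts = urlsplit(location)
        _ = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"malformed Location: {exc}"]
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    want = request_host.split(":")[0].lower()
    got = (parts.hostname or "").lower()
    if got != want:
        findings.append(f"Location host {got!r} != request Host {want!r}")
    if request_path not in ("", "/") and \
            not parts.path.startswith(request_path.split("?")[0]):
        findings.append(f"request path {request_path!r} not preserved")
    return findings


# Constructed sample requests (template, status, Host header, path);
# not taken from the thread's production VIPs.
SAMPLE_REQUESTS = [
    ("https://%h:9443%p", 301, "www.example.com", "/abc"),
    ("https://%h:9443%p", 301, "www.example.com:80", "/abc"),
    ("https://url.test.com/", 302, "url.test.com", "/abc"),
    ("https://test.com:9443", 301, "www.example.com", "/abc"),
    ("https://%h%p", 301, "www.example.com", "/login?next=/x"),
]


def audit_samples() -> list:
    """Expand every sample and pair the Location with its findings."""
    report = []
    for template, status, host, path in SAMPLE_REQUESTS:
        location = expand_webhost_redirection(template, host, path)
        report.append((location, audit_location(location, host, path)))
    return report


if __name__ == "__main__":
    for location, findings in audit_samples():
        print(location, "->", findings or "ok")
```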
Similar Messages
I am using the standard HTTP port 80 on the front end (between the end user and the ACE module) and I am using port 9080 on the back end (between the ACE and the servers).
I don't want the port number 9080 to show up in the URL
http://www.Trading.com:9080/ANTOnline
How can I hide port 9080 from the end user?
Try this config:
rserver host Server001
ip address 10.1.1.1
inservice
rserver host Server002
ip address 10.1.1.2
inservice
serverfarm host SF001
probe CHECK.HTML
rserver Server001 9080
inservice
rserver Server002 9080
inservice
class-map match-all R001
2 match virtual-address 1.1.1.1 tcp eq www
policy-map type loadbalance first-match P001
class class-default
serverfarm SF001
policy-map multi-match L4-LB
class R001
loadbalance vip inservice
loadbalance policy P001
loadbalance vip icmp-reply
It should solve your problems -
Hi,
I am configuring load balancing for my web server, which is running on port 3636. But for users I want to give only http://172.23.15.87, not http://172.23.15.87:3636.
Earlier I had a CSS on which I was able to achieve this by creating two content rules, one for port 80 and one for port 3636. But here I don't know how to achieve it.
rserver MOSS_1
ip address 192.168.200.38
inservice
rserver MOSS_2
ip address 192.168.200.40
inservice
serverfarm host SF_MYEM
probe PROBE_3636
rserver MOSS_1
inservice
rserver MOSS_2
inservice
sticky ip-netmask 255.255.255.255 address source SF_MYEM_STICK
replicate sticky
serverfarm SF_MYEM
class-map match-any MYEM
2 match virtual-address 172.23.15.87 tcp eq 3636
policy-map type loadbalance first-match PM_LB_MYEM
class class-default
sticky-serverfarm SF_MYEM_STICK
policy-map multi-match PM_ENOC_Servers
class MYEM
loadbalance vip inservice
loadbalance policy PM_LB_MYEM
loadbalance vip icmp-reply active
Please let me know how to configure it so that users in the browser only put the VIP without the port 3636.
Hi,
I have tried the configuration, but only port 80 is working; I am not able to open the page on port 3636.
rserver host MOSS_1
ip address 192.168.200.38
inservice
rserver host MOSS_2
ip address 192.168.200.40
inservice
serverfarm host SF_EM
probe PROBE_3636
rserver MOSS_1 3636
inservice
rserver MOSS_2 3636
inservice
serverfarm host SF_MY
probe PROBE_TCP
rserver MOSS_1
inservice
rserver MOSS_2
inservice
sticky ip-netmask 255.255.255.255 address source SF_MY_STICK
replicate sticky
serverfarm SF_MY
sticky ip-netmask 255.255.255.255 address source SF_MYEM_STICK
replicate sticky
serverfarm SF_MYEM
class-map match-any MYEM
3 match virtual-address 172.23.15.87 tcp eq www
class-map match-any MY
2 match virtual-address 172.23.15.86 tcp eq www
policy-map type loadbalance first-match PM_LB_MYEM
class class-default
sticky-serverfarm SF_MYEM_STICK
policy-map type loadbalance first-match PM_LB_MY
class class-default
sticky-serverfarm SF_MY_STICK
policy-map multi-match PM_ENOC_Servers
class MYEM
loadbalance vip inservice
loadbalance policy PM_LB_MYENOC
loadbalance vip icmp-reply active
class MY
loadbalance vip inservice
loadbalance policy PM_LB_MYENOC
loadbalance vip icmp-reply active
interface vlan 200
service-policy input PM_ENOC_Servers
I can ping the VIP and I can telnet on port 3636 successfully. But the web page is not showing for port 3636, while the website on port 80 is working fine.
Please tell me what I am missing. -
ACE 4170 port redirection in Bridged mode
Hi Friends,
Is it possible to do port redirection on ACE while it is configured in Bridged Mode? For example, a user is accessing the load balancer VIP on port 80 and this is redirected to port 8080 on the backend servers?
I have attached a diagram for easier understanding. Is there a need to configure NAT in such cases?
Any help will be appreciated. Thanks in advance guys.
Hi,
If you want to allow ping to the VIP address, you only need to apply this command in your L3-4 policy map:
loadbalance vip icmp-reply
example:
policy-map multi-match L4-TEST-VIPS
class WWW-TEST
loadbalance vip inservice
loadbalance policy WWW_POLICY
loadbalance vip icmp-reply
More info can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1000929
If you want ICMP to pass through the ACE to reach the real servers, you need to allow it in an ACL.
Hope this helps,
Dario -
SSL VPN message "This (client) machine does not have the web access privilege."
Hello!
I am trying to configure the SSL VPN (WebVPN) and I am almost done, but when clicking on the URLs I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such an error and the fix for it. In fact, if I search the net for this error message I get only one match, on the Cisco website, where it says that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as a fix it gives this tip: "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
aaa new-model
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa session-id common
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool myPOOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 87.216.1.65 87.216.1.66
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
username cisco privilege 15 password 0 xxxxxxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
switchport access vlan 2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
bundle-enable
dsl operating-mode auto
interface Vlan1
no ip address
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx
ppp chap password 0 xxxx
ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
control-plane
banner motd ^C
================================================================
UNAUTHORISED ACCESS IS PROHIBITED!!!
=================================================================
^C
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
webvpn gateway MyGateway
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
url-list "MyServers"
heading "My Intranet"
url-text "Cisco" url-value "http://192.168.0.2"
url-text "NetGear" url-value "http://192.168.0.3"
login-message "Welcome to My VPN"
policy group MyDefaultPolicy
url-list "MyServers"
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
end
Thank you!
Hi,
Please check SAP note:
2004579 - You cannot create a FR company from a Package
Thanks & Regards,
Nagarajan -
Load-balancing TNS redirect message to include IP instead hostname?
Is it possible to configure somehow (via Oracle or OS settings) that on a TNS redirect message (as resulting from server-side load balancing), the embedded connection string contains the target instance address as an IP address instead of a hostname? Thanks!
Ron wrote:
Is it possible to configure somehow (via Oracle or OS settings) that on a TNS redirect message (as resulting from server-side load balancing), the embedded connection string contains the target instance address as an IP address instead of a hostname? Thanks!
My guess is that this is dependent on how the Listener was instructed to listen on a port. I posted about this in message {message:id=9120517} - how specifying an IP address as a listener end point changes the behaviour when specifying a hostname as end point instead.
If instructed to use a specific IP address as listening end point, then it cannot really pass a hostname to the client as that hostname may resolve to another IP used by the server.
It should be relatively simple to set up a test case for this - what Oracle (4 digit) version are you using? -
Hi,
I have 2 services configured on my only CSS.
What I would like to do is: if both services become unavailable, then it will display a message like "services down"; we can host this message on a different web server. Please help me with how to do this. Do I have to add the IP address or URL of the server where this warning message is hosted?
current config.
service test01
ip address 10.253.20.17
keepalive type tcp
keepalive port 443
active
service test02
ip address 10.253.20.18
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner Hello
content Hello-SSL
vip address 10.253.20.14
add service test01
add service test02
advanced-balance sticky-srcip
sticky-inact-timeout 35
active
All you need to do is create another service with a type of redirect as shown:
service test-down
type redirect
ip address x.x.x.x -some unused IP address
redirect-string "serverdown.com"
active
Then in your content rule just add this new service. The default behavior of the CSS is to send traffic to any services of type local (which is what the default service type is). And if all local services are down it will send the redirect to the client, which will forward them to a page of your choosing. -
ACE: URL redirect - not working
Hi,
I've to do url redirection from port 80 to port 443. I've following configured:
rserver redirect url.test.com-rd
webhost-redirection https://url.test.com/
inservice
serverfarm redirect url.test.com:80
description url.test.com - port 80 redirect ***
rserver url.test.com-rd
inservice
class-map match-any url.test.com:80
2 match virtual-address 192.168.1. tcp eq www
policy-map type loadbalance first-match url.test.com:80
class class-default
serverfarm url.test.com:80
policy-map multi-match LOAD_BALANCE
class url.test.com:80
loadbalance vip inservice
loadbalance policy url.test.com:80
loadbalance vip icmp-reply active
===
With the above configuration, ACE is redirecting port 80 to port 443, but it also rewrites the header, i.e. ACE sends me to
"https://url.test.com/" if I type "http://url.test.com/abc" in the browser. It should have redirected to "https://url.test.com/abc" (it shouldn't have removed "/abc").
Could you advise how to accomplish it?
Thanks in advance...
Hi,
Thanks Pablo, but that isn't the expected response. The redirected URL shows the load balanced server, i.e. for the following serverfarm on port 443:
serverfarm host url.test.com:443
description url.test.com - Port 7777 ***
failaction purge
probe url.test.com:7777
rserver server1.test.com 7777
inservice
The redirected URL comes as "http://server1.test.com:7777/abc/" instead of what I expect, i.e. I expect
"https://url.test.com/abc/" -
Hello,
I am trying to redirect inbound connections from http://foo.com to http://foo.com/this/is/a/test 301. The relevant portion of the redirect config is as follows:
rserver redirect RD_QA_ANONYMOUS_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
webhost-redirection https://foo.com/this/is/a/test 301
inservice
serverfarm redirect SF_QA_ANON_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
rserver RD_QA_ANONYMOUS_LOGIN
inservice
parameter-map type http REDIRECT
description Redirect Inbound Connections to Anonymous Login Page
case-insensitive
persistence-rebalance
class-map match-any RD_PORTAL_QA_VIP_1
description ***VIP for QA Customer Portal***
2 match virtual-address 10.145.19.135 any
class-map type http loadbalance match-all RD_QA_ANON_01
2 match http header Host header-value ".*foo.com/"
policy-map type loadbalance first-match LB_RD_EXTPORTAL_QA_1
class RD_QA_ANON_01
serverfarm SF_QA_ANON_LOGIN
policy-map multi-match EXT_TEST_POLICY
class RD_PORTAL_QA_VIP_1
loadbalance vip inservice
loadbalance policy LB_RD_EXTPORTAL_QA_1
loadbalance vip icmp-reply active
appl-parameter http advanced-options REDIRECT
Right now, the client is not receiving the redirect message, only a FIN. I've tried several variations of the above config, with no success. Any ideas?
Thanks,
Michael
Hello Kanwal,
Good question. The answer is yes, both. The first goal was to enable redirection without SSL. After that was working, the next goal was to enable SSL. Working with TAC, we came up with the following config, which enabled the redirection with SSL. BTW: the SSL config was already in place; I am adding it for the sake of completeness. Also we are re-writing headers in both directions:
crypto chaingroup CHAINGROUP
cert ROOT
cert WC_INTER_1
cert WC_INTER_2
rserver redirect RD_REDIRECT_SERVICE
webhost-redirection https://%h/this/is/a/test 301
inservice
rserver host RS_REAL_SERVER_01
ip address 10.10.10.10
inservice
serverfarm host SF_REAL_SERVERFARM_01
rserver RS_REAL_SERVER_01 1000
inservice
serverfarm redirect SF_REDIRECT_SERVICE
rserver RD_REDIRECT_SERVICE
inservice
parameter-map type http REWRITE
description Enable Header Rewrites
persistence-rebalance
header modify per-request
parameter-map type ssl SSL_TERMINATION
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky ip-netmask 255.255.255.0 address both STICKY_SERVERFARM_01
timeout 600
replicate sticky
serverfarm SF_REAL_SERVERFARM_01
action-list type modify http MODIFY_HEADER_LIST
header rewrite response location header-value "http://inside[.]foo[.]net(.*)" replace "https://outside.foo.com%1"
header rewrite response location header-value "http://inside[.]foo[.]com(.*)" replace "https://outside.foo.com%1"
header rewrite request Host header-value "outside\.foo\.com" replace "inside.foo.com"
ssl url rewrite location "outside\.foo\.com%1"
ssl-proxy service SSL_WC_01
key WC_KEY
cert WC_CERT
chaingroup RAPID_SSL
ssl advanced-options SSL_TERMINATION
class-map match-any VIP_1
2 match virtual-address 10.10.10.210 any
class-map type http loadbalance match-any LB_L7
2 match http url /.*
class-map type http loadbalance match-all REDIRECT_01
2 match http url /
policy-map type loadbalance first-match LB_POLICYMAP_1
class REDIRECT_01
serverfarm SF_REDIRECT_SERVICE
class LB_L7
sticky-serverfarm STICKY_SERVERFARM_01
action MODIFY_HEADER_LIST
policy-map multi-match MM_POLICY
class VIP_1
loadbalance vip inservice
loadbalance policy LB_POLICYMAP_1
loadbalance vip icmp-reply active
nat dynamic 1 vlan 60
appl-parameter http advanced-options REWRITE
ssl-proxy server SSL_WC_01 -
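To try the action-list rewrites from the configuration above offline, here is an added Python simulation (not ACE code and not from the poster): it applies the thread's header rewrite rules to constructed sample headers, assuming that only the matched portion of the header value is substituted and that %1..%9 in the replace string denote regex capture groups.

```python
"""Offline simulation of ACE 'header rewrite' action-list entries.
Added example, not ACE code.  Assumptions: only the matched part of the
header value is replaced, %1..%9 in the replace string denote regex capture
groups, and header names are matched case-insensitively."""
import re
from typing import Dict, List, Tuple

# (direction, header, regex, replace) copied from MODIFY_HEADER_LIST above.
# '[.]' and '\.' both match a literal dot; a bare '.' would also let a
# value such as 'http://insideXfooXnet/' match, so keep the dots escaped.
RULES: List[Tuple[str, str, str, str]] = [
    ("response", "Location", r"http://inside[.]foo[.]net(.*)", "https://outside.foo.com%1"),
    ("response", "Location", r"http://inside[.]foo[.]com(.*)", "https://outside.foo.com%1"),
    ("request", "Host", r"outside\.foo\.com", "inside.foo.com"),
]


def apply_rewrite(value: str, pattern: str, replace: str) -> str:
    """Rewrite one header value with one rule; unchanged when no match."""
    match = re.search(pattern, value)
    if match is None:
        return value

    def group_text(token):
        # %N beyond the captured groups expands to nothing.
        idx = int(token.group(1))
        if idx > len(match.groups()) or match.group(idx) is None:
            return ""
        return match.group(idx)

    expanded = re.sub(r"%(\d)", group_text, replace)
    return value[:match.start()] + expanded + value[match.end():]


def rewrite_headers(direction: str, headers: Dict[str, str],
                    rules: List[Tuple[str, str, str, str]] = RULES) -> Dict[str, str]:
    """Apply every rule for this direction ('request' or 'response')."""
    out = dict(headers)
    for rule_dir, name, pattern, replace in rules:
        if rule_dir != direction:
            continue
        for header in out:
            if header.lower() == name.lower():
                out[header] = apply_rewrite(out[header], pattern, replace)
    return out


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(rewrite_headers("request", {"Host": "outside.foo.com"}))
    print(rewrite_headers("response",
                          {"Location": "http://inside.foo.net/app/login?next=/home"}))
```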
I have four servers in my network. Users access two web servers 192.168.200.161, 192.168.200.162 on Port 80.
These two servers communicate with back end servers APP1, APP2 192.168.200.165, 192.168.200.165 on port 3005.
I want that whenever port 80 on Web Server 1 or port 3005 on Application Server 1 goes down, traffic is redirected to Web Server 2 and Application Server 2.
probe tcp ITSMWeb_PROBE_80
port 80
interval 15
passdetect interval 60
open 1
probe tcp ITSMAPP_PROBE_3005
port 3005
interval 15
passdetect interval 60
open 1
rserver host ITSMWeb_1
description ITSMWeb-1
ip address 192.168.200.161
inservice
rserver host ITSMWeb_2
description ITSMWeb-2
probe tcp ITSMWeb_PROBE_80
ip address 192.168.200.162
inservice
rserver host ITSMMAPP_1
description ITSMMAPP_1
probe tcp ITSMAPP_PROBE_3005
ip address 192.168.200.165
inservice
rserver host ITSMMAPP_2
description ITSMMAPP_2
ip address 192.168.200.166
inservice
serverfarm host SF_ITSM_Web_Server
rserver ITSMWeb_1
inservice
rserver ITSMWeb_2
inservice
serverfarm host SF_ITSM_MAPP_Server
rserver ITSMMAPP_1
inservice
rserver ITSMMAPP_2
inservice
class-map match-any ITSM_Web_Server
2 match virtual-address 172.23.15.163 any
class-map match-all clas-default
class-map match-any ITSM_MAPP_Server
2 match virtual-address 172.23.15.167 any
class-map match-all clas-default
policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
class class-default
serverfarm SF_ITSM_Web_Server
policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
class class-default
serverfarm SF_ITSM_MAPP_Server
policy-map multi-match PM_ITSM_Web_Server
class ITSM_Web_Server
loadbalance vip inservice
loadbalance policy PM_LB_ITSM_Web_Server
loadbalance vip icmp-reply active
interface vlan 200
service-policy input PM_ITSM_Web_Server
interface vlan 200
service-policy input PM_ITSM_MAPP_Server
interface vlan 300
service-policy input PM_ITSM_Web_Server
nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
interface vlan 300
service-policy input PM_ITSM_MAPP_Server
nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
Please let me know if that configuration will be able to achieve my goal. This is my production time and I will not have enough time to troubleshoot. This ACE is my core where all traffic is terminated, so this activity is critical for me. Please help me out if I am missing something.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
access-list fax line 8 extended permit ip any host 192.168.200.65
access-list fax line 16 extended permit ip any host 192.168.200.66
access-list fax line 24 extended permit ip any host 192.168.200.67
probe tcp ITSMAPP_PROBE_30005
port 30005
interval 15
passdetect interval 60
open 1
probe tcp ITSMWeb_PROBE_80
port 80
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host ITSMMAPP_1
description ITSMMAPP_1
ip address 192.168.200.165
inservice
rserver host ITSMMAPP_2
description ITSMMAPP_2
ip address 192.168.200.166
inservice
rserver host ITSMWeb_1
description ITSMWeb-1
ip address 192.168.200.161
inservice
rserver host ITSMWeb_2
description ITSMWeb-2
ip address 192.168.200.162
inservice
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_ITSM_MAPP_Server
probe ITSMAPP_PROBE_30005
rserver ITSMMAPP_1
inservice
rserver ITSMMAPP_2
inservice
serverfarm host SF_ITSM_Web_Server
probe ITSMWeb_PROBE_80
rserver ITSMWeb_1
inservice
rserver ITSMWeb_2
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
11 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
12 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
16 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
17 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
18 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any ITSM_MAPP_Server
2 match virtual-address 172.23.15.167 any
class-map match-any ITSM_Web_Server
2 match virtual-address 172.23.15.163 any
class-map match-any RT_FAX
2 match virtual-address 172.23.15.65 any
class-map match-all clas-default
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
class class-default
serverfarm SF_ITSM_MAPP_Server
policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
class class-default
serverfarm SF_ITSM_Web_Server
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_ITSM_MAPP_Server
class ITSM_MAPP_Server
loadbalance vip inservice
loadbalance policy PM_LB_ITSM_MAPP_Server
loadbalance vip icmp-reply active
nat dynamic 4 vlan 300
policy-map multi-match PM_ITSM_Web_Server
class ITSM_Web_Server
loadbalance vip inservice
loadbalance policy PM_LB_ITSM_Web_Server
loadbalance vip icmp-reply active
nat dynamic 3 vlan 300
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
nat dynamic 1 vlan 300
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
service-policy input PM_ITSM_Web_Server
service-policy input PM_ITSM_MAPP_Server
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
service-policy input PM_ITSM_Web_Server
service-policy input PM_ITSM_MAPP_Server
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
My ACE is redirecting the port 80 traffic to my proxy server. But I have to exclude the VIP and real IP from this port 80 redirection towards the proxy server.
Everything is fine except port 80. I can do RDP, ping and telnet on 30005. Please let me know what I am missing. -
Hi guys.
Recently I saw the following config.
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
I suspect this is a generic config to rewrite a redirection sent from the rserver to the client when it sends an HTTP redirection and the client needs to make an HTTPS connection.
My question is: will this configuration rewrite all redirects? What happens if the redirect sent from the real server needs to reach the client as http (not translated)?
Thanks in advance.
Hi David,
The above configuration is for ACE to redirect and not the "rserver". So if a user comes on http://xyz.com and you want ACE to redirect it to https://xyz.com, you use the above configuration. Now there will be a class-map condition as well as policy maps, and hence ACE will redirect only those requests which match the condition. Also, redirect and rewrite are two different functions. If you want the ACE to intercept the server response and rewrite it, then you should have a look at the "URL Rewrite" and "SSL rewrite" features. Again you will need proper configuration in place for ACE to decide what to rewrite and what not.
Let me know if you have any questions.
Regards,
Kanwal -
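The behaviour Kanwal describes, as an added example and not Cisco or ACE code: a small Python emulation of the `webhost-redirection https://%h%p 301` pattern, where the load balancer itself answers matching client requests with a 301 and forwards everything else untouched. It assumes %h means the Host header and %p the request path, as the thread describes, and uses a constructed sample request.

```python
"""Emulate the 'rserver redirect' / 'webhost-redirection https://%h%p 301'
pattern from the thread. Added example, not Cisco code: it models how the
load balancer builds a 301 for requests matching the HTTP class-map only."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    method: str
    path: str
    host: str

def parse_request(raw: bytes) -> Request:
    """Extract method, request path and Host header from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers.get("host", ""))

def render_webhost_redirection(template: str, req: Request) -> str:
    """Substitute %h (Host header) and %p (request path) into the template.
    Assumed semantics, as described in the thread; Host is copied verbatim,
    so a Host header that already carries a port would be copied too."""
    if not req.host:
        # An empty %h would yield a malformed Location such as "https:///path".
        raise ValueError("cannot build redirect: request has no Host header")
    return template.replace("%h", req.host).replace("%p", req.path)

def handle(raw: bytes, vip_port: int, template: str = "https://%h%p",
           http_port: int = 80) -> Optional[bytes]:
    """Class-map step: only requests on the HTTP VIP port reach the redirect
    serverfarm and get a 301; None means 'forward to the real serverfarm'."""
    if vip_port != http_port:
        return None
    location = render_webhost_redirection(template, parse_request(raw))
    return (b"HTTP/1.1 301 Moved Permanently\r\nLocation: " + location.encode("ascii")
            + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    # Constructed sample request, as a client would send it to the port-80 VIP.
    sample = b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(handle(sample, vip_port=80).decode())
    print(handle(sample, vip_port=443))
```

Server responses never pass through `handle`, which is the point of Kanwal's reply: this path only generates redirects for matched client requests; rewriting a server-sent Location header is a separate feature.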
I need to communicate with a DataSocket through a firewall where I can open only 1 port. This article: http://digital.ni.com/public.nsf/websearch/FCF8A1464BD2F6D686256B59007C9A6F?opendocument&Submitted&&node=133020_US explains that the DataSocket client uses a random port in the interval 1024-65536. Do you know if a Windows tool for port redirection exists (or other tricks...)?
Thank you,
paolo.
I haven't tried this, but the first thing that comes to mind is specifying the port after the DataSocket address. Something like this...
dstp://192.192.0.1/getdata:1024
You use this same format for URLs when you need to use a specific port.
Ed
Ed Dickens - Certified LabVIEW Architect - DISTek Integration, Inc. - NI Certified Alliance Partner
Using the Abort button to stop your VI is like using a tree to stop your car. It works, but there may be consequences. -
Using Oracle 9i on Linux with remote client connection, how does one force port redirection? Specifically we have the listener on port 1521 and want the server to respond to the client on a different port.
Thanks,
Chris
Create another port on the listener and
change the port in the tnsnames file of the client machine,
like
listener
LISTENER1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = pro400)(PORT = 1433))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC6))
      )
    )
  )
SID_LIST_LISTENER1 =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = e:\ORA)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = new8i)
      (ORACLE_HOME = e:\Ora)
      (SID_NAME = new8i)
    )
  )
tnsnames of client
NEW8I =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = pro400)(PORT = 1433))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = new8i)
    )
  )
hope it will help you
kuljeet pal singh -
Dear All,
I have the following scenario that I need to configure on CSM 4.2(12) (Cisco 6513).
Scenario:
Real IPs: 10.10.10.3 & 10.10.10.4
VIP: 10.10.10.1
When users access 10.10.10.1 on ports 81, 82, 83, 84 & 85, I want to forward (redirect) these requests to port 80.
Is this possible?
Can someone please post the required configuration for the above scenario.
Client and Server vlans are in the same subnet.
Thanks in advance
Regards,
Anser
This is possible.
All you need is to specify the port you want to use by the rserver and by the vserver.
for example
serverfarm MyFarm
  rserver 10.10.10.3 80
  inservice
  rserver 10.10.10.4 80
  inservice
vserver MYVIP81
  virtual 10.10.10.1 tcp port 81
  serverfarm MyFarm
  inservice
Gilles. -
Hi,
How do I configure the ACE to redirect an HTTPS request to a different URL?
For example
Clients requesting https://www.mycompany.com shall be redirected to https://www1.mycompany.com.
Please let me know. Thanks in Advance
Hi Gilles,
I am having the certificate and the key.
Please check the config and confirm whether this looks fine or not.
I am using GSS to resolve www.mycompany.com and www1.mycompany.com
probe http Server1
  interval 15
  passdetect interval 60
  request method head url /keepAlive.html
  expect status 200 202
  open 10
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
rserver redirect HTTPS-REDIRECT
  conn-limit max 4000000 min 4000000
  webhost-redirection https://www1.mycompany.com.au 301
  inservice
serverfarm host SFARM_HTTPS
  rserver Server1_http 80
  inservice
serverfarm redirect https-redirect
  rserver HTTPS-REDIRECT
  inservice
ssl-proxy service SSL_PSERVICE
  key MYKEY.PEM
  cert ACE-SP2.CER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
class-map type http loadbalance match-any HTTPS1
  2 match http header Host header-value "www[.]mycompany[.]com"
class-map type http loadbalance match-any HTTPS2
  2 match http header Host header-value "www1[.]mycompany[.]com"
policy-map type loadbalance first-match HTTPS
  class HTTPS1
    serverfarm https-redirect
  class HTTP2
    serverfarm SFARM_HTTPS
  class class-default
    serverfarm SFARM_HTTPS
policy-map multi-match HTTPS-PM
  class HTTPS-RED
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PSERVICE
Also let me know if there is any other way to configure the redirection other than matching the Host header.
Thanks in Advance