ACE - UDP loadbalancing without NAT
Hi, I want to get the source port of the client from the real server, but it is changed by the ACE.
If the matched port of the VIP is set to 8070, the same as the RIP, it is fine.
I want to know if it is possible to keep the source port unchanged when port translation is configured.
Any help will be appreciated.
Below is the config:
probe udp udp-8070
  port 8070
  interval 5
rserver server01
  ip address 192.168.1.15
  inservice
rserver server02
  ip address 192.168.1.16
  inservice
serverfarm host sf-UDP-8070
  failaction purge
  probe udp-8070
  rserver server01 8070
    inservice
  rserver server02 8070
    inservice
policy-map type loadbalance first-match pL7-UDP-8070
  class class-default
    serverfarm sf-UDP-8070
class-map match-any c4-UDP-1270
  match virtual-address 192.168.2.100 udp eq 1270
policy-map multi-match pL4-UDP
  class c4-UDP-1270
    loadbalance vip inservice
    loadbalance policy pL7-UDP-8070
    loadbalance vip icmp-reply
interface vlan 211
  service-policy input pL4-UDP
Dears,
I had this issue with SIP traffic.
To solve the implicit PAT issue you may try the following:
1) Direct Server Return on ACE: configure the servers with the VIP address as a secondary IP address on interfaces directly connected to the ACE (that is, interfaces which have an ARP entry for the ACE). Then configure the ACE to forward to that VIP address as a transparent serverfarm.
or 2) Configure "hw-module cde-same-port-hash" on the Admin context; this will disable hashing based on the source and destination port and the ACE will use a new hash method.
Similar Messages
-
Example Config ACE routed mode with NAT
Hi all,
I have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But I have problems configuring the NAT. Can anybody show me an example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT policy must be added.
BR
Dominik

Hi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 10.198.16.2
  inservice
rserver host SERVER_02
  ip address 10.198.16.3
  inservice
rserver host SERVER_03
  ip address 10.198.16.4
  inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 452
interface vlan 451
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 452
  description Servers vlan
  ip address 10.198.16.1 255.255.255.0
  access-group input ANYONE
  nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team -
Flow-state 53 udp flow-disable nat-enable impacts
After entering the subject command, should I expect to see flows still matching udp/53? I assumed the command would permit the passage of udp/53 and NAT the src/dst but not establish a flow. However, I am still seeing flows established. Any advice?
Thanks,
Chad

Yes, you are correct. This command will permit the passage of udp/53 and NAT the src/dst but not establish a flow. Can you post the configuration so that we can troubleshoot further?
-
Masking myself behind my VPS (without NAT)
Please help me get this working.
I have a VPS running Arch (while I finish my testing).
This VPS has one ether adapter... it's a VM box running on VMware virtualization. OK, so it works and there are no issues.
What I want to do: on my home PC I want to connect to the VPS, and I'd like to think I am asking about bridging, because essentially I want my PC to mask itself in the IP of the VPS.
I am trying to stay away from DHCP and NAT.
My brain is not coming up with a solution on
But then how would I connect to the VPS? I guess SSH tunneling? But that's limited. How do I make my whole Windows PC proxy through that? Only a browser and some programs will accept a proxy config. (Again, without NAT'ing.)
Should I ask for another IP/ether port on my VPS, VPN into that and then output from the second adapter? But then again I am trying to stay away from NAT/DHCP and, even worse, OpenVPN, which will slow me dramatically with this "encryption"...
So... is what I am asking for doable?
Please help!

Gcool wrote:
twocows wrote:I want my PC to mask itself in the IP of the VPS.
twocows wrote:I am trying to stay away from DHCP and NAT.
So which is it? That's basically hide-NAT which you're describing there.
Other than that, take a look at tunneling all traffic through an SSH tunnel or OpenVPN as you mentioned.
I suppose you're correct.
Hiding myself is considered NAT. How about we rephrase that.
Let's say "sitting next to my IP and using it?"...
I already am aware of OpenVPN and I am using that on my VPS. It's slow and annoying.
SSH tunneling I am also very familiar with...
What about the idea of a second ether and a new IP on my VPS?
I am thinking maybe the VPS is getting screwed with only one adapter taking traffic in, then outputting... all from one source. -
ACE 4710 Loadbalancer Weblogic Issues
Hi Guys,
Having some issues with my loadbalancer and WebLogic. Eventually I want to have SSL forwarding and everything set up, but as of now I can only access the VIP under port 7001 (the default WebLogic port). How would I get it so I can access it via HTTP? My config is below.
PA-ACE-4700-SLB/Admin# changeto Prod-Support
PA-ACE-4700-SLB/Prod-Support# show run
Generating configuration....
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5
  receive 5
probe tcp TCP443_PROBE
  port 443
  interval 5
  passdetect interval 5
  receive 5
  connection term forced
  open 2
probe tcp TCP7001_PROBE
  port 7001
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2
probe tcp TCP80_PROBE
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2
rserver host 228-WLS11host1
  ip address 192.168.211.228
  inservice
rserver host 229-WLS11host2
  ip address 192.168.211.229
  inservice
serverfarm host WLS11-7001
  probe TCP7001_PROBE
  rserver 228-WLS11host1
    inservice
  rserver 228-WLS11host1 7001
  rserver 229-WLS11host2
    inservice
  rserver 229-WLS11host2 7001
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm WLS11-7001
class-map type http loadbalance match-any L5
  2 match http url .*
class-map match-all WLS11-7001-CLASS
  2 match virtual-address 192.168.211.50 tcp any
policy-map type loadbalance first-match WLS11-7001-Policy
  class L5
    sticky-serverfarm 7001_STICKY
policy-map multi-match WLS11-SLB
  class WLS11-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
interface vlan 1000
  ip address 192.168.211.226 255.255.255.0
  access-group input allow
  nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
  service-policy input WLS11-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.211.235
Thanks for any help you can provide.

Hummm,
Andy
1) Can you modify this?
class-map type http loadbalance match-any L5
  2 match http url .*
to look like this:
class-map type http loadbalance match-any L5
  2 match http url /.*
2) Can you do this:
serverfarm host WLS11-7001
  probe TCP7001_PROBE
  rserver 228-WLS11host1 7001
    inservice
  rserver 229-WLS11host2 7001
    inservice
3) Can you clear all the browser's cookies and/or open a new browser window? It might be possible that some clients are stuck to the servers which do not have the port hardcoded.
4) Can you do: clear stats loadbalance? (won't affect anything)
5)Then generate traffic
6)Then get:
#show service-policy WLS11-SLB class-map WLS11-7001-CLASS detail
#show stat http
Jorge -
ACE: as firewall and NAT. inbound and outbound originals
Hi Team,
This time no load balancing is required.
Two servers inside (with private IP) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.
Both of our servers will work independently for this purpose.
I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as a firewall/router. No plan to load balance at present.
Regards to all
SS

Gilles,
Inbound traffic and the related reply traffic can be handled with a normal class-map by defining a VIP with a public IP.
The above real server with private IP is now going to make a different connection to the internet, i.e., outbound traffic and related reply traffic need handling (no load balancing planned).
Destination NAT, static NAT sounds interesting.
Source NAT, static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.
SS -
ACE multiple loadbalancing policies help
Hi
I've configured my ACE to loadbalance all hits on a 2-server farm. It's working fine.
Now I want to loadbalance hits with a specific URL on another farm, and it's not working (hits with the specific URL are not logged in the new policy).
Here is what I've added:
1. A class-map to get my URL:
class-map type http loadbalance match-all CLASSMAP_L7
  match http header Host header-value my.domain.com
2. A policy-map:
policy-map type loadbalance first-match POLICYMAP_L7
  class CLASSMAP_L7
    serverfarm FARM_2
3. A policy-map to get the L7 policy map:
policy-map multi-match POLICYMAP_L3L4
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy POLICYMAP_L7
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
4. Added the service policy on my interface:
interface vlan 265
  service-policy input ALREADY_EXISTING_POLICIES
  service-policy input POLICYMAP_L3L4
I should specify that my class-map L4-WEB-IP is defined as
class-map match-all L4-WEB-IP
  2 match virtual-address 17x.xx.xxx.xxx tcp eq www
So basically, when I try a show service-policy POLICYMAP_L3L4 summary, I've got 0 hits.
So the other service policy (implementing the same class L4-WEB-IP, of course) is taking all the traffic.
Any thoughts? Thanks for the help.

Hi Pablo
Thanks for the answer.
You're right, I'd deleted it since I was testing. I have put it back now, and... same result.
(loading subdomain.domain.com)
show service-policy POLICYMAP_L3L4 summary => Hit Count doesn't change
show service-policy WEB-to-vIPs summary => Hit Count increase
To be clear, here is the full configuration again, with the corrections.
probe tcp PROBE_TCP
  interval 30
  passdetect interval 60
rserver host 55LABS
  ip address 172.16.0.1
  inservice
rserver host MICHELINE
  ip address 172.16.0.2
  inservice
serverfarm host FARM_55LABS
  predictor leastconns
  probe PROBE_TCP
  rserver 55LABS
    inservice
  rserver MICHELINE
    inservice
serverfarm host FARM_PHP
  predictor leastconns
  probe PROBE_TCP
  rserver MICHELINE
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all CLASSMAP_L3L4
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
  2 match http header Host header-value "subdomain.domain.com"
class-map match-all L4-HTTPS-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-all TEST
  2 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match TEST_ALLOW
  class TEST
    permit
policy-map type loadbalance http first-match HTTPS_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match POLICYMAP_L7
  class CLASSMAP_L7
    serverfarm FARM_PHP
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
    loadbalance vip inservice
    loadbalance policy POLICYMAP_L7
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 265
  ip address xxx.xxx.xxx.170 255.255.255.240
  peer ip address xxx.xxx.xxx.171 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  service-policy input POLICYMAP_L3L4
  no shutdown
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input TEST_ALLOW
  no shutdown
ft track interface VLAN265
  track-interface vlan 265
  peer track-interface vlan 265
  priority 50
  peer priority 5
Thanks again.
Laurent -
ACE: 4710 Policy-Map NAT
Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick in for the selected rserver's VLAN?
policy-map multi-match PM_Loadbalance
  class VIP_Farm
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 7 vlan 7
    nat dynamic 741 vlan 741
Thanks,
-b

Hello Brian-
You can apply 2 different NAT statements, yes.
The way it works:
1.) A client sends a SYN into a VLAN where the VIP is applied as a service-policy input.
2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
3.) The ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
4.) Before the packet leaves, if it will egress either vlan 7 or vlan 741, the packet is source-NATted by the group number mentioned in the statement. This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either VLAN, then the NAT group for that statement is used.
i.e.
rserver host server_1
  ip address 10.0.0.10
  inservice
rserver host server_2
  ip address 172.16.35.60
  inservice
serverfarm host SF_1
  rserver server_1
    inservice
  rserver server_2
    inservice
class-map match-any VIP_80
  2 match virtual-address 172.16.35.80 tcp eq 80
policy-map type loadbalance first-match LB
  class class-default
    serverfarm SF_1
policy-map multi-match X
  class VIP_80
    loadbalance policy LB
    loadbalance vip inservice
    nat dynamic 5 vlan 7
    nat dynamic 7 vlan 741
interface vlan 7
  ip address 172.16.35.2 255.255.255.0
  nat-pool 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
  service-policy input X
interface vlan 741
  ip address 10.0.0.2 255.255.255.0
  nat-pool 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
  service-policy input X
If a packet comes into either VLAN destined to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60. If 10.0.0.10 was chosen, then nat-pool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741. If 172.16.35.60 was chosen, then nat-pool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
Regards,
Chris Higgins -
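The egress-VLAN filtering that Chris describes above can be checked with a small model. This is an added example in Python, not ACE code or a Cisco tool: it uses the two interfaces, nat-pools and real servers from the config above, models step 3 as a longest-prefix match over the connected subnets, and adds a `validate` helper (my addition, not an ACE command) that catches a `nat dynamic` statement naming a pool that is not defined on the VLAN it filters on.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    """An ACE VLAN interface: its connected subnet and the nat-pools defined on it."""
    vlan: int
    network: IPv4Network
    nat_pools: Dict[int, str]   # nat-pool id -> PAT address (single-address pool)


@dataclass(frozen=True)
class NatStatement:
    """One 'nat dynamic <pool_id> vlan <egress_vlan>' line under a policy-map class."""
    pool_id: int
    egress_vlan: int


# Constructed from the config in the post above.
INTERFACES: List[Interface] = [
    Interface(7, IPv4Network("172.16.35.0/24"), {5: "172.16.35.100"}),
    Interface(741, IPv4Network("10.0.0.0/24"), {7: "10.0.0.100"}),
]
STATEMENTS: List[NatStatement] = [NatStatement(5, 7), NatStatement(7, 741)]


def egress_vlan(rserver_ip: str, interfaces: List[Interface]) -> Optional[int]:
    """Step 3: route lookup, modelled as longest-prefix match over connected subnets.
    Returns None when no connected interface contains the chosen real server."""
    addr = IPv4Address(rserver_ip)
    best: Optional[Interface] = None
    for itf in interfaces:
        if addr in itf.network and (best is None or itf.network.prefixlen > best.network.prefixlen):
            best = itf
    return best.vlan if best else None


def select_nat(rserver_ip: str, client_ip: str, statements: List[NatStatement],
               interfaces: List[Interface]) -> Tuple[Optional[int], Optional[int], str]:
    """Step 4: 'vlan N' on each statement is a filter on the egress VLAN, checked in
    configured order. Returns (egress_vlan, pool_id, source address the server sees)."""
    vlan = egress_vlan(rserver_ip, interfaces)
    by_vlan = {itf.vlan: itf for itf in interfaces}
    for stmt in statements:
        if stmt.egress_vlan == vlan:
            pool_ip = by_vlan[vlan].nat_pools.get(stmt.pool_id)
            if pool_ip is not None:
                return vlan, stmt.pool_id, pool_ip
    # No statement matched the egress VLAN: the client address is forwarded unchanged,
    # so the server's reply only comes back through the ACE if routing sends it there.
    return vlan, None, client_ip


def validate(statements: List[NatStatement], interfaces: List[Interface]) -> List[str]:
    """Config check: each statement must name a nat-pool defined on the VLAN it filters on."""
    by_vlan = {itf.vlan: itf for itf in interfaces}
    problems: List[str] = []
    for s in statements:
        itf = by_vlan.get(s.egress_vlan)
        if itf is None:
            problems.append(f"nat dynamic {s.pool_id} vlan {s.egress_vlan}: no interface vlan {s.egress_vlan}")
        elif s.pool_id not in itf.nat_pools:
            problems.append(f"nat dynamic {s.pool_id} vlan {s.egress_vlan}: nat-pool {s.pool_id} "
                            f"is not defined on interface vlan {s.egress_vlan}")
    return problems


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed client address
    for server in ("10.0.0.10", "172.16.35.60"):
        print(server, "->", select_nat(server, client, STATEMENTS, INTERFACES))
    print(validate(STATEMENTS, INTERFACES))
```

The third return value is what the real server sees as the client address; when it is the untranslated client address the reply will bypass the ACE unless routing brings it back, which is the failure mode Brian's one-arm setup has to avoid.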
Can anyone tell me what the best practice is for the ACE 4710 appliance? Should I deploy it in routed mode or source NAT mode? And what are the pros and cons of each method?

The advantage of running SNAT is that the ACE is deployed in "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
In routed mode the ACE acts as the server default gateway.
Routed mode is the easier of the two to configure. -
Second Subnet on UC520 without NAT.
Hi,
I'm using a UC520 for our company internet connection. We got one IP address for our connection and I'm using NAT overload for our internal clients.
Now our ISP gave us an additional /29 subnet for our servers. My plan is to put the servers in a new VLAN and use the subnet in this VLAN. But I don't want to use NAT for this VLAN because every server has its own public IP address. How can I do this? Is it enough to configure the VLAN without any NAT configuration and just put a static route on the UC520 that points to the VLAN?
Thanks in advance. -
I have a problem understanding how the ACE handles firewall load balancing.
In the documentation there is an example for a secure side and an insecure side:
serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice
serverfarm SEC_SF
  predictor hash address destination 255.255.255.255
  transparent
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice
The ACE on the insecure side makes a hash of the source IP and selects one of the 3 firewalls.
The ACE on the secure side makes a hash of the destination IP and selects one of the 3 firewalls.
On what information does the ACE compute the hash? The IP addresses of the firewalls on the secure/insecure side are different.
The names of the real servers are also different.
Best Regards
Sven

Hi Gilles,
Thanks for your reply. You are right. But my question was: on what does the hash match?
There are 3 firewalls.
The ACE only knows the local IP address and name of the firewall.
So the ACE on the secure side knows a different IP address than the ACE on the insecure side.
The names are also different on both sides!
So how do the ACE modules know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? So it is not clear what the ACE matches the computed hash value for SRC or DST IP against.
On CSS systems it is clear. The CSS knows the local and remote IP of the firewall plus the firewall index and can compute the hash on both sides to the same firewall.
But on the ACE system I cannot see where the match is done.
Is it done by the order of configuration in the serverfarm? -
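The symmetry requirement behind Sven's question can be made concrete with a model. This is an added Python example, not ACE code, and it assumes what the thread leaves open: that both ACEs hash the client's address (the insecure side as the source of the forward packet, the secure side as the destination of the reply) with the same function over the same number of rservers and index the result into the serverfarm's rserver list in configuration order. The `sha256`-based `hash_index` is a stand-in for the undocumented ACE predictor hash; the client addresses and the rserver-to-firewall mapping are constructed.

```python
import hashlib
from ipaddress import IPv4Address
from typing import Dict, List

# Constructed: which physical firewall each rserver name refers to on each side.
FIREWALL_OF: Dict[str, str] = {
    "FW_INSEC_1": "fw1", "FW_SEC_1": "fw1",
    "FW_INSEC_2": "fw2", "FW_SEC_2": "fw2",
    "FW_INSEC_3": "fw3", "FW_SEC_3": "fw3",
}
INSEC_SF = ["FW_INSEC_1", "FW_INSEC_2", "FW_INSEC_3"]      # order as in serverfarm INSEC_SF
SEC_SF = ["FW_SEC_1", "FW_SEC_2", "FW_SEC_3"]              # same position per firewall in SEC_SF
SEC_SF_MISORDERED = ["FW_SEC_2", "FW_SEC_3", "FW_SEC_1"]   # constructed: rotated by one
CLIENTS = [f"203.0.113.{i}" for i in range(1, 51)]         # constructed client addresses


def hash_index(ip: str, mask: str, buckets: int) -> int:
    """Stand-in for 'predictor hash address <source|destination> <mask>': hash the
    masked address and reduce it to a position in the rserver list."""
    masked = int(IPv4Address(ip)) & int(IPv4Address(mask))
    digest = hashlib.sha256(masked.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def insecure_side_pick(src_ip: str, farm: List[str], mask: str = "255.255.255.255") -> str:
    """Insecure ACE, forward direction: hash the packet's source (the client)."""
    return farm[hash_index(src_ip, mask, len(farm))]


def secure_side_pick(dst_ip: str, farm: List[str], mask: str = "255.255.255.255") -> str:
    """Secure ACE, reply direction: hash the packet's destination (the same client)."""
    return farm[hash_index(dst_ip, mask, len(farm))]


def path_is_symmetric(client_ip: str, insec_farm: List[str], sec_farm: List[str]) -> bool:
    """True when forward and reply traffic for this client cross the same firewall,
    which a stateful firewall needs in order to accept the reply."""
    outbound = insecure_side_pick(client_ip, insec_farm)
    inbound = secure_side_pick(client_ip, sec_farm)
    return FIREWALL_OF[outbound] == FIREWALL_OF[inbound]


def count_asymmetric(clients: List[str], insec_farm: List[str], sec_farm: List[str]) -> int:
    """How many clients would have their reply path land on a different firewall."""
    return sum(not path_is_symmetric(c, insec_farm, sec_farm) for c in clients)


if __name__ == "__main__":
    print("same order:", count_asymmetric(CLIENTS, INSEC_SF, SEC_SF), "asymmetric clients")
    print("rotated order:", count_asymmetric(CLIENTS, INSEC_SF, SEC_SF_MISORDERED), "asymmetric clients")
```

Under these assumptions the only thing tying FW_INSEC_1 to FW_SEC_1 is their position in the two serverfarms, so swapping the order on one side sends every reply through the wrong firewall; a coarser mask (for example 255.255.255.0) pins a whole client subnet to one firewall on both sides.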
Connect 2 ASAs together without NAT
I have a strange business case that requires us to use 2 ASAs to protect an internal system. I'm trying to figure out if there is a way to connect the 2 without using a NAT between them.
The setup looks like this, sorry for the crude drawing
Right now there is a route on ASA2: 0.0.0.0 0.0.0.0 10.1.1.1 1
There is no need for users on ASA1 to reach the system behind ASA2.
I think I should be able to just have ACLs on ASA2 to allow ports and hosts to the system behind it, but my gut says that I need a NAT.
Thanks for any input.

Yes, with the following assumptions:
- You have an ACL of "permit ip any any log" on all of the lower-level interfaces,
- Remove all of the inspects from the configuration,
Then your ASA will behave "almost" like a router at that point -
ACE: RDP loadbalancing connection problem
I have a problem setting up RDP loadbalancing.
My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and an ACE20-MOD-K9 running A2(3.3).
I have the ACE in two-arm mode; I can connect to the real servers via RDP. The real servers use a MS Terminal Server Session Broker with routing tokens.
The serverfarm is operational:
# show serverfarm FARM-TSFARM1 det
serverfarm : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description : srv-f1-tsX.mydomain.de
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS-SRV-F1-TS1
10.7.43.201:0 8 OPERATIONAL 0 1 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS2
10.7.43.202:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS3
10.7.43.203:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS4
10.7.43.204:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
The service policy is active; it shows an increasing hit count for the VIP connections (47 as shown below), no drop-count, no dropped connections, but zero server bytes/packets and no hit counts for the L7 policy:
# show service-policy VIP-TSFARM1 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
class: VIP-TSFARM1-RDP
VIP Address: Protocol: Port:
10.7.44.106 tcp eq 3389
loadbalance:
L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 47
dropped conns : 0
client pkt count : 221 , client byte count: 10996
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
class/match : class-default
LB action: :
primary serverfarm: FARM-TSFARM1
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
I never get a "Built TCP connection" syslog message.
When I make a VIP with "policy-map type loadbalance generic" instead of "policy-map type loadbalance rdp" everything works as expected, apart from the fact that users cannot be redirected to the correct server if they have an active session on one of them.
Here is the config of the RDP setup:
rserver host RS-SRV-F1-TS1
  description srv-f1-ts1.mydomain.de
  ip address 10.7.43.201
  conn-limit max 500 min 500
  rate-limit connection 10000
  rate-limit bandwidth 12500000
  probe PING_PROBE
  inservice
rserver host RS-SRV-F1-TS2
  description srv-f1-ts2.mydomain.de
  ip address 10.7.43.202
  conn-limit max 500 min 500
  probe PING_PROBE
  inservice
rserver host RS-SRV-F1-TS3
  description srv-f1-ts3.mydomain.de
  ip address 10.7.43.203
  conn-limit max 500 min 500
  probe PING_PROBE
  inservice
rserver host RS-SRV-F1-TS4
  description srv-f1-ts4.mydomain.de
  ip address 10.7.43.204
  conn-limit max 500 min 500
  probe PING_PROBE
  inservice
serverfarm host FARM-TSFARM1
  description srv-f1-tsX.mydomain.de
  rserver RS-SRV-F1-TS1
    inservice
  rserver RS-SRV-F1-TS2
    inservice
  rserver RS-SRV-F1-TS3
    inservice
  rserver RS-SRV-F1-TS4
    inservice
class-map match-all VIP-TSFARM1-RDP
  2 match virtual-address 10.7.44.106 tcp eq 3389
policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
  class class-default
    serverfarm FARM-TSFARM1
policy-map multi-match VIP-TSFARM1
  class VIP-TSFARM1-RDP
    loadbalance vip inservice
    loadbalance policy VIP-TSFARM1-RDP-l7slb
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
interface vlan 44
  service-policy input VIP-TSFARM1
Any ideas?

Ralf,
You are running into the following defect:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl63354
Workaround:
Use a layer 4 loadbalance policy and configure source IP sticky.
Joel Lamousnery
Cisco TAC -
Hello,
I have a setup where I need users accessing 10.6.17.10:80 or 10.6.17.80:443 to be directed to 10.6.17.10:4443.
10.6.17.10 is a server behind an interface called "application".
Requests will be coming from the "outside" interface, or I want this to work regardless of the source interface (any).
This outside interface is local; I mean source IP addresses will all be private, we're talking within the network.
My configuration is as below:
object network A10-Lync
  host 10.6.17.10
  nat (Application,any) static A10-Lync service tcp https 4443

Hi Murali,
Your answer is very close, but not complete. I'm very familiar with the NAT rule order. I didn't think that was the problem. The actual problem is how Object NATs and Twice NATs are implemented. I didn't realize that once a Twice NAT (manual NAT) is matched, no other rules are checked. Here is the information at this link under How source and destination NAT is implemented. I was under the impression that Twice NATs were processed the same way Object NATs were.
So that was the problem, but what is the solution? That is for Cisco to allow parameters in nat statements. Otherwise we have to create 6 objects and two different nat statements in order to get this working. If they would allow parameters for port numbers, we would only use 3 objects (like I have) and two nat statements. The other reason why Cisco needs to allow this is because of how ugly a "working" statement looks.
How to Port Forward to Hosts without a return route:
nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination static interface SERVER1_OBJ service TCP_801_OBJ TCP_80_OBJ
Real. Translated.
Confused?!? You should be... I know what I'm trying to do is a very rare objective. That is, get packets to a few hosts that do not have a return route (or default gateway). But I personally wrote this statement just 2 days ago and it still doesn't look right, but it works. :) And it works without translating all source IPs on traffic to hosts that do have a return route (aka NORMAL setup.. haha).
I hope someone finds this helpful. About 40 mins to find a working statement. -
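The NAT rule order the poster ran into can be reproduced with a small evaluator. This is an added Python example, not ASA code: it assumes the three-section order (manual/twice NAT, then object NAT with static rules before dynamic ones, then manual NAT after-auto) with the first match winning and no further rules consulted, compares each rule against the packet as it arrives on its ingress interface (a simplification of real ASA matching), and uses constructed values: 192.0.2.1 as the outside interface address, 10.0.0.250 standing in for NATTED_IP_OBJECT, 10.0.0.1 for SERVER1_OBJ, and a second object-NATted server 10.0.0.2 mapped to 192.0.2.2.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int            # 1 = manual (twice) NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    ingress: str            # interface the packet arrives on, or ANY
    src: str                # source address to match, or ANY
    dst: str                # destination address to match (as seen on ingress), or ANY
    dport: Optional[int]    # destination port to match; None = any port
    static: bool            # static vs dynamic; only affects ordering inside section 2
    new_src: Optional[str] = None
    new_dst: Optional[str] = None
    new_dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.ingress in (ANY, p.ingress) and self.src in (ANY, p.src)
                and self.dst in (ANY, p.dst) and self.dport in (None, p.dport))


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Section 1 in configured order, then section 2 with static before dynamic
    (stable, so configured order is kept within each kind), then section 3."""
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2), key=lambda r: 0 if r.static else 1)
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3


def translate(p: Packet, rules: List[NatRule]) -> Tuple[Optional[str], Packet]:
    """First matching rule wins; later rules are never consulted for this packet."""
    for r in evaluation_order(rules):
        if r.matches(p):
            return r.name, Packet(p.ingress, r.new_src or p.src, r.new_dst or p.dst, r.new_dport or p.dport)
    return None, p


# Constructed rules. The port-forward is the shape of the poster's working statement:
# destination interface:801 -> SERVER1:80 with the source rewritten to a local address
# so a server with no return route can still answer.
INTERFACE_IP = "192.0.2.1"
PORT_FORWARD_NO_RETURN_ROUTE = NatRule(
    "MANUAL_801_TO_SERVER1", section=1, ingress="outside", src=ANY, dst=INTERFACE_IP, dport=801,
    static=True, new_src="10.0.0.250", new_dst="10.0.0.1", new_dport=80)
SERVER2_OBJECT_NAT = NatRule(
    "OBJECT_SERVER2", section=2, ingress="outside", src=ANY, dst="192.0.2.2", dport=None,
    static=True, new_dst="10.0.0.2")
# What the poster wanted to avoid: a manual rule broad enough to shadow the object NAT.
TOO_BROAD_MANUAL = NatRule(
    "MANUAL_ANY_ANY", section=1, ingress="outside", src=ANY, dst=ANY, dport=None,
    static=False, new_src="10.0.0.250")
RULES = [SERVER2_OBJECT_NAT, PORT_FORWARD_NO_RETURN_ROUTE]   # config order across sections is irrelevant


if __name__ == "__main__":
    for pkt in (Packet("outside", "198.51.100.9", INTERFACE_IP, 801),
                Packet("outside", "198.51.100.9", "192.0.2.2", 80)):
        print(pkt, "->", translate(pkt, RULES))
        print("  with broad manual rule ->", translate(pkt, [TOO_BROAD_MANUAL, SERVER2_OBJECT_NAT]))
```

The narrow destination and service in the section 1 rule are what keep the object NAT reachable for every other host; the broad variant matches first for all outside traffic, so the object NAT is never evaluated and every source gets rewritten.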
How to configure DMZ access for ftp/https without NAT
I have a closed network that is not connected to the internet, just other sites that we want to communicate with. We have a Cisco router connected to the outside interface on an ASA5505 and a Cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface, and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZs.
All connections to the other separate nodes are handled with the router on the external interface. IPsec GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, DMZ and external interfaces and between the DMZs and the other sites, including hosts on our local networks and hosts at the remote sites. Inter and intra traffic is enabled.
When a remote site attempts an HTTPS connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACLs; they are any any at this point).
Looking for some ideas on why the return SYN/ACK to the remote site isn't getting through the ASA5505 outbound. Will probably have the same issue with FTP, but right now I'm just trying to solve one problem at a time.
The ASA5505 is in routed mode; not looking to NAT since the IP addresses in the DMZ need to be reached by their real IP address.
Thanks,

When I use the packet-tracer in both directions with the endpoint IPs, it works; all phases show allowed. I see the hits against the ACLs that show the packet entry into the outside interface of the ASA and the build-up of the connection, so the initial step of the external host's ACK is reaching the webserver in the DMZ. I see the hits against the incoming DMZ interface from the web server, and then the log shows that the SYN,ACK is not in the state table and drops the outgoing packet. Since there is no outgoing SYN/ACK, there is no three-way handshake, no login prompt, no web page to the endpoint.
I even changed the security settings on the outside interface to match the DMZ, enabled the inter and intra connections, and that didn't work. ACLs on the incoming and outgoing outside and DMZ interfaces have any any tcp and any any ip but still the same result.
DMZ hosts point to the ASA. The ASA points to the external router on the outside interface. Pings all work fine. Tried ACLs at the top with port 443, but no hits on that. Even tried bypass with the same result. The initial packet from the external host doesn't seem to enter the state table, so that when the host sends the reply (SYN/ACK) the ASA knocks it down.
Also tried twice NAT with static source/destination/port so that what comes in should be what is sent to the DMZ.
If I understand this device, I should have a rule that lets traffic in the outside interface from the external networks, a rule that allows DMZ traffic out the outside interface, a rule that allows external traffic in the DMZ and a rule that allows DMZ internal traffic back out to the external interface.
Still fuzzy on exactly how the data goes between the outside and the DMZ interfaces.
Is there something else I need to do or define to use HTTPS? I see that HTTP is defined and also has inspection rules.
I can try the captures tomorrow at work.
Thanks for any pointers you can provide me.
Peyton
This is my first, painful experience with the ASA.