ACE - VIP address on different subnet

Hello,
Is it possible to configure a VIP address that is different from the VLAN subnet where it is applied?
E.g.:
VIP is 10.10.10.1/24 on VLAN 10
Interface of ACE in VLAN 10 is 192.168.1.1/24
On the upstream routers, a static route would point to the VIP address (subnet) with the ACE address as next hop?
Thanks.

Unfortunately I don't have a test environment either to verify this.
I don't think you will see ARP entries, as the address doesn't belong to an interface.
You should see the VIPs active (show service-policy detail) for these non-interface VIPs.
If those are active then I think once a client request hits the ACE it should take care of it.
I have deployed such a solution with FWSM (no VIPs there, but I used NATted addresses not belonging to any attached interface) and as per that experience I think it should work.
But yes, you need actual clients to test this scenario.
Syed

Similar Messages

  • ACE load balancing servers on different subnets...

    Hello,
    I have the following issue: I need to load balance traffic between two servers already working in two different subnets (VLANs); at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
    Thanks in advance for your support.

    Hi,
    You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy
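The two ACE threads above (the VIP that lies outside the ACE interface subnet, and Cathy's off-subnet real servers reached through static routes plus client NAT) come down to the same reachability questions. The following Python script is an added example, not part of the original posts and not a Cisco tool: it parses the lines of an ACE context that decide reachability (interface subnets, match virtual-address, rserver addresses, ip route, nat dynamic) and reports VIPs the ACE cannot ARP for, off-subnet rservers that lack a specific static route or client NAT, and static routes whose next hop is not on a connected subnet. SAMPLE_CONFIG is cut down from Cathy's extract; OFF_SUBNET_VIP_CONFIG is constructed from the first question, and its rserver web1 and VLAN 10 addressing are assumptions.

```python
"""Reachability lint for a Cisco ACE context (added example, see lead-in).
Flags VIPs outside every ACE interface subnet and off-subnet real servers
that lack a specific static route or client NAT."""
import ipaddress
import re

# Constructed sample: Cathy's extract from the reply above, trimmed to the
# lines this lint inspects.
SAMPLE_CONFIG = """
rserver host master
  ip address 10.199.95.2
rserver host slave
  ip address 10.199.38.68
class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.80.12 tcp eq www
policy-map multi-match L4POLICY
  class L4VIPCLASS
    nat dynamic 1 vlan 384
interface vlan 383
  ip address 10.199.80.13 255.255.255.248
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""

# Constructed from the first question: VIP 10.10.10.1 on a context whose only
# interface is 192.168.1.1/24 (rserver web1 is an assumed placeholder).
OFF_SUBNET_VIP_CONFIG = """
rserver host web1
  ip address 192.168.1.10
class-map match-any VIP10
  2 match virtual-address 10.10.10.1 tcp eq www
interface vlan 10
  ip address 192.168.1.1 255.255.255.0
"""


def parse_ace(config):
    """Extract interface subnets, VIPs, rservers, static routes and client NAT."""
    ctx = {"ifaces": {}, "vips": set(), "rservers": {}, "routes": [], "nat_vlans": set()}
    block = (None, None)  # (kind, name) of the config block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan (\d+)$", line):
            block = ("iface", int(m[1]))
        elif m := re.match(r"rserver host (\S+)$", line):
            block = ("rserver", m[1])
        elif re.match(r"(class-map|policy-map|serverfarm)\b", line):
            block = ("other", None)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and block[0] == "iface":
            ctx["ifaces"][block[1]] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif (m := re.match(r"ip address (\S+)$", line)) and block[0] == "rserver":
            ctx["rservers"][block[1]] = ipaddress.IPv4Address(m[1])
        elif m := re.match(r"\d+ match virtual-address (\S+)", line):
            ctx["vips"].add(ipaddress.IPv4Address(m[1]))
        elif m := re.match(r"nat dynamic \d+ vlan (\d+)", line):
            ctx["nat_vlans"].add(int(m[1]))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            net = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            ctx["routes"].append((net, ipaddress.IPv4Address(m[3])))
    return ctx


def connected_vlan(ctx, addr):
    """VLAN whose interface subnet contains addr, or None if not directly connected."""
    return next((vlan for vlan, net in ctx["ifaces"].items() if addr in net), None)


def lint(config):
    """Return a list of (code, message) findings; empty means nothing to fix."""
    ctx = parse_ace(config)
    findings = []
    for vip in sorted(ctx["vips"]):
        if connected_vlan(ctx, vip) is None:
            findings.append(("VIP_OFF_SUBNET",
                f"VIP {vip} is outside every ACE interface subnet: the ACE will not answer "
                f"ARP for it, so the upstream router needs a static route for {vip} via the "
                f"ACE interface (or alias) address"))
    for name, ip in sorted(ctx["rservers"].items()):
        if connected_vlan(ctx, ip) is not None:
            continue  # directly connected: nothing to check
        if not any(ip in net and net.prefixlen > 0 for net, _ in ctx["routes"]):
            findings.append(("RSERVER_NO_ROUTE",
                f"rserver {name} ({ip}) is off-subnet and has no specific ip route"))
        if not ctx["nat_vlans"]:
            findings.append(("RSERVER_NO_CLIENT_NAT",
                f"rserver {name} ({ip}) is off-subnet but no 'nat dynamic' is applied: "
                f"its replies can return around the ACE instead of through it"))
    for net, nh in ctx["routes"]:
        if connected_vlan(ctx, nh) is None:
            findings.append(("ROUTE_NEXTHOP_UNREACHABLE",
                f"next hop {nh} for {net} is not in any ACE interface subnet"))
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, OFF_SUBNET_VIP_CONFIG):
        for code, msg in lint(cfg) or [("OK", "no reachability findings")]:
            print(f"{code}: {msg}")
```

Run as a script it prints a clean result for Cathy's extract and a VIP_OFF_SUBNET finding for the first poster's layout, the case where only the upstream static route, not ARP, can deliver VIP traffic to the ACE. Deleting the ip route and nat dynamic lines from Cathy's extract produces the RSERVER_NO_ROUTE and RSERVER_NO_CLIENT_NAT findings she warns about.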

  • Cisco ACE: can an rserver use its own VIP address?

    we've configured a serverfarm with a real server and a VIP.
    The serverfarm can be reached and is functioning well.
    Now we want the rserver to be able to reach its own VIP address.
    This is needed because the rserver has multiple websites which need each other
    and we want to have load balancing.
    Is this a supported configuration ?
    regards,
    Sebastian

    You can simply add a new policy to match the servers' IP addresses and then configure NAT.
    i.e.:
    class-map match-all servers
      2 match source-address 192.168.30.48 255.255.255.255
    policy-map multi-match client-nat
      class servers
        nat dynamic 1 vlan 30
    interface vlan 20
      ip address 192.168.20.121 255.255.255.0
      alias 192.168.20.124 255.255.255.0
      peer ip address 192.168.20.123 255.255.255.0
      no normalization
      mac-sticky enable
      access-group input PERMIT-ANY
      service-policy input ALLOW-ALL
      service-policy input client-nat
      service-policy input SLB1
      no shutdown
    interface vlan 30
      bridge-group 30
      no normalization
      mac-sticky enable
      access-group input PERMIT-ANY
      nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
    In this case I NAT to an address in the 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to the ACE.
    You could also use a free IP from the same server subnet and no static route would be required.
    Also, if the ACE is already the default gateway for the servers, no specific static route is required.
    Also, in this example, I'm not really NATing a server. But the idea is the same. The only difference is that in your case, the outgoing interface will be the same as the incoming interface. Me, I have everything in VLAN 20 and VLAN 30. You will have everything in VLAN X and only VLAN X.
    Gilles.

  • Multiple VIPs in Different Subnets

    Is there any way to setup the CSS with VIPs in different subnets. If we were using an inline configuration, I don't see how this would be possible.
    Let's assume three subnets A, B, and C. We would like to have a VIP in subnet A pointing to all the web servers in subnet A. Same for subnets B and C.
    I guess we could configure a trunk port with a CIRCUIT interface in each of the subnets A, B, and C. This would allow clients to route to the VIP in each subnet. My concern is the return traffic. With only one default route in the CSS, all return traffic would traverse one CIRCUIT interface. Am I correct, or am I misunderstanding something?
    Thanks!
    Tom

    I believe you are correct. We have practically the same scenario working here. I have a /29 allocated to the front-end of the CSS and the upstream HSRP routers (call that vlan 10). Then I have multiple subnets for backend servers behind the CSS setup as an 802.1q trunk vlans (call them VLAN 100, 101, 102, etc). I route for those subnets belonging to VLANs 101, 102, etc on the upstream routers to point to the VRRP address of the CSS (the VRRP address of the CSS in VLAN 10). I also route whatever IP used as a virtual to the CSS VRRP address as well. So my upstream routes will have routes to the VIPs and the backend VLANs all pointing to the CSS's VRRP address.
    Casey

  • CSM Is it possible to have the vserver (VIP) IP in a different subnet range

    CSM - Is it possible to have the vserver (VIP) IP in a different subnet range than the real IP addresses in the serverfarm that is bound to it?
    In other words, as an example a typical bridge configuration is like this:
    vlan 221 client
      ip address 10.20.220.2 255.255.255.0
      gateway 10.20.220.1
    vlan 220 server
      ip address 10.20.220.2 255.255.255.0
    <<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
    serverfarm WEBFARM
      nat server
      no nat client
      real 10.20.220.10
        inservice
      real 10.20.220.20
        inservice
    vserver WEB
      virtual 10.20.220.100 tcp www
      serverfarm WEBFARM
      persistent rebalance
      inservice
    ==================================================================================
    NOW:
    =====
    Is it possible to do something like this:
    ==================================================================================
    vlan 221 client
      ip address 10.20.220.2 255.255.255.0
      gateway 10.20.220.1
    vlan 220 server
      ip address 10.20.220.2 255.255.255.0
    <<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
    serverfarm WEBFARM
      nat server
      no nat client
      real 10.20.220.10
        inservice
      real 10.20.220.20
        inservice
    vserver WEB
      virtual 50.40.220.99 tcp www <<<<<<<<<< Place the IP address in a different subnet than the IPs in the serverfarm >>>>>>>>>>>>>>>
      serverfarm WEBFARM
      persistent rebalance
      inservice
    <<<<<<<<On the MSFC place a static route to route the 50.40.220.99 address towards the CSM IP on vlan 221>>>>>>>>>.
    ip route 50.40.220.99 255.255.255.255 10.20.220.2
    Please if somebody knows if this is or is not possible it would be highly appreciated to hear your feedback.

    Pointers to examples - much appreciated.

  • ASA5510 RA VPN, ACS assigned address different subnet than inside interface

    Currently we have our RA tunnels set up with IP Address pools that are in the same subnet as the ASA inside interface and that works to give the clients connectivity.
    I have seen that this is not the best way to go with this and also have seen some config snippets.
    But I have not seen exactly how this should be done, and I don't really see anything in the config examples.
    For example, if my ASA is 10.10.10.1 and I want to assign each person a specific IP address in an address pool, and I want each group to be in a different subnet:
    Eng = 192.168.100.0
    Bob = 192.168.100.1
    Bill = 192.168.100.2
    Sales = 192.168.200.0
    Sue = 192.168.200.1
    Sam = 192.168.200.2
    I have two core switches with the SVIs configured for these subnets.
    But, I don't see how the routing is accomplished in the ASA.
    Also, I can configure the ACS to give each person an IP Address, but not sure what is needed in the ASA.
    Do the pools still need to be configured in the ASA and the ACS hands the client an address that I specify in that pool?

    Better to reset an IP pool and reclaim all its IP addresses:
    Use this User Guide for Cisco Secure Access Control Server 4.1 System Configuration: Advanced
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html

  • How to create more than one VIP using the same IP address and different ports (e.g. 80 and 443)

    Hi,
    I use the SCVMM LB Provider to deploy a network. I want to create 2 VIPs using the same virtual IP but different ports.
    For example: VIP address 1.1.1.123, port 80 for HTTP and port 443 for HTTPS.
    However,
    I encountered the following problem when I created the second VIP.
    PS C:\Windows\system32> New-SCLoadBalancerVIP -Name "vip11" -LoadBalancer $LB -IPAddress "1.1.1.123" -LoadBalancerVIPTemplate $VIPTemplate1 -LoadBalancerProtocol $Protocol1 -LoadBalancerHealthMonitor $HM1
    New-SCLoadBalancerVIP : A virtual IP (VIP) address with the specified name (vip11) or
    address (1.1.1.123) already exists on the load balancer (xxx). (Error ID: 13691)
    Specify a different name or IP address and try again.
    To restart the job, run the following command:
    PS> Restart-Job -Job (Get-VMMServer localhost | Get-Job | where { $_.ID -eq
    "{b41a77eb-ae0b-490a-8948-662a529b1d8c}"})
    At line:1 char:1
    + New-SCLoadBalancerVIP -Name "vip11" -LoadBalancer $LB -IPAddress "1.1.1.123" -Lo ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ReadError: (:) [New-SCLoadBalancerVIP], CarmineException
        + FullyQualifiedErrorId : 13691,Microsoft.SystemCenter.VirtualMachineManager.Cmdlets.Ne
       wSCLoadBalancerVIPCmdlet
    PS C:\Windows\system32>
    Any suggestions?
    Thank you in advance!

    I really don't know DDE very well. It is usually recommended that you switch to using ActiveX. You may not be correctly configuring the netDDE server. There is an example in the resource library that shows how to do this. You may also want to look at the DDE advise examples that came with LabVIEW 5.1 and earlier.

  • IP and VIP addresses temporarily on different subnets

    I was wondering if it's possible to add a third node temporarily on a different subnet?
    I mean.. now my two nodes have these IPs: XXX.XXX.0.5 and XXX.XXX.0.6, VIPs are: XXX.XXX.7.15 and XXX.XXX.7.16
    Is it possible to add a third node with IP YYY.YYY.0.7 and VIP YYY.YYY.7.17?
    Of course they can ping each other and successfully use ssh equivalence...
    Thanks.

    Unfortunately not, the nature of the way VIPs work means that they must be on the same subnet throughout the cluster.

  • RAC 11.2:  VIP on different subnet?

    Hi all,
    i searched over the 11.2 docs, but I can't find anything.
    It seems to me that the previous restriction on having VIPs on the same subnet as the RAC's "public" interface is gone in 11.2.
    When trying to add a RAC listener I get a list of defined subnets.
    Has anyone tried to add a listener on a subnet different from the public one?
    PS:
    I think it's related to the new "listener_networks" initialization parameter... I'm trying to understand the meaning of this parameter in a RAC environment.
    Regards,
    Roberto
    Edited by: user627529 on Oct 12, 2009 6:11 AM

    user627529 wrote:
    I host a database whose clients are on different networks.
    Eg: one RAC database is on the private (not in RAC terminology, but "internal") network, and another database hosted on the cluster had to be accessed from another, public network (firewalled).
    I have 3 options at this point
    1) oracle conn. gw
    2) nat from fw (which is the current cfg)
    3) define another subnet on the rac and create a listener on it, registering the db with the second listener

    I would also have used the 2nd option - not too comfortable with the idea of having a node directly wired to a public network, despite firewalls. I would want that to be DMZ'ed and access "proxied" from the public network to the server node using NAT...
    Also.. why direct database access? Usually in such a case (from a public network) access will be via a web based application. In which case you can reverse proxy the public web calls to an Oracle Apache server and have it connect to the server node.

  • Hyperion Servers on Different Subnets

    Our network engineers have designed a new scheme for our network whereby there will be different subnets for the web servers, application servers, and database servers. We are on Hyperion System 9; our web server contains the Hyperion WAS services (planning, reporting, shared services, openldap, etc); our Essbase DB and license server are on one database server, and SQL and the reports server (communications, scheduler, etc) are on another server. In this new network scheme, the Hyperion web server will be on a different subnet than the two database servers.
    Does anyone see any issues or know of any issues with this setup?
    Thanks,
    Candy


  • ACE VIP & ACL

    Hi,
    The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
    We have to restrict one VIP's traffic to 6 nodes only from the public side.
    How can I restrict the traffic with an ACL in the L3 class map?
    Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
    Unfortunately, only one entry is permitted in the L3 class map!
    However, this one entry is the virtual-address row.
    What is the smart solution in this case (VIP & ACL together)?
    Regards,

    Hi,
    I think the easiest way you can do this is using an HTTP class-map (regardless of the load balanced protocol, weird eh?).
    Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
    Here is how it looks:
    class-map type http loadbalance match-any Hosts
      10 match source-address 192.168.10.20 255.255.255.255
      11 match source-address 192.168.10.21 255.255.255.255
      12 match source-address 192.168.10.22 255.255.255.255
    class-map match-any Internet
      2 match virtual-address 192.168.20.15 tcp eq www
    policy-map type loadbalance first-match Internet-FMP
      class Hosts
        serverfarm Backend
    policy-map multi-match CLIENT-VIPS
      class Internet
        loadbalance vip inservice
        loadbalance policy Internet-FMP
        loadbalance vip icmp-reply active
    Hope this helps!
    Pablo
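To check what Pablo's construct actually admits, here is an added Python example (not from the original thread and not a Cisco tool): it parses the match source-address and match virtual-address lines of the snippet above and emulates the ACE decision for a new TCP flow. A flow that does not hit the VIP never reaches the CLIENT-VIPS policy ("not-a-vip"); a flow to the VIP from a listed source gets the Backend serverfarm, reported with the class-map line that matched; a flow to the VIP from any other source finds no class in Internet-FMP and therefore no serverfarm ("no-serverfarm"). admitted_hosts counts the client addresses the list lets through, which is how to verify a "6 nodes only" requirement; the flows used below are constructed.

```python
"""Emulate the ACE source-address restriction from the reply above
(added example, see lead-in)."""
import ipaddress
import re

# Constructed from the class-maps Pablo posted; the policy-maps only glue
# these together, so the decision depends on these lines alone.
POLICY = """
class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
  12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www
"""
PORT_NAMES = {"www": 80, "https": 443}


def parse_policy(text):
    """Return ({line_no: admitted network}, {(vip, port)})."""
    sources, vips = {}, set()
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+) match source-address (\S+) (\S+)", line):
            sources[int(m[1])] = ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"\s*\d+ match virtual-address (\S+) tcp eq (\S+)", line):
            port = PORT_NAMES.get(m[2]) or int(m[2])
            vips.add((ipaddress.IPv4Address(m[1]), port))
    return sources, vips


def decide(sources, vips, src, dst, dport):
    """What the multi-match -> first-match chain does with one new flow."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if (dst, dport) not in vips:
        return "not-a-vip"  # class Internet misses; CLIENT-VIPS never applies
    for line_no, net in sorted(sources.items()):  # match-any: first hit wins
        if src in net:
            return f"Backend (line {line_no})"
    return "no-serverfarm"  # Internet-FMP has no class for this source


def admitted_hosts(sources):
    """Number of client addresses the class-map admits (overlaps counted
    twice); a mask shorter than /32 silently widens the list."""
    return sum(net.num_addresses for net in sources.values())


if __name__ == "__main__":
    sources, vips = parse_policy(POLICY)
    print(f"{admitted_hosts(sources)} source address(es) admitted")
    # Constructed flows: a listed host, an unlisted host, and a non-VIP port.
    for src, dst, port in (("192.168.10.21", "192.168.20.15", 80),
                           ("192.168.10.99", "192.168.20.15", 80),
                           ("192.168.10.21", "192.168.20.15", 443)):
        print(f"{src} -> {dst}:{port}: {decide(sources, vips, src, dst, port)}")
```

Paste the real class-map lines into POLICY and the count from admitted_hosts should equal the number of nodes you meant to allow; anything larger means an entry carries a mask shorter than 255.255.255.255.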

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below are the configurations on our ASA.
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • Can members in a pool be on different subnets using CSM

    Hello. We have recently been investigating load balancing devices, and were almost set on F5. We then overhauled our core network, including replacing one 4507R with two 6500s, outfitted with Sup720s and FWSM modules.
    Now, we are seriously thinking about investing in the CSM or ACE module instead of the F5. I was wondering if the servers in my virtual pool can be on different subnets?
    For example, the user is looking for a web server with an IP of 192.168.110.1. This virtual ip is setup on the CSM module, and contains three physical servers, 192.168.110.10, 192.168.110.20, and 10.10.10.1 (server in a different data center, only to be used if the two primary servers go down). Will this work, or do all members in the pool need to be on the same subnet?
    Thanks.

    I would recommend the following test results published by veritest
    http://www.lionbridge.com/NR/rdonlyres/5518CDEC-0D57-446E-8E3D-2AE73DCB7EEF/0/csm_comparison.pdf
    Gilles.

  • WRV200 IPSEC VPN to a remote site with 2 different subnets

    Hi,
    My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
    When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
    Anyone been able to get this working?

    Hi,
    Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connections you have to consider what the source addresses for the Web server connections can be?
    It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
    Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
    One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
    Judging by your examples it would seem that you are using an 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
    Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
    - Jouni

  • Using a interface in a sparse-root zone on a different subnet

    Hello,
    is it possible to use interface ce0 for the global zone and configure interface ce1 for the non-global zone, but the interfaces are on a different subnet?
    ce0 ... 10.5.5.18 / global zone
    ce1 ... 192.168.5.18 / non-global zone
    using Solaris 5.10 Generic_125100-10
    I configured ce0 in the global zone (of course)
    and I plumbed ce1 also in the global zone - but configured ce1 in the zones definition
    zonecfg:oem> add net
    zonecfg:oem:net> set physical=ce1
    zonecfg:oem:net> set address=192.168.5.18
    The zone boots without any problems and it looks like this:
    [global zone]
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    [non-global zone]
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    I've read this is solved with GLDv3 drivers and exclusive IP instances mentioned in the blog http://blogs.sun.com/stw/entry/what_s_up_ce_doc -
    so the system shows
    # dladm show-link
    ce0             type: legacy    mtu: 1500       device: ce0
    ce1             type: legacy    mtu: 1500       device: ce1
    I get weird results even if I ping between the zones, I get "ICMP Destination unreachable"
    Can this be solved with a full-root zone ...?
    -- Nick

    here are my current settings:
    *[global zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    10.5.5.0             10.5.5.18          U         1  10864 ce0      
    224.0.0.0            10.5.5.18          U         1      0 ce0      
    default             10.5.5 .1          UG        1  42839          
    127.0.0.1            127.0.0.1          UH        2 619817 lo0
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    ! root@elba2:/ # route get 192.168.5.18
       route to: 192.168.5.18
    destination: 192.168.5.18
           mask: 255.255.255.255
      interface: ce1:1
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    *[sparse-root zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    192.168.5.0          192.168.5.18         U         1     83 ce1:1    
    224.0.0.0            192.168.5.18         U         1      0 ce1:1    
    127.0.0.1            127.0.0.1            UH       19  86105 lo0:1    
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.1.255
    # route get 10.5.5.18
       route to: 10.5.5.18
    destination: 10.5.5.18
           mask: 255.255.255.255
      interface: ce0
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    Thank you for your time !
    -- Nick
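    Two details in Nick's output are worth checking mechanically whenever zones share a system: the `ce1:1` line as seen from inside the zone shows `broadcast 192.168.1.255` for an address on 192.168.5.0/24, and `ce0` and `ce1` report the same `ether` address (Sun `ce` cards typically use the system-wide MAC unless the `local-mac-address?` OBP variable is set to true). The script below is an added example, not part of the thread or of Solaris: it parses Solaris-style `ifconfig -a` output into per-interface records (including the `zone` line), derives each interface's network from the hex netmask, and flags broadcast addresses that do not match the derived network, interfaces whose subnets overlap, and physical interfaces that share a MAC. The sample input is constructed from the output quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the global-zone ifconfig output from the post, with the ce1:1
# line replaced by the mismatched broadcast the non-global zone reported.
SAMPLE_IFCONFIG = """\
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
        ether 0:3:ba:b0:53:39
ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
        inet 0.0.0.0 netmask 0
        ether 0:3:ba:b0:53:39
ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
        zone oem
        inet 192.168.5.18 netmask ffffff00 broadcast 192.168.1.255
"""

HEADER_RE = re.compile(r"^(?P<name>\S+): flags=[0-9a-f]+<(?P<flags>[^>]*)>")
INET_RE = re.compile(r"^\s+inet (?P<addr>\S+) netmask (?P<mask>[0-9a-f]+)(?: broadcast (?P<bcast>\S+))?")
ETHER_RE = re.compile(r"^\s+ether (?P<mac>\S+)")
ZONE_RE = re.compile(r"^\s+zone (?P<zone>\S+)")


@dataclass
class Iface:
    name: str
    flags: List[str]
    zone: str = "global"          # Solaris only prints a "zone" line for non-global zones
    addr: Optional[str] = None
    mask_hex: Optional[str] = None
    broadcast: Optional[str] = None
    mac: Optional[str] = None

    @property
    def network(self) -> Optional[ipaddress.IPv4Network]:
        """Network derived from address and hex netmask; None for unconfigured interfaces."""
        if not self.addr or not self.mask_hex or self.addr == "0.0.0.0":
            return None
        prefix = bin(int(self.mask_hex, 16)).count("1")
        return ipaddress.ip_interface(f"{self.addr}/{prefix}").network


def normalize_mac(mac: str) -> str:
    """Solaris prints MACs without zero padding (0:3:ba:...); pad each octet."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_ifconfig(text: str) -> List[Iface]:
    ifaces: List[Iface] = []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            ifaces.append(Iface(m["name"], m["flags"].split(",")))
        elif ifaces and (m := INET_RE.match(line)):
            ifaces[-1].addr, ifaces[-1].mask_hex, ifaces[-1].broadcast = m["addr"], m["mask"], m["bcast"]
        elif ifaces and (m := ETHER_RE.match(line)):
            ifaces[-1].mac = normalize_mac(m["mac"])
        elif ifaces and (m := ZONE_RE.match(line)):
            ifaces[-1].zone = m["zone"]
    return ifaces


def audit(ifaces: List[Iface]) -> List[str]:
    """Return human-readable findings: bad broadcast, overlapping subnets, shared MACs."""
    findings: List[str] = []
    seen_nets: List[Tuple[str, ipaddress.IPv4Network]] = []
    by_mac: Dict[str, List[str]] = {}
    for i in ifaces:
        if i.mac:
            by_mac.setdefault(i.mac, []).append(i.name)
        net = i.network
        if net is None:
            continue
        if "UP" not in i.flags:
            findings.append(f"{i.name}: has an address but is not UP")
        if i.broadcast and i.broadcast != str(net.broadcast_address):
            findings.append(f"{i.name} (zone {i.zone}): broadcast {i.broadcast} does not match "
                            f"{net}, expected {net.broadcast_address}")
        for other_name, other_net in seen_nets:
            if net.overlaps(other_net):
                findings.append(f"{i.name} and {other_name} are on overlapping subnets ({net})")
        seen_nets.append((i.name, net))
    for mac, names in by_mac.items():
        if len(names) > 1:
            findings.append(f"{' and '.join(names)} share MAC {mac}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(finding)
```

    On the constructed sample the audit reports the broadcast mismatch on `ce1:1` in zone `oem` and the shared MAC on `ce0`/`ce1`, and confirms the two zones are on non-overlapping subnets, which is the separation the question asks about. The same parser runs unchanged over the output of `ifconfig -a` from each zone, so the per-zone view and the global view can be compared side by side.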
