Management traffic to the ACE

Do I need to explicitly define management traffic coming to the ACE module? I see in a lot of configurations that they allow management traffic in a special class to the ACE.
Also, is it necessary to apply an access-list to the ACE module to accept traffic for the VIP? What if I do not use any access-list on the ACE, will the traffic go through?

Yes, you need to define the allowed traffic to the ACE. The ACE acts as an implicit deny: it will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
access-list ALL line 8 extended permit ip any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 121
  ip address
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
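
The reply above makes two points a reviewer of an ACE context should check mechanically: every interface needs an input ACL (the implicit deny drops transit traffic otherwise) and a management policy (or the ACE itself will not answer), and the usual copy-paste management class permits telnet and http alongside ssh and https. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a context configuration in the text form shown on this page (assumed two-space indentation for sub-commands) and reports those problems. The embedded sample configuration, its addresses and object names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample ACE context config for this example (not from the thread).
# vlan 121 copies the permissive pattern from the reply; vlan 122 has a
# source-restricted ssh/https management class but no input ACL.
SAMPLE_CONFIG = """\
access-list ALL line 8 extended permit ip any any
access-list CLIENTS line 8 extended permit tcp any host 192.0.2.10 eq https
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
class-map type management match-any secure_mgmt
  2 match protocol ssh source-address 198.51.100.0 255.255.255.0
  3 match protocol https source-address 198.51.100.0 255.255.255.0
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type management first-match secure_mgmt_policy
  class secure_mgmt
    permit
interface vlan 121
  ip address 192.0.2.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 122
  ip address 198.51.100.2 255.255.255.0
  service-policy input secure_mgmt_policy
  no shutdown
"""

# Protocols whose credentials can be sniffed or replayed on the management VLAN.
CLEARTEXT = {"telnet", "http", "snmp"}


def parse_ace_config(text):
    """Pull ACLs, management class-maps/policies and interfaces out of an ACE
    context config (minimal parser; assumes sub-commands are indented)."""
    acls = defaultdict(list)   # acl name -> list of ACE strings
    mgmt_classes = {}          # class name -> set of matched protocols
    mgmt_policies = {}         # policy name -> [[class, "permit"|"deny"], ...]
    interfaces = {}            # "vlan 121" -> {"acl_in": name, "policies": [...]}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level statement starts a new object
            ctx = None
            if m := re.match(r"access-list (\S+) line \d+ extended (.*)", line):
                acls[m.group(1)].append(m.group(2))
            elif m := re.match(r"class-map type management match-\w+ (\S+)", line):
                mgmt_classes[m.group(1)] = set()
                ctx = ("class", m.group(1))
            elif m := re.match(r"policy-map type management first-match (\S+)", line):
                mgmt_policies[m.group(1)] = []
                ctx = ("policy", m.group(1))
            elif m := re.match(r"interface (vlan \d+)", line):
                interfaces[m.group(1)] = {"acl_in": None, "policies": []}
                ctx = ("interface", m.group(1))
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "class":
            if m := re.match(r"\d+ match protocol (\S+)", line):
                mgmt_classes[name].add(m.group(1))
        elif kind == "policy":
            if m := re.match(r"class (\S+)", line):
                mgmt_policies[name].append([m.group(1), None])
            elif line in ("permit", "deny") and mgmt_policies[name]:
                mgmt_policies[name][-1][1] = line
        elif kind == "interface":
            if m := re.match(r"access-group input (\S+)", line):
                interfaces[name]["acl_in"] = m.group(1)
            elif m := re.match(r"service-policy input (\S+)", line):
                interfaces[name]["policies"].append(m.group(1))
    return acls, mgmt_classes, mgmt_policies, interfaces


def audit(text):
    """Return one finding string per problem, in interface order."""
    acls, mgmt_classes, mgmt_policies, interfaces = parse_ace_config(text)
    findings = []
    for ifname, cfg in interfaces.items():
        if cfg["acl_in"] is None:
            findings.append(f"{ifname}: no access-group input; the implicit deny drops all transit traffic here")
        elif "permit ip any any" in acls[cfg["acl_in"]]:
            findings.append(f"{ifname}: input ACL {cfg['acl_in']} is permit ip any any; restrict it to the VIPs and ports served")
        mgmt = [p for p in cfg["policies"] if p in mgmt_policies]
        if not mgmt:
            findings.append(f"{ifname}: no management policy; the ACE will not answer ssh/https/icmp on this interface")
        for pol in mgmt:
            for cls, action in mgmt_policies[pol]:
                bad = sorted(mgmt_classes.get(cls, set()) & CLEARTEXT)
                if action == "permit" and bad:
                    findings.append(f"{ifname}: management class {cls} permits cleartext {', '.join(bad)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it flags vlan 121 for the permit-any ACL and for telnet/http in the management class, and vlan 122 for the missing input ACL; the source-restricted ssh/https class passes. Paste a real `show running-config` of a context in place of the sample to check it the same way.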

Similar Messages

  • Management traffic load over the WAN

    Management processes (including monitoring and security) with the central WCS system will cause management traffic over the WAN links.
    Can you tell me more about the traffic load over the WAN links if we will use it only as a WiFi detection and prevention system (including location, and not for wireless services, for now)?
    We will use 150 AIR-AP1000 (LWAPP) in AIR-MONITOR mode over the WAN and 4400 controllers, one in each remote site (10 sites).

    I think the following documents might provide you with some good information.
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a008059c98b.html
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a008059ca16.html

  • WAAS traffic interception with ACE

    I will use ACE for WAAS traffic interception and I need help with:
    1. If I use ACE, there is no need for WCCP for traffic interception, right?
    2. If I use ACE, should I make 3 VLANs: VLAN 10 for clients (facing the WAN), VLAN 12 for the WAEs and VLAN 11 for the datacenter?
    On the 6500 I make interface vlan10 and give it IP 10.1.1.1. Should I give interface vlan10 in the ACE 10.1.1.1 as well (the same IP in the 6500 and the ACE)? Is it logical to give the same interface VLAN IP to two devices, or will that generate a duplicate IP error?
    3. If that is right, can I make a static route in the ACE to the 6500 interface vlan10, "ip route 0.0.0.0 0.0.0.0 10.1.1.1"?
    4. When I define an access-list in the ACE to define the traffic which can be routed through the ACE, if I deny a certain network (permit only the network that I want to redirect to the WAEs), will the other traffic be routed through the 6500 to the core? I will use "transparent" in the server farm and no IP normalization. In other words, can I consider the access-list in the ACE like the access-list I'm using with WCCP?
    5. In my topology I have 2 6500s and I will install 2 ACEs (1 ACE in each 6500), and I will attach 1 WAE to each 6500 switch, with one VLAN for the WAEs. I will make a server farm and allocate the 2 WAEs in it, define the server farm in both ACEs and make a default route in the ACEs to interface VLAN 10.1.1.1. In this way, will the ACE load balance between the 2 WAEs and will traffic interception work well or not?
    And finally, I'm sorry for these many questions, but I think I will find the answers.

    Usama,
    Here are the answers to your questions:
    1. Correct.
    2. You would not configure the same IP address on the ACE and MSFC. As far as how the VLANs should be configured, that somewhat depends on your deployment. What you have described would be common if you are deploying ACE in bridged mode. In routed mode, you can deploy ACE in a one-arm configuration.
    3. Yes.
    4. ACE does not pass traffic by default. You must explicitly permit the traffic you want to pass. Said differently, if you do not permit the traffic in your ACL, it will be dropped.
    5. If you are using a single context in ACE, they will be active/passive (i.e. only one ACE module will handle traffic at any given point in time). The configuration will automatically be synchronized between the active and passive modules.
    How are you planning to get traffic to the ACE module?
    Zach

  • Traffic interception using ACE instead of WCCP

    Hi,
    I am probing balancing the core WAEs with ACE. Most of our servers are not balanced, their default gateway is not the ACE, and we saw that when I am not using a VIP, the ACE does not do a NAT and the traffic goes directly through the 6500. The question is: can we use WAAS & ACE when the company's servers are not balanced by the ACE?
    Thanks in advance.
    Celeste

    Gilles,
    Do you have an example with ACE where traffic going to the datacenter is intercepted by a PBR (that PBR sends traffic to the ACE) and traffic going to the branch is intercepted with another PBR (that PBR sends traffic to the ACE too)?

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning Cisco and networks in general, but I need to separate management traffic from the regular network. The switch is a Cisco Catalyst 5406-E. My question is: do I need to create a new subnet for the VLAN, and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates VLAN 15 and adds the GE 2/6 interface to VLAN 15. How do I add it to a new subnet? Am I going in the right direction?

    In general, if you want to use a separate VLAN for management, you can create the VLAN plus an SVI (routed interface of the VLAN) with an IP address, plus some access lists on the SVI and on the VTY ("SSH/telnet lines") for better security.
    Example:
    ==== C4500 – L3 SWITCH CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    //Note: this access list (ACL) does not control access to management of the L3 switch/router where the ACL is applied on the SVI, only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
    remark ====ICMP====
    permit icmp any 10.0.15.0 0.0.0.255
    remark ====ADMIN====
    permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    //create SVI/interface of the VLAN 15, add IP address and assign access list
    //Note: DO NOT assign an empty access list to an interface, it can make your router inaccessible!
    interface Vlan15
    description MGMT
    ip address 10.0.15.1 255.255.255.0
    ip access-group MGMT_SWITCH out
    //create ACL for the VTY lines of the L3 switch/router; this ACL controls access only to management of the L3 switch, access to all other switches with SVI 15 is controlled by the previous ACL
    ip access-list standard VTY
    remark ====ADMIN====
    permit 10.0.1.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit 10.0.100.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit 10.0.200.0 0.0.0.255
    //assign ACL to vty lines
    line vty 0 4
    access-class VTY in
    ==== OTHER L2-ONLY SWITCHES CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create SVI 15
    interface Vlan15
    description MGMT
    ip address 10.0.15.50 255.255.255.0
    //set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    //some higher-level switches require the following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
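
The answer above relies on three behaviours of Cisco ACLs that are easy to get wrong when reading a config: entries are evaluated top to bottom and the first match wins, an ACL ends in an implicit deny, and an outbound ACL on the SVI only sees traffic the L3 switch forwards into VLAN 15, so access to the L3 switch's own SVI is governed by the VTY access-class instead. The following is an added example, not code from the thread or from Cisco: a Python evaluator that parses the two ACLs from the answer (wildcard masks assumed contiguous; port qualifiers not modelled) and answers "can this source reach that host?" for constructed packets. The function `management_reachable` and the assumption that no inbound ACL sits on the ingress interface are mine.

```python
import ipaddress

# ACL text as in the management-VLAN answer above; packets below are constructed.
MGMT_SWITCH_ACL = """\
remark ====ICMP====
permit icmp any 10.0.15.0 0.0.0.255
remark ====ADMIN====
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====MONITORING-SERVERS====
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====NTB-SERVICE====
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""
VTY_ACL = """\
permit 10.0.1.0 0.0.0.255
permit 10.0.100.0 0.0.0.255
permit 10.0.200.0 0.0.0.255
"""
SVI_ADDRESS = "10.0.15.1"   # interface Vlan15 on the L3 switch


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD | A) and return
    (network, remaining tokens). Wildcard masks are assumed contiguous."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) == 1:  # standard-ACL shorthand for a single host
        return ipaddress.ip_network(tokens[0] + "/32"), []
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text, extended=True):
    """Parse permit/deny lines, skipping remarks. Extended entries are
    '<action> <proto> <src> <dst> [port...]'; standard entries are '<action> <src>'."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens[0]
        if extended:
            proto = tokens[1]
            src, rest = _parse_addr(tokens[2:])
            dst, _ = _parse_addr(rest)
        else:
            proto = "ip"
            src, _ = _parse_addr(tokens[1:])
            dst = ipaddress.ip_network("0.0.0.0/0")
        entries.append((action, proto, src, dst))
    return entries


def acl_permits(entries, src, dst, proto):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in entries:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False


MGMT_SWITCH = parse_acl(MGMT_SWITCH_ACL)
VTY = parse_acl(VTY_ACL, extended=False)


def management_reachable(src, dst, proto):
    """The split the answer describes: the outbound ACL on Vlan15 filters only
    traffic the L3 switch forwards into VLAN 15 (the L2 switches). Traffic to the
    L3 switch's own SVI is never forwarded out of it, so that ACL does not apply;
    for ssh/telnet the VTY access-class decides. Assumes no inbound ACL on the
    ingress interface (an assumption of this example)."""
    if dst == SVI_ADDRESS:
        if proto in ("ssh", "telnet"):
            return acl_permits(VTY, src, dst, "tcp")
        return True
    return acl_permits(MGMT_SWITCH, src, dst, proto)


if __name__ == "__main__":
    for src, dst, proto in [("10.0.1.5", "10.0.15.50", "tcp"),
                            ("10.0.50.7", "10.0.15.50", "tcp"),
                            ("10.0.50.7", "10.0.15.50", "icmp"),
                            ("10.0.50.7", "10.0.15.1", "ssh")]:
        verdict = "permitted" if management_reachable(src, dst, proto) else "denied"
        print(f"{src} -> {dst} {proto}: {verdict}")
```

The runs show the consequence of the answer's first entry: any host can ping the L2 switches (the icmp line matches before the source-restricted ones), while only the three admin ranges can open TCP to them or SSH to the L3 switch itself.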

  • ACE30 - Accessing the ACE Appliance Device Manager

    Hi...
    I've got basic connectivity to our ACE30 module and when I try connecting to the management IP address (attached to the Admin context), I see a very basic GUI which only lists the CSM to ACE config conversion tool. I don't see a GUI as detailed in the document:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/device_manager/guide/UG_over.html#wp1072950
    How do I get the ACE Appliance Device Manager GUI working so that I can then configure real servers, serverfarms etc. rather than via the GUI?
    Having read through copious amounts of documentation I can't seem to find a reference that would help here. This should be a fairly straightforward exercise; do I need to install some other software to get the full-fledged GUI working?
    thanks
    Sheldon

    Only the ACE 4710 appliances have the GUI. If you are looking for a GUI for the ACE30 module you will need to use Cisco Application Network Manager (ANM); it will provide the GUI for the ACE30 to be able to configure it. As you have seen, only the conversion tool is available on the module.

  • ACE not passing the traffic to the server.

    Hi Experts,
    Could you please help me on this issue:-
    The users are not able to access the Palm application passing through the ACE module. The clients get to the Citrix server and from there it goes to the Palm application. Now both external and internal users are not able to access the Palm application.
    Troubleshooting done:
    1) Connecting to the Palm server by excluding the ACE works.
    2) Servers are reachable from the ACE module.
    3) It was working fine before, but not now. No changes have been made on the ACE, but still the issue.
    4) Checked the Palm context, which seems to be okay. But still not able to get through.
    Any help would be great.
    Thanks
    Sum.

    Sniffer trace in front of the ACE and on the backend.
    Capture a failure.
    Before and after the connection failure, also get the output of the following command:
    'show service-policy detail'
    See if you have connection hits.
    Gilles.

  • I cannot ping any VIP from within the ACE or from rservers

    I cannot ping any VIP from within the ACE or from rservers. Is this expected? I have rservers in other serverfarms that need to be able to communicate with the VIPs of other serverfarms. Any help is greatly appreciated.

    Thanks for your reply. Here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.
    logging enable
    logging fastpath
    logging standby
    logging console 4
    logging timestamp
    logging trap 4
    logging history 4
    logging buffered 4
    logging persistent 4
    logging monitor 4
    logging device-id hostname
    logging host 172.26.254.185 udp/514
    logging host 172.26.221.25 udp/514
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    access-list INBOUND line 24 extended permit tcp any any
    access-list INBOUND line 32 extended permit udp any any
    access-list ORADB line 8 extended permit tcp any any
    probe http CITRIX
      interval 30
      passdetect interval 15
      passdetect count 6
      open 1
    probe tcp HYPERION
      port 19000
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 2
      receive 2
      open 1
    probe icmp PROBE_SERVICE_ICMP
      interval 5
      passdetect interval 5
    probe tcp W15SPSWFET001_PROBE
      interval 5
      passdetect interval 5
      connection term forced
      open 1
    parameter-map type connection TIMEOUT
      set timeout inactivity 43200
    parameter-map type http test
      persistence-rebalance
      set header-maxparse-length 2006
    rserver host w0bairwatch003
      description MDM-SEG
      ip address 172.20.60.73
      inservice
    rserver host w0bairwatch004
      description MDM-SEG
      ip address 172.20.60.74
      inservice
    rserver host w0bairwatch005
      description MDM-DEVICE
      ip address 172.20.60.75
      inservice
    rserver host w0bairwatch006
      description MDM-DEVICE
      ip address 172.20.60.76
      inservice
    rserver host w0bhamobile001
      description Lotus Notes Traveler Server
      ip address 172.20.60.57
      inservice
    rserver host w0bhamobile002
      description Lotus Notes Traveler Server
      ip address 172.20.60.58
      inservice
    serverfarm host MDMDEVICE
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch005
        inservice
      rserver w0bairwatch006
    serverfarm host MDMSEG
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch003
        inservice
      rserver w0bairwatch004
        inservice
    serverfarm host TRAVLR
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bhamobile001
        inservice
      rserver w0bhamobile002
        inservice
    class-map match-all MDMDEVICE-VIP
      2 match virtual-address 172.20.48.35 any
    class-map match-all MDMSEG-VIP
      2 match virtual-address 172.20.48.33 any
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      201 match protocol ssh any
      202 match protocol telnet any
      203 match protocol icmp any
      204 match protocol https any
      205 match protocol http any
      206 match protocol xml-https any
      207 match protocol snmp any
    class-map match-all TRAVLR-VIP
      2 match virtual-address 172.20.48.34 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match MDMDEVICE
      class class-default
        serverfarm MDMDEVICE
    policy-map type loadbalance first-match MDMSEG
      class class-default
        serverfarm MDMSEG
    policy-map type loadbalance first-match TRAVLR
      class class-default
        serverfarm TRAVLR
    policy-map multi-match CLIENTS-VIPS
      class MDMDEVICE-VIP
        loadbalance vip inservice
        loadbalance policy MDMDEVICE
        loadbalance vip icmp-reply active
      class MDMSEG-VIP
        loadbalance vip inservice
        loadbalance policy MDMSEG
        loadbalance vip icmp-reply active
      class TRAVLR-VIP
        loadbalance vip inservice
        loadbalance policy TRAVLR
        loadbalance vip icmp-reply active
    interface vlan 48
      ip address 172.20.48.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input CLIENTS-VIPS
      no shutdown
    interface vlan 60
      ip address 172.20.60.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.20.48.1

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map by using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Slow TCP performance for traffic routed by ACE module

    Hi,
    The customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in different ACE contexts. When the customer uses FTP from a server in one context to a server in another context, the throughput through the ACE is about 23 Mbps. It is routed traffic in the ACE :-( See:
    server1: / #ftp server2
    Connected to server2.cent.priv.
    220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
    Name (server2:root):
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> bin
    200 Type set to I.
    ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
    200 PORT command successful.
    150 Opening data connection for /dev/null.
    5000+0 records in.
    5000+0 records out.
    226 Transfer complete.
    163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
    local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
    ftp>
    The output from show resource usage doesn't show any drops:
      Resource                Current       Peak        Min        Max     Denied
      conc-connections              0          0     800000    1600000          0
      mgmt-connections             10         54      10000      20000          0
      proxy-connections             0          0     104858     209716          0
      xlates                        0          0     104858     209716          0
      bandwidth                     0      46228   50000000  225000000          0
        throughput                  0       1155   50000000  100000000          0
        mgmt-traffic rate           0      45073          0  125000000          0
      connections rate              0          9     100000     200000          0
      ssl-connections rate          0          0        500       1000          0
      mac-miss rate                 0          0        200        400          0
      inspect-conn rate             0          0        600       1200          0
      acl-memory                 7064       7064    7082352   14168883          0
      sticky                        6          6     419430          0          0
      regexp                       47         47     104858     209715          0
      syslog buffer            794624     794624     418816     431104          0
      syslog rate                   0         31      10000      20000          0
    There is a parameter map configured with persistence-rebalance for cookie insertion in the context.
    Do you know how I can increase performance for TCP traffic which is not load-balanced but routed by the ACE? Thank you very much.
    Roman

    Default inactivity timeouts used by the ACE are:
    icmp 2 sec
    tcp 3600 sec
    udp 120 sec
    With your config you will change the inactivity timeout for every protocol to 7500 sec. If you want to change the TCP timeout to 7500 sec and keep the other inactivity timeouts as they are now, use the following:
    parameter-map type connection GLOBAL-TCP
      set timeout inactivity 7500
    parameter-map type connection GLOBAL-UDP
      set timeout inactivity 120
    parameter-map type connection GLOBAL-ICMP
      set timeout inactivity 2
    access-list ICMP-ANY line 8 extended permit icmp any any
    class-map match-all ALL-TCP
      2 match port tcp any
    class-map match-all ALL-UDP
      2 match port udp any
    class-map match-all ALL-ICMP
      2 match access-list ICMP-ANY
    policy-map multi-match TIMEOUTS
      class ALL-TCP
        connection advanced-options GLOBAL-TCP
      class ALL-UDP
        connection advanced-options GLOBAL-UDP
      class ALL-ICMP
        connection advanced-options GLOBAL-ICMP
    and apply service-policy TIMEOUTS globally.
    Syed Iftekhar Ahmed

  • Copp and management traffic

    Good afternoon fellow Ciscorians.
    I have configured CoPP to rate-limit ICMP traffic and fragmented traffic to keep them from saturating the RP via the control plane, and also to exempt the same traffic class from our trusted IP addresses. But I am wondering about management traffic such as telnet and SSH: we have an access list on the VTY lines dropping traffic from untrusted sources on ports 22 and 23. I am wondering what the benefits are of employing a CoPP policy as well as the access-list on the VTY lines?
    Could an attack still saturate the RP with an access-list dropping the untrusted traffic on the VTY lines? (6509-Sup720)
    Matthew.

    Hi Matthew,
    An access-list applied on an interface is applicable to all traffic, data traffic (transit traffic) and control-plane traffic (destined to the router or punted to the RP), while CoPP is only applicable to traffic punted to the RP.
    An access list will either permit or drop, but CoPP is a service-policy and you can rate-limit the traffic. So if we take the example of ICMP traffic, and the requirement is that we want to allow ICMP traffic to the router (ICMP is a useful tool to check reachability and latency) but not more than 500 kbps (to avoid any DDoS attack), in this case blocking ICMP with an ACL on the interface will not serve the purpose but CoPP will do the job.
    If you are blocking some traffic via an ACL, it should not saturate the RP.
    Regards,
    Akash

  • Cannot remove the access control entry object on the object because the ACE isn't present

    Hello,
    I am very new to using PowerShell and Exchange Management Shell, and have no prior experience using either of these tools. However, the software I am installing requires me to use the EMS tool in order to set certain permissions for a user in Exchange, which will be like the admin account.
    The command I am attempting to run follows as:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False 
    This throws me an error saying:
    cannot remove the access control entry on the object because the ACE isn't present. I've done some research, and have found that this error is quite common, but the solutions do not apply to what I am specifically trying to accomplish. I am simply trying to remove the Receive-As permission for the admin user that I just created.
    Once again, I am very new to Exchange and Powershell, but if there is any advice anyone has, it would greatly appreciated.

    I ran this command, and a very long list was displayed, it looks like everything is there.
    The weird thing is that I was able to run a previous command which granted Receive-As access to the user I am creating:
    Get-ExchangeServer | Add-ADPermission -User $newusername -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$False 
    The description for the commands to run read to 'grant permissions and to revoke denies, if present'. I'm not sure what this means, but the second part of this pertains to the second command that I am having trouble with:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False

  • Splitting the app traffic from the cluster and admin traffic

    Hi,
    We currently have a 10.3.2.0 setup where an admin server is behind a firewall and is running on the Administration Port, and is connected to two managed servers in front of a first firewall in the DMZ.
    On each managed server there are two network interfaces, one for management and one for apps/DB connections.
    So I was wanting to know how you get the managed server to split the traffic?
    If I set the managed server's listening address to the management interface then it starts up fine, as that is what the admin server behind the firewall can see, BUT it means app and JDBC connections don't work and the server goes to ADMIN state first before you have to manually resume it.
    If I set the managed server's listening address to the app interface then it can't start up, as the app interface's address is blocked from the admin server to the managed server by the firewall.
    If I set the managed server to have no listening address and leave it blank in the interface field, it starts up and listens on all interfaces, BUT can't find a route to the admin server.
    So what is the answer? Can you do something with Network Channels? Or is it the case that you just can't do it and just have to have one interface and one listening address, as the admin traffic is split by the default administration channel anyway.
    Would be good to know.
    Alistair.

    Are you using cellular data? If yes, try to use Wi-Fi and see if the app works better by using a faster data connection. If you have no problem using Wi-Fi and maps, see if you can have a faster cellular connection by switching to 3G, 4G to LTE service in Settings/Cellular.

  • How the ACE handles rserver failures

    Hello
    I've got a question re: the ACE module.
    Let's say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
    Let's say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is OK. Then say the rserver httpd service is stopped 3 seconds after the last successful probe, therefore leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
    Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
    How does the ACE handle this situation?
    Are there any differences between how the ACE handles this between A1 and A2 versions of software?
    Thanks
    Cameron

    URL rewrite only comes into play when the real server (rserver) sends a clear-text redirect, such as a 302 for http://investor.nice360.com. If the client receives this 302 it will attempt the next request using HTTP. With the URL rewrite feature we configure the ACE to change these redirects from HTTP to HTTPS.
    What you are looking for is a simple redirection of the client request from port 80 to port 443. This can be achieved using a redirect server farm and a redirect rserver.
    You will need to create two sets of configs (class-maps, rserver, serverfarm, policy map) for port 80 and port 443 traffic. The port 80 policy will simply redirect the port 80 request to port 443.
    The following example will give you some idea:
    rserver redirect HTTP2HTTPS
      webhost-redirection https://%h%p 301
      inservice
    serverfarm redirect HTTP2HTTPS-SF
      rserver HTTP2HTTPS
        inservice
    class-map match-all WEB-HTTP
      2 match virtual-address 172.25.250.245 tcp eq http
    class-map match-all WEB-HTTPS
      2 match virtual-address 172.25.250.245 tcp eq 443
    policy-map type loadbalance first-match HTTP2HTTPS-POLICY
      class class-default
        serverfarm HTTP2HTTPS-SF
    policy-map type loadbalance first-match L7-POLICY
      class class-default
        sticky-serverfarm STICKY_IP
    policy-map multi-match L4-POLICY
      class WEB-HTTP
        loadbalance vip inservice
        loadbalance policy HTTP2HTTPS-POLICY
        loadbalance vip icmp-reply
      class WEB-HTTPS
        loadbalance vip inservice
        loadbalance policy L7-POLICY
        loadbalance vip icmp-reply
        ssl-proxy server INVESTOR-CLIENT
    Syed

  • I need to allow ICMP through the ACE to servers behind the ACE

    I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it. Here's what I have configured. I'm trying to ping from a server outside of the ACE to a server on VLAN 308. When I send my ICMP it should ingress through VLAN 302 and hit the server on VLAN 308. Instead I get nothing, and I see no traffic hits on my policy or in show icmp statistics. I am able to ping the IP addresses on VLAN 302 but nothing on the inside.
    access-list icmp line 10 extended permit icmp any any
    class-map match-all icmp-allow-inspect
      2 match access-list icmp
    policy-map multi-match icmp-allow-inspect-mmpl
      class icmp-allow-inspect
        inspect icmp error
    interface vlan 302 --------- public facing VIPs- ingress
      ip address 71.113.93.37 255.255.255.224
      alias 71.113.93.36 255.255.255.224
      peer ip address 71.113.93.38 255.255.255.224
      service-policy input mgmt
      service-policy input icmp-allow-inspect-mmpl
      no shutdown
    interface vlan 308 ---------- server - L2
      ip address 10.60.22.130 255.255.255.192
      alias 10.60.22.129 255.255.255.192
      peer ip address 10.60.22.131 255.255.255.192
      service-policy input icmp-allow-inspect-mmpl
      no shutdown

    I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server VLAN. The ICMP is received and the connection is closed, but then I get 4 more packets marked PKT_XMT, then the packet is dropped. The capture was done on the ingress VLAN. If I do a capture on the server-side VLAN I get nothing at all in the capture.
    0001: msg_type: PKT_RCV
    ace_id: 6809            action_flag: 0x13
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0002: msg_type: CON_CLOSE
    con_id: 1345505684       out_con_id: 271763861
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0003: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0011: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0019: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0029: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0037: msg_type: PKT_DROP
    con_id: 1345505684           reason: 0
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    This is my access list and it's applied globally with the access-group input ALL command. I also have my default gateway pointing back to my upstream router and there are no other routes on the ACE. I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE. I can ping my backend server from the ACE, but not from anything outside the ACE. I cannot ping anything behind my ACE module.
    access-list ALL line 12 extended permit icmp any any
    access-list ALL line 18 extended permit ip any any
