ACE bypass traffic

Unanswered Question
Jun 26th, 2008
User Badges:

I am migrating from a CSS environment to an ACE module in a 6513. I have an ACE context between VLAN29 and VLAN30 that is a DMZ. VLAN29 faces the firewalls and VLAN30 the real servers. I can access the servers with a serverfarm and a "vip". I need to access the servers real address directly for management, and some of them need direct access to internal resources.

The route table looks like this:

Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA


Is there a way to do this?

Currently I can see the traffic bouncing back and forth from the firewall to the ACE on VLAN29. The ACL on the ACE interfaces:

access-list Allow_All line 10 extended permit ip any any

Syed Iftekhar Ahmed Thu, 06/26/2008 - 10:11

You just need an appropriate access-list on the ACE to access the real servers behind the ACE, and a corresponding inbound access-group allowing the session on the interface where the request is received.

Along with this, routes on the upstream router are required to point to the ACE as next hop to reach the networks where the real servers reside.

For real-server-initiated connections, again you need an ACL and an inbound access-group on the server-side interface. For return traffic you can either NAT these connections or define routes on the upstream routers to point to the ACE as next hop to reach the networks where the real servers reside.


Thanks

Syed Iftekhar Ahmed

bofawcett Thu, 06/26/2008 - 10:40

I would have thought the access list Allow_All shown above would do that, but I will write a more specific one.

Syed Iftekhar Ahmed Thu, 06/26/2008 - 10:44

You don't need a specific ACL.

"ip any any" should do.

Is it applied to both VLANs?


Syed

bofawcett Thu, 06/26/2008 - 11:12

Yes.

Does it need to be applied in both input and output directions on both VLANs?


bofawcett Thu, 06/26/2008 - 11:24

No joy.

Route table:

ACE-6513-1/DMZ# sh ip ro

Routing Table for Context DMZ (RouteId 1)

Codes: H - host, I - interface
       S - static, N - nat
       A - need arp resolve, E - ecmp

Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA


Wireshark captures show packets with the same IPs but MACs reversing until the TTL expires. It looks like traffic to 192.168.30.0/24 is forwarded to the default route instead of out the vlan30 interface. Wireshark on vlan30 never sees it.
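The "same IPs, MACs reversing until the TTL expires" symptom above is a forwarding loop between two adjacent hops, and it can be spotted automatically in a capture. This added Python example is not from the thread; the MAC and IP values are constructed placeholders standing in for the firewall and the ACE vlan29 interface.

```python
"""Flag layer-3 forwarding loops in a frame capture.

Constructed example data (not from the original thread): the firewall and
the ACE hand the same packet back and forth on VLAN29, swapping source and
destination MAC each time while the IP header's TTL drops by one.
"""
from collections import defaultdict

FW_MAC = "00:00:0c:07:ac:01"   # placeholder: firewall inside interface
ACE_MAC = "00:1a:2b:3c:4d:5e"  # placeholder: ACE vlan29 interface

# Constructed capture: (frame_no, src_mac, dst_mac, src_ip, dst_ip, ttl)
CAPTURE = [
    (1, FW_MAC, ACE_MAC, "192.168.1.10", "192.168.30.25", 64),
    (2, ACE_MAC, FW_MAC, "192.168.1.10", "192.168.30.25", 63),
    (3, FW_MAC, ACE_MAC, "192.168.1.10", "192.168.30.25", 62),
    (4, ACE_MAC, FW_MAC, "192.168.1.10", "192.168.30.25", 61),
    # A healthy flow toward the vlan29 subnet: forwarded once, never bounced.
    (5, FW_MAC, ACE_MAC, "192.168.1.11", "192.168.29.40", 64),
]


def find_loops(frames, min_bounces=2):
    """Return {(src_ip, dst_ip): bounce_count} for flows whose consecutive
    frames swap MAC pair and lose exactly one TTL, i.e. the same packet is
    being forwarded back to the hop it just came from."""
    by_flow = defaultdict(list)
    for _, smac, dmac, sip, dip, ttl in frames:
        by_flow[(sip, dip)].append((smac, dmac, ttl))

    loops = {}
    for flow, pkts in by_flow.items():
        bounces = 0
        for (p_src, p_dst, p_ttl), (c_src, c_dst, c_ttl) in zip(pkts, pkts[1:]):
            # Reversed MACs plus TTL decremented by one = one loop iteration.
            if (c_src, c_dst) == (p_dst, p_src) and c_ttl == p_ttl - 1:
                bounces += 1
        if bounces >= min_bounces:
            loops[flow] = bounces
    return loops


if __name__ == "__main__":
    for (sip, dip), n in find_loops(CAPTURE).items():
        print(f"loop suspected: {sip} -> {dip}, bounced {n} times")
```

Run it against frames exported from the vlan29 capture; a flagged destination that the route table says belongs to vlan30 points at a policy (here the firewall load-balance service-policy) overriding the routing decision rather than at the routes themselves.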

Syed Iftekhar Ahmed Thu, 06/26/2008 - 13:24


Why the following route

192.168.0.0/16 192.168.29.225 vlan29 S

when you have a default route pointing to the gateway?


Syed

bofawcett Thu, 06/26/2008 - 13:48

It is redundant; I put that in before the default and never took it out.

I found the problem.

I had a load-balance config for the firewalls and had applied it to both interfaces. It only needs to be on the vlan30 interface. I think I copied this from the example in the manual. I see now it's not a good idea.

