ACE bypass traffic

bofawcett
Level 1

I am migrating from a CSS environment to an ACE module in a 6513. I have an ACE context between VLAN29 and VLAN30 that is a DMZ. VLAN29 faces the firewalls and VLAN30 the real servers. I can access the servers with a serverfarm and a "vip". I need to access the servers' real addresses directly for management, and some of them need direct access to internal resources.

The route table looks like this:

Destination Gateway Interface Flags
------------------------------------------------------------------------
0.0.0.0 192.168.29.225 vlan29 S
192.168.0.0/16 192.168.29.225 vlan29 S
192.168.29.0/24 0.0.0.0 vlan29 IA
192.168.30.0/24 0.0.0.0 vlan30 IA

Is there a way to do this?

Currently I can see the traffic bouncing back and forth from the firewall to the ACE on VLAN29. The ACL on the ACE interfaces:

access-list Allow_All line 10 extended permit ip any any


You just need an appropriate access-list on the ACE to access real servers behind the ACE and a corresponding inbound access-group allowing the session on the interface where the request is received.

Along with this, routes on the upstream router are required to point to the ACE as next-hop to reach the networks where the real servers reside.

For real-server-initiated connections, again you need an ACL and inbound access-group on the server-side interface. For return traffic you can either NAT these connections or define routes on upstream routers to point to the ACE as next-hop to reach the networks where the real servers reside.

Thanks

Syed Iftekhar Ahmed

I would have thought the Allow_All access list shown above would do that, but I will write a more specific one.

You don't need a specific ACL.

IP any any should do.

Is it applied to both vlans?

Syed

Yes.

Does it need to be applied in both input and output directions on both VLANs?

no joy.

Route table:

ACE-6513-1/DMZ# sh ip ro
Routing Table for Context DMZ (RouteId 1)
Codes: H - host, I - interface
S - static, N - nat
A - need arp resolve, E - ecmp
Destination Gateway Interface Flags
------------------------------------------------------------------------
0.0.0.0 192.168.29.225 vlan29 S
192.168.0.0/16 192.168.29.225 vlan29 S
192.168.29.0/24 0.0.0.0 vlan29 IA
192.168.30.0/24 0.0.0.0 vlan30 IA

Wireshark captures show packets with the same IPs but MACs reversing until the TTL expires. It looks like traffic to 192.168.30.0/24 is forwarded to the default route instead of out the vlan30 interface. Wireshark on vlan30 never sees it.
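Added example, not from the thread: a small Python check over a constructed capture summary that flags the bounce pattern described above (same IP pair, source and destination MAC swapping on every packet, TTL dropping by one each time). The line layout and the MAC addresses are hypothetical, not real Wireshark output.

```python
from collections import defaultdict

# Constructed sample in a hypothetical "time src_mac dst_mac src_ip dst_ip ttl"
# layout. The first flow loops between two hops; the last line is a healthy packet.
SAMPLE_CAPTURE = """\
0.000 aa:aa:aa:00:00:29 bb:bb:bb:00:00:01 192.168.29.10 192.168.30.50 64
0.001 bb:bb:bb:00:00:01 aa:aa:aa:00:00:29 192.168.29.10 192.168.30.50 63
0.002 aa:aa:aa:00:00:29 bb:bb:bb:00:00:01 192.168.29.10 192.168.30.50 62
0.003 bb:bb:bb:00:00:01 aa:aa:aa:00:00:29 192.168.29.10 192.168.30.50 61
0.010 aa:aa:aa:00:00:29 cc:cc:cc:00:00:30 192.168.29.10 192.168.30.51 64
"""

def parse_capture(text):
    """Parse the six-column summary into a list of packet dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        t, smac, dmac, sip, dip, ttl = parts
        rows.append({"time": float(t), "smac": smac, "dmac": dmac,
                     "sip": sip, "dip": dip, "ttl": int(ttl)})
    return rows

def find_loops(rows, min_hops=3):
    """Return {(src_ip, dst_ip): longest_run} for flows whose consecutive packets
    swap src/dst MAC while the TTL decrements by exactly one: two L3 hops handing
    the same packet back and forth, which is what a routing bounce looks like."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[(r["sip"], r["dip"])].append(r)
    loops = {}
    for flow, pkts in by_flow.items():
        run = best = 1
        for prev, cur in zip(pkts, pkts[1:]):
            swapped = cur["smac"] == prev["dmac"] and cur["dmac"] == prev["smac"]
            if swapped and cur["ttl"] == prev["ttl"] - 1:
                run += 1
                best = max(best, run)
            else:
                run = 1
        if best >= min_hops:
            loops[flow] = best
    return loops

if __name__ == "__main__":
    for flow, hops in find_loops(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"loop suspected for {flow[0]} -> {flow[1]}: {hops} bounces seen")
```

A flow that trips this check points at a next-hop mismatch (the ACE and the firewall each believing the other owns the destination), which is where the route table and interface policy should be compared.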

Why the following route

192.168.0.0/16 192.168.29.225 vlan29 S

when you have a default route pointing to the gateway?

Syed

It is redundant, I put that in before the default, and never took it out.

I found the problem.

I had a load-balance config for the firewalls and had applied it to both interfaces. It only needs to be on the vlan30 interface. I think I copied this from the example in the manual. I see now it's not a good idea.
