06-26-2008 10:00 AM
I am migrating from a CSS environment to an ACE module in a 6513. I have an ACE context between VLAN29 and VLAN30 that is a DMZ. VLAN29 faces the firewalls and VLAN30 the real servers. I can access the servers with a serverfarm and a "vip". I need to access the servers real address directly for management, and some of them need direct access to internal resources.
The route table looks like this:
Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA
Is there a way to do this?
Currently I can see the traffic bouncing back and forth from the firewall to the ACE on VLAN29. The ACL on the ACE interfaces:
access-list Allow_All line 10 extended permit ip any any
06-26-2008 10:11 AM
You just need appropriate access-list on ACE to access real servers behind ACE and corresponding inbound access-group allowing the session on the interface where the request is received.
Along with this routes on the upstream router are required to point to the ACE as next-hop to reach the Networks where Real Servers reside.
For Real server initiated connections again you need an ACL and inbound access group on server side interface. For return traffic You can either NAT these connections or define routes on upstream routers to point to the ACE as next-hop to reach the Networks where Real Servers reside.
Thanks
Syed Iftekhar Ahmed
06-26-2008 10:40 AM
I would have thought the access list Allow_All shown above would do that, but I will write a more specific one.
06-26-2008 10:44 AM
You don't need a specific ACL.
IP any any should do.
Is it applied to both vlans?
Syed
06-26-2008 11:12 AM
Yes.
Does it need to be applied in both input and output directions on both VLANs?
06-26-2008 11:24 AM
No joy.
Route table:
ACE-6513-1/DMZ# sh ip ro
Routing Table for Context DMZ (RouteId 1)
Codes: H - host, I - interface
S - static, N - nat
A - need arp resolve, E - ecmp
Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA
Wireshark captures show packets with the same IPs but MACs reversing until the TTL expires. It looks like traffic for 192.168.30.0/24 is forwarded to the default route instead of out the vlan30 interface. Wireshark on vlan30 never sees it.
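Two checks for the symptom just described, added here as an example and not taken from the thread or from Cisco: a longest-prefix lookup over the routing table above (to confirm that 192.168.30.0/24 is a connected route and cannot fall to the default), and a detector that flags a flow bouncing between two MACs with a decrementing TTL in a capture. The capture records, the MACs and the host addresses 10.1.1.5 and 192.168.30.10 are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Routing table as printed by "sh ip ro" in the thread; gateway 0.0.0.0 means connected.
ROUTES = [
    ("0.0.0.0/0", "192.168.29.225", "vlan29"),
    ("192.168.0.0/16", "192.168.29.225", "vlan29"),
    ("192.168.29.0/24", "0.0.0.0", "vlan29"),
    ("192.168.30.0/24", "0.0.0.0", "vlan30"),
]

def lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, intf in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, intf)
    return None if best is None else (best[1], best[2])

def detect_loops(packets, min_frames=3):
    """Group frames by (src_ip, dst_ip). A flow is a forwarding loop when the TTL
    strictly decreases frame after frame while the same two MACs keep swapping
    roles. Returns {flow: number of frames seen}."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src_ip"], p["dst_ip"])].append(p)
    loops = {}
    for flow, frames in flows.items():
        if len(frames) < min_frames:
            continue
        ttls = [f["ttl"] for f in frames]
        mac_pairs = {frozenset((f["src_mac"], f["dst_mac"])) for f in frames}
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        swapping = all(frames[i]["src_mac"] == frames[i + 1]["dst_mac"]
                       for i in range(len(frames) - 1))
        if decreasing and len(mac_pairs) == 1 and swapping:
            loops[flow] = len(frames)
    return loops

# Constructed capture: firewall (FW) and ACE bouncing one packet on VLAN29.
FW, ACE = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
BOUNCING = [{"src_ip": "10.1.1.5", "dst_ip": "192.168.30.10", "ttl": 64 - i,
             "src_mac": FW if i % 2 == 0 else ACE, "dst_mac": ACE if i % 2 == 0 else FW}
            for i in range(6)]
# Constructed healthy flow: one request and one reply, nothing to flag.
NORMAL = [{"src_ip": "10.1.1.5", "dst_ip": "192.168.30.11", "ttl": 64, "src_mac": FW, "dst_mac": ACE},
          {"src_ip": "192.168.30.11", "dst_ip": "10.1.1.5", "ttl": 63, "src_mac": ACE, "dst_mac": FW}]
```

If the lookup returns vlan30 for a server address while the capture still shows the bounce, the routing table is not the fault and the interface policies are the next thing to check.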
06-26-2008 01:24 PM
Why the following route
192.168.0.0/16 192.168.29.225 vlan29 S
when you have a default route pointing to the gateway?
Syed
06-26-2008 01:48 PM
It is redundant, I put that in before the default, and never took it out.
I found the problem.
I had a load balance config for the firewalls and had applied it to both interfaces. It only needs to be on the vlan30 interface. I think I copied this from the example in the manual. I see now it's not a good idea.