ACE for layer 4 redirection

Unanswered Question
Sep 21st, 2008


I've asked a part of this question before, but need further clarification. Hope someone can help.

We are trying to deploy an ACE to transparently redirect HTTP traffic to a set of proxy servers that are also doing some content filtering. The following is the expected high-level setup.

clients -----[ACE]----- internet
            |   |   |
    [proxy 1] [proxy 2] [proxy 3]

The proxy servers have to go through the ACE again to access the internet. The returning traffic should also go back through the ACE to the same proxy server that catered for the forward traffic. As the proxy does not modify the source IP of the forward traffic (the source IP of the packets going to the internet remains the actual client IP), this appears to be a problem. Would you be able to suggest a solution?

Many thanks

Gilles Dufour Mon, 09/22/2008 - 00:19
Cisco Employee

That should not be a problem because the vlans are different and the vlan is part of the flow matching function.

So the response from the internet to the client will come on a different vlan than the response from the proxy to the client.

The vlan being different, ACE is able to distinguish between the 2 flows.


thedinuka Mon, 09/22/2008 - 00:48

Hi, thanks for the response, but I don't think I understand you fully. When the internet traffic is coming back to the ACE, how do I match that traffic so that it can be sent back to the proxy server farm? And then how do I send that traffic to the same proxy which originated that HTTP request on behalf of the client to the internet?

So sorry if I'm missing your point here.


Gilles Dufour Mon, 09/22/2008 - 02:47
Cisco Employee

You don't have to worry about the response.

ACE will set up the return flow automatically when the request comes in.


thedinuka Mon, 09/22/2008 - 03:01

Yes, but two problems.

1.) Since the return packet from the internet has the actual client (not the proxy) IP address as the destination IP, will that traffic go back to the proxy rather than directly to the client?

2.) Even if it can be sent back to the proxy server farm, how can I ensure that it will go to the same proxy that originated the HTTP request, etc.?

Sorry to bother you this much.

Thanks again.
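
A simplified model of the point made in the replies above, that the VLAN is part of the flow key and the return entry is installed when the request arrives. This is an added example, not ACE code or configuration and not part of the thread; the VLAN numbers, addresses, ports and the `FlowTable` class are constructed for illustration, and the model tracks only the egress VLAN, not which proxy on that VLAN receives the packet.

```python
from typing import NamedTuple, Optional

class Key(NamedTuple):
    vlan: Optional[int]  # ingress VLAN; None when the table ignores VLANs
    src: str
    sport: int
    dst: str
    dport: int

# Constructed values, not taken from the thread.
CLIENT_VLAN, PROXY_VLAN, INTERNET_VLAN = 10, 20, 30
CLIENT, SERVER = "10.1.1.5", "203.0.113.80"

class FlowTable:
    def __init__(self, use_vlan=True):
        self.use_vlan = use_vlan
        self.entries = {}     # Key -> egress VLAN
        self.collisions = []  # keys overwritten with a different egress

    def _key(self, vlan, src, sport, dst, dport):
        return Key(vlan if self.use_vlan else None, src, sport, dst, dport)

    def _install(self, key, egress):
        if self.entries.get(key, egress) != egress:
            self.collisions.append(key)
        self.entries[key] = egress

    def open_flow(self, in_vlan, out_vlan, src, sport, dst, dport):
        """Install the forward entry and, at the same time, the return entry."""
        self._install(self._key(in_vlan, src, sport, dst, dport), out_vlan)
        # Return packets arrive on out_vlan with addresses and ports swapped.
        self._install(self._key(out_vlan, dst, dport, src, sport), in_vlan)

    def lookup(self, in_vlan, src, sport, dst, dport):
        return self.entries.get(self._key(in_vlan, src, sport, dst, dport))

def build(use_vlan):
    t = FlowTable(use_vlan)
    # Leg 1: the client's request is redirected to the proxy VLAN.
    t.open_flow(CLIENT_VLAN, PROXY_VLAN, CLIENT, 40000, SERVER, 80)
    # Leg 2: the proxy forwards to the internet, keeping the client's source
    # IP (and, in this constructed worst case, the same source port).
    t.open_flow(PROXY_VLAN, INTERNET_VLAN, CLIENT, 40000, SERVER, 80)
    return t

if __name__ == "__main__":
    for use_vlan in (True, False):
        t = build(use_vlan)
        print(use_vlan, len(t.entries), "entries,", len(t.collisions), "collisions")
```

With the VLAN in the key, the same server-to-client tuple resolves to the proxy VLAN when it arrives from the internet side and to the client VLAN when it arrives from the proxy side; without it, the second leg overwrites the first.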


