11-10-2008 03:30 PM
We have a CSS that appears to be rewriting the client source IP for HTTP requests with its own IP. This is an issue as we're unable to log the real IPs of the clients requesting HTTP data.
The config is attached.
Any assistance would be appreciated.
11-10-2008 03:37 PM
11-10-2008 09:33 PM
It's doing it because you configured it to do so.
Group commands in the configurations are translating the source IPs.
Since your services & VIPs are on the same subnet, source natting is required for clients sitting in the same subnet.
Syed Iftekhar Ahmed
11-11-2008 09:11 AM
We had just discovered this recently.
Is it possible to log the real source IPs?
Thanks for the input.
11-12-2008 12:52 PM
Seeing as the issue is with the group commands, is there any way to achieve local VIP access without the use of groups (different subnet?), or if not to export the real source IPs in the form of an X-Forwarded-For or other HTTP variable?
11-12-2008 09:30 PM
It's possible with ACE to insert headers, but X-Forwarded-For cannot be inserted for HTTP traffic on CSS.
The only option to get the source IP is to redesign your topology such that it's totally routed.
Your VIPs should be listening on a different Layer 3 network than the Services.
Syed Iftekhar Ahmed
11-14-2008 08:22 AM
Thanks Syed.
Do you have an example of how this would look in our situation? I'm having trouble locating Cisco documentation on this.
Much appreciated,
Mark