ACE - Need to permit access to allow remote management to servers

Answered Question
Mar 17th, 2009

I am new to the ACE and having a problem figuring out how to allow the server team to manage their servers sitting behind the ACE modules. Load balancing is working great.


ex...


rserver1 = 172.17.252.10

rserver2 = 172.17.252.11


vip = 172.17.252.15


Currently, the server team is not able to use remote desktop, term services, etc. to manage the real servers, i.e. .10 and .11. My ACL permits everything and my multi-match policy map only permits access to the vip and applies load-balancing policies.


What do I need to configure to allow the server team to access their rserver IP addresses to manage each box?

Correct Answer
Syed Iftekhar Ahmed Tue, 03/17/2009 - 10:46

If ACLs are in place then you need to make sure that traffic from server team can be routed successfully to/from the real servers.


Upstream routing devices should have routes for your real servers pointing to the ACE.


HTH

Syed Iftekhar Ahmed

mcroberts Tue, 03/17/2009 - 11:32

All of the routing is in place and the real servers' gateways are the ACE. I think my issue lies within the policy map permitting traffic in to the real IP addresses, but I can't find a combination that will permit the required traffic to the real servers' IP addresses.


access-list IB extended permit ip any any

class-map match-any VIP
  match virtual-address 172.17.252.15 tcp eq 80
  match virtual-address 172.17.252.15 tcp eq 443

policy-map multi-match client-vip
  class VIP
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply

interface vlan 252
  ip address 172.17.252.4 255.255.255.192
  service-policy input client-vip
  access-group input IB

Syed Iftekhar Ahmed Tue, 03/17/2009 - 13:05

Policy maps are not needed for "Direct server Access". You just need an ACL and appropriate routes.



Syed

dario.didio Wed, 03/18/2009 - 01:39

Hi, make sure that you configure the IB ACL on the VLAN interface of the server VLAN too, otherwise your return traffic is blocked.


HTH


Kr,

Dario
