ACE - Need to permit access to allow remote management to servers

Answered Question
Mar 17th, 2009

I am new to the ACE and having a problem figuring out how to allow the server team to manage their servers sitting behind the ACE modules. Load balancing is working great.

ex...

rserver1 = 172.17.252.10

rserver2 = 172.17.252.11

vip = 172.17.252.15

Currently, the server team is not able to use remote desktop, term services, etc. to manage the real servers, i.e. .10 and .11. My ACL permits everything and my multi-match policy map only permits access to the vip and applies load-balancing policies.

What do I need to configure to allow the server team to access their rserver IP addresses to manage each box?

Correct Answer
Syed Iftekhar Ahmed Tue, 03/17/2009 - 10:46

If ACLs are in place then you need to make sure that traffic from server team can be routed successfully to/from the real servers.

Upstream routing devices should have routes for your real servers pointing to the ACE.

HTH

Syed iftekhar Ahmed

mcroberts Tue, 03/17/2009 - 11:32

All of the routing is in place and the real servers' gateways are the ACE. I think my issue lies within the policy map permitting traffic in to the real IP addresses, but I can't find a combination that will permit the required traffic to the real servers' IP addresses.

access-list IB extended permit ip any any

class-map match-any VIP
  match virtual-address 172.17.252.15 tcp eq 80
  match virtual-address 172.17.252.15 tcp eq 443

policy-map multi-match client-vip
  class VIP
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply

interface vlan 252
  ip address 172.17.252.4 255.255.255.192
  service-policy input client-vip
  access-group input IB

Syed Iftekhar Ahmed Tue, 03/17/2009 - 13:05

Policy maps are not needed for "Direct server Access". You just need an ACL and appropriate routes.

Syed

dario.didio Wed, 03/18/2009 - 01:39

Hi, make sure that you configure the IB ACL on the VLAN interface of the server VLAN too, otherwise your return traffic is blocked.

HTH

Kr,

Dario
