ACE on a DMZ

Apr 9th, 2009

Hello, I have a setup where the ACE is deployed on a DMZ and is doing SSL offloading for clients connecting from the outside interface to an authorization server on the inside.

ACE is connected through one leg on a switch in the DMZ.

The problem is that when the client initiates the connection from the outside, it arrives at the ACE, but the ACE isn't able to offload the connection to the server on the inside.

I have reviewed all the NAT on the ASA and I'm positive the problem isn't there. Is there any additional inspection to be done on the ASA, or any other hint?

dario.didio Thu, 04/09/2009 - 23:46

Can you post your config? It's hard to make a picture of your setup without it.


Is it an SSL problem? Do you see hits on your VIP (sh service-policy detail)?

Routed or Bridged mode?

Are all VLANs added to the trunk?


More info is needed.


k.abillama Thu, 04/09/2009 - 23:52

The config is confidential; it's not mine :)

However, I can provide you with all the needed info.

The mode is routed, there are hits on the VIP, and there is no trunk; the switchport is assigned to VLAN 2.

Is this enough?


dario.didio Fri, 04/10/2009 - 00:00

Normally you should have a VLAN connected to the outside (client-VLAN) and a VLAN connected to the inside (server-VLAN).


Like you said, the ACE is connected through one leg with a DMZ switch. I assume nothing else is connected on the ACE (no servers, no ASA)?


When a connection hits the VIP via the client VLAN, the ACE should load balance and send it to a server on the server VLAN.


This is not the case when working in one-arm mode, which you are not as you stated.


If the ACE is connected through one leg, both the client and server VLANs need to pass over this link, so a trunk between the ACE and the DMZ switch is needed.


I assume your VLAN 2 is the client VLAN (outside VLAN)?


HTH,

Dario

k.abillama Fri, 04/10/2009 - 00:34

The ACE is indeed connected through one leg on the DMZ of the ASA; by outside and inside I meant the outside and inside zones of the ASA.

Both server and client requests are indeed passing through this link.

I'm attaching the config, it's easier :)



dario.didio Fri, 04/10/2009 - 00:45

Hi,


You are using one-arm mode, not routed :-) (thanks for the config ;)


For the ACE to work properly, you need to make sure that traffic to the server and return traffic follow the same path.


In your case, the request hits the VIP and the ACE load balances correctly, but the server sees that the source address is elsewhere and replies to its default gateway, not to the ACE.


For one-arm mode to work, you should implement source NAT on the ACE, so that the source address is NATed to the ACE's own address. This way, the server will reply to the ACE, and the ACE replies to the client.


Refer to this example of one-arm mode:


http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example


HTH,

Dario

k.abillama Fri, 04/10/2009 - 01:16

Hi Dario,


Thanks for the clarification, especially because I'm new to ACE.

However, in my setup I'm using only the SSL offloading feature (not the load balancing); I guess it should apply as well.

Another thing: since I didn't know we could configure SNAT on the ACE, I did it on the ASA. Could that be a workaround, or is it a must to configure SNAT on the ACE?

dario.didio Fri, 04/10/2009 - 02:35

Hi,


You are doing load balancing, but over only one server ;-)


It is mandatory to configure it on the ACE.


Like it is now, SNAT on ASA:


Packet from client arrives on the ASA ==> ASA does SNAT to its own internal address in VLAN 2 ==> sends the packet to the VIP on the ACE ==> VIP chooses a server and sends it to that server ==> server processes and replies to the source of the packet: the server answers the ASA, bypassing the ACE.


That's why the server needs to see the ACE address as source, so it can answer the ACE, which in its turn answers the ASA.


HTH,

Dario

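As an added illustration (not the poster's attached config, which is not on this page), here is a minimal ACE one-arm configuration of the kind Dario describes: SSL is terminated on the VIP, and the client source address is NATed to an ACE-owned address in VLAN 2 so the inside server's replies come back through the ASA to the ACE instead of bypassing it. All addresses, object names and the certificate/key filenames are constructed assumptions.

```text
! Constructed example: ACE one-arm on the ASA DMZ, single leg in VLAN 2.
! The ASA DMZ interface (192.168.2.1) remains the ACE's default gateway,
! and the inside server (10.1.1.20) keeps the ASA as its default gateway.
access-list ALL line 10 extended permit ip any any

! The single inside authorization server, reached through the ASA.
rserver host AUTH-SRV
  ip address 10.1.1.20
  inservice

! Clear-text port on the server, since SSL is offloaded on the ACE.
serverfarm host AUTH-FARM
  rserver AUTH-SRV 80
    inservice

! Placeholder cert/key names; they must first be loaded with "crypto import".
ssl-proxy service SSL-TERM
  key auth-key.pem
  cert auth-cert.pem

class-map match-all VIP-HTTPS
  2 match virtual-address 192.168.2.100 tcp eq https

policy-map type loadbalance first-match AUTH-LB
  class class-default
    serverfarm AUTH-FARM

policy-map multi-match DMZ-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy AUTH-LB
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-TERM
    ! The fix: rewrite the client source to pool 1 (192.168.2.3), an address
    ! the ACE owns, so the server's reply is routed back to the ACE.
    nat dynamic 1 vlan 2

interface vlan 2
  ip address 192.168.2.2 255.255.255.0
  access-group input ALL
  nat-pool 1 192.168.2.3 192.168.2.3 netmask 255.255.255.255 pat
  service-policy input DMZ-VIPS
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.2.1
```

With this in place, the VIP hit counters in `show service-policy DMZ-VIPS detail` should increase together with established connections toward 10.1.1.20 sourced from 192.168.2.3, which is the path the ASA-side SNAT could not provide.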