One Armed nat to multiple ports on a single server

Unanswered Question
Jun 29th, 2010

Basically I want to do PAT to multiple ports on a single server.  The problem that I am seeing is that regular IP load-balancing is not forwarding http requests to specific directories.  We can overcome this with a redirect to the appropriate directory but the IP and port is not being masked.

So the vip is X.X.X.1:15000 and we are trying to load-balance to X.X.X.2 on ports 80 81 82 to a directory X.X.X.2/TEST.  How can I NAT and load-balance to multiple ports while masking the rserver IP address?

I have seen multiple examples, but nothing with this combination.

If I put:

rserver host TEST1
  ip address X.X.X.2 80
  inservice

rserver host TEST2
  ip address X.X.X.2 81
  inservice

rserver host TEST3
  ip address X.X.X.2 82
  inservice

The traffic is load-balanced and nat'd, but the directories are not reachable.  If I do the redirect, the destination IP and port are not masked.

Sean Merrow Tue, 06/29/2010 - 08:14

Hello,

I'm assuming that the client is coming into the VIP as http://www.example.com/ and you want them to be load balanced to the server on one of the three ports, but to http://www.example.com/test

Is this correct?

If so, then you would configure a redirect that would have the ACE redirect the client to come back to the same VIP but with the /test at the end of their URL.  Now the ACE will load balance the connection to the rserver on one of the ports configured, perform NAT, and the client's request will have the /test at the end of the URL.

Is this what you're looking for?

Sean

aweaver7 Tue, 06/29/2010 - 08:25

More or less.  The problem is that when I do the redirect the %h doesn't seem to work?  Or I am not understanding how to implement it.  We are currently working with IPs and not FQDNs.

So how do I apply the redirect and still load-balance to the same IP port 80 81 and 82 while masking the destination?  Do you have some sample code?

Sean Merrow Tue, 06/29/2010 - 08:48

I'm not sure I understand what you mean by "masking the destination".  Below is a sample config that will take a request from a client for http://10.10.10.100/ and redirect the client to connect to http://10.10.10.100/test/.  After the client connects to the new URL on the same VIP and port, the ACE will load balance the client to the rserver on one of the three configured ports and to the /test URL.  It will also perform source NAT on the one-armed config.

rserver redirect REDIRECT-TO-TEST-DIR
  webhost-redirection http://10.10.10.100/test/ 301
  inservice

rserver host SERVER_01
  ip address 10.10.10.20
  inservice

serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-TEST-DIR
    inservice

serverfarm host REAL_SERVERS
  probe HTTP-KEEPALIVE
  rserver SERVER_01 80
    inservice
  rserver SERVER_01 81
    inservice
  rserver SERVER_01 82
    inservice

class-map match-all HTTP-VIP
  2 match virtual-address 10.10.10.100 tcp eq http

class-map type http loadbalance match-any ROOT
  2 match http url /

policy-map type loadbalance first-match SLB-LOGIC
  class ROOT
    serverfarm REDIRECT-SERVERFARM
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy SLB-LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10

interface vlan 10
  description Servers vlan
  ip address 10.10.10.2 255.255.255.0
  access-group input ANYONE
  service-policy input WEB-TRAFFIC
  nat-pool 1 10.10.10.10 10.10.10.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

Does this help?

Sean

aweaver7 Tue, 06/29/2010 - 09:24

Sean,

I think this is what I was looking for, this seems to tie everything together.  I will do some testing today and see how it works out?  We have 1 6.3a is that a problem?

Thanks!

Sean Merrow Tue, 06/29/2010 - 09:29

I would highly encourage you to upgrade to A2(3.1) before you get started.  The code you are on is very old and many, many bugs have been fixed since then.  We have also added a lot of popular features since then.

Sean

aweaver7 Tue, 06/29/2010 - 10:31

Would X.X.X.X/test work the same as well?  I can't figure out why it's not working, must be the code and not the configs.  What if the server is doing the redirecting?  Should that matter?

Sean Merrow Tue, 06/29/2010 - 10:42

So with the example I gave it would work like this:

  1. Client connects to http://10.10.10.100/ or http://www.example.com/ (assuming DNS will resolve www.example.com to the VIP)
  2. ACE redirects the client to http://10.10.10.100/test/
  3. Client connects to http://10.10.10.100/test/
  4. ACE load balances client connection to the server on one of the three ports

If you wanted, you could change the string '10.10.10.100' in the relocation string to www.example.com, as long as www.example.com will resolve to the VIP.  Or, as long as DNS will resolve www.example.com to the VIP, then you could change the host from 10.10.10.100 to %h in the relocation string.  In that case, it would be http://%h/test/

It is fine if the server is sending a redirect, as long as the host in the redirect Location header is either the VIP or an FQDN that resolves to the VIP.

Hope this helps,

Sean
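
The condition in the last reply (a redirect is fine only if the host in the Location header is the VIP or a name that resolves to it) can be checked mechanically. The following is an added example, not part of the original thread and not Cisco code: it expands the %h relocation string and classifies redirect responses as pointing at the VIP or exposing the real server's address or port. The addresses come from the sample config above; the function names and sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Values from the sample config in the thread; the FQDN is assumed to resolve to the VIP.
VIP_HOSTS = {"10.10.10.100", "www.example.com"}
VIP_PORT = 80

def expand_relocation(template, host_header):
    """Expand %h in a relocation string with the Host header the client sent."""
    return template.replace("%h", host_header)

def location_of(raw_response):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def check_redirect(request_url, raw_response):
    """Return 'none' (no redirect), 'ok' (target is the VIP) or 'leak'."""
    loc = location_of(raw_response)
    if loc is None:
        return "none"
    # A relative Location resolves against the URL the client used, i.e. the VIP.
    target = urlsplit(urljoin(request_url, loc))
    port = target.port or (443 if target.scheme == "https" else 80)
    if target.hostname in VIP_HOSTS and port == VIP_PORT:
        return "ok"
    return "leak"   # client would be sent to an address or port other than the VIP

# Constructed sample responses (not captured traffic).
ACE_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\nLocation: "
                + expand_relocation("http://%h/test/", "10.10.10.100") + "\r\n\r\n")
SERVER_ABSOLUTE = "HTTP/1.1 302 Found\r\nLocation: http://10.10.10.20:81/test/\r\n\r\n"
SERVER_RELATIVE = "HTTP/1.1 302 Found\r\nLocation: /test/\r\n\r\n"
NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, resp in [("ACE redirect", ACE_REDIRECT),
                       ("server absolute", SERVER_ABSOLUTE),
                       ("server relative", SERVER_RELATIVE),
                       ("no redirect", NO_REDIRECT)]:
        print(f"{name:16} -> {check_redirect('http://10.10.10.100/', resp)}")
```

A server-side redirect that builds an absolute URL from its own listening address and port is the case reported as 'leak'; a relative Location, or one built from the VIP, passes.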
