03-09-2012 04:34 PM
I am configuring the ACE for bridged mode. However, the real server is seeing VIP IP but not Client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?
I tried to turn ON/OFF normalization but it is still not working.
Thanks,
Vincent
==============================
Here is my configuration:
rserver host 192.168.71.71
ip address 192.168.71.71
inservice
serverfarm host WEB_FARM
failaction purge
probe ICMP
rserver 192.168.71.71
inservice
access-list PERMIT-BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
timeout 180
replicate sticky
serverfarm WEB_FARM
class-map match-all WEB_FARM_VIP
2 match virtual-address 192.168.71.154 tcp eq 80
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any
policy-map type loadbalance first-match WEB_FARM_Policy
class class-default
sticky-serverfarm WEB_FARM_Sticky
policy-map multi-match WEB_VIPS
class WEB_FARM_VIP
loadbalance vip inservice
loadbalance policy WEB_FARM_Policy
loadbalance vip icmp-reply active
nat dynamic 6 vlan 31
nat dynamic 5 vlan 21
interface vlan 21
description Client VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
interface vlan 31
description Server VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
no shutdown
interface bvi 171
ip address 192.168.71.3 255.255.255.0
no shutdown
03-09-2012 05:45 PM
The reason you aren't seeing the client IPs is because of these NAT statements.
interface vlan 21
description Client VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
interface vlan 31
description Server VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
no shutdown
This is telling the ACE to Source NAT to these addresses. You shouldn't need either of these unless you need the source NATing for your rservers to connect outbound to other servers from the VIP address. At minimum you should be able to remove the NAT statement from the vlan 31 interface.
03-09-2012 06:11 PM
If I removed the nat-pool statements <nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat >, the service is not working right away. Any idea?
03-09-2012 10:08 PM
Do you have a default route on the ACE and the rservers? Are they all pointing to the same IP? I have the same configuration. An ACE 4710 in transparent mode, but I have no NATing and my rservers are able to see the original client IPs (security requirement).
Here is part of my config for one serverfarm
rserver host RS_MIDTIER_220
description
ip address 172.31.0.131
inservice
rserver host RS_MIDTIER_221
description
ip address 172.31.0.132
inservice
rserver host RS_MIDTIER_222
description
ip address 172.31.0.133
inservice
rserver redirect RS_SSL_Redirects
webhost-redirection https://%h/%p 301
inservice
!
action-list type modify http SSL_URL_REWRITE
ssl url rewrite location ".*"
!
serverfarm redirect SF_SSL_Redirects
predictor leastconns
rserver RS_SSL_Redirects
inservice
serverfarm host SF_Midtier_Prod
description Midtier Production
predictor leastconns
probe APACHE
probe ICMP
rserver RS_MIDTIER_220 80
inservice
rserver RS_MIDTIER_221 80
inservice
rserver RS_MIDTIER_222 80
inservice
!
ssl-proxy service SSL_PSERVICE_MIDTIER_PROD
key
cert
chaingroup EntrustChainGroup
!
sticky http-cookie JSESSIONID Sticky_Jsession_Cookie_Midtier_Prod
timeout 90
serverfarm SF_Midtier_Prod
!
class-map type management match-any REMOTE_MGT_ACCESS
description remote access traffic match
2 match protocol ssh source-address
4 match protocol https source-address
5 match protocol snmp source-address
!
class-map match-any VS_Midtier_Prod_L3SLB
description Midtier Prod IPs
2 match virtual-address 172.31.0.46 tcp eq https
3 match virtual-address 172.31.0.47 tcp eq https
!
class-map match-any VS_SSL_Redirects
description Redirects any http VIPS to https
5 match virtual-address 172.31.0.46 tcp eq www
6 match virtual-address 172.31.0.47 tcp eq www
!
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGT_ACCESS
permit
!
policy-map type loadbalance http first-match Midtier_Prod_L4SLB
class class-default
sticky-serverfarm Sticky_Jsession_Cookie_Midtier_Prod
action SSL_URL_REWRITE
!
policy-map type loadbalance first-match SSL_Redirect_L4SLB
class class-default
serverfarm SF_SSL_Redirects
!
policy-map multi-match Farm_VIPS
class VS_SSL_Redirects
loadbalance vip inservice
loadbalance policy SSL_Redirect_L4SLB
class VS_Midtier_Prod_L3SLB
loadbalance vip inservice
loadbalance policy Midtier_Prod_L4SLB
loadbalance vip icmp-reply active
ssl-proxy server SSL_PSERVICE_MIDTIER_PROD
!
interface vlan 100
description DMZ ACE frontside
bridge-group 1
access-group input BPDUALLOW
access-group input ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input Farm_VIPS
no shutdown
interface vlan 110
description DMZ ACE backside
bridge-group 1
access-group input BPDUALLOW
access-group input ALL
no shutdown
!
interface bvi 1
ip address 172.31.0.150 255.255.255.0
no shutdown
rserver redirect RS_SSL_Redirects
webhost-redirection https://%h/%p
301
inservice
!
domain
ip route 0.0.0.0 0.0.0.0 172.31.0.1
03-09-2012 10:19 PM
I have the default route 0.0.0.0 0.0.0.0 192.168.1.1 which is management VLAN. I dont have any default route on rservers. Can I have a copy of your configuration? My email is vtnguyen@gmail.com. I am deeply appreciated your help.
03-09-2012 10:20 PM
I think if you add a default route on your rservers they should start working. With the source NAT in place they never need to go outside the local subnet. When you remove the source NAT they can't get back to the client because they don't have a default gateway. The default route on the ACE should be in the same subnet as the BVI interface.
Did you also remove these lines:
policy-map multi-match WEB_VIPS
class WEB_FARM_VIP
loadbalance vip inservice
loadbalance policy WEB_FARM_Policy
loadbalance vip icmp-reply active
nat dynamic 6 vlan 31
nat dynamic 5 vlan 21
03-09-2012 10:58 PM
Yes, I removed those 2 nat dynamic 5 and 6 lines. It is still not working. I am going through my configuration now.
03-09-2012 11:57 PM
For rservers, what is the gateway you using, 172.31.0.1 or 172.31.0.150?
03-10-2012 06:24 AM
Yes, the ACE and the rservers are all on the same subnet and therefore are using the same default gateway 172.31.0.1
03-12-2012 12:28 PM
David,
Do you have only < ip route 0.0.0.0 0.0.0.0 172.31.0.1 > in your ACE or you have more than ip route statement for each different subnet if you have servers are running on different VLAN/subnets?
Thanks,
03-12-2012 01:02 PM
All my rservers and VIPs are on the same subnet and the default gateway is a firewall so I only have the one route on the ACE.
03-12-2012 01:11 PM
Vincent,
Can you issue the command "show arp" from the ACE context. Pay attention to what vlan the gateway and servers are in. My suspicion is that your servers are on the same vlan as the gateway where they should be in the vlan behind the ACE. The servers default gateway should still be pointing to the FW address but this server needs to be physically behind the ACE not in front of it. If your servers are in the opposite vlan as the gateway then this is not your problem.
Hope this helps
Jim
03-12-2012 01:16 PM
Hi Jim,
I am using Bridged mode that both Client and Server VLAN are on the same subnet. Your suggestion is Routed mode I think.
Thanks,
Vincent
03-12-2012 01:24 PM
Vincent,
the difference between routed and bridge mode is in routed mode The two vlans are in different subnets. In bridge mode both vlans are in the same subnet. If your servers are showing up in the same vlan as the gateway then you are in a one-armed mode not bridged. The ACE by default does server nat. Client to vip entering the ACE client to server ip when leaving. If the reply from the server does not pass back through the ACE it cannot change the server IP back to the vip that the client talked to.
In bridge mode you have the servers on the vlan behind the ACE so the reply has to pass back through the ACE.
Regards
Jim
03-12-2012 01:29 PM
Jim,
Can you tell me David's setup is in bridged mode or one-armed mode? Since I have identical with his setup. My Client VLAN, Server VLAN, BVI and Real Server IP are on the same subnet and all are using default gateway on the ASA firewall.
Thanks,
Vincent
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide