Cisco Support Community
New Member

15501 CSS rewrites client source IP address with its own

We have a CSS that appears to be rewriting the client source IP for HTTP requests with its own IP. This is an issue as we're unable to log the real IPs of the clients requesting HTTP data.

The config is attached.

Any assistance would be appreciated.

6 REPLIES
New Member

Re: 15501 CSS rewrites client source IP address with its own

Configuration

Re: 15501 CSS rewrites client source IP address with its own

It's doing it because you configured it to do so.

Group commands in the configurations are translating the source IPs.

Since your services & VIPs are on the same subnet, source NATing is required for clients sitting in the same subnet.

Syed Iftekhar Ahmed

New Member

Re: 15501 CSS rewrites client source IP address with its own

We had just discovered this recently.

Is it possible to log the real source IPs?

Thanks for the input.

New Member

Re: 15501 CSS rewrites client source IP address with its own

Seeing as the issue is with the group commands, is there any way to achieve local VIP access without the use of groups (different subnet?), or if not to export the real source IPs in the form of an X-Forwarded-For or other HTTP variable?

Re: 15501 CSS rewrites client source IP address with its own

It's possible with ACE to insert headers, but X-Forwarded-For cannot be inserted for HTTP traffic on CSS.

The only option to get the source IP is to redesign your topology such that it's totally routed.

Your VIPs should be listening on a different Layer 3 network than the Services.

Syed Iftekhar Ahmed

New Member

Re: 15501 CSS rewrites client source IP address with its own

Thanks Syed.

Do you have an example of how this would look in our situation? I'm having trouble locating Cisco documentation on this.

Much appreciated,

Mark
