
New Member

ACE bypass traffic

I am migrating from a CSS environment to an ACE module in a 6513. I have an ACE context between VLAN29 and VLAN30 that is a DMZ. VLAN29 faces the firewalls and VLAN30 the real servers. I can access the servers with a serverfarm and a "vip". I need to access the servers' real addresses directly for management, and some of them need direct access to internal resources.

The route table looks like this:

Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA

Is there a way to do this?

Currently I can see the traffic bouncing back and forth from the firewall to the ACE on VLAN29. The ACL on the ACE interfaces:

access-list Allow_All line 10 extended permit ip any any

7 REPLIES

Re: ACE bypass traffic

You just need an appropriate access-list on the ACE to access the real servers behind the ACE, and a corresponding inbound access-group allowing the session on the interface where the request is received.

Along with this, routes on the upstream router are required to point to the ACE as next hop to reach the networks where the real servers reside.

For real-server-initiated connections you again need an ACL and an inbound access-group on the server-side interface. For return traffic you can either NAT these connections or define routes on the upstream routers to point to the ACE as next hop to reach the networks where the real servers reside.

Thanks

Syed Iftekhar Ahmed

New Member

Re: ACE bypass traffic

I would have thought the access list Allow_All shown above would do that, but I will write a more specific one.

Re: ACE bypass traffic

You don't need a specific ACL.

IP any any should do.

Is it applied to both VLANs?

Syed

New Member

Re: ACE bypass traffic

Yes.

Does it need to be applied in both input and output directions on both VLANs?

New Member

Re: ACE bypass traffic

No joy.

Route table:

ACE-6513-1/DMZ# sh ip ro

Routing Table for Context DMZ (RouteId 1)
Codes: H - host, I - interface
       S - static, N - nat
       A - need arp resolve, E - ecmp

Destination        Gateway          Interface  Flags
------------------------------------------------------------------------
0.0.0.0            192.168.29.225   vlan29     S
192.168.0.0/16     192.168.29.225   vlan29     S
192.168.29.0/24    0.0.0.0          vlan29     IA
192.168.30.0/24    0.0.0.0          vlan30     IA

Wireshark captures show packets with the same IPs but MACs reversing until the TTL expires. It looks like traffic to 192.168.30.0/24 is forwarded to the default route instead of out the vlan30 interface. Wireshark on vlan30 never sees it.

Re: ACE bypass traffic

Why the following route

192.168.0.0/16 192.168.29.225 vlan29 S

when you have a default route pointing to the gateway?

Syed

New Member

Re: ACE bypass traffic

It is redundant, I put that in before the default, and never took it out.

I found the problem.

I had a load-balance config for the firewalls and had applied it to both interfaces. It only needs to be on the vlan30 interface. I think I copied this from the example in the manual. I see now it's not a good idea.
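The misconfiguration described in the thread, shown as a constructed ACE context configuration (added example, not the poster's actual config): a firewall load-balancing policy that is correct on the server-facing vlan30 but, when also applied on the firewall-facing vlan29, sends traffic that the firewall just forwarded straight back to the firewall, producing the MAC-flipping loop seen in Wireshark until the TTL expires. All addresses, names and the firewall serverfarm are assumptions; only the Allow_All ACL and the 192.168.29.225 gateway come from the thread.

```cisco
! Constructed example. Firewall inside address and ACE interface IPs are assumed.
access-list Allow_All line 10 extended permit ip any any

! Firewall serverfarm used for server-initiated traffic leaving the DMZ
rserver host FW1
  ip address 192.168.29.226
  inservice
serverfarm host FIREWALLS
  rserver FW1
    inservice

! Catch-all class: load-balance every flow that hits this interface to the firewalls
class-map match-all TO-FIREWALLS
  2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type loadbalance first-match LB-FW
  class class-default
    serverfarm FIREWALLS
policy-map multi-match FW-LB
  class TO-FIREWALLS
    loadbalance vip inservice
    loadbalance policy LB-FW

! Firewall-facing side: ACL only. Applying FW-LB here is the mistake from the thread:
! packets arriving from the firewall destined for 192.168.30.0/24 would be matched by
! the catch-all class and load-balanced back to the firewall instead of routed to vlan30.
interface vlan 29
  ip address 192.168.29.1 255.255.255.0
  access-group input Allow_All
  no shutdown

! Server-facing side: this is the only interface that should carry the firewall policy,
! so that only traffic originated by the real servers is steered to the firewalls.
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
  access-group input Allow_All
  service-policy input FW-LB
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.29.225
```

A quick check after applying a change is a capture on vlan30: management traffic to a real server's address should appear there with a decrementing TTL once, not bounce repeatedly between the firewall and ACE MACs on vlan29.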
