New Member

[ACE] Real servers and VIP in the same VLAN

Hello.

I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK comes back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.

My question is whether there is some way to make the VIP the address that ACKs those requests. Creating a new VLAN would be complicated because there are other services already running on those real servers.

Thanks a lot,

Miquel

5 REPLIES
Cisco Employee

[ACE] Real servers and VIP in the same VLAN

Hi Miquel,

Please do source NAT on the ACE so that return traffic gets sent to the ACE and not the FW. Pasting an example for you.

     ==========================================================================
     One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
     ==========================================================================


login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 451

interface vlan 451
  description Servers vlan
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Let me know if you have any questions.

Regards,

Kanwal

New Member

[ACE] Real servers and VIP in the same VLAN

Thank you Kanwal for your kind feedback.

We already have a NAT policy running on the same interface; could this impact the existing services?

policy-map multi-match NAT-POLICY
  class NAT-CLASS
    nat static X.X.X.X netmask 255.255.255.0 vlan 102
  class SLPGMS-SSL
    loadbalance vip inservice
    loadbalance policy SLPGMS-SSL-l7slb
    ssl-proxy server SLPGMS-Proxy

interface vlan 102
  description SLHP ACE VLAN
  ip address X:X:X:X 255.255.255.0
  alias X:X:X:X 255.255.255.0
  peer ip address X:X:X:X 255.255.255.0
  no normalization
  access-group input ALL
  service-policy input int102
  service-policy input remote_mgmt_allow_policy
  service-policy input NAT-POLICY
  no shutdown

Thank you one more time.

Miquel

Cisco Employee

[ACE] Real servers and VIP in the same VLAN

Hi Miquel,

No, it shouldn't. The users here will match a different class-map, a different policy and a different nat-pool. It should not have an impact on existing NAT services.

Regards,

Kanwal

New Member

[ACE] Real servers and VIP in the same VLAN

Finally, we had a bad static route on the servers; after removing that route, the return traffic is sent to the ACE, so we solved the problem. Anyway, I marked your answer as valid because it could be useful for others.

Thanks a lot.

Miquel Santiveri

Cisco Employee

[ACE] Real servers and VIP in the same VLAN

Hi Miquel,

Oh, I read the question again :) Since the client is external, there is no need for the server to send traffic to the FW but to the ACE (if the ACE is the default gateway), or according to the route, which in your case was not right. I read the question wrongly, thinking the client is also in the same subnet. My bad.

Regards,

Kanwal
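As an added illustration (not part of the thread and not Cisco code), the Python model below walks one request and its reply through the topology discussed here, showing why the ASA drops the reply when the real server answers around the ACE, why Kanwal's source-NAT configuration fixes it, and why removing Miquel's bad static route fixes it too. Only the 192.168.1.x values come from the example config; the client address and the server route tables are assumed.

```python
from dataclasses import dataclass
import ipaddress

# Constructed topology for this thread; only the 192.168.1.x values come from Kanwal's example.
CLIENT = "10.0.0.5"      # external client behind the ASA (assumed address)
FW = "192.168.1.1"       # firewall inside address, the ACE's default route next hop
ACE = "192.168.1.2"      # ACE interface vlan 451
VIP = "192.168.1.30"     # class-map VIP-30
POOL = "192.168.1.10"    # nat-pool 1 (source NAT address owned by the ACE)
SERVER_VLAN = ipaddress.ip_network("192.168.1.0/24")
RSERVERS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def ace_forward(req: Packet, source_nat: bool) -> Packet:
    """Pick a real server for the VIP; with 'nat dynamic 1 vlan 451' the ACE also
    rewrites the client source to the pool IP, so the server's reply targets the ACE."""
    rserver = RSERVERS[sum(int(o) for o in req.src.split(".")) % len(RSERVERS)]
    return Packet(src=POOL if source_nat else req.src, dst=rserver)

def server_next_hop(dst: str, routes: dict) -> str:
    """Real server's forwarding decision: on-VLAN destinations are delivered directly,
    otherwise longest-prefix match over its static routes, then the 'default' gateway."""
    addr = ipaddress.ip_address(dst)
    if addr in SERVER_VLAN:
        return dst
    matches = [p for p in routes if p != "default" and addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen, default="default")
    return routes[best]

def simulate(source_nat: bool, routes: dict) -> str:
    """Walk one request and its reply; the ASA only accepts a reply whose (src, dst)
    is the exact reverse of the client -> VIP flow it recorded on the way in."""
    to_server = ace_forward(Packet(CLIENT, VIP), source_nat)
    reply = Packet(src=to_server.dst, dst=to_server.src)
    hop = server_next_hop(reply.dst, routes)
    if hop in (ACE, POOL):          # reply reached the ACE, which translates rserver -> VIP
        reply, hop = Packet(VIP, CLIENT), FW
    if hop != FW:
        return f"lost: next hop {hop} never reaches the firewall"
    if (reply.src, reply.dst) != (VIP, CLIENT):
        return f"dropped by firewall: reply from {reply.src}, state expects {VIP}"
    return "accepted"

BAD_ROUTES = {"10.0.0.0/24": FW, "default": ACE}   # the thread's fault: client network routed to the FW
GOOD_ROUTES = {"default": ACE}                     # ACE is the gateway for everything off-VLAN
```

Calling `simulate(False, BAD_ROUTES)` reproduces Miquel's symptom (reply sourced from a real server, dropped by the firewall), while `simulate(True, BAD_ROUTES)` and `simulate(False, GOOD_ROUTES)` both return `accepted`.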
