Cisco ACE - NAT bounce back rule for Oracle

CSCO11061734
Level 1

Hello,

I have a VIP redirecting to 2 real servers, 172.x.x.114 and 115 respectively. The URL to be accessed is http://ofrv.a.b/portal/page. This has to be redirected to the 2 servers on ofr1.a.b and ofr2.a.b on port 8090. This is where I have a problem. I'm a newbie to ACE, so I'm lost with the configuration. The current configuration was configured by someone else, and since the guy is on vacation I'm having to fix this port redirection. Oracle support said it needs a NAT bounce back rule on the Cisco LBR. Is this the same as the one in this post? I'm not exactly sure how this is to be done. Kindly help me figure out the problem with the configuration.


Generating configuration....


resource-class COM
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_0.bin

hostname ACE
interface gigabitEthernet 1/1
  no shutdown
interface gigabitEthernet 1/2
  description Server-Side
  switchport access vlan 2
  no shutdown
interface gigabitEthernet 1/3
  qos trust cos
  no shutdown
interface gigabitEthernet 1/4
  shutdown

context Admin
  member COM

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

probe icmp ICMP_PROBE1
  description *** Probe for icmp health monitoring ***
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2


probe http OFR-HTTP3
  interval 15
  passdetect interval 60
  request method get url http://ofr1.a.b:8090
  expect status 200 201
  open 1
probe http OFR-HTTP4
  interval 15
  passdetect interval 60
  request method get url http://ofr2.a.b:8090
  expect status 200 201
  open 1

optimize
  appscope-log
  debug-level 5

rserver redirect OFR-Server-redirect
  webhost-redirection http://ofrv.a.b/portal/page 302
  inservice
rserver host OFR1-Server
  description Form& Reports Server
  ip address 172.x.x.114
  inservice
rserver host OFR2-Server
  description Form& Reports Server
  ip address 172.x.x.115
  inservice


serverfarm redirect OFR-Server_REDIRECT
  rserver OFR-Server-redirect
    inservice

serverfarm host Reports-SF2
  description Forms&Reports Services Farm
  rserver OFR1-Server 7001
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7001
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-3
  rserver OFR1-Server 9002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9002
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-4
  rserver OFR1-Server 9003
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9003
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-5
  probe OFR-HTTP3
  probe OFR-HTTP4
  rserver OFR1-Server 8090
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 8090
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-two
  rserver OFR1-Server 7002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7002
    probe ICMP_PROBE1
    inservice

sticky http-cookie Reports HTTP-Cookie-Sticky
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2
sticky http-cookie Reports HTTP-Cookie-Foram-two
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-two
sticky http-cookie Portal HTTP-Cookie-Portal
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Portal-SF1
sticky http-cookie Portal HTTP-Cookie-Portal-two
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Portal-SF1-two
sticky http-cookie Reports HTTP-Cookie-SF2-3
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-3
sticky http-cookie Reports HTTP-Cookie-SF2-4
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-4
sticky http-cookie INFR HTTP-Cooki-SF1
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF1
sticky http-cookie INFR HTTP-Cooki-SF2
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF2
sticky http-cookie INFR HTTP-Cooki-SF3
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF3
sticky http-cookie INFR HTTP-Cooki-SF4
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF4
sticky http-cookie Reports HTTP-Cookie-SF2-5
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-5

class-map match-any OFR-VIP
  4 match virtual-address 172.x.x.140 any
class-map match-any OFR-VIP-3
  2 match virtual-address 172.x.x.140 tcp eq 9002
class-map match-any OFR-VIP-4
  2 match virtual-address 172.x.x.140 tcp eq 9003
class-map match-any OFR-VIP-5
  2 match virtual-address 172.x.x.140 tcp eq 8090
  3 match virtual-address 172.x.x.140 tcp eq www
  4 match virtual-address 172.x.x.140 tcp eq https

class-map match-any OFR-VIP-two
  2 match virtual-address 172.x.x.140 tcp eq 7002
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map type loadbalance first-match OFR-Server_REDIRECT
  class class-default
    serverfarm OFR-Server_REDIRECT
policy-map type loadbalance first-match OFR-VIP-l7
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb
  class class-default
    sticky-serverfarm HTTP-Cookie-Sticky
policy-map type loadbalance first-match OFR-VIP-l7slb-3
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb-4
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-4
policy-map type loadbalance first-match OFR-VIP-l7slb-5
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-5
policy-map type loadbalance first-match OFR-VIP-l7slb-two
  class class-default
    sticky-serverfarm HTTP-Cookie-Foram-two

policy-map multi-match int2
  class OFR-VIP
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-two
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-two
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-3
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-3
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-4
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-4
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
 
  class OFR-VIP-5
    loadbalance vip inservice
    loadbalance policy OFR-Server_REDIRECT
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2

interface vlan 2
  description MGT-Interface
  ip address 172.x.x.142 255.255.0.0
  access-group input ALL
  nat-pool 1 172.x.x.143 172.x.x.143 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int2
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.x.x.1

Any help would be greatly appreciated.

Thanks and regards

Sbegum


Kanwaljeet Singh
Cisco Employee

Hi Sbegum,

I was about to reply to you on the other post in which you posted the question.

The above configuration doesn't seem to be right. First of all, you don't need a class-map defining port 8090, since that is the backend port. If you just define it in the serverfarm for the servers, ACE will automatically send the traffic to the server on that port, unless you have a client who is going to come in on that port (destination) after redirection.

Secondly, I don't see the REDIRECT (OFR-Server_REDIRECT) policy being used anywhere. You should have bound it to a class-map for it to work. You can refer to the configuration I sent in that post. If you have any questions, please feel free to ask me. I am caught up in something, but I will reply as soon as possible. If anything is not clear, I will try to create a sample configuration and send it out to you.

Have a good weekend.

Regards,

Kanwal

Hi Kanwal,

Thanks for your reply.

I have taken the serverfarm, class-map and policy-map configuration. Here it is:


ACE/Admin# sh run serverfarm
Generating configuration....

serverfarm host INFR-SF1
  description OID farm
  probe INFR-HTTP1
  probe INFR-HTTP2
  rserver INFR1 7777
    probe ICMP_PROBE1
    inservice
  rserver INFR2 7777
    probe ICMP_PROBE1
    inservice
serverfarm host INFR-SF2
  rserver INFR1 3060
    probe ICMP_PROBE1
    inservice
  rserver INFR2 3060
    probe ICMP_PROBE1
    inservice
serverfarm host INFR-SF3
  rserver INFR1 3061
    probe ICMP_PROBE1
    inservice
  rserver INFR2 3061
    probe ICMP_PROBE1
    inservice
serverfarm host INFR-SF4
  rserver INFR1 7002
    probe ICMP_PROBE1
    inservice
  rserver INFR2 7002
    probe ICMP_PROBE1
    inservice

serverfarm redirect OFR-Server_REDIRECT
  rserver OFR-Server-redirect
    inservice
serverfarm host Portal-SF1
  description Internet Portal Farm
  probe OIP-HTTP1
  probe OIP-HTTP2
  rserver OIP1 7777
    inservice
  rserver OIP2 7777
    inservice
serverfarm host Portal-SF1-two
  rserver OIP1 4001
    probe ICMP_PROBE1
    inservice
  rserver OIP2 4001
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2
  description Forms&Reports Services Farm
  rserver OFR1-Server 7001
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7001
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-3
  rserver OFR1-Server 9002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9002
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-4
  rserver OFR1-Server 9003
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9003
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-5
  probe OFR-HTTP3
  probe OFR-HTTP4
  rserver OFR1-Server 8090
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 8090
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-two
  rserver OFR1-Server 7002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7002
    probe ICMP_PROBE1
    inservice

ACE/Admin# sh run class-map
Generating configuration....

class-map match-any OFR-VIP
  4 match virtual-address 172.x.x.140 any
class-map match-any OFR-VIP-3
  2 match virtual-address 172.x.x.140 tcp eq 9002
class-map match-any OFR-VIP-4
  2 match virtual-address 172.x.x.140 tcp eq 9003
class-map match-any OFR-VIP-5
  2 match virtual-address 172.x.x.140 tcp eq 8090
  3 match virtual-address 172.x.x.140 tcp eq www
  4 match virtual-address 172.x.x.140 tcp eq https
class-map match-any OFR-VIP-5-1
  2 match virtual-address 172.x.x.140 tcp eq www
class-map match-any OFR-VIP-5-2
  2 match virtual-address 172.x.x.140 tcp eq https
class-map match-any OFR-VIP-two
  2 match virtual-address 172.x.x.140 tcp eq 7002
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any

COM-ACE/Admin# sh run policy-map
Generating configuration....

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match INFR-VIP-l7slb
  class class-default
    sticky-serverfarm HTTP-Cooki-SF1
policy-map type loadbalance first-match INFR-VIP-l7slb-2
  class class-default
    sticky-serverfarm HTTP-Cooki-SF2
policy-map type loadbalance first-match INFR-VIP-l7slb-3
  class class-default
    sticky-serverfarm HTTP-Cooki-SF3
policy-map type loadbalance first-match INFR-VIP-l7slb-4
  class class-default
    sticky-serverfarm HTTP-Cooki-SF4
policy-map type loadbalance first-match OFR-Server_REDIRECT
  class class-default
    serverfarm OFR-Server_REDIRECT
policy-map type loadbalance first-match OFR-VIP-l7
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb
  class class-default
    sticky-serverfarm HTTP-Cookie-Sticky
policy-map type loadbalance first-match OFR-VIP-l7slb-3
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb-4
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-4
policy-map type loadbalance first-match OFR-VIP-l7slb-5
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-5
policy-map type loadbalance first-match OFR-VIP-l7slb-two
  class class-default
    sticky-serverfarm HTTP-Cookie-Foram-two

policy-map multi-match int2
  class OFR-VIP
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-two
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-two
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-3
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-3
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-4
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-4
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class INFR-VIP-1
    loadbalance vip inservice
    loadbalance policy INFR-VIP-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class INFR-VIP-2
    loadbalance vip inservice
    loadbalance policy INFR-VIP-l7slb-2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class INFR-VIP-3
    loadbalance vip inservice
    loadbalance policy INFR-VIP-l7slb-3
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class INFR-VIP-4
    loadbalance vip inservice
    loadbalance policy INFR-VIP-l7slb-4
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-5
    loadbalance vip inservice
    loadbalance policy OFR-Server_REDIRECT
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2

ACE/Admin#

Ignore the INFR class maps and policy maps in the config. My problem is only with the OFR part.

Have I missed the configuration for the redirect here? And do I not need this class map:

class-map match-any OFR-VIP-5
  2 match virtual-address 172.x.x.140 tcp eq 8090
  3 match virtual-address 172.x.x.140 tcp eq www
  4 match virtual-address 172.x.x.140 tcp eq https

Your help is much appreciated.

Thanks and regards

Sbegum
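One way to check which load-balance policies are actually bound in the multi-match policy, as an added example that is not part of the original thread. The function name `audit` and the `SAMPLE` text are assumptions made here; the sample is a trimmed copy of the OFR lines from the configuration posted above.

```python
# Constructed sample: OFR-related lines from the configuration posted above,
# trimmed to what the cross-reference needs.
SAMPLE = """\
class-map match-any OFR-VIP
  4 match virtual-address 172.x.x.140 any
class-map match-any OFR-VIP-5
  2 match virtual-address 172.x.x.140 tcp eq 8090
  3 match virtual-address 172.x.x.140 tcp eq www
policy-map type loadbalance first-match OFR-Server_REDIRECT
  class class-default
    serverfarm OFR-Server_REDIRECT
policy-map type loadbalance first-match OFR-VIP-l7slb
  class class-default
    sticky-serverfarm HTTP-Cookie-Sticky
policy-map type loadbalance first-match OFR-VIP-l7slb-5
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-5
policy-map multi-match int2
  class OFR-VIP
    loadbalance policy OFR-VIP-l7slb
  class OFR-VIP-5
    loadbalance vip inservice
    loadbalance policy OFR-Server_REDIRECT
"""

def audit(config):
    """Return (bindings, unbound, wildcard_vips) for an ACE running-config."""
    defined, bindings, vip_matches = [], {}, {}
    section, cls = [""], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace():            # unindented line opens a new section
            section, cls = tok, None
            if tok[:3] == ["policy-map", "type", "loadbalance"]:
                defined.append(tok[-1])
        elif section[0] == "class-map" and "virtual-address" in tok:
            i = tok.index("virtual-address")  # keep "<vip> <proto/port spec>"
            vip_matches.setdefault(section[-1], []).append(" ".join(tok[i + 1:]))
        elif section[:2] == ["policy-map", "multi-match"]:
            if tok[0] == "class":
                cls = tok[1]                  # class-map this block applies to
            elif tok[:2] == ["loadbalance", "policy"]:
                bindings[cls] = tok[2]        # class-map -> L7 policy bound to it
    unbound = [p for p in defined if p not in bindings.values()]
    wildcard = [c for c, m in vip_matches.items() if any(x.endswith(" any") for x in m)]
    return bindings, unbound, wildcard
```

`wildcard_vips` lists class-maps that match a VIP on `any`; such a class-map overlaps every port-specific class-map for the same address, so it is worth confirming which class the traffic is classified into.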

Hi Sbegum,

I have a VIP redirecting to 2 real servers 172.x.x.114 and 115 respectively. The url to be accessed is http://ofrv.a.b/portal/page. This has to be redirected to the 2 servers on ofr1.a.b and ofr2.a.b on port 8090.

A few questions:

1) What is the initial URL the client will come with?

2) Is it just going to redirect it to http://ofrv.a.b/portal/page or https://ofrv.a.b/portal/page?

What are the servers to which the traffic would be loadbalanced?

Is this the serverfarm?

serverfarm host Reports-SF2-5
  probe OFR-HTTP3
  probe OFR-HTTP4
  rserver OFR1-Server 8090
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 8090
    probe ICMP_PROBE1
    inservice

Let me know and I will send a configuration sample.

Regards,

Kanwal