Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

connection from behind one VIP to another

hello experts,

we have the following setup:

2 different contexts with the same VLAN's on the outside and on the inside.

context1

outside VLAN89 - VIP1 (in VLAN89) - rservers1-2 in VLAN36 (inside)

contect2

outside VLAN89 - VIP2 (inVLAN89) - rservers3-4 in VLAN36. (inside)

now, there is a need to reach an application on VIP2 from servers behind VIP1.

we do source natting on those servers and we can connect from rservers1-2 to ip's in VLAN89.

however, if we try to connect to VIP2: the connection fails. Is this some kind of security mechanism? and if so, is there a way to bypass it?

thanx in advance

  • Application Networking
3 REPLIES
Cisco Employee

connection from behind one VIP to another

hi,

Inter-context traffic is not permitted but there is a work around,


If a rserver S in vlan 10 of context A wants to communicate with vlan 20, VIP-B, you should configure context A with a static host route, pointing VIP-B to the default gateway. This default gateway will then forward the traffic to context B and for ACE it is like the connection comes from outside and not another context. Same for response. You need on context B a route for vlan 10 via the gateway

.

Please try and let me know.

Regards,

Kanwal

New Member

connection from behind one VIP to another

hi,

thank you for the quick response, but the solution don't work.

i have done the following:

contextA with public side in vlan89 end serverside in vlan 36:

*natting to hide requests from the rserver behind a public address in vlan89 (x.x.246.80)

*a static route to vipB via the DG (route x.x.246.53 255.255.255.255 x.x.246.254)

contextB with public side in vlan89 and serverside in vlan36

*a static route to vipA via DG (route x.x.246.80 255.255.255.255 x.x.246.254)

remark:

*both VIP's are in the same subnet, so no routing is done on the DG)

*when accessing another mazhine in the same subnet (but nog behind ACE° we see correctly the address x.x.246.80, so the outgoing NAT works...

any idea's?

Cisco Employee

connection from behind one VIP to another

Hi,

If you ping from rservers or trace route to the context B vip and vice-versa, is it going according to the routing you have configured? If yes,  then it should work fine.

Regards,

Kanwal

349
Views
0
Helpful
3
Replies
This widget could not be displayed.