Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1186
Views
0
Helpful
1
Replies

Http header Rewrite ( Ip source address)

Go to solution
ssarsar08
Level 1
Level 1

‎06-08-2010 01:48 PM

Hi,

Is it possible, using "http header rewrite" ACE feature to replace the S-NAT ip address by the real ip source address in a http request.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pablo
Cisco Employee
Cisco Employee

‎06-08-2010 09:01 PM

Hi Selim,

You can't rewrite the IP address of S-NAT because NAT would become useless and wouldn't make much sense have it in place... Tipically you configure S-NAT on one-arm mode configuration or also when the backend servers point their default gateway to a different L3 device that not necessarily needs to go through the ACE to send the response to the client, in a nutshell it avoids asymmetrical routing on the LB setup.

What you can do to preserve the real client IP address is have the ACE insert a new HTTP header usually called X-Forwarded-For, this is how the configuration should look like:

policy-map type loadbalance first-match HTTP

  class class-default

    serverfarm web

   insert-http X-Forwarded-For header-value "%is"

Once you configured this the S-NAT ip address still is logged on the server but you also receive this new header with the original client ip address.

As per my experience there's no much problems to enable this logging on HTTP servers ( Apache)  as you can enable it with a simple drop down but IIS needs to be configured with a ISAPI filter that you can find here

http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx

I hope this helps.

__ __

Pablo

Cisco TAC

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Pablo
Cisco Employee
Cisco Employee

‎06-08-2010 09:01 PM

Hi Selim,

You can't rewrite the IP address of S-NAT because NAT would become useless and wouldn't make much sense have it in place... Tipically you configure S-NAT on one-arm mode configuration or also when the backend servers point their default gateway to a different L3 device that not necessarily needs to go through the ACE to send the response to the client, in a nutshell it avoids asymmetrical routing on the LB setup.

What you can do to preserve the real client IP address is have the ACE insert a new HTTP header usually called X-Forwarded-For, this is how the configuration should look like:

policy-map type loadbalance first-match HTTP

  class class-default

    serverfarm web

   insert-http X-Forwarded-For header-value "%is"

Once you configured this the S-NAT ip address still is logged on the server but you also receive this new header with the original client ip address.

As per my experience there's no much problems to enable this logging on HTTP servers ( Apache)  as you can enable it with a simple drop down but IIS needs to be configured with a ISAPI filter that you can find here

http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx

I hope this helps.

__ __

Pablo

Cisco TAC

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents