07-25-2013 11:28 AM
I have configured a pair of ACE appliances with the configuration provided by Cisco for this function, in which I have a global IPv6 address translating to an IPv4 real server farm. I'm having no love. Does this functionality work with a static NAT from IPv6 to IPv4? Also, the firewall in front of the ACE pair sees the IPv6 traffic passing, but no reply. What would be the best capture command to see if the request (HTTPS) is actually reaching the ACE?
07-25-2013 11:53 PM
James,
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/product_bulletin_c25-687419.html
If you have an ACE30 you can get 10-gig captures on the switch.
If you have an ACE 4710 you need to take it on the switch directly connected to the ACE, on the client-facing side.
Jorge
07-26-2013 02:53 AM
Hi,
If you just want to verify whether the traffic is hitting the ACE or not, you can try the following:
Create an access list with the source set to the client IP address (here the source is 10.10.10.10 in my example):
ace-4710-1/Admin(config)# access-list captureacl extended permit tcp host 10.10.10.10 any eq 443
ace-4710-1/Admin# capture capturetest all access-list captureacl
ace-4710-1/Admin# capture capturetest start
Once it is done you can stop it by using:
ace-4710-2/Admin# capture capturetest stop
Save the file to disk :
ace-4710-2/Admin# copy capture capturetest disk0: test.pcap
Hope that helps.
regards,
Ajay Kumar
07-26-2013 02:59 AM
Hi,
I see you want to capture IPv6 traffic.
You can create the ACL using IPv6 addresses:
ace-4710-1/Admin(config)# access-list test extended permit ip
any Any source address and mask (Equiv of 0.0.0.0 0.0.0.0)
anyv6 Any source address and mask (Equiv of 0::0/0)
host Configure source host
object-group Network object-group for source address
See if that helps. Otherwise SPAN is a good option, as Jorge suggested.
regards,
Ajay Kumar
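Once a capture like the one in the earlier post has been saved to disk0: and copied off the appliance, the quickest way to answer the original question (do the HTTPS requests reach the ACE, and does anything go back?) is to look at every TCP flow to port 443 and check whether each client SYN has a matching SYN/ACK. The script below is an added example written for this thread, not code from Cisco or from any of the posters. It parses a classic libpcap file with the Python standard library only and runs against a capture constructed inline, since nothing here talks to an ACE; the IPv6 VIP 2001:db8:1::443, the clients 2001:db8::10 and 2001:db8::20, and the real server 10.1.1.10 are made-up addresses. It walks both the IPv6 client-side leg and the IPv4 server-side leg in one pass, so it is meant for a `capture ... all` rather than a single-VLAN capture.

```python
# Triage for a pcap saved from an ACE "capture": which TCP flows to the HTTPS port
# got a SYN in and a SYN/ACK back.  Stdlib only; the sample capture is constructed.
import ipaddress
import struct
from collections import defaultdict

ETH_P_IPV4, ETH_P_IPV6 = 0x0800, 0x86DD
TCP_SYN, TCP_ACK = 0x002, 0x010

def tcp_from_frame(frame):
    """(src, dst, sport, dport, flags) for an Ethernet/IP/TCP frame, else None.
    IPv6 extension headers are not walked; IPv4 options are skipped via IHL."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IPV6 and frame[20] == 6:          # next header == TCP
        src, dst = frame[22:38], frame[38:54]
        tcp = frame[54:]
    elif ethertype == ETH_P_IPV4 and frame[23] == 6:        # protocol == TCP
        src, dst = frame[26:30], frame[30:34]
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    else:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            sport, dport, off_flags & 0x1FF)

def read_pcap(data):
    """Yield the frames of a classic libpcap file (Ethernet link type, either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng not supported here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def triage(pcap_bytes, port=443):
    """Flows keyed by (client, server, client port) -> verdict string.
    A SYN to `port` is the request; a SYN/ACK from `port` is the reply."""
    seen = defaultdict(lambda: {"syn": False, "synack": False})
    for frame in read_pcap(pcap_bytes):
        rec = tcp_from_frame(frame)
        if rec is None:
            continue
        src, dst, sport, dport, flags = rec
        syn, ack = bool(flags & TCP_SYN), bool(flags & TCP_ACK)
        if dport == port and syn and not ack:
            seen[(src, dst, sport)]["syn"] = True
        elif sport == port and syn and ack:
            seen[(dst, src, dport)]["synack"] = True
    verdict = {(True, True): "handshake ok",
               (True, False): "SYN reached capture point, no SYN/ACK back",
               (False, True): "SYN/ACK without a SYN (request not captured)"}
    return {flow: verdict[(s["syn"], s["synack"])] for flow, s in seen.items()}

# ---- constructed sample capture (made-up addresses, not a real ACE capture) ----
def _frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4/IPv6 + TCP with zeroed MACs and checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 6:
        ip, ethertype = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64), ETH_P_IPV6
    else:
        ip, ethertype = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0), ETH_P_IPV4
    return bytes(12) + struct.pack("!H", ethertype) + ip + s.packed + d.packed + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1374748800 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame("2001:db8::10", "2001:db8:1::443", 50000, 443, TCP_SYN),              # answered
    _frame("2001:db8:1::443", "2001:db8::10", 443, 50000, TCP_SYN | TCP_ACK),
    _frame("2001:db8::20", "2001:db8:1::443", 50001, 443, TCP_SYN),              # never answered
    _frame("10.1.1.1", "10.1.1.10", 50000, 443, TCP_SYN),                        # server-side leg after NAT
    _frame("10.1.1.10", "10.1.1.1", 443, 50000, TCP_SYN | TCP_ACK),
    _frame("2001:db8::10", "2001:db8:1::443", 50002, 80, TCP_SYN),               # not HTTPS, ignored
])

if __name__ == "__main__":
    for (client, server, sport), v in triage(SAMPLE_PCAP).items():
        print(f"{client} -> {server}:443 (sport {sport}): {v}")
```

Reading the verdicts: an IPv6 flow reported as "SYN reached capture point, no SYN/ACK back" with no corresponding IPv4 SYN towards the real server means the request got to the ACE but the ACE never opened the back-end connection, which points at the VIP, NAT or serverfarm configuration; an IPv4 SYN to the real server with no SYN/ACK back points at the server or the path behind the ACE instead. If the ACE shows no SYN at all for a client the firewall saw, the problem is between the firewall and the ACE. Two caveats: the parser handles classic pcap only (not pcapng), and it does not walk IPv6 extension headers, so a client that sends, say, a hop-by-hop header before TCP will be skipped rather than counted.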