cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
458
Views
0
Helpful
1
Replies

Need alternative port open for VIPs on ACE

mega5llc1
Level 1
Level 1

My ACE is almost completely configured - with VIPs, farms, real servers, redirects etc. Port 80 and 443 are working as expected and web requests are getting routed appropriately.

The need has arisen however, to allow a non-traditional port to be allowed/open to certain websites (to certain VIPs). (As some background - this is an SFTP style client based connection. ) 

My ACL configuration is open - ip any any - but i even created one specific to this port number. (let's just say it's 7777 for now). I've done captures on the firewall to make sure that traffic from external requests is getting through it, and when I try to connect to the real server address (either NATed or internally), it connects just fine. I am unable to see the connection attempts in the logging on the ACE and the error message that the client app gets is "connection refused"

               

I'm not good with policy maps or class maps, so I'm not sure if that's where I need to be looking. I suppose that the issue is at the VIP level though since the server IPs work fine, so I need to understand what gets processed via that IP that doesn't via the others.

So if I currently have websites on the ACE configured to accept, redirect, and loadbalance for port 80 and 443, but I now need them to do the same on port 7777, what changes need to be applied and where?

I can paste any config info if someone can help me. Thanks.

1 Reply 1

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

Good afternoon,

This new port would be a completely new VIP, so, you would need to create a new class-map for it.

Daniel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: