Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP

raj.pat77
Level 1

Hi,

I have a very strange set up and need some help to get my config working

I have a ASA firewall with three VLANs

VLAN 1 = Internet

VLAN 2 = DMZ

VLAN 3 = Goes to ACE

On the ACE I have four VLANs

VLAN 3 = Goes to ASA

VLAN 4 = Web Server Tier

VLAN 5 = DB Tier

VLAN 6 = VIPs

Our Application team have asked us to create a New VIP on the ACE with real servers in DMZ (Server A and Server B)

And they have told us that the clients accessing the VIP will be Server A and Server B.

I have always created VIPs with real servers directly connected to the ACE but not connected elsewhere.

I believe I have a big challenge of opening ports on the firewall etc. to get this setup working. Also, should I use some sort of NAT / SNAT?

Could anyone guide me on this setup please?

Raj

1 Reply

gaursin2
Level 1

Hi Raj,

First of all, it is possible to add servers in ACE which are a hop away from ACE interfaces. Here the servers are a hop away, but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through ACE (so that ACE can maintain states and change the source IP of the reply packet from the server IP to the VIP on which the client requested the connection).

When servers are a hop away and ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to ACE (as the server will see the NAT IP as the client IP).

In your case the DMZ-VIP, which is created for the two real servers A and B, will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a hop away). So the best solution here is VIP in VLAN 3, rservers for this VIP in DMZ, and SNAT of the client request using a free IP in VLAN 3.

Also you have to open ports on the firewall for both the "real server probes" and the actual application ports; moreover, policy modification on the firewall for allowing traffic from DMZ to ACE VIP, DMZ to NAT IP, and the vice versa traffic.
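As an added illustration (not from the original thread), a constructed ACE configuration for the layout the reply describes: VIP in VLAN 3, real servers a hop away in the DMZ behind the ASA, and source NAT from a free VLAN 3 address. All addresses, ports and object names are assumptions.

```cisco
! Assumed addressing (constructed for this example):
!   VLAN 3 (ACE <-> ASA): 10.3.0.0/24, ACE 10.3.0.2, ASA 10.3.0.1
!   DMZ behind the ASA:   10.2.0.0/24, Server A 10.2.0.11, Server B 10.2.0.12
!   VIP 10.3.0.100 and SNAT address 10.3.0.200 are free IPs in VLAN 3
access-list ALL line 10 extended permit ip any any

! Health check the real servers through the ASA (the ASA must permit it)
probe tcp DMZ-PROBE
  port 80
  interval 10
  passdetect interval 30

rserver host SERVER-A
  ip address 10.2.0.11
  inservice
rserver host SERVER-B
  ip address 10.2.0.12
  inservice

serverfarm host DMZ-FARM
  probe DMZ-PROBE
  rserver SERVER-A 80
    inservice
  rserver SERVER-B 80
    inservice

class-map match-all DMZ-VIP
  2 match virtual-address 10.3.0.100 tcp eq 80

policy-map type loadbalance first-match DMZ-VIP-LB
  class class-default
    serverfarm DMZ-FARM

policy-map multi-match VLAN3-POLICY
  class DMZ-VIP
    loadbalance vip inservice
    loadbalance policy DMZ-VIP-LB
    ! SNAT: the client source (Server A/B) becomes 10.3.0.200, so the
    ! server's reply is addressed to ACE and the flow stays stateful
    nat dynamic 1 vlan 3

interface vlan 3
  ip address 10.3.0.2 255.255.255.0
  access-group input ALL
  nat-pool 1 10.3.0.200 10.3.0.200 netmask 255.255.255.255 pat
  service-policy input VLAN3-POLICY
  no shutdown

! Real servers are a hop away, so reach the DMZ via the ASA
ip route 10.2.0.0 255.255.255.0 10.3.0.1
! ASA must permit DMZ -> 10.3.0.100 tcp/80 (clients to VIP) and
! 10.3.0.200 -> 10.2.0.11-12 tcp/80 (SNATed requests and probes), plus return traffic
```

Because the ASA terminates neither the VIP nor the NAT address, only two firewall directions are needed: DMZ to VIP, and NAT IP to the DMZ servers on the application and probe ports.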