topic Hide external IPs for a pool of web servers? in Application Networking

Hide external IPs for a pool of web servers?

neo.hauxx — Sun, 22 Jul 2012 23:17:31 GMT

Hi,

I want to setup an ace as a proxy for a pool of web server (tcp 80), Just to forward the URL requests without changing or filtering them.

The idea is to hide external IP from the web servers, so when I issue:

"netstat -tapn" I should see (for connection to port 80) that only the ACE (10.0.0.1) is generating the traffic, not the public ips of our customers (there are thousands !)

The configuration should be like this :

WEB server pool=(10.0.0.2-->10)------10.0.0.1-|CISCO ACE|-100.100.100.100------------INTERNET

Is that really called proxy ?

I have no idea how to do it. Any help is welcome.

Regards

Hide external IPs for a pool of web servers?

gaursin2 — Mon, 23 Jul 2012 01:53:28 GMT

Hi, you can use source NAT option to hide to client IP address reaching servers. generally NATing client IP address is used in one arm mode deployment so that all client request will seem to be emerge from ACE IP address, and reply from server will go to ACE. Below is the link for your refernce

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

Hide external IPs for a pool of web servers?

neo.hauxx — Tue, 24 Jul 2012 13:46:12 GMT

Thanks the lik was very helpfull.

I am still looking for a better way to loadbalance the traffic to our web servers.

What I am looking for is a way to setup the ace as a Layer 7 proxy (filtring the url and sending the request to the appropriate server)

Of course the IP source for the webserver is the VIP of the ACE not the clients' public IP.

If I can do that, the web servers will not have to wait the ack from the client for each http request. in other word the web server answer to the ace and close the query, and it's the ACE that take care of answering to the external clients.

Mu concern is that : with just a nat configuration the web server has to wait the answers (tcp protocol negociation) from the external clients even if it see the VIP IP insteed of the client's external IP

Hide external IPs for a pool of web servers?

gaursin2 — Wed, 25 Jul 2012 00:16:54 GMT

i guess ACE when deployed in layer 7 load balancing mode may help you in achiving your need. In this mode ACE will open two separate sessions front end (with client) and back end (with server). overall ACE will negotiate front end client TCP connection, will wait till client send Layer 7 information (like http get) and based on this information it choose the server. once server is chosen ACE open a seperate TCP session with server in backend. once TCP 3-way handshake finish, ACE will splice both front end and backend (tweaking seq.no, acknowledge etc.).

Hide external IPs for a pool of web servers?

neo.hauxx — Wed, 25 Jul 2012 18:45:32 GMT

Thanks.

I tried to make a simple connfiguration for our two web servers to have this result:

1) Any traffic to 100.100.100.101 tcp port 80

2) that contains * in the URL (i.e. all the urls)

3) Nat the source IP, so the web servers will see the http requests comming from 100.100.100.110-100.100.100.115

not there real IPs

Is this configuration correct ?

rserver host web01

ip address 10.0.0.1

inservice

rserver host web02

ip address 10.0.0.2

inservice

serverfarm host My-Web-Servers-pool

rserver web01 80

inservice

rserver web02 80

inservice

class-map match-all class_vip_web

2 match virtual-address 100.100.100.101 tcp eq www

policy-map type loadbalance first-match policy_vip_web

class policy_url

serverfarm My-Web-Servers-pool

class-map type loadbalance http first-match policy_url

2 match http url /*

policy-map multi-match policy_vip_web-multimatch

class class_vip_web

loadbalance vip inservice

loadbalance policy policy_vip_web

nat dynamic 1 vlan 50

service-policy input policy_vip_web-multimatch

interface vlan 50

description "Client-Server VLAN"

ip address 100.100.100.100 255.255.255.0

access-group input everyone

nat-pool 1 100.100.100.110 100.100.100.115 netmask 255.255.255.0 pat

no shutdown

Thanks in advance.

Hide external IPs for a pool of web servers?

gaursin2 — Thu, 26 Jul 2012 02:29:21 GMT

Configuration look perfect as per your need.

Hide external IPs for a pool of web servers?

neo.hauxx — Thu, 26 Jul 2012 14:08:31 GMT

Thanks!

Since I 've never done the nat conf before,I want to be sure before applying tis 🙂

is my 3rd note correct? the web servers will se the http requests comming from the ip pool 100.100.100.110-100.100.100.115 not real IPs

Thanks again.

Hide external IPs for a pool of web servers?

gaursin2 — Sat, 28 Jul 2012 23:55:05 GMT

yes you understanding is correct, servers will only see connections from these IP's only. Also just small missing statement in your config, i.e. service-policy is not applied to interface.

Hide external IPs for a pool of web servers?

neo.hauxx — Sun, 29 Jul 2012 16:38:11 GMT

Thanks,

I thought that when I add the line :

service-policy input policy_vip_web-multimatch

I don't need to add the policy in the interface section !

Regards.

Hide external IPs for a pool of web servers?

gaursin2 — Mon, 30 Jul 2012 02:21:41 GMT

my mistake, i missed that statement from global mode config and was looking in interface.