ACE - Backend server needs to talk through ACE without LB

mmertens
Level 1

So I have my real server farm operational and client requests to port 80 are being load-balanced via the VIP; however, my back-end servers cannot initiate connections out to the internet. The servers live on the DMZ with the ACE, and use the ACE as their default gateway. Because of the inherent nature of the ACE to block connections, I've included access-groups which permit any any for troubleshooting, and I've also included a back-end policy at the instruction of TAC. I realize I might have some ASA rules that need to be in place, but want to get feedback on my ACE configuration; my understanding is still shaky on what is needed on the ACE configuration to allow non-load-balanced data flows to occur through it.

THANKS.

access-list EVERYONE line 1 extended permit ip any any


class-map match-all forward_vip
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type management first-match Management
  class Management
    permit

policy-map type loadbalance first-match forward_vip_pol
policy-map multi-match BACKEND_POLICY
  class forward_vip
    loadbalance vip inservice
    loadbalance policy forward_vip
    loadbalance vip icmp-reply active

interface vlan 2
  description *** OUTSIDE 1 ***
  ip address 192.168.50.249 255.255.255.0
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input VLAN2-POLICY
  no shutdown
interface vlan 3
  description *** OUTSIDE 2 ***
  ip address 192.168.51.249 255.255.255.0
  nat-pool 30 192.168.51.225 192.168.51.225 netmask 255.255.255.0 pat
  nat-pool 31 192.168.51.226 192.168.51.226 netmask 255.255.255.0 pat
  nat-pool 32 192.168.51.227 192.168.51.227 netmask 255.255.255.0 pat
  nat-pool 33 192.168.51.228 192.168.51.228 netmask 255.255.255.0 pat
  access-group input EVERYONE
  access-group output EVERYONE
  no shutdown
interface vlan 4
  description *** Inside ***
  ip address 172.31.3.249 255.255.255.0
  no normalization
  no icmp-guard
  access-group input EVERYONE
  access-group output EVERYONE
  nat-pool 40 172.31.3.225 172.31.3.225 netmask 255.255.255.0 pat
  nat-pool 41 172.31.3.226 172.31.3.226 netmask 255.255.255.0 pat
  service-policy input Management
  service-policy input BACKEND_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.50.251

2 Replies

litrenta
Level 3

If you want to go the forward route, you need a class in the policy with forward. Currently you only have:

policy-map type loadbalance first-match forward_vip_pol

you need

policy-map type loadbalance first-match forward_vip_pol
  class class-default
    forward

But you should not need this. What you need to ask yourself is if this server-initiated traffic needs to be natted when it leaves the ACE. If the default gateway at 192.168.50.251 does not have a route for the 172.31.3.0 network pointing to 192.168.50.249 as the next hop for that network, then you will need to NAT the server-initiated traffic as it goes out, as follows:

class-map match-any serverinit
  2 match source-address 172.31.3.0 255.255.255.0

Realizing that the default route takes you out of the ACE on vlan 2, you need a free address in that VLAN to use as a NAT address:

interface vlan 2
  description *** OUTSIDE 1 ***
  ip address 192.168.50.249 255.255.255.0
  nat-pool 1 192.168.50.x 192.168.50.x netmask 255.255.255.255 pat
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input VLAN2-POLICY
  no shutdown

policy-map multi-match SERVER_INIT
  class serverinit
    nat dynamic 1 vlan 2

then apply this on vlan 4

interface vlan 4
  service-policy input SERVER_INIT

you should not need BACKEND_POLICY
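The reply's fix only works if every object it names actually exists on the ACE: the class-map, the nat-pool on the egress VLAN, and the policy-map applied to the server VLAN. The posted configuration already has gaps of that kind (BACKEND_POLICY calls `loadbalance policy forward_vip`, but the only loadbalance policy-map defined is the empty forward_vip_pol; VLAN2-POLICY and class-map Management are referenced but do not appear in the post). The following is an added Python example, not code from the thread or from Cisco: a small cross-reference linter that walks the indentation-structured ACE config, records what each `class`, `loadbalance policy`, `nat dynamic`, `access-group` and `service-policy` line refers to, and reports anything referenced but not defined, plus loadbalance policy-maps with no class. Both config strings are constructed: ORIGINAL is a trimmed copy of the posted config, and NAT_FIX is the reply's server-initiated NAT config with the assumed address 192.168.50.250 standing in for the elided 192.168.50.x.

```python
"""Cross-reference linter for Cisco ACE configuration text (added example).
Reports objects referenced but never defined, and loadbalance policy-maps
with no class; either gap means traffic silently misses the intended policy."""

# Constructed input: the relevant lines of the posted configuration, trimmed.
ORIGINAL = """\
access-list EVERYONE line 1 extended permit ip any any
class-map match-all forward_vip
  2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Management
  class Management
    permit
policy-map type loadbalance first-match forward_vip_pol
policy-map multi-match BACKEND_POLICY
  class forward_vip
    loadbalance vip inservice
    loadbalance policy forward_vip
interface vlan 2
  access-group input EVERYONE
  service-policy input VLAN2-POLICY
interface vlan 4
  access-group input EVERYONE
  nat-pool 40 172.31.3.225 172.31.3.225 netmask 255.255.255.0 pat
  service-policy input Management
  service-policy input BACKEND_POLICY
"""

# Constructed input: the reply's server-initiated NAT pieces. The free address
# 192.168.50.250 is an assumption standing in for "192.168.50.x".
NAT_FIX = """\
class-map match-any serverinit
  2 match source-address 172.31.3.0 255.255.255.0
interface vlan 2
  nat-pool 1 192.168.50.250 192.168.50.250 netmask 255.255.255.255 pat
policy-map multi-match SERVER_INIT
  class serverinit
    nat dynamic 1 vlan 2
interface vlan 4
  service-policy input SERVER_INIT
"""


def parse(text):
    """Collect definitions, references (kind, name, enclosing block) and the
    number of class lines in each loadbalance policy-map."""
    defs = {"class-map": set(), "policy-map": set(), "lb-policy": set(),
            "nat-pool": set(), "access-list": set()}
    lb_classes = {}  # loadbalance policy-map name -> number of class lines
    refs = []
    block = vlan = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        t = raw.split()
        if not raw.startswith(" "):  # an unindented line opens a new block
            block = " ".join(t)
            if t[0] == "access-list":
                defs["access-list"].add(t[1])
            elif t[0] == "class-map":
                defs["class-map"].add(t[-1])
            elif t[0] == "policy-map" and "loadbalance" in t:
                defs["lb-policy"].add(t[-1])
                lb_classes.setdefault(t[-1], 0)
            elif t[0] == "policy-map":
                defs["policy-map"].add(t[-1])
            elif t[:2] == ["interface", "vlan"]:
                vlan = t[2]
            continue
        if block.startswith("policy-map"):
            pname = block.split()[-1]
            if t[0] == "class":
                if pname in lb_classes:
                    lb_classes[pname] += 1
                if t[1] != "class-default":
                    refs.append(("class-map", t[1], block))
            elif t[:2] == ["loadbalance", "policy"]:
                refs.append(("lb-policy", t[2], block))
            elif t[:2] == ["nat", "dynamic"]:
                # a dynamic NAT pool is looked up on the VLAN named on the line
                refs.append(("nat-pool", f"{t[2]} vlan {t[4]}", block))
        elif block.startswith("interface vlan"):
            if t[0] == "nat-pool":
                defs["nat-pool"].add(f"{t[1]} vlan {vlan}")
            elif t[0] == "access-group":
                refs.append(("access-list", t[2], block))
            elif t[0] == "service-policy":
                refs.append(("policy-map", t[2], block))
    return defs, lb_classes, refs


def findings(text):
    """Return a sorted, de-duplicated list of problems in the config text."""
    defs, lb_classes, refs = parse(text)
    out = {f"{kind} {name} referenced in '{where}' but not defined"
           for kind, name, where in refs if name not in defs[kind]}
    out |= {f"lb-policy {p} has no class, so it neither balances nor forwards"
            for p, n in lb_classes.items() if n == 0}
    return sorted(out)


if __name__ == "__main__":
    for line in findings(ORIGINAL):
        print("posted config:", line)
    extra = set(findings(ORIGINAL + NAT_FIX)) - set(findings(ORIGINAL))
    print("new problems from the NAT fix:", sorted(extra) or "none")
```

Run as is, the linter lists the four gaps in the posted config and confirms that NAT_FIX adds none; changing the fix to `nat dynamic 1 vlan 3` makes it report nat-pool 1 as undefined on vlan 3, which is the mistake the reply warns about (the pool must live on the VLAN the default route actually leaves by). Once the server-initiated flow works, the `permit ip any any` access-groups the poster added for troubleshooting are the next thing to tighten.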

Just getting back to this now; ABSOLUTELY makes sense! Thanks for taking the time and thinking it out. I'll give it a whirl.

Thanks for the input!