ACE: Log in apache real server appear with nat ip address

Hello Friends,

I have configured Cisco ACE 4710 with multi-hop (Configure NAT) and it works OK. The real servers have Apache up, but when I access the VIP 50.80.1.100 via http://50.80.1.100, the logs on the real servers show 50.70.1.20 (the NAT IP address). My customer wants to see the source IP address; can I see the source IP address in the Apache real servers?

Regards,

The config:

ace-demo/C1# sh run
Generating configuration....


logging enable
logging history 6


login timeout 0

access-list someone line 8 extended permit ip any any
access-list someone line 16 extended permit icmp any any

rserver host rsrv1
  ip address 172.16.28.82
  inservice
rserver host rsrv2
  ip address 151.101.121.116
  inservice


serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice
serverfarm host from-151.101.x.x
  rserver rsrv2
    inservice
serverfarm host from-172.16.x.x
  rserver rsrv1
    inservice

class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  2 match virtual-address 50.80.1.100 any
class-map type generic match-any from-151.101.x.x
  2 match source-address 151.101.0.0 255.255.0.0
class-map type generic match-any from-172.16.x.x
  2 match source-address 172.16.0.0 255.255.0.0

policy-map type management first-match mgmt
  class MGMT
    permit

policy-map type loadbalance first-match server-balance
  class class-default
    serverfarm farm-demo

policy-map type loadbalance generic first-match lb-server
  class from-172.16.x.x
    serverfarm from-172.16.x.x
  class from-151.101.x.x
    serverfarm from-151.101.x.x
  class class-default
    serverfarm farm-demo

policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy lb-server
    loadbalance vip icmp-reply active
    nat dynamic 20 vlan 70

interface vlan 70
  description side-server
  ip address 50.70.1.10 255.255.255.0
  access-group input someone
  access-group output someone
  nat-pool 20 50.70.1.20 50.70.1.20 netmask 255.255.255.0 pat
  service-policy input mgmt
  no shutdown
interface vlan 80
  description side-client
  ip address 50.80.1.10 255.255.255.0
  access-group input someone
  access-group output someone
  service-policy input mgmt
  service-policy input client-side
  no shutdown

ip route 0.0.0.0 0.0.0.0 50.80.1.1
ip route 172.16.0.0 255.255.0.0 50.70.1.1
ip route 151.101.0.0 255.255.0.0 50.70.1.1

ace-demo/C1#   

pablo.nxh
Level 3

Hi Alvaro,

What you can do in this case is ask your client to enable X-Forwarded-For header inspection on the Apache server. In your configuration you can instruct the ACE to insert the original client IP address with the command shown below.

policy-map type loadbalance generic first-match lb-server
  class from-172.16.x.x
    serverfarm from-172.16.x.x
    insert-http X-Forwarded-For header-value "%is"
  class from-151.101.x.x
    serverfarm from-151.101.x.x
    insert-http X-Forwarded-For header-value "%is"
  class class-default
    serverfarm farm-demo
    insert-http X-Forwarded-For header-value "%is"

Now if you check the packets arriving at the servers you would see a new header listed as "X-Forwarded-For" with the original client IP.

*Forgot to mention that this does not work for HTTPS traffic.

HTH

__ __

Pablo
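The server side of this answer is where the security caveat lives: any client can send its own X-Forwarded-For, so Apache must only believe the header when the TCP peer is the ACE's NAT address (50.70.1.20 in the thread's config). The following is an added example, not code from the thread or from Apache; it re-implements the trust walk that mod_remoteip's RemoteIPInternalProxy performs, on constructed requests, and assumes the proxy appends its own entry to the right of whatever the client sent.

```python
import ipaddress
from typing import Optional

# Constructed trust list: the only peer whose X-Forwarded-For we believe is the
# ACE's NAT/PAT address on VLAN 70 from the thread's config (nat-pool 20).
TRUSTED_PROXIES = {ipaddress.ip_address("50.70.1.20")}


def resolve_client_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Hypothetical re-implementation of the mod_remoteip trust walk (not Apache
    code). Start at the TCP peer; while the current hop is a trusted proxy, step
    right-to-left through X-Forwarded-For. The first untrusted hop is the
    client; anything to its left was supplied by an untrusted party and is
    ignored. On a malformed hop we stop and keep the last trusted address,
    which is what the logs show today anyway."""
    current = ipaddress.ip_address(peer_ip)
    if current not in TRUSTED_PROXIES or not xff_header:
        return str(current)  # direct connection or no header: the peer is the client
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops and current in TRUSTED_PROXIES:
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break
    return str(current)


# Constructed requests as the real server would see them after the ACE
# inserts the header: (TCP peer, X-Forwarded-For value, request line).
SAMPLE_REQUESTS = [
    # normal case: ACE inserted the header, peer is the NAT address
    ("50.70.1.20", "203.0.113.7", "GET / HTTP/1.1"),
    # client pre-sent a bogus value; the proxy's entry (assumed) sits rightmost
    ("50.70.1.20", "10.9.9.9, 203.0.113.7", "GET /admin HTTP/1.1"),
    # connection that bypassed the ACE: the header is not trusted at all
    ("198.51.100.5", "203.0.113.7", "GET / HTTP/1.1"),
    # no header (e.g. HTTPS passthrough, where the ACE cannot insert anything)
    ("50.70.1.20", None, "GET /secure HTTP/1.1"),
    # malformed header value
    ("50.70.1.20", "not-an-ip", "GET / HTTP/1.1"),
]


def log_lines(requests=SAMPLE_REQUESTS):
    """Return common-log-style lines keyed on the resolved client address."""
    return [f'{resolve_client_ip(peer, xff)} - - "{req}"' for peer, xff, req in requests]


if __name__ == "__main__":
    print("\n".join(log_lines()))
```

In Apache itself the same trust rule is `RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy 50.70.1.20` in mod_remoteip, after which `%a` in the LogFormat logs the resolved client rather than the NAT address.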

Do you think there's a workaround to get this for HTTPS traffic?

thanks

Laurent

OK, here it is: it's not working in HTTPS since the packets are encrypted, so appending a header can't work, unless the ACE itself does the encryption.

Here are some SSL encryption examples for the ACE

HTH

Hi Laurent,

The only workaround would be to do the SSL offloading first on the ACE and have it insert this header, then you can decide whether you want to send the traffic in clear text to the server or if you want to re-encrypt the traffic.

HTH

__ __

Pablo
