08-08-2011 04:54 PM
Hello Friends,
I have configured Cisco ACE 4710 with multi-hop (configured NAT) and it works OK. The real servers have Apache up, but when I access the VIP 50.80.1.100 via http://50.80.1.100, the logs on the real servers show 50.70.1.20 (the NAT IP address). My customer wants to see the source IP address. Can I see the source IP address on the Apache real servers?
Regards,
The config:
ace-demo/C1# sh run
Generating configuration....
logging enable
logging history 6
login timeout 0
access-list someone line 8 extended permit ip any any
access-list someone line 16 extended permit icmp any any
rserver host rsrv1
ip address 172.16.28.82
inservice
rserver host rsrv2
ip address 151.101.121.116
inservice
serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice
serverfarm host from-151.101.x.x
rserver rsrv2
inservice
serverfarm host from-172.16.x.x
rserver rsrv1
inservice
class-map type management match-any MGMT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol snmp any
6 match protocol telnet any
7 match protocol ssh any
class-map match-any VIP
2 match virtual-address 50.80.1.100 any
class-map type generic match-any from-151.101.x.x
2 match source-address 151.101.0.0 255.255.0.0
class-map type generic match-any from-172.16.x.x
2 match source-address 172.16.0.0 255.255.0.0
policy-map type management first-match mgmt
class MGMT
permit
policy-map type loadbalance first-match server-balance
class class-default
serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
class from-172.16.x.x
serverfarm from-172.16.x.x
class from-151.101.x.x
serverfarm from-151.101.x.x
class class-default
serverfarm farm-demo
policy-map multi-match client-side
class VIP
loadbalance vip inservice
loadbalance policy lb-server
loadbalance vip icmp-reply active
nat dynamic 20 vlan 70
interface vlan 70
description side-server
ip address 50.70.1.10 255.255.255.0
access-group input someone
access-group output someone
nat-pool 20 50.70.1.20 50.70.1.20 netmask 255.255.255.0 pat
service-policy input mgmt
no shutdown
interface vlan 80
description side-client
ip address 50.80.1.10 255.255.255.0
access-group input someone
access-group output someone
service-policy input mgmt
service-policy input client-side
no shutdown
ip route 0.0.0.0 0.0.0.0 50.80.1.1
ip route 172.16.0.0 255.255.0.0 50.70.1.1
ip route 151.101.0.0 255.255.0.0 50.70.1.1
ace-demo/C1#
08-08-2011 07:08 PM
Hi Alvaro,
What you can do in this case is ask your client to enable X-Forwarded-For header inspection on the Apache server. In your configuration you can instruct the ACE to insert the original client IP address with the command shown below.
policy-map type loadbalance generic first-match lb-server
class from-172.16.x.x
serverfarm from-172.16.x.x
insert-http X-Forwarded-For header-value "%is"
class from-151.101.x.x
serverfarm from-151.101.x.x
insert-http X-Forwarded-For header-value "%is"
class class-default
serverfarm farm-demo
insert-http X-Forwarded-For header-value "%is"
Now if you check the packets arriving at the servers, you will see a new header listed as "X-Forwarded-For" with the original client IP.
*Forgot to mention that this does not work for HTTPS traffic.
HTH
__ __
Pablo
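Added example, not from the thread and not Cisco's or Apache's own code: a small Python log reader showing what the Apache side of the X-Forwarded-For approach has to get right. It assumes the real servers log with a custom LogFormat that includes the X-Forwarded-For request header (the LogFormat string in the comment and the sample log lines are constructed assumptions), and it honours the header only when the TCP peer is the ACE's NAT address 50.70.1.20 from the configuration above, since any client can send its own X-Forwarded-For value. The same trust rule is what Apache's mod_remoteip applies with RemoteIPHeader and RemoteIPInternalProxy, so the servers can be configured to do this natively instead.

```python
import ipaddress
import re

# Constructed sample lines in an assumed custom Apache LogFormat that appends
# the X-Forwarded-For request header to the common log fields, e.g.:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" xff
# (assumption for this example; the thread does not show the servers' format)
SAMPLE_LOG = """\
50.70.1.20 - - [08/Aug/2011:16:54:01 -0500] "GET / HTTP/1.1" 200 612 "50.80.1.55"
50.70.1.20 - - [08/Aug/2011:16:54:02 -0500] "GET /index.html HTTP/1.1" 200 612 "50.80.1.77, 50.80.1.200"
50.80.1.99 - - [08/Aug/2011:16:54:03 -0500] "GET / HTTP/1.1" 200 612 "10.9.9.9"
50.70.1.20 - - [08/Aug/2011:16:54:04 -0500] "GET / HTTP/1.1" 200 612 "-"
"""

# Only the ACE's NAT address (nat-pool 20 in the thread) may vouch for XFF.
TRUSTED_PROXIES = {ipaddress.ip_address("50.70.1.20")}

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)


def client_ip(peer: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Return the address to treat as the client for one request.

    Mirrors mod_remoteip's behaviour with RemoteIPInternalProxy: the header is
    honoured only when the TCP peer is a trusted proxy, and hops are walked
    right-to-left skipping trusted proxies, so a value supplied by the client
    itself cannot override the one the ACE appended.
    """
    peer_addr = ipaddress.ip_address(peer)
    if peer_addr not in trusted or xff in ("", "-"):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed hop: fall back to the connection peer
        if addr not in trusted:
            return str(addr)
    return peer  # every hop was one of our own proxies


def parse_log(text: str) -> list:
    """Parse log lines into dicts, adding the resolved client address."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the expected format
        row = m.groupdict()
        row["client"] = client_ip(row["peer"], row["xff"])
        rows.append(row)
    return rows


def client_counts(text: str) -> dict:
    """Requests per resolved client, the per-source view the customer wants."""
    counts = {}
    for row in parse_log(text):
        counts[row["client"]] = counts.get(row["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in parse_log(SAMPLE_LOG):
        print(f'{row["client"]:>14}  (peer {row["peer"]}, xff "{row["xff"]}")  {row["request"]}')
```

The third sample line shows why the peer check matters: a request that reaches the server without passing through the ACE carries an X-Forwarded-For value of 10.9.9.9, and the reader correctly ignores it and logs the actual peer.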
02-23-2012 05:27 AM
Do you think there's a workaround to get this for HTTPS traffic?
thanks
Laurent
02-23-2012 06:13 AM
OK, here it is: it's not working in HTTPS since the packets are encrypted, so appending a header can't work, unless the ACE itself does the encryption.
Here are some SSL encryption examples for the ACE
HTH
02-23-2012 06:13 AM
Hi Laurent,
The only workaround would be to do the SSL offloading first on the ACE and have it insert this header; then you can decide whether you want to send the traffic in clear text to the server or re-encrypt the traffic.
HTH
__ __
Pablo