02-07-2014 06:27 AM
Hi,
I've built a web application load balanced by an ACE module on a Catalyst 6509. I have some doubts about choosing ACE one-arm or two-arm routed mode. Right now I've built the following architecture:
FWSM---------------------------------------
      |             |              |
     ACE           VIP          SERVERS
The ACE interface, the VIP and the real servers are on the same VLAN with the same IP subnet, and the servers have the ACE as gateway. I would like to know if there is something wrong with this configuration. I read that in one-arm mode there is a need to source NAT to make the server reply packets go to the ACE, but in my case I set the server gateway directly on the ACE. Is it correct?
Please any suggestion will be very appreciated.
Thanks in advance
regards
angelo
02-07-2014 06:32 AM
Hi Angelo,
If the server default gateway is the ACE then you don't need to do source NAT unless the client is also in the same subnet. If the client is in the same subnet then the real server will reply directly to the client. If the client is from a different subnet then no, you don't need to configure NAT.
Regards,
Kanwal
02-07-2014 06:52 AM
Hi Kanwal, first of all thank you for your reply.
You answered as I expected, so you reassured me about my doubt. Yes, the clients aren't on the same VLAN; they are external, coming from the FWSM outside interface. So let me please clarify this issue: what happens then for traffic directed to a real server from a client outside? I mean traffic not hitting the VIP, not load balanced, but with an rserver as destination? The FWSM will forward this traffic directly to the real server, but the server reply will first pass through the ACE, which then will forward it to the FWSM. Do you think that this situation could create a typical asymmetric routing scenario on the FWSM with "Deny TCP (no connection) from .......... "?
02-07-2014 07:08 AM
Hi Angelo,
Here the ACE won't be changing the IP address. The FWSM will receive the traffic from the real server's src IP, but the L2 MAC would be different, i.e. that of the ACE. Does it matter to the FWSM from where it receives the packet? Is it going to track the L2 information? If it is expecting the traffic from the same MAC to which it gave the packet then it could be a problem, otherwise not.
Regards,
Kanwal
02-07-2014 07:21 AM
Hi Kanwal,
Do you mean that simply receiving the reply packet from a different L2 MAC but the same src IP doesn't interfere with the default stateful inspection of the FWSM?
02-07-2014 07:29 AM
Hi Angelo,
If it is not checking L2 then I don't think it should matter, but I will have to check with the FWSM guy. Give me some time.
Regards,
Kanwal
02-07-2014 07:33 AM
OK Kanwal, thank you. I will wait for your kind reply.
Anyway, I didn't make any special configuration on the FWSM to check L2 information inside packets.
Regards
angelo
02-07-2014 07:41 AM
Hi Angelo,
While I am checking the FWSM behavior, I forgot to mention that by default, due to normalization, the ACE will drop the packets it receives from the real server since it won't have any information about the corresponding connection. You will need to disable normalization for this to work from the ACE perspective.
Regards,
Kanwal
02-07-2014 07:44 AM
Hi Angelo,
I just checked and it should not matter to the FWSM from where the packet came as long as the IPs are the same.
Regards,
Kanwal
02-07-2014 07:58 AM
Thanks a lot Kanwal for your useful support.
Regarding the normalization that you mentioned, is it true for all traffic passing through the ACE, also for the traffic that is not load-balanced? And moreover, do I have to disable it on the ACE interface by applying the "no normalization" command under config-if?
Regards
angelo
02-07-2014 08:48 AM
Hi Angelo,
Yes, you will need to do it on the interface, and it applies to all traffic. Normally disabling normalization is not suggested as it will expose your ACE to attacks, but if you have the FW taking care of the security you can do so.
Regards,
Kanwal
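To make the interface-level setting concrete, here is an added example of a one-arm ACE context matching the topology in this thread (servers' default gateway on the ACE, VIP and rservers in the same VLAN, FWSM as the ACE's upstream). It is not configuration from the original posts or from Cisco; the VLAN number, addresses and object names are assumed placeholders.

```cisco
! Real servers and farm (addresses are constructed placeholders)
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
serverfarm host SF-WEB
  rserver WEB1
    inservice
  rserver WEB2
    inservice

! VIP in the same subnet as the rservers
class-map match-all VIP-WEB
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
policy-map multi-match PM-WEB
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB

! ACE denies traffic by default; non-VIP traffic from the servers
! (their default gateway is this interface) must be permitted too
access-list ALL line 10 extended permit ip any any

! Single VLAN facing FWSM, VIP and servers (one-arm)
interface vlan 10
  ip address 10.1.1.1 255.255.255.0
  access-group input ALL
  service-policy input PM-WEB
  ! Thread's point: server replies to non-load-balanced flows
  ! arrive here with no matching connection entry, so TCP
  ! normalization would drop them. Disabling it removes the
  ! ACE's own TCP state checks, which is why the FWSM in front
  ! has to remain the stateful control point.
  no normalization
  no shutdown

! Upstream is the FWSM inside interface (placeholder address)
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```

Leaving normalization enabled and instead limiting what reaches the ACE (for example by source NATing only VIP traffic, as the opening post mentions) is the alternative if the FWSM cannot be relied on for all TCP state checking.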
02-10-2014 05:52 AM
Hi Kanwal,
thank you very much for your kind collaboration.
Your support was very useful.
thanks again
regards
angelo
02-10-2014 07:49 AM
Hi Angelo,
Glad to know that I was of help :)
Regards,
Kanwal