Cisco ACE - Firewall load balancing

smhussain
Level 1

I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).

The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.

The problem is that when I try to manage the load-balanced firewalls (using either SSH or HTTPS) from outside, that connection also gets load balanced, and when I try to connect to FW1 the connection sometimes ends up on FW2 and vice versa, and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.

Is there any other way of managing firewalls (which are defined as real servers) in a FWLB setup?

Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.

access-list ALL line 8 extended permit ip any any

probe icmp ICMP-Probe
  interval 15
  passdetect interval 60

rserver host FW1-ASA
  ip address 10.11.71.10
  inservice
rserver host FW2
  ip address 10.11.71.11
  inservice

serverfarm host Firewalls
  transparent
  predictor leastconns
  rserver FW1-ASA
    inservice
  rserver FW2
    inservice
serverfarm host Firewalls-NO-LB
  rserver FW1-ASA
    inservice
serverfarm host Firewalls-NO-LB1
  rserver FW2
    inservice

sticky ip-netmask 255.255.255.255 address source new-sticky
  timeout activeconns
  serverfarm Firewalls

-----------------------------------------------------------------------------------
This is my workaround for connection to the IP address of the firewalls (for management)

class-map match-any FW-Real
  2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
  2 match virtual-address 10.11.71.253 any

---------------------------------------------------------------------------------
class-map type management match-any Remote-Access
  201 match protocol telnet any
  202 match protocol http any
  203 match protocol https any
  204 match protocol ssh any
  205 match protocol snmp any
  206 match protocol icmp any
class-map match-any fwlb
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type management first-match Remote-Management-Policy
  class Remote-Access
    permit

-------------------------------------------------------------------------------

policy-map type loadbalance first-match FWLB-No-LB
  class class-default
    serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
  class class-default
    serverfarm Firewalls-NO-LB1

------------------------------------------------------------------------------
policy-map type loadbalance first-match FWLB-l7slb
  class class-default
    serverfarm Firewalls

policy-map multi-match Firewall-No-LB
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
policy-map multi-match int70
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb

interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
  service-policy input Firewall-No-LB1  --> connect to the real IP address of the firewall for management
  service-policy input int70
  no shutdown
interface vlan 71
  description "Firewall side"
  ip address 10.11.71.2 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  no shutdown

1 Reply

lacirasella
Level 1

Hello,

As far as I know, there is no other way.

You can only reduce your configuration by putting all your classes under the same policy-map:

policy-map multi-match int70
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb

interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input int70
  no shutdown
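The failure the question describes, and the class ordering the reply's consolidated policy-map relies on, as an added example (not configuration or code from this thread, and not Cisco's implementation): a small Python model of how a new flow entering vlan 70 is classified, which rserver it is handed to, and what destination address is on the wire on the firewall side. It assumes that classes in a multi-match policy are tried strictly in the order they are listed and the first matching `virtual-address` wins, that the `transparent` keyword on serverfarm `Firewalls` leaves the destination IP unchanged (only the destination MAC is rewritten), and that the non-transparent `Firewalls-NO-LB` farms NAT the VIP to the rserver address. The connection counts and the reversed policy are constructed for the example; the sticky group `new-sticky` is not modelled because the posted `FWLB-l7slb` policy references `serverfarm Firewalls` directly rather than the sticky group.

```python
"""Flow classification model for the ACE vlan 70 policy in this thread.

Added example, not code or configuration from the post. It models first-match
class selection in policy-map order, 'predictor leastconns', and the
'transparent' serverfarm keyword (no destination NAT) to show why an SSH or
HTTPS session to a firewall's real IP can land on the wrong firewall.
Rserver addresses are the ones posted; connection counts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rserver:
    name: str
    ip: str
    conns: int = 0              # connection count consulted by 'predictor leastconns'


@dataclass
class Serverfarm:
    name: str
    rservers: list
    transparent: bool = False   # 'transparent' keyword: destination IP is not rewritten
    predictor: str = "roundrobin"   # assumed default when no predictor is configured

    def pick(self):
        """Choose an rserver for a new flow (leastconns, else first rserver)."""
        if self.predictor == "leastconns":
            return min(self.rservers, key=lambda r: r.conns)
        return self.rservers[0]


@dataclass
class VipClass:
    """One 'match virtual-address A.B.C.D mask' class bound to a loadbalance policy."""
    name: str
    vip: ipaddress.IPv4Network
    farm: Serverfarm


def classify(policy, dst_ip):
    """Return the first class whose virtual-address covers dst_ip (assumed policy-map order)."""
    addr = ipaddress.IPv4Address(dst_ip)
    for cls in policy:
        if addr in cls.vip:
            return cls
    return None


def forward(policy, dst_ip):
    """Simulate what leaves the ACE on the firewall side for one new flow.

    Returns (class name, rserver name, destination IP on the wire, verdict).
    'delivered' means the firewall receiving the frame owns the destination IP;
    'misdirected' means it does not, so that firewall drops the session.
    """
    cls = classify(policy, dst_ip)
    if cls is None:
        return (None, None, dst_ip, "routed")     # no VIP matched: plain L3 forwarding
    rs = cls.farm.pick()
    rs.conns += 1
    wire_dst = dst_ip if cls.farm.transparent else rs.ip
    verdict = "delivered" if wire_dst == rs.ip else "misdirected"
    return (cls.name, rs.name, wire_dst, verdict)


def build_policy(fw1_conns, fw2_conns, catch_all_first=False):
    """Rebuild the thread's serverfarms and the consolidated int70 policy-map."""
    fw1 = Rserver("FW1-ASA", "10.11.71.10", fw1_conns)
    fw2 = Rserver("FW2", "10.11.71.11", fw2_conns)
    firewalls = Serverfarm("Firewalls", [fw1, fw2], transparent=True, predictor="leastconns")
    no_lb = Serverfarm("Firewalls-NO-LB", [fw1])    # not transparent: VIP is NATed to FW1
    no_lb1 = Serverfarm("Firewalls-NO-LB1", [fw2])  # not transparent: VIP is NATed to FW2
    classes = [
        VipClass("FW-Real", ipaddress.IPv4Network("10.11.71.254/32"), no_lb),
        VipClass("FW-Real2", ipaddress.IPv4Network("10.11.71.253/32"), no_lb1),
        VipClass("fwlb", ipaddress.IPv4Network("0.0.0.0/0"), firewalls),
    ]
    if catch_all_first:                 # constructed mis-ordering: catch-all shadows the VIPs
        classes.insert(0, classes.pop())
    return classes


if __name__ == "__main__":
    # Constructed state: FW1 is busier than FW2, so leastconns prefers FW2.
    policy = build_policy(fw1_conns=5, fw2_conns=2)
    print(forward(policy, "10.11.71.10"))    # SSH to FW1's real IP: sent to FW2 unchanged, dropped
    print(forward(policy, "10.11.71.254"))   # SSH to the FW1 management VIP: NATed to FW1
    shadowed = build_policy(5, 2, catch_all_first=True)
    print(forward(shadowed, "10.11.71.254"))  # catch-all first: VIP never matched
```

With FW1 busier than FW2, a session to the real address 10.11.71.10 is classified by the catch-all `fwlb` class and handed to FW2 with the destination still 10.11.71.10, which FW2 does not own; with equal counts it happens to reach FW1, which is the intermittent behaviour the question reports. The per-firewall VIP path is NATed to the right rserver regardless of load, and moving the catch-all ahead of the `FW-Real` classes would shadow both VIPs, which is why the order in the reply's single policy-map matters. Note that the posted `access-list ALL` permits `ip any any` on vlan 70, so the management VIPs are reachable from any client-side host unless a tighter access-group is applied.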