Cisco ACE with F5 ASM

chenyokechuan
Level 1

Hi All,

How can I divert traffic to the F5 ASM (Web Application Firewall) before it reaches the real server?

access-list ANYONE line 8 extended permit ip any any

probe icmp ICMP
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4
probe tcp TCP_80
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4

rserver host F5_ASM_01
  ip address 10.25.245.4
  inservice
rserver host SSCP_01
  ip address 10.26.74.21
  inservice
rserver host SSCP_02
  ip address 10.26.74.22
  inservice

serverfarm host F5_ASM
  transparent
  failaction purge
  predictor hash address source
  probe ICMP
  rserver F5_ASM_01
    inservice
serverfarm host Web_farm
  failaction purge
  predictor hash address source
  probe TCP_80
  rserver SSCP_01
    inservice
  rserver SSCP_02
    inservice


class-map match-all F5_VIP
  2 match virtual-address 10.25.245.1 tcp eq www
class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
class-map match-all Web_80_class
  2 match virtual-address 172.20.133.100 tcp eq www

policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit

policy-map type loadbalance first-match F5_ASM_policy
  class class-default
    serverfarm F5_ASM backup Web_farm
policy-map type loadbalance first-match Web_policy
  class class-default
    serverfarm Web_farm

policy-map multi-match Accel_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy F5_ASM_policy
    loadbalance vip icmp-reply active
policy-map multi-match Web_SLB_policy
  class F5_VIP
    loadbalance vip inservice
    loadbalance policy Web_policy
    loadbalance vip icmp-reply active

service-policy input Mgmt_policy
access-group input ANYONE

interface vlan 271
  description ### Client side ###
  ip address 172.20.133.27 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Accel_SLB_policy
  no shutdown
interface vlan 281
  description ### F5 ASM side ###
  ip address 10.25.245.10 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Web_SLB_policy
  no shutdown
interface vlan 291
  description ### Server side ###
  ip address 10.26.74.2 255.255.255.0
  no normalization
  mac-sticky enable
  no shutdown

DR-ACE-01/PORTAL-TIER1#

DR-ACE-01/PORTAL-TIER1# sh conn address 172.20.133.88 netmask 255.255.255.255

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
36750      1  in  TCP   271  172.20.133.88:61234   172.20.133.100:80     ESTAB
35100      1  out TCP   281  172.20.133.100:80     172.20.133.88:61234   ESTAB

Missing: in TCP 281 to out TCP 291....

The F5 ASM points to 10.25.245.1 (ACE VIP) as its gateway.

Please help.

Thanks

YokeChuan
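
An added troubleshooting helper, not code from the thread or from Cisco: it parses the sh conn rows quoted above and reports which (in VLAN, out VLAN) hops of the intended client -> ASM -> server path have no matching connection pair, which is exactly how the absent 281 -> 291 leg shows up. It assumes no source NAT on the ACE, so the client socket is preserved across each hop and can be used to pair the in and out rows.

```python
import re
from collections import namedtuple

# Constructed sample: the two rows the poster's "sh conn" printed. The F5 -> real
# server leg (in on VLAN 281, out on VLAN 291) is absent, which is the reported problem.
SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
36750      1  in  TCP   271  172.20.133.88:61234   172.20.133.100:80     ESTAB
35100      1  out TCP   281  172.20.133.100:80     172.20.133.88:61234   ESTAB
"""

# Hops the single-context design in the post needs: client VLAN -> ASM VLAN,
# then ASM VLAN -> server VLAN (VLAN numbers taken from the posted config).
EXPECTED_LEGS = [(271, 281), (281, 291)]

ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)

Conn = namedtuple("Conn", "conn_id direction vlan src dst")

def parse_show_conn(text):
    """Parse the tabular 'sh conn' output; the header and separator rows do not match."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(int(m["id"]), m["dir"], int(m["vlan"]), m["src"], m["dst"]))
    return conns

def legs_present(conns):
    """Pair each 'in' row with the 'out' row whose destination is the same client
    socket (assumption: no source NAT, so the client endpoint survives the hop) and
    return the set of (in_vlan, out_vlan) hops the ACE has actually built."""
    outs = [c for c in conns if c.direction == "out"]
    return {(c.vlan, o.vlan) for c in conns if c.direction == "in"
            for o in outs if o.dst == c.src}

def missing_legs(conns, expected=EXPECTED_LEGS):
    """Hops the design calls for that have no matching connection pair."""
    present = legs_present(conns)
    return [leg for leg in expected if leg not in present]

if __name__ == "__main__":
    for leg in missing_legs(parse_show_conn(SHOW_CONN)):
        print(f"missing leg: in VLAN {leg[0]} -> out VLAN {leg[1]}")
```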

5 Replies

ajayku2
Cisco Employee

Hi,

I would suggest passing the traffic to the F5 first and then to the ACE. Why would you need to pass traffic through the ACE twice?

So I would suggest this way:

Client traffic on VLAN 10 >> Web application firewall VLAN 10  >>>> screens the traffic >>>> Pass it to Vlan 11

>>> VLAN 11 is forwarded to ACE >>> ACE load balance the traffic >>>> Pass it to vlan 12 ( server vlan)

regards,

Ajay Kumar

Hi Ajay,

Thanks for the reply and suggestion.

In the client's current production network, the ACE performs VIP load balancing for the existing server farm.

The client doesn't plan to modify the current network setup. That is why the F5 ASM is set up to attach to the ACE.

Is the ACE able to handle this kind of setup (traffic passing through the ACE twice)?

Thanks

YokeChuan

Hi Yoke,

It is possible. You just have to create two ACE contexts.

ACE context 1 --    Vlan 10 ( Client )  ----  Vlan 11 ( Web app firewall )

ACE context 2 -- VLAN 12 ( Web app firewall traffic ) --- Vlan 13 ( Serverfarm)

Also read the following:

By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.

When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.

To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:

mac address autogenerate

regards,

Ajay Kumar

Hi Ajay,

Thanks for the reply.

I have created 2 contexts as suggested, but I am still confused about the WAF routing.

Below are the configuration files for the Portal-Tier1 and Web-Server contexts.

DR-ACE-01/PORTAL-TIER1# sh run
Generating configuration....


access-list ANYONE line 8 extended permit ip any any

probe icmp ICMP
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4

rserver host F5_ASM_01
  ip address 10.25.245.4
  inservice

serverfarm host F5_ASM
  transparent
  failaction purge
  predictor hash address source
  probe ICMP
  rserver F5_ASM_01
    inservice


class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any


class-map match-all Web_80_class
  2 match virtual-address 172.20.133.100 tcp eq www

policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit

policy-map type loadbalance first-match F5_ASM_policy
  class class-default
    serverfarm F5_ASM

policy-map multi-match Accel_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy F5_ASM_policy
    loadbalance vip icmp-reply active

service-policy input Mgmt_policy
access-group input ANYONE

interface vlan 271
  description ### Client side ###
  ip address 172.20.133.27 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Accel_SLB_policy
  no shutdown
interface vlan 281
  description ### F5 ASM side ###
  ip address 10.25.245.10 255.255.255.0
  no normalization
  mac-sticky enable
  mac-address autogenerate
  no shutdown

DR-ACE-01/PORTAL-TIER1#

DR-ACE-01/WEB-Server# sh run
Generating configuration....

access-list ANYONE line 8 extended permit ip any any

probe tcp TCP_80
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4

rserver host SSCP_01
  ip address 10.26.74.21
  inservice


rserver host SSCP_02
  ip address 10.26.74.22
  inservice

serverfarm host Web_farm
  failaction purge
  predictor hash address source
  probe TCP_80
  rserver SSCP_01
    inservice
  rserver SSCP_02
    inservice


class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any

class-map match-all Web_80_class
  2 match virtual-address 10.26.75.100 tcp eq www

policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit

policy-map type loadbalance first-match Web_policy
  class class-default
    serverfarm Web_farm

policy-map multi-match Web_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy Web_policy
    loadbalance vip icmp-reply active

service-policy input Mgmt_policy
access-group input ANYONE

interface vlan 291
  ip address 10.26.74.2 255.255.255.0
  no normalization
  no shutdown
interface vlan 292
  ip address 10.26.75.2 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Web_SLB_policy
  no shutdown

DR-ACE-01/WEB-Server#

Do I still need a VIP for VLAN 292?

Should the WAF route to the VLAN 292 VIP, or just do normal routing to the interface?

Do you have any sample for reference?

Thanks in advance.

Thanks

YokeChuan

Hi,

This should help you. The only thing that is different is that you are not doing firewall load balancing. Everything else will help you configure it the right way.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/fwldbal.html

regards,

Ajay Kumar