Config no NAT, Transparent client IP

Fco.Javier
Level 1

Hello, I have to change the configuration to not use NAT and to have the client IP (transparent mode).

My configuration:

ssh maxsessions 1

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe icmp PROBE_PING
  interval 30
probe tcp PROBE_TCP
  interval 30

rserver host WEB_1
  ip address 172.16.10.11
  conn-limit max 50000 min 40000
  weight 1
  inservice
rserver host WEB_1AND1
  ip address 82.165.194.101
  conn-limit max 50000 min 40000
  inservice
rserver host WEB_2
  ip address 172.16.10.10
  conn-limit max 50000 min 40000
  weight 1
  inservice

serverfarm host FARM_HTTPS
  transparent
  predictor leastconns
  probe PROBE_TCP
  rserver WEB_1 443
    inservice
  rserver WEB_2 443
    inservice
serverfarm host FARM_WEB
  transparent
  predictor leastconns
  probe PROBE_TCP
  rserver WEB_1
    inservice
  rserver WEB_2
    inservice
serverfarm host FARM_WP
  transparent
  probe PROBE_TCP
  rserver WEB_1
    inservice

parameter-map type http HTTP_PARAMETER_MAP
  no persistence-rebalance

class-map match-all FARM_HTTPS
  2 match virtual-address 178.33.0.129 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.0.129 tcp eq www
class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 82.165.194.101 255.255.255.255
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-any SECURE_HTTPS
  2 match protocol https any
  3 match protocol ssh any
class-map type http loadbalance match-all WP_BLOG
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /blog.*
class-map type http loadbalance match-all WP_ECO
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /eco.*
class-map type http loadbalance match-all WP_INFO
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /info.*
class-map match-all public_remote

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match REMOTE_PUBLIC_MGMT
  class PUBLIC_REMOTE
    permit
  class SECURE_HTTPS
    permit
policy-map type management first-match SECURE_HTTPS_POLICY
  class SECURE_HTTPS
    permit

policy-map type loadbalance http first-match FARM_HTTPS_POLICY
  class class-default
    serverfarm FARM_HTTPS
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class WP_ECO
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class WP_INFO
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class WP_BLOG
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"

policy-map multi-match POLICY_HTTPS
  class FARM_HTTPS
    loadbalance vip inservice
    loadbalance policy FARM_HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2222
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2222
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

access-group input ANY

interface vlan 1215
  ip address 178.33.0.138 255.255.255.240
  alias 178.33.0.137 255.255.255.240
  peer ip address 178.33.0.139 255.255.255.240
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  service-policy input SECURE_HTTPS_POLICY
  service-policy input POLICY_HTTPS
  no shutdown
interface vlan 2222
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ft track interface VLAN1215
  track-interface vlan 1215
  peer track-interface vlan 1215
  priority 50
  peer priority 5

ip route 0.0.0.0 0.0.0.0 178.33.0.142

default-domain

Any idea? Thanks.


ajayku2
Cisco Employee

Hi Javier,

To me it looks like you are not doing SSL offload on ACE, so x-forward is not going to work, as ACE cannot look into the data.

I see that ACE is in routed mode, as the server and VIP belong to two different subnets.

So ideally, if you can point the default gateway on the servers to the ACE alias IP, you can remove the NAT without any issues.

In case the server has dual NICs, make sure the default gateway is only configured on the NIC facing ACE.

Hope that helps.

regards,

Ajay Kumar
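The reply above boils down to three checks on the posted configuration: find the source-NAT statements that hide the client address (the `nat dynamic` lines under the VIP classes and the `nat-pool` on the server VLAN), find the alias IP on the server-facing VLAN that the servers must use as their default gateway once NAT is gone, and flag `insert-http` on an HTTPS VIP that has no SSL offload, where ACE cannot see the headers. The script below is an added example written for this page, not code from the thread or from Cisco: it runs those checks over a constructed excerpt of the posted config. It assumes two-space indentation per nesting level in the config text and uses the presence of an `ssl-proxy server` command under a VIP class as the marker for SSL offload on ACE; the server-facing VLAN is taken to be the one whose alias sits in the same subnet as the rservers.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the ACE configuration from the post above
# (rservers, VIP class-maps, policies and interfaces only).
SAMPLE_CONFIG = """\
rserver host WEB_1
  ip address 172.16.10.11
serverfarm host FARM_HTTPS
  transparent
  rserver WEB_1 443
    inservice
class-map match-all FARM_HTTPS
  2 match virtual-address 178.33.0.129 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.0.129 tcp eq www
policy-map type loadbalance http first-match FARM_HTTPS_POLICY
  class class-default
    serverfarm FARM_HTTPS
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"
policy-map multi-match POLICY_HTTPS
  class FARM_HTTPS
    loadbalance policy FARM_HTTPS_POLICY
    nat dynamic 1 vlan 2222
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance policy WEB_L7_POLICY
    nat dynamic 1 vlan 2222
interface vlan 1215
  ip address 178.33.0.138 255.255.255.240
  alias 178.33.0.137 255.255.255.240
interface vlan 2222
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
"""


def parse(text):
    """Parse ACE config into {header: [(item, [sub-items])]} by indentation
    (assumed: headers at column 0, items at two spaces, deeper lines attach
    to the previous item)."""
    blocks, header = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            header = line
            blocks[header] = []
        elif indent == 2 and header is not None:
            blocks[header].append((line, []))
        elif blocks.get(header):
            blocks[header][-1][1].append(line)
    return blocks


def audit(text):
    """Report what has to change to hand the real client IP to the servers."""
    cfg = parse(text)
    out = {"remove": [], "server_gateway": None, "xff_ineffective": []}
    rservers = [ip_address(i.split()[2]) for h, items in cfg.items()
                if h.startswith("rserver host") for i, _ in items
                if i.startswith("ip address")]
    https_vips = {h.split()[-1] for h, items in cfg.items()
                  if h.startswith("class-map match-all")
                  and any("tcp eq https" in i for i, _ in items)}
    xff_policies = {h.split()[-1] for h, items in cfg.items()
                    if h.startswith("policy-map type loadbalance http")
                    and any(s.startswith("insert-http") for _, subs in items for s in subs)}
    for header, items in cfg.items():
        if header.startswith("policy-map multi-match"):
            for item, subs in items:
                # Source NAT replaces the client address: these lines must go.
                out["remove"] += [f"{header} / {item}: {s}" for s in subs
                                  if s.startswith("nat dynamic")]
                # Header insertion needs plaintext HTTP; on an HTTPS VIP that
                # means SSL offload ('ssl-proxy server', assumed marker) in the class.
                lb = [s.split()[-1] for s in subs if s.startswith("loadbalance policy")]
                if (item.split()[1] in https_vips
                        and not any(s.startswith("ssl-proxy server") for s in subs)
                        and any(p in xff_policies for p in lb)):
                    out["xff_ineffective"].append(f"{header} / {item}")
        elif header.startswith("interface vlan"):
            for item, _ in items:
                if item.startswith("nat-pool"):
                    out["remove"].append(f"{header}: {item}")
                elif item.startswith("alias"):
                    _, ip, mask = item.split()
                    # Without NAT the return path must cross ACE, so the servers'
                    # default gateway is the alias on the VLAN they live in.
                    if any(r in ip_network(f"{ip}/{mask}", strict=False) for r in rservers):
                        out["server_gateway"] = ip
    return out


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the excerpt this lists the two `nat dynamic 1 vlan 2222` lines and the `nat-pool` on vlan 2222 for removal, names 172.31.255.249 (the vlan 2222 alias, not the 178.33.0.137 alias on the VIP side) as the gateway the servers should point at, and flags only the HTTPS class for ineffective header insertion; the plain-HTTP VIP is left alone because ACE can read those requests.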