01-18-2013 03:25 AM
Hello, I have to change the configuration to not use NAT and have the client IP (transparent mode).
My configuration:
ssh maxsessions 1
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe icmp PROBE_PING
  interval 30
probe tcp PROBE_TCP
  interval 30
rserver host WEB_1
  ip address 172.16.10.11
  conn-limit max 50000 min 40000
  weight 1
  inservice
rserver host WEB_1AND1
  ip address 82.165.194.101
  conn-limit max 50000 min 40000
  inservice
rserver host WEB_2
  ip address 172.16.10.10
  conn-limit max 50000 min 40000
  weight 1
  inservice
serverfarm host FARM_HTTPS
  transparent
  predictor leastconns
  probe PROBE_TCP
  rserver WEB_1 443
    inservice
  rserver WEB_2 443
    inservice
serverfarm host FARM_WEB
  transparent
  predictor leastconns
  probe PROBE_TCP
  rserver WEB_1
    inservice
  rserver WEB_2
    inservice
serverfarm host FARM_WP
  transparent
  probe PROBE_TCP
  rserver WEB_1
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  no persistence-rebalance
class-map match-all FARM_HTTPS
  2 match virtual-address 178.33.0.129 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.0.129 tcp eq www
class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 82.165.194.101 255.255.255.255
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-any SECURE_HTTPS
  2 match protocol https any
  3 match protocol ssh any
class-map type http loadbalance match-all WP_BLOG
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /blog.*
class-map type http loadbalance match-all WP_ECO
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /eco.*
class-map type http loadbalance match-all WP_INFO
  2 match http header Host header-value "www[.]WEB[.]com"
  3 match http url /info.*
class-map match-all public_remote
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match REMOTE_PUBLIC_MGMT
  class PUBLIC_REMOTE
    permit
  class SECURE_HTTPS
    permit
policy-map type management first-match SECURE_HTTPS_POLICY
  class SECURE_HTTPS
    permit
policy-map type loadbalance http first-match FARM_HTTPS_POLICY
  class class-default
    serverfarm FARM_HTTPS
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class WP_ECO
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class WP_INFO
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class WP_BLOG
    serverfarm FARM_WP
    insert-http x-forward header-value "%is"
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"
policy-map multi-match POLICY_HTTPS
  class FARM_HTTPS
    loadbalance vip inservice
    loadbalance policy FARM_HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2222
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2222
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
access-group input ANY
interface vlan 1215
  ip address 178.33.0.138 255.255.255.240
  alias 178.33.0.137 255.255.255.240
  peer ip address 178.33.0.139 255.255.255.240
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  service-policy input SECURE_HTTPS_POLICY
  service-policy input POLICY_HTTPS
  no shutdown
interface vlan 2222
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ft track interface VLAN1215
  track-interface vlan 1215
  peer track-interface vlan 1215
  priority 50
  peer priority 5
ip route 0.0.0.0 0.0.0.0 178.33.0.142
default-domain
Any idea??? Thanks
01-18-2013 06:43 AM
Hi Javier,
To me it looks like you are not doing SSL offload on ACE, so x-forward is not going to work, as ACE cannot look into the data.
I see that ACE is in routed mode, as server and VIP belong to two different subnets.
So ideally, if you can point the default gateway on the servers to the ACE alias IP, you can remove the NAT without any issues.
In case the server has dual NICs, make sure the default gateway is only configured on the NIC facing ACE.
Hope that helps.
regards,
Ajay Kumar
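As an added example (not code from the thread, from Cisco, or from the ACE software), the Python script below parses an ACE configuration in the form posted above and flags the two points raised in the reply: a class under a "policy-map multi-match" that still applies "nat dynamic" (the real servers then see the NAT-pool address instead of the client IP), and an "insert-http" header attached to an HTTPS VIP whose class has no "ssl-proxy server" line (without TLS termination on the ACE the header can never be written into the encrypted stream). The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the posted configuration with the same object names, and the remove_source_nat helper is an assumption of this example, showing the "nat dynamic" lines dropped as the reply suggests once the servers default-route via the ACE alias IP.

```python
"""Audit a Cisco ACE configuration for source NAT that hides the client IP and
for insert-http headers on HTTPS VIPs that the ACE does not terminate.
Added example; not code from the thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of the posted configuration (same object
# names, trimmed to the class-maps and policy-maps the checks need).
SAMPLE_CONFIG = """\
class-map match-all FARM_HTTPS
  2 match virtual-address 178.33.0.129 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.0.129 tcp eq www
policy-map type loadbalance http first-match FARM_HTTPS_POLICY
  class class-default
    serverfarm FARM_HTTPS
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"
policy-map multi-match POLICY_HTTPS
  class FARM_HTTPS
    loadbalance vip inservice
    loadbalance policy FARM_HTTPS_POLICY
    nat dynamic 1 vlan 2222
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    nat dynamic 1 vlan 2222
"""

# A top-level object keyword ends whatever block is being parsed. The patterns
# are specific enough not to fire on nested lines such as "serverfarm FARM_WEB".
TOP_LEVEL = re.compile(r"^(class-map |policy-map |serverfarm (?:host|redirect) |"
                       r"rserver (?:host|redirect) |interface |probe \w+ |"
                       r"parameter-map |access-list |access-group |ip route |ft |ssh )")


@dataclass
class VipClass:
    """One 'class X' section inside a 'policy-map multi-match'."""
    policy_map: str
    class_map: str
    lb_policy: Optional[str] = None
    source_nat: bool = False   # 'nat dynamic ...' present on the class
    ssl_proxy: bool = False    # 'ssl-proxy server ...' present (TLS ends on the ACE)


def parse(config: str):
    vips, lb_headers, classes = {}, {}, []   # VIP class-maps, inserted headers, classes
    block, current = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"class-map match-(?:all|any) (\S+)$", line):
            block = ("classmap", m.group(1))
        elif m := re.match(r"policy-map type loadbalance http first-match (\S+)$", line):
            block = ("lb", m.group(1))
            lb_headers[m.group(1)] = []
        elif m := re.match(r"policy-map multi-match (\S+)$", line):
            block, current = ("mm", m.group(1)), None
        elif TOP_LEVEL.match(line) or block is None:
            block, current = None, None      # some other top-level object: skip it
        elif block[0] == "classmap":
            if m := re.match(r"\d+ match virtual-address (\S+) (tcp|udp) eq (\S+)", line):
                vips[block[1]] = (m.group(1), m.group(2), m.group(3))
        elif block[0] == "lb":
            if m := re.match(r"insert-http (\S+) header-value", line):
                lb_headers[block[1]].append(m.group(1))
        elif m := re.match(r"class (\S+)$", line):       # inside a multi-match policy
            current = VipClass(block[1], m.group(1))
            classes.append(current)
        elif current is not None:
            if m := re.match(r"loadbalance policy (\S+)$", line):
                current.lb_policy = m.group(1)
            elif line.startswith("nat dynamic "):
                current.source_nat = True
            elif line.startswith("ssl-proxy server "):
                current.ssl_proxy = True
    return vips, lb_headers, classes


def audit(config: str) -> list:
    """Return one finding string per problem found in the configuration."""
    vips, lb_headers, classes = parse(config)
    findings = []
    for c in classes:
        where = f"{c.policy_map} / class {c.class_map}"
        if c.source_nat:
            findings.append(f"{where}: nat dynamic is applied, so the real servers see "
                            "the NAT-pool address instead of the client IP")
        headers = lb_headers.get(c.lb_policy, []) if c.lb_policy else []
        vip = vips.get(c.class_map)
        if headers and vip and vip[2] == "https" and not c.ssl_proxy:
            findings.append(f"{where}: {c.lb_policy} inserts {', '.join(headers)} on an "
                            "HTTPS VIP with no ssl-proxy server, so the ACE cannot write "
                            "the header into the encrypted stream")
    return findings


def remove_source_nat(config: str) -> str:
    """Hypothetical helper: the configuration with every 'nat dynamic' line dropped."""
    return "\n".join(l for l in config.splitlines()
                     if not l.strip().startswith("nat dynamic ")) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("before:", f)
    for f in audit(remove_source_nat(SAMPLE_CONFIG)):
        print("after: ", f)
```

Run against the sample, the "before" pass reports NAT on both VIP classes plus the unusable x-forward header on the HTTPS VIP; after the NAT lines are removed only the HTTPS header finding remains, which matches the reply: dropping NAT gives the servers the client IP on port 80, but the header on port 443 still needs SSL offload on the ACE before it can do anything.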