Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
900
Views
0
Helpful
3
Replies

connection from behind one VIP to another

lni1
Level 1
Level 1

‎11-22-2013 06:04 AM

hello experts,

we have the following setup:

2 different contexts with the same VLAN's on the outside and on the inside.

context1

outside VLAN89 - VIP1 (in VLAN89) - rservers1-2 in VLAN36 (inside)

contect2

outside VLAN89 - VIP2 (inVLAN89) - rservers3-4 in VLAN36. (inside)

now, there is a need to reach an application on VIP2 from servers behind VIP1.

we do source natting on those servers and we can connect from rservers1-2 to ip's in VLAN89.

however, if we try to connect to VIP2: the connection fails. Is this some kind of security mechanism? and if so, is there a way to bypass it?

thanx in advance

Labels:
0 Helpful
3 Replies 3

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎11-22-2013 07:16 AM

hi,

Inter-context traffic is not permitted but there is a work around,


If a rserver S in vlan 10 of context A wants to communicate with vlan 20, VIP-B, you should configure context A with a static host route, pointing VIP-B to the default gateway. This default gateway will then forward the traffic to context B and for ACE it is like the connection comes from outside and not another context. Same for response. You need on context B a route for vlan 10 via the gateway

.

Please try and let me know.

Regards,

Kanwal

0 Helpful

lni1
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-25-2013 04:18 AM

hi,

thank you for the quick response, but the solution don't work.

i have done the following:

contextA with public side in vlan89 end serverside in vlan 36:

*natting to hide requests from the rserver behind a public address in vlan89 (x.x.246.80)

*a static route to vipB via the DG (route x.x.246.53 255.255.255.255 x.x.246.254)

contextB with public side in vlan89 and serverside in vlan36

*a static route to vipA via DG (route x.x.246.80 255.255.255.255 x.x.246.254)

remark:

*both VIP's are in the same subnet, so no routing is done on the DG)

*when accessing another mazhine in the same subnet (but nog behind ACE° we see correctly the address x.x.246.80, so the outgoing NAT works...

any idea's?

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to lni1

‎11-25-2013 09:19 AM

Hi,

If you ping from rservers or trace route to the context B vip and vice-versa, is it going according to the routing you have configured? If yes,  then it should work fine.

Regards,

Kanwal

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card