03-11-2010 02:46 AM
Hi,
I have configured a normal ACE 4710 in bridge mode and I have statically NATted the ACE VIP in the firewall. But when I FTP to the ACE NATted IP from the outside network, I can connect to any of the virtual servers, but when I run "ls", the directory listing does not work.
Below is my ACE configuration.
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
  ip address 172.16.20.1
  inservice
rserver host srv2
  ip address 172.16.20.2
  inservice
serverfarm host srv
  rserver srv1
    inservice
  rserver srv2
    inservice
sticky ip-netmask 255.255.255.255 address both SG1
  timeout 120
  serverfarm srv
class-map type management match-any remote-mgmt
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol xml-https any
class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any
policy-map type management first-match remote-mgmt
  class remote-mgmt
    permit
policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
interface vlan 20
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  no shutdown
interface vlan 23
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
interface bvi 1
  ip address 172.16.20.9 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.20.254
What could be the reason for this issue?
Thanks,
Pawan
03-11-2010 06:27 AM
Hi Pawan,
At the moment you type "ls", the data connection will be opened. Usually FTP clients default to active FTP, which means the server will open the connection.
I am not seeing NATing on the ACE: is the real able to reach the client?
Does it also fail with passive ftp?
Can you use a CLI ftp client and copy/paste what you get on console when trying to FTP to VIP?
Michael
03-11-2010 06:30 AM
Hello,
I think this should work fine if you are using Passive FTP, so you might be using Active FTP. If this is the case, you would need to use inspect ftp so the ACE can perform the needed fix-ups:
You Currently Have:
class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any
policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
Add the parts below that are not in your current config (the ftp-vip class-map and the inspect ftp line), and test:
class-map match-all ftp-vip
  2 match virtual-address 172.16.20.10 tcp eq ftp
class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any
policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1
policy-map multi-match client-vips
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
    inspect ftp   <-- note that ftp inspection is only applied to FTP traffic
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
Hope this helps,
Sean
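Michael's and Sean's answers above both rest on the same fact: FTP carries IP addresses and ports inside the control channel (the PORT command in active mode, the 227 reply in passive mode), which is why the ACE needs inspect ftp to fix them up and to expect the resulting data connection. The Python below is an added illustration of what such an inspector does with those two lines; it is not part of this thread and not Cisco's implementation. The REAL_TO_VIP map and the sample PORT/227 lines are constructed to match the addresses in Pawan's config.

```python
"""Toy FTP control-channel inspector illustrating what 'inspect ftp' has to
do for the setup in this thread. Constructed teaching example, not Cisco
code: the address map and sample lines are made up to match the thread."""
import re

# Constructed: the two reals in serverfarm srv behind the single VIP.
REAL_TO_VIP = {"172.16.20.1": "172.16.20.10", "172.16.20.2": "172.16.20.10"}

# RFC 959 encodes an address and port as six decimal bytes: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^(227 .*?\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\).*)$")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Six decimal bytes -> ("a.b.c.d", port)."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def encode_hostport(host, port):
    """("a.b.c.d", port) -> "a,b,c,d,p1,p2" as FTP expects."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def inspect_client_line(line, control_peer):
    """Client -> server direction (active mode).

    PORT tells the server where to connect back to. A device that does not
    read it cannot associate the server-initiated data connection with the
    VIP session, so the data channel (and therefore "ls") stalls.
    Returns (unchanged line, expected-flow dict or None)."""
    m = PORT_RE.match(line)
    if not m:
        return line, None
    host, port = decode_hostport(*m.groups())
    if host != control_peer:
        # Refuse to expect a flow toward an address other than the peer that
        # sent the command; an inspector must not relay third-party addresses.
        raise ValueError(f"PORT address {host} != control peer {control_peer}")
    return line, {"initiator": "server", "dst": host, "dport": port}


def inspect_server_line(line):
    """Server -> client direction (passive mode).

    The 227 reply carries the real server's own IP. Left alone, the client
    would try to reach 172.16.20.x directly instead of the VIP, so the
    inspector rewrites it to the VIP and records the flow it now expects."""
    m = PASV_RE.match(line)
    if not m:
        return line, None
    prefix, *six, suffix = m.groups()
    real, port = decode_hostport(*six)
    vip = REAL_TO_VIP.get(real, real)
    rewritten = f"{prefix}{encode_hostport(vip, port)}{suffix}"
    return rewritten, {"initiator": "client", "dst": vip, "dport": port, "real": real}


if __name__ == "__main__":
    # Constructed sample lines: a client at 10.1.1.5 and the reply from srv1.
    print(inspect_client_line("PORT 10,1,1,5,4,1", "10.1.1.5"))
    print(inspect_server_line("227 Entering Passive Mode (172,16,20,1,195,80)."))
```

Both directions matter for the symptom in this thread: with only the any class and no inspection, the active-mode PORT flow is never anticipated and the passive-mode 227 reply still advertises the real server's address, which is consistent with Pawan's report that neither mode worked before inspect ftp was added.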
03-11-2010 07:05 AM
Thanks Sean, it's working. But with my previous configuration I tried both modes, active and passive, and nothing was working.
If I use what you suggested, in that case can I use two different classes, i.e. one for FTP and another for the web server (class ftp-vip & class slb-vip)? If yes, then I have to put 2 match virtual-address 172.16.20.10 any, and I am not sure which will work for FTP too.
Please suggest.
Thanks,
Pawan
03-11-2010 07:15 AM
Hi Pawan,
Ideally, you want to accomplish your desired operation without using the any keyword. The any keyword allows clients to connect to your rservers through the VIP via any protocol, which could be considered a security risk. You should always try to lock your VIPs down to only the protocols that you intend to be load balanced. So if you want to load balance only HTTP and FTP traffic on this VIP, then your config would look something like this:
class-map match-all ftp-vip
  2 match virtual-address 172.16.20.10 tcp eq ftp
class-map match-all www-vip
  2 match virtual-address 172.16.20.10 tcp eq www
policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1
policy-map multi-match client-vips
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
    inspect ftp   <-- note that ftp inspection is only applied to FTP traffic
  class www-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
You could always add the any class-map back in and put it at the bottom of your multi-match policy to catch "other" protocols, but you should only do this if necessary.
Does this make sense?
Sean
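To make Sean's two points checkable (a VIP matched with any is open to every protocol, and an FTP VIP needs inspect ftp in its multi-match class), here is an added Python audit script; it is not part of this thread and not a Cisco tool. The BEFORE and AFTER snippets are transcribed from the configs posted above, and the parser only understands the class-map and policy-map multi-match lines it needs, ignoring indentation so a paste from a post or "show run" works.

```python
"""Audit ACE class-map / multi-match policy blocks for two findings raised in
this thread: a VIP matched with 'any', and an FTP VIP without 'inspect ftp'.
Constructed example, not Cisco tooling; snippets transcribed from the thread."""
import re

# Constructed from Pawan's original post: one class-map matching any protocol.
BEFORE = """\
class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
"""

# Constructed from Sean's suggested config: one class-map per protocol.
AFTER = """\
class-map match-all ftp-vip
  2 match virtual-address 172.16.20.10 tcp eq ftp
class-map match-all www-vip
  2 match virtual-address 172.16.20.10 tcp eq www
policy-map multi-match client-vips
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
    inspect ftp
  class www-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
"""

VIP_RE = re.compile(r"^\d+\s+match virtual-address (\S+)\s+(.+)$")


def parse(config):
    """Return ({class-map: [(vip, matcher)]}, {policy: [(class, [actions])]}).
    Block starts are recognised by keyword, not indentation."""
    classmaps, policies = {}, {}
    cur_cm = cur_pol = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map "):
            cur_cm, cur_pol = line.split()[-1], None
            classmaps[cur_cm] = []
        elif line.startswith("policy-map multi-match "):
            cur_pol, cur_cm = line.split()[-1], None
            policies[cur_pol] = []  # list keeps class order for the "last" check
        elif line.startswith("policy-map "):
            cur_cm = cur_pol = None  # loadbalance/management policies: not audited
        elif cur_cm is not None:
            m = VIP_RE.match(line)
            if m:
                classmaps[cur_cm].append((m.group(1), m.group(2)))
        elif cur_pol is not None:
            if line.startswith("class "):
                policies[cur_pol].append((line.split()[1], []))
            elif policies[cur_pol]:
                policies[cur_pol][-1][1].append(line)
    return classmaps, policies


def audit(config):
    """Return a list of human-readable findings; empty means nothing flagged."""
    classmaps, policies = parse(config)
    findings = []
    for pol, entries in policies.items():
        for idx, (cls, actions) in enumerate(entries):
            for vip, matcher in classmaps.get(cls, []):
                where = f"{pol}/{cls}: VIP {vip}"
                if matcher == "any":
                    findings.append(f"{where} is open to every protocol")
                    if idx != len(entries) - 1:
                        findings.append(f"{where} catch-all class is not last")
                    if "inspect ftp" not in actions:
                        findings.append(f"{where} FTP through this catch-all is not inspected;"
                                        " add a tcp eq ftp class with inspect ftp")
                elif matcher.endswith("eq ftp") and "inspect ftp" not in actions:
                    findings.append(f"{where} FTP VIP is not inspected; add inspect ftp")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit(cfg) or ["no findings"])
```

Running it flags the original slb-vip class twice (open to every protocol, and FTP through it uninspected) and reports nothing for Sean's per-protocol version; if the any class-map is added back at the bottom, as Sean allows, only the open-to-every-protocol finding remains, which is the trade-off he describes.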
03-11-2010 07:22 AM
Thanks Sean. You clarified my doubts.