Showing results for 
Search instead for 
Did you mean: 

Hide external IPs for a pool of web servers?

Level 1
Level 1


I want to setup an ace  as a proxy for a pool of web server (tcp 80), Just to forward the URL requests without changing  or filtering them.

The idea is to hide external IP from the web servers, so when I issue:

"netstat -tapn" I should see (for connection to port 80) that only the ACE ( is generating the traffic, not the public ips of our customers (there are thousands !)

The configuration should be like this :

WEB server pool=(>10)------|CISCO ACE|-

Is that really called proxy ?

I have no idea how to do it. Any help is welcome.


9 Replies 9

Level 1
Level 1

Hi, you can use source NAT option to hide to client IP address reaching servers. generally NATing client IP address is used in one arm mode deployment so that all client request will seem to be emerge from ACE IP address, and reply from server will go to ACE. Below is the link for your refernce

Thanks the lik was very helpfull.

I am still looking for a better way to loadbalance the traffic to our web servers.

What I am looking for is a way to setup the ace as a Layer 7 proxy (filtring the url and sending the request to  the appropriate server)

Of course the IP source for the webserver is the VIP of the ACE not the clients' public IP.

If I can do that, the web servers will not have to wait the ack from the client for each http request. in other word the web server answer to the ace and close the query, and it's the ACE that take care of answering to the external clients.

Mu concern is that : with just a nat configuration the web server has to wait the answers (tcp protocol negociation) from the external clients even if it see the VIP IP insteed of the client's external IP

i guess ACE when deployed in layer 7 load balancing mode may help you in achiving your need. In this mode ACE will open two separate sessions front end (with client) and back end (with server). overall ACE will negotiate front end client TCP connection, will wait till client send Layer 7 information (like http get) and based on this information it choose the server. once server is chosen ACE open a seperate TCP session with server in backend. once TCP 3-way handshake finish, ACE will splice both front end and backend (tweaking, acknowledge etc.).


I tried to make a simple connfiguration for our two web servers to have this result:

1) Any traffic to tcp port 80


2) that contains * in the URL (i.e. all the urls)

3) Nat the source IP, so the web servers will see the http requests comming from

not there real IPs

Is this configuration correct ?

rserver host web01

  ip address


rserver host web02

  ip address


serverfarm host My-Web-Servers-pool

  rserver web01 80


  rserver web02 80


class-map match-all class_vip_web

  2 match virtual-address tcp eq www

policy-map type loadbalance first-match policy_vip_web

  class policy_url

    serverfarm My-Web-Servers-pool

class-map type loadbalance http first-match policy_url

2 match http url /*

policy-map multi-match policy_vip_web-multimatch

  class class_vip_web

    loadbalance vip inservice

    loadbalance policy policy_vip_web

    nat dynamic 1 vlan 50

service-policy input policy_vip_web-multimatch

interface vlan 50

  description "Client-Server VLAN"

  ip address

  access-group input everyone

  nat-pool 1 netmask pat

  no shutdown

Thanks in advance.

Configuration look perfect as per your need.


Since I 've never done the nat conf before,I want to be sure before applying tis :-)

is my 3rd note correct? the web servers will se the http requests comming from the ip pool not real IPs

Thanks again.

yes you understanding is correct, servers will only see connections from these IP's only. Also just small missing statement in your config, i.e. service-policy is not applied to interface.


I thought that when I add the line :

service-policy input policy_vip_web-multimatch

I don't need to add the policy in the interface section !


my mistake, i missed that statement from global mode config and was looking in interface.