07-22-2012 04:17 PM
Hi,
I want to set up an ACE as a proxy for a pool of web servers (TCP 80), just to forward the URL requests without changing or filtering them.
The idea is to hide the external IP from the web servers, so when I issue:
"netstat -tapn" I should see (for connections to port 80) that only the ACE (10.0.0.1) is generating the traffic, not the public IPs of our customers (there are thousands!)
The configuration should be like this :
WEB server pool=(10.0.0.2-->10)------10.0.0.1-|CISCO ACE|-100.100.100.100------------INTERNET
Is that really called proxy ?
I have no idea how to do it. Any help is welcome.
Regards
07-22-2012 06:53 PM
Hi, you can use the source NAT option to hide the client IP address reaching the servers. Generally NATing the client IP address is used in a one-arm mode deployment so that all client requests will seem to emerge from the ACE IP address, and replies from the server will go to the ACE. Below is the link for your reference
07-24-2012 06:46 AM
Thanks, the link was very helpful.
I am still looking for a better way to load balance the traffic to our web servers.
What I am looking for is a way to set up the ACE as a Layer 7 proxy (filtering the URL and sending the request to the appropriate server).
Of course the IP source for the web server is the VIP of the ACE, not the clients' public IP.
If I can do that, the web servers will not have to wait for the ACK from the client for each HTTP request. In other words the web server answers to the ACE and closes the query, and it's the ACE that takes care of answering the external clients.
My concern is that with just a NAT configuration the web server has to wait for the answers (TCP protocol negotiation) from the external clients even if it sees the VIP IP instead of the client's external IP.
07-24-2012 05:16 PM
I guess ACE when deployed in Layer 7 load balancing mode may help you in achieving your need. In this mode ACE will open two separate sessions: front end (with the client) and back end (with the server). Overall ACE will negotiate the front end client TCP connection, will wait till the client sends Layer 7 information (like an HTTP GET) and based on this information it chooses the server. Once the server is chosen ACE opens a separate TCP session with the server in the back end. Once the TCP 3-way handshake finishes, ACE will splice both front end and back end (tweaking seq. no, acknowledge etc.).
07-25-2012 11:45 AM
Thanks.
I tried to make a simple configuration for our two web servers to have this result:
1) Any traffic to 100.100.100.101 TCP port 80
+
2) that contains * in the URL (i.e. all the URLs)
3) NAT the source IP, so the web servers will see the HTTP requests coming from 100.100.100.110-100.100.100.115,
not their real IPs
Is this configuration correct ?
rserver host web01
  ip address 10.0.0.1
  inservice
rserver host web02
  ip address 10.0.0.2
  inservice
serverfarm host My-Web-Servers-pool
  rserver web01 80
    inservice
  rserver web02 80
    inservice
class-map match-all class_vip_web
  2 match virtual-address 100.100.100.101 tcp eq www
policy-map type loadbalance first-match policy_vip_web
  class policy_url
    serverfarm My-Web-Servers-pool
class-map type loadbalance http first-match policy_url
  2 match http url /*
policy-map multi-match policy_vip_web-multimatch
  class class_vip_web
    loadbalance vip inservice
    loadbalance policy policy_vip_web
    nat dynamic 1 vlan 50
service-policy input policy_vip_web-multimatch
interface vlan 50
  description "Client-Server VLAN"
  ip address 100.100.100.100 255.255.255.0
  access-group input everyone
  nat-pool 1 100.100.100.110 100.100.100.115 netmask 255.255.255.0 pat
  no shutdown
Thanks in advance.
07-25-2012 07:29 PM
Configuration looks perfect as per your need.
07-26-2012 07:08 AM
Thanks!
Since I've never done the NAT conf before, I want to be sure before applying this :-)
Is my 3rd note correct? The web servers will see the HTTP requests coming from the IP pool 100.100.100.110-100.100.100.115, not the real IPs.
Thanks again.
07-28-2012 04:55 PM
Yes, your understanding is correct, servers will only see connections from these IPs. Also just a small missing statement in your config, i.e. the service-policy is not applied to the interface.
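The check the thread keeps coming back to (the first post's "netstat -tapn" on a web server, and the question just above about whether the servers only see the pool addresses) can be scripted on the server side. This is an added example, not from the thread or from Cisco: it parses netstat output, keeps the TCP peers of local port 80, and reports any that fall outside the ACE nat-pool 100.100.100.110-100.100.100.115 from the posted config. The netstat text is constructed sample data (203.0.113.7 is a made-up client address that reached the server without passing through the ACE).

```python
import ipaddress

# Constructed sample of `netstat -tapn` as it might look on web server 10.0.0.2.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.2:80             100.100.100.110:41022   ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.2:80             100.100.100.113:51910   TIME_WAIT   -
tcp        0      0 10.0.0.2:80             203.0.113.7:60211       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.2:22             192.168.1.5:55000       ESTABLISHED 999/sshd
"""


def nat_pool(first, last):
    """Expand the nat-pool start/end addresses (as given on the ACE) into a set of IPs."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    return {ipaddress.IPv4Address(n) for n in range(start, end + 1)}


def web_peers(netstat_output, local_port=80):
    """Return the set of foreign IPs holding a TCP connection to local_port.

    Listening sockets are skipped; the port is split off with rsplit so that
    IPv6-style "addr:port" columns do not break the parsing.
    """
    peers = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp, unix sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue
        _, lport = local.rsplit(":", 1)
        fhost, _ = foreign.rsplit(":", 1)
        if int(lport) == local_port:
            peers.add(ipaddress.ip_address(fhost))
    return peers


def outside_pool(netstat_output, pool, local_port=80):
    """Peers of local_port that are NOT pool addresses, i.e. traffic that bypassed the ACE."""
    return sorted(ip for ip in web_peers(netstat_output, local_port) if ip not in pool)


if __name__ == "__main__":
    pool = nat_pool("100.100.100.110", "100.100.100.115")
    for ip in outside_pool(SAMPLE_NETSTAT, pool):
        print(f"port-80 connection not sourced from the ACE nat-pool: {ip}")
```

On a real server, feed it the live output (`netstat -tapn` or `ss -tan`, whose columns line up the same way) instead of the sample; any address reported means either the source NAT is not in effect or a client can reach the server without going through the ACE.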
07-29-2012 09:38 AM
Thanks,
I thought that when I add the line:
service-policy input policy_vip_web-multimatch
I don't need to add the policy in the interface section!
Regards.
07-29-2012 07:21 PM
My mistake, I missed that statement from the global mode config and was looking in the interface.