How to configure ACE bypass traffic from Servers to Internet

haducbinh
Level 1

Hi all,

I'm looking for a way to configure the Cisco ACE4710 load balancer to bypass traffic that is initiated from the server side to the Internet.

Is there any way to configure this, so that the load balancer will not maintain sessions for this bypass traffic, to maximize throughput?

Thanks,

9 Replies

rodolphoxt
Level 1

Haducbinh,

If I understand your issue well, the most sensible thing to do in this case is to create a Source NAT on the Cisco ACE 4710 to keep all returned sessions from the Source (Internet or Local Network) to your Destination (VIP) going through the Cisco ACE, and to keep the default gateway of these servers configured directly to your firewall or router with access to the Internet (the point here is not to have the Cisco ACE as the default gateway).

In this way, you will have all incoming traffic from the Client Side destined to your VIP (and after that to your Phy Server) returning to the Cisco ACE (here the Cisco ACE and your Phy Server will be speaking with no routing, on the same subnet). The main goal of this solution is to have all traffic initiated from the "Phy Server" going to the "Internet" passing directly to your router or firewall instead of the Cisco ACE.

This is the simplest and most effective solution, trust me my friend, I've been through many deployments of Cisco ACE with the same problem.

Best Regards.

I am quite new to the Cisco ACE 4710 and am having the same situation with my configuration at this moment.

The current configuration seems to work perfectly fine if the ACE is set as the default gateway for our webservers, but when I change the default gateway on our webservers to another firewall our e-commerce site (behind the ACE) doesn't come up anymore. Am I doing something wrong?

Hi Ali,

Can you send us your config? I'll be happy to assist you.

Many thanks!

Thank you very much for the kind offer,

I really appreciate your help. Here is the current configuration on the Cisco ACE 4710. It does work, but only as long as the ACE is set as the default gateway for the webservers, and as mentioned I am hoping to be able to have a separate default gateway for the webservers and so keep the link to the ACE free for the e-commerce based communication.

Once again thank you. Here is the full config:

----

crypto chaingroup CertChain_DPH
  cert dph-2012-int-a-crt
  cert dph-2012-int-b-crt

access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any

probe http Probe_DPH_HTTP
  interval 10
  passdetect interval 10
  request method get url /ping-ok.html
  expect status 200 200
  open 1

probe http Probe_DPH_TCP
  interval 15
  passdetect interval 60
  open 1

rserver host Web_Server_01
  description Web Server 01
  ip address 192.168.100.101
  inservice

rserver host Web_Server_02
  description Web Server 02
  ip address 192.168.100.102
  inservice

rserver host Web_Server_03
  description Web Server 03
  ip address 192.168.100.103
  inservice

serverfarm host DPH_Web_Servers
  probe Probe_DPH_HTTP
  rserver Web_Server_01 80
    inservice
  rserver Web_Server_02 80
    inservice
  rserver Web_Server_03 80
    inservice

ssl-proxy service SSL_Proxy_DPH
  key dph-2012-key
  cert dph-2012-crt
  chaingroup CertChain_DPH

class-map match-all VIP_Website_DPH_HTTP
  2 match virtual-address 192.168.1.100 tcp eq www

class-map match-all VIP_Website_DPH_HTTPS
  2 match virtual-address 192.168.1.100 tcp eq https

policy-map type loadbalance http first-match LoadBalance_DPH_HTTP
  class class-default
    serverfarm DPH_Web_Servers

policy-map type loadbalance http first-match LoadBalance_DPH_HTTPS
  class class-default
    serverfarm DPH_Web_Servers

policy-map multi-match Public_Policies
  class VIP_Website_DPH_HTTP
    loadbalance vip inservice
    loadbalance policy LoadBalance_DPH_HTTP
  class VIP_Website_DPH_HTTPS
    loadbalance vip inservice
    loadbalance policy LoadBalance_DPH_HTTPS

interface vlan 100
  ip address 192.168.1.2 255.255.255.0
  access-group input INBOUND
  service-policy input Public_Policies
  no shutdown

interface vlan 101
  ip address 192.168.100.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

----

Ali,

The first thing to keep in mind is to deploy a "Source-NAT" (this feature will provide a translation of the Client IP Address accessing the Webserver), necessary for the returned IP traffic from the Webservers back to the ACE.

Maybe an example: a client accessing "VIP_Website_DPH_HTTP" or "VIP_Website_DPH_HTTPS" (for example from source address 172.16.1.1) destined to 192.168.1.100, and the ACE performing a translation of the Source Address to 192.168.100.254 (most commonly this S-NAT address is deployed in the same subnet as the Application Servers).

To accomplish this setting, we need the following:

     ->  int vlan 101
               nat-pool 1 192.168.100.254 192.168.100.254 netmask 255.255.255.255 pat

     ->  policy-map multi-match Public_Policies
             class VIP_Website_DPH_HTTP
                 nat dynamic 1 vlan 101
             class VIP_Website_DPH_HTTPS
                 nat dynamic 1 vlan 101

Note: Ensure that the IP 192.168.100.254 is not used by any device on network 192.168.100.0/24; change it if necessary. After this configuration, you can change the DG of the servers to another address.

Test and give me a feedback.

Best Regards.
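The asymmetric-return problem the replies above describe, modelled as an added Python illustration (not from the thread or from Cisco): it shows why server replies bypass the ACE once the servers' default gateway is a firewall, and why the suggested source NAT on vlan 101 brings them back through the ACE. The firewall address 192.168.100.200 and the Internet host 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's topology (not ACE code): vlan 101 is the
# server subnet, the ACE owns 192.168.100.1 there, and the NAT pool address
# from the suggested "nat-pool 1" is 192.168.100.254.  The firewall address
# used as the servers' alternative default gateway is an assumption.
SERVER_SUBNET = ipaddress.ip_network("192.168.100.0/24")
ACE_SERVER_SIDE = "192.168.100.1"
SNAT_POOL = "192.168.100.254"
FIREWALL = "192.168.100.200"       # assumed separate default gateway
RSERVER = "192.168.100.101"        # Web_Server_01 from the posted config
CLIENT = "172.16.1.1"              # example client used in the reply above
INTERNET_HOST = "203.0.113.10"     # constructed Internet destination


def server_next_hop(dst_ip: str, default_gateway: str) -> str:
    """A real server ARPs directly for on-link destinations; anything else
    is handed to its configured default gateway."""
    if ipaddress.ip_address(dst_ip) in SERVER_SUBNET:
        return "on-link"
    return default_gateway


def ace_forwarded_packet(client_ip: str, snat: bool) -> dict:
    """The ACE always rewrites the VIP to the rserver address; with
    'nat dynamic 1 vlan 101' it also rewrites the client source to the pool."""
    return {"src": SNAT_POOL if snat else client_ip, "dst": RSERVER}


def reply_returns_via_ace(default_gateway: str, snat: bool) -> bool:
    """Does the server's reply to a load-balanced request pass back through
    the ACE, so the ACE can undo its translations and keep the flow state?"""
    fwd = ace_forwarded_packet(CLIENT, snat)
    reply_dst = fwd["src"]                  # server replies to the source it saw
    hop = server_next_hop(reply_dst, default_gateway)
    if hop == "on-link":
        return reply_dst == SNAT_POOL       # ACE answers for the pool address on vlan 101
    return hop == ACE_SERVER_SIDE           # routed replies reach the ACE only if it is the DG


def server_initiated_bypasses_ace(default_gateway: str) -> bool:
    """Traffic the servers start toward the Internet never touches the ACE
    once the default gateway is the firewall (the original poster's goal)."""
    return server_next_hop(INTERNET_HOST, default_gateway) != ACE_SERVER_SIDE


if __name__ == "__main__":
    for dg, snat in [(ACE_SERVER_SIDE, False), (FIREWALL, False), (FIREWALL, True)]:
        print(f"DG={dg:<15} SNAT={snat!s:<5} reply via ACE: {reply_returns_via_ace(dg, snat)}")
    print("server-initiated traffic bypasses ACE with firewall DG:",
          server_initiated_bypasses_ace(FIREWALL))
```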

That worked beautifully, just added the lines as suggested above, and life is good again!

Thank you very much for that, great to talk to a professional...

Best regards.

Using this method all client requests arrive at the webservers as the NAT address 192.168.100.254 allocated on vlan 101; is there any way for the real servers to be passed the client IP addresses?

ajayku2
Cisco Employee

Hi,

Please refer to the following link:

https://supportforums.cisco.com/thread/132052

You just need server nat and that will help you to fix the issue.

regards,

Ajay Kumar

Thank you Ajay,

I very much appreciate your response.
