10-24-2013 05:16 AM
We want to use the ACE in a redundant two-armed configuration, but we don't want to use SNAT as the application needs to know the original source IP addresses. Is this possible? And if so, please include a sample configuration.
Thank You
10-24-2013 07:13 AM
Hi,
ACE doesn't source NAT the traffic unless it is configured to. So by default your client IP is preserved and sent to the server.
If you have ACE configured to source NAT then you can also x-forwarded-for to insert the client IP.
Let me know if you have any questions.
Regards,
Kanwal
10-24-2013 07:33 AM
Hi Kanwal
Thanks for your prompt reply, I shall confirm in a few months when they are in the network.
Can you provide some URLs for configuring SNAT and x-forwarded-for?
Cheers
10-24-2013 07:45 AM
Hi Darius,
Here's an example:
login timeout 0

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 any

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1
The above example is for configuring SNAT and below example is SNAT with x-forwarded-for.
If you don't want SNAT, then don't use the BOLD lines in above configuration.
login timeout 0

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 any

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http X-Forwarded-For header-value "%is"   ---> Use this config statement when you have SNAT and you want to see the client IP.

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1
Hope this helps.
Let me know if you have any questions.
Regards,
Kanwal
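Added example (not part of Kanwal's answer or any Cisco material): once the ACE SNATs clients and inserts X-Forwarded-For with "%is", the application still has to decide when that header can be believed. Anyone who can reach a real server directly, bypassing the VIP, can send their own X-Forwarded-For, so the server should only honour the header when the TCP peer is one of the ACE's NAT pool addresses (192.168.1.100 to 192.168.1.110 in the configuration above), and should take the proxy-added value rather than the first one. The pool addresses are taken from the thread's nat-pool line; the sample requests, the helper names and the assumption that the ACE-inserted value ends up as the rightmost entry are mine, so check that last point against your own ACE and web server before relying on it.

```python
"""Resolve the real client address behind a Cisco ACE that source-NATs traffic.

Added example, not code from the thread. Assumptions, matching the configuration in
the answer above: the ACE SNATs clients to pool 192.168.1.100-192.168.1.110 and inserts
X-Forwarded-For with %is (the client source IP). Everything else is constructed.
"""
import ipaddress
from typing import Mapping, Optional

# Constructed from the thread's "nat-pool 1 192.168.1.100 192.168.1.110" line: these
# are the only addresses a server behind the ACE should trust as proxies.
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(f"192.168.1.{host}") for host in range(100, 111)
)

XFF = "x-forwarded-for"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address the application should log or authorize on.

    remote_addr is the TCP peer as the server socket sees it (the SNAT address when the
    request came through the ACE). X-Forwarded-For is honoured only when that peer is
    one of the ACE's NAT pool addresses; anyone who reaches the server directly can send
    an arbitrary X-Forwarded-For, so for other peers the header is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)

    xff = _header(headers, XFF)
    if not xff:
        # Came through the ACE but no header: insert-http is not configured on this
        # policy, so the SNAT address is the best information available.
        return str(peer)

    # Assumption: the value the ACE inserted is the rightmost one. A client can send
    # its own X-Forwarded-For, and that client-controlled value sits to the left of the
    # proxy-added one, so the first entry is never taken.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed value: fall back to the proxy address rather than logging garbage.
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer address, request headers).
    samples = [
        ("192.168.1.105", {"X-Forwarded-For": "203.0.113.7"}),               # via ACE
        ("192.168.1.100", {"x-forwarded-for": "198.51.100.5, 203.0.113.7"}),  # client sent its own XFF
        ("10.0.0.9", {"X-Forwarded-For": "203.0.113.7"}),                    # bypassed the ACE
        ("192.168.1.101", {}),                                               # SNAT, no insert-http
    ]
    for peer, hdrs in samples:
        print(f"{peer:15} {hdrs} -> {client_ip(peer, hdrs)}")
```

The same check belongs in whatever writes access logs or does IP-based authorization; without it, the X-Forwarded-For value is just a string the client chose.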