12-05-2013 07:01 AM
I'm using an ACE 4710 Appliance deployed in One-Armed mode, using Source NAT to load-balance HTTP requests to a couple of proxy servers.
Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxies' logs, so I can't keep track of them.
The interface and NAT configs are:
interface vlan 200
  description Server-Side-VLAN
  bridge-group 5
  nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
  service-policy input VIPS
interface vlan 300
  description Client-Side-VLAN
  bridge-group 5
interface bvi 5
  ip address 10.1.1.3 255.255.248.0
  description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
And the policy map looks like this:
policy-map multi-match VIPS
  class Port80
    loadbalance vip inservice
    loadbalance policy Port80
    nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
  timeout 5
  serverfarm Service80
Any suggestions will be appreciated,
Thanks
12-05-2013 07:15 AM
Hi,
You can use X-Forwarded-For to insert the client IP address in the HTTP header. Have a look at the link below:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml
Let me know if you have any questions.
Regards,
Kanwal
Sent from Cisco Technical Support iPhone App
12-05-2013 07:24 AM
Hi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again.
12-05-2013 08:33 AM
Hi Josh,
I don't know what to do on the servers, but that's the way you can make ACE insert the source IP and even additional information like port etc. in the HTTP header, and it works. You can check with the server team what exactly they are looking for, and we can see if we can do that.
You can also share the configuration you tried that didn't work.
Did you check in pcaps if ACE did insert X-forwarded-for or not?
Regards,
Kanwal
01-17-2014 07:15 AM
Hi Kanwal, sorry for the late answer!
I had a typo in the policy that inserts the x-forwarded-for field at the ACE.
In Squid we set the logs to show the xforward field and remove it, to avoid having our private IP addresses in the header of the packets heading to the Internet.
Thanks for your answer and sorry again for the delay!
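The Squid side described in the last post, as an added example that is not configuration posted by anyone in this thread: a squid.conf fragment that logs the X-Forwarded-For value, trusts it only from the load balancer, and strips it before requests leave for the Internet. It assumes the proxies see ACE connections coming from the NAT pool address 10.1.1.5 shown in the first post; the ACL name, the logformat name and the log path are made up for illustration, and follow_x_forwarded_for is only available if Squid was built with support for it.

```conf
# Added example: names "ace_snat" and "xff" and the log path are assumptions.

# Accept X-Forwarded-For only when the TCP peer is the ACE source-NAT address.
# Any other sender could put an arbitrary address in the header, so its
# value must not be treated as the client address.
acl ace_snat src 10.1.1.5/32
follow_x_forwarded_for allow ace_snat
follow_x_forwarded_for deny all

# Use the address recovered from the trusted header for logging and for
# src-based ACLs, instead of the NAT address that every request shares.
log_uses_indirect_client on
acl_uses_indirect_client on

# Standard native log fields with the raw request header added in quotes,
# so the logged client field can be compared with what was received.
logformat xff %ts.%03tu %6tr %>a "%{X-Forwarded-For}>h" %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log xff

# Remove the header from outgoing requests so internal client addresses
# are not disclosed to origin servers.
forwarded_for delete
```

After a reload, requests arriving through the ACE should show the original client address in the quoted field instead of 10.1.1.5 on every line.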