06-08-2010 01:48 PM
Hi,
Is it possible, using "http header rewrite" ACE feature to replace the S-NAT ip address by the real ip source address in a http request.
Thanks
06-08-2010 09:01 PM
Hi Selim,
You can't rewrite the IP address of S-NAT because NAT would become useless and it wouldn't make much sense to have it in place... Typically you configure S-NAT in a one-arm mode configuration, or also when the backend servers point their default gateway to a different L3 device that does not necessarily need to go through the ACE to send the response to the client; in a nutshell, it avoids asymmetrical routing on the LB setup.
What you can do to preserve the real client IP address is have the ACE insert a new HTTP header, usually called X-Forwarded-For. This is how the configuration should look:
policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm web
    insert-http X-Forwarded-For header-value "%is"
Once you have configured this, the S-NAT IP address is still logged on the server, but you also receive this new header with the original client IP address.
In my experience there are not many problems enabling this logging on HTTP servers (Apache), as you can enable it with a simple drop-down, but IIS needs to be configured with an ISAPI filter that you can find here
I hope this helps.
__ __
Pablo
Cisco TAC
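As an added example (not part of Pablo's reply or of any Cisco code), this is the server-side counterpart of the configuration above: the backend should only believe X-Forwarded-For when the TCP peer really is the ACE S-NAT address, otherwise any client can forge the header. The S-NAT address 10.0.0.10 and the sample client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample: the ACE S-NAT address that backend servers see as
# the TCP peer for load-balanced connections (hypothetical value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client IP a backend server should log.

    remote_addr is the TCP peer address (the S-NAT address when the request
    came through the ACE). xff_header is the raw X-Forwarded-For value or
    None. The header is honoured only if the peer is a trusted proxy; the
    hops are then walked right to left and the first address that is not a
    trusted proxy is returned, so a header supplied by the client itself
    (left of the address the ACE appended with "%is") cannot spoof the result.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        # Direct connection that bypassed the ACE: ignore any XFF header.
        return str(peer)
    if not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: do not guess, fall back to the peer address.
            return str(peer)
        if not _is_trusted(addr, trusted):
            return str(addr)
    # Every hop was a trusted proxy; nothing better than the peer is known.
    return str(peer)
```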