HTTP header rewrite (IP source address)

ssarsar08
Level 1

Hi,

Is it possible, using the "http header rewrite" ACE feature, to replace the S-NAT IP address with the real source IP address in an HTTP request?

Thanks

Accepted Solutions

Pablo
Cisco Employee

Hi Selim,

You can't rewrite the IP address of S-NAT because NAT would become useless and it wouldn't make much sense to have it in place... Typically you configure S-NAT in a one-arm mode configuration, or also when the backend servers point their default gateway to a different L3 device that does not necessarily need to go through the ACE to send the response to the client; in a nutshell, it avoids asymmetrical routing on the LB setup.

What you can do to preserve the real client IP address is have the ACE insert a new HTTP header, usually called X-Forwarded-For. This is how the configuration should look:

policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm web
    insert-http X-Forwarded-For header-value "%is"

Once you have configured this, the S-NAT IP address is still logged on the server, but you also receive this new header with the original client IP address.

In my experience there are not many problems enabling this logging on HTTP servers (Apache), as you can enable it with a simple drop-down, but IIS needs to be configured with an ISAPI filter that you can find here:

http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx

I hope this helps.


Pablo

Cisco TAC
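The answer above says what the ACE adds; what it leaves to the backend is deciding which X-Forwarded-For value to believe. The ACE's insert-http appends its own header carrying "%is", so a client that already sent an X-Forwarded-For of its own produces two headers at the server, and only the one the ACE appended is trustworthy. The following is an added example, not code from the thread or from Cisco, showing how a backend can pick out the real client address: it trusts X-Forwarded-For only when the TCP peer is the ACE's S-NAT address, and then takes the right-most hop that is not itself a trusted proxy. The S-NAT address 10.0.0.5, the sample request and the client addresses are constructed for the example.

```python
"""Added example (not part of the original thread): recover the real client
address behind a Cisco ACE that inserts X-Forwarded-For with "%is".

Assumption (constructed for this example): the ACE's S-NAT address as seen
by the backend is 10.0.0.5, and it is the only peer allowed to vouch for
X-Forwarded-For.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed value: the ACE's S-NAT address. Anything not in this list is
# treated as an ordinary client whose X-Forwarded-For header is just input.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr is one of our own load balancers / proxies."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def xff_values(raw_request: str) -> list[str]:
    """Collect every X-Forwarded-For header value from a raw HTTP request head,
    case-insensitively and in the order received (the ACE's header comes last)."""
    values = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            values.append(value.strip())
    return values


def real_client_ip(remote_addr: str, xff_headers: list[str]) -> str:
    """Return the address the backend should log and act on.

    remote_addr  -- the TCP peer (the S-NAT address when the request came via the ACE)
    xff_headers  -- every X-Forwarded-For value in the order received
    """
    # Not connected through the ACE: the peer address is the only thing we know
    # to be true, and any X-Forwarded-For it sent is untrusted.
    if not _is_trusted(remote_addr):
        return remote_addr

    # Flatten "a, b" lists across all header instances, preserving order.
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]

    # The right-most hop was appended by the last proxy (the ACE). Skip any of
    # our own proxies chained in the path and stop at the first foreign hop.
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ip_address(hop))
        except ValueError:
            break  # malformed value: fall back to the peer address
    return remote_addr


# Constructed request as the backend would see it: the client sent a bogus
# X-Forwarded-For claiming to be the ACE itself, and the ACE appended a second
# header with the address it actually saw (%is).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Via the ACE: the spoofed first header is ignored, the ACE's value wins.
    print(real_client_ip("10.0.0.5", xff_values(SAMPLE_REQUEST)))   # 203.0.113.9
    # Direct connection from an untrusted peer: its header is not believed.
    print(real_client_ip("198.51.100.7", ["203.0.113.9"]))           # 198.51.100.7
```

On the server side this is the value to write into the access log next to the S-NAT peer address, rather than replacing it: keeping both lets you correlate a log line back to the ACE session during an investigation.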
