03-11-2013 06:51 AM
Hi,
We have a VIP for an FTP service where we do not wish to lose the client (source) IP for auditing purposes. So we don't source NAT, and we force the return traffic back to the ACE with PBR. However, the return flow still bypasses the ACE VIP and goes straight back to the client (diagram below). Is anyone aware of a technique where I can force the ACE to connect the return traffic to the incoming flow?
03-11-2013 02:57 PM
Hi Mark,
is this for passive or active FTP?
Please share your current configuration
---------------------
Cesar R
ANS Team
03-12-2013 02:33 AM
Hi Cesar,
It's passive mode. So the client makes an initial connection on port 21, the result of which is the 'sh conn' output in the diagram. We don't get any further than the initial attempted TCP SYN on port 21. So the ACE forwards the client TCP SYN to one of the FTP servers, the server reply to the client IP gets PBR'd towards the ACE via a handoff and the ACE is then forwarding directly to the client without linking to the original connection, understandably maybe!
We do have this setup working but in that case, we don't use handoff networks to connect the ACE to the network; the VIP and 'SNAT' networks are directly connected to the L3 network.
Thanks for your help
Mark
03-12-2013 05:00 AM
Hi Mark,
Check and compare the config with the example config.
http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
Avoid the NAT part of the config. Also make sure you are using something like the below (which is in the above doc):
ACE-1/onearm(config)# policy-map multi-match client-vips
ACE-1/onearm(config-pmap)# class slb-vip
ACE-1/onearm(config-pmap-c)# loadbalance vip inservice
ACE-1/onearm(config-pmap-c)# loadbalance policy slb
ACE-1/onearm(config-pmap-c)# inspect ftp    <<<<<<< This will make the difference
Hope that helps.
regards,
Ajay Kumar
03-12-2013 05:48 AM
Hi Ajay,
We are using inspect on both the FW and the ACE. As you imply, this is needed for the PASV port negotiation to work via these devices.
Obviously, we are in routed, two-armed mode, so slightly different from the scenario on docwiki.cisco.com. Although, maybe the PBR could be modified to push the traffic down the top/VIP handoff and see if the ACE will join the flows up. Worth a try.
Thanks
Mark
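The two posts above turn on what happens to the PASV reply on the control channel: the server advertises an address and port for the data connection, and unless the ACE rewrites that address to the VIP ("inspect ftp"), the client's data connection goes to whatever the server said and never touches the load balancer. The following is an added example, not code from the thread or from Cisco's ACE, that parses a 227 reply, rewrites the advertised address from the back-end server's real IP to the VIP the way an FTP ALG does, and describes the data-channel flow the load balancer should then expect. The function names (parse_pasv, rewrite_pasv, data_channel_pinhole) and all IP addresses are assumptions and constructed sample values.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The capture group holds the six comma-separated numbers in the parentheses.
PASV_RE = re.compile(r"^227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if the line is
    not a well-formed PASV reply (wrong code, missing tuple, octet > 255)."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def rewrite_pasv(reply, real_ip, vip):
    """Rewrite the address in a 227 reply from the server's real IP to the
    VIP, as an FTP ALG on the load balancer does, so the client's data
    connection is sent to the VIP and can be tied to the control session.
    A reply that advertises some other address is returned untouched."""
    m = PASV_RE.match(reply)
    parsed = parse_pasv(reply)
    if m is None or parsed is None or parsed[0] != real_ip:
        return reply
    port = parsed[1]
    new_fields = vip.split(".") + [str(port // 256), str(port % 256)]
    # Splice the new tuple in place, keeping the rest of the line (and CRLF).
    return reply[:m.start(1)] + ",".join(new_fields) + reply[m.end(1):]


def data_channel_pinhole(client_ip, reply, real_ip, vip):
    """Describe the data connection the load balancer should expect after the
    rewrite: client -> VIP:port on the front side, translated to the real
    server IP on the back side. Returns None when the server advertised an
    address other than its own; an ALG should not open a pinhole for that."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != real_ip:
        return None
    port = parsed[1]
    return {
        "client": client_ip,
        "front": (vip, port),
        "back": (real_ip, port),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    reply = "227 Entering Passive Mode (10,1,1,5,195,80)\r\n"
    print(parse_pasv(reply))
    print(rewrite_pasv(reply, "10.1.1.5", "192.0.2.10"))
    print(data_channel_pinhole("203.0.113.7", reply, "10.1.1.5", "192.0.2.10"))
```

Running the block shows the reply advertising 10.1.1.5:50000 being rewritten to the VIP with the same port, which is exactly the step that lets the device match the later data connection back to the control connection. Without that rewrite the client connects to the real server address directly, which is the bypass Mark describes.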
03-12-2013 06:28 PM
Hi Mark,
Please send me the rest of the configuration to review it.
---------------------
Cesar R
ANS Team
03-20-2013 06:59 AM
Don't need to use PBR; with SNAT also you can achieve this.
Use the below-mentioned command under the service policy, below the serverfarm you have configured.
insert-http X-Forwarded-For header-value "%is"
policy-map type loadbalance first-match
  class
    serverfarm
    insert-http X-Forwarded-For header-value "%is"
Using this command you will be able to track the real IP address of the requestor on the FTP server.