Web Server load balancing and ASA

Zayar Win
Level 1

Dear All,

In this case, I will load balance the two web servers. How should I do it?

My requirement is that I need to load balance to two web servers from the load balancer. I think the ASA should not do NAT in this case. The ASA only needs to pass traffic transparently. What do you think?

Thanks 

10 Replies

Hello,

As I see in your topology, your load balancer is translating your public IP addresses to private IP addresses on your web servers. In this case, the ASA only needs to allow HTTP traffic from the external security zone to the DMZ (from any to your web servers). It does not need to translate (NAT) one more time.

Hope it helps,

Masoud

Hi Masoud,

Yes, I am the same as you. In this case, the two web servers are not directly connected to the load balancer. There are two networks behind the load balancer. So, which address should be assigned on the load balancer? The DMZ network is 172.16.x.x and between the ASA and the F5 is 192.168.x.x. Therefore I am still confused.

Thanks

zayar

Hello,

1- You need to assign the server IP addresses on your load balancer.

Something like this:

Server farm = 172.16.10.30 and 172.16.10.31

Public IP >>> server farm

2- You also need to configure a route toward the ASA on your load balancer if you have not done so before.

I am not familiar with your load balancer, so I am using Cisco commands instead.

On your load balancer:

ip route 172.16.10.30 255.255.255.255 192.168.100.1

ip route 172.16.10.31 255.255.255.255 192.168.100.1

3- Permit HTTP traffic from any to 172.16.10.30 and 172.16.10.31 on the ASA.

Hope it helps,

Masoud

Hi,

My network is a little bit complicated, so I will make static NAT on the ASA:

192.168.100.21 => 172.16.10.31 (web server real ip)

192.168.100.22 => 172.16.10.31 (web server real ip)

Please let me have the commands for the ASA to make the static NAT and to open port 80 to the DMZ from outside.

Thanks

What is your ASA OS version?

What are the names of your ASA interfaces? Inside, outside and DMZ?

ASA 5510, OS 8.4

ASA interfaces: inside, outside and DMZ, yes that's right.

Your original post was

192.168.100.21 => 172.16.10.31 (web server real ip)

192.168.100.22 => 172.16.10.31 (web server real ip)

I changed the real server IP in my configuration.

Add this configuration and check to see if you get an error. I will give you the access-list in the following post.

object network STATIC_NAT_SERVER1
 host 172.16.10.30
 nat (DMZ,outside) static 192.168.100.21

object network STATIC_NAT_SERVER2
 host 172.16.10.31
 nat (DMZ,outside) static 192.168.100.22
Thank you, and give me the next access-list command to open some specific ports (outside to DMZ web server), especially port 80 in this case.

Check my previous comment for NAT. This one is for the access-list.

access-list web-servers extended permit tcp any host 172.16.10.31 eq www
access-list web-servers extended permit tcp any host 172.16.10.30 eq www
access-group web-servers in interface outside

Hope it helps,

Masoud
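The NAT objects and access-list above fit together only if the ACL names the real (untranslated) server addresses, which is how ASA 8.3 and later evaluate interface ACLs. Below is an added sanity-check script (my own example, not from this thread or from Cisco) that parses a configuration fragment like the one posted, flags any ACE whose destination is a mapped address, and flags a real host that appears in more than one static NAT object, the kind of slip seen earlier in this thread. The sample config is constructed from the posted lines plus one extra ACE that deliberately uses a mapped address; the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample: the NAT objects and ACL posted in this thread, plus one
# extra ACE (hypothetical) that wrongly references a mapped address.
SAMPLE_CONFIG = """
object network STATIC_NAT_SERVER1
 host 172.16.10.30
 nat (DMZ,outside) static 192.168.100.21
object network STATIC_NAT_SERVER2
 host 172.16.10.31
 nat (DMZ,outside) static 192.168.100.22
access-list web-servers extended permit tcp any host 172.16.10.31 eq www
access-list web-servers extended permit tcp any host 172.16.10.30 eq www
access-list web-servers extended permit tcp any host 192.168.100.21 eq www
access-group web-servers in interface outside
"""

def parse_static_nat(config: str) -> List[Tuple[str, str]]:
    """Return (real_ip, mapped_ip) for each object network with a static NAT."""
    pairs, real = [], None
    for line in config.splitlines():
        host = re.match(r"^\s*host\s+(\S+)", line)
        if host:
            real = host.group(1)
            continue
        nat = re.match(r"^\s*nat\s+\([^)]*\)\s+static\s+(\S+)", line)
        if nat and real:
            pairs.append((real, nat.group(1)))
            real = None
    return pairs

def parse_acl_destinations(config: str, acl: str) -> List[str]:
    """Destination 'host' addresses of the ACEs in the named extended ACL."""
    pat = re.compile(rf"^access-list\s+{re.escape(acl)}\s+extended\s+permit\s+\S+\s+"
                     r"(?:any|host\s+\S+|\S+\s+\S+)\s+host\s+(\S+)")
    return [m.group(1) for m in map(pat.match, config.splitlines()) if m]

def audit(config: str, acl: str) -> List[str]:
    """Flag ACEs that use a mapped IP (post-8.3 ACLs must use real IPs) and
    real hosts that are translated by more than one static NAT object."""
    pairs = parse_static_nat(config)
    mapped_to_real = {mapped: real for real, mapped in pairs}
    findings = []
    for dst in parse_acl_destinations(config, acl):
        if dst in mapped_to_real:
            findings.append(f"ACE to {dst} uses mapped IP; use real IP {mapped_to_real[dst]}")
    reals = [real for real, _ in pairs]
    for real in sorted({r for r in reals if reals.count(r) > 1}):
        findings.append(f"real host {real} is translated by more than one static NAT object")
    return findings
```

Running `audit(SAMPLE_CONFIG, "web-servers")` reports only the extra ACE that points at 192.168.100.21; the two ACEs Masoud posted pass because they name the real DMZ addresses.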