Re: OT:ACE 4710 SLB

From: eseosa <eseosa.ehiwe_at_gmail.com>
Date: Wed, 20 Jul 2011 13:31:20 +0100

Thanks Farhan,
ACE is inline, so I expect default destination NAT to kick in.
SLB is only done for port 25.
When I ping 4.2.2.2 sourced from the outside interface it works fine.
When I source ping to 4.2.2.2 servers default gateway it doesn't work,
I have checked routing in my infrastructure and the server subnet is
fully routable.
ACE Version: A4(2.0)

Rgds,

On 7/20/11, Farhan Anwar <farhan.anwar_at_gmail.com> wrote:
> Hi,
> You may need to configure SNAT on the ACE because if it's not there and the
> ACE is not inline (default gw for servers) then the servers will reply to
> users directly using their configured default gw and since the firewall
> accepted the initial session over the VIP and there will be no established
> session for the server IP in its session state table, the firewall will drop
> it.
>
> When you configure source NATting the request will be sourced by ACE and the
> servers will reply back to ACE for the application traffic, and ACE will
> reply back to users.
>
> regards,
> Farhan.
>
> On Wed, Jul 20, 2011 at 2:12 PM, eseosa <eseosa.ehiwe_at_gmail.com> wrote:
>
>> Hello Gs,
>>
>> I have set up ACE to do SLB for my servers on port 25. I have
>> allowed (ip any any from inside and outside interfaces using access
>> control lists, it's that bad :-) ) but I can't reach the subnet where
>> my servers are connected from the internet, but I can reach the VIP of
>> the ACE from outside.
>>
>> I have checked routing within my infrastructure and everything looks fine.
>>
>> Is there something I am missing with ACE configuration?
>>
>> Thanks
>> --
>> Warm Regards,
>>
>> Eseosa
>> CCIE #23782
>> You can learn anything just develop the right quantity of interest.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>
> --
> *Farhan Anwar*
> *Infrastructure Solutions Architect*
> *CCIE#19871*
> www.farhananwar.com
>

-- 
Warm Regards,
Eseosa
CCIE #23782
You can learn anything just develop the right quantity of interest.
Blogs and organic groups at http://www.ccie.net
Received on Wed Jul 20 2011 - 13:31:20 ART
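
The return-path behaviour Farhan describes in the quoted reply, as an added example that is not part of the original thread: a toy Python model of the firewall's session table with and without SNAT on the ACE. The addresses are constructed sample values and the names `StatefulFirewall` and `smtp_reply_verdict` are hypothetical.

```python
# Added illustration, not from the thread. All addresses are constructed
# sample values; class and function names are hypothetical.
CLIENT, VIP = "198.51.100.10", "203.0.113.25"
REAL_SERVER, ACE_SNAT_IP = "10.1.1.11", "10.1.1.250"
PORT = 25  # SLB is only done for port 25 in the thread


class StatefulFirewall:
    """Tracks sessions as (client ip, server-side ip, server port)."""

    def __init__(self):
        self.sessions = set()

    def outside_to_inside(self, src, dst, dport):
        # The initial connection to the VIP is permitted and recorded.
        self.sessions.add((src, dst, dport))

    def inside_to_outside(self, src, sport, dst):
        # A reply is forwarded only if it matches an established session.
        return (dst, src, sport) in self.sessions


def smtp_reply_verdict(snat_enabled, ace_inline):
    fw = StatefulFirewall()
    fw.outside_to_inside(CLIENT, VIP, PORT)  # client -> VIP through the firewall

    # ACE load-balances (destination NAT VIP -> real server); with SNAT it
    # also rewrites the source, so the server sees the ACE as its peer.
    src_seen_by_server = ACE_SNAT_IP if snat_enabled else CLIENT
    reply_dst = src_seen_by_server
    returns_via_ace = ace_inline or reply_dst == ACE_SNAT_IP

    if returns_via_ace:
        # ACE reverses its NAT: the reply leaves as VIP -> client.
        reply_src, reply_dst = VIP, CLIENT
    else:
        # Server replies via its own default gateway with its real IP.
        reply_src = REAL_SERVER

    ok = fw.inside_to_outside(reply_src, PORT, reply_dst)
    return "forwarded" if ok else "dropped"


if __name__ == "__main__":
    for snat, inline in [(False, False), (True, False), (False, True)]:
        print(f"snat={snat} inline={inline}: {smtp_reply_verdict(snat, inline)}")
```
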
