sanitize the relevant config and dump it to the thread.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/20/2011 07:31 AM, eseosa wrote:
> Thanks Farhan,
> ACE is inline, so I expect default destination NAT to kick in.
> SLB is only done for port 25.
> When I ping 4.2.2.2 source from outside interface it works fine.
> When I source ping to 4.2.2.2 servers default gateway it doesn't work,
> I have checked routing in my infrastructure and the server subnet is
> fully routable.
> ACE Version : A4(2.0)
>
> Rgds,
> On 7/20/11, Farhan Anwar<farhan.anwar_at_gmail.com> wrote:
>
>> Hi,
>> You may need to configure SNAT on the ACE because if it's not there and the
>> ACE is not inline (default gw for servers) then the servers will reply to
>> users directly using their configured default gw and since the firewall
>> accepted the initial session over the VIP and there will be no established
>> session for the server IP in its session state table, the firewall will drop
>> it.
>>
>> When you configure source natting the request will be sourced by ACE and the
>> servers will reply back to ACE for the application traffic, and ACE will
>> reply back to users.
>>
>> regards,
>> Farhan.
>>
>> On Wed, Jul 20, 2011 at 2:12 PM, eseosa<eseosa.ehiwe_at_gmail.com> wrote:
>>
>>
>>> Hello Gs,
>>>
>>> I have set up ACE to do SLB for my servers on port 25. I have
>>> allowed (ip any any from inside and outside interfaces using access
>>> control lists, it's that bad :-) ) but I can't reach the subnet where
>>> my servers are connected from the internet but I can reach the VIP of
>>> the ACE from outside.
>>>
>>> I have checked routing within my infrastructure and everything looks fine.
>>>
>>> Is there something I am missing with ACE configuration?
>>>
>>> Thanks
>>> --
>>> Warm Regards,
>>>
>>> Eseosa
>>> CCIE #23782
>>> You can learn anything just develop the right quantity of interest.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> *--
>> Farhan Anwar*
>> *Infrastructure Solutions Architect*
>> *CCIE#19871*
>> www.farhananwar.com
Received on Wed Jul 20 2011 - 09:47:31 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART