September 8, 2017 at 6:01 am #12722
I have an ACL allowing access to the SLB only from specific hosts; however, I see that other IPs can also access the SLB. Can you please check and let me know if there is anything else required from a config perspective for locking down the access?
access-list 10 permit host 188.8.131.52
access-list 10 permit host 184.108.40.206
access-list 10 deny any
slb virtual-server PROD_VIP 172.16.16.16/32
port 7777 tcp
access-list 10 source-nat-pool PROD_VIP_220.127.116.11
source-nat pool PROD_VIP_18.104.22.168
service-group HTTP
September 8, 2017 at 6:24 am #12732
The way you have set it up now links the ACL to a source-nat-pool.
In other words, you are telling the system to do NAT for the addresses specified.
That does not influence if packets are allowed or not.
Just set it up like this to block/allow traffic:
All the allowed traffic would still use the NAT pool.
slb virtual-server PROD_VIP 172.16.16.16/32
port 7777 tcp
name PROD_VIP_7777
access-list 10
source-nat pool PROD_VIP_22.214.171.124
service-group HTTP
September 8, 2017 at 6:34 am #12742
In the logs I see that the communication to the server IP (not the SLB IP) is getting denied using the same ACL ID; however, the user says that he can retrieve the complete data without any issue.
So the initial configuration I pasted can cause these kinds of issues?
September 8, 2017 at 6:46 am #12752
So, something like the below should also resolve this issue?
access-list 10 source-nat-pool PROD_VIP_126.96.36.199 sequence-number 1
access-list 10 source-nat-pool PROD_VIP_188.8.131.52 sequence-number 2
September 8, 2017 at 6:50 am #12762
No, why are you linking the source-nat-pool? You do not need to add “source-nat-pool PROD_VIP_184.108.40.206 sequence-number 1”; just omit that.
When you link ACL to a nat pool, all you do is policy based NAT.
As can be found in the CLI SLB manual:
The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server “slb1”:
ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255
ACOS(config)# slb virtual-server vslb1
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# access-list 99
The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port.
ACOS(config)# access-list 30 allow 192.168.1.0 0.0.0.255
ACOS(config)# access-list 50 allow 192.168.2.0 0.0.0.255
ACOS(config)# slb virtual-server vs1 10.10.10.100
ACOS(config-slb virtual server)# port 80 tcp
ACOS(config-slb vserver-vport)# access-list 30 source-nat-pool pool1
ACOS(config-slb vserver-vport)# access-list 50 source-nat-pool pool2
Policy-based source NAT does NOT deny/allow traffic, it only tells the system what NAT pool to use.
- This reply was modified 9 months, 2 weeks ago by diederik.