SLB Acl issues

This topic contains 4 replies, has 2 voices, and was last updated by diederik 2 weeks ago.

#12722 ar.65535 (Member)

    I have an ACL allowing access to the SLB only from specific hosts; however, I see that other IPs can also access the SLB. Can you please check and let me know if anything else is required from a config perspective for locking down the access?

    access-list 10 permit host 1.1.1.1
    access-list 10 permit host 2.2.2.2
    access-list 10 deny any

    slb virtual-server PROD_VIP 172.16.16.16/32
    port 7777 tcp
    name PROD_VIP_7777
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0
    source-nat pool PROD_VIP_26.26.26.0
    service-group HTTP

#12732 diederik (Member)

    The way you have set it up now links the ACL to a source-nat-pool.

    In other words, you are telling the system to do NAT for the addresses specified.
    That does not influence if packets are allowed or not.

    Just set it up like this to block/allow traffic;
    all the allowed traffic would still use the NAT pool.

    
    slb virtual-server PROD_VIP 172.16.16.16/32
    port 7777 tcp
    name PROD_VIP_7777
    access-list 10
    source-nat pool PROD_VIP_26.26.26.0
    service-group HTTP
    
#12742 ar.65535 (Member)

    In the logs I see that the communication to the server IP (not the SLB IP) is getting denied using the same ACL ID; however, the user says that he can retrieve complete data without any issue.
    So the initial configuration I pasted can cause these kinds of issues?

#12752 ar.65535 (Member)

    So, something like the below should also resolve this issue?
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0 sequence-number 1
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0 sequence-number 2

#12762 diederik (Member)

    No, why are you linking the source-nat-pool? You do not need to add “source-nat-pool PROD_VIP_26.26.26.0 sequence-number 1”; just omit that.

    When you link ACL to a nat pool, all you do is policy based NAT.

    As can be found in the CLI SLB manual:

    The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server “slb1”:

    ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255
    ACOS(config)# slb virtual-server vslb1
    ACOS(config-slb vserver)# port 8080 http
    ACOS(config-slb vserver-vport)# access-list 99

    The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port.
    ACOS(config)# access-list 30 allow 192.168.1.0 0.0.0.255
    ACOS(config)# access-list 50 allow 192.168.2.0 0.0.0.255
    ACOS(config)# slb virtual-server vs1 10.10.10.100
    ACOS(config-slb virtual server)# port 80 tcp
    ACOS(config-slb vserver-vport)# access-list 30 source-nat-pool pool1
    ACOS(config-slb vserver-vport)# access-list 50 source-nat-pool pool2

    Policy-based source NAT does NOT deny/allow traffic, it only tells the system what NAT pool to use.

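To make the distinction concrete, here is an added example in Python (not from the thread and not A10's own tooling): a small evaluator that reads the standard ACL lines and the virtual-port bindings from the posts above and reports, for a client source address, whether the port filter admits it and which NAT pool it would use. It assumes an implicit deny at the end of an ACL and that a matched policy pool takes precedence over the port's default source-nat pool.

```python
import ipaddress

def parse_acl_line(line):
    # "access-list <id> permit|deny host A.B.C.D" | "... A.B.C.D wildcard" | "... any"
    parts = line.split()
    acl_id, action, target = parts[1], parts[2], parts[3]
    if target == "any":
        net, wild = 0, 0xFFFFFFFF
    elif target == "host":
        net, wild = int(ipaddress.IPv4Address(parts[4])), 0
    else:  # wildcard mask: bits set to 1 are "don't care", e.g. 0.0.0.255
        net = int(ipaddress.IPv4Address(target))
        wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return acl_id, (action, net, wild)

def build_acls(lines):
    acls = {}  # ACL id -> ordered entries (first match wins)
    for line in lines:
        acl_id, entry = parse_acl_line(line)
        acls.setdefault(acl_id, []).append(entry)
    return acls

def acl_permits(entries, src):
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        if (s | wild) == (net | wild):
            return action == "permit"
    return False  # assumption: implicit deny when no entry matches

def evaluate_vport(acls, vport_lines, src):
    # Returns (allowed, nat_pool). "access-list N" alone is a filter; "access-list N
    # source-nat-pool P" only selects a pool (assumed to override the default) and never blocks.
    allowed, default_pool, policy_pool = True, None, None
    for line in vport_lines:
        parts = line.split()
        if parts[0] == "access-list" and "source-nat-pool" in parts:
            if policy_pool is None and acl_permits(acls[parts[1]], src):
                policy_pool = parts[parts.index("source-nat-pool") + 1]
        elif parts[0] == "access-list":
            allowed = acl_permits(acls[parts[1]], src)
        elif parts[:2] == ["source-nat", "pool"]:
            default_pool = parts[2]
    return allowed, policy_pool or default_pool

# Constructed input copied from the thread: ACL 10 plus both vport variants
ACLS = build_acls(["access-list 10 permit host 1.1.1.1",
                   "access-list 10 permit host 2.2.2.2", "access-list 10 deny any"])
ORIGINAL_VPORT = ["access-list 10 source-nat-pool PROD_VIP_26.26.26.0",
                  "source-nat pool PROD_VIP_26.26.26.0"]
FIXED_VPORT = ["access-list 10", "source-nat pool PROD_VIP_26.26.26.0"]
```

Running `evaluate_vport(ACLS, ORIGINAL_VPORT, "9.9.9.9")` (a constructed unauthorised client) returns allowed, which is the symptom reported in the first post, while the same call with `FIXED_VPORT` returns denied.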