Jeff Riechers, posted December 10, 2020:
I have a client that is using their ADC as a layer 3 NAT and ACL router. Works great. They now want the ADC to route certain IPs to internal addresses without NATing. Is this possible? So all layer 3, no virtual servers intercepting on the ADC.
Marion Bauer1709159214, posted December 14, 2020:
This should be possible via policy-based routing. Layer 3 mode needs to be enabled, if this is not already the case.
Johannes Norz, posted December 15, 2020:
ADC, by default, is an L3 router. It will simply route traffic if you don't add NAT rules. You may also use "load balancing" to route traffic. In case you do this, you also get some application logic. To preserve the user's IP you would need to use source IP mode.
Jeff Riechers (author), posted December 15, 2020:
32 minutes ago, Johannes Norz said: "ADC, by default, is an L3 router. It will simply route traffic if you don't add NAT rules. You may also use "load balancing" to route traffic. In case you do this, you also get some application logic. To preserve the user's IP you would need to use source IP mode."
Unfortunately they don't want the ADC to own any IPs for back-end services, so presenting devices as load balancers is a no-go; it has to all be done with routes, ACLs and NATs. I have tried PBR, but still can't find a way to present the "back-end" IP to the front-end communication.
Johannes Norz, posted December 15, 2020:
4 minutes ago, Jeff Riechers1709152667 said: "Unfortunately they don't want the ADC to own any IPs for back-end services, so presenting devices as load balancers is a no-go; it has to all be done with routes, ACLs and NATs. I have tried PBR, but still can't find a way to present the "back-end" IP to the front-end communication."
That's not right. If you use Source IP mode (USIP mode), the ADC will proxy the connection, but instead of using its SNIP, it will "fake" the client IP. So the back-end server will "think" the packet came from the client. See here: https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-addressing/enabling-use-source-ip-mode.html
Cheers, Johannes Norz
Jeff Riechers (author), posted December 15, 2020:
3 minutes ago, Johannes Norz said: "That's not right. If you use Source IP mode (USIP mode), the ADC will proxy the connection, but instead of using its SNIP, it will "fake" the client IP. So the back-end server will "think" the packet came from the client. See here: https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-addressing/enabling-use-source-ip-mode.html Cheers, Johannes Norz"
Yeah, saw that too. But using USIP was breaking their gateway connections, so I might need to do some more massaging of the config to make it happen.
Rhonda Rowland1709152125, posted December 16, 2020:
22 hours ago, Jeff Riechers1709152667 said: "Yeah, saw that too. But using USIP was breaking their gateway connections, so I might need to do some more massaging of the config to make it happen."
Typically if USIP mode is enabled, you have to configure the back-end servers with a default gateway of the ADC SNIP, so traffic for the client network returns through the ADC.
Johannes Norz, posted December 21, 2020:
On 12/16/2020 at 7:39 PM, Rhonda Rowland1709152125 said: "Typically if USIP mode is enabled, you have to configure the back-end servers with a default gateway of the ADC SNIP, so traffic for the client network returns through the ADC."
Sure. But that's what he did, as he is currently using L3 mode. That's why I didn't mention it.
David Perez Pozuelo, posted June 7, 2021:
Hi, I'm not sure if I can help with my case, but I solved some asymmetric routing using PBR in my NetScaler:
add ns pbr PBR_VLAN_XXX ALLOW -srcIP = VIP_IPs -destIP = VLAN_SNIP -nextHop DGW -protocol TCP
I needed to return traffic to the client, which had an IP in the VLAN where the LB had a SNIP too. Greetings.
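A worked NetScaler CLI configuration along the lines of the answers in this thread, added here as an example and not taken from any of the posts or from Citrix documentation: it enables L3 mode, steers one client subnet toward one back-end host with a PBR entry and no NAT (so the back-end sees the real client address), narrows that path with an ACL, and records the return-path caveat Rhonda raised for the USIP alternative. Every IP address and object name (PBR_CLIENTS_TO_APP, ACL_CLIENTS_TO_APP_443, SVC_APP_443) is a constructed placeholder; the `#` lines are explanatory comments, not commands to type.

```text
# Added example, not from the thread. All addresses and names are placeholders:
#   10.10.10.0/24  = client ("front-end") network
#   10.20.20.50    = back-end server that must see the real client IP
#   10.20.20.1     = next hop toward the back-end network
#   10.20.20.5     = ADC SNIP on the back-end VLAN

# 1. Plain routing, no NAT: L3 mode lets the ADC forward between its subnets.
enable ns mode L3

# 2. Policy-based route: only traffic from the client subnet to the back-end
#    host is steered to the chosen next hop; everything else follows the
#    routing table. No RNAT/INAT is involved, so the back-end sees the
#    original client IP. Changes take effect only after "apply ns pbrs".
add ns pbr PBR_CLIENTS_TO_APP ALLOW -srcIP = 10.10.10.0-10.10.10.255 -destIP = 10.20.20.50 -nextHop 10.20.20.1 -protocol TCP
apply ns pbrs

# 3. ACL entry for the routed path, limited to the one service port. A packet
#    that matches no ACL is allowed by default, so this entry only narrows
#    the path in combination with the DENY entries already in the client's
#    ACL set. Same rule: "apply ns acls" before it is enforced.
add ns acl ACL_CLIENTS_TO_APP_443 ALLOW -srcIP = 10.10.10.0-10.10.10.255 -destIP = 10.20.20.50 -protocol TCP -destPort = 443
apply ns acls

# 4. Verify the objects are active and counting hits.
show ns pbr PBR_CLIENTS_TO_APP
show ns acl ACL_CLIENTS_TO_APP_443

# 5. USIP alternative (Johannes' suggestion): the ADC proxies but keeps the
#    client IP. The reply must then return through the ADC, so the back-end
#    server's default gateway has to be the SNIP (10.20.20.5); otherwise the
#    server answers the client directly and the connection breaks, which
#    matches the symptom reported in the thread. Service-level form:
# add service SVC_APP_443 10.20.20.50 TCP 443 -usip YES
```

Step 2 on its own answers the original question (route without NAT, no virtual server owning the back-end IP); steps 3 and 4 are the checks a practitioner would run before handing the change back, and step 5 is only relevant if the client later accepts a load-balancing service.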