SLB Acl issues

I have an ACL allowing access to the SLB only from specific hosts; however, I see that other IPs can also access the SLB. Can you please check and let me know if there is anything else required from a config perspective for locking down the access?

access-list 10 permit host 1.1.1.1
access-list 10 permit host 2.2.2.2
access-list 10 deny any

slb virtual-server PROD_VIP 172.16.16.16/32
port 7777 tcp
name PROD_VIP_7777
access-list 10 source-nat-pool PROD_VIP_26.26.26.0
source-nat pool PROD_VIP_26.26.26.0
service-group HTTP

Comments

  • diederik Member
    edited September 2017
    The way you have set it up now links the ACL to a source-nat pool.

    In other words, you are telling the system to do NAT for the addresses specified.
    That does not influence whether packets are allowed or not.

    Just set it up like this to block/allow traffic;
    all the allowed traffic would still use the NAT pool:
    slb virtual-server PROD_VIP 172.16.16.16/32
    port 7777 tcp
    name PROD_VIP_7777
    access-list 10
    source-nat pool PROD_VIP_26.26.26.0
    service-group HTTP
    
  • ar.65535 Member
    edited September 2017
    In the logs I see that the communication to the server IP (not the SLB IP) is getting denied using the same ACL ID; however, the user says that he can retrieve the complete data without any issue.
    So the initial configuration I pasted can cause these kinds of issues?
  • ar.65535 Member
    edited September 2017
    So, something like the below should also resolve this issue?
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0 sequence-number 1
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0 sequence-number 2
  • diederik Member
    edited September 2017
    No, why are you linking the source-nat-pool? You do not need to add "source-nat-pool PROD_VIP_26.26.26.0 sequence-number 1"; just omit that.

    When you link an ACL to a NAT pool, all you do is policy-based NAT.

    As can be found in the CLI SLB manual:

    The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server “slb1”:

    ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255
    ACOS(config)# slb virtual-server vslb1
    ACOS(config-slb vserver)# port 8080 http
    ACOS(config-slb vserver-vport)# access-list 99
    The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port.
    ACOS(config)# access-list 30 allow 192.168.1.0 0.0.0.255
    ACOS(config)# access-list 50 allow 192.168.2.0 0.0.0.255
    ACOS(config)# slb virtual-server vs1 10.10.10.100
    ACOS(config-slb virtual server)# port 80 tcp
    ACOS(config-slb vserver-vport)# access-list 30 source-nat-pool pool1
    ACOS(config-slb vserver-vport)# access-list 50 source-nat-pool pool2
    Policy-based source NAT does NOT deny/allow traffic, it only tells the system what NAT pool to use.
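As an added example (not from this thread, nor A10's own tooling), the script below audits an ACOS-style running-config fragment for exactly the pattern discussed above: a virtual port whose ACL is bound only via source-nat-pool (policy-based NAT, no filtering) is flagged, while a port with a bare access-list binding passes. The config text, the 8888 port and the helper names are constructed for illustration.

```python
import re

# Constructed ACOS-style running-config fragment. Port 7777 reproduces the
# thread's misconfiguration; port 8888 is the corrected form (hypothetical).
SAMPLE_CONFIG = """\
access-list 10 permit host 1.1.1.1
access-list 10 permit host 2.2.2.2
access-list 10 deny any
slb virtual-server PROD_VIP 172.16.16.16/32
  port 7777 tcp
    access-list 10 source-nat-pool PROD_VIP_26.26.26.0
    source-nat pool PROD_VIP_26.26.26.0
    service-group HTTP
  port 8888 tcp
    access-list 10
    source-nat pool PROD_VIP_26.26.26.0
    service-group HTTP
"""

# Under a vport, "access-list N" filters traffic; "access-list N source-nat-pool P"
# only selects the NAT pool for matching sources (policy-based NAT) and blocks nothing.
VPORT_ACL = re.compile(r"access-list (\d+)(\s+source-nat-pool\s+\S+)?(\s+sequence-number\s+\d+)?$")


def audit_vport_acls(config):
    """Return one record per virtual port: ACLs that filter vs. ACLs bound to NAT only."""
    records, vserver, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"slb virtual-server (\S+)", line)
        if m:  # new virtual server; the vport context resets
            vserver, current = m.group(1), None
            continue
        m = re.match(r"port (\d+) (\S+)$", line)
        if m and vserver:  # new virtual port under the current vserver
            current = {"vserver": vserver, "port": f"{m.group(1)}/{m.group(2)}",
                       "filter_acls": [], "nat_only_acls": []}
            records.append(current)
            continue
        m = VPORT_ACL.match(line)
        if m and current is not None:
            key = "nat_only_acls" if m.group(2) else "filter_acls"
            if m.group(1) not in current[key]:
                current[key].append(m.group(1))
    return records


def unfiltered_vports(config):
    """Vports whose only ACL binding is via source-nat-pool: nothing is denied there."""
    return [f"{r['vserver']} {r['port']}" for r in audit_vport_acls(config)
            if r["nat_only_acls"] and not r["filter_acls"]]
```

Running `unfiltered_vports(SAMPLE_CONFIG)` returns the 7777/tcp port only, which is the one that still needs a plain `access-list 10` line under the vport.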