Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
670
Views
0
Helpful
7
Replies

partial access to a page

mchockalingam
Level 1
Level 1

‎03-14-2007 08:25 PM

Hi All,

I have a scenario where external users can access an URL called http://www.sm.com but at the same time, they cannot access http://www.sm.com/admin

Internal users can access any URL.

I am thinking of assigning 2 different VIPs and not open firewall for one of the VIP that belongs to admin page. I have the following config

service smweb01-80

port 80

keepalive frequency 10

ip address 10.20.20.11

keepalive type http

keepalive port 80

active

service smweb02-80

port 80

keepalive frequency 10

keepalive type http

keepalive port 80

ip address 10.20.20.12

active

content sm.com

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

active

content sm.com-admin

vip address 10.10.16.23

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/admin/*"

active

Will this work? I want to make sure that I am on the right track.

thanks,

Labels:
0 Helpful
7 Replies 7

mchockalingam
Level 1
Level 1

‎03-14-2007 09:26 PM

I realized that the above config will not work. DNS cannot resolve a single URL to 2 different VIPs.

Is it possible to redirect to a dummay page based on the source ip? If the source IP is from internal network, I would like to allow access to the admin page. If not, redirect them to a dummy page.

0 Helpful

Syed Iftekhar Ahmed
Level 8
Level 8
In response to mchockalingam

‎03-15-2007 12:46 AM

Acl on CSS can be used to select a particular service from content rule based on source ip

acl 1

clause 20 permit any destination content / prefer

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee

‎03-15-2007 01:37 AM

you should do something like this

service unauthorized

ip x.x.x.x

port 80

active

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/*"

active

content sm.com-admin

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/admin/*"

active

acl 1

clause 10 permit any destination content

clause 20 permit any any destination content prefer unauthorized

clause 99 permit any any destination any

apply all

Where service unauthorized would be a server with a page displaying an error message.

This could also be a redirect to a url like

http://www.sm.com/error.html

Gilles.

0 Helpful

mchockalingam
Level 1
Level 1
In response to Gilles Dufour

‎06-05-2007 07:20 PM

Gilles,

The ACL works only when it is http. For example, when external users enter http://www.sm.com/portal/admin, they get redirected to the service which has the redirect string https://www.sm.com/portal. But if external users enter https://www.sm.com/portal/admin, they get to the correct page since the redirect service I have gets hit only when it is http.

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to mchockalingam

‎06-06-2007 01:38 AM

for https, the css does not see the url as it is encrypted. You can use an ssl module to decrypt the traffic if you have the server key and certificate and then apply the same rule for http and https.

otherwise, for https, you can only loadbalance without knowing where the browser is going.

Gilles.

0 Helpful

mchockalingam
Level 1
Level 1
In response to Gilles Dufour

‎06-06-2007 02:10 AM

The traffic gets decrypted by the SSL module since the server listens only on port 80. But when the traffic is https, I do not have any redirect service and all I have is a generic content rule that serves the main page as well as the directories. Here is my config

service redirect-sm

type redirect

keepalive type none

ip address 1.1.1.1

no prepend-http

domain https://www.sm.com

active

service redirect-portal

type redirect

keepalive type none

ip address 1.1.1.1

no prepend-http

redirect-string "https://www.sm.com/portal"

active

service redirect-portal-admin

type redirect

keepalive type none

ip address 2.2.2.2

no prepend-http

redirect-string "https://www.sm.com/portal/admin"

active

content sm-portal-admin-redirect

add service redirect-portal-admin

vip address 10.10.16.22

protocol tcp

port 80

url "/portal/admin"

active

content sm-portal-redirect

add service redirect-portal

vip address 10.10.16.22

protocol tcp

port 80

url "/portal"

active

content sm-redirect

add service redirect-sm

vip address 10.10.16.22

protocol tcp

port 80

url "/*"

active

content www.sm.com-decrypt

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 81

active

content ssl-sm

add service ssl_serv1

port 443

protocol tcp

vip address 10.10.16.22

application ssl

active

acl 1

clause 10 permit any 10.0.0.0 255.0.0.0 destination content secure-msg/sm-portal-admin-redirect

clause 20 permit any any destination content secure-msg/sm-portal-admin-redirect prefer redirect-portal

clause 99 permit any any destination any

apply all

0 Helpful

mchockalingam
Level 1
Level 1
In response to mchockalingam

‎06-06-2007 08:06 PM

I think I got the idea. I need to make the decrypt content rule as a layer 5 rule checking for specific URL

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents