CSS. Only permit certain source IPs to a content rule - redirect everyone else?

grahamlewis
Level 1

Hi, all servers for an application are to be downed for upgrades. During this time all clients are to be redirected to a "sorry" page, hosted on the web.

I don't have a problem with this.

My problem starts when the service is restored.

The redirect must stay in place for general users, but the "application testers" must be allowed access (i.e. not redirected) based solely on their source IP address.

Rule VIP is the same and the URL is the same.

I'm thinking ACLs, but don't know how to apply them (if I could apply them to content rules I would be sorted - but I can't).

Does anybody have any ideas how to work this out?

Thanks


grahamlewis
Level 1

Hi, I managed to fathom it out, so in case anybody else has similar difficulties, here's what I did (there may be a neater way, which I would be interested in).

-------------------------------------------

Configured a redirect service called SORRY (with no keepalives)

acl 1

clause 10 permit any x.x.x.x destination z.z.z.z

clause 20 permit any x.x.x.y destination z.z.z.z

*clause 30 permit any any destination z.z.z.z prefer SORRY*

clause 50 permit any any destination any

apply circuit-(VLAN1)

acl 2

clause 10 permit any any destination any

apply circuit-(VLAN3)

apply circuit-(VLAN2)

-------------------------------------------

Hi, following my success in the lab, I didn't have the same in live.

The only difference being that in live I was terminating SSL.

The part that didn't work was the ACL clause with the PREFER - is there any known reason why this could be?

CSS is Version: sg0810106 (08.10.1.06)

with SSL mod

(LAB was the same ver without SSL)

Thanks

You'll need to share your complete config.

This is a little bit trickier with the SSL module since the traffic from all clients must go to the SSL module first to be decrypted.

Then you can use ACL to send a redirect for some of them and the traffic needs then to be re-encrypted before being forwarded to the client.

Not sure what your exact ACL and rules are, so I can't tell you what you did wrong.

Gilles.

Hi Gilles, I couldn't work out how to get them to the redirect via the ssl module. Here's the config - attached.

Many Thanks

Graham

Graham,

replace line 30 with:

clause 30 permit any any destination content OWN/PORTALS prefer OOSpage

Gilles.

Thanks Gilles.

It'll be a long time before I get to try it.

Will this catch the traffic after traversing the SSL mod?

Graham

Yes. But it will also catch your normal HTTP traffic.

If you don't want to apply the same rule to both, you'll need to decrypt the SSL traffic to a different rule by changing the port number or the VIP address.

Then create specific access-lists.

Gilles.

Thanks Gilles.

I hadn't realised it behaved in this way - I was thinking that the ACL was acting on data entering the VLAN, as an access-list on a router would do with data arriving at an interface.

The idea was, all clients connect with a https://url...

General users would be redirected to the "out of service" page whilst a group of testers via proxies (ip addresses of those listed in the earlier clauses) would still get access to the application.

Graham

Your understanding is actually correct.

The ACL is applied on the inbound interface when the traffic comes in.

However, in the case of the SSL module, it is a little bit different.

There is no SSL VLAN associated with the traffic coming out of the SSL module.

The traffic going in and out of the SSL module will keep the VLAN tag it got when entering the CSS, and the same ACL associated with that VLAN will be applied again to the decrypted traffic.

Gilles.
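To make the mechanism Gilles describes concrete, here is a small first-match ACL model written for this thread. It is an added example, not code from the thread or from Cisco, and it does not run on a CSS: it only reproduces the evaluation order described above (lowest-numbered matching clause wins, implicit deny once ACLs are enabled) and the SSL-module behaviour (the decrypted flow re-enters on the VLAN it arrived on, so the same ACL is evaluated a second time). The VIP `z.z.z.z`, the tester addresses `x.x.x.x`/`x.x.x.y`, the content-rule names `OWN/SSL`, `OWN/PORTALS` and `OWN/PORTALS-SSL`, the ports 443/80/8080 and the client address `1.2.3.4` are all assumptions chosen for illustration. It walks the corrected ACL, the same clauses with the catch-all numbered too low, and Gilles' suggested variant of decrypting to a separate rule so that plain HTTP is not caught.

```python
"""First-match ACL model of the CSS behaviour discussed in this thread.

Added example (not code from the thread, nor from Cisco): it models the
mechanism Gilles describes. Clauses are evaluated top-down and the first
match wins; traffic decrypted by the SSL module re-enters the CSS with the
VLAN tag it arrived with, so the same ACL is evaluated again on the
decrypted flow. The VIP, content-rule names, ports and client addresses
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VIP = "z.z.z.z"                    # placeholder VIP as written in the thread
TESTERS = ("x.x.x.x", "x.x.x.y")   # placeholder tester/proxy addresses

# Assumed content rules keyed by (vip, port). OWN/SSL terminates HTTPS; the
# SSL module hands the clear-text flow to VIP:80, where OWN/PORTALS also
# serves plain HTTP clients (the situation Gilles warns about).
RULES_SHARED: Dict[Tuple[str, int], str] = {(VIP, 443): "OWN/SSL", (VIP, 80): "OWN/PORTALS"}
# Gilles' alternative: decrypt to a different port so HTTPS gets its own rule.
RULES_SPLIT: Dict[Tuple[str, int], str] = {
    (VIP, 443): "OWN/SSL", (VIP, 80): "OWN/PORTALS", (VIP, 8080): "OWN/PORTALS-SSL"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    vlan: str


@dataclass(frozen=True)
class Clause:
    number: int
    src: str                      # source IP or "any"
    dst: str                      # destination IP, "any" or "content OWNER/RULE"
    prefer: Optional[str] = None  # service to prefer when the clause matches

    def matches(self, flow: Flow, rules: Dict[Tuple[str, int], str]) -> bool:
        if self.src not in ("any", flow.src):
            return False
        if self.dst == "any":
            return True
        if self.dst.startswith("content "):
            return rules.get((flow.dst, flow.port)) == self.dst[len("content "):]
        return self.dst == flow.dst


def first_match(acl: List[Clause], flow: Flow, rules) -> Optional[Clause]:
    """Lowest-numbered matching clause wins; no match is the implicit deny
    that applies once ACLs are enabled on the CSS."""
    for clause in sorted(acl, key=lambda c: c.number):
        if clause.matches(flow, rules):
            return clause
    return None


def steer(acl: List[Clause], flow: Flow, rules) -> str:
    """Where the ACL sends the flow: the preferred service, 'normal' for a
    plain permit, or 'denied'."""
    clause = first_match(acl, flow, rules)
    if clause is None:
        return "denied"
    return clause.prefer or "normal"


def handle_client(acl, src, port, rules=RULES_SHARED, decrypt_port=80, vlan="VLAN1") -> List[str]:
    """Walk one client connection through the CSS and return the outcome of
    each ACL pass. HTTPS is evaluated on arrival (port 443); if permitted to
    the SSL rule it is decrypted and evaluated a second time as a clear-text
    flow to VIP:decrypt_port on the same VLAN. Plain HTTP is evaluated once."""
    passes = [steer(acl, Flow(src, VIP, port, vlan), rules)]
    if port == 443 and passes[0] == "normal":
        passes.append(steer(acl, Flow(src, VIP, decrypt_port, vlan), rules))
    return passes


# The ACL as corrected in this thread: clause 30 keys on the content rule.
ACL_FIXED = [
    Clause(10, TESTERS[0], VIP),
    Clause(20, TESTERS[1], VIP),
    Clause(30, "any", "content OWN/PORTALS", prefer="OOSpage"),
    Clause(50, "any", "any"),
]
# Same clauses with the catch-all numbered ahead of the tester clauses.
ACL_MISORDERED = [Clause(5, "any", "any")] + ACL_FIXED[:3]
# Variant for the split rules: only the decrypted flow is sent to OOSpage.
ACL_SPLIT = ACL_FIXED[:2] + [
    Clause(30, "any", "content OWN/PORTALS-SSL", prefer="OOSpage"), Clause(50, "any", "any")]

if __name__ == "__main__":
    print(handle_client(ACL_FIXED, "1.2.3.4", 443))       # ['normal', 'OOSpage']
    print(handle_client(ACL_FIXED, TESTERS[0], 443))      # ['normal', 'normal']
    print(handle_client(ACL_FIXED, "1.2.3.4", 80))        # ['OOSpage']  plain HTTP is caught too
    print(handle_client(ACL_MISORDERED, "1.2.3.4", 443))  # ['normal', 'normal']  catch-all wins
    print(handle_client(ACL_SPLIT, "1.2.3.4", 80, RULES_SPLIT, 8080))   # ['normal']
    print(handle_client(ACL_SPLIT, "1.2.3.4", 443, RULES_SPLIT, 8080))  # ['normal', 'OOSpage']
```

The two-pass walk is the point: on the first pass a non-tester HTTPS client hits the SSL rule and is simply permitted, and it is only the second evaluation of the decrypted flow on the same VLAN that steers it to the OOSpage redirect. The tester clauses must keep lower numbers than the catch-all, otherwise everyone is permitted on both passes. The split-rule variant shows why Gilles suggests decrypting to a different port or VIP when plain HTTP should not be caught.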

Well I never!

Thanks again Gilles - you're a star!

Graham