CSS: How to deny access to VIP except for configured service

Answered Question
Jul 15th, 2009

Let's suppose I have 2 web servers load balanced on a CSS with a configured service on port 443. Is there a way to drop all requests that are not for port 443? Or do I need to put the CSS behind a firewall to achieve this?

Correct Answer by dario.didio, Wed, 07/15/2009 - 03:26 (about 7 years 10 months ago)

You can use an ACL to accomplish this:

VIP: 10.0.0.1
protocol: 443
client-side VLAN: 10

acl 1
clause 10 permit any any destination 10.0.0.1 eq 443
clause 20 deny any any destination 10.0.0.1
clause 30 permit any any destination any
apply circuit-VLAN10

This will

- allow 443 to the VIP from any source
- deny all the rest to the VIP
- allow any other traffic
- apply the ACL to the circuit VLAN10

Don't forget to globally enable ACLs:

acl enable

HTH,

Dario
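Added example (not part of the post or of the CSS itself): a small Python model of first-match evaluation of the three clauses above against constructed sample flows, showing that the VIP deny has to be numbered before the catch-all permit. The model ignores the protocol field and treats "no clause matched" as deny; both are assumptions of the model, not statements about CSS behaviour.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def parse_clause(line):
    # Form used in the post: "clause N action proto src destination dst [eq port]".
    # The protocol field is kept but not evaluated in this model (assumption).
    t = line.split()
    if t[0] != "clause" or t[5] != "destination":
        raise ValueError(f"unexpected clause syntax: {line}")
    port = int(t[8]) if len(t) > 8 and t[7] == "eq" else None
    return {"num": int(t[1]), "action": t[2], "proto": t[3],
            "src": t[4], "dst": t[6], "port": port}

def matches(clause, flow):
    return (clause["src"] in ("any", flow.src)
            and clause["dst"] in ("any", flow.dst)
            and clause["port"] in (None, flow.dport))

def evaluate(clauses, flow):
    """First matching clause (by number) decides; no match is treated as
    deny, modelling an implicit deny at the end of the ACL (assumption)."""
    for c in sorted(clauses, key=lambda c: c["num"]):
        if matches(c, flow):
            return c["action"]
    return "deny"

ACL_FROM_POST = [parse_clause(line) for line in (
    "clause 10 permit any any destination 10.0.0.1 eq 443",
    "clause 20 deny any any destination 10.0.0.1",
    "clause 30 permit any any destination any",
)]
# Same clauses with the catch-all permit renumbered ahead of the VIP deny:
# an ordering slip that silently re-opens every other port on the VIP.
ACL_MISORDERED = [dict(c, num={20: 30, 30: 20}.get(c["num"], c["num"]))
                  for c in ACL_FROM_POST]

def decisions(acl):
    # Constructed sample flows from a client at 192.0.2.10.
    flows = {"https to VIP": Flow("192.0.2.10", "10.0.0.1", 443),
             "http to VIP": Flow("192.0.2.10", "10.0.0.1", 80),
             "http elsewhere": Flow("192.0.2.10", "10.0.0.50", 80)}
    return {name: evaluate(acl, f) for name, f in flows.items()}

if __name__ == "__main__":
    print("as posted:", decisions(ACL_FROM_POST), "misordered:", decisions(ACL_MISORDERED))
```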