09-02-2009 08:19 AM
I have just had a requirement passed to me.
We have a CSS running a single VIP as far as this is concerned. A single SSL-proxy list but two services running behind that.
That is two content rules, one a layer 4, the other a layer 5. We want to restrict access to the layer 5 rule to certain users.
As we are using the same SSL, and only splitting out between the two apps after we have decrypted the SSL, I don't think the use of client certificates will help, nor will access lists as they are on the same IP address.
Any suggestions?
09-03-2009 01:40 AM
You can use an acl like:
clause 10 deny any 1.1.1.1 destination content gdufour/SSL2
As you can see, you can specify the content rule - and not the destination ip.
I haven't tested, but it may work.
Gilles.
09-03-2009 07:06 AM
Thanks for the suggestion - looks like it might just fly!
I'll give it a try in the LAB first though!
P.
09-04-2009 02:25 AM
Many thanks Gilles, that appears to do the trick!
Just in case anyone else finds this in a search, this is what I have in the access list. This is from the lab, so no problem being open!
acl 2
clause 11 permit any any destination content client/about
clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure
clause 35 deny any any destination content client/secure
clause 40 permit tcp any destination any eq telnet
clause 200 permit tcp any destination 10.1.99.51 eq 80
apply circuit-(VLAN99)
This allows everyone to access the "about" content rule, a single IP to access "secure", and clause 200 is important - it lets the connection come up so that the request can be compared against content rules. A little caveat is that if there is a content rule (e.g. a L4 content rule) that would allow access to the restricted content, that may allow access.
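As an added illustration, not from this thread or from Cisco, here is a small Python model of the ACL above: it parses the clause syntax the posts use and applies lowest-number-first matching with the implicit deny a CSS applies once an ACL is on a circuit. It assumes each request arrives already classified to a content rule (the content argument), which is where the caveat in the last paragraph shows up: the constructed clause 20 and rule name client/l4-catchall stand for a permitted L4 rule, and a request classified there never reaches clause 35.

```python
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"telnet": 23, "www": 80}  # service names the CLI accepts after "eq"
# src, dst_host and dst_port are None for "any"; dst_content holds "owner/rule" or None.
Clause = namedtuple("Clause", "number action proto src dst_content dst_host dst_port")

def parse_clause(line):
    """Parse 'clause N permit|deny PROTO SRC [MASK] destination (any|content O/R|HOST) [eq PORT]'."""
    t = line.split()
    number, action, proto, i, src = int(t[1]), t[2], t[3], 4, None
    if t[i] == "any":
        i += 1
    else:                           # source host, optionally followed by a subnet mask
        host, mask, i = t[i], "255.255.255.255", i + 1
        if t[i] != "destination":
            mask, i = t[i], i + 1
        src = IPv4Network(f"{host}/{mask}", strict=False)
    i += 1                          # skip the "destination" keyword
    content = host_ip = port = None
    if t[i] == "content":
        content, i = t[i + 1], i + 2
    else:
        host_ip, i = (IPv4Address(t[i]) if t[i] != "any" else None), i + 1
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Clause(number, action, proto, src, content, host_ip, port)

def evaluate(acl, proto, src, dst, port, content=None):
    """Lowest-numbered matching clause decides; no match falls to the CSS implicit deny."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for c in sorted(acl, key=lambda c: c.number):
        if (c.proto in ("any", proto) and (c.src is None or src_ip in c.src)
                and (c.dst_content is None or content == c.dst_content)
                and (c.dst_host is None or dst_ip == c.dst_host)
                and (c.dst_port is None or port == c.dst_port)):
            return c.action, c.number
    return "deny", None

# The lab ACL from the post, plus a constructed clause 20 standing in for a permitted L4 rule.
LAB_ACL = [parse_clause(ln) for ln in """clause 11 permit any any destination content client/about
clause 20 permit any any destination content client/l4-catchall
clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure
clause 35 deny any any destination content client/secure
clause 40 permit tcp any destination any eq telnet
clause 200 permit tcp any destination 10.1.99.51 eq 80""".splitlines()]
```

A request with content=None models the bare TCP connection before any HTTP request has been classified, which is the case clause 200 exists for.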