CSS Client authentication

paul.matthews
Level 5

I have just had a requirement passed to me.

We have a CSS running a single VIP as far as this is concerned. A single SSL-proxy list but two services running behind that.

That is two content rules, one a layer 4, the other a layer 5. We want to restrict access to the layer 5 rule to certain users.

As we are using the same SSL, and only splitting out between the two apps after we have decrypted the SSL, I don't think the use of client certificates will help, nor will access lists as they are on the same IP address.

Any suggestions?


3 Replies

Gilles Dufour
Cisco Employee

You can use an acl like:

clause 10 deny any 1.1.1.1 destination content gdufour/SSL2

As you can see, you can specify the content rule - and not the destination ip.

I haven't tested, but it may work.

Gilles.

Thanks for the suggestion - looks like it might just fly!

I'll give it a try in the LAB first though!

P.

Many thanks Gilles, that appears to do the trick!

Just in case anyone else finds this in a search, this is what I have in the access list. This is from the lab, so no problem being open!

acl 2
clause 11 permit any any destination content client/about
clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure
clause 35 deny any any destination content client/secure
clause 40 permit tcp any destination any eq telnet
clause 200 permit tcp any destination 10.1.99.51 eq 80
apply circuit-(VLAN99)

This allows everyone to access the "about" content rule, a single IP to access "secure", and clause 200 is important: it lets the connection come up so that the request can be compared against content rules. A little caveat is that if there is a content rule (e.g. a L4 content rule) that would allow access to the restricted content, that may allow access.
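To show how the posted ACL behaves for different sources and destinations, here is a small evaluator added by the editor (not CSS code or anything from the thread). It assumes first-match-wins evaluation with an implicit deny when no clause matches, treats the destination of a clause as either a content rule name or an IP/port, and maps the port name "telnet" to 23; the ACL text is a copy of the lab config above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of the ACL posted in the thread (constructed input, not pulled from a device).
ACL_TEXT = """
clause 11 permit any any destination content client/about
clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure
clause 35 deny any any destination content client/secure
clause 40 permit tcp any destination any eq telnet
clause 200 permit tcp any destination 10.1.99.51 eq 80
"""
PORT_NAMES = {"telnet": 23, "http": 80}   # assumed name-to-port mapping

@dataclass
class Clause:
    number: int
    action: str                               # "permit" or "deny"
    protocol: str                             # "any" or "tcp"
    source: Optional[ipaddress.IPv4Network]   # None means "any"
    dest: tuple                               # ("content", "owner/rule") or ("ip", net|None, port|None)

def parse_clause(line: str) -> Clause:
    """Parse 'clause N permit|deny proto src [mask] destination ...' as written in the post."""
    tok = line.split()
    num, action, proto, i = int(tok[1]), tok[2], tok[3], 4
    if tok[i] == "any":
        src, i = None, i + 1
    else:                                     # source address followed by a dotted mask
        src, i = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    assert tok[i] == "destination"
    i += 1
    if tok[i] == "content":                   # destination is a content rule (owner/rule)
        return Clause(num, action, proto, src, ("content", tok[i + 1]))
    dnet = None if tok[i] == "any" else ipaddress.IPv4Network(f"{tok[i]}/32")
    port = None
    if i + 2 < len(tok) and tok[i + 1] == "eq":
        port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
    return Clause(num, action, proto, src, ("ip", dnet, port))

def evaluate(clauses, proto: str, src_ip: str, dest: tuple):
    """First matching clause decides; no match falls through to the assumed implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    for c in sorted(clauses, key=lambda c: c.number):
        if c.protocol != "any" and c.protocol != proto:
            continue
        if c.source is not None and src not in c.source:
            continue
        if c.dest[0] != dest[0]:
            continue
        if dest[0] == "content" and c.dest[1] != dest[1]:
            continue
        if dest[0] == "ip":
            _, dnet, port = c.dest
            if dnet is not None and ipaddress.IPv4Address(dest[1]) not in dnet:
                continue
            if port is not None and port != dest[2]:
                continue
        return c.action, c.number
    return "deny", None

CLAUSES = [parse_clause(l) for l in ACL_TEXT.strip().splitlines()]
```

Running `evaluate(CLAUSES, "tcp", "10.1.199.4", ("content", "client/secure"))` returns `("deny", 35)`, while the single permitted host hits clause 30 and anyone reaching the VIP on port 80 is let in by clause 200 so the request can be matched against the content rules.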
