source based access-list on CSS

Unanswered Question
Feb 24th, 2010
How do I get a URL to be accessed by all,

and allowed only to a certain subnet - say

mind you, should also access

We have many existing URLs allowed to everybody.


Below is some of the config. How do I create a source-based list? This shouldn't block anything existing.

!*************************** OWNER ***************************
owner LAB

  content PR-443
    add service ssl
    vip address
    application ssl
    protocol tcp
    port 443
    url "/*"

  content PR-8443
    add service prws1
    add service prws2
    vip address
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    protocol tcp
    port 8443
    url "/*"
    add service prws3

  content PR-REDIRECT
    vip address
    url "/register"
    protocol tcp
    port 80
    redirect "//"

  content vix
    vip address
    url "/site/*"
    protocol tcp
    port 8443
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    add service prws6
    add service prws7
    add service prws8
    add service prws9
    arrowpoint-cookie name V

ssl-proxy-list ssl
  ssl-server 1
  ssl-server 1 vip address
  ssl-server 1 cipher rsa-with-rc4-128-md5 8443 weight 1
  ssl-server 1 unclean-shutdown
  ssl-server 1 ssl-queue-delay 0
  ssl-server 1 rsacert PR1
  ssl-server 1 rsakey PR2

Sean Merrow Wed, 02/24/2010 - 10:41

You would need to use ACLs on the CSS to accomplish this.  In the ACL applied to the incoming interface, you can specify your source information, such as the IP subnet you want to permit, and the destination information, such as the content rule.

Be very careful when globally enabling ACLs on the CSS.  When you do so, an implied deny-all ACL is applied to all interfaces, which will be painful.  So be sure to configure your ACLs as desired first, and add a 'permit any any' ACL to the interfaces that don't need an ACL; then, and only then, globally enable the ACLs.

You can find more details on how to use ACLs to control which source addresses can access a specific content rule by reading the section called Controlling CSS Network Traffic Through Access Control Lists.

Hope this helps,
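The following is an added example of the approach described in the answer above; it is not part of the original post or of the poster's configuration. It assumes a hypothetical restricted URL "/admin/*" carved out of PR-8443 into its own content rule LAB/PR-RESTRICTED, a hypothetical permitted subnet 10.10.20.0/24, and that client traffic arrives on circuit VLAN1 with a second circuit VLAN2 that must keep passing everything. The ACL numbers, clause numbers, subnet and circuit names are all illustrative; the VIP value is left out exactly as in the posted config.

```text
!*************************** OWNER ***************************
owner LAB

  ! Hypothetical content rule for the URL that only one subnet may reach.
  ! It has to be its own rule so the ACL can name it as a destination;
  ! the more specific url "/admin/*" is matched ahead of PR-8443's "/*".
  content PR-RESTRICTED
    vip address
    protocol tcp
    port 8443
    url "/admin/*"
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    add service prws1
    add service prws2
    add service prws3
    active

!*************************** ACL ***************************
! Clauses are evaluated in ascending number order; the first match wins.
acl 1
  ! Only the permitted subnet (hypothetical) may reach the restricted rule.
  clause 10 permit any 10.10.20.0 255.255.255.0 destination content LAB/PR-RESTRICTED
  ! Everyone else is denied that one rule only.
  clause 20 deny any any destination content LAB/PR-RESTRICTED
  ! All existing URLs (PR-443, PR-8443, PR-REDIRECT, vix, ...) stay open to everybody.
  clause 30 permit any any destination any
  ! Bind the ACL to the circuit that carries the client traffic.
  apply circuit-(VLAN1)

! Every other circuit needs its own permit-all ACL before ACLs are enabled
! globally; otherwise the implied deny-all silently blocks it.
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)

! Only after every circuit has an ACL applied: enable ACL processing globally.
acl enable
```

Order of operations matters: build and apply the ACLs first, check them with `show acl`, and issue `acl enable` last. Clause 30 in acl 1 is what keeps the existing content rules reachable; without it the deny-all that `acl enable` implies would take down every other URL on that circuit. If the change goes wrong, `acl disable` turns ACL processing off globally without removing the clauses.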
