02-24-2010 10:29 AM
hello
how to get URL www.xyz.com to be accessed by all
and
www.xyz.com/abc allowed only to a certain subnet - say 10.1.100.0/24
mind you 10.1.100.0 should also access www.xyz.com
we have many existing URLs allowed to everybody
e.g. www.xyz.com/pwc
below is some of the config, how do I create a source based list. this shouldn't block anything existing
!*************************** OWNER ***************************
owner LAB
  content PR-443
    add service ssl
    vip address 192.168.2.100
    application ssl
    protocol tcp
    port 443
    url "/*"
    active
  content PR-8443
    add service prws1
    add service prws2
    vip address 192.168.2.100
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    protocol tcp
    port 8443
    url "/*"
    add service prws3
    active
  content PR-REDIRECT
    vip address 192.168.2.100
    url "/register"
    protocol tcp
    port 80
    redirect "//xyz.com/index.html"
    active
  content vix
    vip address 192.168.2.100
    url "/site/*"
    protocol tcp
    port 8443
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    add service prws6
    add service prws7
    add service prws8
    add service prws9
    arrowpoint-cookie name V
    active
ssl-proxy-list ssl
  ssl-server 1
  ssl-server 1 vip address 192.168.2.100
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.2.100 8443 weight 1
  ssl-server 1 unclean-shutdown
  ssl-server 1 ssl-queue-delay 0
  ssl-server 1 rsacert PR1
  ssl-server 1 rsakey PR2
  active
02-24-2010 10:41 AM
Hello,
You would need to use ACLs on the CSS to accomplish this. In the ACL applied to the incoming interface, you can specify your source information such as the IP subnet you want to permit, and the destination information such as the content rule.
Be very careful when globally enabling ACLs on the CSS. When you do so, an implied deny all ACL is applied to all interfaces, which will be painful. So be sure to configure your ACLs as desired first, and add a 'permit any any' ACL to the interfaces that don't need an ACL, then and only then, globally enable the ACLs.
You can find more details on how to use ACLs to control which source addresses can access a specific content rule by reading the section called Controlling CSS Network Traffic Through Access Control Lists.
Hope this helps,
Sean
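An added example, not part of the reply above and not CSS syntax: a small Python dry run of the ACL plan, to catch an interface left without an ACL before ACLs are enabled globally. The interface names `client-vlan` and `server-vlan`, the content rule name `abc` for `/abc`, the sample source addresses and first-match clause ordering are assumptions made for illustration.

```python
import ipaddress

# Constructed model, not CSS syntax: each ACL is an ordered list of
# (action, source network, destination content rule or "any") clauses.
ACLS = {
    "client-vlan": [
        ("permit", "10.1.100.0/24", "abc"),   # only this subnet reaches /abc
        ("deny",   "0.0.0.0/0",     "abc"),   # everyone else is refused /abc
        ("permit", "0.0.0.0/0",     "any"),   # existing rules stay open to all
    ],
    "server-vlan": [],                         # forgotten: no ACL configured
}

def evaluate(acl, src, rule):
    """Return the action of the first clause matching src and content rule."""
    addr = ipaddress.ip_address(src)
    for action, net, dest in acl:
        if addr in ipaddress.ip_network(net) and dest in ("any", rule):
            return action
    return "deny"  # implied deny all once ACLs are globally enabled

def preflight(acls, flows):
    """List problems to fix before enabling ACLs globally."""
    problems = [f"{name}: no clauses, implied deny will drop all traffic"
                for name, acl in acls.items() if not acl]
    for iface, src, rule, want in flows:
        got = evaluate(acls[iface], src, rule)
        if got != want:
            problems.append(f"{iface}: {src} -> {rule} is {got}, expected {want}")
    return problems

# Constructed test flows: (interface, source IP, content rule, expected action)
FLOWS = [
    ("client-vlan", "10.1.100.25", "abc", "permit"),
    ("client-vlan", "172.16.5.9", "abc", "deny"),
    ("client-vlan", "10.1.100.25", "PR-8443", "permit"),
    ("client-vlan", "172.16.5.9", "vix", "permit"),
    ("server-vlan", "192.168.2.50", "PR-8443", "permit"),
]

if __name__ == "__main__":
    for problem in preflight(ACLS, FLOWS):
        print(problem)
```

As constructed, the run reports `server-vlan` twice; giving that interface a single permit-any clause clears both findings.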