Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS. Only permit certain sourceIP to content rule - redirect everone else ?

Hi, all servers for an application are to be downed for upgrades. During this time all clients are to be redirected to a "sorry" page, hosted on the web.

I don't have a problem with this.

My problem starts when the service is restored.

The redirect must stay in place for general users but the "application testers" must be allowed access (i.e. not redirected) based soley on their source IP address.

Rule VIP is the same and url is the same.

I'm thinking ACLs but don't know how to apply them (if I could apply them to content rules I would be sorted - but can't)

Does anybody have any Ideas how to work this out ?

Thanks

10 REPLIES
New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Hi, I manage to fathom it out - so incase anybody else has similar difficulties, here's what I did (there maybe a neater way - which I would be interested in).

-------------------------------------------

Configured a redirect service called SORRY (with no keepalives)

Acl 1

Clause 10 Permit any x.x.x.x destination z.z.z.z

Clause 20 Permit any x.x.x.y destination z.z.z.z

*Clause 30 Permit any any destination z.z.z.z prefer SORRY*

Clause 50 permit any any destination any

Apply circuit-(VLAN1)

Acl 2

Clause 10 permit any any destination any

Apply circuit-(VLAN3)

Apply circuit-(VLAN2)

-------------------------------------------

New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Hi, following my success in the lab I didn't have the same in live.

The only difference being that in live I was terminating SSL.

The part that didn't work was the ACL clause with the PREFER - is there any know reason why this could be ?

CSS is Version: sg0810106 (08.10.1.06)

with SSL mod

(LAB was the same ver without SSL)

Thanks

Cisco Employee

Re: CSS. Only permit certain sourceIP to content rule - redirect

you'll need to share your complete config.

This is a little bit trickier with the SSL module since the traffic from all clients must go to the SSL module first to be decrypted.

Then you can use ACL to send a redirect for some of them and the traffic needs then to be re-encrypted before being forwarded to the client.

Not sure what is your exact ACL and rules, so I can't tell you what you did worng.

Gilles.

New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Hi Gilles, I couldn't work out how to get them to the redirect via the ssl module. Here's the config - attached.

Many Thanks

Graham

Cisco Employee

Re: CSS. Only permit certain sourceIP to content rule - redirect

Graham,

replace line 30 with :

clause 30 permit any any destination content OWN/PORTALS prefer OOSpage

Gilles.

New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Thanks Gilles.

It'll be a long time before I get to try it.

Will this catch the traffic after traversing the SSL mod?

Graham

Cisco Employee

Re: CSS. Only permit certain sourceIP to content rule - redirect

yes. But it will also catch your normal HTTP traffic.

If you don't want to apply the same rule to both, you'll need to decrypt the ssl traffic to a different rule by changing the port number or the vip address.

Then create specific access-lists.

Gilles.

New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Thanks Gilles.

I hadn't realised it behaved in this way - I was thinking that the acl was acting on data entering the vlan, as an access-list on a router would do with data arriving at an interface.

The idea was, all clients connect with a https://url...

General users would be redirected to the "out of service" page whilst a group of testers via proxies (ip addresses of those listed in the earlier clauses) would still get access to the application.

Graham

Cisco Employee

Re: CSS. Only permit certain sourceIP to content rule - redirect

Your understanding is actually correct.

The ACL is applied on inbound interface when the traffic comes in.

However, in the case of the SSL module, it is a little bit different.

There is no SSL-VLAN associated with the traffic coming out of the ssl module.

The traffic going in and out of the ssl module will keep the vlan tag they got when entering the CSS and the same ACL associated with that vlan will be applied again to the decrypted traffic.

Gilles.

New Member

Re: CSS. Only permit certain sourceIP to content rule - redirect

Well I never!

Thanks again Gilles - you're a star!

Graham

164
Views
5
Helpful
10
Replies