Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

CSSClient authentication

I have just had a requirement passed to me.

We have a CSS running a single VIP as far as this is concerned. A single SSL- proxy list but two services running behind that.

That is two content rules, one a layer 4, the other a layer 5. We want to restribct access to the later 5 rule to certain users.

As we are using the same SSL, and only splitting out between the two apps after we have decrypted the SSL I don't think the use of client ertificates will help, nor will access lists as they are on the same IP address.

Any suggestions?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: CSSClient authentication

You can use an acl like :

clause 10 deny any 1.1.1.1 destination content gdufour/SSL2

As you can see, you can specify the content rule - and not the destination ip.

I haven't tested, but it may work.

Gilles.

3 REPLIES
Cisco Employee

Re: CSSClient authentication

You can use an acl like :

clause 10 deny any 1.1.1.1 destination content gdufour/SSL2

As you can see, you can specify the content rule - and not the destination ip.

I haven't tested, but it may work.

Gilles.

Re: CSSClient authentication

Thanks for the suggestion - looks like it might just fly!

I'll give it a try in the LAB first though!

P.

Re: CSSClient authentication

Many thanks Gilles, that appears to do the trick!

Just in case anyone else finds this in a search, this is what I have in the access list. This is from the lab, so no problem being open!

acl 2

clause 11 permit any any destination content client/about

clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure

clause 35 deny any any destination content client/secure

clause 40 permit tcp any destination any eq telnet

clause 200 permit tcp any destination 10.1.99.51 eq 80

apply circuit-(VLAN99)

This allows everyone to access the "about" content rule, a single IP to access "secure" and clause 200 is important - it lest the connection come up so that the request can be compared against content rules. A little caveat is that if there is a content rule (eg a L4 content rule) that would allow access to the restricted content, that may allow access.

155
Views
0
Helpful
3
Replies
CreatePlease to create content