New Member

How to configure ACE to send the response as a forbidden code or bad request based on the URL string

I have a requirement where ACE has to forbid HTTP access to a URL based on the strings /admin/ or /console/ in the URL. I believe I can match the traffic with the following class-map, but how do I act on it to forbid the access? Example configurations?

class-map type http loadbalance match-any Forbidden-admin-access
   2 match http url /admin/.*
   3 match http url /console/.*

6 REPLIES
Cisco Employee

Hi Sven,

ACE cannot give a response, but it can allow, drop or reset the connection based on L7 information, or you can make ACE forward the traffic to servers which can send those responses after the above condition is matched. But it surely can "silently" drop or reset the connection as well. Pasting configuration below for your reference.

If you want to send a reset, then you would need to use 'inspect' as such:

class-map type http inspect match-all CM-INSPECT
  2 match header Host header-value "private.example.com"

class-map match-all VIP_WWW
  2 match virtual-address 10.86.178.167 tcp eq www

policy-map type inspect http all-match PM-INSPECT
  class CM-INSPECT
    reset

policy-map type loadbalance first-match WWW_SERVERS
  class class-default
    serverfarm SERVER_FARM

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SERVERS
    inspect http policy PM-INSPECT
    loadbalance vip icmp-reply

Now, if you would rather not send a RST, but just drop it, then you would use 'loadbalance' as such:

class-map type http loadbalance match-any CM-DROP
  2 match http header Host header-value "private.example.com"

class-map match-all VIP_WWW
  2 match virtual-address 10.86.178.167 tcp eq www

policy-map type loadbalance first-match WWW_SERVERS
  class CM-DROP
    drop
  class class-default
    serverfarm SERVER_FARM

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SERVERS
    loadbalance vip icmp-reply

 

Regards,

Kanwal

New Member

Hi Kanwalsi,

I'm facing the same issue but with the following difference:

I'd like to permit everyone access to, e.g., www.abc.com but allow access to www.abc.com/admin only to specific IP addresses. Please let me know if you have any suggestion.

Regards

 

Cisco Employee

Hi,

You should have L7 class map statement like:

class-map type http inspect match-all CM-inspect
  2 match url /admin

And then call this class-map under the policy map etc. as shown above and check if it works fine. The action should be either DROP or RESET depending upon your preference.

Regards,

Kanwal

 

New Member

I guess it should work fine to drop requests for everybody, but the problem that I'm facing is:

- Everybody can access the URL "www.example.com" through VIP 70.10.10.11 to serverfarm EXAMPLE-80.

- But only the 2 addresses 23.22.21.2 /23 can access "www.example.com/admin" (same VIP and serverfarm), and requests from other source IP addresses are dropped.

Could you please be more specific in your suggestion.

Thanks.

 

Cisco Employee

Hi,

I am sorry, but I didn't get your question here. Are you saying that everyone who comes to www.example.com is getting access but only two users are being dropped when they go to www.example.com/admin? Are all other users getting access to /admin too? Can you share the configuration in place?

Regards,

Kanwal

New Member

Hi,

In fact, no configurations have been made yet, and what I described is what I want to accomplish, meaning:

Everybody should be permitted to access www.example.com.

But only 2 source IP addresses should be permitted to access www.example.com/admin. All requests coming from other IP addresses should be dropped for that specific URL.

Regards.
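The following configuration is an added illustration of how both requirements in this thread can be expressed with the first-match load-balance policy Kanwal showed; it was not posted by Kanwal or by anyone else in the thread. It takes the original poster's class-map Forbidden-admin-access (block /admin/ and /console/ for everyone) and adds an exception so that /admin/ is still reachable from the two trusted client addresses. It assumes ACE's Layer 7 `match source-address` and nested `match class-map` statements in a `class-map type http loadbalance`; the VIP 70.10.10.11, serverfarm EXAMPLE-80 and the address 23.22.21.2 come from the thread, while 203.0.113.10 is a placeholder for the second trusted address and must be replaced.

```text
! Trusted client addresses that may reach /admin/ (match-any: either address)
class-map type http loadbalance match-any ADMIN-TRUSTED-SOURCES
  2 match source-address 23.22.21.2 255.255.255.255
  ! placeholder: replace with the second trusted address from the thread
  3 match source-address 203.0.113.10 255.255.255.255

! /admin/ requested from a trusted address (match-all: URL AND source must both match)
class-map type http loadbalance match-all ADMIN-FROM-TRUSTED
  2 match http url /admin/.*
  3 match class-map ADMIN-TRUSTED-SOURCES

! The original poster's class: any /admin/ or /console/ request, regardless of source
class-map type http loadbalance match-any Forbidden-admin-access
  2 match http url /admin/.*
  3 match http url /console/.*

! Layer 3/4 class for the VIP from the thread
class-map match-all VIP_WWW
  2 match virtual-address 70.10.10.11 tcp eq www

! first-match: the order of the classes is the access policy.
! 1) trusted source + /admin/  -> load balance to the farm
! 2) any other /admin/ or /console/ -> silently dropped
! 3) everything else -> load balance to the farm
policy-map type loadbalance first-match WWW_SERVERS
  class ADMIN-FROM-TRUSTED
    serverfarm EXAMPLE-80
  class Forbidden-admin-access
    drop
  class class-default
    serverfarm EXAMPLE-80

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SERVERS
    loadbalance vip icmp-reply
```

Two points to check before relying on this. First, `/admin/.*` matches only URLs that contain a slash after "admin", so a request for the bare path /admin is not caught by either class and falls through to class-default; widen the expression (for example to cover /admin with and without a trailing slash) if that path must be protected too. Second, the source address ACE evaluates is the client address it sees on the wire: if a proxy or NAT device sits in front of the ACE, every client arrives from that device's address and the exception would apply to all of them. After applying the policy, hit counters per class can be inspected with `show service-policy VIP detail` (the command name is assumed from the ACE CLI, not taken from this thread) to confirm that test requests land in the intended class.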

 
