
New Member

partial access to a page

Hi All,

I have a scenario where external users can access a URL called http://www.sm.com but, at the same time, they cannot access http://www.sm.com/admin.

Internal users can access any URL.

I am thinking of assigning 2 different VIPs and not opening the firewall for the VIP that belongs to the admin page. I have the following config:

service smweb01-80
  port 80
  keepalive frequency 10
  ip address 10.20.20.11
  keepalive type http
  keepalive port 80
  active

service smweb02-80
  port 80
  keepalive frequency 10
  keepalive type http
  keepalive port 80
  ip address 10.20.20.12
  active

content sm.com
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  active

content sm.com-admin
  vip address 10.10.16.23
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active

Will this work? I want to make sure that I am on the right track.

thanks,

7 REPLIES
New Member

Re: partial access to a page

I realized that the above config will not work. DNS cannot resolve a single URL to 2 different VIPs.

Is it possible to redirect to a dummy page based on the source IP? If the source IP is from the internal network, I would like to allow access to the admin page. If not, redirect them to a dummy page.

Re: partial access to a page

An ACL on the CSS can be used to select a particular service from a content rule based on source IP:

acl 1
  clause 20 permit any destination content / prefer

Cisco Employee

Re: partial access to a page

You should do something like this:

service unauthorized
  ip x.x.x.x
  port 80
  active

content sm.com
  ! rule name taken from the original post; the catch-all rule needs a name
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/*"
  active

content sm.com-admin
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active

acl 1
  clause 10 permit any destination content
  clause 20 permit any any destination content prefer unauthorized
  clause 99 permit any any destination any
  apply all

Where service unauthorized would be a server with a page displaying an error message.

This could also be a redirect to a URL like http://www.sm.com/error.html

Gilles.

New Member

Re: partial access to a page

Gilles,

The ACL works only when it is http. For example, when external users enter http://www.sm.com/portal/admin, they get redirected to the service which has the redirect string https://www.sm.com/portal. But if external users enter https://www.sm.com/portal/admin, they get to the correct page since the redirect service I have gets hit only when it is http.

Cisco Employee

Re: partial access to a page

For HTTPS, the CSS does not see the URL as it is encrypted. You can use an SSL module to decrypt the traffic if you have the server key and certificate, and then apply the same rule for HTTP and HTTPS.

Otherwise, for HTTPS, you can only load balance without knowing where the browser is going.

Gilles.

New Member

Re: partial access to a page

The traffic gets decrypted by the SSL module since the server listens only on port 80. But when the traffic is HTTPS, I do not have any redirect service, and all I have is a generic content rule that serves the main page as well as the directories. Here is my config:

service redirect-sm
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  domain https://www.sm.com
  active

service redirect-portal
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  redirect-string "https://www.sm.com/portal"
  active

service redirect-portal-admin
  type redirect
  keepalive type none
  ip address 2.2.2.2
  no prepend-http
  redirect-string "https://www.sm.com/portal/admin"
  active

content sm-portal-admin-redirect
  add service redirect-portal-admin
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal/admin"
  active

content sm-portal-redirect
  add service redirect-portal
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal"
  active

content sm-redirect
  add service redirect-sm
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/*"
  active

content www.sm.com-decrypt
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 81
  active

content ssl-sm
  add service ssl_serv1
  port 443
  protocol tcp
  vip address 10.10.16.22
  application ssl
  active

acl 1
  clause 10 permit any 10.0.0.0 255.0.0.0 destination content secure-msg/sm-portal-admin-redirect
  clause 20 permit any any destination content secure-msg/sm-portal-admin-redirect prefer redirect-portal
  clause 99 permit any any destination any
  apply all

New Member

Re: partial access to a page

I think I got the idea. I need to make the decrypt content rule a layer 5 rule checking for the specific URL.
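As an added illustration (not from the thread and not Cisco's code), here is a small Python model of how the posted content rules and ACL pick a service for a request: it shows the port-80 redirect behaviour, the gap on the decrypted port 81 where only a layer 3/4 rule exists, and a hypothetical layer-5 rule on port 81 that steers external sources to Gilles' `unauthorized` error-page service. The URL-matching and most-specific-rule-wins semantics are assumptions, as is the rule name `www.sm.com-decrypt-admin`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Internal range taken from ACL clause 10 in the thread (10.0.0.0 255.0.0.0).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    url: Optional[str]          # None: layer 3/4 rule, no URL inspection
    services: Tuple[str, ...]   # services added to the rule; first one is used

def url_matches(pattern: Optional[str], path: str) -> bool:
    """Assumed CSS semantics: exact match, or prefix match for a trailing '/*'."""
    if pattern is None:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def pick_rule(rules, port: int, path: str) -> Optional[Rule]:
    # Assumption: the most specific (longest) matching URL wins; L3/4 rules last.
    cands = [r for r in rules if r.port == port and url_matches(r.url, path)]
    return max(cands, key=lambda r: len(r.url or "")) if cands else None

def decide(rules, prefer: Dict[str, str], src_ip: str, port: int, path: str):
    """Return (content rule, service) for a request, applying the ACL 'prefer'
    override for sources outside INTERNAL, as clause 20 in the thread does."""
    rule = pick_rule(rules, port, path)
    if rule is None:
        return (None, None)
    external = ipaddress.ip_address(src_ip) not in INTERNAL
    svc = prefer[rule.name] if external and rule.name in prefer else rule.services[0]
    return (rule.name, svc)

# Rules as posted in the thread: port-80 redirects plus the port-81 decrypt rule.
THREAD_RULES = (
    Rule("sm-portal-admin-redirect", 80, "/portal/admin", ("redirect-portal-admin",)),
    Rule("sm-portal-redirect", 80, "/portal", ("redirect-portal",)),
    Rule("sm-redirect", 80, "/*", ("redirect-sm",)),
    Rule("www.sm.com-decrypt", 81, None, ("smweb01-80", "smweb02-80")),
)
THREAD_PREFER = {"sm-portal-admin-redirect": "redirect-portal"}
# Hypothetical fix from the last post: a layer-5 rule on the decrypted port 81
# whose external sources are steered to the 'unauthorized' error-page service.
FIXED_RULES = THREAD_RULES + (
    Rule("www.sm.com-decrypt-admin", 81, "/portal/admin/*", ("smweb01-80", "smweb02-80")),
)
FIXED_PREFER = {**THREAD_PREFER, "www.sm.com-decrypt-admin": "unauthorized"}
```

With THREAD_RULES an external client hitting the decrypted port 81 for /portal/admin still lands on smweb01-80, which is the gap the thread ends on; with FIXED_RULES the same request goes to the error-page service.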
