source based access-list on CSS

followurself
Level 1

hello

how to get URL www.xyz.com to be accessed by all

and

www.xyz.com/abc allowed only to a certain subnet - say 10.1.100.0/24

mind you 10.1.100.0 should also access www.xyz.com

we have many existing URLs allowed to everybody

e.g www.xyz.com/pwc

below is some of the config. How do I create a source-based list? This shouldn't block anything existing.

!*************************** OWNER ***************************
owner LAB

  content PR-443
    add service ssl
    vip address 192.168.2.100
    application ssl
    protocol tcp
    port 443
    url "/*"
    active

  content PR-8443
    add service prws1
    add service prws2
    vip address 192.168.2.100
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    protocol tcp
    port 8443
    url "/*"
    add service prws3
    active

  content PR-REDIRECT
    vip address 192.168.2.100
    url "/register"
    protocol tcp
    port 80
    redirect "//xyz.com/index.html"
    active

  content vix
    vip address 192.168.2.100
    url "/site/*"
    protocol tcp
    port 8443
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    add service prws6
    add service prws7
    add service prws8
    add service prws9
    arrowpoint-cookie name V
    active

ssl-proxy-list ssl
  ssl-server 1
  ssl-server 1 vip address 192.168.2.100
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.2.100 8443 weight 1
  ssl-server 1 unclean-shutdown
  ssl-server 1 ssl-queue-delay 0
  ssl-server 1 rsacert PR1
  ssl-server 1 rsakey PR2
  active


Sean Merrow
Level 4

Hello,

You would need to use ACLs on the CSS to accomplish this.  In the ACL applied to the incoming interface, you can specify your source information such as the IP subnet you want to permit, and the destination information such as the content rule.

Be very careful when globally enabling ACLs on the CSS.  When you do so, an implied deny all ACL is applied to all interfaces, which will be painful.  So be sure to configure your ACLs as desired first, and add a 'permit any any' ACL to the interfaces that don't need an ACL, then and only then, globally enable the ACLs.

You can find more details on how to use ACLs to control which source addresses can access a specific content rule by reading the section called Controlling CSS Network Traffic Through Access Control Lists.

Hope this helps,

Sean
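A concrete configuration for the scenario in the question, added here as an illustration; it is not from Sean's reply or from Cisco. It assumes a new content rule `abc` for `/abc/*` under owner `LAB` (reusing the PR-8443 services), that client traffic enters on circuit `VLAN1` with one other circuit `VLAN2`, and that the ACL clause syntax is the CSS `clause <n> permit|deny <proto> <source> destination content <owner>/<rule>` form.

```text
! Lines starting with "!" are explanatory comments, not CSS commands.
! 1. A dedicated content rule for the restricted path. The CSS selects the
!    most specific URL match, so /abc/* lands here instead of on PR-8443 "/*".
!    Everything else (e.g. /pwc) keeps matching the existing rules untouched.
owner LAB
  content abc
    vip address 192.168.2.100
    protocol tcp
    port 8443
    url "/abc/*"
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie browser-expire
    add service prws1
    add service prws2
    add service prws3
    active

! 2. ACL for the client-facing circuit (VLAN1 assumed). Clauses are checked
!    in number order and the first match wins: the subnet is permitted to
!    the abc rule, every other source is denied for that rule only, and
!    the final clause keeps all existing traffic flowing as before.
acl 10
  clause 10 permit any 10.1.100.0 255.255.255.0 destination content LAB/abc
  clause 20 deny any any destination content LAB/abc
  clause 90 permit any any
  apply circuit-(VLAN1)

! 3. Every other circuit needs its own explicit permit BEFORE enabling,
!    because "acl enable" puts an implicit deny on every interface.
acl 20
  clause 10 permit any any
  apply circuit-(VLAN2)

! 4. Only now switch ACL processing on globally, then verify.
acl enable
show acl
```

For HTTPS the decrypted flow from the ssl-proxy-list reaches the port-8443 rules, so check with `show flows` that the clause evaluates the original client address rather than the SSL proxy's address before relying on it.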