topic Re: CSS acl and proxy-list in Application Networking

CSS acl and proxy-list

henry.saravia — Mon, 06 Dec 2010 18:02:11 GMT

I need to filter a url, (An url public and private), but the acls is not worknig

#############################################

interface e1

bridge vlan 2

#############################################

circuit VLAN2

redundancy

ip address 172.19.2.102 255.255.255.0

#############################################

ssl-proxy-list ssl-ssl

ssl-server 2

ssl-server 2 vip address 172.19.2.5

ssl-server 2 rsakey asrsakey2

ssl-server 2 rsacert asrsacert2

ssl-server 2 ssl-queue-delay 0

ssl-server 2 tcp server nagle disable

ssl-server 2 tcp server ack-delay 0

ssl-server 2 tcp virtual ack-delay 0

ssl-server 2 cipher rsa-with-rc4-128-sha 172.19.2.50 80

ssl-server 2 tcp server inactivity-timeout 600

ssl-server 2 tcp virtual inactivity-timeout 600

active

#############################################

service secure-ssl

type ssl-accel

slot 2

add ssl-proxy-list ssl-ssl

active

service serv1

ip address 172.19.2.32

protocol tcp

port 80

active

service serv2

ip address 172.19.2.35

protocol tcp

port 80

active

#############################################

content PUBLIC

add service serv1

add service serv2

vip address 172.19.2.50

protocol tcp

port 80

url "/public/*"

active

content PRIVATE

add service serv2

add service serv1

vip address 172.19.2.50

port 80

protocol tcp

url "/private/*"

active

#############################################

group GROUP

add destination service serv2

add destination service serv1

vip address 172.19.2.50

active

#############################################

acl 26

clause 10 permit any 172.16.0.0 255.255.0.0 destination content OWN/PRIVATE

clause 20 permit any 172.19.0.0 255.255.0.0 destination content OWN/PRIVATE

clause 50 deny any any destination content OWN/PRIVATE

clause 99 permit any any destination any

Any Idea?

Re: CSS acl and proxy-list

Kristopher Martinez — Mon, 06 Dec 2010 18:09:38 GMT

Henry,

Did you apply the ACL to a circuit and enable the ACLs? CSS requires that you enable ACLs after youconfigure them in order to take affect. Take a look at the quick start guide for ACLs below.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Access.html#wp1134054

Kris

Re: CSS acl and proxy-list

pablo.nxh — Mon, 06 Dec 2010 18:12:11 GMT

Howdy Henry,

To get ACL's working on the CSS is a 2 steps process, Apply the ACL to a circuit and then enable ACL globally on the box.

You need to make sure all your circuit VLAN's have an ACL configured even if needs to be permit any any otherwise the traffic

for that VLAN will be blocked.

In your case seems like you only have circuit VLAN 2 so the config would be like this:

acl 26

clause 10 permit any 172.16.0.0 255.255.0.0 destination content OWN/PRIVATE

clause 20 permit any 172.19.0.0 255.255.0.0 destination content OWN/PRIVATE

clause 50 deny any any destination content OWN/PRIVATE

clause 99 permit any any destination any

apply circuit-(VLAN2)

Then go to config t mode and enter:

CSS(config)# acl enable

HTH

__ __

Pablo

Re: CSS acl and proxy-list

henry.saravia — Mon, 06 Dec 2010 20:30:38 GMT

Yes, I did the "apply circuit-(VLAN2)" and the "acl enable " but all traffic is permited, no filter is applied!

I see in the log of the server that is only the ip 172.19.2.50 is accesing to the physical server.

172.19.26.50 -> 172.19.26.32 HTTP GET / HTTP/1.1

172.19.26.50 -> 172.19.26.32 HTTP GET /favicon.ico HTTP/1.1

172.19.26.50 -> 172.19.26.32 HTTP GET / HTTP/1.1

No the original source 172.16.0.0 255.255.0.0 or 172.19.0.0 255.255.0.0

Any Idea?

Re: CSS acl and proxy-list

henry.saravia — Mon, 06 Dec 2010 20:41:58 GMT

Sorry this is the log

172.19.2.50 -> 172.19.2.32 HTTP GET / HTTP/1.1

172.19.2.50 -> 172.19.2.32 HTTP GET /favicon.ico HTTP/1.1

172.19.2.50 -> 172.19.2.32 HTTP GET / HTTP/1.1

Re: CSS acl and proxy-list

pablo.nxh — Mon, 06 Dec 2010 20:44:24 GMT

Oh OK it isn't a ACL problem but a NAT issue.

The fact that you're seeing only requests from 172.19.2.50 is because you configured a source group to NAT incoming request

to content rules where these services were configured under. S-NAT avoids asymmetric routing issues in a one-armed design like yours.

group GROUP

add destination service serv2

add destination service serv1

vip address 172.19.2.50

active

ACLs should be working fine and traffic different than 172.16.0.0/16 or 172.19.0.0/16 will not have access to the rule in question.

HTH

__ __

Pablo

Re: CSS acl and proxy-list

henry.saravia — Mon, 06 Dec 2010 21:20:29 GMT

I have the group config like this:

group GROUP

add destination service serv1

add destination service serv2

vip address 172.19.2.50

active

Im not clear about what your recommendation is?

Thanks

Re: CSS acl and proxy-list

pablo.nxh — Mon, 06 Dec 2010 21:56:17 GMT

Hey Henry,

It was not a recommendation, I was trying to explain why all the logs on your server are

coming from a single source (172.19.2.50).

On the CSS ACL matching happens before NAT so when a packet comes in CSS checks against your ACL, if doesn't belong

to 172.16 or 172.19 networks packet is discarded.

If the packet comes from one of these networks it would be permitted and then NAT'd using the source group so regardless if

it comes from .16 or .19 all the requests will seem to be sourced from 172.19.2.50.

You can't get rid of the source group in one-armed design unless you make sure the response of your servers has no way

to get to the client other than going through the CSS.

HTH

__ __

Pablo.

Re: CSS acl and proxy-list

henry.saravia — Fri, 10 Dec 2010 15:12:56 GMT

Hi pablo I want restate my question

I have a content rule like this one:

content SSL-J2EE

vip address 172.19.6.5

add service ssl

application ssl

advanced-balance ssl

protocol tcp

port 443

active

service ssl

type ssl-accel

slot 2

add ssl-proxy-list ssl-bfa

keepalive type none

active

I need to do something like this:

content SSL-J2EE

vip address 172.19.6.5

add service ssl

application ssl

advanced-balance ssl

protocol tcp

port 443

url "/private/*"

active

content SSL-J2EE

vip address 172.19.6.5

add service ssl

application ssl

advanced-balance ssl

protocol tcp

port 443

url "/public/*"

active

and filter based in source IP (some IP can access to /private and another to /public). The problem is that https is encrypted and I can not see the path to distingish if is a public connection or private.

Any Idea?

Thanks

Re: CSS acl and proxy-list

pablo.nxh — Fri, 10 Dec 2010 16:38:34 GMT

Hi Henry,

Based on your config and specially on the service shown below, it means that you're offloading the SSL traffic on the CSS so

the URL filter will be configured on the clear text rules and the ACL will be pointing to those instead.

service ssl

type ssl-accel

slot 2

add ssl-proxy-list ssl-bfa

keepalive type none

active

If you don't mind you can share a sanitized copy of the following outputs and I'll give you a hand with the ACL config.

CSS# show run ssl

CSS# show run owner

CSS# show run acl

Regards

__ __

Pablo

Re: CSS acl and proxy-list

henry.saravia — Fri, 10 Dec 2010 23:38:52 GMT

it is the config:

Re: CSS acl and proxy-list

pablo.nxh — Mon, 13 Dec 2010 18:37:27 GMT

Hello Henry,

Your config looks in good shape The only thing that seems to be missing is the line that denies further access to "PRIVATE"

content rule.

acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 21 deny any any destination content ONE/PRIVATE
  clause 30 deny any any destination content BFA/PRIVATE
  clause 40 permit any 172.16.2.0 255.255.255.0 destination any
  clause 50 permit any any destination content BFA/PUBLIC
  clause 99 permit any any destination any
  apply circuit-(VLAN26)

Not sure if clause 30 was supposed to be the line that blocks that traffic.

Regards.

__ __

Pablo

Re: CSS acl and proxy-list

henry.saravia — Mon, 13 Dec 2010 20:05:19 GMT

Hi Pablo

The ACL is applied like this

acl 26

clause 10 permit any 172.16.0.0 255.255.0.0 destination content ONE/PRIVATE

clause 20 permit any 172.19.0.0 255.255.0.0 destination content ONE/PRIVATE

clause 30 deny any any destination content ONE/PRIVATE

clause 40 permit any 172.16.2.0 255.255.255.0 destination any

clause 50 permit any any destination content ONE/PUBLIC

clause 99 permit any any destination any

apply circuit-(VLAN26)

But the client access by https to the content

content SECURE

vip address 172.19.2.5

add service secure

application ssl

advanced-balance ssl

protocol tcp

port 443

active

The SSL proxy access to the ONE/PRIVATE or ONE/PUBLIC content, not the client directly!

How does the CSS do to distinguish if customer want to access to PRIVATE or PUBLIC content?

For example a customer access to https://172.19.2.5/PRIVATE from an IP add 200.200.200.200. What clause match in the ACL?

Thanks