08-01-2013 06:26 AM
Working in a new environment and need to confirm that traffic is restricted to only ssh and https.
interface gigabitEthernet 1/1
  description REAL SERVERS SDE
  speed 1000M
  duplex FULL
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  speed 1000M
  duplex FULL
  switchport access vlan 500
  no shutdown
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any
probe icmp PING
  ip address 162.16.103.200 routed
probe icmp PING1
  ip address 162.16.103.201 routed
parameter-map type http cisco_avs_parametermap
  persistence-rebalance
  length-exceed continue
rserver host Arges
  ip address 162.16.103.200
  conn-limit max 4000000 min 4000000
  probe PING
  inservice
rserver host Brontes
  ip address 162.16.103.201
  conn-limit max 4000000 min 4000000
  probe PING1
  inservice
action-list type optimization http WEB-ACTION-LIST
  flashforward
action-list type optimization http cisco_avs_container_latency
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward
action-list type optimization http cisco_avs_obj_latency
  flashforward
serverfarm host VIRTUAL-SERVER-FARM
  rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING1
    probe PING
    inservice
  rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING
    probe PING1
    inservice
class-map match-any VIRTUAL-SERVER-11
  2 match virtual-address 10.10.10.11 tcp any
class-map match-any VIRTUAL-SERVER-20
  2 match virtual-address 10.10.10.20 tcp eq www
class-map match-any VIRTUAL-SERVER-21
  2 match any
class-map type http loadbalance match-all cisco_avs_container_latency
  2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
  6 match http url .*aspx
  7 match http url .*aspd
  8 match http url .*axd
  9 match http url .*axs
  10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*aspx
  16 match http url .*aspd
  17 match http url .*axd
  18 match http url .*axs
  19 match http url .*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match VIRTUAL-SERVER-11-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type loadbalance first-match VIRTUAL-SERVER-20-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_container_latency
    action cisco_avs_container_latency
policy-map multi-match int500
  class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
  class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active
interface vlan 200
  description "REAL SERVERS"
  ip address 162.16.103.1 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 500
  description ACE CLIENT VLANE_Client VLAN
  ip address 10.10.10.5 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int500
  no shutdown
interface vlan 820
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
snmp-server contact "CHARLES"
snmp-server location "DEP 2"
snmp-server community LM-DEP2 group Network-Monitor
snmp-server trap-source vlan 820
08-09-2013 05:37 AM
Can you clarify what you mean by "traffic restricted to ssh & https"? I.e. do you mean only ssh & https mgmt traffic to the ACE, only https and ssh towards the VIP, or only ssh & https through the box (not load balanced)?
Matthew
08-09-2013 05:43 AM
Hello, greatly appreciate your help.
The configuration is to allow only ssh and https through the 4710; the config has been modified:
logging enable
logging timestamp
logging trap 5
logging buffered 6
logging persistent 5
logging monitor 5
logging queue 5000
hostname x86ACE03
interface gigabitEthernet 1/1
  switchport access vlan 700
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 701,704
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www
probe icmp SERVICE_ICMP_PROBE
  interval 10
  passdetect interval 5
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
  set timeout inactivity 6400
parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
  set timeout inactivity 6400
rserver host vsuiteFrontEnd-A
  ip address 10.22.7.2
  probe SERVICE_ICMP_PROBE
  inservice
rserver host vsuiteFrontEnd-CoreA
  ip address 10.22.7.34
  probe SERVICE_ICMP_PROBE
  inservice
serverfarm host rule-vsuiteFrontEnd-A
  rserver vsuiteFrontEnd-A
    conn-limit max 4000000 min 1
    inservice
serverfarm host rule-vsuiteFrontEnd-CoreA
  rserver vsuiteFrontEnd-CoreA
    conn-limit max 4000000 min 1
    inservice
class-map type management match-any REMOTE_ACCESS_CLASS
  description Enable remote management
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
class-map match-any SERVERSOURCED
  2 match access-list ACL_40
class-map match-any SERVERSOURCED-CoreA
  2 match access-list ACL_50
class-map match-all rule-vsuiteFrontEnd-A_CLASS
  2 match virtual-address 10.22.6.117 tcp eq https
class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
  2 match virtual-address 10.22.6.119 tcp eq https
policy-map type management first-match REMOTE_ACCESS_POLICY
  class REMOTE_ACCESS_CLASS
    permit
policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-CoreA
policy-map multi-match POLICY
  class rule-vsuiteFrontEnd-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
policy-map multi-match POLICY-CoreA
  class rule-vsuiteFrontEnd-CoreA_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
policy-map multi-match SERVERSOURCED
  class SERVERSOURCED
    nat dynamic 1 vlan 700
policy-map multi-match SERVERSOURCED-CoreA
  class SERVERSOURCED-CoreA
    nat dynamic 2 vlan 700
service-policy input POLICY
service-policy input POLICY-CoreA
interface vlan 700
  ip address 10.22.6.116 255.255.255.224
  no icmp-guard
  access-group input ACL_10
  nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
  nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
  service-policy input REMOTE_ACCESS_POLICY
  no shutdown
interface vlan 701
  ip address 10.22.7.2 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED
  no shutdown
interface vlan 704
  ip address 10.22.7.34 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED-CoreA
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.22.6.1
08-09-2013 03:13 PM
Hello Charles,
It is not clear what you want to accomplish here.
Do you need to restrict access to the ACE to only SSH and HTTPS?
Do you need to restrict routed traffic thru the ACE to permit only SSH and HTTPS?
Are you going to load balance SSH and HTTPS servers?
---------------------
Cesar R
ANS Team
08-12-2013 03:27 AM
Charles, I would do this with the interface access-list. You will need to explicitly permit the traffic to be load balanced, mgmt traffic and all https/ssh, and deny everything else.
Matthew
08-12-2013 05:03 AM
Hi Matthew
I'm not very familiar with the commands and syntax used with this device; I'd like someone to guide me with the particular commands needed to make this occur.
Greatly appreciated.
08-15-2013 02:45 AM
Charles
You need to sit down and determine what traffic you want to permit into the device. There is an implicit "deny ip any any" at the end of each ACL. The access-lists below permit:
- anyone external to reach the vips for https
- anyone local (ie: vlans 701 & 702) to reach the vips for https
- anyone local to initiate ssh/https to anyone remote
access-list ACL_701 line 8 extended permit tcp 10.22.7.0 255.255.255.224 any eq ssh
access-list ACL_701 line 16 extended permit tcp 10.22.7.0 255.255.255.224 any eq https
access-list ACL_702 line 8 extended permit tcp 10.22.7.32 255.255.255.224 any eq ssh
access-list ACL_702 line 16 extended permit tcp 10.22.7.32 255.255.255.224 any eq https
access-list ACL_700 line 8 extended permit tcp any host 10.22.7.2 eq https
access-list ACL_700 line 16 extended permit tcp any host 10.22.7.34 eq https
Not sure if the following lines are required to permit the return traffic for local-to-remote ssh/https. I don't have lab access to test.
access-list ACL_700 line 24 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224
access-list ACL_700 line 32 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224
access-list ACL_700 line 40 extended permit tcp any eq https 10.22.7.32 255.255.255.224
access-list ACL_700 line 48 extended permit tcp any eq https 10.22.7.32 255.255.255.224
Apply ACL_700 to vlan 700, etc.
When you implement the changes, make sure that you have independent access to the console in case you block yourself.
Matthew
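Before applying interface ACLs like the ones proposed above, it helps to be able to answer "what does this ACL actually permit?" offline, including the implicit deny Matthew mentions, and to see the contrast with the original config's wide-open entries (ACL ALL and ACL_20, both `permit ip any any`). The following is an added example written for this thread, not code from the thread's posters or from Cisco: a small Python first-match simulator for ACE-style `access-list ... extended` entries. The sample entries are constructed from lines quoted in the thread (with the `access-lisy` typos corrected); the remote address 198.51.100.7 and the test flows are made-up inputs, and the port-name table covers only the names used here.

```python
"""Offline first-match simulator for Cisco ACE style extended ACL entries.
Added example for this thread (not ACE or Cisco code). Sample entries below are
constructed from lines quoted in the thread; 198.51.100.7 is a made-up remote host."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Only the service names that appear in the thread; extend as needed (assumption).
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}

# access-list NAME line N extended permit|deny PROTO SRC [eq PORT] DST [eq PORT]
LINE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$"
)


@dataclass(frozen=True)
class Entry:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ACE uses a normal subnet mask)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((toks[i], toks[i + 1]), strict=False), i + 2


def _opt_port(toks, i):
    """Consume an optional 'eq PORT' after a source or destination."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_entry(text: str) -> Entry:
    m = LINE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ACE extended ACL entry: {text!r}")
    name, line, action, proto, rest = m.groups()
    toks = rest.split()
    src, i = _addr(toks, 0)
    sport, i = _opt_port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _opt_port(toks, i)
    if i != len(toks):
        raise ValueError(f"unparsed tokens {toks[i:]} in {text!r}")
    return Entry(name, int(line), action, proto, src, sport, dst, dport)


def parse_acls(config: str) -> dict:
    """Collect every access-list entry in a config, grouped by ACL name, ordered by line."""
    acls = {}
    for raw in config.splitlines():
        if raw.strip().startswith("access-list "):
            e = parse_entry(raw)
            acls.setdefault(e.acl, []).append(e)
    for entries in acls.values():
        entries.sort(key=lambda e: e.line)
    return acls


def evaluate(entries, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != src_port:
            continue
        if e.dport is not None and e.dport != dst_port:
            continue
        return e.action, f"{e.acl} line {e.line}"
    return "deny", "implicit deny ip any any"


# Constructed sample: the wide-open ACL_20 and the FILTER ACL from the posted config,
# plus the ACL_700/ACL_701 entries proposed in the thread.
SAMPLE_CONFIG = """
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www
access-list ACL_701 line 8 extended permit tcp 10.22.7.0 255.255.255.224 any eq ssh
access-list ACL_701 line 16 extended permit tcp 10.22.7.0 255.255.255.224 any eq https
access-list ACL_700 line 8 extended permit tcp any host 10.22.7.2 eq https
access-list ACL_700 line 16 extended permit tcp any host 10.22.7.34 eq https
access-list ACL_700 line 24 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224
access-list ACL_700 line 40 extended permit tcp any eq https 10.22.7.32 255.255.255.224
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    # (acl, proto, src, sport, dst, dport): made-up flows to probe each ACL
    for flow in [("ACL_20", "tcp", "198.51.100.7", 40000, "10.22.7.2", 23),
                 ("FILTER", "tcp", "198.51.100.7", 40000, "10.22.7.2", 23),
                 ("ACL_700", "tcp", "198.51.100.7", 40000, "10.22.7.2", 443),
                 ("ACL_700", "tcp", "198.51.100.7", 40000, "10.22.7.2", 22),
                 ("ACL_701", "tcp", "10.22.7.40", 50000, "198.51.100.7", 22)]:
        print(flow, "->", evaluate(acls[flow[0]], *flow[1:]))
```

The simulator only models the ACL text: each packet is judged on its own, so it does not tell you whether the platform's connection table would already admit the return half of a permitted TCP session, which is exactly the question left open above. Use it to confirm that the entries you are about to apply permit the VIP, management and outbound ssh/https flows you intend and nothing else, then verify the return-traffic behaviour on the box itself, with console access in hand as Matthew advises.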
08-15-2013 05:43 AM
Thank you Matthew, I'll give this a go and let you know. Really appreciate the help.