CharlesM1
Beginner

ACE 4710 Restrict traffic to HTTPS and SSH only

Working in a new environment and need to confirm traffic is restricted to only SSH and HTTPS.


interface gigabitEthernet 1/1
  description REAL SERVERS SDE
  speed 1000M
  duplex FULL
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  speed 1000M
  duplex FULL
  switchport access vlan 500
  no shutdown

access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any

probe icmp PING
  ip address 162.16.103.200 routed
probe icmp PING1
  ip address 162.16.103.201 routed

parameter-map type http cisco_avs_parametermap
  persistence-rebalance
  length-exceed continue

rserver host Arges
  ip address 162.16.103.200
  conn-limit max 4000000 min 4000000
  probe PING
  inservice
rserver host Brontes
  ip address 162.16.103.201
  conn-limit max 4000000 min 4000000
  probe PING1
  inservice

action-list type optimization http WEB-ACTION-LIST
  flashforward
action-list type optimization http cisco_avs_container_latency
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward
action-list type optimization http cisco_avs_obj_latency
  flashforward

serverfarm host VIRTUAL-SERVER-FARM
  rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING1
    probe PING
    inservice
  rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING
    probe PING1
    inservice

class-map match-any VIRTUAL-SERVER-11
  2 match virtual-address 10.10.10.11 tcp any
class-map match-any VIRTUAL-SERVER-20
  2 match virtual-address 10.10.10.20 tcp eq www
class-map match-any VIRTUAL-SERVER-21
  2 match any
class-map type http loadbalance match-all cisco_avs_container_latency
  2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
  6 match http url .*aspx
  7 match http url .*aspd
  8 match http url .*axd
  9 match http url .*axs
  10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*aspx
  16 match http url .*aspd
  17 match http url .*axd
  18 match http url .*axs
  19 match http url .*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol  any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match VIRTUAL-SERVER-11-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type loadbalance first-match VIRTUAL-SERVER-20-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM

policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_container_latency
    action cisco_avs_container_latency

policy-map multi-match int500
  class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
  class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
  description "REAL SERVERS"
  ip address 162.16.103.1 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 500
  description ACE CLIENT VLANE_Client VLAN
  ip address 10.10.10.5 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int500
  no shutdown
interface vlan 820
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

snmp-server contact "CHARLES"
snmp-server location "DEP 2"
snmp-server community LM-DEP2 group Network-Monitor

snmp-server trap-source vlan 820

7 Replies
mwinnett
Participant

Can you clarify what you mean by "traffic restricted to ssh & https"? I.e., do you mean only ssh & https mgmt traffic to the ACE, only https and ssh towards the VIP, or only ssh & https through the box (not load balanced)?

Matthew

Hello, greatly appreciate your help.

The configuration is to allow only ssh and https through the 4710, and the config has been modified:

logging enable
logging timestamp
logging trap 5
logging buffered 6
logging persistent 5
logging monitor 5
logging queue 5000


hostname x86ACE03
interface gigabitEthernet 1/1
  switchport access vlan 700
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 701,704
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www

probe icmp SERVICE_ICMP_PROBE
  interval 10
  passdetect interval 5

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
  set timeout inactivity 6400
parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
  set timeout inactivity 6400



rserver host vsuiteFrontEnd-A
  ip address 10.22.7.2
  probe SERVICE_ICMP_PROBE
  inservice
rserver host vsuiteFrontEnd-CoreA
  ip address 10.22.7.34
  probe SERVICE_ICMP_PROBE
  inservice


serverfarm host rule-vsuiteFrontEnd-A
  rserver vsuiteFrontEnd-A
    conn-limit max 4000000 min 1
    inservice
serverfarm host rule-vsuiteFrontEnd-CoreA
  rserver vsuiteFrontEnd-CoreA
    conn-limit max 4000000 min 1
    inservice

class-map type management match-any REMOTE_ACCESS_CLASS
  description Enable remote management
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
class-map match-any SERVERSOURCED
  2 match access-list ACL_40
class-map match-any SERVERSOURCED-CoreA
  2 match access-list ACL_50
class-map match-all rule-vsuiteFrontEnd-A_CLASS
  2 match virtual-address 10.22.6.117 tcp eq https
class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
  2 match virtual-address 10.22.6.119 tcp eq https

policy-map type management first-match REMOTE_ACCESS_POLICY
  class REMOTE_ACCESS_CLASS
    permit

policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-CoreA

policy-map multi-match POLICY
  class rule-vsuiteFrontEnd-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
policy-map multi-match POLICY-CoreA
  class rule-vsuiteFrontEnd-CoreA_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
policy-map multi-match SERVERSOURCED
  class SERVERSOURCED
    nat dynamic 1 vlan 700
policy-map multi-match SERVERSOURCED-CoreA
  class SERVERSOURCED-CoreA
    nat dynamic 2 vlan 700

service-policy input POLICY
service-policy input POLICY-CoreA

interface vlan 700
  ip address 10.22.6.116 255.255.255.224
  no icmp-guard
  access-group input ACL_10
  nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
  nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
  service-policy input REMOTE_ACCESS_POLICY
  no shutdown
interface vlan 701
  ip address 10.22.7.2 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED
  no shutdown
interface vlan 704
  ip address 10.22.7.34 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED-CoreA
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.22.6.1

Hello Charles,

It is not clear what you want to accomplish here.

Do you need to restrict access to the ACE to only SSH and HTTPS?

Do you need to restrict routed traffic thru the ACE to permit only SSH and HTTPS?

Are you going to loadbalance SSH and HTTPS servers?

---------------------
Cesar R
ANS Team


Charles, I would do this with the interface access-list. You will need to explicitly permit the traffic to be load balanced, mgmt traffic and all https/ssh, and deny everything else.

Matthew

Hi Matthew
I'm not very familiar with the commands and syntax used with this device; I'd like someone to guide me with the particular commands needed to make this occur.

Greatly appreciated.

Charles

You need to sit down and determine what traffic you want to permit into the device. There is an implicit "deny ip any any" at the end of each ACL. The access-lists below permit:

- anyone external to reach the vips for https

- anyone local (i.e. vlans 701 & 702) to reach the vips for https

- anyone local to initiate ssh/https to anyone remote

access-list ACL_701 line 8 extended permit tcp 10.22.7.0 255.255.255.224 any eq ssh
access-list ACL_701 line 16 extended permit tcp 10.22.7.0 255.255.255.224 any eq https

access-list ACL_702 line 8 extended permit tcp 10.22.7.32 255.255.255.224 any eq ssh
access-list ACL_702 line 16 extended permit tcp 10.22.7.32 255.255.255.224 any eq https

access-list ACL_700 line 8 extended permit tcp any host 10.22.7.2 eq https
access-list ACL_700 line 16 extended permit tcp any host 10.22.7.34 eq https

Not sure if the following lines are required to permit the return traffic for local to remote ssh/https. Don't have lab access to test.

access-list ACL_700 line 24 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224

access-list ACL_700 line 32 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224

access-list ACL_700 line 40 extended permit tcp any eq https 10.22.7.32 255.255.255.224

access-list ACL_700 line 48 extended permit tcp any eq https 10.22.7.32 255.255.255.224

Apply ACL_700 to vlan 700, etc.

When you implement the changes, make sure that you have independent access to the console in case you block yourself.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/acl.html

Matthew
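To check what an ACL like the ones proposed above actually lets through before committing it to the box, a small offline evaluator helps. The following is an added example for this thread, not Cisco code and not part of the original reply: it parses the subset of ACE `access-list ... extended` syntax used in the thread (`ip`/`tcp`/`icmp`, `any` / `host A` / `A MASK`, optional `eq PORT` on source or destination), orders entries by their `line` number, and applies first-match semantics with the implicit `deny ip any any` at the end of each ACL. The ACL lines are the ACL_700/701/702 entries from the reply (with the `access-lisy` typo corrected); the flows it evaluates, and the addresses 203.0.113.10 and 198.51.100.7, are constructed for the example.

```python
"""Evaluate Cisco ACE-style extended ACL lines against sample flows.

Added example for this thread; it is not Cisco code. It models only the
subset of ACE extended ACL syntax that appears in the replies above and the
implicit 'deny ip any any' at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names used in ACE configs in this thread.
PORT_NAMES = {"ssh": 22, "https": 443, "www": 80, "http": 80}

# ACL lines proposed in the reply above (constructed sample input for the parser).
SAMPLE_CONFIG = """
access-list ACL_701 line 8 extended permit tcp 10.22.7.0 255.255.255.224 any eq ssh
access-list ACL_701 line 16 extended permit tcp 10.22.7.0 255.255.255.224 any eq https
access-list ACL_702 line 8 extended permit tcp 10.22.7.32 255.255.255.224 any eq ssh
access-list ACL_702 line 16 extended permit tcp 10.22.7.32 255.255.255.224 any eq https
access-list ACL_700 line 16 extended permit tcp any host 10.22.7.34 eq https
access-list ACL_700 line 8 extended permit tcp any host 10.22.7.2 eq https
"""


@dataclass
class AclEntry:
    line: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]           # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port
    text: str                      # original line, for reporting


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Group extended ACL lines by ACL name, sorted by their 'line' number."""
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 9 or tokens[0] != "access-list" or tokens[4] != "extended":
            continue  # not an extended ACL line (or not in the subset modelled here)
        name, line_no, action, proto = tokens[1], int(tokens[3]), tokens[5], tokens[6]
        src, i = _take_addr(tokens, 7)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        acls.setdefault(name, []).append(
            AclEntry(line_no, action, proto, src, sport, dst, dport, raw.strip()))
    for entries in acls.values():
        entries.sort(key=lambda e: e.line)   # ACE evaluates entries in line order
    return acls


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation of a connection-initiating packet; returns (action, matched line)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue                          # 'ip' matches any protocol
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny ip any any"   # nothing matched: ACE's implicit deny


ACLS = parse_acls(SAMPLE_CONFIG)


def audit_flows() -> Dict[str, Tuple[str, str]]:
    """Constructed flows a practitioner would want confirmed before applying the ACLs."""
    return {
        "external to 10.22.7.2 https": evaluate(ACLS["ACL_700"], "tcp", "203.0.113.10", "10.22.7.2", 51000, 443),
        "external to 10.22.7.2 ssh": evaluate(ACLS["ACL_700"], "tcp", "203.0.113.10", "10.22.7.2", 51000, 22),
        "local 10.22.7.5 to remote ssh": evaluate(ACLS["ACL_701"], "tcp", "10.22.7.5", "198.51.100.7", 40000, 22),
        "local 10.22.7.5 to remote http": evaluate(ACLS["ACL_701"], "tcp", "10.22.7.5", "198.51.100.7", 40000, 80),
        "local 10.22.7.40 to remote https": evaluate(ACLS["ACL_702"], "tcp", "10.22.7.40", "198.51.100.7", 40000, 443),
        "local 10.22.7.5 icmp to remote": evaluate(ACLS["ACL_701"], "icmp", "10.22.7.5", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flow, (action, rule) in audit_flows().items():
        print(f"{flow:36s} -> {action:6s} ({rule})")
```

Running it prints one verdict per flow; anything not explicitly permitted (plain HTTP, SSH to the VIP, ICMP) falls to the implicit deny, which is the behaviour the reply above warns about when it recommends keeping console access while applying the change. The evaluator looks at connection-initiating packets only; it does not model how the ACE handles return traffic, which the reply leaves open.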

Thank you Matthew, I'll give this a go and let you know; really appreciate the help.