CharlesM1
Beginner

ACE 4710 Restrict traffic to HTTPS and SSH only

Working in a new environment and need to confirm that traffic is restricted to only ssh and https.


interface gigabitEthernet 1/1
  description REAL SERVERS SDE
  speed 1000M
  duplex FULL
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  speed 1000M
  duplex FULL
  switchport access vlan 500
  no shutdown

access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any

probe icmp PING
  ip address 162.16.103.200 routed
probe icmp PING1
  ip address 162.16.103.201 routed

parameter-map type http cisco_avs_parametermap
  persistence-rebalance
  length-exceed continue

rserver host Arges
  ip address 162.16.103.200
  conn-limit max 4000000 min 4000000
  probe PING
  inservice
rserver host Brontes
  ip address 162.16.103.201
  conn-limit max 4000000 min 4000000
  probe PING1
  inservice

action-list type optimization http WEB-ACTION-LIST
  flashforward
action-list type optimization http cisco_avs_container_latency
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward
action-list type optimization http cisco_avs_obj_latency
  flashforward

serverfarm host VIRTUAL-SERVER-FARM
  rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING1
    probe PING
    inservice
  rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING
    probe PING1
    inservice

class-map match-any VIRTUAL-SERVER-11
  2 match virtual-address 10.10.10.11 tcp any
class-map match-any VIRTUAL-SERVER-20
  2 match virtual-address 10.10.10.20 tcp eq www
class-map match-any VIRTUAL-SERVER-21
  2 match any
class-map type http loadbalance match-all cisco_avs_container_latency
  2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
  6 match http url .*aspx
  7 match http url .*aspd
  8 match http url .*axd
  9 match http url .*axs
  10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*aspx
  16 match http url .*aspd
  17 match http url .*axd
  18 match http url .*axs
  19 match http url .*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol  any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match VIRTUAL-SERVER-11-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type loadbalance first-match VIRTUAL-SERVER-20-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM

policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_container_latency
    action cisco_avs_container_latency

policy-map multi-match int500
  class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
  class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
  description "REAL SERVERS"
  ip address 162.16.103.1 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 500
  description ACE CLIENT VLANE_Client VLAN
  ip address 10.10.10.5 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int500
  no shutdown
interface vlan 820
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

snmp-server contact "CHARLES"
snmp-server location "DEP 2"
snmp-server community LM-DEP2 group Network-Monitor

snmp-server trap-source vlan 820
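Added here as an audit check, not code from the post or from Cisco: this script parses the management class-map and the ALL access-list exactly as pasted above (sample embedded, constructed from those lines) and lists every entry that admits something other than SSH or HTTPS. The `eq <port>` form the ACL check accepts is standard ACE extended-ACL syntax but does not appear in the post; the regexes are hand-written for the line formats shown, so other ACE constructs are ignored.

```python
import re
ALLOWED_MGMT, ALLOWED_PORTS = {"ssh", "https"}, {"22", "443", "ssh", "https"}

# Constructed sample: the access-list and management class-map lines from the post.
SAMPLE_CONFIG = """\
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
"""
MGMT_HDR = re.compile(r"^class-map type management \S+ (\S+)")
MGMT_ENTRY = re.compile(r"^\s*\d+\s+match protocol\s+(\S+)\s+")
ACL_PERMIT = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+permit\s+(\S+)\s+(.*)$")

def mgmt_protocols(config):
    """Map each 'class-map type management' name to the protocols it matches."""
    found, current = {}, None
    for line in config.splitlines():
        hdr = MGMT_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            found[current] = set()
        elif line and not line[0].isspace():
            current = None          # any other top-level command ends the block
        elif current and MGMT_ENTRY.match(line):
            found[current].add(MGMT_ENTRY.match(line).group(1))
    return found

def audit(config):
    """List every entry that admits more than SSH/HTTPS; an empty list means clean."""
    findings = []
    for name, protos in mgmt_protocols(config).items():
        for proto in sorted(protos - ALLOWED_MGMT):
            findings.append(f"class-map {name} permits management protocol {proto}")
    # ip/udp/icmp can never be SSH or HTTPS; tcp passes only with an allowed 'eq' port
    for am in filter(None, map(ACL_PERMIT.match, config.splitlines())):
        acl, num, proto, rest = am.groups()
        port = re.search(r"\beq\s+(\S+)", rest)
        if proto != "tcp" or port is None or port.group(1) not in ALLOWED_PORTS:
            findings.append(f"access-list {acl} line {num} permits {proto} {rest}")
    return findings
```

Run against the sample, `audit(SAMPLE_CONFIG)` reports five extra management protocols (http, icmp, snmp, telnet, xml-https) and all four ALL entries, since none of them is narrowed to port 22 or 443.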

mwinnett
Participant

Can you clarify what you mean by "traffic restricted to ssh & https"? I.e., do you mean only ssh & https management traffic to the ACE, only https and ssh towards the VIP, or only ssh & https through the box (not load balanced)?

Matthew