ACE 4710 Resttrict traffic to HTTPS and SSH only

CharlesM1 · ‎08-01-2013

Working in new enviornment and need to confirm traffic restricted to only ssh and https

interface gigabitEthernet 1/1
description REAL SERVERS SDE
speed 1000M
duplex FULL
switchport access vlan 200
no shutdown
interface gigabitEthernet 1/2
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
speed 1000M
duplex FULL
switchport access vlan 500
no shutdown

access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any

probe icmp PING
ip address 162.16.103.200 routed
probe icmp PING1
ip address 162.16.103.201 routed

parameter-map type http cisco_avs_parametermap
persistence-rebalance
length-exceed continue

rserver host Arges
ip address 162.16.103.200
conn-limit max 4000000 min 4000000
probe PING
inservice
rserver host Brontes
ip address 162.16.103.201
conn-limit max 4000000 min 4000000
probe PING1
inservice

action-list type optimization http WEB-ACTION-LIST
flashforward
action-list type optimization http cisco_avs_container_latency
flashforward
action-list type optimization http cisco_avs_img_latency
flashforward
action-list type optimization http cisco_avs_obj_latency
flashforward

serverfarm host VIRTUAL-SERVER-FARM
rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING1
    probe PING
    inservice
rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING
    probe PING1
    inservice

class-map match-any VIRTUAL-SERVER-11
2 match virtual-address 10.10.10.11 tcp any
class-map match-any VIRTUAL-SERVER-20
2 match virtual-address 10.10.10.20 tcp eq www
class-map match-any VIRTUAL-SERVER-21
2 match any
class-map type http loadbalance match-all cisco_avs_container_latency
2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
2 match http url .*jpg
3 match http url .*jpeg
4 match http url .*jpe
5 match http url .*png
6 match http url .*aspx
7 match http url .*aspd
8 match http url .*axd
9 match http url .*axs
10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*aspx
16 match http url .*aspd
17 match http url .*axd
18 match http url .*axs
19 match http url .*
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit

policy-map type loadbalance first-match VIRTUAL-SERVER-11-l7slb
class class-default
serverfarm VIRTUAL-SERVER-FARM
policy-map type loadbalance first-match VIRTUAL-SERVER-20-l7slb
class class-default
serverfarm VIRTUAL-SERVER-FARM

policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
class cisco_avs_obj_latency
    action cisco_avs_obj_latency
class cisco_avs_img_latency
    action cisco_avs_img_latency
class cisco_avs_container_latency
    action cisco_avs_container_latency

policy-map multi-match int500
class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
description "REAL SERVERS"
ip address 162.16.103.1 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 500
description ACE CLIENT VLANE_Client VLAN
ip address 10.10.10.5 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int500
no shutdown
interface vlan 820
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

snmp-server contact "CHARLES"
snmp-server location "DEP 2"
snmp-server community LM-DEP2 group Network-Monitor

snmp-server trap-source vlan 820

mwinnett · ‎08-09-2013

Can you clarify what you mean by "traffic restricted to ssh & https" ? Ie: do you mean only ssh & https mgmt traffic to the ace, only https and ssh towards the vip or only ssh & https through the box (not load balanced) ? Matthew

CharlesM1 · ‎08-09-2013

Hello Greatly appreciate your help.

The configuration is to allow only ssh and https through the 4710, and the config has been modified:

logging enable
logging timestamp
logging trap 5
logging buffered 6
logging persistent 5
logging monitor 5
logging queue 5000

hostname x86ACE03
interface gigabitEthernet 1/1
switchport access vlan 700
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 701,704
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown

access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www

probe icmp SERVICE_ICMP_PROBE
interval 10
passdetect interval 5

parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
set timeout inactivity 6400
parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
set timeout inactivity 6400

rserver host vsuiteFrontEnd-A
ip address 10.22.7.2
probe SERVICE_ICMP_PROBE
inservice
rserver host vsuiteFrontEnd-CoreA
ip address 10.22.7.34
probe SERVICE_ICMP_PROBE
inservice

serverfarm host rule-vsuiteFrontEnd-A
rserver vsuiteFrontEnd-A
    conn-limit max 4000000 min 1
    inservice
serverfarm host rule-vsuiteFrontEnd-CoreA
rserver vsuiteFrontEnd-CoreA
    conn-limit max 4000000 min 1
    inservice

class-map type management match-any REMOTE_ACCESS_CLASS
description Enable remote management
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
class-map match-any SERVERSOURCED
2 match access-list ACL_40
class-map match-any SERVERSOURCED-CoreA
2 match access-list ACL_50
class-map match-all rule-vsuiteFrontEnd-A_CLASS
2 match virtual-address 10.22.6.117 tcp eq https
class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
2 match virtual-address 10.22.6.119 tcp eq https

policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS_CLASS
permit

policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
class class-default
serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
class class-default
serverfarm rule-vsuiteFrontEnd-CoreA

policy-map multi-match POLICY
class rule-vsuiteFrontEnd-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
policy-map multi-match POLICY-CoreA
class rule-vsuiteFrontEnd-CoreA_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
policy-map multi-match SERVERSOURCED
class SERVERSOURCED
    nat dynamic 1 vlan 700
policy-map multi-match SERVERSOURCED-CoreA
class SERVERSOURCED-CoreA
    nat dynamic 2 vlan 700

service-policy input POLICY
service-policy input POLICY-CoreA

interface vlan 700
ip address 10.22.6.116 255.255.255.224
no icmp-guard
access-group input ACL_10
nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
service-policy input REMOTE_ACCESS_POLICY
no shutdown
interface vlan 701
ip address 10.22.7.2 255.255.255.224
no icmp-guard
access-group input ACL_20
service-policy input SERVERSOURCED
no shutdown
interface vlan 704
ip address 10.22.7.34 255.255.255.224
no icmp-guard
access-group input ACL_20
service-policy input SERVERSOURCED-CoreA
no shutdown

ip route 0.0.0.0 0.0.0.0 10.22.6.1

Cesar Roque · ‎08-09-2013

Hello Charles,

is not clear what you want to accomplish here.

Do you need to restrict access to the ACE to only SSH and HTTPS?

Do you need to restrict routed traffic thru the ACE to permit only SSH and HTTPS?

Are you going to loadbalance SSH and HTTPS servers?

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

mwinnett · ‎08-12-2013

Charles, I would do this with the interface access-list. You will need to explicitly permit the traffic to be load balanced, mgmt traffic and all https/ssh and deny everything else. Matthew

CharlesM1 · ‎08-12-2013

Hi Matthew
I'm not very familar with the commands and syntax used with this device, I'd like someone to guide me with the particular commands needed to make this occur.

Greatly appreciated.

mwinnett · ‎08-15-2013

Charles

You need to sit down and determine what traffic you want to permit into the device. There is an implicit "deny ip any any" at the end of each acl. The access-lists below permit

- anyone external to reach the vips for https

- anyone local (ie: vlans 701 & 702) to reach the vips for https

- anyone local to initiate ssh/https to anyone remote

access-list ACL_701 line 8 extended permit tcp 10.22.7.0 255.255.255.224 any eq ssh
access-list ACL_701 line 16 extended permit tcp 10.22.7.0 255.255.255.224 any eq https

access-list ACL_702 line 8 extended permit tcp 10.22.7.32 255.255.255.224 any eq ssh
access-list ACL_702 line 16 extended permit tcp 10.22.7.32 255.255.255.224 any eq https

access-list ACL_700 line 8 extended permit tcp any host 10.22.7.2 eq https
access-list ACL_700 line 16 extended permit tcp any host 10.22.7.34 eq https

Not sure if the following lines are required to permit the return traffic for local to remote ssh/https. Don't have lab access to test.

access-lisy ACL_700 line 24 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224

access-lisy ACL_700 line 32 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224

access-lisy ACL_700 line 40 extended permit tcp any eq https 10.22.7.32 255.255.255.224

access-lisy ACL_700 line 48 extended permit tcp any eq https 10.22.7.32 255.255.255.224

Apply ACL_700 to vlan 700 in etc.

When you implement the changes, make sure that you have independent access to the console in case you block yourself.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/acl.html

Matthew

CharlesM1 · ‎08-15-2013

Thank you Matthew,I'll give this a go, and let you know, really appreciate the help..