02-17-2012 02:54 AM
I am facing a problem with ACE configuration. I want to redirect 443 traffic to my proxy server.
But I am not able to do this. I want to redirect only subnet 192.168.80.0/24.
I have the following configuration:
access-list BC line 8 extended permit tcp host 192.168.80.89 any eq https
access-list BC line 16 extended permit tcp host 192.168.80.62 any eq https
probe tcp PROBE_TCP_443
port 443
interval 15
passdetect interval 60
open 1
serverfarm host SF_BCPR_https
transparent
probe PROBE_TCP_443
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
replicate sticky
serverfarm SF_BCPR_https
class-map match-all CM_SF_BCPR_HTTPS
2 match access-list BC
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
class class-default
sticky-serverfarm STICKY-SOURCE-HTTPS
==================================================================================
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR_HTTPS
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY_https
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
==================================================================================
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
no normalization
mac-address autogenerate
no icmp-guard
access-group input acl-in
access-list BC line 8 extended permit tcp host 192.168.80.89 any eq https
access-list BC line 16 extended permit tcp host 192.168.80.62 any eq https
service-policy input PM_MAIN_BCPROXY
no shutdown
I am getting an error:
DC-ACE01/Rack1(config-cmap)# 10 match access-list BC
Error: Class-map is being used for virtual server definition
=======================================================================
Only if I put
class-map match-all CM_SF_BCPR_HTTPS
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
then does it work, but I don't need this policy to be applied to all the users; I want only one subnet under the HTTPS policy.
Please let me know how I can apply the policy only on a specific subnet, so that its port 443 traffic is redirected and the rest of the subnets can go directly to the Internet.
Waiting for a reply.
Thanks in advance.
02-17-2012 03:35 AM
Hi
You can try to do it like this:
Leave your class map with 0.0.0.0 0.0.0.0 tcp eq https (it will match all destination IPs), then in the layer 7 policy map:
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match NAME source-address 192.168.80.0 255.255.255.0
sticky-serverfarm STICKY-SOURCE-HTTPS
It will match only connections from 192.168.80.0/24.
However, be aware that if you put this class map with 0.0.0.0 0.0.0.0 eq https, it will catch all traffic from any source to any destination on port 443, so you should be careful not to overlap with other classes in your configuration.
02-17-2012 07:46 AM
Hi,
Thanks for the reply, but it is still not working for me. It is still redirecting all the HTTPS traffic.
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match IT source-address 192.168.80.64 255.255.255.0
match GIT source-address 192.168.80.62 255.255.255.0
class class-default
sticky-serverfarm STICKY-SOURCE-HTTPS
class-map match-all CM_SF_BCPR_HTTPS
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
Can you please let me know how I can redirect only specific subnets?
02-17-2012 07:52 AM
Hi, if this is your current configuration in the last message, it's wrong; it should be:
class-map match-all CM_SF_BCPR_HTTPS
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match IT source-address 192.168.80.0 255.255.255.0 <----- If you want to redirect 192.168.80.0/24
sticky-serverfarm STICKY-SOURCE-HTTPS
And then in Layer 4 (multi-match policy):
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR_HTTPS
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY_https
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
However, you need to be aware that with such a configuration all other traffic to port 443 will be dropped.
One of the options is to add a forward action to the class default in the Layer 7 map, like this:
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match IT source-address 192.168.80.0 255.255.255.0 <----- If you want to redirect 192.168.80.0/24
sticky-serverfarm STICKY-SOURCE-HTTPS
class class-default <--- additional configuration
forward
In this case traffic to port 443 from sources other than 192.168.80.0/24 won't be dropped but will just be forwarded to its destination.
02-17-2012 08:11 AM
Hi,
Below is the full configuration that I am doing, but I am unable to redirect specific subnets.
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
replicate sticky
serverfarm SF_BCPR_https
class-map match-all CM_SF_BCPR_HTTPS
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match IT source-address 192.168.80.64 255.255.255.0
match GIT source-address 192.168.80.62 255.255.255.0
class class-default
sticky-serverfarm STICKY-SOURCE-HTTPS
interface vlan 300
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR_HTTPS
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY_https
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_SF_BCPR_HTTPS
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY_https
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
02-17-2012 08:14 AM
Yes, as I wrote above, this one:
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match IT source-address 192.168.80.64 255.255.255.0
match GIT source-address 192.168.80.62 255.255.255.0
class class-default
sticky-serverfarm STICKY-SOURCE-HTTPS
is wrong.
You need to specify an action under the match statement. And if you don't want to redirect everything, you need either to remove class default altogether or put something different as the action under it (e.g. forward).
Please see my previous message.
02-17-2012 09:15 AM
Hi,
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match GIT source-address 192.168.80.0 255.255.255.0
sticky-serverfarm STICKY-SOURCE-HTTPS
class class-default
forward
After the above modification only one subnet started working, but if I add any other host or subnet in the same policy map it does not work:
match WAP source-address 192.168.51.0 255.255.255.0
Is it name specific, or is there a limitation of only one match in a policy map?
I need to allow new subnets on a daily basis, so I need a configuration in which I can add multiple subnets in the class.
02-20-2012 12:02 AM
Hi
How do you add it?
It again should be like this:
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
match XXX source-address YYYY <-- match statement
sticky-serverfarm XXX <--- action
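As an added example (not taken from any post in this thread), here is how the pieces recommended above fit together for several sources: one inline match per subnet or host, each followed by its own action, and class-default forwarding everything else. The names GIT, WAP, the subnets and the host 192.168.80.89 are reused from the thread; the name HOST89 is assumed. Lines beginning with "!" are annotations, not ACE configuration.

```text
! Layer 4 class: catches every client connection to TCP/443, whatever the destination.
class-map match-all CM_SF_BCPR_HTTPS
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

! Layer 7 policy: first-match, so entries are evaluated top to bottom and the first
! hit wins. Every match needs its own action line directly beneath it.
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match GIT source-address 192.168.80.0 255.255.255.0
    sticky-serverfarm STICKY-SOURCE-HTTPS
  match WAP source-address 192.168.51.0 255.255.255.0
    sticky-serverfarm STICKY-SOURCE-HTTPS
  ! A single host uses a /32 mask (name HOST89 is assumed).
  match HOST89 source-address 192.168.80.89 255.255.255.255
    sticky-serverfarm STICKY-SOURCE-HTTPS
  ! Unmatched sources are passed to their real destination rather than the proxy.
  ! Without this class, unmatched 443 traffic is dropped; with sticky-serverfarm
  ! as its action, every subnet is redirected (the behaviour seen earlier in the thread).
  class class-default
    forward

! Layer 4 policy applied on the client-facing VLAN.
policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

interface vlan 300
  service-policy input PM_MAIN_BCPROXY
```

To add a new subnet later, insert another match/action pair above class-default; the class map stays unchanged, so keep in mind that it still intercepts all port 443 traffic on that VLAN.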
02-20-2012 04:10 AM
Hi,
Thanks for the continuous replies. It is working for me now; I will get back to you once I go to production.