
ACE Configuration (urgent)

wasiimcisco
Level 1

I am facing a problem with the ACE configuration. I want to redirect port 443 traffic to my proxy server.

But I am not able to do this. I want to redirect only subnet 192.168.80.0/24.


I have the following configuration

access-list BC line 8 extended permit tcp host 192.168.80.89 any eq https

access-list BC line 16 extended permit tcp host 192.168.80.62 any eq https


probe tcp PROBE_TCP_443
  port 443
  interval 15
  passdetect interval 60
  open 1


serverfarm host SF_BCPR_https
  transparent
  probe PROBE_TCP_443
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice


sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
  replicate sticky
  serverfarm SF_BCPR_https

class-map match-all CM_SF_BCPR_HTTPS
  2 match access-list BC

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  class class-default
    sticky-serverfarm STICKY-SOURCE-HTTPS


==================================================================================
policy-map multi-match PM_MAIN_BCPROXY
    class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
==================================================================================
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  no normalization
  mac-address autogenerate
  no icmp-guard
  access-group input acl-in

  service-policy input PM_MAIN_BCPROXY
  no shutdown

I am getting an error.

DC-ACE01/Rack1(config-cmap)# 10 match access-list BC

Error: Class-map is being used for virtual server definition

=======================================================================

Only if I am putting

class-map match-all CM_SF_BCPR_HTTPS
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

Only then does it work, but I don't want this policy to be applied to all the users; I want only one subnet under the HTTPS policy.

Please let me know how I can apply the policy only to a specific subnet, so that its port 443 traffic is redirected and all other subnets can go directly to the Internet.

Waiting for reply.

Thanks in Advance.

8 Replies

Borys Berlog
Cisco Employee

Hi

You can try it like this:

Leave your class map with 0.0.0.0 0.0.0.0 tcp eq https (it will match all destination IPs), then in the layer 7 policy map:

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

match NAME source-address 192.168.80.0 255.255.255.0

    sticky-serverfarm STICKY-SOURCE-HTTPS

It will match only connections from 192.168.80.0/24.

However, be aware that if you use this class map with 0.0.0.0 0.0.0.0 eq https, it will catch all traffic from any source to any destination on port 443, so you should be careful not to overlap with other classes in your configuration.

Hi,

Thanks for the reply, but it is still not working for me. It is still redirecting all the HTTPS traffic.

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

  match IT source-address 192.168.80.64 255.255.255.0

  match GIT source-address 192.168.80.62 255.255.255.0

  class class-default

    sticky-serverfarm STICKY-SOURCE-HTTPS

class-map match-all CM_SF_BCPR_HTTPS

  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

Can you please let me know how I can redirect only specific subnets.

Hi, if this is your current configuration from the last message, it's wrong; it should be:

class-map match-all CM_SF_BCPR_HTTPS

  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

  match IT source-address 192.168.80.0 255.255.255.0  <----- If you want to redirect 192.168.80.0/24

    sticky-serverfarm STICKY-SOURCE-HTTPS

And then in Layer 4 (the multi-match policy):

policy-map multi-match PM_MAIN_BCPROXY

    class CM_SF_BCPR_HTTPS

    loadbalance vip inservice

    loadbalance policy PM_LB_SF_BCPROXY_https

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options PARAMAP_CASE

However, you need to be aware that with such a configuration all other traffic to port 443 will be dropped.

One of the options is to add a forward action to class-default in the Layer 7 map, like this:

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

  match IT source-address 192.168.80.0 255.255.255.0  <----- If you want to redirect 192.168.80.0/24

    sticky-serverfarm STICKY-SOURCE-HTTPS

class class-default  <--- additional configuration

forward

In this case, traffic to port 443 from sources other than 192.168.80.0/24 won't be dropped but will just be forwarded to its destination.

Hi,

Below is the full configuration that I am using, but I am unable to redirect specific subnets.

rserver host RS_BCPR01

  ip address 192.168.0.103

  inservice

rserver host RS_BCPR02

  ip address 192.168.0.104

  inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS

  replicate sticky

  serverfarm SF_BCPR_https

class-map match-all CM_SF_BCPR_HTTPS

  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

  match IT source-address 192.168.80.64 255.255.255.0

  match GIT source-address 192.168.80.62 255.255.255.0

  class class-default

    sticky-serverfarm STICKY-SOURCE-HTTPS

interface vlan 300

policy-map multi-match PM_MAIN_BCPROXY

class CM_SF_BCPR_HTTPS

    loadbalance vip inservice

    loadbalance policy PM_LB_SF_BCPROXY_https

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options PARAMAP_CASE

Yes, as I wrote above:

This one:

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

  match IT source-address 192.168.80.64 255.255.255.0

  match GIT source-address 192.168.80.62 255.255.255.0

  class class-default

    sticky-serverfarm STICKY-SOURCE-HTTPS

is wrong.

You need to specify the action under the match statement. And if you don't want to redirect everything, you need either to remove class-default entirely or to put a different action under it (e.g. forward).

Please see my previous message.

Hi,

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match GIT source-address 192.168.80.0 255.255.255.0
    sticky-serverfarm STICKY-SOURCE-HTTPS
  class class-default
    forward

After the above modification only one subnet started working, but if I add any other host or subnet in the same policy map it is not working.

match WAP source-address 192.168.51.0 255.255.255.0

Is it name specific, or is there a limitation of only one match in a policy map?

I need to allow subnets that will be added on a daily basis, so I need a configuration in which I can add multiple subnets to the class.

Hi

How do you add it?

It again should be like this:

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https

match XXX source-address YYYY  <-- match statement

sticky-serverfarm XXX <--- action
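To make the two points of the replies above concrete (each match statement carries its own action, and a forward on class-default keeps non-matching sources from being dropped at the 0.0.0.0 VIP), here is a small model of how an ACE first-match layer 7 policy evaluates a client. It is an added example, not code from the thread or from Cisco; it only understands the handful of statements used in this thread (match NAME source-address, class class-default, sticky-serverfarm, serverfarm, forward), and the sample policies WRONG, WORKING and NO_DEFAULT are constructed from the configurations posted here, with a second subnet (192.168.51.0/24) added the way the reply describes.

```python
# Added example, not from the thread or from Cisco: a model of how an ACE
# "policy-map type loadbalance ... first-match" evaluates a client connection.
# Rules applied, as stated in the replies: every match statement needs its own
# action, the first matching entry wins, and VIP traffic that matches no entry
# (and has no class-default) is dropped.
import ipaddress
import re


class PolicyError(ValueError):
    """A match statement with no action, or an action with no match."""


_MATCH = re.compile(r"match (\S+) source-address (\S+) (\S+)$")
_ACTION = re.compile(r"(sticky-serverfarm|serverfarm) (\S+)$")


def parse_l7_policy(text):
    """Return [(entry_name, source_network_or_None, (action, target))] in config order."""
    rules, pending = [], None          # pending = entry still waiting for its action
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy-map"):
            continue
        m = _MATCH.match(line)
        if m or line == "class class-default":
            if pending is not None:    # previous entry never received an action
                raise PolicyError(f"entry {pending[0]} has no action")
            if m:
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                pending = (m.group(1), net)
            else:
                pending = ("class-default", None)   # None = matches any source
            continue
        a = _ACTION.match(line)
        if a or line == "forward":
            if pending is None:
                raise PolicyError(f"action '{line}' has no preceding match")
            action = ("forward", None) if line == "forward" else (a.group(1), a.group(2))
            rules.append((pending[0], pending[1], action))
            pending = None
            continue
        raise PolicyError(f"unrecognised line: {line}")
    if pending is not None:
        raise PolicyError(f"entry {pending[0]} has no action")
    return rules


def validate(text):
    """Return None if the policy parses cleanly, else the error message."""
    try:
        parse_l7_policy(text)
    except PolicyError as e:
        return str(e)
    return None


def evaluate(rules, source_ip):
    """First match wins; a connection that reaches the VIP but matches nothing is dropped."""
    ip = ipaddress.ip_address(source_ip)
    for name, net, action in rules:
        if net is None or ip in net:
            return name, action
    return None, ("drop", None)


# Constructed from the thread: the version the reply calls wrong (matches without actions).
WRONG = """policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match IT source-address 192.168.80.64 255.255.255.0
  match GIT source-address 192.168.80.62 255.255.255.0
  class class-default
    sticky-serverfarm STICKY-SOURCE-HTTPS"""

# Constructed: one action per match, a second subnet added the same way, and a
# forward on class-default so other sources are not dropped at the VIP.
WORKING = """policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match IT source-address 192.168.80.0 255.255.255.0
    sticky-serverfarm STICKY-SOURCE-HTTPS
  match WAP source-address 192.168.51.0 255.255.255.0
    sticky-serverfarm STICKY-SOURCE-HTTPS
  class class-default
    forward"""

# Constructed: the same policy without class-default, to show the drop behaviour.
NO_DEFAULT = "\n".join(WORKING.splitlines()[:-2])

if __name__ == "__main__":
    print("wrong policy:", validate(WRONG))
    rules = parse_l7_policy(WORKING)
    for src in ("192.168.80.10", "192.168.51.7", "10.1.2.3"):
        print(src, "->", evaluate(rules, src))
    print("10.1.2.3 without class-default ->", evaluate(parse_l7_policy(NO_DEFAULT), "10.1.2.3"))
```

Running it shows the three outcomes the thread walks through: the WRONG policy is rejected because `match IT` has no action, a source in 192.168.80.0/24 or 192.168.51.0/24 lands on the sticky serverfarm, a source outside both is forwarded by class-default, and the same outside source is dropped once class-default is removed. The model is deliberately narrow; the real ACE parser supports many more statements and checks the configuration at entry time rather than on a whole block.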

Hi,

Thanks for the continuous replies. It is working for me now; I will get back to you once I go to production.
