06-12-2014 02:08 PM
Any ideas on the most optimal way to block external IP addresses from accessing a page on our VIP?
External IP Address: Non-RFC 1518 IP addresses
Internal: 10.0.0.0/8 (the following page should be available to an internal network)
URI to block: /serverpage.html from external network, but it should be available
VIP is redirected to HTTPS
I am able to block the pages from everywhere, but a selective subnet block does not seem to work.
class-map type http loadbalance match-all MATCH_TST-AP-SS
  20 match http url /.../serverpage.html
class-map type http loadbalance match-all MATCH_TST-AP-SS-int
  10 match http url /.../serverpage.html
  25 match source-address 10.0.0.0 255.0.0.0
policy-map type loadbalance first-match LBPOLICY_TST-AP
  class MATCH_TST-AP-SS-int
    compress default-method gzip
    sticky-serverfarm STKYFRM_TEST-AP
    action HEADER_REWRITE_1
  class MATCH_TST-AP-SS
    drop
  class class-default
    compress default-method gzip
    sticky-serverfarm STKYFRM_TEST-AP
    action HEADER_REWRITE_1
policy-map multi-match LBZ_TST_APP
  class HTTPS-VIP-APP-TEST
    loadbalance vip inservice
    loadbalance policy LBPOLICY_TST-AP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP_PERSIST
    ssl-proxy server SSL_APP-TEST
Does anybody have an idea of how to do it?
06-12-2014 05:03 PM
Hi Aman,
So are you saying that users from 10.0.0.0 are getting access but so is everyone else, or that everyone is getting access but not 10.0.0.0?
Which class is getting hit? When a user comes in, do you see which L7 class he is getting a match on?
You can do show service-policy <policy name> <class name>.
According to the above configuration, any user other than subnet range 10.x.x.x should be dropped.
Regards,
Kanwal
06-16-2014 10:53 AM
Thanks Kanwal,
It does not work. With the above configuration, the page is not accessible from anywhere (that is good), but I want to have it accessible from the 10.0.0.0/x network and not from external (even better).
06-16-2014 01:12 PM
Hi Aman,
Do you see which class is getting hit when you come from the src 10.0.x.x network? If you remove both of the classes below, does it work?
  class MATCH_TST-AP-SS
    drop
  class class-default
    compress default-method gzip
    sticky-serverfarm STKYFRM_TEST-AP
    action HEADER_REWRITE_1
Regards,
Kanwal