cisco css filtering based on URL

gavin han
Level 1

Hi,

This is very new to me. Can we do filtering based on URL?

1) deny external users access to following:

ab.def.com:80

2) allow external users to have access to following:

ab.def.com:80/ex/servlet

Can we do this? I'm kinda new to this kind of filtering...

Please advise.

1 Reply

Francesco Casotto
Cisco Employee

Hello Gavin,

When you say "external users", it makes me think that there might also be some "internal users" for whom you might want to make different decisions, like allowing access to both sites.

Here is an example of how to allow some users access to a certain URL but deny it to all others. You would have to adapt the URLs to your case and test it:


nql internal-users-list
  ip address 192.168.33.140 255.255.255.255
 

owner frank 
 
  content http_public
    vip address 192.168.33.170
    port 80
    protocol tcp
    url "/*"
    add service my-server
    active

  content http_urlrestricted
    port 80
    protocol tcp
    url "/restricted.html"
    vip address 192.168.33.170
    add service my-server
    active


acl 1
  clause 3 permit any nql internal-users-list destination any
  clause 5 deny any any destination content frank/http_urlrestricted
  clause 7 permit any any destination any
  apply circuit-(VLAN545)

acl 2
  clause 5 permit any any destination any
  apply circuit-(VLAN546)

In the example, VLAN 545 is my client VLAN, where all the client requests would arrive from. 546 is the server VLAN, added only for completeness, as it is important to add ACLs to all VLAN interfaces once the ACLs get globally enabled ("acl enable") on the CSS; otherwise an implicit "deny any any" would cut all of your traffic.

If instead you do not have internal users for whom to allow broader access, then the solution would be much simpler configuration-wise; just let me know.

Hope it helps,

Francesco

PS: if my reply answers your question please mark the thread as answered.

[Edited to explain VLAN roles in my example]
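
The clause ordering in the reply above can be checked offline with a small first-match model. This is an added example, not code from the thread or from Cisco. It assumes clauses are evaluated in ascending clause number and that the most specific content rule URL wins; `decide`, `match_content_rule` and the client address 10.1.1.9 are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed model of the configuration posted in the reply; not CSS code.
NQL = {"internal-users-list": [ipaddress.ip_network("192.168.33.140/32")]}
CONTENT_RULES = {  # owner/rule -> (vip, port, url pattern)
    "frank/http_public": ("192.168.33.170", 80, "/*"),
    "frank/http_urlrestricted": ("192.168.33.170", 80, "/restricted.html"),
}
# (clause number, action, source NQL or None for "any",
#  destination content rule or None for "any")
ACLS = {
    "VLAN545": [(3, "permit", "internal-users-list", None),
                (5, "deny", None, "frank/http_urlrestricted"),
                (7, "permit", None, None)],
    "VLAN546": [(5, "permit", None, None)],
}

def match_content_rule(vip, port, path):
    """Assumption: the rule with the longest (most specific) URL wins."""
    hits = [(len(url), name) for name, (v, p, url) in CONTENT_RULES.items()
            if v == vip and p == port and fnmatchcase(path, url)]
    return max(hits)[1] if hits else None

def decide(circuit, src_ip, vip, port, path, acls=ACLS):
    """Return (action, clause number); clause is None for an implicit deny."""
    clauses = acls.get(circuit)
    if clauses is None:  # ACLs enabled globally but none applied to this circuit
        return ("deny", None)
    rule = match_content_rule(vip, port, path)
    src = ipaddress.ip_address(src_ip)
    for number, action, nql, content in sorted(clauses, key=lambda c: c[0]):
        src_ok = nql is None or any(src in net for net in NQL[nql])
        dst_ok = content is None or content == rule
        if src_ok and dst_ok:  # first matching clause decides
            return (action, number)
    return ("deny", None)  # no clause matched

if __name__ == "__main__":
    for ip, path in [("192.168.33.140", "/restricted.html"),
                     ("10.1.1.9", "/restricted.html"),
                     ("10.1.1.9", "/index.html")]:
        print(ip, path, decide("VLAN545", ip, "192.168.33.170", 80, path))
```

Swapping clause 3 and clause 5 in the model shows why the internal-users permit must come before the content deny: with the deny first, the internal host is blocked as well.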
