CSS acl and proxy-list

henry.saravia
Level 1

I need to filter a URL (one public URL and one private), but the ACLs are not working.

#############################################
interface e1
  bridge vlan 2
#############################################
circuit VLAN2
  redundancy
  ip address 172.19.2.102 255.255.255.0
#############################################
ssl-proxy-list ssl-ssl
  ssl-server 2
  ssl-server 2 vip address 172.19.2.5
  ssl-server 2 rsakey asrsakey2
  ssl-server 2 rsacert asrsacert2
  ssl-server 2 ssl-queue-delay 0
  ssl-server 2 tcp server nagle disable
  ssl-server 2 tcp server ack-delay 0
  ssl-server 2 tcp virtual ack-delay 0
  ssl-server 2 cipher rsa-with-rc4-128-sha 172.19.2.50 80
  ssl-server 2 tcp server inactivity-timeout 600
  ssl-server 2 tcp virtual inactivity-timeout 600
  active
#############################################
service secure-ssl
  type ssl-accel
  slot 2
  add ssl-proxy-list ssl-ssl
  active

service serv1
  ip address 172.19.2.32
  protocol tcp
  port 80
  active

service serv2
  ip address 172.19.2.35
  protocol tcp
  port 80
  active
#############################################
content PUBLIC
    add service serv1
    add service serv2
    vip address 172.19.2.50
    protocol tcp
    port 80
    url "/public/*"
    active

content PRIVATE
    add service serv2
    add service serv1
    vip address 172.19.2.50
    port 80
    protocol tcp
    url "/private/*"
    active
#############################################
group GROUP
  add destination service serv2
  add destination service serv1
  vip address 172.19.2.50
  active
#############################################
acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content OWN/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content OWN/PRIVATE
  clause 50 deny any any destination content OWN/PRIVATE
  clause 99 permit any any destination any

Any idea?


Kristopher Martinez
Cisco Employee

Henry,

Did you apply the ACL to a circuit and enable the ACLs? The CSS requires that you enable ACLs after you configure them in order for them to take effect. Take a look at the quick start guide for ACLs below.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Access.html#wp1134054

Kris

pablo.nxh
Level 3

Howdy Henry,

Getting ACLs working on the CSS is a two-step process: apply the ACL to a circuit and then enable ACLs globally on the box.

You need to make sure all your circuit VLANs have an ACL configured, even if it only needs to be permit any any; otherwise the traffic for that VLAN will be blocked.

In your case it seems like you only have circuit VLAN2, so the config would be like this:

acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content OWN/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content OWN/PRIVATE
  clause 50 deny any any destination content OWN/PRIVATE
  clause 99 permit any any destination any
  apply circuit-(VLAN2)

Then go to config t mode and enter:

CSS(config)# acl enable

HTH

__ __

Pablo

Yes, I did the "apply circuit-(VLAN2)" and the "acl enable", but all traffic is permitted; no filter is applied!

I see in the log of the server that only the IP 172.19.2.50 is accessing the physical server.

172.19.26.50 -> 172.19.26.32 HTTP GET / HTTP/1.1
172.19.26.50 -> 172.19.26.32 HTTP GET /favicon.ico HTTP/1.1
172.19.26.50 -> 172.19.26.32 HTTP GET / HTTP/1.1

Not the original source 172.16.0.0 255.255.0.0 or 172.19.0.0 255.255.0.0.
Any idea?

Sorry, this is the log:

172.19.2.50 -> 172.19.2.32 HTTP GET / HTTP/1.1
172.19.2.50 -> 172.19.2.32 HTTP GET /favicon.ico HTTP/1.1
172.19.2.50 -> 172.19.2.32 HTTP GET / HTTP/1.1

Oh OK, it isn't an ACL problem but a NAT issue.

The fact that you're seeing only requests from 172.19.2.50 is because you configured a source group to NAT incoming requests to the content rules these services were configured under. S-NAT avoids asymmetric routing issues in a one-armed design like yours.

group GROUP
  add destination service serv2
  add destination service serv1
  vip address 172.19.2.50
  active

ACLs should be working fine, and traffic other than 172.16.0.0/16 or 172.19.0.0/16 will not have access to the rule in question.

HTH

__ __

Pablo

I have the group configured like this:

group GROUP
  add destination service serv1
  add destination service serv2
  vip address 172.19.2.50
  active

I'm not clear on what your recommendation is.
Thanks

Hey Henry,

It was not a recommendation; I was trying to explain why all the logs on your server are coming from a single source (172.19.2.50).

On the CSS, ACL matching happens before NAT, so when a packet comes in the CSS checks it against your ACL; if it doesn't belong to the 172.16 or 172.19 networks the packet is discarded.

If the packet comes from one of these networks it is permitted and then NAT'd using the source group, so regardless of whether it comes from .16 or .19, all the requests will appear to be sourced from 172.19.2.50.

You can't get rid of the source group in a one-armed design unless you make sure the responses from your servers have no way to reach the client other than going through the CSS.

HTH

__ __

Pablo.

Hi Pablo, I want to restate my question.

I have a content rule like this one:

content SSL-J2EE
    vip address 172.19.6.5
    add service ssl
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    active

service ssl
  type ssl-accel
  slot 2
  add ssl-proxy-list ssl-bfa
  keepalive type none
  active

I need to do something like this:

content SSL-J2EE
    vip address 172.19.6.5
    add service ssl
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "/private/*"
    active

content SSL-J2EE
    vip address 172.19.6.5
    add service ssl
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "/public/*"
    active

and filter based on source IP (some IPs can access /private and others /public). The problem is that HTTPS is encrypted and I cannot see the path to distinguish whether it is a public or a private connection.
Any idea?
Thanks

Hi Henry,

Based on your config, and especially on the service shown below, you're offloading the SSL traffic on the CSS, so the URL filter will be configured on the clear-text rules and the ACL will point to those instead.

service ssl
  type ssl-accel
  slot 2
  add ssl-proxy-list ssl-bfa
  keepalive type none
  active

If you don't mind, share a sanitized copy of the following outputs and I'll give you a hand with the ACL config.

CSS# show run ssl
CSS# show run owner
CSS# show run acl

Regards

__ __

Pablo

This is the config:

Hello Henry,

Your config looks in good shape. The only thing that seems to be missing is the line that denies further access to the "PRIVATE" content rule.

acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 21 deny any any destination content ONE/PRIVATE
  clause 30 deny any any destination content BFA/PRIVATE
  clause 40 permit any 172.16.2.0 255.255.255.0 destination any
  clause 50 permit any any destination content BFA/PUBLIC
  clause 99 permit any any destination any
  apply circuit-(VLAN26)

Not sure if clause 30 was supposed to be the line that blocks that traffic.

Regards.

__ __

Pablo
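As an added illustration (this script is not part of the thread and is not Cisco code), the following Python models the first-match evaluation the reply above relies on: clauses are tried in ascending clause-number order, and the first clause whose source network and destination content rule both match decides permit or deny. It assumes that the CSS applies an implicit deny when no clause matches and that the value after a source address is a subnet mask; both are assumptions about CSS behaviour, and only the clause forms that appear in this thread are parsed. Running it over the quoted ACL with and without clause 21 shows how a request from a constructed outside address to ONE/PRIVATE falls through to clause 99 when the deny for ONE/PRIVATE is absent, and the `unguarded` check lists every restricted content rule that such a source can still reach.

```python
"""Model of first-match ACL evaluation for the CSS clause lines in this thread.

Added example, not Cisco's code.  Assumptions (not taken from the thread):
  * clauses are evaluated in ascending clause-number order, first match wins;
  * a packet matching no clause is denied (implicit deny);
  * the value after a source address is a subnet mask (255.255.0.0 = /16).
Only the clause shapes that appear in the thread are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Clause:
    number: int
    action: str                               # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]      # None means source "any"
    dst_content: Optional[str]                # "OWNER/RULE"; None means destination "any"


def parse_clause(line: str) -> Clause:
    """Parse one 'clause ...' line.  Forms handled (modelled on the thread):
         clause N permit|deny any <src-ip> <src-mask> destination content OWNER/RULE
         clause N permit|deny any any destination any
    """
    tok = line.split()
    if len(tok) < 7 or tok[0] != "clause" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised clause: {line!r}")
    number, action = int(tok[1]), tok[2]
    i = 4                                     # tok[3] is the protocol; only "any" appears here
    if tok[i] == "any":
        src, i = None, i + 1
    else:
        src, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    if tok[i] != "destination":
        raise ValueError(f"expected 'destination' in: {line!r}")
    i += 1
    if tok[i] == "any":
        dst = None
    elif tok[i] == "content" and i + 1 < len(tok):
        dst = tok[i + 1]
    else:
        raise ValueError(f"unrecognised destination in: {line!r}")
    return Clause(number, action, src, dst)


def parse_acl(text: str) -> List[Clause]:
    """Collect the clause lines of an 'acl N' block, ordered by clause number."""
    clauses = [parse_clause(ln.strip()) for ln in text.splitlines()
               if ln.strip().startswith("clause ")]
    return sorted(clauses, key=lambda c: c.number)


def evaluate(acl: List[Clause], src_ip: str, dst_content: str) -> Tuple[Optional[int], str]:
    """Return (matching clause number, action); (None, 'deny') if nothing matched."""
    ip = ipaddress.ip_address(src_ip)
    for c in acl:
        if c.src is not None and ip not in c.src:
            continue
        if c.dst_content is not None and c.dst_content != dst_content:
            continue
        return c.number, c.action
    return None, "deny"                       # implicit deny (assumption, see docstring)


def unguarded(acl: List[Clause], restricted: List[str], outside_ip: str) -> List[str]:
    """Content rules in `restricted` that a source outside the permitted networks can still reach."""
    return [name for name in restricted if evaluate(acl, outside_ip, name)[1] == "permit"]


# The ACL as quoted in the reply above, with clause 21 (the deny for ONE/PRIVATE) present.
ACL_WITH_DENY = parse_acl("""
acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 21 deny any any destination content ONE/PRIVATE
  clause 30 deny any any destination content BFA/PRIVATE
  clause 40 permit any 172.16.2.0 255.255.255.0 destination any
  clause 50 permit any any destination content BFA/PUBLIC
  clause 99 permit any any destination any
""")

# The same ACL without clause 21: the gap the reply points out.
ACL_WITHOUT_DENY = [c for c in ACL_WITH_DENY if c.number != 21]

if __name__ == "__main__":
    # 200.200.200.200 is a constructed address outside both permitted networks.
    for label, acl in (("with clause 21", ACL_WITH_DENY), ("without clause 21", ACL_WITHOUT_DENY)):
        print(label, "->", evaluate(acl, "200.200.200.200", "ONE/PRIVATE"))
    print("still reachable from outside:",
          unguarded(ACL_WITHOUT_DENY, ["ONE/PRIVATE", "BFA/PRIVATE"], "200.200.200.200"))
```

Note the ordering effect the model makes visible: clause 30 (deny any any to BFA/PRIVATE) sits before clause 40 (permit 172.16.2.0/24 to any), so a 172.16.2.x host is denied BFA/PRIVATE even though clause 40 would otherwise permit it; the same ordering logic is why a deny for ONE/PRIVATE must appear before clause 99 to have any effect.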

Hi Pablo

The ACL is applied like this:

acl 26
  clause 10 permit any 172.16.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 20 permit any 172.19.0.0 255.255.0.0 destination content ONE/PRIVATE
  clause 30 deny any any destination content ONE/PRIVATE
  clause 40 permit any 172.16.2.0 255.255.255.0 destination any
  clause 50 permit any any destination content ONE/PUBLIC
  clause 99 permit any any destination any
  apply circuit-(VLAN26)

But the client accesses the content by HTTPS:
content SECURE
    vip address 172.19.2.5
    add service secure
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    active
The SSL proxy accesses the ONE/PRIVATE or ONE/PUBLIC content, not the client directly!
How does the CSS distinguish whether the customer wants to access PRIVATE or PUBLIC content?
For example, a customer accesses https://172.19.2.5/PRIVATE from IP address 200.200.200.200. Which clause matches in the ACL?
Thanks
