08-13-2003 10:40 AM
Hi all.
I have two css11503 configured with ASR. Everything is working so far except acl. Whenever I apply acl, nothing works. Can someone provide me with a working sample of a css acl?
acl 10
clause 5 permit icmp 116.115.124.128 255.255.255.128 destination 116.115.124.128 255.255.255.128
clause 15 permit any 116.115.124.128 255.255.255.128 destination 224.0.0.18
clause 25 permit tcp any destination 116.115.124.162 eq http
clause 45 permit tcp any destination 116.115.124.162 eq https
clause 200 deny any any destination any
apply circuit-(VLAN524)
acl 20
clause 5 permit any 10.20.1.0 255.255.255.0 destination 10.20.1.0 255.255.255.0
clause 15 permit any 10.20.1.0 255.255.255.0 destination 224.0.0.18
clause 50 deny any any destination any
apply circuit-(VLAN20)
115.116.124.x are the VIP addresses and 10.20.1.x are the physical server IP addresses.
Thanks.
Cheng
08-13-2003 02:31 PM
What happens when the following are added to acl 20:
clause 20 permit tcp 10.20.1.0 255.255.255.0 eq 80 dest any
clause 25 permit tcp 10.20.1.0 255.255.255.0 eq 443 dest any
08-14-2003 02:06 AM
I tried adding these two lines and it is still not working.
Thanks.
Cheng
08-14-2003 02:59 AM
Cheng,
What are all the circuits on this box?
Do you see any hits on the content rule if you do a 'sho summary'?
Gilles.
08-14-2003 04:00 PM
I finally figured out the problem. It turns out that the css was listening on port 443 from external, but the server is listening on port 8080. After I changed my acl 20 from
clause 25 permit tcp 10.20.1.0 255.255.255.0 eq 443 dest any
to
clause 25 permit tcp 10.20.1.0 255.255.255.0 eq 8080 dest any
It works.
Thanks for the help.
Cheng
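The fix in the last post, as an added example that is not part of the original thread: a simplified first-match model of acl 20 (not the CSS's own logic) showing why server replies sourced from port 8080 fell through to clause 50 until clause 25 matched 8080. The server address, client address and client port are constructed, and evaluation in clause-number order with a default deny is an assumption of the model.

```python
import ipaddress

PORTS = {"http": 80, "https": 443}

def _endpoint(tok):
    """Consume 'any' | 'ip [mask]', then an optional 'eq <port>'."""
    n = 2 if len(tok) > 1 and tok[1][0].isdigit() else 1  # 'ip mask' vs 'any'/'ip'
    net = None if tok[0] == "any" else ipaddress.ip_network("/".join(tok[:n]))
    tok, port = tok[n:], None
    if tok and tok[0] == "eq":
        port, tok = PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return (net, port), tok

def parse_clause(line):
    """'clause N action proto SRC destination|dest DST' as written in the thread."""
    t = line.split()
    src, rest = _endpoint(t[4:])
    dst, _ = _endpoint(rest[1:])          # rest[0] is 'destination' or 'dest'
    return int(t[1]), t[2], t[3], src, dst

def _hit(endpoint, ip, port):
    net, want = endpoint
    return (net is None or ipaddress.ip_address(ip) in net) and want in (None, port)

def evaluate(acl, proto, sip, sport, dip, dport):
    """Return (clause number, action) of the first matching clause."""
    for num, action, cproto, src, dst in sorted(acl):
        if cproto in ("any", proto) and _hit(src, sip, sport) and _hit(dst, dip, dport):
            return num, action
    return None, "deny"                   # assumed default when nothing matches

# acl 20 from the thread, with the two suggested clauses; {port} is clause 25's port.
ACL20 = """clause 5 permit any 10.20.1.0 255.255.255.0 destination 10.20.1.0 255.255.255.0
clause 15 permit any 10.20.1.0 255.255.255.0 destination 224.0.0.18
clause 20 permit tcp 10.20.1.0 255.255.255.0 eq 80 dest any
clause 25 permit tcp 10.20.1.0 255.255.255.0 eq {port} dest any
clause 50 deny any any destination any"""

def acl20(port):
    return [parse_clause(l) for l in ACL20.format(port=port).splitlines()]

def server_reply(acl):
    # Constructed packet: real server answers a client from its listening port 8080.
    return evaluate(acl, "tcp", "10.20.1.10", 8080, "198.51.100.7", 40000)

if __name__ == "__main__":
    print("eq 443 :", server_reply(acl20(443)))
    print("eq 8080:", server_reply(acl20(8080)))
```

Running it shows which clause decides the server's reply in each version of the ACL.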