how to configure ace to send the response as forbidden code or bad request based on the URL string

svenkateshv (Level 1)

I have a requirement where ACE has to forbid HTTP access to a URL based on the strings /admin/ or /console/ in the URL. I believe I can match the traffic with the following class-map, but how do I act on it to forbid the access? Example configurations?

class-map type http loadbalance match-any Forbidden-admin-access
  2 match http url /admin/.*
  3 match http url /console/.*

6 Replies

Kanwaljeet Singh (Cisco Employee)

Hi Sven,

ACE cannot send a response, but it can allow, drop or reset the connection based on L7 information, or you can make ACE forward the traffic to servers which can send those responses after the above condition is matched. But it surely can "silently" drop or reset the connection as well. I'm pasting the configuration below for your reference.

If you want to send a reset, then you would need to use 'inspect' as such:

class-map type http inspect match-all CM-INSPECT
  2 match header Host header-value "private.example.com"

class-map match-all VIP_WWW
  2 match virtual-address 10.86.178.167 tcp eq www

policy-map type inspect http all-match PM-INSPECT
  class CM-INSPECT
    reset

policy-map type loadbalance first-match WWW_SERVERS
  class class-default
    serverfarm SERVER_FARM

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SERVERS
    inspect http policy PM-INSPECT
    loadbalance vip icmp-reply

Now, if you would rather not send a RST, but just drop it, then you would use 'loadbalance' as such:

class-map type http loadbalance match-any CM-DROP
  2 match http header Host header-value "private.example.com"

class-map match-all VIP_WWW
  2 match virtual-address 10.86.178.167 tcp eq www

policy-map type loadbalance first-match WWW_SERVERS
  class CM-DROP
    drop
  class class-default
    serverfarm SERVER_FARM

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SERVERS
    loadbalance vip icmp-reply

Regards,

Kanwal

Hi Kanwalsi,

I'm facing the same issue but with the following difference:

I'd like to permit everyone access to, e.g., www.abc.com but allow access to www.abc.com/admin only to specific IP addresses. Please let me know if you have any suggestion.

Regards

Hi,

You should have L7 class map statement like:

class-map type http inspect match-all CM-inspect
  2 match url /admin

And then call this class-map under the policy map, etc., as shown above and check if it works fine. The action should be either DROP or RESET depending upon your preference.

Regards,

Kanwal

I guess it should work fine to drop requests for everybody, but the problem that I'm facing is:

- Everybody can access URL "www.example.com" through VIP 70.10.10.11 to serverfarm EXAMPLE-80.

- But only the 2 addresses 23.22.21.2 /23 can access "www.example.com/admin" (same VIP and serverfarm), and requests from other source IP addresses are dropped.

Could you please be more specific in your suggestion.

Thanks.

Hi,

I am sorry, but I didn't get your question here. Are you saying that everyone who comes to www.example.com is getting access but only two users are being dropped when they go to www.example.com/admin? Are all other users getting access to /admin too? Can you share the configuration in place?

Regards,

Kanwal

Hi,

In fact, no configuration has been made yet, and what I described is what I want to accomplish, meaning:

Everybody should be permitted to access www.example.com

But only 2 source IP addresses should be permitted to access www.example.com/admin. All requests coming from other IP addresses should be dropped for that specific URL.

Regards.
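The thread never reaches a configuration for the second requirement (everyone may reach the site, only two client addresses may reach /admin), and the original question (drop /admin/ and /console/ for everyone) is only answered by analogy with a Host-header match. The block below is an added example, not a reply from the thread and not Cisco documentation; it combines both requirements in one first-match load-balance policy. It assumes the VIP 70.10.10.11 and serverfarm EXAMPLE-80 named in the thread, uses placeholder trusted addresses 203.0.113.10 and 203.0.113.11 (the thread's own addresses are ambiguous, so substitute yours), invents the class-map and policy-map names CM-ADMIN-SOURCES, CM-ADMIN-URL, CM-ADMIN-ALLOWED and PM-WWW, and assumes the ACE release in use supports `match source-address` and nested `match class-map` in `class-map type http loadbalance`.

```text
! Added example (hypothetical names and placeholder addresses), not thread content.

! Trusted client addresses that may reach the admin paths.
! 203.0.113.10 and 203.0.113.11 are placeholders; one /32 mask per host.
class-map type http loadbalance match-any CM-ADMIN-SOURCES
  2 match source-address 203.0.113.10 255.255.255.255
  3 match source-address 203.0.113.11 255.255.255.255

! The restricted paths from the original question.
class-map type http loadbalance match-any CM-ADMIN-URL
  2 match http url /admin/.*
  3 match http url /console/.*

! Both conditions must hold: restricted path AND trusted source.
class-map type http loadbalance match-all CM-ADMIN-ALLOWED
  2 match class-map CM-ADMIN-SOURCES
  3 match class-map CM-ADMIN-URL

! first-match: order matters. The allowed (source + URL) class must come
! BEFORE the URL-only drop class, otherwise trusted clients are dropped too.
policy-map type loadbalance first-match PM-WWW
  class CM-ADMIN-ALLOWED
    serverfarm EXAMPLE-80
  class CM-ADMIN-URL
    drop
  class class-default
    serverfarm EXAMPLE-80

! L3/L4 VIP from the thread, tied to the L7 policy above.
class-map match-all VIP_WWW
  2 match virtual-address 70.10.10.11 tcp eq www

policy-map multi-match VIP
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy PM-WWW
    loadbalance vip icmp-reply
```

Two points a practitioner would want to check before relying on this. First, the class order in a first-match policy is the whole access decision: swapping CM-ADMIN-ALLOWED and CM-ADMIN-URL silently locks out the trusted clients. Second, `match http url` is a regular-expression match on the request URL as ACE sees it, so confirm on your release how it treats case and percent-encoded paths (for example /Admin/ or /%61dmin/); the origin server should still enforce its own authorization on /admin and /console rather than treating the ACE drop as the only control.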

 
