cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2295
Views
4
Helpful
3
Replies

Is there any way to simplify this rules in ACE

hamz-zackops
Level 1
Level 1

Hello Support Forum Members,

i just create some ACL rules in cisco ACE 4710.

here are some rules,

class-map type http inspect match-any DENIED_URL

  2 match url .*.exe

  3 match url .*.php

  4 match url .*.asp

  5 match url .*.aspx

  6 match url .*.cgi

  7 match url .*.pl

  8 match url .*.bat

  9 match url .*.cfm

  10 match url .*.ihtml

  11 match url .*.las

  12 match url .*.lasso

  13 match url .*.lassoapp

  14 match url .*.phtml

  15 match url .*.rna

  16 match url .*.r

  17 match url .*.shtml

  18 match url .*.stm

  19 match url .*.ini

  20 match url .*.dll

  21 match url .*.htx

  22 match url .*.htw

  23 match header mime-type video\*

  24 match header mime-type audio\*

  25 match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*"

  26 match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*"

  27 match url .*.ico

  28 match url .*etc.*

  29 match url .*wp[-].*

  30 match request-method rfc trace

  31 match url /images

  32 match request-method rfc delete

  33 match request-method rfc options

  34 match request-method rfc put

  35 match url /status

  36 match request-method rfc head

  37 match request-method rfc connect

class-map type http inspect match-any URL_TO_PERMIT

  4 match request-method rfc get

  5 match request-method rfc post

  7 match header length request range 200 200

  12 match url /stripe/.*

  13 match url /stripe-string/.*

  15 match url /

  16 match url /foobar/agent.*

my query is, can i simplify this rule become some few of lines.?

my need is : all access to /foobar/agent, /stripe-string/, /stripe with get and post method are allowed, also with situation server response is 200 200, other will be crush.

it's possible i simplify the rule in ace.

many thanks in advanced

hamzah

3 Replies 3

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi Hamzah,

If you know exactly what you need to allow then you can be as specific as you can be and other than that if you need to deny everything then you can generalize. Now in your case class-map "URL_TO_PERMIT" you have match condition  "/" which basically matches all other statments like /stripe/.*, /stripe-string/.*,/foobar/agent.*. Either you remove that or there is no use of other statements to put in along with "/" unless it is like test.com/ or foobar.com/ or stripe.com/ etc.

Also, you want 200 server response to be allowed but in match condition you have mentioned "request range". Please change that as well.

Regards,

Kanwal

Hi Singh,

if i put / in denied url, it will drop anything.

or maybe you can suggest me another way?

btw tahnkyou for your response

regards

hamzah

Hi Hamzah,

/ will match anything after / in url i.e the path. For example, / will match test.com/test as well as test.com/notest. But it will not match test.com and abc.com. If you want a wildcard to block everything then something like .* can be used.But this will match everything.

Regards,

Kanwal

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: