05-14-2013 01:36 PM
Hi all,
I'm desperately trying to get the ACE to limit access to a certain policy based on a list of source address hosts.
So far I've gotten this configuration:
object-group network ALLOWED-IP
  description IPs allowed to access HTTPS
  host 94.247.XXX.XXX
  host 178.132.XXX.XXX
  host 86.26.XXX.XXX
  host 5.135.XXX.XXX

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

ssl-proxy service proxy-1

class-map match-all L4-WEB-IP
  2 match virtual-address 5.39.XXX.XXX tcp eq www

class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 5.135.XXX.XXX 255.255.255.255

class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type management first-match REMOTE_PUBLIC_MGMT
  class PUBLIC_REMOTE
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3014
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 1229
  ip address 5.39.XXX.XXX 255.255.255.240
  alias 5.39.XXX.XXX 255.255.255.240
  peer ip address 5.39.XXX.XXX 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  no shutdown
Does anyone have any suggestions?
05-20-2013 07:40 PM
Hi Florian,
Please try this configuration and see if it meets your requirement.
class-map match-any Source
  2 match source-address 94.247.XXX.XXX 255.255.255.255
  3 match source-address 178.132.XXX.XXX 255.255.255.255
  4 match source-address 86.26.XXX.XXX 255.255.255.255
  5 match source-address 5.135.XXX.XXX 255.255.255.255

class-map match-all L4-WEB-IP
  2 match virtual-address 5.39.XXX.XXX tcp eq www

policy-map type loadbalance http first-match WEB_L7_POLICY
  class Source
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3014
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 1229
  ip address 5.39.XXX.XXX 255.255.255.240
  alias 5.39.XXX.XXX 255.255.255.240
  peer ip address 5.39.XXX.XXX 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  no shutdown
Let me know how it goes.
Regards,
Kanwal
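As an added check that is not part of the thread, the script below models how the answer's first-match policy decides who gets FARM_WEB: it parses the match source-address lines of a class-map, applies match-any (any entry hits) versus match-all (every entry must hit) semantics, and walks the policy in order. The masked XXX octets are replaced with RFC 5737 documentation addresses (an assumption), and the match-all case shows why that keyword would lock everyone out.

```python
import ipaddress

# Constructed snippet mirroring the answer's class-map and L7 policy. The thread masks
# the real octets as XXX; the documentation addresses below are an assumption.
ACE_CONFIG = """
class-map match-any Source
  2 match source-address 192.0.2.10 255.255.255.255
  3 match source-address 198.51.100.20 255.255.255.255
  4 match source-address 203.0.113.0 255.255.255.0
policy-map type loadbalance http first-match WEB_L7_POLICY
  class Source
    serverfarm FARM_WEB
"""

def parse_ace(config):
    """Return ({class_name: (mode, [networks])}, [(class_name, serverfarm), ...] in policy order)."""
    class_maps, policy, current, in_policy, cls = {}, [], None, False, None
    for raw in config.splitlines():
        line = raw.split()
        if not line:
            continue
        if line[0] == "class-map":
            mode = "match-any" if "match-any" in line else "match-all"
            current, in_policy = line[-1], False
            class_maps[current] = (mode, [])
        elif line[0] == "policy-map":
            current, in_policy = None, True
        elif current and "source-address" in line:
            i = line.index("source-address")        # tokens after it: address, netmask
            class_maps[current][1].append(
                ipaddress.ip_network(f"{line[i + 1]}/{line[i + 2]}", strict=False))
        elif in_policy and line[0] == "class":
            cls = line[1]
        elif in_policy and line[0] == "serverfarm":
            policy.append((cls, line[1]))
    return class_maps, policy

def class_matches(class_maps, name, src):
    """match-any: one entry suffices; match-all: every entry must hit (impossible for distinct hosts)."""
    mode, nets = class_maps[name]
    hits = [ipaddress.ip_address(src) in net for net in nets]
    return any(hits) if mode == "match-any" else all(hits)

def select_serverfarm(config, src):
    """First-match evaluation: serverfarm of the first class the source hits, else None (not forwarded)."""
    class_maps, policy = parse_ace(config)
    for cls, farm in policy:
        if class_matches(class_maps, cls, src):
            return farm
    return None
```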