Restrict Access To A L7 URL On ACE

rjonesis1977 · ‎03-13-2013

Hi

Basically I am wanting to restrict access to a L7 URL, allowing a number of source IP addresses access and denying everyone else.

I guess this would be simple to do with a L4 vip as it could be done with ACL's but I'm no sure how to restrict access to only allow certain IPs to a L7 URL and deny everyone else.

The URL I want to restrict is https://www.xxx.com/login/validate

below is the config for you ref

class-map match-any L4-CLASS-TESTPOC-SSL
10 match virtual-address 5.5.5.5 tcp eq https

class-map type http loadbalance match-any L7CLASS-login-validate
10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
10 match http url /login/.*
20 match http url /login*

policy-map type loadbalance http first-match TESTPOC-SSL-POLICY

class L7CLASS-login-validate (THIS IS AT THE TOP AS IT NEEDS TO MATCH FIRST DUE TO L7CLASS-login)

serverfarm TEST_POC

action URLREWRITE
class L7CLASS-login
sticky-serverfarm TEST_POC

    action URLREWRITE
class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE

policy-map multi-match CLIENT-VIPS
class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY

I did try to accomplish the restriction with the use of a nested class-map that matched on source IP and URL with the drop action in the policy. This did work in that it dropped the connection from the source IP that was nested in the class-map but the the issues with this are as follows -

1) Denied access from 1 ip only, thus allowing everyone else access. I waned to allow 1 or 2 ips and deny everyone else.

2) I can only add 1 IP or subnet within the nested class-map as a source so I don't have the flexibility to add to it.

You help will be greatly received.

Thanks

ciscocsoc · ‎03-13-2013

Hi,

You should be able to do this with nested class-maps. The class-map that defines the allowed addresses needs to be of type http.

class-map type http loadbalance match-any ALLOW-VALIDATE

10 match source-address 10.1.1.1 255.255.255.255

15 match source-address 10.2.2.2 255.255.255.255

20 match source-address 10.3.4.5 255.255.255.255

25 match source-address 10.199.199.23 255.255.255.255

...

This should allow you the equivalent of matching on an ACL.

Hope that helps

Kind Regards

Cathy

rjonesis1977 · ‎03-13-2013

Hi Thanks for you reply.

I'm not sure this will work as I need it to. I am wanting to permit only a few addresses and deny everyone else, the everyone else being the internet so I won't know the specific addresses to deny only to ones to allow.

If I use the class-map as stated and the source address is not in the match address will this just be allowed by the next class in the policy-

class-map type http loadbalance match-any L7CLASS-login-validate
10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
10 match http url /login/.*
20 match http url /login*

policy-map type loadbalance http first-match TESTPOC-SSL-POLICY

class L7CLASS-login-validate Souce address not in class

serverfarm TEST_POC

action URLREWRITE
class L7CLASS-login Source addess will hit this next I believe and the connection will be accepted sticky-serverfarm TEST_POC

action URLREWRITE

class-map type http loadbalance match-any L7CLASS-login-validate
10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
10 match http url /login/.*
20 match http url /login*

Thanks again for your help.

jsirstin · ‎03-13-2013

Rick,

What about just using two different class-maps.

the first one would match on an ACL for the specific users that you want to hit the login/vlidate page.

build out the ACL and create the class-map to match on.

access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443

Add all of the approved IPs to this list.

class-map match-any L4-CLASS-TESTPOC-validate

10 match access-list ACL_name

Add the L7 policy under this class.

Then have your existing class-map placed under the one above in the muilti-match policy.

class-map match-any L4-CLASS-TESTPOC-SSL

10 match virtual-address 5.5.5.5 tcp eq https

and under the L7 match for validate you can just drop the traffic rather than sending it to a serverfarm.

policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY
class L7CLASS-login-validate
    drop
class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE

The class-map matching on the ACL would be hit first. If the user is one of the allowed IPs in the list it will match and they can get to the loging/validate page, or anywhere eles. If they are not one of these users they drop to the next L4 class (the existing one) and this time if they try to go to the login/validate page the ACE will just drop it. they can go anywhere else but this page.

This way you do the matching on the L4 class and not in the L7 policy.

L7 policy is just to inforce that that non approved IPs will get dropped if they try to hit this page.

could this work for you?

Best regards

Jim

rjonesis1977 · ‎03-13-2013

Hi Jim.

Thanks for you reply, however I'm still a little confused sorry :-(

I understand following

access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443

class-map match-any L4-CLASS-TESTPOC-validate

10 match access-list ACL_name

Add the L7 policy under this class ???? please explain am I correct wih the config below -

policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY

class L7CLASS-login-validate

drop

class L7CLASS-login

sticky-serverfarm TEST_POC

action URLREWRITE

class L7CLASS-MYHOME

serverfarm APPSRV_30450_POC

action URLREWRITE

policy-map multi-match CLIENT-VIPS

class-map match-any L4-CLASS-TESTPOC-validate

loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY

class L4-CLASS-TESTPOC-SSL

loadbalance vip inservice

loadbalance policy TESTPOC-SSL-POLICY

loadbalance vip icmp-reply

loadbalance vip advertise active

nat dynamic 251 vlan 555

appl-parameter http advanced-options TEST_HTTP_MAP

ssl-proxy server TEST_POC_SSL_PROXY

The class-map matching on the ACL would be hit first. If the user is one of the allowed IPs in the list it will match and they can get to the loging/validate page, or anywhere eles. If they are not one of these users they drop to the next L4 class (the existing one) and this time if they try to go to the login/validate page the ACE will just drop it. they can go anywhere else but this page. this bit I don't understand will it not just allow it because the class associated with this policy TESTPOC-SSL-POLICY has /login* meaning it can go to any page ?

Thanks for your help with this

jsirstin · ‎03-13-2013

Rick,

I think you have it backwards

class-map match-any L4-CLASS-TESTPOC-validate

10 match access-list ACL_name

class-map match-any L4-CLASS-TESTPOC-SSL

10 match virtual-address 5.5.5.5 tcp eq https

policy-map multi-match CLIENT-VIPS

class L4-CLASS-TESTPOC-validate

loadbalance vip inservice

loadbalance policy TESTPOC-SSL-POLICY

loadbalance vip icmp-reply

loadbalance vip advertise active

nat dynamic 251 vlan 555

appl-parameter http advanced-options TEST_HTTP_MAP

ssl-proxy server TEST_POC_SSL_PROXY

L4-CLASS-TESTPOC-SSL

loadbalance vip inservice

loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY

loadbalance vip icmp-reply

loadbalance vip advertise active

nat dynamic 251 vlan 555

appl-parameter http advanced-options TEST_HTTP_MAP

the idea is if you are one of the ACL matches you are allowed to use the /login/validate url. the original l7 class allowed this so you would put this under the match on ACL.

The new loadbalance policy has a match for /login/validate but rather than sending it to a serverfarm the ACE will just drop this. This is just to make sure that if a non-approved IP tries to hit this URL they fail.

Does that make it clearer?

Thank you

Jim