cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1329
Views
0
Helpful
5
Replies
Highlighted
Beginner

Restrict Access To A L7 URL On ACE

Hi

Basically I am wanting to restrict access to a L7 URL, allowing a number of source IP addresses access and denying everyone else.

I guess this would be simple to do with a L4 vip as it could be done with ACL's but I'm no sure how to restrict access to only allow certain IPs to a L7 URL and deny everyone else.

The URL I want to restrict is https://www.xxx.com/login/validate

below is the config for you ref

class-map match-any L4-CLASS-TESTPOC-SSL
  10 match virtual-address 5.5.5.5 tcp eq https

class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*

policy-map type loadbalance http first-match TESTPOC-SSL-POLICY

  class L7CLASS-login-validate        (THIS IS AT THE TOP AS IT NEEDS TO MATCH FIRST DUE TO L7CLASS-login)

    serverfarm TEST_POC  

    action URLREWRITE
  class L7CLASS-login
    sticky-serverfarm TEST_POC

    action URLREWRITE
  class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE

policy-map multi-match CLIENT-VIPS
class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY

I did try to accomplish the restriction with the use of a nested class-map that matched on source IP and URL with the drop action in the policy. This did work in that it dropped the connection from the source IP that was nested in the class-map but the the issues with this are as follows -

1) Denied access from 1 ip only, thus allowing everyone else access. I waned to allow 1 or 2 ips and deny everyone else.

2) I can only add 1 IP or subnet within the nested class-map as a source so I don't have the flexibility to add to it.

You help will be greatly received.

Thanks

5 REPLIES 5
Highlighted
Enthusiast

Hi,

You should be able to do this with nested class-maps. The class-map that defines the allowed addresses needs to be of type http.

class-map type http loadbalance match-any ALLOW-VALIDATE

10 match source-address 10.1.1.1 255.255.255.255

15 match source-address 10.2.2.2 255.255.255.255

20 match source-address 10.3.4.5 255.255.255.255

25 match source-address 10.199.199.23 255.255.255.255

...

This should allow you the equivalent of matching on an ACL.

Hope that helps

Kind Regards

Cathy

Highlighted

Hi Thanks for you reply.

I'm not sure this will work as I need it to. I am wanting to permit only a few addresses and deny everyone else, the everyone else being the internet so I won't know the specific addresses to deny only to ones to allow.

If I use the class-map as stated and the source address is not in the match address will this just be allowed by the next class in the policy-

class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*

policy-map type loadbalance http first-match TESTPOC-SSL-POLICY

  class L7CLASS-login-validate      Souce address not in class

    serverfarm TEST_POC  

    action URLREWRITE
  class L7CLASS-login              Source addess will hit this next I believe and the connection will be accepted         sticky-serverfarm TEST_POC

    action URLREWRITE

class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*

class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*

Thanks again for your help.

Highlighted
Beginner

Rick,

What about just using two different class-maps.

the first one would match on an ACL for the specific users that you want to hit the login/vlidate page.

build out the ACL and  create the class-map to match on.

access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443

Add all of the approved IPs to this list.

class-map match-any L4-CLASS-TESTPOC-validate

  10 match access-list ACL_name

Add the L7 policy under this class.

Then have your existing class-map placed under the one above in the muilti-match policy.

class-map match-any L4-CLASS-TESTPOC-SSL

  10 match virtual-address 5.5.5.5 tcp eq https

and under the L7 match for validate you can just drop the traffic rather than sending it to a serverfarm.

policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY
  class L7CLASS-login-validate
    drop
class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE


The class-map matching on the ACL would be hit first. If the user is one of the allowed IPs in the list it will match and they can get to the loging/validate page, or anywhere eles. If they are not one of these users they drop to the next L4 class (the existing one) and this time if they try to go to the login/validate page the ACE will just drop it. they can go anywhere else but this page.

This way you do the matching on the L4 class and  not in the L7 policy.

L7 policy is just to inforce that that non approved IPs will get dropped if they try to hit this page.

could this work for you?

Best regards

Jim

Highlighted

Hi Jim.

Thanks for you reply, however I'm still a little confused sorry :-(

I understand following

access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443

class-map match-any L4-CLASS-TESTPOC-validate

  10 match access-list ACL_name

Add the L7 policy under this class ???? please explain am I correct wih the config below -

policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY

  class L7CLASS-login-validate

    drop

class L7CLASS-login

    sticky-serverfarm TEST_POC

    action URLREWRITE

  class L7CLASS-MYHOME

    serverfarm APPSRV_30450_POC

    action URLREWRITE

policy-map multi-match CLIENT-VIPS

class-map match-any L4-CLASS-TESTPOC-validate

    loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY

class L4-CLASS-TESTPOC-SSL

    loadbalance vip inservice

    loadbalance policy TESTPOC-SSL-POLICY

    loadbalance vip icmp-reply

    loadbalance vip advertise active

    nat dynamic 251 vlan 555

    appl-parameter http advanced-options TEST_HTTP_MAP

    ssl-proxy server TEST_POC_SSL_PROXY

The class-map matching on the ACL would be hit first. If  the user is one  of the allowed IPs in the list it will match and they  can get to the  loging/validate page, or anywhere eles. If they are not  one of these  users they drop to the next L4 class (the existing one)  and this time if  they try to go to the login/validate page the ACE will  just drop it.  they can go anywhere else but this page. this bit I  don't understand will it not just allow it because the class associated  with this policy TESTPOC-SSL-POLICY has /login* meaning it can go to any  page ?

Thanks for your help with this

Highlighted

Rick,

I think you have it backwards

class-map match-any L4-CLASS-TESTPOC-validate

  10 match access-list ACL_name

class-map match-any L4-CLASS-TESTPOC-SSL

  10 match virtual-address 5.5.5.5 tcp eq https

policy-map multi-match CLIENT-VIPS

  class L4-CLASS-TESTPOC-validate

      loadbalance vip inservice

      loadbalance policy TESTPOC-SSL-POLICY

      loadbalance vip icmp-reply

      loadbalance vip advertise active

      nat dynamic 251 vlan 555

      appl-parameter http advanced-options TEST_HTTP_MAP

      ssl-proxy server TEST_POC_SSL_PROXY

L4-CLASS-TESTPOC-SSL

      loadbalance vip inservice

      loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY

      loadbalance vip icmp-reply

      loadbalance vip advertise active

      nat dynamic 251 vlan 555

      appl-parameter http advanced-options TEST_HTTP_MAP

the idea is if you are one of the ACL matches you are allowed to use the /login/validate url. the original l7 class allowed this so you would put this under the match on ACL.

The new loadbalance policy has a match for /login/validate but rather than sending it to a serverfarm the ACE will just drop this. This is just to make sure that if a non-approved IP tries to hit this URL they fail.

Does that make it clearer?

Thank you

Jim

This widget could not be displayed.