03-13-2013 01:30 AM
Hi
Basically I am wanting to restrict access to a L7 URL, allowing a number of source IP addresses access and denying everyone else.
I guess this would be simple to do with a L4 vip as it could be done with ACLs, but I'm not sure how to restrict access to only allow certain IPs to a L7 URL and deny everyone else.
The URL I want to restrict is https://www.xxx.com/login/validate
Below is the config for your ref.
class-map match-any L4-CLASS-TESTPOC-SSL
  10 match virtual-address 5.5.5.5 tcp eq https
class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*
class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*
policy-map type loadbalance http first-match TESTPOC-SSL-POLICY
  class L7CLASS-login-validate (THIS IS AT THE TOP AS IT NEEDS TO MATCH FIRST DUE TO L7CLASS-login)
    action URLREWRITE
  class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE
policy-map multi-match CLIENT-VIPS
  class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY
I did try to accomplish the restriction with the use of a nested class-map that matched on source IP and URL with the drop action in the policy. This did work in that it dropped the connection from the source IP that was nested in the class-map, but the issues with this are as follows:
1) Denied access from 1 IP only, thus allowing everyone else access. I wanted to allow 1 or 2 IPs and deny everyone else.
2) I can only add 1 IP or subnet within the nested class-map as a source, so I don't have the flexibility to add to it.
Your help will be greatly received.
Thanks
03-13-2013 05:14 AM
Hi,
You should be able to do this with nested class-maps. The class-map that defines the allowed addresses needs to be of type http.
class-map type http loadbalance match-any ALLOW-VALIDATE
  10 match source-address 10.1.1.1 255.255.255.255
  15 match source-address 10.2.2.2 255.255.255.255
  20 match source-address 10.3.4.5 255.255.255.255
  25 match source-address 10.199.199.23 255.255.255.255
  ...
This should allow you the equivalent of matching on an ACL.
Hope that helps
Kind Regards
Cathy
03-13-2013 10:05 AM
Hi, thanks for your reply.
I'm not sure this will work as I need it to. I am wanting to permit only a few addresses and deny everyone else, the everyone else being the internet, so I won't know the specific addresses to deny, only the ones to allow.
If I use the class-map as stated and the source address is not in the match address, will this just be allowed by the next class in the policy?
class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*
class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*
policy-map type loadbalance http first-match TESTPOC-SSL-POLICY
  class L7CLASS-login-validate (source address not in class)
    serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-login (source address will hit this next I believe and the connection will be accepted)
    sticky-serverfarm TEST_POC
    action URLREWRITE
Thanks again for your help.
03-13-2013 10:55 AM
Rick,
What about just using two different class-maps?
The first one would match on an ACL for the specific users that you want to hit the login/validate page.
Build out the ACL and create the class-map to match on.
access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443
Add all of the approved IPs to this list.
class-map match-any L4-CLASS-TESTPOC-validate
  10 match access-list ACL_name
Add the L7 policy under this class.
Then have your existing class-map placed under the one above in the multi-match policy.
class-map match-any L4-CLASS-TESTPOC-SSL
  10 match virtual-address 5.5.5.5 tcp eq https
And under the L7 match for validate you can just drop the traffic rather than sending it to a serverfarm.
policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY
  class L7CLASS-login-validate
    drop
  class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE
The class-map matching on the ACL would be hit first. If the user is one of the allowed IPs in the list, it will match and they can get to the login/validate page, or anywhere else. If they are not one of these users, they drop to the next L4 class (the existing one), and this time if they try to go to the login/validate page the ACE will just drop it. They can go anywhere else but this page.
This way you do the matching on the L4 class and not in the L7 policy.
The L7 policy is just to enforce that non-approved IPs will get dropped if they try to hit this page.
Could this work for you?
Best regards
Jim
03-13-2013 12:53 PM
Hi Jim.
Thanks for your reply, however I'm still a little confused, sorry :-(
I understand the following:
access-list ACL_name extended permit tcp host x.x.x.x host 5.5.5.5 eq tcp 443
class-map match-any L4-CLASS-TESTPOC-validate
  10 match access-list ACL_name
Add the L7 policy under this class ???? Please explain, am I correct with the config below?
policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY
  class L7CLASS-login-validate
    drop
  class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-MYHOME
    serverfarm APPSRV_30450_POC
    action URLREWRITE
policy-map multi-match CLIENT-VIPS
  class L4-CLASS-TESTPOC-validate
    loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY
  class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY
"The class-map matching on the ACL would be hit first. If the user is one of the allowed IPs in the list, it will match and they can get to the login/validate page, or anywhere else. If they are not one of these users, they drop to the next L4 class (the existing one), and this time if they try to go to the login/validate page the ACE will just drop it. They can go anywhere else but this page." This bit I don't understand: will it not just allow it, because the class associated with this policy TESTPOC-SSL-POLICY has /login*, meaning it can go to any page?
Thanks for your help with this
03-13-2013 01:57 PM
Rick,
I think you have it backwards.
class-map match-any L4-CLASS-TESTPOC-validate
  10 match access-list ACL_name
class-map match-any L4-CLASS-TESTPOC-SSL
  10 match virtual-address 5.5.5.5 tcp eq https
policy-map multi-match CLIENT-VIPS
  class L4-CLASS-TESTPOC-validate
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY
  class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
The idea is if you are one of the ACL matches you are allowed to use the /login/validate URL. The original L7 class allowed this, so you would put this under the match on ACL.
The new loadbalance policy has a match for /login/validate but rather than sending it to a serverfarm the ACE will just drop this. This is just to make sure that if a non-approved IP tries to hit this URL they fail.
Does that make it clearer?
Thank you
Jim
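The allow-list layout Jim describes, assembled end to end as an added example (not config posted in the thread): approved sources are selected by an ACL-based L4 class listed first in the multi-match policy and keep the original L7 policy, everyone else falls through to the VIP class whose L7 policy drops /login/validate. The ACL name, the 198.51.100.x source hosts and the eq 443 port form are my placeholders, and the validate class under the approved policy is assumed to use the same sticky-serverfarm as the login class.

```cisco
! Added example, not from the thread. Placeholders: ACL name and 198.51.100.x hosts.
access-list ACL_VALIDATE_ALLOWED extended permit tcp host 198.51.100.10 host 5.5.5.5 eq 443
access-list ACL_VALIDATE_ALLOWED extended permit tcp host 198.51.100.11 host 5.5.5.5 eq 443
! L4 classes: the ACL class is what distinguishes approved sources from the internet.
class-map match-any L4-CLASS-TESTPOC-VALIDATE-ALLOWED
  10 match access-list ACL_VALIDATE_ALLOWED
class-map match-any L4-CLASS-TESTPOC-SSL
  10 match virtual-address 5.5.5.5 tcp eq https
! L7 classes, shared by both policies below.
class-map type http loadbalance match-any L7CLASS-login-validate
  10 match http url /login/validate.*
class-map type http loadbalance match-any L7CLASS-login
  10 match http url /login/.*
  20 match http url /login*
! Policy for approved sources: /login/validate is served (assumed sticky-serverfarm).
policy-map type loadbalance http first-match TESTPOC-SSL-POLICY
  class L7CLASS-login-validate
    sticky-serverfarm TEST_POC
    action URLREWRITE
  class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
! Policy for everyone else: /login/validate is dropped, the rest of /login still works.
policy-map type loadbalance http first-match TESTPOC-SSL-VALIDATE_DROP-POLICY
  class L7CLASS-login-validate
    drop
  class L7CLASS-login
    sticky-serverfarm TEST_POC
    action URLREWRITE
! L7CLASS-MYHOME from the original policy is appended unchanged to both policies.
! Order matters: the ACL class is listed first so approved sources never reach the
! drop policy; all other clients fall through to the catch-all VIP class.
policy-map multi-match CLIENT-VIPS
  class L4-CLASS-TESTPOC-VALIDATE-ALLOWED
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-POLICY
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY
  class L4-CLASS-TESTPOC-SSL
    loadbalance vip inservice
    loadbalance policy TESTPOC-SSL-VALIDATE_DROP-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    nat dynamic 251 vlan 555
    appl-parameter http advanced-options TEST_HTTP_MAP
    ssl-proxy server TEST_POC_SSL_PROXY
```

The ssl-proxy server line is needed under both L4 classes, since the ACE can only match the URL after it has terminated the TLS session; without it the drop policy would never see /login/validate.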