ACE - HTTPS CLASS MAP CONFIGURATION
Hi,
We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
https://abc.com/ABC/* -> serverfarm#1
https://abc.com/* -> serverfarm#2 (Default)
Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
=========================================================
Kanwaljeet,
Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map match-all vs_serverfarm
2 match virtual-address 10.178.50.140 tcp eq https
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
policy-map multi-match PRODWEB_POLICY
class vs_serverfarm
loadbalance vip inservice
loadbalance policy vs_serverfarm_https
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
ssl-proxy server ssl_serverfarm
=========================================================
Similar Messages
-
This is what I want to achieve USING the ACE as a reverse proxy.
User uses the url https://abc/password - gets to the destination server & the web page
If user tries to use any thing additional then the connection is dropped at the ACE such as
https://abc/password/test or any such variation.
Following is the config I have to achieve this
class-map type http loadbalance match-any L7-CLASS-TEST
match http url /password
match http url /password/
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url .*.*
policy-map type loadbalance first-match LBP-TEST
class L7-CLASS-TEST
serverfarm FARM-TEST
ssl-proxy client TEST
class L7-CLASS-TEST-deny
drop
class class-default
serverfarm FARM-TEST
ssl-proxy client TEST
The problem with this is when the page opens I get broken links on all the images. If I use the following line
match http url /password.*
I get the images to work but the user can use the https://abc/password/test which is not what I want.
Has any one faced this issue ?
Any help will be appreciated.
Thanks in advance
PrasannaPrasanna,
What about if you try it in HTTP and apply the following change?
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url /.*
This should work in HTTP but not with HTTPS
Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
Jorge -
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https,http,ftp & rdp traffic from Internet to few of the servers inside our LAN. So I put the below configuration to accomplish the task (example shows class-map for only https protocol) :
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? or do I need to change my configuation so that I have to match ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall ? Please help me.
Regards,
YadhuHey
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue the "match protocol ..." you are usig NBAR wich is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not layer 3 and 4 which the seconds approach does (IP and port-number).
Lets say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successfull because all you say, you are going to IP-address 172.17.0.56 over port 443 so go ahead.
But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
ACE ignoring class map depending on source???
I have a problem with a the load balancing "not working" properly depending on the source.
The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be choosen. If it is not present in the http request then serverfarm FE-app in the class-default is taking over.
This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
Here is the config:
rserver host FE1-app
description frontend app
ip address 192.168.137.69
inservice
rserver host FE2-app
description frontend app
ip address 192.168.137.74
inservice
serverfarm host FE1-app
rserver FE1-app 80
inservice
serverfarm host FE2-app
rserver FE2-app 80
inservice
serverfarm host FE-app
rserver FE1-app 80
inservice
rserver FE2-app 80
inservice
class-map type http loadbalance match-all COOKIE-FE1
2 match http cookie secondary ld cookie-value "fe1"
class-map type http loadbalance match-all COOKIE-FE2
2 match http cookie secondary ld cookie-value "fe2"
class-map match-all VIP-app
2 match virtual-address 192.168.138.39 tcp eq www
policy-map type loadbalance first-match VIP-app-loadbalance
class COOKIE-FE1
serverfarm FE1-app
class COOKIE-FE2
serverfarm FE2-app
class class-default
serverfarm FE-app
policy-map multi-match INT470
class VIP-app
loadbalance vip inservice
loadbalance policy VIP-app-loadbalance
loadbalance vip icmp-reply
interface vlan 470
description lb_rpfedrift
ip address 192.168.138.36 255.255.255.240
alias 192.168.138.35 255.255.255.240
peer ip address 192.168.138.37 255.255.255.240
service-policy input remote_mgmt_allow_policy
service-policy input INT470
no shutdownHi Federico,
The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
The best way to troubleshoot these kind of connections is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you to enable "persistence rebalance" for this VIP. For more details, check the link below:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
I hope this helps
Daniel -
Hello Gilles,
One question about something I was not able to find in the documentation.
Lets say I have one class-map which includes 2 ports (in this case https and 5061).
Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
The same way is valid for the generic probe. ACE module is able to probe both ports based on the class-map?
Thanks and have a great day!!
Giulio.
probe tcp PROBE_GENERIC_TCP
description This probe works for all TCP services by inheriting the VIP port.
interval 15
faildetect 2
passdetect interval 15
passdetect count 2
open 2
rserver host SERVER1_ACCESS
ip address <1AC>
inservice
rserver host SERVER2_ACCESS
ip address <2AC>
inservice
serverfarm host ACCESS-SFARM
probe PROBE_GENERIC_TCP
rserver SERVER1_ACCESS
inservice
rserver SERVER2_ACCESS
inservice
class-map match-any OCS_L4ACCESS
2 match virtual-address x.x.x.176 tcp eq https
2 match virtual-address x.x.x.176 tcp eq 5061
policy-map type loadbalance first-match OCS_L4ACCESS
class class-default
sticky-serverfarm ACCESS_STICKY
policy-map multi-match POLICY
class OCS_L4ACCESS
loadbalance vip inservice
loadbalance policy OCS_L4ACCESS
loadbalance vip icmp-reply active
connection advanced-options OCS_VIPTIMEOUT
nat dynamic XXX vlan 503Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.
-
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So couldn't I configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
Thank you
RomanHi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
Source ip filtering with class map on cisco ace30
Hello ,
I would like to know if it is possible to filter source ips connecting to a virtual ip within a class map configuration ( or something else ) ?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
2 match access-list S_IP_FILTERING
3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
thanks for your support
Case,Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
for example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
class LOADBALANCE-FILTER
serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
class TEST-CLASSMAP
loadbalance policy LOADBALANCE
loadbalance vip inservice
-Alex -
ACE HTTP loadbalancing problem
What i'm trying to achieve with the below config is
any request coming in with "programming" in the URL
will be mapped to one server and all else mapped to
a different. So what i see happening is that i can
get to the main page but not the page with "programming"
in the URL. I have to clear the connections to get
mapped to the serverfarm with that handles all requests
with "programming". I thought is was related to the
sticky serverfarm i had configured before so i reverted
to a ordinary serverfarm and it still doesn't work. Any
thoughts or suggestions????
rserver host TEST_01
ip address 10.10.204.200
inservice
rserver host TEST_02
ip address 10.10.204.201
inservice
serverfarm host TEST/PROG_SF
rserver TEST_02
inservice
serverfarm host TEST_SF
rserver TEST_01
inservice
class-map match-any TEST_VS
2 match virtual-address 10.10.215.27 tcp eq www
3 match virtual-address 10.10.215.27 tcp eq https
class-map type http loadbalance match-any TEST/PROG
3 match http url (/programming.*)
4 match http url /programming.*
policy-map type loadbalance first-match TEST_L7SLB
class TEST/PROG
serverfarm TEST/PROG_SF
class class-default
serverfarm TEST_SF
policy-map multi-match VIPS
class TEST_VS
loadbalance vip inservice
loadbalance policy TEST_L7SLB
loadbalance vip icmp-reply
interface vlan 215
service-policy input VIPSyou need to activate persistent rebalance which is not on by default so that subsequent requests inside the same tcp connection can be remapped to a different server if matching a different rule.
parameter-map type http HTTP-PARAM
persistence-rebalance
policy-map multi-match VIPS
class TEST_VS
appl-parameter http advanced-options HTTP-PARAM
Gilles. -
ACE http/https redirect or rewrite
Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficent to implement this?
ssl-proxy service ssl-App-443-81
key app1.test.com.key
cert app1.test.com.cert
rserver redirect App-secure-redirect
webhost-redirection https://app1.test.com/Go/
inservice
serverfarm redirect App-secure-redirect-sf
rserver App-secure-redirect
inservice
serverfarm host App-81-sf
probe TCP81
rserver proxy1 81
inservice
rserver proxy2 81
inservice
parameter-map type http http_param_map
header modify per-request
sticky http-cookie App-cookie App-sticky
cookie insert
replicate sticky
serverfarm App-81-sf
class-map match-any App-443-81-cm
2 match virtual-address 10.10.10.112 tcp eq https
class-map match-any App-81-cm
2 match virtual-address 10.10.10.112 tcp eq 81
class-map type http loadbalance App-secure-redirect-cm
match http url http://app1.test.com:81/Go/
policy-map type loadbalance http first-match App-rewrite-pm
class App-secure-redirect-cm
serverfarm App-secure-redirect-sf
policy-map type loadbalance http first-match App-sticky-443-81-pm
class class-default
sticky-serverfarm App-sticky
policy-map multi-match policy-inbound
class App-81-cm
loadbalance vip inservice
loadbalance policy App-rewrite-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
class App-443-81-cm
loadbalance vip inservice
loadbalance policy App-sticky-443-81-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options http_param_map
ssl-proxy server ssl-App-443-81If you are offloading www.yoursite.com on ACE and on the backend
real servers are not ssl aware (sends URL with http://) then with
following sample config you can instruct ACE to rewrite such urls (http->https)
class-map match-all VIP-443
match virtual-address x.x.x.x tcp eq https
action-list type modify http HTTP2HTTPS-REWRITE
ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
policy-map type loadbalance first-match YOUR-POLICY
class class-default
serverfarm YOUR-SFARM
action HTTP2HTTPS-REWRITE
class VIP-443
loadbalance vip inservice
loadbalance policy YOUR-POLICY
loadbalance vip icmp-reply active
ssl-proxy server YOUR-SSL-SERVICE
You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
Syed Iftekhar Ahmed -
ZBF Class-map and different way of doing them
Hi People just though i would ask a question on how to set up a ZBF. (question at the end of example config's)
i have been playing with this for a while now and like to get advice over what way is the recomended way of doing multiple matchs
ok we we all know the basic
class-map type inspect match-any ZBF_CM_ICMP
match protocol icmp
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_ICMP
inspect
and then the ZP dont need to show, this is a simple map using nbar fair enough
then we could a mulitiple matches
class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
match protocol icmp
match protocol http
match protocol dns
match protocol https
policy-map type inspect ZBF_PM_DMZ->EXTERNAL
class type inspect ZBF_CM_STD_DMZ_PORTS
inspect
Ok still easy to understand but now come the bit that a little more copmplex non NBAR matches
ip access-list extended AL_RDP_PORT
permit tcp any any eq 3389
class-map type inspect match-all ZBF_CM_RDP
match access-group name AL_RDP_PORT
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_RDP
inspect
This config is now using an access list because NBAR dosent have the protocol in it then map the AL to the CM then CM to PM. next is example is what i setup to get more non NBAR ports and only for 1 host
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match access-group name AL_ISATAP
match access-group name AL_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect (or pass with rule for other direction)
THis is what i setup and it works not for this example but the rule flow i then was having issues with DMVPN and ZBF (turned out to be an iso bug annoying me) but i used CiscoCP to setup the ZBF automaticly forthe DMVPN and it ZBF rule where same proceduare as below.
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY CM_ISATAP
match access-group name AL_ISATAP
class-map type inspect match-ANY CM_TEREDO
match access-group name AL_TEREDO
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match class-map CM_ISATAP
match class-map CM_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect
So what Cisco CP did was make yet another level of nesting rather then the match-all class map having the match access list command then made a cm with access list then the main class map had only other match class maps in it..
QUESTION:
Why did CiscoCP do the extra nesting
both ways worked but i would like to know why the cisco CP did the same thing with the other layer of CM did it do this for best practise or dose this make changed later easier i cant understand whats the advange to doing it this way... but if there is a valid reason then ill great jjust trying to understand.
thanks
regards
A very sore headed
DaveWhen people say "use as few classes as possible", it's usually related not to optimize heap usage, but jar size.
But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot less hacks to glue everything together.
It still is worth noting that often memory fragmentation is the true cause of running-out-of-memory-errors, and in this case loading many small classes will achieve exactly the opposite.
shmoove -
Hi, anyone can explain the "sh class-map list type qos" in XR platforms ? is this command used to know how many types of class-maps configured in one router ?
It is a useful command to help clean up unused class-maps:
RP/0/RSP0/CPU0:A9K-BNG#show class-map list type qos
Thu Sep 12 14:58:56.383 EDT
1) ClassMap: class1 Type: qos
Referenced by 3 Policymaps
2) ClassMap: class3 Type: qos
Referenced by 2 Policymaps
in this examples the QOS class-maps class1 and class3 which have index 1 and 2 respectively are used by respectively 3 or 2 policy-maps. can't remove them.
I could technically remove this class-map:
20) ClassMap: v6 Type: qos
Referenced by 0 Policymaps
Not used at all.
regards
xander -
I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be
permit ip 172.16.1.0 255.255.255.0 any
deny ip any any
or the other way around?
deny ip 172.16.1.0 255.255.255.0 any
permit ip any anythats right
but upong the ACL u have writen above u will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
and will match any other web traffic
but nothing else
i mean no smtp,pop3 or ftp
if u want to match any thing else after the deny or ignore statement
u have to make permit ip any any
after u match it with class-map
apply it to a policy map
like polic-map global_policy (which is the default global policy)
class-map (ur calss-map name)
csc fail-open
then
service-policy global_policy global
in this case it will be applied to all interfaces
good luck
Rate if helpful -
Cisco ACE loadbalancing matching more than one header in L7 class map
Dear All,
This is regarding Cisco ACE loadbalancing matching more than one header in L7 class map. I have a small setup with ACE 30 module in Cisco6500. I have got three webservers. Presently I have following configuration where I am mathing one url header.
class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
So for above configuration, when traffic is coming for abhisar.com, it is working fine.
Now, I have following headers and DNS entry is pointing to same virtual IP for all http url header same as abhisar.com
abhisarindia.com
indiaabhi.com
So new configuration will be
class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
4 match http header Host header-value ".*abhisarindia.com*"
6 match http header Host header-value ".*indiaabhi.com*"
So just want to confirm if this is fine.
Thank You,
Abhisar.Dear Rajesh,
Thank you for reply. I will let you know once I carry out this activity.
Thank You,
Abhisar. -
ACE - FQDN in a class map or other suggestions
It appears it is only possible to use an IP address when creating match conditions in a class map which makes sense.
We are using this basically as a NAT.
ie, server sends an HTTP message to the ACE containing XML
ACE then encrypts with an SSL cert and substitutes a public IP address and sends the XML out to a customer IP on the public internet
Problem is when customer changes the IP address, we need to change the configuration on the ACE. Ideally if I could use a DNS name, then the customer can manage any changes via DNS and not involve us.
Disclaimer: I'm a complete novice to the ACE
Any ideas appreciated!Hi Rob,
Can you share the current configuration and also the traffic flow here.
Regards,
Kanwal -
ACE class-map match url syntax
Can someone help me with the string that would match a url with no path specified? For instance; user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to https://outlook.domain.net/owa".
2 match http url oulook\.domain\.net\Adam and Shday,
I'll give you a hand on this =)
Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
In case SSL termination is configured then the configuration would be like this:
rserver redirect OWA
webhost-redirection https://%h/owa 301
inservice
serverfarm redirect OWA
rserver OWA
inservice
class-map type http loadbalance match-any OWA
2 match http header Host header-value "outlook.domain.net"
policy-map type loadbalance first-match OWA
class OWA
serverfarm OWA
class class-default
serverfarm Backend
Shday yours is pretty much the same but you need to decide if class-default needs
to be in place:
rserver redirect Domain
webhost-redirection http://%h/any_path 301
inservice
serverfarm redirect Domain
rserver Domain
inservice
class-map type http loadbalance match-any Any
2 match http url /.*
class-map type http loadbalance match-any Domain
2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match Domain
class Any
serverfarm Backend
class Domain
serverfarm Domain
HTH
Pablo
Maybe you are looking for
-
Hello everyone... I've being having trouble with my macbook pro... and someone suggested that I might wanna restore it to it's factory settings... I'm wondering if it's better just to erase it and reinstall all, the only problem is that I don't know
-
Hi there We upgrade Discoverer 4i to BI Discoverer 10g release2, I have responsibilities define for each module, my all responsibilities are working fine in Discoverer 10g , except GL responsibilities, I am not able to see the data in Discoverer 10g
-
How to embed a viedo from youtube?
hi there. i have been stuck on this problem for about 2 days now and have no idea. can anyone tell me how i can embed a youtube video in my flash website (AS3, CS4) If that is not possible i have found a program called videolightbox, but that is in h
-
Getting encoded Email attachment!!!!
Hi Frds, I am sending a notification through email. Its the same SendEmailWith Attachments example. The samplecover.pdf file is shown properly in email attachment , but when I wanna read .txt/.doc/.rtf file its showing some encoding. I am using mime
-
Calling form with new db connection
Hi all, This is my problem. I have a requirement to call a form from the when-button-pressed trig of a different form and connect to that called form using a different username/password/connect string. I used logout and logon to do it and it works fi