Source ip filtering with class map on cisco ace30

Hello,
I would like to know if it is possible to filter source IPs connecting to a virtual IP within a class-map configuration (or something else)?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
2 match access-list S_IP_FILTERING
3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
Thanks for your support,
Case

Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
For example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
  2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
  2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
  class LOADBALANCE-FILTER
    serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
  class TEST-CLASSMAP
    loadbalance policy LOADBALANCE
    loadbalance vip inservice
-Alex
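A complete version of Alex's approach, added here as an example and not a config taken from the thread: the VIP class-map stays a plain Layer 3/4 match (no access-list mixed in, which is what the error on the match-all class-map complains about), the source filter moves into a Layer 7 loadbalance class-map, and an explicit class-default drop makes the deny for every other source visible in the config instead of relying on default behaviour. 1.1.1.1 and 2.2.2.2 come from the question; the names VIP-WEB, SRC-ALLOWED, WEB1, SF-WEB, LB-SRC-FILTER, PM-VIPS and vlan 100 are assumptions, the VIP is limited to tcp/80 as in Alex's example, and the lines starting with "!" are annotations, not ACE commands.

```text
! Layer 3/4 class: the virtual address only, no match access-list alongside it
class-map match-all VIP-WEB
  2 match virtual-address 2.2.2.2 tcp eq www

! Layer 7 loadbalance class: the permitted source(s); one line per allowed host or subnet
class-map type http loadbalance match-any SRC-ALLOWED
  2 match source-address 1.1.1.1 255.255.255.255

! Assumed real server and farm behind the VIP
rserver host WEB1
  ip address 192.0.2.10
  inservice
serverfarm host SF-WEB
  rserver WEB1 80
    inservice

! First-match: permitted sources are load balanced, every other source is dropped
policy-map type loadbalance first-match LB-SRC-FILTER
  class SRC-ALLOWED
    serverfarm SF-WEB
  class class-default
    drop

! Tie the L7 policy to the VIP class in the multi-match policy
policy-map multi-match PM-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-SRC-FILTER

! Assumed client-facing interface
interface vlan 100
  service-policy input PM-VIPS
```

The original access-list S_IP_FILTERING can still be applied to the interface with access-group input, but that filters all traffic entering the interface, not just connections to this one VIP.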

Similar Messages

  • Help with Class-map configuration - ZBFW

    Hello,
    I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration to accomplish the task (the example shows the class-map for only the https protocol):
    a.)
    class-map type inspect match-all HTTPS-ACCESS
    match protocol https
    match access-group name HTTPS-SERVER-ACCESS
    ip access-list extended HTTPS-SERVER-ACCESS
    permit tcp any host 172.17.0.55 eq 443
    permit tcp any host 172.17.0.56 eq 443
    permit tcp any host 172.17.0.36 eq 443
    permit tcp any host 172.17.0.45 eq 443
    permit tcp any host 172.17.0.60 eq 443
    Where .55, .56, .36, .45 and .60 are the servers inside the LAN (there are 12 more servers) that need to be accessed via https, http, ftp & rdp from the Internet.
    Is it a correct approach? Or do I need to change my configuration so that I match the ACL with my class-map like below:
    b.)
    ip access-list extended OUTSIDE-TO-INSIDE-ACL
    permit tcp any host 172.17.0.55 eq 443
    permit tcp any host 172.17.0.55 eq www
    permit tcp any host 172.17.0.55 eq 21
    permit tcp any host 172.17.0.55 eq 3389
    permit tcp any host 172.17.0.56 eq 443
    permit tcp any host 172.17.0.56 eq www
    permit tcp any host 172.17.0.56 eq 21
    permit tcp any host 172.17.0.56 eq 3389
    permit tcp any host 172.17.0.36 eq 443
    permit tcp any host 172.17.0.36 eq www
    permit tcp any host 172.17.0.36 eq 21
    permit tcp any host 172.17.0.36 eq 3389
    permit tcp any host 172.17.0.45 eq 443
    permit tcp any host 172.17.0.45 eq www
    permit tcp any host 172.17.0.45 eq 21
    permit tcp any host 172.17.0.45 eq 3389
    class-map type inspect match-all OUT-IN-CLASS
    match access-group name OUTSIDE-TO-INSIDE-ACL
    Which one is the correct approach when we consider the performance of the firewall? Please help me.
    Regards,
    Yadhu

    Hey
    I do not agree with Varun, I think the first approach is the best one.
    Why? Because when you issue the "match protocol ..." you are using NBAR, which is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not at layers 3 and 4 as the second approach does (IP and port number).
    Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is: you are going to IP address 172.17.0.56 over port 443, so go ahead.
    But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
    That's my two cents. Hope it helped!

  • Determine Target directory from Source file names without mapping

    Hi All,
    I have a requirement to determine the Target Directories from the Source file names.
    File Sender Adapter - XI - File Receiver Adapter
    In this scenario I am not doing any mapping. Source File directory contain 3 files. These file should go to 3 directories in the Target Server.
    Please help me with how I can meet this requirement.
    Thanks in advance
    Kevin

    Hi Kevin,
    If you can separate the files by name, have 3 sender communication channels, each picking up one of the files (you do this by making the regexes in the file names mutually exclusive), and then send them all to the target system using the same communication channel.
    regards,
    Horia

  • QoS Class-maps

    Trying to understand the class-default for marking.
    I have the concept of: identify traffic with ACLs,
    classify traffic for marking with class-maps,
    mark traffic with policy-maps.
    The policy-map will always have a default class for unaccounted traffic.
    What I don't quite understand is that there is no class-map "class-default".
    When servicing the "policy" the class-maps are referenced with "class A", "class B", "class class-default".
    When looking for the matches on class class-default there is no referenced class-map to go to....
    I figured I have to accept this logic means: if traffic was not specifically matched by the collection of class-maps in the config, IOS can assume the traffic would have been/is class-default.
    I had put a config together to classify certain traffic as CS0, like SNMP... I wanted to force traffic there as well as having all unaccounted traffic classified CS0.
    But from what I read, if I don't have SNMP matched in any class-map in the config, then this traffic would find itself in
    policy-map XXX
         class class-default
         set ip precedence 0
    even though class-default does not exist as "class-map class-default".

    Hi,
    You want to mark some traffic as CS0 and then count that traffic? But you won't know which traffic had CS0 imposed or was natively IPP 0, like all data traffic not specifically marked.
    The class class-default exists; just do a show class-map and you'll see it. It is IOS which creates it.
    Doing a show policy-map interface will show you which class-map was matched.

  • Class-map for CSC ignores

    I have an application that is getting blocked by the Trend Micro CSC under the http class-map. I need it to ignore http traffic from 172.16.1.0/24 and allow all else. I haven't worked with class-maps much, but my thinking is an ACL with the IP subnet and a match statement under the class-map. Where I have the question is, will the ACL be
    permit ip 172.16.1.0 255.255.255.0 any
    deny ip any any
    or the other way around?
    deny ip 172.16.1.0 255.255.255.0 any
    permit ip any any

    That's right,
    but with the ACL you have written above you will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
    and will match any other web traffic,
    but nothing else;
    I mean no SMTP, POP3 or FTP.
    If you want to match anything else after the deny or ignore statement,
    you have to add permit ip any any.
    After you match it with a class-map,
    apply it to a policy-map,
    like policy-map global_policy (which is the default global policy)
    class (your class-map name)
    csc fail-open
    then
    service-policy global_policy global
    In this case it will be applied to all interfaces.
    Good luck.
    Rate if helpful.

  • ACE ignoring class map depending on source???

    I have a problem with the load balancing "not working" properly depending on the source.
    The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1, the request should go to serverfarm FE1-app. If the value is fe2, then serverfarm FE2-app should be chosen. If it is not present in the HTTP request, then serverfarm FE-app in the class-default takes over.
    This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
    The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
    My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
    Here is the config:
    rserver host FE1-app
      description frontend app
      ip address 192.168.137.69
      inservice
    rserver host FE2-app
      description frontend app
      ip address 192.168.137.74
      inservice
    serverfarm host FE1-app
      rserver FE1-app 80
        inservice
    serverfarm host FE2-app
      rserver FE2-app 80
        inservice
    serverfarm host FE-app
      rserver FE1-app 80
        inservice
      rserver FE2-app 80
        inservice
    class-map type http loadbalance match-all COOKIE-FE1
      2 match http cookie secondary ld cookie-value "fe1"
    class-map type http loadbalance match-all COOKIE-FE2
      2 match http cookie secondary ld cookie-value "fe2"
    class-map match-all VIP-app
      2 match virtual-address 192.168.138.39 tcp eq www
    policy-map type loadbalance first-match VIP-app-loadbalance
      class COOKIE-FE1
        serverfarm FE1-app
      class COOKIE-FE2
        serverfarm FE2-app
      class class-default
        serverfarm FE-app
    policy-map multi-match INT470
      class VIP-app
        loadbalance vip inservice
        loadbalance policy VIP-app-loadbalance
        loadbalance vip icmp-reply
    interface vlan 470
      description lb_rpfedrift
      ip address 192.168.138.36 255.255.255.240
      alias 192.168.138.35 255.255.255.240
      peer ip address 192.168.138.37 255.255.255.240
      service-policy input remote_mgmt_allow_policy
      service-policy input INT470
      no shutdown

    Hi Federico,
    The source of the request has no relation to the way ACE handles the connections, so there are probably other differences in the traffic.
    The best way to troubleshoot this kind of connection is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
    From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you enable "persistence rebalance" for this VIP. For more details, check the link below:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
    I hope this helps
    Daniel

  • Layer 7 class-map with different match types

    Hello,
    I am fighting with a problem on an ACE-4710 version A3(2.4) configuration. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not of the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly stated that it should be possible.
    Here is what the configuration guide says:
    host1/Admin(config)# class-map type http loadbalance match-any CLASS3
    host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
    host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    host1/Admin(config-cmap-http-lb)# exit
    If I test exactly the same configuration in a context of my ACE, I receive an error message :
    CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
    CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
    CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    Error: Match-any classmap can not have different type of match
    If I use nested class-maps, I receive the same error message!
    Is it a known problem, or is there a solution for it?
    Thank you for any help
    Yves

    Hello Yves,
    The command error is correct.  I'll take a look at the docs and see about getting them corrected, if necessary.
    Basically, for a match-all, you would have to use different types.  For example, there will only be one Host header, so you would only specify it once using regex or a fixed string.  As you found out, the match-any requires that they all be of the same type.  See my example below:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    class-map type http loadbalance match-any URLS
      100 match http url .*\.gif
      200 match http url .*\.jpg
    class-map type http loadbalance match-any HEADER
      200 match http header Host header-value "CISCO"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
      class URLS
        serverfarm IMAGES-FARM
      class HEADER
        serverfarm CISCO-FARM
      class class-default
        serverfarm WWW-FARM
    So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
    class-map type http loadbalance match-any URL-JPG
      2 match http url .*\.jpg
    class-map type http loadbalance match-any HOST-XYZ
      2 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class URL-JPG
        serverfarm SERVER-FARM
      class HOST-XYZ
        serverfarm SERVER-FARM
    If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
    Hope this helps,
    Sean

  • Cisco ACE loadbalancing matching more than one header in L7 class map

    Dear All,
    This is regarding Cisco ACE load balancing matching more than one header in an L7 class-map. I have a small setup with an ACE30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration, where I am matching one URL header.
    class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
    description MATCH THE HOST HEADER OF HTTP REQUEST
    2 match http header Host header-value ".*abhisar.com*"
    So for the above configuration, when traffic is coming for abhisar.com, it is working fine.
    Now I have the following headers, and the DNS entry is pointing to the same virtual IP for all of these HTTP URL headers, the same as for abhisar.com:
    abhisarindia.com
    indiaabhi.com
    So the new configuration will be:
    class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
    description MATCH THE HOST HEADER OF HTTP REQUEST
    2 match http header Host header-value ".*abhisar.com*"
    4 match http header Host header-value ".*abhisarindia.com*"
    6 match http header Host header-value ".*indiaabhi.com*"
    So I just want to confirm that this is fine.
    Thank You,
    Abhisar.

    Dear Rajesh,
    Thank you for reply. I will let you know once I carry out this activity.
    Thank You,
    Abhisar.

  • Issue in mapping.. Source message expect with prefix ns0 in input message!

    Hi All,
    I used the XSD structure which I got from partner which starts like below.
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://xxxx.com/DirectSales/CustomerData" xmlns:prodata="urn:schemas-progress-com:xml-prodata:0001" xmlns="">
    <xsd:element name="CustomerRequest" prodata:proDataSet="true">
    I'm receiving the messages through SOAP adapter and the message looks like below.
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?><!-- Technical Routing --> <CustomerRequest xmlns='http://XXXX.com/DirectSales/CustomerData' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:SE='http://schemas.xmlsoap.org/soap/encoding/'>
    The message is failing during mapping. When I checked in message mapping, I found that the input source message is expected with the prefix "ns0", like <ns0:CustomerRequest...
    How can I solve this issue? Is there any way I can add the prefix "ns0" before it comes to the mapping step?
    Thanks
    Deepthi

    Hi Guys,
    I tried to use the below parameter.
    anonymizer.acceptNamespaces         'http://XXXX.com/DirectSales/CustomerData  ns0
    The ns0 is coming in all the tags, including segments and fields. I just want ns0 to come only at the root level, i.e. <ns0:CustomerReq...>
    It is coming like below...
    <ns0:CustomerRequest xmlns:ns0="http://XXXXXX.com/DirectSales/CustomerData">
      <ns0:ttCustomer>
        <ns0:branch-num>1424</ns0:branch-num>
        <ns0:cust-num>121</ns0:cust-num>
        <ns0:contact-code>3</ns0:contact-code>
      </ns0:ttCustomer>
    </ns0:CustomerRequest>
    I want the message to come as
    <ns0:CustomerRequest xmlns:ns0="http://XXXXXX.com/DirectSales/CustomerData">
      <ttCustomer>
        <branch-num>1424</branch-num>
        <cust-num>121</cust-num>
        <contact-code>3</contact-code>
      </ttCustomer>
    </ns0:CustomerRequest>
    Kindly help me with the parameter value to be passed for anonymizer.acceptNamespaces.
    Thanks
    Deepthi

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs, and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Specifying table with jdbc-class-map-name

    Greetings
    How do I specify the name of the table to map to when using the jdbc-class-map-name hint?
    In my jdo file, I have specified:
    <class name="Customer" objectid-class="CustomerId">
    <extension vendor-name="kodo" key="jdbc-class-map-name" value="base">
    <extension vendor-name="kodo" key="table" value="PERSONS"/>
    </extension>
    but when mappingtool generates the mapping file, the "table" hint
    is ignored, and I end up with the following in the .mapping file:
    <class name="Customer">
    <jdbc-class-map type="base" table="FRED.CUSTOMER"/>
    What I really want to see in the above jdbc-class-map is:
    table="FRED.PERSONS"
    I am using the property setting: kodo.jdbc.Schemas: FRED
    Note that mapping fields to columns using jdbc-field-map-name
    seems to work fine...
    Any clues? Thanks.
    droo.

    You can't specify table or column names via mapping tool hints. The
    typical way to change the default names is either to override the
    getValidTableName/getValidColumnName methods in a custom DBDictionary
    for systematic changes, or to follow the process outlined in example 7.6
    on this page:
    http://www.solarmetric.com/Software/Documentation/latest/docs/ref_guide_mapping.html#ref_guide_mapping_mappingtool_examples

  • Issue with ACE HTTP class map

    This is what I want to achieve USING the ACE as a reverse proxy.
    The user uses the URL https://abc/password, gets to the destination server and the web page.
    If the user tries to use anything additional, such as https://abc/password/test or any such variation, then the connection is dropped at the ACE.
    Following is the config I have to achieve this:
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is that when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work, but the user can use https://abc/password/test, which is not what I want.
    Has anyone faced this issue?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS.
    Anyway, it should not work since everything seems to be encrypted; you may require either SSL termination or end-to-end SSL for this, so that the ACE can decrypt the request, see what it needs to do and take the load-balancing decision.
    Jorge

  • Class-map with ACL rule

    In the following class-map:
    "class-map match-any voice
    match access-group 190"
    If ACL 190 has more than one line with "permit" statements:
    in order for the policy-map using the above class-map to find a match and apply the rules for the above class-map, does the traffic need to meet all the criteria in the ACL, or does it work like a regular ACL, where it "walks" down and stops execution at the first permit/deny "hit"?
    Regards,
    Christos

    The explicit "match-any" will do just that. So, a nested ACL can be configured for multiple criteria.
    The alternative is a "match-all", where all nested options in your ACL MUST be met. Hope this helps.
    T

  • Copy of source message to an element with graphical mapping

    Hi all,
    Is there a way to copy the complete source message of a mapping to an element of the destination message (with CDATA) with the graphical mapping (or a UDF, but I want to avoid XSL)?
    For example, from this message:
    <source>
      <element>test</element>
      <element2>test2</element2>
    </source>
    I expect the following result:
    <dest>
      <data><![CDATA[<source><element>test</element><element2>test2</element2></source>]]>
      </data>
    </dest>
    Thanks for your help.
    Greg

    Hi,
    Use this Simple Concept
    XML node into a string with graphical mapping
    /people/michal.krawczyk2/blog/2005/11/01/xi-xml-node-into-a-string-with-graphical-mapping
    Regards
    Seshagiri

  • OBIEE 11g - Maps with Google Map as Source

    Hi Experts,
    I am trying to create some maps using information from Google Maps as the source.
    In the MapViewer console, I have added Google Maps as the source in 'Manage Map Tile Layer' and was able to see the base map when I did a 'View Map/Manage Tiles'.
    However, when I logged into Analytics and tried to import layers, I am not able to see anything.
    Is there anything that I am missing out on? Thanks for any pointers.
    - Sujana

    Spatial data has to be setup in the database to get layers. I tried using some of the layers from the spatial data I had and then could get a map with google map as the background map.
    But couldn't find any easy alternate to fetch layer information.
    Edited by: user638087 on Apr 19, 2013 1:15 AM
    Edited by: user638087 on Apr 19, 2013 1:17 AM