Using Wildcards in HOST Class-Map
I want to use a wild card to match a HOST in a class-map. I want to match multiple hosts for the same site:
- Support.Cisco.com
- Employee.Cisco.com
- Helpdesk.Cisco.com
I want to match this with *.Cisco. Will this work?
You are right, my mistake
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_m1h.htm#wp1128712
Similar Messages
-
Using wildcard in Host header-value
I have a redirect in my configuration that if a host header matches a certain value, then it will redirect to https.
Originally I had the full host header, www.domain.com (actually www[.]domain[.]com).
However, I found out that if a user just enters "domain.com", without the www, it is not being detected and redirected.
I want to add a wildcard for the host portion. I tried .*[.]domain[.]com. But it seems to be hit or miss. Sometimes it seems to work, but other times it doesn't.
Is this the correct format for what I'm trying to do?
Thanks.
Jason
Jason-
Can you send all of the relevant configuration? Technically what you have should work, but there are some other things you might need (persistence rebalance, non-case sensitivity, etc.). Also, you could just add another line to a match-any class for the 2nd header instead of including every possible combination.
Regards,
Chris Higgins -
Hi
I'm a little unsure of how using ACLs works within a class map.
I want to allow access to a web server 1.1.1.1 and deny all other traffic coming from the outside zone to the inside zone, so I have created an ACL with a
permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
When I apply this to the policy map I can either inspect, drop or pass the traffic.
What I don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
For example, if I apply the pass action to this class-map/ACL, how does it handle the deny ip any any statement in the ACL?
If I am passing the traffic in the policy, does it still deny any deny statements in the ACL?
Also, what about multiple class maps in a policy map? Wouldn't a deny statement in the first ACL stop further processing in the policy map?
Hope this makes sense..
Thanks for any help
When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
ip access-list extended ACL_HTTP
  permit tcp any host 1.1.1.1 eq www
class-map type inspect match-any CM_HTTP
  match access-group name ACL_HTTP
In order to actually deny the traffic, you have to specify a drop in the policy map.
policy-map PM_HTTP
  class CM_HTTP
    inspect
  class class-default
    drop
To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
ip access-list extended ACL_HTTP
  permit tcp any host 1.1.1.1 eq www
ip access-list extended ACL_HTTPS
  permit tcp any host 1.1.1.1 eq 443
class-map type inspect match-any CM_HTTP
  match access-group name ACL_HTTP
  match access-group name ACL_HTTPS
policy-map PM_HTTP
  class CM_HTTP
    inspect
  class class-default
    drop
In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another. -
According to Cisco documentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html), the ASA is equipped with two default class-maps:
class-map inspection_default
  match default-inspection-traffic
and
class-map class-default
  match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
  class class-default
    inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)
Hello Collin,
This is Mike. I don't think it is well documented. Basically it is just a class map (that does not appear in the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (NetFlow) and traffic shaping are only allowed to use this kind of class map because they don't support any other match command.
The one that you currently have (and God I hope it's not applied) will look for TFTP traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy). You can check whether it is applied or not by running the "show run service-policy" command.
Mike -
How can I do this using Wildcards?
Hi everyone,
I have a class called LabeledDecimal which is a subclass of BigDecimal. Now, I have a class called Pair which is written using wildcards.
This class has a copyFrom() method which looks like:
public void copyFrom(Pair<T> p2) {
    this.first = p2.first;
    this.second = p2.second;
}
If I try to use this method like below:
Pair<BigDecimal> p1 = new Pair<BigDecimal>();
Pair<LabeledDecimal> p2 = new Pair<LabeledDecimal>(ld1, ld2);
p1.copyFrom(p2);
Then I get the error:
The method copyFrom(Pair<BigDecimal>) in the type Pair<BigDecimal> is not applicable for the arguments (Pair<LabeledDecimal>)
How do I fix the copyFrom() method to get rid of this problem using wildcards?
Edited by: fantastic_ray on Mar 20, 2008 12:07 AM
Figured it out!
public void copyFrom(Pair<? extends T> p2)
That will fix it. -
Using Wildcards in Mapping Script
Hi everybody, I'm new to FDM and I have some doubts about mapping scripts.
I have to recreate this Hyperion Translation Rule into FDM:
ACC_SAP tm_sap Reverse Sign UD4
N21099Z300 {NULL} FALSE CD1
D31199Z000 {NULL} FALSE CD1
????99 * FALSE CD
ACC_SAP is the source account
TM_SAP will be loaded into UD5 (as look up)
How could I manage this with a like mapping?
I guess using a script, but I'm not sure how to use wildcards within scripts. Is it possible?
Another related question: in an explicit mapping, how can I manage NULL values if I want to assign them the [None] value? Do I have to put NULL in the source field?
BR and thanks
Thanks KellyDGreen. With the example shown it is as you say, but what if tm_sap has wildcards?
F.i.
ACC_SAP TM_SAP TARGET_CUSTOM4
999? 123? 198276
Suppose that TM_SAP has been stored in UD5. Source dimensions are different from target dimensions, so I have to do it via script, don't I?
BR
Francisco -
I want to allow only specific url using class-map
I have two directories on the web server, like abc and xyz, but I have blocked the URL using a class-map like *xyz*.
Is there any way to allow a specific URL in the directory, like /abc/login.html, and block all the other files from the /abc directory?
Thanks. Actually, I posted my query because I haven't been able to make Parental Controls in OS X do what I want. I've been trying that tool for a while. It seems that there are sort of three options:
1. Allow everything with no exceptions
2. Block sites that fail an automated filter for "adult" content, and then add back allowable sites.
3. Block everything, and then add a white list of allowed sites
In my case, option 2 doesn't work, because frankly, I don't care if my kids choose to look at content that somebody has evaluated as "adult." Generally, the web log says that they don't, and if that does become an issue, then I will deal with it when it arises.
What I want to be able to do is the direct opposite of option 3 listed above: Allow everything except an admin-specified black list defined per user, and be able to modify that list from time to time when I have a specific issue with a specific user.
I just want to be able - from time to time, like when I know they are behind on school work - to block a short list of "innocuous" persistent time-sucking sites such as YouTube, Facebook, Twitter etc., even though there is not necessarily any objectionable content per se on the sites I want to block for that specific user (the "user-specific, admin-defined blacklist"). It is the lost (mis-allocated) time, not the risk of loose morals, that concerns me.
Network-level solutions exist, but these do not allow me to discriminate among user accounts as far as I can tell. If anybody knows of a good solution that works in OS X across various platforms - freeware or commercial - I will appreciate a lead. Or, if there is a hack that will allow me to accomplish this in Parental Controls, I would appreciate a pointer in that direction, as well. -
Same parameter-map used on 2 different classes
Greetings,
If the same parameter-map (type connection or http) is used on two different policy-map classes, will that create a conflict in how traffic for each of serverfarms uses persistence or inactivity timeout (script 1)?
Should we create a different instance of parameter-maps for each policy-map class (script 2)?
Script 1
parameter-map type connection inactivity_2000
  set timeout inactivity 2000
parameter-map type http persistence-rebalance
  persistence-rebalance
policy-map multi-match L4_POLICY
  class L3-4_VIP_A
    connection advanced-options inactivity_2000
    appl-parameter http advanced-options persistence-rebalance
    loadbalance policy L7_Serverfarm_A_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class L3-4_VIP_B
    connection advanced-options inactivity_2000
    appl-parameter http advanced-options persistence-rebalance
    loadbalance policy L7_Serverfarm_B_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
Script 2
parameter-map type connection L3-4_VIP_A_connection
  set timeout inactivity 2000
parameter-map type connection L3-4_VIP_B_connection
  set timeout inactivity 2000
parameter-map type http L3-4_VIP_A_http
  persistence-rebalance
parameter-map type http L3-4_VIP_B_http
  persistence-rebalance
policy-map multi-match L4_POLICY
  class L3-4_VIP_A
    connection advanced-options L3-4_VIP_A_connection
    appl-parameter http advanced-options L3-4_VIP_A_http
    loadbalance policy L7_Serverfarm_A_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class L3-4_VIP_B
    connection advanced-options L3-4_VIP_B_connection
    appl-parameter http advanced-options L3-4_VIP_B_http
    loadbalance policy L7_Serverfarm_B_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
Thanks
You can reuse the same parameter map.
Gilles. -
Class-maps used for load balancing on ACE
I am from CCS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
I am looking for specific information for the following :
1. Will each VIP have a corresponding service-policy on the VLAN interface, or can we club many VIPs (through policy-maps) onto a single service-policy entry on the interface?
2. I could not find any Cisco doco with configuration examples for more than one VIP address and would like to see some examples, if possible, or could someone direct me to a doco with many VIP entries?
- Should each VIP have a separate class-map or can we list them together?
You will have to configure L3/L4 class-maps for corresponding VIPs. You just need a single policy with n class-maps for n VIPs.
I am writing a sample that will hopefully help you on this
class-map match-all app1-vip
  match virtual-address 10.1.1.1 tcp eq 80
class-map match-any app2-vip
  match virtual-address 10.1.1.2 tcp eq 443
policy-map type loadbalance first-match L7app1
  class class-default
    serverfarm App1-farm
policy-map type loadbalance first-match L7app2
  class class-default
    serverfarm App2-farm
policy-map multi-match All-vips
  class app1-vip
    loadbalance vip inservice
    loadbalance policy L7app1
    loadbalance vip icmp-reply active
  class app2-vip
    loadbalance vip inservice
    loadbalance policy L7app2
    loadbalance vip icmp-reply active
int vlan 100
  ip address 10.10.10.101 255.255.255.0
  service-policy input All-vips
Syed Iftekhar Ahmed -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
  host 192.168.1.21
  host 192.168.1.22
  host 192.168.1.23
object-group service port
  tcp eq www
  tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure the ACL without object-groups for the traffic classification. It is horrible.
Thank you
Roman
Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
IOS Firewall: what is this class map doing?
Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for ssh access from the Internet to the router for management:
class-map type inspect match-any SSH
  match protocol ssh
  match access-group name SSH
The access list with the name "SSH" just allows certain public IP network blocks.
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Also just to ensure I am not confused about proper creation of the ACL. The ACL with the name SSH I've given is as follows:
ip access-list extended SSH
  permit tcp xx.xx.0.0 0.255.255.255 any eq 22
  permit tcp xx.xx.0.0 0.7.255.255 any eq 22
  permit tcp xx.xx.0.0 0.255.255.255 any eq 22
First, am I being redundant in the class map by telling it to match protocol ssh and also specifying port 22 in the ACL? And, is this ACL written properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?
Hello Colin,
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Exactly, you are getting it now. It needs to be a match-all....
Regarding the ACL should be like this:
access-list SSH
  permit tcp host outside_user_ip host router_outside_interface eq 22
Regards, -
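Added example, not code from any of the posts above: a small Python model of the classification rules described in the ACL-in-class-map answer earlier on this page and in the match-any/match-all SSH reply just above. It shows that an ACL under "match access-group" only yields match or no-match (a deny line, explicit or implicit, never drops by itself, and a deny in one ACL does not stop the next ACL from being evaluated), and that with match-any the "match protocol ssh" line alone admits SSH from any source, which is why the SSH class needs match-all. All names, addresses and packets are constructed for illustration.

```python
# Added example, not from the forum posts: a small model of how an IOS
# zone-based firewall classifies traffic with ACL-based class-maps and then
# applies a policy-map. Two points from the threads above are exercised:
#   1. an ACL under "match access-group" only classifies: a permit line is a
#      match, a deny line (explicit or implicit) is just "no match", never a drop;
#   2. "match-any" needs one line to hit, "match-all" needs every line, which
#      is why the SSH class-map must be match-all to restrict by source.
# Addresses, names and packets are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst dport proto")      # proto as inspect sees it
AclEntry = namedtuple("AclEntry", "action src dst dport")  # dport None = any port
ClassMap = namedtuple("ClassMap", "mode acls protocols", defaults=[(), ()])


def _in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)


def acl_matches(acl, pkt):
    """First matching line decides; only a permit counts as a hit.
    A deny hit, or falling off the end (implicit deny), is 'no match'."""
    for e in acl:
        if _in(e.src, pkt.src) and _in(e.dst, pkt.dst) and e.dport in (None, pkt.dport):
            return e.action == "permit"
    return False


def class_matches(cm, acls, pkt):
    hits = [acl_matches(acls[name], pkt) for name in cm.acls]   # match access-group
    hits += [pkt.proto == p for p in cm.protocols]              # match protocol
    return any(hits) if cm.mode == "match-any" else all(hits)


def policy_action(policy, class_maps, acls, pkt):
    """policy is [(class, action)] in configured order; first hit wins.
    class-default matches everything, so it carries the only real drop."""
    for cname, action in policy:
        if cname == "class-default" or class_matches(class_maps[cname], acls, pkt):
            return action
    return "pass"  # only reached if no class-default is configured


def http_https_example():
    """Two-ACL case from the thread, with an explicit 'deny ip any any' added
    to ACL_HTTP to show it does not stop ACL_HTTPS from being evaluated."""
    acls = {"ACL_HTTP": [AclEntry("permit", "any", "1.1.1.1/32", 80),
                         AclEntry("deny", "any", "any", None)],
            "ACL_HTTPS": [AclEntry("permit", "any", "1.1.1.1/32", 443)]}
    cmaps = {"CM_HTTP": ClassMap("match-any", ["ACL_HTTP", "ACL_HTTPS"])}
    policy = [("CM_HTTP", "inspect"), ("class-default", "drop")]
    pkts = {"http": Packet("203.0.113.9", "1.1.1.1", 80, "http"),
            "https": Packet("203.0.113.9", "1.1.1.1", 443, "https"),
            "telnet": Packet("203.0.113.9", "1.1.1.1", 23, "telnet")}
    return {k: policy_action(policy, cmaps, acls, p) for k, p in pkts.items()}


def ssh_example():
    """'match protocol ssh' plus 'match access-group name SSH', evaluated
    once as match-any and once as match-all."""
    acls = {"SSH": [AclEntry("permit", "198.51.100.0/24", "any", 22)]}
    policy = [("SSH", "inspect"), ("class-default", "drop")]
    pkts = {"trusted": Packet("198.51.100.7", "192.0.2.1", 22, "ssh"),
            "untrusted": Packet("203.0.113.9", "192.0.2.1", 22, "ssh")}
    out = {}
    for mode in ("match-any", "match-all"):
        cmaps = {"SSH": ClassMap(mode, ["SSH"], ["ssh"])}
        out[mode] = {k: policy_action(policy, cmaps, acls, p) for k, p in pkts.items()}
    return out
```

With match-any, the untrusted source is still inspected because the protocol line alone is a hit; only match-all combines the source restriction with the protocol check.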
Source ip filtering with class map on cisco ace30
Hello ,
I would like to know if it is possible to filter source ips connecting to a virtual ip within a class map configuration ( or something else ) ?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
  2 match access-list S_IP_FILTERING
  3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
thanks for your support
Case,
Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
for example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
  2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
  2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
  class LOADBALANCE-FILTER
    serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
  class TEST-CLASSMAP
    loadbalance policy LOADBALANCE
    loadbalance vip inservice
-Alex -
ACE - HTTPS CLASS MAP CONFIGURATION
Hi,
We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
https://abc.com/ABC/* -> serverfarm#1
https://abc.com/* -> serverfarm#2 (Default)
Technically this should not be difficult, and below is a sample of our configuration. We have a similar configuration working on our non-secured web site (HTTP). However, for the secure web site, the https request https://abc.com/ABC/xxx continues to be routed to serverfarm#2 instead of serverfarm#1, which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continues to frustrate me... Appreciate it if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
=========================================================
serverfarm host serverfarm#1
  predictor leastconns
  probe https_probe
  rserver rs_server#1
    inservice
  rserver rs_server#2
    inservice
serverfarm host serverfarm#2
  predictor leastconns
  probe https_probe
  rserver rs_server#3
    inservice
  rserver rs_server#4
    inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#2
class-map type http loadbalance match-any class-map-serverfarm#1
  2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
  class class-map-serverfarm#1
    sticky-serverfarm STICKY_HTTPS_serverfarm#1
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  class class-default
    sticky-serverfarm STICKY_HTTPS_serverfarm#2
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
=========================================================
Kanwaljeet,
Yes, we are using ACE for SSL termination, i.e. the front end is https and the back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminated on the ACE.
Below is an extract of the configuration; I've left out the remaining configuration which is not required.
=========================================================
serverfarm host serverfarm#1
  predictor leastconns
  probe https_probe
  rserver rs_server#1
    inservice
  rserver rs_server#2
    inservice
serverfarm host serverfarm#2
  predictor leastconns
  probe https_probe
  rserver rs_server#3
    inservice
  rserver rs_server#4
    inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#2
class-map match-all vs_serverfarm
  2 match virtual-address 10.178.50.140 tcp eq https
class-map type http loadbalance match-any class-map-serverfarm#1
  2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
  class class-map-serverfarm#1
    sticky-serverfarm STICKY_HTTPS_serverfarm#1
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  class class-default
    sticky-serverfarm STICKY_HTTPS_serverfarm#2
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
policy-map multi-match PRODWEB_POLICY
  class vs_serverfarm
    loadbalance vip inservice
    loadbalance policy vs_serverfarm_https
    loadbalance vip icmp-reply active
    nat dynamic 100 vlan 100
    ssl-proxy server ssl_serverfarm
========================================================= -
Hello Gilles,
One question about something I was not able to find in the documentation.
Let's say I have one class-map which includes 2 ports (in this case https and 5061).
Can I associate this class-map to just 1 generic serverfarm and probe for both ports, or do I have to specify 2 serverfarms/rservers/probes?
So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), is it sent to the same respective port on the rserver?
Is the same valid for the generic probe? Is the ACE module able to probe both ports based on the class-map?
Thanks and have a great day!!
Giulio.
probe tcp PROBE_GENERIC_TCP
  description This probe works for all TCP services by inheriting the VIP port.
  interval 15
  faildetect 2
  passdetect interval 15
  passdetect count 2
  open 2
rserver host SERVER1_ACCESS
  ip address <1AC>
  inservice
rserver host SERVER2_ACCESS
  ip address <2AC>
  inservice
serverfarm host ACCESS-SFARM
  probe PROBE_GENERIC_TCP
  rserver SERVER1_ACCESS
    inservice
  rserver SERVER2_ACCESS
    inservice
class-map match-any OCS_L4ACCESS
  2 match virtual-address x.x.x.176 tcp eq https
  2 match virtual-address x.x.x.176 tcp eq 5061
policy-map type loadbalance first-match OCS_L4ACCESS
  class class-default
    sticky-serverfarm ACCESS_STICKY
policy-map multi-match POLICY
  class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503
Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.
-
Layer 7 class-map with different match types
Hello,
I am fighting with a problem on an ACE-4710 version A3(2.4) configuration. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not of the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly stated that it should be possible.
Here is what the configuration guide says:
host1/Admin(config)# class-map type http loadbalance match-any CLASS3
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
host1/Admin(config-cmap-http-lb)# exit
If I test exactly the same configuration in a context of my ACE, I receive an error message :
CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
Error: Match-any classmap can not have different type of match
If I use nested class-maps, I receive the same error message !
Is it a known problem, or is there a solution for it?
Thank you for any help
Yves
Hello Yves,
The command error is correct. I'll take a look at the docs and see about getting them corrected, if necessary.
Basically, for a match-all, you would have to use different types. For example, there will only be one Host header, so you would only specify it once using regex or a fixed string. As you found out, the match-any requires that they all be of the same type. See my example below:
class-map type http loadbalance match-all HEADER-AND-URL
  100 match http url /login.*
  200 match http header Host header-value "XYZ"
class-map type http loadbalance match-any URLS
  100 match http url .*\.gif
  200 match http url .*\.jpg
class-map type http loadbalance match-any HEADER
  200 match http header Host header-value "CISCO"
policy-map type loadbalance first-match SLB_LOGIC
  class HEADER-AND-URL
    serverfarm LOGIN-FARM
  class URLS
    serverfarm IMAGES-FARM
  class HEADER
    serverfarm CISCO-FARM
  class class-default
    serverfarm WWW-FARM
So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
class-map type http loadbalance match-any URL-JPG
  2 match http url .*\.jpg
class-map type http loadbalance match-any HOST-XYZ
  2 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
  class URL-JPG
    serverfarm SERVER-FARM
  class HOST-XYZ
    serverfarm SERVER-FARM
If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
class-map type http loadbalance match-all HEADER-AND-URL
  100 match http url /login.*
  200 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
  class HEADER-AND-URL
    serverfarm LOGIN-FARM
Hope this helps,
Sean