topic Config SSL on Cisco ACE 4710 in Application Networking

Config SSL on Cisco ACE 4710

alkabeer80 — Fri, 27 Dec 2013 16:32:35 GMT

Hi,

This is the first time i am configuring cisco ACE for SSL offloading, i need help in accomplish this task.

i have router outside which nat public ip to vip on ace. i want to configure ssl offloading on ace and after ACE traffic to pass as clear text port 80.

i have purchased public certifcate and install it on ACE, internal server is not yet ready .

How i can verify my config. , Is this correct , first i dont want to apply any filter or any L7 inspection ?

How to test it before the server is ready ?

rserver host Host1
ip address 1.1.1.1
conn-limit max 4000000 min 4000000
probe HTTP
inservic

serverfarm host SF1
probe HTTP
rserver Host1
conn-limit max 4000000 min 4000000
inservice

sticky ip-netmask 255.255.255.255 address source STICKY
timeout 60
timeout activeconns
serverfarm SF1

ssl-proxy service ID1
key KEY1.PEM
cert ID1.pem
chaingroup ID

class-map match-all VIP_ID
2 match virtual-address 1.1.1.2 tcp eq https

policy-map type loadbalance first-match VIP_ID-l7slb
class class-default
sticky-serverfarm STICKY

policy-map multi-match Client-side-VIP
class VIP_ID
    loadbalance vip inservice
    loadbalance policy VIP_ID-l7slb
    nat dynamic 2 vlan 11
    ssl-proxy server ID1

show crypto certificate all

ID1.pem:
Subject: /serialNumber=***********
Issuer: *******
Not Before: Nov 20 08:33:55 2013 GMT
Not After: Nov 21 10:53:19 2016 GMT
CA Cert: FALSE

Config SSL on Cisco ACE 4710

Kanwaljeet Singh — Fri, 27 Dec 2013 17:36:14 GMT

Hi Alkabeer,

The configuration looks fine. For the testing purpose you can use any machine or device which is accessible through HTTP and add it as rserver and try to access it through VIP. You can use test certificate and key for that purpose. Ensure that you mention 80 in front of rserver in serverfarm so that ACE forwards the traffic to backend rserver on port 80.

Regards,

Kanwal

Config SSL on Cisco ACE 4710

alkabeer80 — Sat, 28 Dec 2013 08:51:22 GMT

Hi Singh,

there is one more requirment which is i want to access the server on port base

https://www.xyz.com:9000

what is the way to allow port 9000 and another port 9001 ?

thanks

Config SSL on Cisco ACE 4710

Kanwaljeet Singh — Sat, 28 Dec 2013 12:41:03 GMT

Hi Alkabeer,

By default ACE will use the same destination port which will come in client request to VIP for forwarding the connection to rserver.

So if a request is https, ACE will send the traffic to the backend rserver at port 443. If it is 80, then it will send at port 80 to rserver.

If you want that request from client comes on port 443 but goes on port 9000 at the backend to rserver then you should add port for rserver under serverfarm. For example:

serverfarm host SF1

probe HTTP

rserver Host1 9000<------------------------------------------ This should be defined.

conn-limit max 4000000 min 4000000

inservice

Hope this answers your question.

Regards,

Kanwal