ACE:LB several https services using same client(public) IP address

ajtm
Level 1

Works perfectly with http but doesn't with https:

class-map type http loadbalance match-all domain_mysite2
  2 match http header Host header-value "www.mysite2.com"
class-map match-any vip_http
  2 match virtual-address 192.168.99.100 tcp eq www
class-map match-any vip_https
  2 match virtual-address 192.168.99.100 tcp eq https
policy-map type loadbalance first-match L7_policymap
  class domain_mysite2
    serverfarm sfarm_SFARM2
  class class-default
    serverfarm sfarm_SFARM1
policy-map multi-match L4_policymap
  class vip_http
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active
  class vip_https
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active

Need urgent help.


Kanwaljeet Singh
Cisco Employee

Hi,

Your requirement is not clear, but for ACE to load balance on the basis of the host header value, ACE should be able to look at the HTTP header, which will not happen in your case if you are not using SSL termination on it, which means that it will hit the default policy.

Just on the basis of L4, it should work fine.

Regards,

Kanwal

How can I do it only with L4 if I just have one IP address?

Regards,

Antonio

Hi,

You can differentiate on the basis of TCP ports.

class-map match-any vip_http
  2 match virtual-address 192.168.99.100 tcp eq www
class-map match-any vip_https
  2 match virtual-address 192.168.99.100 tcp eq 443

Regards,

Kanwal

Hi Kanwal,

Unfortunately it is not possible to use different ports because the clients are not aware - they just type https://www.mysite.com or https://www.mysite2.com and the DNS resolves both URLs to the same IP address. Do I have any other option besides SSL termination?

Regards,

Antonio

Hi Antonio,

For ACE to take decision on the basis of host header value, it needs to decrypt the traffic, so there is no other way.

A second workaround would be to make a change in the DNS zone file and resolve mysite2.com to some other IP address which is a VIP on ACE, but using SSL termination is a better option since you will offload SSL to ACE, which is CPU intensive, and ACE can take the decision on the basis of L7 information since now it can look into the HTTP header.

Regards,

Kanwal

Hi Kanwal,

The clients are on the internet and I just have an ASA Firewall in the middle, so I think it's not possible to use the "DNS trick".

Regarding the SSL offload option, how can I do it? I'm aware that I need to upload the certificate and key to the ACE and that I need to create the SSL proxy service and add these two files to it. But I have some doubts regarding the class and policy configuration since I want to preserve the remaining configuration.

Regards,

Antonio

Hi,

You just need to add SSL proxy in policy multi-match under class vip_https.

Regards,

Kanwal
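A check for the misconfiguration diagnosed above, added here as an example (it is not code from the thread or from Cisco): it parses an ACE-style configuration and reports every HTTPS VIP class that applies an L7 HTTP policy without an ssl-proxy server, since without termination the host-header class can never match and traffic falls through to class-default. The sample config is a compacted, constructed version of the original question, and the ssl-proxy service name SSL_PSERVICE_SERVER is assumed.

```python
# Constructed sample based on the original question's config (compacted):
# vip_https hands HTTPS to an L7 host-header policy with no ssl-proxy.
ACE_CONFIG = """\
class-map type http loadbalance match-all domain_mysite2
  2 match http header Host header-value "www.mysite2.com"
class-map match-any vip_https
  2 match virtual-address 192.168.99.100 tcp eq https
policy-map type loadbalance first-match L7_policymap
  class domain_mysite2
    serverfarm sfarm_SFARM2
policy-map multi-match L4_policymap
  class vip_https
    loadbalance policy L7_policymap
"""
# The thread's fix: an ssl-proxy service (name assumed) under vip_https.
FIXED_CONFIG = ACE_CONFIG.replace(
    "  class vip_https\n    loadbalance policy L7_policymap\n",
    "  class vip_https\n    loadbalance policy L7_policymap\n"
    "    ssl-proxy server SSL_PSERVICE_SERVER\n")

def parse_blocks(config):
    """Group each unindented header line with the indented lines beneath it."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":
            blocks.append([line])
        else:
            blocks[-1].append(line.strip())
    return blocks

def lint_https_l7(config):
    """Return VIP classes that send HTTPS to an L7 HTTP policy with no ssl-proxy."""
    blocks = parse_blocks(config)
    name = lambda b: b[0].split()[-1]
    http_cls = {name(b) for b in blocks if b[0].startswith("class-map type http")}
    https_vips = {name(b) for b in blocks if b[0].startswith("class-map")
                  and any(l.endswith(("tcp eq https", "tcp eq 443")) for l in b[1:])}
    l7_http = {name(b) for b in blocks if b[0].startswith("policy-map type loadbalance")
               and any(l.startswith("class ") and l.split()[1] in http_cls for l in b[1:])}
    findings = []
    for b in (b for b in blocks if b[0].startswith("policy-map multi-match")):
        vip, policy, has_ssl = None, None, False
        for line in b[1:] + ["class __end__"]:  # sentinel flushes the last class
            if line.startswith("class "):
                if vip in https_vips and policy in l7_http and not has_ssl:
                    findings.append(vip)
                vip, policy, has_ssl = line.split()[1], None, False
            elif line.startswith("loadbalance policy "):
                policy = line.split()[2]
            elif line.startswith("ssl-proxy server "):
                has_ssl = True
    return findings
```

Running lint_https_l7 on ACE_CONFIG reports vip_https; on FIXED_CONFIG it reports nothing.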

Hi Antonio,

Have a look at this below as well for details.

Example of an SSL Termination Configuration

The following example illustrates a running configuration of the ACE acting as an SSL proxy server; terminating SSL or TLS connections from a client and then establishing a TCP connection to an HTTP server. When the ACE terminates the SSL or TLS connection, it decrypts the cipher text from the client and transmits the data as clear text to the HTTP server. The SSL termination-specific configuration elements appear in bold in the example.

access-list ACL1 line 10 extended permit ip any any
probe https GEN-HTTPS
  port 80
  interval 50
  faildetect 5
  expect status 200 200
rserver SERVER1
  ip address 172.27.16.11
  inservice
rserver SERVER2
  ip address 172.27.16.12
  inservice
rserver SERVER3
  ip address 172.27.16.13
  inservice
rserver SERVER4
  ip address 172.27.16.14
  inservice
serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER3 80
    inservice
  rserver SERVER4 80
    inservice
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version all
parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow
ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
  key MYKEY.PEM
  cert MYCERT.PEM
class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL Testing
  2 match http url .*.jpg
  3 match source-address 192.168.130.0 255.255.255.0
class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.130.0 255.255.255.0
class-map match-all L4_SSL-TERM_CLASS
  description SSL Termination VIP
  2 match virtual-address 192.168.130.11 tcp eq https
policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class L7_SERVER_CLASS
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
  class L7_SLB-HTTP_CLASS
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
policy-map multi-match L4_SSL-VIP_POLICY
  class L4_SSL-TERM_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options TCP_PARAM
interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4_SSL-VIP_POLICY
  no shutdown
ip route 10.1.0.0 255.255.255.0 192.168.120.254

Regards,

Kanwal

Hi Antonio,

You will also need a SAN certificate to make it work.

--------------------- Cesar R ANS Team

Hi Kanwal,

In your configuration all the HTTPS traffic is terminated in ACE. Is it possible to terminate only this particular traffic (I think not)?

Regards,

Antonio

Surya ARBY
Level 4

If all your sites are under the same domain, the simplest solution is to use a cross domain certificate (*.domain.com);

otherwise you can use a multi domain certificate (using the SAN field: Subject Alternative Name).

SNI (server name indication) is the cleanest way to do it but it's not supported by all browsers / load balancers.
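To make the wildcard-versus-SAN distinction above concrete, here is an added example (not from the thread) that applies the usual RFC 6125 wildcard rules to the two hostnames from this question: a wildcard covers only one label under its own domain, so *.mysite.com would validate www.mysite.com but not www.mysite2.com, and a certificate listing both names in its SAN is needed when the sites are in different domains. The hostnames and certificate name lists are constructed inputs.

```python
# Constructed inputs: the two sites from the thread, a wildcard certificate
# for one domain, and a SAN certificate naming both hosts explicitly.
SITES = ["www.mysite.com", "www.mysite2.com"]
WILDCARD_CERT = ["*.mysite.com"]
SAN_CERT = ["www.mysite.com", "www.mysite2.com"]

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: a wildcard is accepted only as the entire
    leftmost label and matches exactly one label, so *.mysite.com covers
    www.mysite.com but not mysite.com, a.b.mysite.com or www.mysite2.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # reject partial (w*.example) and too-broad (*.com) wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def uncovered(hostnames, cert_names):
    """Hostnames that a certificate carrying these names would NOT validate for."""
    return [h for h in hostnames if not any(name_matches(n, h) for n in cert_names)]
```

uncovered(SITES, WILDCARD_CERT) leaves www.mysite2.com uncovered, while uncovered(SITES, SAN_CERT) is empty.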