
Config SSL on Cisco ACE 4710

alkabeer80
Level 1

Hi,

This is the first time I am configuring Cisco ACE for SSL offloading; I need help in accomplishing this task.

I have a router outside which NATs a public IP to the VIP on the ACE. I want to configure SSL offloading on the ACE and, after the ACE, have the traffic pass as clear text on port 80.

I have purchased a public certificate and installed it on the ACE; the internal server is not yet ready.

How can I verify my config? Is this correct? First, I don't want to apply any filter or any L7 inspection.

How can I test it before the server is ready?

rserver host Host1
  ip address 1.1.1.1
  conn-limit max 4000000 min 4000000
  probe HTTP
  inservice


serverfarm host SF1
  probe HTTP
  rserver Host1
    conn-limit max 4000000 min 4000000
    inservice


sticky ip-netmask 255.255.255.255 address source STICKY
  timeout 60
  timeout activeconns
  serverfarm SF1

ssl-proxy service ID1
  key KEY1.PEM
  cert ID1.pem
  chaingroup ID

class-map match-all VIP_ID
  2 match virtual-address 1.1.1.2 tcp eq https

policy-map type loadbalance first-match VIP_ID-l7slb
  class class-default
    sticky-serverfarm STICKY

policy-map multi-match Client-side-VIP
  class VIP_ID
    loadbalance vip inservice
    loadbalance policy VIP_ID-l7slb
    nat dynamic 2 vlan 11
    ssl-proxy server ID1

show crypto certificate all

ID1.pem:
Subject: /serialNumber=***********
Issuer: *******
Not Before: Nov 20 08:33:55 2013 GMT
Not After: Nov 21 10:53:19 2016 GMT
CA Cert: FALSE
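One part of "how can I verify my config" before any backend exists is confirming the certificate the ACE is serving is inside its validity window. Below is an added example, not from the original post or from Cisco, that parses `show crypto certificate all` output in the format shown above and reports whether each certificate is valid on a given date. The sample output is constructed from this thread, with the serial number and issuer left as placeholders.

```python
# Added example (not from the original post): parse the output of
# `show crypto certificate all` as shown on this page and check each
# certificate's validity window, so the certificate installed for SSL
# offload can be verified before any backend server is in place.
from datetime import datetime, timezone

# Constructed sample output; serial number and issuer are placeholders as in the post.
SAMPLE_OUTPUT = """\
ID1.pem:
Subject: /serialNumber=***********
Issuer: *******
Not Before: Nov 20 08:33:55 2013 GMT
Not After: Nov 21 10:53:19 2016 GMT
CA Cert: FALSE
"""

# Timestamp layout used in the output, e.g. "Nov 21 10:53:19 2016" (zone stripped).
DATE_FMT = "%b %d %H:%M:%S %Y"


def parse_certificates(text):
    """Return a dict mapping certificate file name -> {field: value}."""
    certs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A line such as "ID1.pem:" with no other colon opens a new certificate block.
        if line.endswith(":") and ":" not in line[:-1]:
            current = line[:-1]
            certs[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        certs[current][key.strip()] = value.strip()
    return certs


def parse_ace_time(value):
    """Convert 'Nov 21 10:53:19 2016 GMT' into an aware UTC datetime."""
    stamp = value.rsplit(" ", 1)[0]  # drop the trailing zone token
    return datetime.strptime(stamp, DATE_FMT).replace(tzinfo=timezone.utc)


def check_validity(certs, now):
    """Return {name: (is_valid, days_remaining)} evaluated at `now` (aware datetime)."""
    result = {}
    for name, fields in certs.items():
        not_before = parse_ace_time(fields["Not Before"])
        not_after = parse_ace_time(fields["Not After"])
        is_valid = not_before <= now <= not_after
        days_left = (not_after - now).days  # negative once the cert has expired
        result[name] = (is_valid, days_left)
    return result


def check_sample_on(year, month, day):
    """Convenience: validity of the constructed sample at a given UTC date."""
    now = datetime(year, month, day, tzinfo=timezone.utc)
    return check_validity(parse_certificates(SAMPLE_OUTPUT), now)


if __name__ == "__main__":
    for name, (ok, days) in check_validity(
        parse_certificates(SAMPLE_OUTPUT), datetime.now(timezone.utc)
    ).items():
        print(f"{name}: valid={ok} days_remaining={days}")
```

Run as-is it evaluates the sample against today's clock, so the 2016 certificate from the post reports as expired; paste real `show crypto certificate all` output into `SAMPLE_OUTPUT` to check an ACE's installed certificates.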

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Alkabeer,

The configuration looks fine. For testing purposes you can use any machine or device which is accessible through HTTP, add it as an rserver and try to access it through the VIP. You can use a test certificate and key for that purpose. Ensure that you mention 80 in front of the rserver in the serverfarm so that ACE forwards the traffic to the backend rserver on port 80.

Regards,

Kanwal

Hi Singh,

There is one more requirement: I want to access the server on a port basis, e.g.

https://www.xyz.com:9000

What is the way to allow port 9000 and another port 9001?

Thanks

Hi Alkabeer,

By default ACE will use the same destination port which comes in the client request to the VIP for forwarding the connection to the rserver.

So if a request is HTTPS, ACE will send the traffic to the backend rserver on port 443. If it is 80, then it will send it on port 80 to the rserver.

If you want the request from the client to come in on port 443 but go to port 9000 at the backend rserver, then you should add the port for the rserver under the serverfarm. For example:

serverfarm host SF1
  probe HTTP
  rserver Host1 9000   <------------------------------------------ This should be defined.
    conn-limit max 4000000 min 4000000
    inservice

Hope this answers your question.

Regards,

Kanwal
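The port rule in the reply above (client destination port reused unless the `rserver` line under the serverfarm names a port) is easy to get wrong when a farm mixes rservers with and without overrides. Below is an added example, not Cisco's code or part of this thread, that parses a serverfarm block in ACE syntax and resolves the effective backend port of every rserver for a given client port. The configuration is constructed for the example; `Host2` without a port is an assumption added to show the default case.

```python
# Added example (not Cisco's code): resolve the backend port an ACE serverfarm
# would use, per the rule stated in the reply: the client's destination port on
# the VIP is reused unless the rserver line under the serverfarm names a port.
import re

# Constructed config modelled on this thread; Host2 (assumed) has no port override.
SAMPLE_CONFIG = """\
serverfarm host SF1
  probe HTTP
  rserver Host1 9000
    conn-limit max 4000000 min 4000000
    inservice
  rserver Host2
    inservice
"""

# "serverfarm host <name>" at column 0 opens a farm block.
SERVERFARM_RE = re.compile(r"^serverfarm\s+host\s+(\S+)")
# Indented "rserver <name> [port]" lines belong to the current farm;
# the top-level "rserver host <name>" definitions are not indented and do not match.
RSERVER_RE = re.compile(r"^\s+rserver\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_serverfarms(config):
    """Map serverfarm name -> {rserver name: port override or None}."""
    farms = {}
    current = None
    for line in config.splitlines():
        m = SERVERFARM_RE.match(line)
        if m:
            current = m.group(1)
            farms[current] = {}
            continue
        if current is None:
            continue
        m = RSERVER_RE.match(line)
        if m:
            port = int(m.group(2)) if m.group(2) else None
            farms[current][m.group(1)] = port
    return farms


def backend_ports(farms, farm_name, client_port):
    """Effective backend port for every rserver in `farm_name` for one client port."""
    return {
        name: (override if override is not None else client_port)
        for name, override in farms[farm_name].items()
    }


if __name__ == "__main__":
    farms = parse_serverfarms(SAMPLE_CONFIG)
    for vip_port in (443, 80):
        print(f"client port {vip_port}: {backend_ports(farms, 'SF1', vip_port)}")
```

Running it shows `Host1` always receiving port 9000 while `Host2` receives whatever port the client used on the VIP; for the offload case in this thread that means a clear-text backend port must be stated explicitly on the rserver line, or the ACE forwards HTTPS clients' port 443 to the backend unchanged.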
