12-27-2013 08:32 AM
Hi,
This is the first time I am configuring Cisco ACE for SSL offloading; I need help accomplishing this task.
I have a router outside which NATs a public IP to the VIP on the ACE. I want to configure SSL offloading on the ACE, and after the ACE the traffic should pass as clear text on port 80.
I have purchased a public certificate and installed it on the ACE; the internal server is not yet ready.
How can I verify my config? Is this correct? At first I don't want to apply any filter or any L7 inspection.
How do I test it before the server is ready?
rserver host Host1
  ip address 1.1.1.1
  conn-limit max 4000000 min 4000000
  probe HTTP
  inservice
serverfarm host SF1
  probe HTTP
  rserver Host1
    conn-limit max 4000000 min 4000000
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY
  timeout 60
  timeout activeconns
  serverfarm SF1
ssl-proxy service ID1
  key KEY1.PEM
  cert ID1.pem
  chaingroup ID
class-map match-all VIP_ID
  2 match virtual-address 1.1.1.2 tcp eq https
policy-map type loadbalance first-match VIP_ID-l7slb
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match Client-side-VIP
  class VIP_ID
    loadbalance vip inservice
    loadbalance policy VIP_ID-l7slb
    nat dynamic 2 vlan 11
    ssl-proxy server ID1
show crypto certificate all
ID1.pem:
  Subject: /serialNumber=***********
  Issuer: *******
  Not Before: Nov 20 08:33:55 2013 GMT
  Not After: Nov 21 10:53:19 2016 GMT
  CA Cert: FALSE
12-27-2013 09:36 AM
Hi Alkabeer,
The configuration looks fine. For testing purposes you can use any machine or device which is accessible through HTTP, add it as an rserver and try to access it through the VIP. You can use a test certificate and key for that purpose. Ensure that you mention 80 in front of the rserver in the serverfarm so that ACE forwards the traffic to the backend rserver on port 80.
Regards,
Kanwal
12-28-2013 12:51 AM
Hi Singh,
There is one more requirement: I want to access the server on a port basis.
What is the way to allow port 9000 and another port 9001?
Thanks
12-28-2013 04:41 AM
Hi Alkabeer,
By default ACE will use the same destination port that comes in the client request to the VIP when forwarding the connection to the rserver.
So if a request is HTTPS, ACE will send the traffic to the backend rserver on port 443. If it is port 80, then it will send it to the rserver on port 80.
If you want a request that comes from the client on port 443 to go to port 9000 on the backend rserver, then you should add the port for the rserver under the serverfarm. For example:
serverfarm host SF1
  probe HTTP
  rserver Host1 9000    <------------------------------------------ This should be defined.
    conn-limit max 4000000 min 4000000
    inservice
Hope this answers your question.
Regards,
Kanwal
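A stand-in backend you can run on any reachable test box while the real server is not ready, covering both suggestions in this thread (use any HTTP-accessible machine as the rserver, and confirm that a client hitting the VIP on 443 is forwarded in clear text to 9000). This is an added example and not part of the original posts or of any Cisco ACE tooling; the listen port (9000) and the JSON fields it reports are my own choices.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


class EchoHandler(BaseHTTPRequestHandler):
    """Stub rserver: answers every GET with what it observed about the request.

    Browsing to the VIP over HTTPS and reading this JSON tells you whether the
    ACE terminated TLS and forwarded plain HTTP to the port you configured
    under the serverfarm (9000 in the thread), which source address it used
    (the 'nat dynamic' pool), and which Host header survived.
    """

    def do_GET(self):
        body = json.dumps({
            "listening_port": self.server.server_address[1],  # port the ACE hit
            "client": self.client_address[0],                 # ACE NAT address
            "path": self.path,
            "host_header": self.headers.get("Host"),
            "x_forwarded_for": self.headers.get("X-Forwarded-For"),
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # One log line per probe/request, handy when watching the HTTP probe
        # from the serverfarm bring the rserver into service.
        print("[stub-rserver] " + fmt % args)


def start_stub_rserver(host="0.0.0.0", port=9000):
    """Start the stub in a background thread and return the server object."""
    srv = ThreadingHTTPServer((host, port), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_backend(url):
    """Fetch the stub's JSON report from the given URL (direct or via the VIP)."""
    with urlopen(url, timeout=5) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    srv = start_stub_rserver(port=9000)
    print("stub rserver listening on 9000; press Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on the test machine, add that machine as the rserver with port 9000 in the serverfarm, then fetch https://<VIP>/ from a client: the report should show listening_port 9000 and a client address from the ACE NAT pool rather than the real client, which confirms offloading and port translation without touching the production server.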