cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
553
Views
0
Helpful
1
Replies

CSS SSL Configuration .

subashmbi
Level 1
Level 1

Hi All,

Kindly review my config.

When i access the Vip addres from outside it is not working.Internally, i tried it is working.

Scenario:-

Outside client-----------Firewall(natted pulic ip to VIP)---------------CSS-----------Apache server

is it possible when we access the application outside from port 80 the content s

witch redirect to port 443?


!

!************************* INTERFACE *************************
interface e1
  bridge vlan 50

interface e2
  bridge vlan 50

interface e3
  bridge vlan 50

interface e4
  bridge vlan 50

interface e9
  bridge vlan 50

!************************** CIRCUIT **************************
circuit VLAN50

  ip address 10.5.5.6 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 10.5.5.7
  ssl-server 20 rsacert qisrsacertnew1
  ssl-server 20 rsakey qis1
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.5.5.7 80
  active

!************************** SERVICE **************************
service Appache-1-http
  protocol tcp
  ip address 10.5.5.4
  port 80
  keepalive type http
  keepalive port 80
  active

service Appache-2-http
  protocol tcp
  ip address 10.5.5.5
  port 80
  keepalive type http
  keepalive port 80
  active

service ssl-serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

!*************************** OWNER ***************************
owner test

  content HTTP-Appache
    vip address 10.5.5.7
    add service Appache-1-http
    primarySorryServer Appache-2-http
    protocol tcp
    port 80
    active

  content ssl-rule-1
    vip address 10.5.5.7
    add service ssl-serv1
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    active

!*************************** GROUP ***************************
group test
  vip address 10.5.5.7
  add destination service Appache-1-http
  add destination service Appache-2-http
  active

1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

The configuration looks good.

Check if the new connection from outside does get to the CSS.

Check if the server gets the request and if it sends the response to the client through the CSS.

Sniffer trace would help here.

If you want to redirect port 80 traffic to prot 443, you first need to change the ssl-proxy config.

You will need to send the cleartext traffic to a different vip:port otherwise the decrypted traffic would also match the redirect rule.

Then for the vip:80 rule you configure a redirect as described in the config guide:

http://www.cisco.com/en/US/partner/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml

Gilles.

Review Cisco Networking for a $25 gift card