Cisco CSS 11501 SSL Termination configuration

Unanswered Question
May 28th, 2009

Hi,

I am having issue with SSL termination config on the Cisco CSS11501.

With my config below, when I hit the Virtual IP of the CSS, httpS://10.211.242.164/, I get a prompt for an SSL certificate warning, but since I know it's a fake SSL certificate, I say OK (I use IE 7) and proceed to the site. Then I see a login page (httpS://....../welcome.do) and as soon as I log in with my credentials, I get redirected to the URL http://10.211.242.164/ instead of keeping httpS://.....

My intent is to have an httpS:// session maintained throughout, with the CSS accepting the incoming encrypted message, doing the authentication, decrypting the message to HTTP and forwarding the client request to the Web dispatcher on port 8182. Once the results are back from the Web dispatcher, the CSS should re-encrypt them and send the results back to the same client via HTTPS.

Can someone please help me to achieve this? My current config is as follows:

Thanks a million :)

Gowri

----------------------------------------------------------------------------------------------------------------------

CSS11501# show running-config
!Generated on 08/23/2007 16:45:45
!Active version: sg0730005

configure

!*************************** GLOBAL ***************************
cdp run
no restrict web-mgmt
app
app session 10.210.252.218
ssl associate rsakey rsakey rsakey
ssl associate cert rsacert rsacert.pem
ssl associate cert ec0 rsacert.pem
ssl associate cert ec0-test ec0.cer
ip route 0.0.0.0 0.0.0.0 10.211.242.5 1
ip route 10.211.239.105 255.255.255.255 10.211.242.1 1

!************************* INTERFACE *************************
interface e8
  bridge vlan 2

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.211.242.11 255.255.255.0

circuit VLAN2
  ip address 10.210.252.217 255.255.255.252

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  ssl-server 13
  ssl-server 13 vip address 10.211.242.164
  ssl-server 13 rsakey rsakey
  ssl-server 13 cipher rsa-with-rc4-128-md5 10.211.242.164 8182
  ssl-server 13 rsacert ec0-test
  active

!************************** SERVICE **************************
service server-ec0
  ip address 10.211.228.102
  port 8182
  protocol tcp
  no prepend-http
  domain "https://ec0.uk.rweutil.net"
  active

service ssl_module1
  type ssl-accel
  slot 2
  add ssl-proxy-list test
  keepalive type none
  port 443
  active

!*************************** OWNER ***************************
owner ssl

  content http-ec0
    vip address 10.211.242.164
    add service server-ec0
    advanced-balance cookies
    port 8182
    protocol tcp
    url "/*"
    active

  content ssl-ec0
    vip address 10.211.242.164
    add service ssl_module1
    application ssl
    port 443
    protocol tcp
    redirect "https://ec0.uk.rwetuil.net/"
    advanced-balance ssl
    active

!*************************** GROUP ***************************
group ssl_module_proxy
  vip address 10.211.242.10
  add destination service server-ec0
  active

CSS11501#

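An added illustration for the symptom described in the question above (it is not code from this thread or from Cisco, and it says nothing about the CSS itself). In any SSL-offload design the backend only ever sees plaintext HTTP, so if the application builds an absolute redirect after login it will say http://, and a terminating proxy that does not rewrite the Location header hands that downgrade straight to the browser. The script below shows both halves: detecting an https-to-http redirect in a response, and the Location rewrite a terminating proxy needs to apply on the way back out. The VIP 10.211.242.164 and the backend 10.211.228.102:8182 are taken from the posted config; the response bytes and the JSESSIONID value are constructed for the example.

```python
"""Detect and repair an https -> http redirect downgrade behind an
SSL-terminating proxy.  Added example; assumptions are marked below."""
from urllib.parse import urlsplit, urlunsplit

VIP = "10.211.242.164"                 # public HTTPS address (from the config)
BACKEND = "10.211.228.102"             # plaintext backend (from the config)
INTERNAL_HOSTS = (VIP, BACKEND)

# Constructed sample, not a real capture: what a login handler on the
# plaintext backend might answer after a successful POST to /welcome.do.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://10.211.242.164/\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_headers(raw):
    """Return (status_line, {lower-case header name: value}) from a raw response."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_downgrade(raw, client_scheme="https"):
    """True when a redirect would move an https client onto a plain http URL."""
    status, headers = parse_headers(raw)
    code = int(status.split()[1])
    loc = headers.get("location")
    if code not in REDIRECT_CODES or loc is None:
        return False
    return client_scheme == "https" and urlsplit(loc).scheme.lower() == "http"


def rewrite_location(loc, internal_hosts=INTERNAL_HOSTS,
                     public_host=VIP, public_scheme="https"):
    """What the terminating proxy should do to an absolute http:// Location
    that points at itself or at the backend: re-issue it as https://<vip>/...
    Relative Locations and third-party hosts are left untouched."""
    parts = urlsplit(loc)
    if parts.scheme.lower() != "http" or parts.hostname not in internal_hosts:
        return loc
    return urlunsplit((public_scheme, public_host, parts.path or "/",
                       parts.query, parts.fragment))


def fix_response(raw):
    """Apply rewrite_location to the Location header of a raw response."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            line = "Location: " + rewrite_location(value.strip())
        out.append(line)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    print("downgrade before fix:", is_downgrade(SAMPLE_RESPONSE))
    fixed = fix_response(SAMPLE_RESPONSE)
    print("downgrade after fix: ", is_downgrade(fixed))
    print(fixed)
```

The other common approach, instead of rewriting on the proxy, is for the proxy to tell the application it was reached over TLS (for example with an X-Forwarded-Proto: https request header) so the application builds https:// URLs itself; either way, checking the Location header of the post-login response over the VIP is the quickest way to confirm which side is producing the plain http:// URL.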
Silviu Pietris Sat, 04/12/2014 - 09:15

Hi!

It is quite an old topic, but I have just bought such a device from eBay for my personal lab and I have found out that the 11501 (the model without the S) does not perform SSL termination.

I am thinking that this is why you are getting that behavior.

Sad that Cisco limits SSL termination on this SMB device.

Anyway, if you got a workaround please let me know, because I am keen to get that SSL termination without spending more money on an 11503.

THX!

Regards,

Silviu

Silviu Pietris Fri, 04/25/2014 - 14:00

Hi!

Thank you very much for your reply.

I know about the S model, as per my post, but unfortunately I realized it after making the purchase.

Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow the official Cisco documentation for that version (I issue all the commands as in the manual). More than that, if I set up the Primary Boot Configuration and then want to check it, there is nothing in that field. The Secondary Boot Configuration keeps its settings, and after the Primary failure it tries the Network Boot but with Failed status, returning me to the OffDM.

I mention that I am using the OffDM because the unit I bought has no Flash Card.

Also I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows-style absolute path like k:/.... as per the official Cisco guide. Is plain FTP generically called a Network File System here? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"

Is this linked with the fact that I am using a Linux box for my FTP server? Can you please help me to understand what the following line from the official Cisco guide means: "A network boot is not supported on UNIX workstations"

Thank you!
