CSS 11503 and SSL configuration


Please could someone guide me in the correct direction. I have a CSS 11503 that I am using in a test environment and I want to be able to terminate SSL to the device and then balance unencrypted to back-end web servers. When I bought this I read the brief on the CSS 11503 (http://www.cisco.com/en/US/customer/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html). This says that SSL termination is possible and does not state anything about needing an SSL module. Please could you advise if this is correct?



I am able to set up the CSS to the point where I try to activate the SSL service and keep getting a BAD IP ADDRESS when I type the active command.


This is my config so if someone could guide me it would be great.


CSS11503(config)# service ssl_im1
CSS11503(config-service[ssl_im1])# active
%% Bad IP Address

CSS11503# show startup-config
!Generated on 07/07/2009 12:28:32
!Active version: sg0810106

configure

!*************************** GLOBAL ***************************
  ssl associate rsakey imrsakey imrsakey

  ip route 0.0.0.0 0.0.0.0 192.168.33.1 1

!************************* INTERFACE *************************
interface 2/6
  bridge vlan 35

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.33.2 255.255.255.0

circuit VLAN35
  ip address 192.168.35.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_proxy1
  ssl-server 10
  ssl-server 10 rsacert imcert
  ssl-server 10 rsakey imrsakey
  ssl-server 10 vip address 192.168.33.11
  ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.35.11 80
  active

!************************** SERVICE **************************
service EUHS1WEB20
  keepalive type http
  port 80
  protocol tcp
  ip address 192.168.35.20
  active

service ssl_im1
  keepalive type none
  add ssl-proxy-list ssl_proxy1

!*************************** OWNER ***************************
owner im.com

  content http-rule
    protocol tcp
    port 80
    add service EUHS1WEB20
    vip address 192.168.35.11

  content ssl-rule
    protocol tcp
    port 443
    add service ssl_im1
    vip address 192.168.33.11

CSS11503#



Thank you in advance



Gilles Dufour (Cisco Employee), Tue, 07/07/2009 - 04:56

You need an ssl module to do ssl encryption/decryption.


G.
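
An added example, not part of the original thread and not Cisco tooling: a small Python check for a CSS configuration like the one posted in the question. It flags `ssl-server ... cipher` lines that use export-grade or otherwise weak suites (the posted list uses rsa-export-with-rc4-40-md5) and services that attach an ssl-proxy-list without `type ssl-accel` and `slot`, the lines that bind such a service to an installed SSL module. The function name, the weak-suite markers and the sample text are assumptions of this example.

```python
import re

# Name fragments this example treats as weak suites (an assumption, not a Cisco list).
WEAK_MARKERS = ("export", "rc4", "md5", "null", "-des-cbc")

# Constructed sample: SSL-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_proxy1
  ssl-server 10
  ssl-server 10 vip address 192.168.33.11
  ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.35.11 80
  active
service EUHS1WEB20
  ip address 192.168.35.20
  active
service ssl_im1
  keepalive type none
  add ssl-proxy-list ssl_proxy1
"""

def audit_css_config(text):
    """Return (kind, subject, detail) findings for a CSS configuration."""
    findings, services, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"service\s+(\S+)$", line)
        if m:  # start of a service block
            current = services.setdefault(m.group(1), [])
            continue
        if re.match(r"(ssl-proxy-list|owner|content|circuit|interface)\s", line):
            current = None  # left the service block
        m = re.match(r"ssl-server\s+(\d+)\s+cipher\s+(\S+)", line)
        if m and any(w in m.group(2) for w in WEAK_MARKERS):
            findings.append(("weak-cipher", "ssl-server " + m.group(1), m.group(2)))
        elif current is not None:
            current.append(line)
    for name, cmds in services.items():
        if not any(c.startswith("add ssl-proxy-list") for c in cmds):
            continue  # ordinary back-end service
        if "type ssl-accel" not in cmds:
            findings.append(("service", name, "missing 'type ssl-accel'"))
        if not any(re.match(r"slot\s+\d+$", c) for c in cmds):
            findings.append(("service", name, "missing 'slot <n>'"))
    return findings

if __name__ == "__main__":
    print(audit_css_config(SAMPLE_CONFIG))
```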
