CSS 11503 and SSL configuration

yulunga
Level 1

Please could someone guide me in the correct direction. I have a CSS 11503 that I am using in a test environment, and I want to be able to terminate SSL to the device and then balance unencrypted to back-end web servers. When I bought this I read the brief on the CSS 11503: http://www.cisco.com/en/US/customer/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html This says that SSL termination is possible and does not state anything about needing an SSL module. Please could you advise if this is correct?

I am able to set up the CSS to the point where I try to activate the SSL service and keep getting a BAD IP ADDRESS when I type the active command.

This is my config, so if someone could guide me it would be great.

CSS11503(config)# service ssl_im1
CSS11503(config-service[ssl_im1])# active
%% Bad IP Address

CSS11503# show startup-config
!Generated on 07/07/2009 12:28:32
!Active version: sg0810106

configure

!*************************** GLOBAL ***************************
  ssl associate rsakey imrsakey imrsakey
  ip route 0.0.0.0 0.0.0.0 192.168.33.1 1

!************************* INTERFACE *************************
interface 2/6
  bridge vlan 35

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.33.2 255.255.255.0

circuit VLAN35
  ip address 192.168.35.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_proxy1
  ssl-server 10
  ssl-server 10 rsacert imcert
  ssl-server 10 rsakey imrsakey
  ssl-server 10 vip address 192.168.33.11
  ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.35.11 80
  active

!************************** SERVICE **************************
service EUHS1WEB20
  keepalive type http
  port 80
  protocol tcp
  ip address 192.168.35.20
  active

service ssl_im1
  keepalive type none
  add ssl-proxy-list ssl_proxy1

!*************************** OWNER ***************************
owner im.com
  content http-rule
    protocol tcp
    port 80
    add service EUHS1WEB20
    vip address 192.168.35.11

  content ssl-rule
    protocol tcp
    port 443
    add service ssl_im1
    vip address 192.168.33.11

CSS11503#

Thank you in advance


Gilles Dufour
Cisco Employee

You need an ssl module to do ssl encryption/decryption.

G.

I thought as much. Love the way Cisco gives you information, as per the document I attached, saying SSL termination is possible, then no indication or caveat that an SSL module is needed.
