07-07-2009 04:44 AM
Please could someone guide me in the correct direction. I have a CSS 11503 that I am using in a test environment and I want to be able to terminate SSL to the device and then balance unencrypted to back end web servers. When I bought this I read the brief on the CSS 11503: http://www.cisco.com/en/US/customer/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html This says that SSL termination is possible and does not state anything about needing an SSL module. Please could you advise if this is correct?
I am able to set up the CSS to the point where I try to activate the SSL service and keep getting a BAD IP ADDRESS when I type the active command.
This is my config so if someone could guide me it would be great.
CSS11503(config)# service ssl_im1
CSS11503(config-service[ssl_im1])# active
%% Bad IP Address
CSS11503# show startup-config
!Generated on 07/07/2009 12:28:32
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
ssl associate rsakey imrsakey imrsakey
ip route 0.0.0.0 0.0.0.0 192.168.33.1 1
!************************* INTERFACE *************************
interface 2/6
bridge vlan 35
!************************** CIRCUIT **************************
circuit VLAN1
ip address 192.168.33.2 255.255.255.0
circuit VLAN35
ip address 192.168.35.1 255.255.255.0
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_proxy1
ssl-server 10
ssl-server 10 rsacert imcert
ssl-server 10 rsakey imrsakey
ssl-server 10 vip address 192.168.33.11
ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.35.11 80
active
!************************** SERVICE **************************
service EUHS1WEB20
keepalive type http
port 80
protocol tcp
ip address 192.168.35.20
active
service ssl_im1
keepalive type none
add ssl-proxy-list ssl_proxy1
!*************************** OWNER ***************************
owner im.com
content http-rule
protocol tcp
port 80
add service EUHS1WEB20
vip address 192.168.35.11
content ssl-rule
protocol tcp
port 443
add service ssl_im1
vip address 192.168.33.11
CSS11503#
Thank you in advance
07-07-2009 04:56 AM
You need an SSL module to do SSL encryption/decryption.
G.
07-07-2009 05:09 AM
I thought as much. Love the way Cisco gives you information, as per the document I attached, saying SSL termination is possible, then no indication or caveat that an SSL module is needed.