CSS Full Proxy example in doc's seems in error

Unanswered Question
Apr 19th, 2006
User Badges:

I am confused over the example in Cisco's documentation on how to set up a full proxy ssl. Here is the link to the web page with the example. http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/sslgd/examples.htm#wp999253


What I do not understand is where does the new source address (192.168.7.200) come from. I understand the underlying concepts and theory on how this works. But the example code does not seem to match the description of the example?


Burke McCrory

Internet Administrator

Oklahoma Tax Commission

IT Division

[email protected]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Thu, 04/20/2006 - 03:42
User Badges:
  • Cisco Employee,

the only place where I see this ip on the document you referenced is line


vip address 192.168.7.200



So, this ip is just a vip address.


Could you be more precise where you see this address in the example.


Thanks,


Gilles.

burkemccrory Thu, 04/20/2006 - 07:48
User Badges:

I agree it is a VIP address what I can not find is where it is in the commands that are shown to set it up. The group ssl_module_proxy has a VIP but it is 192.168.8.1 . The VIP address of 192.168.7.200 is no where in the command list. I am sure that it is something simple but I still can not see it.

Hi Gilles,


Referring the SSL Full Proxy Configuration - One SSL Module . Configured as below.

--------------------------------

group ssl_module_proxy

add destination service ssl_module1

add destination service ssl_module2

vip address 192.168.8.1

active

-----------------------

In that 192.168.8.1 is no where mentioned in the doucment.


If you could clarify it will be really helpful

regards

R.Sundara Rajan

Gilles Dufour Wed, 06/14/2006 - 23:11
User Badges:
  • Cisco Employee,

This is a "group" config which is uses to do client nat. We use this option in one-armed design or when the server are not using the CSS as a default gateway.

This a way to guarantee that the response comes back to the CSS.

The vip can be any ip address.

The ip address in the config should be 192.168.7.200 to match the diagram.

[see the client ip address was nated as well as the vip address].


I have to admit this part of the config is somewhat misleading as it is absolutely not required.


I hope this helps.


Gilles.

Actions

This Discussion