04-19-2006 02:57 PM
I am confused over the example in Cisco's documentation on how to set up a full proxy ssl. Here is the link to the web page with the example. http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/sslgd/examples.htm#wp999253
What I do not understand is where does the new source address (192.168.7.200) come from. I understand the underlying concepts and theory on how this works. But the example code does not seem to match the description of the example?
Burke McCrory
Internet Administrator
Oklahoma Tax Commission
IT Division
04-20-2006 03:42 AM
the only place where I see this ip on the document you referenced is line
vip address 192.168.7.200
So, this ip is just a vip address.
Could you be more precise where you see this address in the example.
Thanks,
Gilles.
04-20-2006 07:48 AM
I agree it is a VIP address what I can not find is where it is in the commands that are shown to set it up. The group ssl_module_proxy has a VIP but it is 192.168.8.1 . The VIP address of 192.168.7.200 is no where in the command list. I am sure that it is something simple but I still can not see it.
06-14-2006 02:24 AM
Hi ,
Any update related to 192.168.8.1 vip configured on that example.
We have to test a similar scenario and I am trying to find the relation of that address.
regards
R.Sundara Rajan
06-14-2006 03:54 AM
the error is in the diagram related to
"SSL Initiation Between a CSS and One Data Center"
The correct config should replace 192.168.7.200 with 172.16.1.200.
This has been corrected in the next release.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_810/sslgd/examples.htm
Gilles.
06-14-2006 06:40 AM
Hi Gilles,
Referring the SSL Full Proxy Configuration - One SSL Module . Configured as below.
--------------------------------
group ssl_module_proxy
add destination service ssl_module1
add destination service ssl_module2
vip address 192.168.8.1
active
-----------------------
In that 192.168.8.1 is no where mentioned in the doucment.
If you could clarify it will be really helpful
regards
R.Sundara Rajan
06-14-2006 11:11 PM
This is a "group" config which is uses to do client nat. We use this option in one-armed design or when the server are not using the CSS as a default gateway.
This a way to guarantee that the response comes back to the CSS.
The vip can be any ip address.
The ip address in the config should be 192.168.7.200 to match the diagram.
[see the client ip address was nated as well as the vip address].
I have to admit this part of the config is somewhat misleading as it is absolutely not required.
I hope this helps.
Gilles.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide