Cisco Support Community
New Member

CSM-SSL, how to prevent to access the real server with clear text?

Based on the CSM-SSL configuration as follows, port 8080 is there to handle the decrypted packets from the SSL module, but it is also accessible from clients via http://1.1.1.1:8080

This may cause a security issue, since the real server can be accessed in clear text. Is there any way to prevent this, and/or a best practice guide for implementing this scenario?

##CSM

!
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
!
serverfarm SSL-TRAFFIC
 real 2.2.2.2
 inservice
!
serverfarm test-server
 real 3.3.3.3
 inservice
!

##SSL

!
interface SSL-Proxy0.111
 encapsulation dot1Q 111
 ip address 2.2.2.2 255.255.255.0
!
ssl-proxy context test
!
 service test-SSL
  virtual ipaddr 1.1.1.1 protocol tcp port 443 secondary
  server ipaddr 2.2.2.10 protocol tcp port 8080
  inservice

Thanks in advance,

1 ACCEPTED SOLUTION

Cisco Employee

Re: CSM-SSL, how to prevent to access the real server with clear

Specify a VLAN in the vserver.

This will allow only traffic coming from the ssl vlan.

If you have no client on this vlan, then you're good.

Otherwise, move the sslm to a vlan used only between csm-sslm and use the vlan id config under the vserver.

Gilles.
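
An added example, not part of the thread or of any Cisco tooling: a Python check that flags CSM vservers listening on a clear-text port with no `vlan` restriction, run against the question's vserver config and against the same config with the restriction added. The value `vlan 111` assumes the SSL module's dot1Q 111 VLAN is the one to allow; the function names and the "port is not https/443" heuristic are this example's own.

```python
import re

# Constructed sample: the two vservers from the question.
ORIGINAL = """\
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
!
"""
# Same config with the answer's suggestion applied. VLAN 111 is an assumption
# taken from "encapsulation dot1Q 111" on the SSL-Proxy interface.
RESTRICTED = ORIGINAL.replace(" virtual 1.1.1.1 tcp 8080\n",
                              " virtual 1.1.1.1 tcp 8080\n vlan 111\n")

ENCRYPTED_PORTS = {"https", "443"}  # heuristic: anything else is clear text

def parse_vservers(config):
    """Return {name: {"virtual": (ip, port) or None, "vlan": id or None}}."""
    vservers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vserver\s+(\S+)$", line):
            current = vservers.setdefault(m.group(1), {"virtual": None, "vlan": None})
        elif line == "!":
            current = None  # "!" closes the vserver block
        elif current is not None:
            if m := re.match(r"virtual\s+(\S+)\s+tcp\s+(\S+)", line):
                current["virtual"] = (m.group(1), m.group(2))
            elif m := re.match(r"vlan\s+(\S+)$", line):
                current["vlan"] = m.group(1)
    return vservers

def unrestricted_cleartext(config):
    """Names of vservers on a clear-text port that accept traffic from any VLAN."""
    return sorted(
        name for name, v in parse_vservers(config).items()
        if v["virtual"] and v["virtual"][1] not in ENCRYPTED_PORTS and v["vlan"] is None
    )

if __name__ == "__main__":
    print("before:", unrestricted_cleartext(ORIGINAL))
    print("after: ", unrestricted_cleartext(RESTRICTED))
```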

2 REPLIES

New Member

Re: CSM-SSL, how to prevent to access the real server with clear

Thanks a lot Gilles
