Cisco Support Community

CSS11506 - Getting there but still a bit more help

Currently terminating SSL connection on CSS with backend webserver connected to isolated vlan off CSS module. This now seems to be working well. However, my next step is that I need to move the backend server off the CSS completely and back into our production LAN. I have been told I don't need to have my server connected to the CSS. Here is my config. Can someone have a look at it and let me know what I need to do in order to make this move happen?

CSS11506# sh run

!Generated on 05/12/2007 17:00:20

!Active version: sg0720003

configure

!*************************** GLOBAL ***************************

ssl associate rsakey myrsakey1 CSSrsakey1

ssl associate cert myrsacert1 CSScertfile1

ssl associate rsakey myrsakey2 CSSrsakey2

ssl associate cert myrsacert2 CSScertfile2

ip route 0.0.0.0 0.0.0.0 204.101.28.161 1

!************************* INTERFACE *************************

interface 5/13

description "Client Side"

bridge vlan 10

interface 5/15

bridge vlan 20

description "Server side"

!************************** CIRCUIT **************************

circuit VLAN10

ip address 204.x.x.163 255.255.255.224

circuit VLAN20

ip address 10.10.10.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list sslfrinew

ssl-server 97

ssl-server 97 vip address 204.101.28.166

ssl-server 97 cipher rsa-with-des-cbc-sha 10.10.10.10 80

ssl-server 97 cipher rsa-with-3des-ede-cbc-sha 10.10.10.10 80

ssl-server 97 cipher rsa-with-rc4-128-sha 10.10.10.10 80

ssl-server 97 cipher rsa-with-rc4-128-md5 10.10.10.10 80

ssl-server 97 rsacert myrsacert1

ssl-server 97 rsakey myrsakey1

ssl-server 97 urlrewrite 24 http://www.test.com

active

!************************** SERVICE **************************

service SSLFRIDAY

type ssl-accel

keepalive type none

slot 6

add ssl-proxy-list sslfrinew

active

service http_backend

ip address 10.10.10.10

port 80

protocol tcp

active

!*************************** OWNER ***************************

owner Dave

content SSLFriday

vip address 204.101.28.166

application ssl

add service SSLFRIDAY

protocol tcp

port 443

active

content decrypt_www

vip address 10.10.10.5

add service http_backend

port 80

protocol tcp

active

CSS11506#

Thanks again

Dave
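An added example, not part of the original post and not Cisco tooling: a small audit of the SSL-related lines from the configuration above that lists every line naming the backend address (the lines that must change when the server moves), the cipher suites based on single DES or RC4, and the cipher lines that forward decrypted traffic to port 80. The names `audit`, `WEAK_MARKERS` and `CIPHER_RE` are hypothetical, and treating port 80 as cleartext HTTP is an assumption.

```python
import re

# Constructed sample: the SSL-related lines of the running-config posted above.
CONFIG = """\
ssl-proxy-list sslfrinew
ssl-server 97
ssl-server 97 vip address 204.101.28.166
ssl-server 97 cipher rsa-with-des-cbc-sha 10.10.10.10 80
ssl-server 97 cipher rsa-with-3des-ede-cbc-sha 10.10.10.10 80
ssl-server 97 cipher rsa-with-rc4-128-sha 10.10.10.10 80
ssl-server 97 cipher rsa-with-rc4-128-md5 10.10.10.10 80
service http_backend
ip address 10.10.10.10
port 80
"""

# Flagged suites: single DES (56-bit key) and RC4 (prohibited in TLS by RFC 7465).
WEAK_MARKERS = ("-des-cbc-", "-rc4-")
CIPHER_RE = re.compile(r"^ssl-server (\d+) cipher (\S+) (\d+(?:\.\d+){3}) (\d+)$")


def audit(config, backend_ip):
    """Return (lines naming backend_ip, weak suites, cleartext port-80 hops)."""
    ip_token = re.compile(r"(?:^|\s)" + re.escape(backend_ip) + r"(?:\s|$)")
    to_update, weak, cleartext = [], [], []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if ip_token.search(line):
            to_update.append((lineno, line))  # must change when the server moves
        m = CIPHER_RE.match(line)
        if not m:
            continue
        server, suite, ip, port = m.groups()
        if any(marker in suite for marker in WEAK_MARKERS):
            weak.append(suite)
        if ip == backend_ip and port == "80":
            cleartext.append((server, suite))  # decrypted HTTP leaves the CSS here
    return to_update, weak, cleartext


if __name__ == "__main__":
    to_update, weak, cleartext = audit(CONFIG, "10.10.10.10")
    for lineno, line in to_update:
        print(f"update line {lineno}: {line}")
    print("weak suites:", ", ".join(weak))
    print(f"{len(cleartext)} cipher line(s) forward decrypted traffic to port 80")
```

Once the server sits on the production LAN, the port-80 hop reported here crosses that LAN instead of the isolated VLAN 20, so the decrypted traffic is exposed to whatever else shares that segment.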

1 REPLY

Re: CSS11506 - Getting there but still a bit more help

Key and certificate generation may be necessary in instances when you do not have pre-existing keys or certificates for the CSS. Refer to this URL:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v6.10/configuration/advanced/guide/SSL
