how to configure one-armed VIP with SSL

julxu
Level 1

Could anyone help me to correct the following configuration:

service ssl-slot3-srv
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list ssl-slot3
  active

service pub-serv
  ip address 10.3.3.42
  keepalive type tcp
  keepalive port 80
  active

content ssl-rule
  port 443
  protocol tcp
  vip address 10.1.1.131
  add service ssl-slot3-srv
  active

content ssl-rule2
  protocol tcp
  port 81
  balance leastconn
  add service pub-serv
  vip address 10.2.2.10
  active

The architecture is:

subnet 10.3.3.0 - server subnet, not in the DMZ, in the public network.

subnet 10.2.2.0 - special VLAN for configuring the SSL module; internal to the CSS11506.

subnet 10.1.1.0 - VIPs, public side of the CSS.

I have to make the one-armed infrastructure work. I have tried to add a destination group for it, but I am confused about which service I need to add to the VIP.

How can I make a one-armed architecture with SSL termination on the CSS work?

Any comments will be appreciated

Thanks in advance


4 Replies

Gilles Dufour
Cisco Employee

Hi,

First, let me say there is no VLAN between the SSL module and the CSS. The module is part of the CSS.

However, having a special subnet for decrypted traffic is OK.

So, client NAT will be required when traffic leaves the CSS for the server.

This occurs after the traffic is decrypted.

Therefore, the group must be configured for the services that are in your decrypted content rule (ssl-rule2).

In this case you need a group for pub-serv.

If that does not work, verify with a 'sho summary' that you get a hit on your SSL rule and on your decrypted rule each time you open a connection. If not, you may have a problem somewhere else.

Gilles.
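The check Gilles describes above (every real server behind the decrypted content rule needs a group with a VIP and an "add destination service" entry, while the encrypted rule that hands off to the ssl-accel service does not) can be turned into a small config audit. The following is an added example and not part of the thread or of any Cisco tool; the parser, the function names and the simplified block layout it assumes are this example's own, and the two config strings are constructed from the original post and the follow-up.

```python
"""Audit a CSS one-armed SSL termination config for the missing client-NAT
group described in the thread. Constructed example: the parser and the
audit logic are this example's own, not a Cisco utility."""
from collections import defaultdict

BLOCK_KEYWORDS = ("service", "content", "group")


def parse_css_config(text):
    """Split a flat CSS config into {kind: {name: [sub-command lines]}}.

    Assumption: a block starts with 'service NAME', 'content NAME' or
    'group NAME' and every following line up to the next block header
    belongs to it, whether or not it is indented.
    """
    blocks = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in BLOCK_KEYWORDS:
            current = blocks[parts[0]].setdefault(parts[1], [])
            continue
        if current is not None:
            current.append(line)
    return blocks


def _values(lines, prefix):
    """Return the argument of every sub-command that starts with `prefix`."""
    return [l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")]


def audit_one_armed_ssl(text):
    """Return (content_rule, service) pairs that still need a client-NAT group.

    The encrypted rule hands traffic to the ssl-accel service on the module,
    so no NAT is needed there. The decrypted rule forwards to real servers;
    in a one-armed design each of those servers must be covered by
    'add destination service' in a group that has a VIP, otherwise the
    server's reply does not come back through the CSS.
    """
    cfg = parse_css_config(text)
    ssl_services = {name for name, lines in cfg["service"].items()
                    if "type ssl-accel" in lines}
    natted = set()
    for lines in cfg["group"].values():
        if not _values(lines, "vip address"):
            continue  # a group without a VIP cannot source-NAT anything
        natted.update(_values(lines, "add destination service"))
    findings = []
    for rule, lines in cfg["content"].items():
        services = _values(lines, "add service")
        if services and all(s in ssl_services for s in services):
            continue  # encrypted rule, terminates on the SSL module
        for svc in services:
            if svc not in natted:
                findings.append((rule, svc))
    return findings


# Constructed from the original post: SSL rule plus decrypted rule, no group.
ORIGINAL_CONFIG = """
service ssl-slot3-srv
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list ssl-slot3
  active
service pub-serv
  ip address 10.3.3.42
  keepalive type tcp
  keepalive port 80
  active
content ssl-rule
  port 443
  protocol tcp
  vip address 10.1.1.131
  add service ssl-slot3-srv
  active
content ssl-rule2
  protocol tcp
  port 81
  balance leastconn
  add service pub-serv
  vip address 10.2.2.10
  active
"""

# Same config with the group from the follow-up post appended.
FIXED_CONFIG = ORIGINAL_CONFIG + """
group pub-serv
  vip address 10.2.2.10
  add destination service pub-serv
  active
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_one_armed_ssl(cfg) or "OK")
```

Run against the original post's config the audit reports ssl-rule2 / pub-serv as uncovered; with the group added it reports nothing. The audit only covers the NAT-group point made in this reply; it does not know whether a route exists for the decrypted rule's VIP, which is a separate condition.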

group pub-serv
  vip address 10.2.2.10
  add destination service
  active

On "sho sum" I can see the hits increase on both rules, but I still cannot see the page on my PC.

How can I troubleshoot this problem?

You'll need to capture a sniffer trace.

Gilles.

I found the problem. It needs the route for the VIP in the decrypted content rule.