Please verify the CSS and SCA configuration for one-armed transparent mode

cjrchoi11
Level 1

I have a problem configuring one-armed transparent mode. I cannot access the server with "https://9.9.9.1", even though "http://9.9.9.1:80" and "http://9.9.9.1:81" are operational. It looks like the CSS cannot communicate properly with the SCA.

I couldn't figure it out from the CCO sample configuration. Please correct the attached configuration.

Thanks,

** connectivity ********

<client>----<router>----<CSS>---<SCA>,<Server>

- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3 (connects to VLAN2 of CSS)
- SCA=11.11.11.100, connects to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connects to VLAN4 of CSS

** configuration *********

CSS11050# sh run

!Generated on 01/01/2079 00:00:47
!Active version: ap0500105

configure

!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1

!************************* INTERFACE *************************
interface e2
  bridge vlan 2
interface e3
  bridge vlan 3
interface e4
  bridge vlan 4
interface e5
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 9.9.9.2 255.255.255.0
circuit VLAN2
  ip address 8.8.8.2 255.255.255.0
circuit VLAN3
  ip address 11.11.11.1 255.255.255.0
circuit VLAN4
  ip address 10.147.153.1 255.255.255.0

!************************** SERVICE **************************
service ING_SVC_12
  protocol tcp
  ip address 10.147.153.12
  active

service ING_SVC_15
  protocol tcp
  ip address 10.147.153.15
  active

service ING_SVC_SCA
  port 443
  protocol tcp
  ip address 11.11.11.100
  type transparent-cache
  no cache-bypass
  active

service upstream
  ip address 8.8.8.3
  type transparent-cache
  active

!*************************** OWNER ***************************
owner ING_OWNER
  content cnt_443
    add service ING_SVC_SCA
    protocol tcp
    port 443
    vip address 9.9.9.1
    active

  content cnt_80
    add service ING_SVC_12
    add service ING_SVC_15
    protocol tcp
    port 80
    url "/*"
    vip address 9.9.9.1
    active

  content cnt_81
    add service ING_SVC_12
    add service ING_SVC_15
    vip address 9.9.9.1
    protocol tcp
    port 81
    url "/*"      <-- If I configure url "/secure/*", "http://9.9.9.1:81" does not work from the client.
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)
acl 3
  clause 10 permit any any destination any
  apply circuit-(VLAN3)
acl 4
  clause 10 permit any any destination any
  apply circuit-(VLAN4)

ING_SCA# sh run

#
# Cisco SCA Device Configuration File
#
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading

### Mode ###
mode one-port

### Interfaces ###
interface network
  auto
end
interface server
  auto
end

### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"

### Password ###
password idle-timeout 15

### SNTP ###
sntp interval 86400

### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1

### RIP ###
no rip

### DNS ###
no ip name-server
no ip domain-name

### Telnet ###
telnet enable

### Web Management ###
web-mgmt port 80
no web-mgmt enable

### SNMP Subsystem ###
no snmp

### SSL Subsystem ###
ssl
  server ING create
    ip address 9.9.9.1
    localport 443
    remoteport 81
    key default
    cert default
    secpolicy default
    sslv2 enable
    sslv3 enable
    tlsv1 enable
    session-cache size 20480
    session-cache timeout 300
    session-cache enable
    no clientauth enable
    clientauth verifydepth 1
    clientauth error cert-other-error fail
    clientauth error cert-not-provided fail
    clientauth error cert-has-expired fail
    clientauth error cert-not-yet-valid fail
    clientauth error cert-has-invalid-ca fail
    clientauth error cert-has-signature-failure fail
    clientauth error cert-revoked fail
    sharedcipher error failhtml
    ephemeral error failhtml
    no httpheader client-cert
    no httpheader server-cert
    no httpheader session
    no httpheader pre-filter
    httpheader prefix "SSL"
    ephrsa
    keepalive frequency 5
    keepalive maxfailure 3
    no keepalive enable
  end
end

Accepted Solution

Gilles Dufour
Cisco Employee

The problem is the routing.

You need a route for the client pointing to the SCA, like this:

ip route 7.7.7.100 255.255.255.255 11.11.11.100 1

This is so the reply from the server to the client goes back to the SCA first for encryption.

Gilles.

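A route-lookup check for the routing point made in the answer, added here as an example and not part of the thread. It applies longest-prefix matching to the CSS static routes as posted, and to the same table after the answer's route takes the place of the existing 7.7.7.100/32 entry (an assumption: two routes for the same /32 cannot both be active), to show which next hop the CSS picks for the server's plaintext reply to the client.

```python
import ipaddress

# CSS static routes exactly as posted: (destination, mask, next hop).
ORIGINAL_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "11.11.11.100"),
    ("7.7.7.100", "255.255.255.255", "8.8.8.3"),
    ("7.7.7.200", "255.255.255.255", "8.8.8.3"),
]

# Same table with the route from the accepted answer in place of the
# existing client /32 (assumed replacement, not an extra entry).
FIXED_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "11.11.11.100"),
    ("7.7.7.100", "255.255.255.255", "11.11.11.100"),
    ("7.7.7.200", "255.255.255.255", "8.8.8.3"),
]

SCA = "11.11.11.100"      # SCA address from the question
CLIENT = "7.7.7.100"      # client address from the question


def next_hop(routes, dst):
    """Longest-prefix-match lookup over (network, mask, hop) tuples,
    the way the CSS chooses a route for a destination address."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, mask, hop in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst_ip in network and (
            best_net is None or network.prefixlen > best_net.prefixlen
        ):
            best_net, best_hop = network, hop
    return best_hop


def reply_returns_via_sca(routes, client=CLIENT):
    """In transparent one-armed mode the SCA keeps the client's source IP,
    so the server answers the client directly and the CSS routes that
    plaintext reply by the client's address. It is re-encrypted only if
    the chosen next hop is the SCA."""
    return next_hop(routes, client) == SCA


if __name__ == "__main__":
    for name, table in (("posted", ORIGINAL_ROUTES), ("fixed", FIXED_ROUTES)):
        print(f"{name}: reply to {CLIENT} -> {next_hop(table, CLIENT)}, "
              f"via SCA: {reply_returns_via_sca(table)}")
```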