Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Please verify the CSS and SCA configuration for one-armed transparent mode

I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.

I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.

Thanks,

** connectivity ********

<client>----<router>----<CSS>---<SCA>,<Server>

- client=7.7.7.100

- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)

- SCA=11.11.11.100, connect to VLAN3 of CSS

- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS

** configuration *********

CSS11050# sh run

!Generated on 01/01/2079 00:00:47

!Active version: ap0500105

configure

!*************************** GLOBAL ***************************

acl enable

ip route 0.0.0.0 0.0.0.0 11.11.11.100 1

ip route 7.7.7.100 255.255.255.255 8.8.8.3 1

ip route 7.7.7.200 255.255.255.255 8.8.8.3 1

!************************* INTERFACE *************************

interface e2

bridge vlan 2

interface e3

bridge vlan 3

interface e4

bridge vlan 4

interface e5

bridge vlan 4

!************************** CIRCUIT **************************

circuit VLAN1

ip address 9.9.9.2 255.255.255.0

circuit VLAN2

ip address 8.8.8.2 255.255.255.0

circuit VLAN3

ip address 11.11.11.1 255.255.255.0

circuit VLAN4

ip address 10.147.153.1 255.255.255.0

!************************** SERVICE **************************

service ING_SVC_12

protocol tcp

ip address 10.147.153.12

active

service ING_SVC_15

protocol tcp

ip address 10.147.153.15

active

service ING_SVC_SCA

port 443

protocol tcp

ip address 11.11.11.100

type transparent-cache

no cache-bypass

active

service upstream

ip address 8.8.8.3

type transparent-cache

active

!*************************** OWNER ***************************

owner ING_OWNER

content cnt_443

add service ING_SVC_SCA

protocol tcp

port 443

vip address 9.9.9.1

active

content cnt_80

add service ING_SVC_12

add service ING_SVC_15

protocol tcp

port 80

url "/*"

vip address 9.9.9.1

active

content cnt_81

add service ING_SVC_12

add service ING_SVC_15

vip address 9.9.9.1

protocol tcp

port 81

url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.

active

!**************************** ACL ****************************

acl 1

clause 10 permit any any destination any

apply circuit-(VLAN1)

acl 2

clause 10 permit any any destination any

apply circuit-(VLAN2)

acl 3

clause 10 permit any any destination any

apply circuit-(VLAN3)

acl 4

clause 10 permit any any destination any

apply circuit-(VLAN4)

ING_SCA# sh run

#

# Cisco SCA Device Configuration File

#

# Written: Sun Feb 6 01:12:54 2106 MST

# Inxcfg: version 4.1 build 200211151311

# Device Type: CSS-SCA

# Device Id: S/N 11aca8

# Device OS: MaxOS version 4.1.0 build 200211151311 by reading

### Mode ###

mode one-port

### Interfaces ###

interface network

auto

end

interface server

auto

end

### Device ###

ip address 11.11.11.100 netmask 255.255.255.0

hostname ING_SCA

timezone "MST7MDT"

### Password ###

password idle-timeout 15

### SNTP ###

sntp interval 86400

### Static Routes ###

ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1

### RIP ###

no rip

### DNS ###

no ip name-server

no ip domain-name

### Telnet ###

telnet enable

### Web Management ###

web-mgmt port 80

no web-mgmt enable

### SNMP Subsystem ###

no snmp

### SSL Subsystem ###

ssl

server ING create

ip address 9.9.9.1

localport 443

remoteport 81

key default

cert default

secpolicy default

sslv2 enable

sslv3 enable

tlsv1 enable

session-cache size 20480

session-cache timeout 300

session-cache enable

no clientauth enable

clientauth verifydepth 1

clientauth error cert-other-error fail

clientauth error cert-not-provided fail

clientauth error cert-has-expired fail

clientauth error cert-not-yet-valid fail

clientauth error cert-has-invalid-ca fail

clientauth error cert-has-signature-failure fail

clientauth error cert-revoked fail

sharedcipher error failhtml

ephemeral error failhtml

no httpheader client-cert

no httpheader server-cert

no httpheader session

no httpheader pre-filter

httpheader prefix "SSL"

ephrsa

keepalive frequency 5

keepalive maxfailure 3

no keepalive enable

end

end

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Please verify the CSS and SCA configuration for one-armed tr

the problem is the routing.

You need a route for the client pointing to the SCA like this

ip route 7.7.7.100 255.255.255.255 11.11.11.100 1

This is so the reply from the server to the client goes back to the SCA first

for encryption.

Gilles.

1 REPLY
Cisco Employee

Re: Please verify the CSS and SCA configuration for one-armed tr

the problem is the routing.

You need a route for the client pointing to the SCA like this

ip route 7.7.7.100 255.255.255.255 11.11.11.100 1

This is so the reply from the server to the client goes back to the SCA first

for encryption.

Gilles.

111
Views
0
Helpful
1
Replies
CreatePlease to create content