port redirect on CSS

NAVIN PARWAL
Level 2

Folks,

Please correct me if I am wrong here.

In CSS, if you do not specify any port under the content, it will accept connections on all ports, unlike ACE?

Also, if I am listening on port 443 under the content and the rule is matched, and I have a service under that content at port 80, the CSS will do a redirect? That means it will listen on port 443 and, if the rule is matched, it would open a connection to the server or service on port 80?

I will definitely rate the post, please help.

4 Replies

Diego Vargas
Cisco Employee

Hi,

You are right, if you do not specify the port it will be a layer 3 rule that will accept traffic to any destination port.

And yes, the CSS listens on the port that you configure in the content rule and will send the traffic to the port on the server configured on the service.

Now with the example given that does not mean that if you are listening for HTTPS traffic in port 443 you will send it decrypted in port 80 to the server. In that specific case you would need to have SSL termination configured on the CSS.

Hope it helps!!

Thanks, I will surely rate this post. One last question: my understanding was that ACE sits between the client and the server and opens two individual TCP connections, and when the client request matches a rule it connects the two sessions together so that they can talk to each other directly. Now, if I was doing port remapping at the ACE, how would that work? I know 443 to 80 was not a good example, so let's say port 8080 and port 80 on the server side. How would ACE deal with them, will it always be in the picture to do port redirect? What if it was port 80 to port 80, will the ACE move out of the picture?

Will rate all posts.

ACE works like the CSS.

If you match only on IP address (no port specified), the ACE module will only use the destination to match the rule and it will then forward to a server.

The box does not really listen on all ports.

It just looks at the traffic coming in and tries to match it to a class-map.

If it has a match it performs the appropriate action, i.e. load balancing.

Same if your class-map specifies a port, i.e. 8080. We check if the packet matches the class-map and if it does, we perform a load balancing decision and when the server is selected we forward the traffic to it, NATing the port if needed.

Now, if you introduce the tcp-reuse feature (only available with ACE) we will keep the connection with the server open and if another client sends traffic that matches the same rule, we will send its requests to the server using the already opened connection.

This feature only works at L7. Which means you need to make the ACE module spoof the connection (url-map, cookie stickiness, ...).

Gilles.
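The two behaviours discussed in this thread, a content rule with no port (matches any destination port) and a content rule that listens on one port and hands the connection to a service on another, are easiest to see side by side in configuration. The fragment below is an added example written for this page; it is not configuration posted by anyone in the thread and not Cisco's documentation. The VIP 192.0.2.10, the real server 10.0.0.11, and all object names (EXAMPLE, web1, WEB, VIP-8080, VIP-ANY, LB-WEB, VIPS, HTTP-PM) are made up for illustration. Note that the CSS and ACE sections are two separate configurations for two different products, shown together only for comparison.

```text
! ===== CSS 11500-series =====
! Services are defined before the content rules that reference them.
! The service's port (80) is what the CSS connects to on the real server.
service web1
  ip address 10.0.0.11
  protocol tcp
  port 80
  keepalive type tcp
  active

owner EXAMPLE
  ! Layer 3 content rule: no protocol, no port. Any destination port on the
  ! VIP matches and is sent to web1 on the port configured in the service.
  content any-port-vip
    vip address 192.0.2.10
    add service web1
    active

  ! Port remap: the rule listens on TCP 8080 and the service is on TCP 80,
  ! so the CSS rewrites the destination port to 80 toward the server.
  ! Doing this with "port 443" instead would send still-encrypted TLS bytes
  ! to port 80 unless SSL termination (an ssl-proxy-list) is configured.
  content vip-8080
    vip address 192.0.2.10
    protocol tcp
    port 8080
    add service web1
    active

! ===== ACE module / appliance =====
! The real server and its port live in the serverfarm; the client-facing
! port lives in the class-map. ACE NATs the destination port between them.
rserver host web1
  ip address 10.0.0.11
  inservice

serverfarm host WEB
  rserver web1 80
  inservice

! Port-specific match: only TCP 8080 to the VIP is load balanced.
class-map match-all VIP-8080
  2 match virtual-address 192.0.2.10 tcp eq 8080

! Address-only match: "any" means no protocol/port is checked, which is the
! ACE equivalent of the CSS layer 3 rule above (shown but not applied).
class-map match-all VIP-ANY
  2 match virtual-address 192.0.2.10 any

! Server-side connection reuse (the tcp-reuse feature mentioned above).
! It only takes effect when the class is handled by a layer 7 policy.
parameter-map type http HTTP-PM
  server-conn reuse

! Layer 7 match on every URL so the ACE terminates the client connection
! and can multiplex requests onto reused server connections.
class-map type http loadbalance match-any ALL-URLS
  2 match http url .*

policy-map type loadbalance first-match LB-WEB
  class ALL-URLS
    serverfarm WEB

policy-map multi-match VIPS
  class VIP-8080
    loadbalance vip inservice
    loadbalance policy LB-WEB
    appl-parameter http advanced-options HTTP-PM

interface vlan 100
  service-policy input VIPS
  no shutdown
```

Two things to check when reproducing this: on the CSS, a content rule that names a service on a different port is only safe when the payload is plaintext or the CSS itself terminates TLS; and on the ACE, dropping the ALL-URLS class and HTTP-PM parameter-map turns the policy back into a pure layer 4 port-NAT, where each client connection gets its own server connection and no reuse happens, matching Gilles' point that reuse needs a layer 7 match.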

tjcouey
Level 1

To answer your first question: if you specify 'protocol tcp' in your content rule with no port, then yes, it will accept requests for all TCP ports.

For your second question, are you using an SSL accelerator and SSL-Proxy-List?
