
New Member

SSL in transparent mode.


I have done this migration for my client, who didn't want to change anything on his existing network.

So we went ahead with L2 ACE. Though it is working now, here are my issues:

1. I have 2 VLANs for the servers, VLAN 20 and 30. Only 1 VLAN seems to work at one time in the admin context, so I had to create 2 contexts for the 2 VLANs. I need to know the reason for this, or am I missing something here??

2. My SSL doesn't seem to work when doing basic SSL termination. As of now, the way it's working is, I think, it's just forwarding the SSL request to the servers, which are doing SSL termination.

If I change the "rserver" port to 80 or to 443 explicitly, it doesn't work.

If I add the SSL-proxy server and try to do SSL initiation to the SSL servers behind, it still doesn't work.

If my webservers are doing SSL termination, I am required to do "end-to-end SSL termination", correct?

Do I have to do a L7 policy? This is one thing I haven't done..

Throw me some light, gentlemen!!


Cisco Employee

Re: SSL in transparent mode.

1/ You are missing access-group on the server interfaces to allow traffic.

Not sure if that can explain the issue you had seen.

But you can have multiple bridge-groups inside a single context.

2/ You need to have separate class-maps for SSL and HTTP.

The serverfarm must be configured with port 80 specifically for both SSL and HTTP (unless you want to re-encrypt traffic on the backend).

Finally, "doesn't work" is pretty vague.

You need to capture the config, stats before and after a test, and a sniffer trace.

With that info, you can define the "does not work" and make changes where required.

BTW, nat-pools are only used on the output interface.

You have defined them on the client VLAN... I doubt this is what you want.

Usually, you configure them on the server VLAN.

But in bridge mode, I don't see the need for nat-pool anyway.
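As an added illustration of the points in the reply, not a config from this thread or from the poster's ACE: one bridged context with access-groups on both interfaces, separate HTTP and HTTPS class-maps, and an ssl-proxy service terminating SSL on the ACE in front of a serverfarm that listens on port 80. The VLAN numbers, addresses, object names and key/cert file names are assumed.

```cisco
access-list ALL line 10 extended permit ip any any

rserver host WEB1
  ip address 10.20.0.11
  inservice

! backend port is 80: the ACE terminates SSL, the servers see clear HTTP
serverfarm host WEB_HTTP
  rserver WEB1 80
  inservice

! key and cert file names are assumed; they must already be imported
ssl-proxy service SSL_TERM
  key web.key
  cert web.pem

class-map match-all VIP_HTTP
  2 match virtual-address 10.20.0.100 tcp eq 80
class-map match-all VIP_HTTPS
  2 match virtual-address 10.20.0.100 tcp eq 443

policy-map type loadbalance first-match LB_HTTP
  class class-default
    serverfarm WEB_HTTP

policy-map multi-match VIPS
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_HTTP
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_HTTP
    ssl-proxy server SSL_TERM

! client-side and server-side VLANs share one bridge-group; a second
! server VLAN pair would get its own bridge-group in the same context
interface vlan 120
  bridge-group 20
  access-group input ALL
  service-policy input VIPS
  no shutdown
interface vlan 20
  bridge-group 20
  access-group input ALL
  no shutdown
interface bvi 20
  ip address 10.20.0.1 255.255.255.0
  no shutdown
```

No nat-pool is configured, since in bridge mode the servers see the original client address and reply through the same bridge.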