Cisco Support Community

New Member

SSL with servers not attached to CSM

I have the CSM11503 setup in a DMZ. HTTP is working fine to the servers which are in a different subnet. However I cannot get the SSL to work to those same servers. Is there a trick to get it working? What am I overlooking?

Thanks

3 REPLIES
Cisco Employee

Re: SSL with servers not attached to CSM

This is because for HTTP you do client NAT using the group, but you don't for SSL.

You should create a content rule to receive the decrypted traffic and use client nat.

Try to replace the following two lines

ssl-server 21 cipher rsa-export1024-with-rc4-56-sha 10.131.155.39 7777

ssl-server 21 cipher rsa-export1024-with-des-cbc-sha 10.131.155.39 7777

with these

ssl-server 21 cipher rsa-export1024-with-rc4-56-sha 10.131.153.30 7777

ssl-server 21 cipher rsa-export1024-with-des-cbc-sha 10.131.153.30 7777

I believe it should work after that.

Gilles.

New Member

Re: SSL with servers not attached to CSM

Thanks Gilles, I have tried that however it did not work. Perhaps there is an issue with the servers themselves?

Cisco Employee

Re: SSL with servers not attached to CSM

Capture a sniffer trace to see if a response is coming back.

Are your servers really listening on port 7777?

Your config is not really standard.

A better way to do this would be to configure a service for port 80 and a service for port 7777 with tcp probe. So, at least we'll know if the servers are listening.

Then assign the port 80 service to your current HTTP content rule.

Then create a new content rule with same vip address but with tcp port 7777.

Assign the service with port 7777 to this content rule.

Keep ssl-proxy-list unchanged.

Capture 'show summary' before and after a test, and capture a sniffer trace on client and server simultaneously.

Gilles.
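The layout Gilles describes above, written out as an added illustration (not configuration from the thread or from Cisco). It assumes CSS 11500 syntax as I recall it, that 10.131.153.30 is the VIP (the address the ssl-server lines now point decrypted traffic at) and that 10.131.155.39 is one back-end server in the other subnet; check names and keywords against your own running config and the CSS configuration guide.

```text
! One service per server and port, each with a TCP probe, so
! 'show service' tells you whether the server actually listens.
service srv1-80
  ip address 10.131.155.39
  port 80
  keepalive type tcp
  keepalive port 80
  active

service srv1-7777
  ip address 10.131.155.39
  port 7777
  keepalive type tcp
  keepalive port 7777
  active

owner dmz
  ! Existing HTTP rule keeps the port 80 service.
  content http-80
    vip address 10.131.153.30
    protocol tcp
    port 80
    add service srv1-80
    active

  ! New rule, same VIP, tcp/7777: receives the clear-text traffic
  ! the ssl-proxy-list sends to 10.131.153.30 7777.
  content clear-7777
    vip address 10.131.153.30
    protocol tcp
    port 7777
    add service srv1-7777
    active

! Client NAT for both paths, since the servers are not directly attached;
! without it the decrypted flow returns via the servers' own gateway.
group srv-nat
  vip address 10.131.153.30
  add destination service srv1-80
  add destination service srv1-7777
  active
```

The ssl-proxy-list stays as in the thread; only the content rules, services and group change.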
