Cisco Support Community
Community Member

Using SSL module - Is client IP address passthrough possible

We have our CSS devices configured for front-end SSL. One impact of this is that the back-end servers see the VIP address of the SSL rule as the incoming client address. Is there a way to use the CSS for SSL offloading but pass through the client IP address?

Thanks in advance for replies.

cheers,

Mike

5 REPLIES
Silver

Re: Using SSL module - Is client IP address passthrough possible

You can do it with HTTP header insert.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdsslc.htm

Is there a URL rewrite function to rewrite all http:// traffic to https:// for a given set of content? The "url rewrite" function that one can configure in the ssl-proxy-list only seems to cover redirects. The url rewrite only rewrites URLs in SSL.

Cisco Employee

Re: Using SSL module - Is client IP address passthrough possible

There is not.

The reason is that it would kill performance to inspect all traffic to do the rewrite.

I would suggest you rewrite your server to avoid direct links and replace them with relative paths.

Gilles.

Cisco Employee

Re: Using SSL module - Is client IP address passthrough possible

Mike,

This is happening because you have a group config to NAT the client IP address.

You probably have a one-armed design.

So, you can either use the other suggestion that was made to you and insert the client IP into the header, then reconfigure your server to extract the IP from the header.

Or, you can also do some redesign to avoid the one-armed config and get rid of client nat.

Gilles.
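
The server-side half of the header-insert option above, as an added example that is not part of the original thread: the server uses the inserted header only when the connection really comes from the CSS, and falls back to the connection's source address otherwise. The header name `X-Client-IP` and the address `192.0.2.10` are assumptions made for the example; use whatever header and source address your own configuration produces.

```python
import ipaddress

# Assumptions (not from the thread): the header name configured on the CSS
# and the source address the servers see for offloaded traffic.
CLIENT_IP_HEADER = "X-Client-IP"                            # hypothetical name
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]   # constructed VIP


def client_ip(peer_addr, headers):
    """Return the address to log or apply access rules to for one request.

    peer_addr: source address of the TCP connection as the server sees it.
    headers:   list of (name, value) pairs in the order received.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that does not come from the SSL offloader can carry any
    # header value the sender likes, so the header is ignored entirely.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)

    wanted = CLIENT_IP_HEADER.lower()
    values = [v.strip() for n, v in headers if n.lower() == wanted]
    # Exactly one value is expected. Zero means the insert is not active for
    # this rule; more than one suggests a client-supplied copy was forwarded
    # alongside the inserted one, so neither is trusted.
    if len(values) != 1:
        return str(peer)
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        # Not a single valid IP literal (for example a comma-separated list).
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("192.0.2.10", [("Host", "www.example.com"), ("X-Client-IP", "203.0.113.7")]),
        ("198.51.100.5", [("X-Client-IP", "10.0.0.1")]),   # direct, header ignored
        ("192.0.2.10", [("X-Client-IP", "10.0.0.1"), ("X-Client-IP", "203.0.113.7")]),
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_ip(peer, hdrs))
```
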

Community Member

Re: Using SSL module - Is client IP address passthrough possible

Gilles,

We do not have a one-armed design or any NATing.

Traffic comes in on the VIP on Port 443, this is decrypted by the SSL module then sent to another VIP on clear text port 81 (which has an associated content rule pointing to the servers).

The server guys only see traffic coming in from the VIP address.

cheers,

Mike

Cisco Employee

Re: Using SSL module - Is client IP address passthrough possible

Mike,

I'm telling you. This is not possible.

Send me your config and I'll show you where you do the NATing.

Check if you have any "group <...>" config using a VIP matching the one you see on the server.

If you do, suspend the group and you will see that the NATing does not occur anymore.

Gilles.
