Cisco Support Community
Community Member

css problem

www.xxxxx.co.uk points to 19x.244.202.21

www.yyyyy.com points to 19x.244.202.21 as well

the address 19x.244.202.21 maps to 192.168.214.8 internally

192.168.214.8 is a Cisco CSS which spreads load between 4 boxes accordingly

these boxes live on 192.168.6.0/24

This is the problem: since there's no host-header checking on the content switch, anything that is destined for 19x.244.202.21 (from the outside) will end up on the same IP as galagames.co.uk

*the same 192.168.6.0/24 IP

this means that we can't have another SSL cert on that address (because galagames.co.uk is already there), because the host header is itself encrypted with https

we need to find a way of sending traffic to another address, based solely on host header

does that make sense!?

"gw01-lastmin"..."gw04-lastmin" and have it work by host header. But I don't have a clue how.

Here is the config of the CSS:

!*************************** GLOBAL ***************************
restrict ftp
ip opportunistic all
ip redundancy
snmp auth-traps
snmp trap-host 192.168.216.14 public
snmp trap-host 192.168.216.19 public
snmp trap-host 10.171.255.11 public
snmp trap-host 10.171.255.62 public
ip route 0.0.0.0 0.0.0.0 192.168.214.1 1
ip route 192.168.213.0 255.255.255.0 192.168.216.40 1

!************************* INTERFACE *************************
interface ethernet-1
  redundancy-phy
  bridge vlan 10
  phy 100Mbits-FD

interface ethernet-2
  bridge vlan 20
  redundancy-phy
  phy 100Mbits-FD

interface ethernet-8
  phy 100Mbits-FD

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.214.34 255.255.255.240
    redundancy-protocol

circuit VLAN10
  redundancy

circuit VLAN20
  redundancy
  ip address 192.168.216.33 255.255.255.0

!************************** SERVICE **************************
service asd

service g01-games

service gw01-bingo
  ip address 192.168.216.3
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw01-casino
  keepalive type http
  keepalive uri "/css-check.jsp"
  ip address 192.168.216.2
  keepalive port 80

service gw01-games
  ip address 192.168.216.1
  keepalive port 80
  keepalive uri "/css-check.jsp"
  keepalive type http
  active

service gw02-bingo
  ip address 192.168.216.8
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw02-casino
  ip address 192.168.216.7
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw02-games
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw03-bingo
  ip address 192.168.216.13
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw03-casino
  ip address 192.168.216.12
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw03-games
  ip address 192.168.216.11
  keepalive port 80
  keepalive type http
  active

service gw04-bingo
  ip address 192.168.216.18
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

service gw04-casino
  keepalive type http
  keepalive uri "/css-check.jsp"
  ip address 192.168.216.17
  keepalive port 80
  active

service gw04-games
  ip address 192.168.216.16
  keepalive port 80
  keepalive type http
  keepalive uri "/css-check.jsp"
  active

!*************************** OWNER ***************************
owner gala_leisure

  content L4_rule_port443_bingo
    add service gw01-bingo
    add service gw02-bingo
    add service gw03-bingo
    add service gw04-bingo
    protocol tcp
    port 443
    vip address 192.168.214.10
    advanced-balance sticky-srcip-dstport
    active

  content L4_rule_port443_casino
    add service gw01-casino
    add service gw02-casino
    add service gw03-casino
    add service gw04-casino
    protocol tcp
    port 443
    vip address 192.168.214.9
    advanced-balance sticky-srcip-dstport
    active

  content L4_rule_port443_games
    add service gw01-games
    add service gw02-games
    add service gw03-games
    add service gw04-games
    protocol tcp
    port 443
    vip address 192.168.214.8
    balance leastconn
    advanced-balance sticky-srcip-dstport
    active

  content L4_rule_port80_bingo
    protocol tcp
    port 80
    add service gw01-bingo
    add service gw02-bingo
    add service gw03-bingo
    vip address 192.168.214.10
    add service gw04-bingo
    balance leastconn
    advanced-balance sticky-srcip-dstport
    active

  content L4_rule_port80_casino
    protocol tcp
    port 80
    add service gw01-casino
    add service gw02-casino
    add service gw03-casino
    add service gw04-casino
    balance leastconn
    vip address 192.168.214.9
    advanced-balance sticky-srcip-dstport
    active

  content L4_rule_port80_games
    protocol tcp
    port 80
    add service gw01-games
    add service gw02-games
    add service gw03-games
    add service gw04-games
    balance leastconn
    vip address 192.168.214.8
    advanced-balance sticky-srcip-dstport
    active

!*************************** GROUP ***************************
group SOURCE_NAT
  vip address 192.168.214.8
  add service gw01-games
  add service gw01-casino
  add service gw01-bingo

!**************************** ACL ****************************
acl 2
  clause 30 permit any any destination any
  apply circuit-(VLAN10)
  apply circuit-(VLAN20)
  clause 10 permit any any destination any sourcegroup SOURCE_NAT

acl 1
  clause 20 permit any any destination any
  apply circuit-(VLAN1)

1 REPLY
Bronze

Re: css problem

Shashank,

If I understand your question correctly, you can terminate the SSL connections on an SSL module in the CSS (or on an external SCA), which will allow the CSS to match a content rule based on header information. If required, the CSS can also re-encrypt the traffic towards the back-end servers. You can find more configuration information here:

http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157875.html

~Zach
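Added example, not part of the thread and not Cisco's code: a small Python model of the two dispatch modes the reply contrasts. The posted L4 rules key only on VIP and port, so every connection to 192.168.214.8:443 lands in the games pool whatever site name the client asked for, and the first bytes of an HTTPS connection are a TLS handshake with no readable Host header in them. Once TLS has been terminated (on the SSL module or SCA) the Host header is plaintext and can choose the pool, and a request whose Host is missing, duplicated, malformed or not a configured site is refused rather than falling into a default pool. The host-to-pool mapping and the pool names for the two sites are assumptions (the thread does not say which name belongs to which pool), and the ClientHello bytes and HTTP requests are constructed. One caveat the thread leaves implicit: both names still arrive on one VIP on port 443, so whatever certificate is presented there must be valid for both names.

```python
"""Host-based dispatch with and without TLS termination (added example)."""
import re
from typing import Optional

# Assumed mapping from Host header to content rule / service pool.  The
# thread does not say which site belongs to which pool, so this pairing is
# a guess used only to make the routing decision visible.
HOST_ROUTES = {
    "www.xxxxx.co.uk": "L4_rule_port80_games",
    "www.yyyyy.com": "L4_rule_port80_bingo",
}

# What the posted L4 rules actually key on: VIP and destination port only.
L4_ROUTES = {
    ("192.168.214.8", 443): "L4_rule_port443_games",
    ("192.168.214.8", 80): "L4_rule_port80_games",
}

# Bare hostname (lower-cased) with an optional :port; anything else is refused.
_HOST_RE = re.compile(r"^([a-z0-9][a-z0-9.-]*)(?::\d{1,5})?$")


def l4_route(vip: str, port: int) -> Optional[str]:
    """Layer-4 dispatch as in the posted config: the site name is never
    consulted, so both hostnames behind 192.168.214.8:443 reach 'games'."""
    return L4_ROUTES.get((vip, port))


def starts_with_tls_handshake(data: bytes) -> bool:
    """True if a connection opens with a TLS/SSL handshake record
    (content type 0x16, major version 0x03, handshake type 0x01 =
    ClientHello).  Everything after the handshake, including the HTTP
    Host header, is encrypted, so a balancer that only forwards the TCP
    stream has nothing host-specific to match on."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_host(request: bytes) -> Optional[str]:
    """Return the normalised Host of a plaintext HTTP/1.x request head, or
    None when the head is incomplete, Host is absent or duplicated, or the
    value is not a bare hostname with an optional port."""
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return None
    hosts = [line.split(b":", 1)[1].strip()
             for line in head.split(b"\r\n")[1:]
             if line[:5].lower() == b"host:"]
    if len(hosts) != 1:
        return None
    match = _HOST_RE.match(hosts[0].decode("ascii", "replace").lower())
    return match.group(1) if match else None


def l7_route(data: bytes) -> str:
    """Dispatch after TLS termination: pick the pool from the Host header
    and refuse anything that does not name a configured site."""
    if starts_with_tls_handshake(data):
        # Still encrypted: hand to the SSL module / SCA before matching.
        return "TERMINATE_TLS_FIRST"
    host = parse_host(data)
    if host is None:
        return "REJECT_400"
    return HOST_ROUTES.get(host, "REJECT_UNKNOWN_HOST")


if __name__ == "__main__":
    # Constructed inputs: a minimal ClientHello record and plaintext requests.
    client_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    samples = [
        client_hello,
        b"GET / HTTP/1.1\r\nHost: WWW.xxxxx.co.uk:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: www.yyyyy.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    ]
    print("L4 on 192.168.214.8:443 ->", l4_route("192.168.214.8", 443))
    for sample in samples:
        print(sample[:24], "->", l7_route(sample))
```

The duplicate-Host and malformed-Host cases are refused on purpose: a balancer that silently picks one of two Host values, or accepts a Host carrying a path, lets a client steer itself into a pool the operator did not intend, which is the same class of problem as the default pool the original poster is fighting.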
