
CISCO ACE 4720, SSL, and IPs

In our infrastructure we are using an ASA 5520 firewall. We have static NAT set up to convert externally facing IPs to internal IPs that correspond with the VIPs on our load balancer. We have the following 3 VIPs set up:

- One for https://www.example.com

- One for https://www.another-example.com

- One for https://www.example.com (Client Authenticated)

All three of these VIPs loadbalance the same serverfarm.

For example.com, we need to maintain both the standard SSL and Client Authenticated SSL. However, for the client authenticated SSL we know the source IPs that are authorized to access that site. example.com (non-client auth) and another-example.com are open to the public.

So we are using 3 external IPs to reach the same server farm. I would love to get down to using only one or two... but I don't see how I can do it.

The way I understand it, the SSL proxy is assigned to a Virtual Server. Since all three of these sites require a different SSL proxy (2 due to using different certs, the other one is for the client auth) I think I'm stuck. I think the best case is that I can have the folks using the client auth site connect on a different port and set up a virtual server on that port.

What I would love to use is some sort of name based load balancing so that www.example.com would use one SSL proxy and www.another-example.com would use a different SSL proxy.  I've read up on Layer 7 class-maps and the like but I can't see how it will work since the SSL proxy is assigned at the Layer 3/4 level.

Thanks for the help.
