
Cisco 500 Series Cache Engines

Configuring SSL Tunneling with Cisco Cache Engine 2.2


Document ID: 12570

Updated: Sep 08, 2006


Introduction

This sample configuration shows you how to set up a Cisco Cache Engine as a Secure Hypertext Transfer Protocol (HTTPS) proxy server to relay HTTPS-over-HTTP requests that are initiated by clients' browsers, which have been configured to point HTTPS traffic to the Web cache.

The Cache Engine cannot terminate Secure Socket Layer (SSL) traffic, so Web Cache Communication Protocol (WCCP) and transparent caching cannot be used. In transparent mode the client would attempt to open an SSL session with the Cache Engine itself; since the Cache Engine does not have an SSL certificate, it cannot terminate the session and the connection fails. The Cache Engine can pass the traffic in proxy mode, but this requires that every browser using the Cache Engine for SSL requests has its proxy address for secure protocols set to the Cache Engine. This is done individually on each browser.

The Cache Engine creates a connection to the origin server directly or through another proxy server and allows the Web client and origin server to set up a SSL tunnel through the Cache Engine. HTTPS traffic is encrypted and cannot be interpreted by the Cache Engine or any other device between the Web client and the origin server. HTTPS objects are not cached.

Note: The PIX cannot look inside SSL packets, so SSL FTP does not work with the fixup command. Secure FTP carries a copy of the host IP address inside the encrypted payload; because the payload is encrypted, the PIX cannot rewrite the private address to the public address within it.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This configuration was developed and tested using the software and hardware versions listed below.

  • Cisco Cache Engine 550 running Cisco Cache Software Release 2.2

  • Cisco 2600 Router running Cisco IOS® Software Release 12.0

  • Cisco Private Internet Exchange (PIX) firewall running Secure PIX Firewall Software Release 5.2(3)

Configure

Network Diagram

[Network diagram: ssl_tunneling.jpg]

The HTTPS traffic initiated by the SSL Client PC1 is proxied by the Cache Engine 550, which has the only IP address from the internal LAN that is allowed in the PIX to go out to the Internet. The https proxy incoming command selects the ports on which the Cache Engine is listening for HTTPS connections.

Configurations

Cache Engine 550 (Cisco Cache Software Release 2.2)
!
hostname tikka
!
interface ethernet 0
ip address 10.10.10.50 255.255.255.0
ip broadcast-address 10.10.10.255
bandwidth 10
halfduplex
exit
!
!
interface ethernet 1
exit
!
ip default-gateway 10.10.10.1
ip name-server 144.254.6.77
ip domain-name cisco.com
ip route 0.0.0.0 0.0.0.0 10.10.10.1
inetd enable ftp 12
cron file /local/etc/crontab
clock timezone CET -7 0
!
no bypass load enable
http max-ttl hours text 4 binary 8
wccp router-list 1 10.10.10.1
wccp web-cache router-list-num 1 password ****
wccp version 2
!
authentication login local enable
authentication configuration local enable
rule no-cache url-regex .*cgi-bin.*
rule no-cache url-regex .*aw-cgi.*
https proxy incoming 443
https destination-port allow all
!
!
end

Cisco Router 2600 (Cisco IOS Software Release 12.0)
!
ip subnet-zero
ip wccp web-cache password ww
no ip domain-lookup
!
!
!
interface FastEthernet0/0
ip address 8.8.8.1 255.255.255.0
ip wccp web-cache redirect out
ip route-cache same-interface
!
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
no ip route-cache
no ip mroute-cache
!

PIX 506 (Secure PIX Firewall Software Release 5.2(3))
!
PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 172.17.241.14 255.255.255.0
ip address inside 8.8.8.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
static (inside,outside) 172.17.241.50 10.10.10.50 netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.17.241.29 1
route inside 10.10.10.0 255.255.255.0 8.8.8.1 1
timeout xlate 3:00:00
terminal width 80
Cryptochecksum:a02a164a924492533b8272dd60665e29
: 
end

debug and show Commands

The following are samples of debug and show command outputs.

Before issuing debug commands, please see Important Information on Debug Commands.

debug https header trace

The debug https header trace command allows you to view and troubleshoot the request that the Cache Engine receives from PC1.

Wed Dec 13 02:41:37 2000: Https request received from client:
CONNECT www.tronet.sk:443 HTTP/1.0
User-Agent: Mozilla/4.75 [en] (WinNT; U)
 
Wed DEC 13 02:41:37 2000: CONNECT www.tronet.sk:443 HTTP/1.0
User-Agent: Mozilla/4.75 [en] (WinNT; U) 
HTTPS response headers sent:
Wed DEC 13 02:41:38 2000: HTTPS response headers sent:
HTTP/1.0 200 Connection Established
Wed DEC 13 02:41:38 2000: HTTP/1.0 200 Connection Established 

Wed DEC 13 02:41:38 2000:  
Https request received from client:
Wed DEC 13 02:41:39 2000: Https request received from client:
CONNECT www.tronet.sk:443 HTTP/1.0
User-Agent: Mozilla/4.75 [en] (WinNT; U)
Wed DEC 13 02:41:39 2000: CONNECT www.tronet.sk:443 HTTP/1.0
User-Agent: Mozilla/4.75 [en] (WinNT; U) 

HTTPS response headers sent:
Wed DEC 13 02:41:39 2000: HTTPS response headers sent:
HTTP/1.0 200 Connection Established
Wed DEC 13 02:41:39 2000: HTTP/1.0 200 Connection Established

show statistics https

Use the show statistics https command to display HTTPS connection statistics.

                                  HTTPS Statistics

                                                Total                % of Total

                             ---------------------------------------------------

           Total connections:                       2                         -
           Connection errors:                       0                       0.0
                 Total bytes:                  116261                         -
  Bytes received from client:                    1069                       0.9
        Bytes sent to client:                  115192                      99.1

show https all

Use the show https all command to display HTTPS proxy status and port policies.

Incoming HTTPS proxy:
  Servicing Proxy mode HTTPS connections on ports:  443

Outgoing HTTPS proxy:
  Not using outgoing proxy mode.

Destination port policies:
  Allow  all

These commands were used on the PIX firewall:

  • show xlate—Use the show xlate command to view or clear translation slot information (privileged mode).

    Global 172.17.241.50 Local 10.10.10.50 static
  • show logging—Use the show logging command to display the state of logging (syslog).

    302001: Built outbound TCP connection 68 for faddr 195.168.21.2/443
            gaddr 172.17.241.50/1091 laddr 10.10.10.50/1091
    
    302001: Built outbound TCP connection 69 for faddr 195.168.21.2/443
            gaddr 172.17.241.50/1092 laddr 10.10.10.50/1092
    
    302002: Teardown TCP connection 68 faddr 195.168.21.2/443
            gaddr 172.17.241.50/1091 laddr 10.10.10.50/1091 duration 
            0:00:02 bytes 59513 (TCP FINs)
    
    302002: Teardown TCP connection 69 faddr 195.168.21.2/443
            gaddr 172.17.241.50/1092 laddr 10.10.10.50/1092 duration 
            0:00:02 bytes 58128 (TCP Fins)
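The PIX messages above are the only place in this setup where outbound HTTPS is visible per connection, so they are worth checking mechanically: every 302001/302002 record should carry the Cache Engine's address as laddr and 443 as the foreign port. The following is an added example, not Cisco code; the log lines are copied from the output above, while the regular expressions, the allowed-host list and the function names are assumptions.

```python
"""Added example (not Cisco code): parse PIX 302001 (build) and 302002
(teardown) messages and check that every outbound HTTPS connection was
initiated by the one host the PIX is supposed to let out, i.e. the
Cache Engine behind the static translation. Regexes, allowed-host set and
function names are assumptions; the sample log is copied from the page."""
import re

# 'for faddr' and 'gaddr ... laddr ...' may be split over two lines by the
# terminal, so records are joined first and matched with \s+ between fields.
BUILT_RE = re.compile(
    r"302001: Built outbound TCP connection (?P<id>\d+) for faddr "
    r"(?P<fip>[\d.]+)/(?P<fport>\d+)\s+gaddr (?P<gip>[\d.]+)/(?P<gport>\d+)"
    r"\s+laddr (?P<lip>[\d.]+)/(?P<lport>\d+)")
TEARDOWN_RE = re.compile(
    r"302002: Teardown TCP connection (?P<id>\d+) faddr "
    r"(?P<fip>[\d.]+)/(?P<fport>\d+)\s+gaddr (?P<gip>[\d.]+)/(?P<gport>\d+)"
    r"\s+laddr (?P<lip>[\d.]+)/(?P<lport>\d+) duration\s+(?P<dur>[\d:]+)"
    r" bytes (?P<bytes>\d+)")

# Sample input copied from the 'show logging' output on this page.
SAMPLE_LOG = """302001: Built outbound TCP connection 68 for faddr 195.168.21.2/443
        gaddr 172.17.241.50/1091 laddr 10.10.10.50/1091
302001: Built outbound TCP connection 69 for faddr 195.168.21.2/443
        gaddr 172.17.241.50/1092 laddr 10.10.10.50/1092
302002: Teardown TCP connection 68 faddr 195.168.21.2/443
        gaddr 172.17.241.50/1091 laddr 10.10.10.50/1091 duration
        0:00:02 bytes 59513 (TCP FINs)
302002: Teardown TCP connection 69 faddr 195.168.21.2/443
        gaddr 172.17.241.50/1092 laddr 10.10.10.50/1092 duration
        0:00:02 bytes 58128 (TCP Fins)
"""


def join_records(text):
    """Glue indented continuation lines back onto the message they belong to."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records


def parse_connections(text):
    """Return {connection_id: {faddr, gaddr, laddr, bytes, duration}}."""
    conns = {}
    for rec in join_records(text):
        m = BUILT_RE.match(rec) or TEARDOWN_RE.match(rec)
        if not m:
            continue  # unrelated syslog message
        c = conns.setdefault(int(m["id"]), {"bytes": None, "duration": None})
        c["faddr"] = (m["fip"], int(m["fport"]))
        c["gaddr"] = (m["gip"], int(m["gport"]))
        c["laddr"] = (m["lip"], int(m["lport"]))
        if "bytes" in m.groupdict():          # only the teardown record has these
            c["bytes"] = int(m["bytes"])
            c["duration"] = m["dur"]
    return conns


def audit(conns, allowed_local=("10.10.10.50",), https_port=443):
    """Findings for connections not built by the Cache Engine or not to 443.
    The defaults reflect this page's topology (assumed policy)."""
    findings = []
    for cid, c in sorted(conns.items()):
        if c["laddr"][0] not in allowed_local:
            findings.append((cid, "unexpected local host %s" % c["laddr"][0]))
        if c["faddr"][1] != https_port:
            findings.append((cid, "non-HTTPS destination port %d" % c["faddr"][1]))
    return findings


def total_bytes(conns):
    """Sum of bytes reported at teardown (None for connections still open)."""
    return sum(c["bytes"] or 0 for c in conns.values())


if __name__ == "__main__":
    connections = parse_connections(SAMPLE_LOG)
    print("connections:", sorted(connections))
    print("bytes:", total_bytes(connections))
    print("findings:", audit(connections))
```

The two byte totals here (PIX TCP stream bytes) and the Cache Engine's own show statistics https counters are different counters and should not be expected to agree exactly; the check that matters is that no laddr other than the Cache Engine appears and that no foreign port other than the ones you allowed is being tunnelled.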

Related Commands

You can extend the above example to send HTTPS requests through another upstream proxy server (8.8.8.3) by using the https proxy outgoing global configuration command.

CE(config)# https proxy outgoing host 8.8.8.3 8880

In this case, you can exclude particular domains from being forwarded to the outgoing proxy server.

CE(config)# proxy-protocols transparent default-server 
CE(config)# proxy-protocols outgoing-proxy exclude enable 
CE(config)# proxy-protocols outgoing-proxy exclude list tronet.sk

You can also deny outgoing HTTPS connections to ports 6565 and 6566.

CE(config)# https destination-port deny 6565 6566
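To make the decision path concrete, here is an added example (not Cisco code and not the Cache Engine's implementation) of how an HTTPS CONNECT proxy of the kind described in the Introduction handles the request line seen in the debug https header trace output, applies a destination-port policy of the https destination-port allow/deny form, and consults an outgoing-proxy exclude list like the one configured above to choose between a direct tunnel and the upstream proxy. The policy data structure, the function names and the sample requests are assumptions; only the "200 Connection Established" response line comes from the page, and the 403 for a rejected request is assumed.

```python
"""Added example (not Cisco code): decision logic of an HTTPS CONNECT proxy
modelled on this page's configuration. Covers parsing the CONNECT request,
the 'https destination-port allow all' / 'deny <ports>' policy, and the
'proxy-protocols outgoing-proxy exclude list' check that decides whether the
tunnel goes directly to the origin or through 'https proxy outgoing host'.
Policy structure, names and sample requests are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "CONNECT host:port HTTP/1.x", as shown by 'debug https header trace'.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")


@dataclass
class HttpsPolicy:
    # 'https destination-port allow all' leaves this empty;
    # 'https destination-port deny 6565 6566' fills it.
    denied_ports: set = field(default_factory=set)
    # 'https proxy outgoing host 8.8.8.3 8880' -> ("8.8.8.3", 8880); None if unset.
    outgoing_proxy: Optional[tuple] = None
    # 'proxy-protocols outgoing-proxy exclude list tronet.sk' (domain suffixes).
    exclude_domains: tuple = ()


@dataclass
class Decision:
    action: str            # "tunnel-direct", "tunnel-via-proxy" or "reject"
    host: str = ""
    port: int = 0
    reason: str = ""


def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").lower(), port


def excluded(host, policy):
    """True if host equals, or is a subdomain of, an excluded domain."""
    return any(host == d or host.endswith("." + d)
               for d in policy.exclude_domains)


def decide(request_line, policy):
    """Apply port policy first, then the outgoing-proxy / exclude-list rule.
    The proxy never sees inside the tunnel, so host and port are the only
    attributes it can enforce policy on."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return Decision("reject", reason="malformed CONNECT request")
    host, port = parsed
    if port in policy.denied_ports:
        return Decision("reject", host, port, "destination port denied by policy")
    if policy.outgoing_proxy and not excluded(host, policy):
        return Decision("tunnel-via-proxy", host, port,
                        "forwarded to %s:%d" % policy.outgoing_proxy)
    return Decision("tunnel-direct", host, port, "direct connection to origin")


def response_line(decision):
    """Status line returned to the browser. 200 matches the page's debug
    output; 403 for a rejected request is an assumption."""
    if decision.action == "reject":
        return "HTTP/1.0 403 Forbidden"
    return "HTTP/1.0 200 Connection Established"


if __name__ == "__main__":
    policy = HttpsPolicy(denied_ports={6565, 6566},
                         outgoing_proxy=("8.8.8.3", 8880),
                         exclude_domains=("tronet.sk",))
    for line in ("CONNECT www.tronet.sk:443 HTTP/1.0",
                 "CONNECT www.example.com:443 HTTP/1.0",
                 "CONNECT www.example.com:6565 HTTP/1.0",
                 "GET / HTTP/1.0"):
        d = decide(line, policy)
        print(line, "->", d.action, "(", d.reason, ")", response_line(d))
```

With the page's configuration (deny 6565 6566, outgoing proxy 8.8.8.3:8880, tronet.sk excluded) a request for www.tronet.sk:443 is tunnelled directly, any other host on 443 goes through the upstream proxy, and a CONNECT to port 6565 is rejected before any connection is opened.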

Related Information
