
Cisco SCA 11000 Series Secure Content Accelerators

Configuring CSS and SCA for One-Armed Transparent Mode


Document ID: 20601

Updated: Jan 30, 2006


Introduction

This document provides a sample configuration for one-armed transparent Secure Content Accelerator (SCA) setup. This document does not include information on certificate and key configuration of the SCA.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

  • 3.0.5 on the SCA

  • 5.0(18) on the CSS 11800

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

In this section, you are presented with the information to configure the features described in this document.

Network Diagram

[Network diagram: css_sca_1arm_trans.gif]

Configuration

SCA# show version 
CSCA Release 3.0.5.3 
CSS-SCA-2FE-K9 version 2.3 build 200108071342

The main advantage of this configuration is that the web servers receive the IP address of the client that made the request. Web server administrators often require this for accounting purposes.

In a one-armed configuration, only the network port (Enet0) of the SCA is used. Only this specific port can be used for this setup. Encrypted and decrypted traffic go through the same link.

To have the SCA use only the network port in a one-armed configuration, issue the following command:

SCA# config 
(config[SCA])# mode one-port 

SCA# show device 
Device Hostname : SCA 
Device Type     : CSS-SCA 
Hardware Address: 00:60:f5:11:81:42 
Internet Address: 10.1.1.2(255.255.255.0) Default Router: 10.1.1.1 
Uptime          : 00:16:50, 0.13% system, 0.00% interrupt, 99.87% idle 
Firmware Version: MaxOS 2.5.1 build 200108071341 
Product Version : CSS-SCA Release 3.0.5.3 
Syslog sent to  : n/a 
RemoteManagement: enabled 
SNMP access     : disabled 
Telnet access   : enabled 
Web Management  : enabled 
Operational Mode: single-port 

Verify that the interface Enet0 is up by issuing the following command:

SCA# sho interface 
Intf  Name                Status     Duplex Speed    Type 
------------------------------------------------------------- 
   0  Enet0              connected   auto  auto     TX (auto) 
   1  Enet1              notconnect  auto  auto     TX (auto) 

Configure the VLANs and the IP addresses on the CSS.

!*************************** GLOBAL *************************** 
  ip route 0.0.0.0 0.0.0.0 10.48.66.1 1   

!--- Route to the default gateway to the Internet.


!************************* INTERFACE ************************* 
interface e2 
  bridge vlan 2 

interface e4 
  bridge vlan 4 

!************************** CIRCUIT ************************** 
circuit VLAN1 

  ip address 10.48.66.128 255.255.254.0 

circuit VLAN2 

  ip address 10.2.2.2 255.255.255.0  

!--- Default gateway for the servers.
 

circuit VLAN4 

  ip address 10.1.1.1 255.255.255.0  

!--- Default gateway for the SCA. 


Configure the IP address on the SCA.

(config[SCA])# ip address 10.1.1.2 netmask 255.255.255.0 
  

Configure the default gateway of the SCA. This is the IP address of the circuit VLAN on the CSS (VLAN 4).

(config[SCA])# ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1 

At this point, test that you can ping from the SCA to the directly connected CSS circuit address (the IP address of circuit VLAN4) and to the servers. The default gateway of the servers must also be the IP address of the CSS circuit VLAN they sit on (VLAN2).

The SCA configuration for the servers is shown below.

ssl 
  server Site1 create 
    ip address 10.48.66.125  

!--- Address on which to send unencrypted packets for website1.

    sslport 443  

!--- Port on which the SCA listens for 
!--- encrypted packets directed to website1.
 
    remoteport 81 

!--- Port on which to send the unencrypted packets for website1. 

    key default 
    cert default 
    secpolicy default 
    cachesize 20 
  end 

When the transparent option is used, the SCA listens for encrypted packets on the configured server IP address, which will match the CSS VIP address. This can be seen by issuing the show netstat command once the configuration for the webserver has been entered.

SCA#  show netstat
Pro State Recv-Q Send-Q Local Address         Remote Address        R-Win S-Win 
-------------------------------------------------------------------------------- 
tcp LISTN      0      0 10.48.66.125:443      *:*                    32768     0 
udp            0      0 *:4099                *:*                        0     0 
udp            0      0 *:4098                *:*                        0     0 
tcp LISTN      0      0 *:2932                *:*                        0     0 
udp            0      0 *:2932                *:*                        0     0 
udp            0      0 *:520                 *:*                        0     0 
udp            0      0 *:514                 *:*                        0     0 
tcp LISTN      0      0 *:80                  *:*                    32768     0 
tcp LISTN      0      0 *:23                  *:*                        0     0 

The packets arriving at the CSS have their destination MAC address changed to the MAC address of the SCA. NAT is not performed on the destination IP address. This is done on the CSS by setting the option type transparent-cache on the service associated with the SCA.

content 443fromInternet 
    protocol tcp 
    port 443 
    add service SCA 
    vip address 10.48.66.125 
    active 

service SCA 
  ip address 10.1.1.2 
  port 443 
  protocol tcp 
  type transparent-cache  

!--- Used to avoid IP destination NAT. 

  no cache-bypass  

!--- Used to avoid content rule bypass for requests made by the SCA.

  active 

Upon reception of the SSL request on port 443, the SCA negotiates the session with the client, decrypts the content, and forwards the unencrypted content to the servers through a new session. That session is initiated using the source IP address of the client that made the request. This is not normal TCP/IP behavior. When the server responds, the CSS would normally route the response according to its local routing table, which would send it to the Internet via the CSS default route. Instead, the CSS ignores its routing table and uses the flow table entry created when the request arrived to send the server response back to the SCA.

Flow switching caches connection characteristics such as source and destination IP address, source and destination TCP port, and physical ingress and egress port. This mechanism enables reliable transparent mode operation.

A new default static route must be added in the CSS for each SCA used in the configuration, plus the normal default route.

  ip route 0.0.0.0 0.0.0.0 10.48.66.1 1  

!--- Static route towards the Internet.

  ip route 0.0.0.0 0.0.0.0 10.1.1.2  

!--- Static route towards the SCA.

If you want the SCA to serve multiple websites, add a new server specifying a different IP address.

ssl 
  server Site2 create 
    ip address 10.48.66.239  

!--- Address on which the SCA will listen for 
!--- encrypted packets directed to website2.

    sslport 443 
    remoteport 81 
    key default 
    cert default 
    secpolicy default 
    cachesize 20 
  end 
end 

The SCA now listens for packets on both 10.48.66.125:443 and 10.48.66.239:443. The remaining part of the configuration is quite straightforward. The CSS must be configured so that it can load balance over the servers all the unencrypted requests coming from the SCA and from the Internet. To distinguish between the two, set the SCA to send the unencrypted requests on port 81 so that you can keep port 80 for the requests coming from the Internet.
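A small check that parses show netstat output and confirms the SCA is bound to each configured server VIP on its sslport, as transparent mode requires. This is an added example, not part of the Cisco document; the sample output is the document's own capture, taken before Site2 was added, so the check reports Site2 as missing.

```python
import re

# Constructed sample: the "show netstat" output from this document, captured
# before server Site2 was added (so only 10.48.66.125 is listening on 443).
NETSTAT_SAMPLE = """\
Pro State Recv-Q Send-Q Local Address         Remote Address        R-Win S-Win
--------------------------------------------------------------------------------
tcp LISTN      0      0 10.48.66.125:443      *:*                    32768     0
udp            0      0 *:4099                *:*                        0     0
tcp LISTN      0      0 *:2932                *:*                        0     0
tcp LISTN      0      0 *:80                  *:*                    32768     0
tcp LISTN      0      0 *:23                  *:*                        0     0
"""

# One entry per SCA "ssl server" block: (name, ip address, sslport).
SSL_SERVERS = [("Site1", "10.48.66.125", 443), ("Site2", "10.48.66.239", 443)]

# Matches a tcp row in LISTEN state and captures local ip and port.
LISTEN_RE = re.compile(r"^tcp\s+LISTN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def tcp_listeners(netstat_text):
    """Return the set of (local_ip, port) pairs in tcp LISTEN state."""
    return {(ip, int(port)) for ip, port in LISTEN_RE.findall(netstat_text)}


def check_ssl_listeners(netstat_text, ssl_servers):
    """Map each ssl server name to True if the SCA listens on its VIP:sslport.

    A wildcard listener (*:port) does not count: in transparent mode the SCA
    must bind the VIP itself, because the CSS only rewrites the MAC address.
    """
    listening = tcp_listeners(netstat_text)
    return {name: (ip, port) in listening for name, ip, port in ssl_servers}


if __name__ == "__main__":
    for name, ok in check_ssl_listeners(NETSTAT_SAMPLE, SSL_SERVERS).items():
        print(f"{name}: {'listening' if ok else 'NOT listening'}")
```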

 content 80fromInternet 
    protocol tcp 
    port 80  

!--- Traffic coming from the Internet.
 
    url "/*" 
    add service realserver4 
    add service realserver5 
    vip address 10.48.66.239 
    active 

  content 81fromSCA 
    add service realserver4 
    add service realserver5 
    protocol tcp 
    port 81  

!--- Traffic coming from the SCA. 

    url "/*" 
    vip address 10.48.66.239 
    active 

Once the configuration is fully installed, check the basic connectivity. Be sure you can reach the servers from the CSS and from the SCA. Check that you can reach the CSS from a remote client. Issue the show summary command to troubleshoot.

CSS# show summary 
Global Bypass Counters: 
   No Rule Bypass Count:     0 
   Acl Bypass Count:         0 

Owner            Content Rules    State     Services         Service Hits 
  

website1         81fromSCA        Active    realserver1      0 
                                            realserver2      0 
                                            realserver3      0 
  

                 80fromInternet   Active    realserver1      0 
                                            realserver2      0 
                                            realserver3      0 

                 443fromInternet  Active    SCA              0 
  

website2         81fromSCA        Active    realserver4      0 
                                            realserver5      0 

                 80fromInternet   Active    realserver4      0 
                                            realserver5      0 

                 443fromInternet  Active    SCA              0 

If you see a service hit in the 80fromInternet content rule, you know that unencrypted packets make their way to the CSS and are redirected to the servers. If you see a service hit in the 443fromInternet content rule, you know that encrypted packets make their way to the CSS and are redirected to the SCA. If you see a service hit in the 81fromSCA content rule, you know that the SCA has decrypted the packets it has received, and sent them to the CSS that has then redirected them to the webservers.
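The troubleshooting rule above, parsed and applied to show summary output so the three counters per owner yield a one-line diagnosis. This is an added example, not part of the Cisco document; the sample is modelled on the document's output with constructed hit counts so that each owner shows a different state.

```python
# Constructed sample based on this document's "show summary" layout; the hit
# counts are invented so website1 and website2 exercise different branches.
SUMMARY_SAMPLE = """\
Global Bypass Counters:
   No Rule Bypass Count:     0
   Acl Bypass Count:         0

Owner            Content Rules    State     Services         Service Hits

website1         81fromSCA        Active    realserver1      0
                                            realserver2      0
                 80fromInternet   Active    realserver1      12
                                            realserver2      9
                 443fromInternet  Active    SCA              7

website2         81fromSCA        Active    realserver4      0
                 80fromInternet   Active    realserver4      0
                 443fromInternet  Active    SCA              0
"""


def rule_hits(summary_text):
    """Parse show summary into {owner: {content rule: total service hits}}."""
    hits, owner, rule, in_table = {}, None, None, False
    for line in summary_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Owner":          # column header: table rows follow
            in_table = True
            continue
        if not in_table:
            continue                   # skip the bypass counters
        if len(tok) == 5:              # owner rule state service hits
            owner, rule = tok[0], tok[1]
        elif len(tok) == 4:            # rule state service hits
            rule = tok[0]
        # a 2-token row (service hits) continues the current owner and rule
        hits.setdefault(owner, {})
        hits[owner][rule] = hits[owner].get(rule, 0) + int(tok[-1])
    return hits


def diagnose(owner_hits):
    """Apply the document's hit-count logic to one owner's counters."""
    h443 = owner_hits.get("443fromInternet", 0)
    h81 = owner_hits.get("81fromSCA", 0)
    if h443 == 0:
        return "no encrypted packets reach the CSS VIP on port 443"
    if h81 == 0:
        return "SCA gets encrypted packets, but no decrypted port-81 requests return to the CSS"
    return "SSL path complete: CSS -> SCA -> CSS -> webservers"
```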

mattina# sho run 
# 
# Cisco CSCA Device Configuration File 
# 
# Written:      Sun Feb  6 00:29:22 2106 
# Inxcfg:       version 2.3 build 200108071342 
# Device Type:  CSS-SCA 
# Device Id:    S/N 118142 
# Device OS:    MaxOS version 2.5.1 build 200108071341 by Dan L. Reading 

### Device ### 

mode one-port 
ip address 10.1.1.2 netmask 255.255.255.0 
hostname SCA 
password access "2431244C362461476C67654D485269494C4634772E586A374E39472F" 
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931" 
no ip domain-name 
no rdate-server 
timezone "MST7MDT" 
rip 
ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1 

### Interfaces ### 

interface network 
  auto 
end 
interface server 
  auto 
end 

### Remote Management ### 

no remote-management access-list 
remote-management enable 

### SNMP Subsystem ### 

no snmp 
telnet enable 
no telnet access-list 
web-mgmt enable 
no web-mgmt access-list 

### SSL Subsystem ### 

ssl 
  server Site1 create 
    ip address 10.48.66.125 
    sslport 443 
    remoteport 81 
    key default 
    cert default 
    secpolicy default 
    cachesize 20 
  end 
  server Site2 create 
    ip address 10.48.66.239 
    sslport 443 
    remoteport 81 
    key default 
    cert default 
    secpolicy default 
    cachesize 20 
  end 
end 

Note: By configuring the second default gateway on the CSS, some traffic that needs to go to this gateway may be affected since there are now two possible paths to take. This will generally be new TCP connections originating from inside systems and UDP traffic from the inside systems.

To resolve this issue, ACLs are needed to direct the traffic to the upstream router. By configuring these ACLs, you direct traffic to a specific device, which overrides normal routing. Additionally, enabling ACLs causes all VLANs to deny all traffic by default, so every circuit needs a permit clause. Perform the steps below to create and enable ACLs.

  1. Create a service containing the upstream-router.

    service upstream-router 
      ip address 10.48.66.1 
      type transparent-cache 
      active 
  2. Create the needed ACLs.

    ACL 5 
    
    clause 10 permit any any destination any 
    
    !--- This will be needed for all traffic to pass through the CSS. 
    
    apply circuit-(VLAN1) 
    apply circuit-(VLAN3) 
      
    
    ACL 10 
    clause 10  permit any any destination any prefer upstream-router 
    
    !--- This is necessary for traffic initiated from the server 
    !--- VLAN to the Internet.
    
    apply circuit-(VLAN2) 
    
    acl enable 
      
    
    polio#  sho run 
    !Generated on 01/31/2002 20:25:05 
    !Active version: ap0500018s 
    
    configure 
      
    
    !*************************** GLOBAL *************************** 
      ip route 0.0.0.0 0.0.0.0 10.48.66.1 1 
      ip route 0.0.0.0 0.0.0.0 10.1.1.2 1 
    
    !************************* INTERFACE ************************* 
    interface e2 
      bridge vlan 2 
    
    interface e4 
      bridge vlan 4 
    
    !************************** CIRCUIT ************************** 
    circuit VLAN1 
    
      ip address 10.48.66.128 255.255.254.0 
    
    circuit VLAN2 
    
      ip address 10.2.2.2 255.255.255.0 
    
    circuit VLAN3 
    
      ip address 10.1.1.1 255.255.255.0 
    
    !************************** SERVICE ************************** 
    service upstream-router 
      ip address 10.48.66.1 
      type transparent-cache 
      active
    
    service SCA 
      ip address 10.1.1.2 
      port 443 
      protocol tcp 
      type transparent-cache 
      no cache-bypass 
      active 
    
    service realserver1 
      ip address 10.2.2.3 
      port 80 
      protocol tcp 
      active 
    
    service realserver2 
      ip address 10.2.2.4 
      port 80 
      protocol tcp 
      active 
    
    service realserver3 
      ip address 10.2.2.5 
      port 80 
      protocol tcp 
      active 
    
    service realserver4 
      ip address 10.2.2.6 
      port 80 
      protocol tcp 
      active 
    
    service realserver5 
      ip address 10.2.2.7 
      port 80 
      protocol tcp 
      active 
    
    !*************************** OWNER *************************** 
    
    owner website1 
    
      content 443fromInternet 
        protocol tcp 
        port 443 
        add service SCA 
        vip address 10.48.66.125 
        active 
    
      content 80fromInternet 
        protocol tcp 
        port 80 
        url "/*" 
        add service realserver1 
        add service realserver2 
        add service realserver3 
        vip address 10.48.66.125 
        active 
    
      content 81fromSCA 
        add service realserver1 
        add service realserver2 
        add service realserver3 
        protocol tcp 
        port 81 
        url "/*" 
        vip address 10.48.66.125 
        active 
    
    owner website2 
    
      content 443fromInternet 
        protocol tcp 
        port 443 
        add service SCA 
        vip address 10.48.66.239 
        active 
    
      content 80fromInternet 
        protocol tcp 
        port 80 
        url "/*" 
        add service realserver4 
        add service realserver5 
        vip address 10.48.66.239 
        active 
    
      content 81fromSCA 
        add service realserver4 
        add service realserver5 
        protocol tcp 
        port 81 
        url "/*" 
        vip address 10.48.66.239 
        active 
    
    !*************************** ACL *************************** 
    
    ACL 5 
      clause 10 permit any any destination any 
     
    !--- This will be needed for all traffic to pass through the CSS.
     
      apply circuit-(VLAN1) 
      apply circuit-(VLAN3) 
      
    
    ACL 10 
      clause 10  permit any any destination any prefer upstream-router 
    
    !--- This is necessary for traffic initiated from the 
    !--- server VLAN to the Internet.
    
      apply circuit-(VLAN2) 
    
    

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
