Cisco Services Modules

Simple Backend SSL Encryption Configuration with the Catalyst 6000 SSL Module

Document ID: 50061

Updated: Nov 30, 2005



The backend Secure Socket Layer (SSL) configuration is used when you want a client using HTTP (clear text) to communicate with an HTTPS server (encrypted traffic). The SSL module will act as a proxy and accept the HTTP connection from the client. The SSL module then connects via SSL to the server. All traffic from the client is encrypted by the SSL module and forwarded to the server. The traffic from the server is decrypted before being forwarded to the client.


This is the initial configuration of the SSL module. The VLAN definitions are included.

ssl-proxy vlan 499 
ssl-proxy vlan 500 
ssl-proxy vlan 501 

Before You Begin


Before attempting this configuration, please ensure that you meet these requirements:

  • Catalyst 6000 with SSL module

  • SSL module has been configured with a management VLAN

  • SSL module has been configured with client and server VLANs

Components Used

The information in this document is based on this hardware and software version:

  • SSL module version 2.1 minimum


For more information on document conventions, see the Cisco Technical Tips Conventions.

Backend SSL Configuration

In this section, you are presented with the information to configure the features described in this document.

SSL and Certificates

A trusted Certificate Authority (CA) is required to validate the certificate presented to the SSL module by the Web server when establishing the SSL connection. Multiple trusted CAs can be configured and linked together in a CA pool.

Importing Trusted CA Certificates

Complete these steps:

  1. Create a trusted CA entry indicating the method to be used to import the certificates. In this example, copy and paste the certificate into a terminal window. Also, specify that the CA has no certificate revocation list (CRL); note that with this setting the module does not check whether the server certificate has been revoked.

    ssl-proxy(config)#crypto ca trustpoint CA1
    ssl-proxy(ca-trustpoint)#enrollment terminal 
    ssl-proxy(ca-trustpoint)#crl optional 
  2. Once the CA entry has been created, you can import the associated certificates. Compare the fingerprint that the module displays with one obtained from the CA out of band before you answer yes at the prompt.

    ssl-proxy(config)#crypto ca authenticate CA1
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----END CERTIFICATE-----
    Certificate has the following attributes:
    Fingerprint: 458E7A60 0845AD98 A1649A8B 040F8E99 
    % Do you accept this certificate? [yes/no]: 
  3. You can repeat the steps above for as many CAs as needed.

Creating a Certificate Authority Pool

Now that you have created all the trusted CAs and imported their associated certificates, you need to link these CAs together in a pool.

ssl-proxy(config)#ssl-proxy pool ca pool1
ssl-proxy(config-ca-pool)#ca trustpoint CA1

Configuring the Backend SSL Service

Complete these steps:

  1. Create the SSL-proxy service. Specify that this is a backend SSL service by using the keyword client after the service name.

    ssl-proxy(config)#ssl-proxy service MyHTTPS client
  2. Define the Virtual IP (VIP) address and port on which the SSL module will be listening. The IP address must be part of the IP subnet defined on one of the SSL module VLANs.

    ssl-proxy(config-ssl-proxy)#virtual ipaddr protocol tcp port 80
  3. Define the HTTPS server that the SSL module will connect to.

    ssl-proxy(config-ssl-proxy)#server ipaddr protocol tcp port 443
  4. Link the CA pool, which has already been defined. The name must match a configured pool exactly; if it does not, the service stays operationally down (see the Verify section).

    ssl-proxy(config-ssl-proxy)#trusted-ca mentone-pool
  5. Define what part of the certificate you want the SSL module to verify during SSL negotiation. This step is optional. With signature-only, the module checks only that the server certificate is signed by a CA in the pool.

    ssl-proxy(config-ssl-proxy)#authenticate verify signature-only
  6. Activate the service.

Verify

This section provides information you can use to confirm your configuration is working properly.

Check that your SSL-proxy service is active and working properly:

ssl-proxy#sho ssl-proxy service MyHTTPS
Service id: 260, bound_service_id: 4
Virtual IP:, port: 80  
Server IP:, port: 443
Certificate authority pool: mentone-pool 
  CA pool complete 
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: up

This output shows a correctly configured service: the CA pool is complete and the operation status is up.

This example shows a possible problem: the service references a CA pool that is not configured, so the operation status is down:

ssl-proxy#sho ssl-proxy service gduf 
Service id: 259, bound_service_id: 3
Virtual IP:, port: 80  
Server IP:, port: 443
Certificate authority pool: C2knica (not configured)
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: down
Proxy status: CA pool incomplete

Check the statistics. Check that connections are being received from the client, and that connections are opened with the server.

ssl-proxy#sho ssl-proxy stats
TCP Statistics:
    Conns initiated     : 7             Conns accepted       : 7         
    Conns established   : 14            Conns dropped        : 6         
    Conns Allocated     : 22            Conns Deallocated    : 22        
    Conns closed        : 14            SYN timeouts         : 0         
    Idle timeouts       : 0             Total pkts sent      : 54        
    Data packets sent   : 18            Data bytes sent      : 1227      
    Total Pkts rcvd     : 54            Pkts rcvd in seq     : 24        
    Bytes rcvd in seq   : 9967      

SSL Statistics: 
    conns attempted     : 7             conns completed     : 7         
    full handshakes     : 1             resumed handshakes  : 0         
    active conns        : 0             active sessions     : 0         
    renegs attempted    : 0             conns in reneg      : 0         
    handshake failures  : 6             data failures       : 0         
    fatal alerts rcvd   : 0             fatal alerts sent   : 6         
    no-cipher alerts    : 0             ver mismatch alerts : 0         
    no-compress alerts  : 0             bad macs received   : 0         
    pad errors          : 0             session fails       : 0         

FDU Statistics:
    IP Frag Drops       : 0             IP Version Drops    : 0         
    IP Addr Discards    : 0             Serv_Id Drops       : 0         
    Conn Id Drops       : 0             Bound Conn Drops    : 0         
    Vlan Id Drops       : 0             TCP Checksum Drops  : 0         
    Hash Full Drops     : 0             Hash Alloc Fails    : 0         
    Flow Creates        : 44            Flow Deletes        : 44        
    Conn Id allocs      : 22            Conn Id deallocs    : 22        
    Tagged Pkts Drops   : 0             Non-Tagg Pkts Drops : 0         
    Add ipcs            : 1             Delete ipcs         : 0         
    Disable ipcs        : 1             Enable ipcs         : 0         
    Unsolicited ipcs    : 0             Duplicate Add ipcs  : 0         
    IOS Broadcast Pkts  : 36624         IOS Unicast Pkts    : 1310      
    IOS Multicast Pkts  : 0             IOS Total Pkts      : 37934     
    IOS Congest Drops   : 0             SYN Discards        : 0       
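As an added example (not part of the original Cisco document), this Python script parses the two show command outputs above and reports what a practitioner checks for: a trusted-ca pool name that is not configured, an incomplete CA pool, an operation status other than up, and handshake failures that appear only in the stats. The sample texts are constructed from the outputs in this document.

```python
import re

# Constructed samples, modelled on the "show ssl-proxy service" outputs in this document.
GOOD_SERVICE = """Certificate authority pool: mentone-pool
  CA pool complete
Operation Status: up
"""
BAD_SERVICE = """Certificate authority pool: C2knica (not configured)
Operation Status: down
Proxy status: CA pool incomplete
"""
# Constructed excerpt of "show ssl-proxy stats", two counters per line as on the module.
STATS = """    conns attempted     : 7             conns completed     : 7
    handshake failures  : 6             data failures       : 0
    fatal alerts rcvd   : 0             fatal alerts sent   : 6
"""

def parse_service(text):
    """Map each 'key: value' line of the service output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_stats(text):
    """Pull every 'name : number' counter out of the two-column stats layout."""
    pairs = re.findall(r"([A-Za-z][A-Za-z_ -]*?)\s*:\s*(\d+)", text)
    return {name: int(count) for name, count in pairs}

def check_service(text):
    """Return findings for one service; an empty list means it is usable."""
    f = parse_service(text)
    findings = []
    pool = f.get("Certificate authority pool", "")
    if "(not configured)" in pool:
        findings.append("trusted-ca names pool '%s', which is not configured" % pool.split()[0])
    if "incomplete" in f.get("Proxy status", ""):
        findings.append("proxy status: " + f["Proxy status"])
    if f.get("Operation Status") != "up":
        findings.append("operation status is " + f.get("Operation Status", "missing"))
    return findings

def check_stats(text):
    """Handshake failures appear only in the stats, not in the service output."""
    s = parse_stats(text)
    if not s.get("handshake failures"):
        return []
    return ["%d of %d SSL handshakes with the server failed (%d fatal alerts sent)"
            % (s["handshake failures"], s.get("conns attempted", 0), s.get("fatal alerts sent", 0))]
```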

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
