Cisco Validated Design Guide, Cisco WebEx Social Release 3.3
Sample ACE Configuration for a DMZ Deployment

Sample ACE Configuration for a DMZ Deployment



Sample ACE Configuration for a DMZ Deployment


The following is an example of an ACE configuration used in a WebEx Social DMZ deployment. This configuration was built in a lab environment; actual configurations in your production network will vary depending upon your network. In particular, the `access-list ALL ... permit ip any any` entries applied to every VLAN interface and the `remote_access` management class-map (which permits telnet, http, and snmp in addition to ssh and https) are lab conveniences, and should be restricted to the required source addresses and protocols before the configuration is used on a production DMZ.

interface gigabitEthernet 1/1
  switchport access vlan 11
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  switchport access vlan 1000
  no shutdown
 
   
 
   
crypto chaingroup wxschain
  cert CiscoSSCA2.cer
  cert DSTRootCAX3.cer
 
   
access-list ALL line 8 extended permit ip any any
 
   
 
   
ip domain-lookup
ip name-server xxx.xxx.xxx.xxx (domain server ip)
 
   
probe http HTTP
  description "Simple HTTP probe"
  interval 5
  faildetect 2
  expect status 200 400
probe https HTTPS
  description "Simple HTTPS probe"
  faildetect 2
  passdetect interval 7
  passdetect count 2
  ssl version all
  expect status 200 302
probe icmp PING
  description "Simple Ping Probe"
  interval 5
  faildetect 2
 
   
rserver redirect HTTP-REDIRECT
  webhost-redirection https://wxstme.cisco.com/%p
  inservice
rserver host ws31app1
  ip address 192.168.1.11
  inservice
rserver host ws31app2
  ip address 192.168.1.12
  inservice
 
   
serverfarm redirect REDIRECT-SF
  rserver HTTP-REDIRECT
    inservice
serverfarm host WXS-SF
  probe PING
  rserver ws31app1 80
    inservice
  rserver ws31app2 80
    inservice
 
   
parameter-map type http long-header
  persistence-rebalance
  header modify per-request
  set header-maxparse-length 65535
 
   
sticky http-cookie wsxcookie STICKY-WXS-SF
  cookie insert browser-expire
  timeout 480
  replicate sticky
  serverfarm WXS-SF
 
   
 
   
ssl-proxy service WXS-SSL-PROXY
  key wxstme.key
  cert wxstme.cisco.com.cer
  chaingroup wxschain
 
   
class-map match-any L4-WXS-HTTPS
  2 match virtual-address 172.27.3.198 tcp eq https
class-map match-any WXS-HTTP
  2 match virtual-address 172.27.3.198 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
 
   
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
 
   
policy-map type loadbalance http first-match HTTP-REDIRECT
  class class-default
    serverfarm REDIRECT-SF
policy-map type loadbalance http first-match WSX-SF-LB
  class class-default
    sticky-serverfarm STICKY-WXS-SF
 
   
policy-map multi-match WXS
  class L4-WXS-HTTPS
    loadbalance vip inservice
    loadbalance policy WSX-SF-LB
    loadbalance vip icmp-reply
    nat dynamic 5 vlan 10
    appl-parameter http advanced-options long-header
    ssl-proxy server WXS-SSL-PROXY
  class WXS-HTTP
    loadbalance vip inservice
    loadbalance policy HTTP-REDIRECT
 
   
interface vlan 10
  ip address 192.168.1.4 255.255.255.0
  access-group input ALL
  nat-pool 5 192.168.1.100 192.168.1.106 netmask 255.255.255.0 pat
  service-policy input WXS
  no shutdown
interface vlan 11
  ip address 192.168.2.4 255.255.255.0
  access-group input ALL
  service-policy input WXS
  no shutdown
interface vlan 1000
  ip address 172.27.3.200 255.255.255.224
  access-group input ALL
  access-group output ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input WXS
  no shutdown
 
   
ip route 0.0.0.0 0.0.0.0 172.27.3.193