Catalyst 6500 Series SSL Services Module Configuration Note, 3.1
Example SSL Configurations
Downloads: This chapterpdf (PDF - 689.0KB) The complete bookPDF (PDF - 5.09MB) | Feedback

Example SSL Configurations

Table Of Contents

Example SSL Configurations

Policy-Based Routing Configuration Example

Configuring the Allowed VLANs

Configuring the Access List and Route Map

Importing a Test Certificate

Configuring the SSL Proxy Subinterface

Configuring the SSL Proxy Service

Verifying Service and Connections

CSM and SSL Services Module Configuration Example (Bridge Mode, No NAT)

CSM and SSL Services Module Configuration Example (Router Mode, Server NAT)

Basic Backend Encryption Example

Configuring VLANS and Switchports

Configuring the Allowed VLANs

Configuring the Access List and Route Map

Configuring the SSL Proxy Subinterface

Configuring the Root Certificate Authority Trustpoint for Server Certificate Authentication

Configuring the SSL Proxy Service

Verifying Service and Connections

Integrated Secure Content-Switching Service Example

Configuring the CSM

Configuring the SSL Services Module

Site-To-Site Transport Layer VPN Example

Site 1 Configuration

SSL Module 1 Configuration

Site 2 Configuration

SSL Module 2 Configuration

Certificate Security Attribute-Based Access Control Examples

HTTP Header Insertion Examples

Example 1

Example 2

Example 3

Example 4

Example 5

URL Rewrite Examples

Example 1

Example 2

Example 3

Example 4

HSRP Examples

Standalone Redundancy Example

Supervisor Engine Configuration

SSL 1 Configuration

SSL 2 Configuration

Load Balancing Example

Supervisor Engine Configuration

SSL 1 Configuration

SSL 2 Configuration

Displaying Statistics

Virtualization with VRF Example

Configuring the Supervisor Engine

Configuring the SSL Services Module

Offloading Non-HTTP Protocols Example

Configuring the Supervisor Engine

Configuring the SSL Services Module

Health Probe Example

Configuring the Supervisor Engine

Configuring the SSL Services Module

Health Probe with Default (Server) Port

Health Probe with Port Mismatch

Health Probe with No NAT Server Configured on Service

Health Probe with Port Mismatch and No NAT Server Configured on Service

Client Authentication Example

Configuring the Supervisor Engine

Configuring the SSL Services Module


Example SSL Configurations


This appendix has the following sections:

Policy-Based Routing Configuration Example

CSM and SSL Services Module Configuration Example (Bridge Mode, No NAT)

CSM and SSL Services Module Configuration Example (Router Mode, Server NAT)

Basic Backend Encryption Example

Integrated Secure Content-Switching Service Example

Site-To-Site Transport Layer VPN Example

Certificate Security Attribute-Based Access Control Examples

HTTP Header Insertion Examples

URL Rewrite Examples

HSRP Examples

Virtualization with VRF Example

Offloading Non-HTTP Protocols Example

Health Probe Example

Client Authentication Example

Policy-Based Routing Configuration Example

This section shows a policy-based routing configuration example using a real client and a real server.

In Figure A-1, the SSL Services Module and the real server both have the IP address 3.100.100.151. The IP address on the SSL Services Module is configured with the secondary keyword and will not reply to ARP requests for this address, which avoids the problem of using duplicate IP addresses.

The client (2.200.200.14) is attached to a VLAN 2 switchport (access mode). The client's default gateway IP address is 2.100.100.100 (VLAN 2 IP address on the supervisor engine).

The real server is attached to a VLAN 3 switchport (access mode). The default gateway on the real server is 3.100.100.100 (VLAN 3 IP address on the supervisor engine). The real server has two addresses: 3.100.100.151 (primary) and 3.200.200.146 (alias).

Clear-text (HTTP) traffic destined for IP address 3.100.100.151 on port 80 is sent directly to the real server, which bypasses the SSL Services Module.

With policy-based routing, SSL traffic destined for IP address 3.100.100.151 on port 443 is redirected to the SSL Services Module for decryption. The decrypted traffic is sent to IP address 3.200.200.146 on port 81 (the alias IP address for the real server). The return traffic from the real server is forwarded to the SSL Services Module. The module encrypts the traffic and sends it to the client.

Figure A-1 Client-to-Server Traffic Flow Example

Configuring the Allowed VLANs

These examples show how to allow VLAN 3 between the SSL Services Module and the supervisor engine:

Cisco IOS Software

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ssl-proxy module 8 allowed-vlan 3
Router(config)# ^Z
Router#
Router# show ssl-proxy module 8 state 
SSL-proxy module 8 data-port:
 Switchport:Enabled
Administrative Mode:trunk
Operational Mode:trunk
Administrative Trunking Encapsulation:dot1q
Operational Trunking Encapsulation:dot1q
Negotiation of Trunking:Off
Access Mode VLAN:1 (default)
Trunking Native Mode VLAN:1 (default)
Trunking VLANs Enabled:3
Pruning VLANs Enabled:2-1001
Vlans allowed on trunk:3
Vlans allowed and active in management domain:3
Vlans in spanning tree forwarding state and not pruned:
   3
Allowed-vlan :3

Router# 

Catalyst Operating System Software

Console> (enable) set trunk 8/1 3
Adding vlans 3 to allowed list. 
Console> (enable) show trunk 8/1
* - indicates vtp domain mismatch
# - indicates dot1q-all-tagged enabled on the port
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 8/1      nonegotiate  dot1q          not-trunking  1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 8/1      3

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 8/1      3

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 8/1      3

Configuring the Access List and Route Map

This example shows how to configure the access list and route map for redirecting SSL traffic from the client to the SSL Services Module and for redirecting clear text traffic from the real server to the SSL Services Module:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
Router(config)# ip access-list extended redirect_ssl
Router(config-ext-nacl)# permit tcp any 3.0.0.0 0.255.255.255 eq 443
Router(config-ext-nacl)# !
Router(config-ext-nacl)# ip access-list extended reverse_traffic
Router(config-ext-nacl)# permit tcp 3.0.0.0 0.255.255.255 eq 81 any
Router(config-ext-nacl)# !
Router(config-ext-nacl)# route-map redirect_ssl permit
Router(config-route-map)# match ip address redirect_ssl
Router(config-route-map)# set ip next-hop 3.100.100.150
Router(config-route-map)# !
Router(config-route-map)# route-map reverse_traffic permit 
Router(config-route-map)# match ip address reverse_traffic
Router(config-route-map)# set ip next-hop 3.100.100.150
Router(config-route-map)# !
Router(config-route-map)# interface Vlan2
Router(config-if)# ip address 2.100.100.100 255.0.0.0
Router(config-if)# ip policy route-map redirect_ssl
Router(config-if)# !
Router(config-if)# interface Vlan3
Router(config-if)# ip address 3.100.100.100 255.0.0.0
Router(config-if)# ip policy route-map reverse_traffic
Router(config-if)# !
Router(config-if)#^Z
Router#

Importing a Test Certificate

This example shows how to import the test certificate. For information on configuring a trustpoint and obtaining a certificate, see the "Configuring Keys and Certificates" section:

ssl-proxy# test ssl-proxy certificate install 
% Opening file, please wait ...
% Writing, please wait ............
% Please use the following config command to import the file.
  "crypto pki import <trustpoint-name> pkcs12 nvram:test/testssl.p12 cisco"
% Then you can assign the trustpoint to a proxy service for testing.

*Oct  9 19:49:17.570:%STE-6-PKI_TEST_CERT_INSTALL:Test key and certificate was installed 
into NVRAM in a PKCS#12 file.
ssl-proxy# configure terminal
ssl-proxy(config)# crypto pki import sample pkcs12 nvram: cisco
Source filename [sample]? test/testssl.p12
ssl-proxy(config)#
*Oct  9 19:51:04.674:%SSH-5-ENABLED:SSH 1.5 has been enabled
*Oct  9 19:51:04.678:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.
ssl-proxy(config)# ^Z
ssl-proxy#

Configuring the SSL Proxy Subinterface

This example shows how to add an interface to VLAN 3 on the SSL Services Module:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# interface SSL-Proxy 0.3
ssl-proxy(config-subif)# encapsulation dot1q 3
ssl-proxy(config-subif)# ip address 3.100.100.150 255.0.0.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)# ^Z
ssl-proxy#

Configuring the SSL Proxy Service

This example shows how to add a specific proxy service that identifies a virtual IP address and a server IP address for each proxy:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service sample
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 3.100.100.151 protocol tcp port 443 
secondary 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 3.200.200.146 protocol tcp port 81
ssl-proxy(config-ctx-ssl-proxy)# cert rsa general-purpose trustpoint sample
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# ^Z
ssl-proxy#

Verifying Service and Connections

This example shows how to verify the SSL proxy service and connections:

ssl-proxy# show ssl-proxy service sample
No context name provided, assuming context 'Default'...

Service id:3, bound_service_id:259
Virtual IP:3.100.100.151, port:443 (secondary configured)
Server IP:3.200.200.146, port:81
rsa-general-purpose certificate trustpoint:sample 
  Certificate chain in use for new connections:
    Server Certificate:
       Key Label:sample
       Serial Number:01
    Root CA Certificate:
       Serial Number:00
  Certificate chain complete 
Context name: Default
Context Id  : 0
Admin Status:up
Operation Status:up
ssl-proxy#

ssl-proxy# show ssl-proxy conn
Connections for TCP module 1
Local Address       Remote Address          VLAN   Conid  Send-Q Rwind  Recv-Q State
------------------- -------------------     -----  ------ ------ ------ ------ ------
3.100.100.151.443   2.200.200.14.37820      3      470     0     32768    0    ESTABLISHED
2.200.200.14.37820  3.200.200.146.81        3      471     0     32768    0    ESTABLISHED
ssl-proxy#

CSM and SSL Services Module Configuration Example (Bridge Mode, No NAT)

This section describes a CSM and SSL Services Module configuration that contains two SSL Services Modules, a CSM, a client network, and a server farm that has three web servers (IP addresses 10.20.105.10, 10.20.105.20, and 10.20.105.30).

In this example, the CSM client VLAN and CSM server VLAN for the SSL Services Modules are configured in the same IP subnet (bridge mode), while the CSM server VLAN for the web servers is in a separate IP subnet. (See Figure A-2.)

The CSM is configured so that it does not perform NAT operations when it is load balancing encrypted traffic to the SSL Services Modules. The SSL Services Modules are also configured not to perform NAT operations when they are sending decrypted traffic back to the CSM. The CSM is then configured to perform NAT for the decrypted traffic to the selected destination server.

Figure A-2 Bridge Mode, No NAT Configuration Example

The following addresses are configured on the CSM virtual servers:

Client clear text traffic—10.20.102.100:80

Client SSL traffic—10.20.102.100:443

Decrypted traffic from SSL Services Modules—10.20.102.100:80

The following address is configured on the SSL virtual server:

10.20.102.100:443 (This IP address is configured with the secondary keyword.)

Figure A-2 shows VLAN 102 and VLAN 103 in the same subnet and VLAN 105 in a separate subnet.

Add all required VLANs to the VLAN database, and configure the IP interface for VLAN 102 on the MSFC. Configure VLAN 102, VLAN 103, and VLAN105 on the CSM. See the "Initial SSL Services Module Configuration" section for information on how to configure VLANs and IP interfaces.


Note While VLAN 102 exists as Layer 3 interface on the MSFC, both VLAN 103 and VLAN 105 exist only as VLANs in the VLAN database and as CSM VLANs, but they do not have corresponding Layer 3 interfaces on the MSFC.


This example shows how to create the client and server VLANs on the CSM installed in slot number 5:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5 
Router(config-module-csm)# vlan 102 client
Router(config-slb-vlan-client)# ip address 10.20.102.2 255.255.255.0
Router(config-slb-vlan-client)# gateway 10.20.102.99
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 103 server
Router(config-slb-vlan-server)# ip address 10.20.102.2 255.255.255.0
Router(config-slb-vlan-server)# alias 10.20.102.1 255.255.255.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vlan 105 server
Router(config-slb-vlan-server)# ip address 10.20.105.2 255.255.255.0
Router(config-slb-vlan-server)# alias 10.20.105.1 255.255.255.0
Router(config-slb-vlan-server)# end

This example shows how to allow VLAN 103 between the SSL Services Module and the CSM:

Cisco IOS Software

Router(config)# ssl-proxy module 4 allowed-vlan 103

Catalyst Operating System Software

Console> (enable) set trunk 4/1 103

This example shows how to create the server farm of web servers (configured with server NAT) and the server farm of SSL Services Modules (configured with no server NAT):

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5
Router(config-module-csm)# serverfarm SSLFARM
Router(config-slb-sfarm)# no nat server 
Router(config-slb-sfarm)# real 10.20.102.10
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.102.20
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-module-csm)# serverfarm WEBSERVERS
Router(config-slb-sfarm)# nat server 
Router(config-slb-sfarm)# real 10.20.105.10
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.105.20
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.105.30
Router(config-slb-real)# inservice
Router(config-slb-real)# end 

This example shows how to configure the three virtual servers. In this example, the web servers are receiving traffic on port 80 only, either directly from the clients or as decrypted traffic from the SSL Services Modules (since no port translation is configured).

The CSM distinguishes between requests received directly from the clients and requests received from the SSL Services Modules based on the VLAN from where the connections are received.

A sticky group is also configured to maintain stickiness based on the SSL ID.

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5
Router(config-module-csm)# sticky 100 ssl timeout 30
Router(config-module-csm)# vserver CLEAR_VIP
Router(config-slb-vserver)# virtual 10.20.102.100 tcp www
Router(config-slb-vserver)# vlan 102
Router(config-slb-vserver)# serverfarm WEBSERVERS
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# vserver DECRYPT_VIP
Router(config-slb-vserver)# virtual 10.20.102.100 tcp www
Router(config-slb-vserver)# vlan 103
Router(config-slb-vserver)# serverfarm WEBSERVERS
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# vserver SSL_VIP
Router(config-slb-vserver)# virtual 10.20.102.100 tcp https
Router(config-slb-vserver)# vlan 102
Router(config-slb-vserver)# serverfarm SSLFARM
Router(config-slb-vserver)# sticky 30 group 100
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# end

This example shows how to configure the SSL Services Module to communicate with the CSM:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# interface SSL-Proxy 0.103
ssl-proxy(config-subif)# encapsulation dot1q 103
ssl-proxy(config-subif)# ip address 10.20.102.10 255.255.255.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# end

To complete the configuration, enter the service command under ssl-proxy context to create a new service on the SSL Services Module (test1). This example shows how to configure a virtual IP address that matches the virtual server created on the CSM. (This virtual IP address is configured with the secondary keyword so that the SSL Services Module does not reply to ARP requests for this IP address.) The service is configured to send decrypted traffic back to the CSM without performing NAT.

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service test1
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 10.20.102.100 protocol tcp port 443 
secondary 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 10.20.102.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint testtp 
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# end

The following examples show the output of the various show commands on the MSFC and CSM:

Router# show module csm 5 vlan detail
vlan   IP address       IP mask          type      
---------------------------------------------------
102    10.20.102.2      255.255.255.0    CLIENT
  GATEWAYS
  10.20.102.99     
103    10.20.102.2      255.255.255.0    SERVER
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.102.1      255.255.255.0    
105    10.20.105.2      255.255.255.0    SERVER
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.105.1      255.255.255.0    

Router# show module csm 5 vserver detail
SSL_VIP, type = SLB, state = OPERATIONAL, v_index = 13
  virtual = 10.20.102.100/32:443, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 102, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 2
  Default policy:
    server farm = SSLFARM, backup = <not assigned>
    sticky: timer = 30, subnet = 0.0.0.0, group id = 100
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       2            22           15           

CLEAR_VIP, type = SLB, state = OPERATIONAL, v_index = 14
  virtual = 10.20.102.100/32:80, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 102, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 0
  Default policy:
    server farm = WEBSERVERS, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       0            0            0            

DECRYPT_VIP, type = SLB, state = OPERATIONAL, v_index = 15
  virtual = 10.20.102.100/32:80, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 103, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 2
  Default policy:
    server farm = WEBSERVERS, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       2            11           7            

The following examples show the output of the various show commands on the SSL Services Module:

ssl-proxy# show ssl-proxy service test1
No context name provided, assuming context 'Default'...

Service id: 0, bound_service_id: 256
Virtual IP: 10.20.102.100, port: 443 (secondary configured)
Server IP: 10.20.102.1, port: 80
rsa-general-purpose certificate trustpoint: testtp 
  Certificate chain in use for new connections:
    Server Certificate:
       Key Label: testtp
       Serial Number: 01
    Root CA Certificate:
      Serial Number: 00
  Certificate chain complete 
Context name: Default
Context Id  : 0
Admin Status: up
Operation Status: up
ssl-proxy#
ssl-proxy# show ssl-proxy stats 
TCP Statistics:
    Conns initiated   : 2             Conns accepted   : 2         
    Conns established : 4             Conns dropped    : 4         
    Conns closed      : 4             SYN timeouts     : 0         
    Idle timeouts     : 0             Total pkts sent  : 26        
    Data packets sent : 15            Data bytes sent  : 8177      
    Total Pkts rcvd   : 27            Pkts rcvd in seq : 11        
    Bytes rcvd in seq : 5142      

SSL stats: 
    conns attempted     : 2             conns completed     : 2         
    full handshakes     : 2             resumed handshakes  : 0         
    active conns        : 0             active sessions     : 0         
    renegs attempted    : 0             conns in reneg      : 0         
    handshake failures  : 0             data failures       : 0         
    fatal alerts rcvd   : 0             fatal alerts sent   : 0         
    no-cipher alerts    : 0             ver mismatch alerts : 0         
    no-compress alerts  : 0             bad macs received   : 0         
    pad errors          : 0         

FDU Statistics
    IP Frag Drops     :  0               Serv_Id Drops     :  0           
    Conn Id Drops     :  0               Checksum Drops    :  0           
    IOS Congest Drops :  0               IP Version Drops  :  0           
    Hash Full Drops   :  0               Hash Alloc Fails  :  0           
    Flow Creates      :  4               Flow Deletes      :  4           
    conn_id allocs    :  4               conn_id deallocs  :  4           
    Tagged Drops      :  0               Non-Tagged Drops  :  0           
    Add ipcs          :  0               Delete ipcs       :  0           
    Disable ipcs      :  0               Enable ipcs       :  0           
    Unsolicited ipcs  :  0               Duplicate ADD ipcs:  0           
ssl-proxy#

CSM and SSL Services Module Configuration Example (Router Mode, Server NAT)

This section describes a CSM and SSL Services Module configuration that contains two SSL Services Modules, a CSM, a client network, and a server farm that has three web servers (IP addresses 10.20.105.10, 10.20.105.20, and 10.20.105.30).

In this example, the three CSM VLANs (client VLAN, server VLAN for the SSL Services Modules, and server VLAN for the web servers) are configured in distinct IP subnets (router mode). (See Figure A-3.)

The CSM is configured to perform server NAT operations when it is load balancing the encrypted traffic to the SSL Services Modules. The SSL Services Modules are also configured to perform server NAT operations when they are sending decrypted traffic back to the CSM. The CSM is then configured to perform NAT on the decrypted traffic to the selected destination server.

Figure A-3 Configuration Example—Router Mode, Server NAT

The following addresses are configured on the CSM virtual servers:

Client clear text traffic—10.20.102.100:80

Client SSL traffic—10.20.102.100:443

Decrypted traffic from SSL Services Modules—10.20.103.100:81

The following addresses are configured on the SSL virtual server:

10.20.103.110:443

10.20.103.120:443

In Figure A-3, VLAN 102, VLAN 103, and VLAN 105 are in separate subnets. VLAN 100 (admin) is set up as a separate VLAN for management purposes.

Add all the required VLANs to the VLAN database, and configure the IP interfaces for VLAN 100 and VLAN 102 on the MSFC. Configure VLAN 102, VLAN 103, and VLAN 105 on the CSM. See the "Initial SSL Services Module Configuration" section for information on how to configure VLANs and IP interfaces.


Note While VLAN 100 and VLAN 102 exist as Layer 3 interfaces on the MSFC, both VLAN 103 and VLAN 105 exist only as VLANs in the VLAN database and as CSM VLANs, but they do not have corresponding Layer 3 interfaces on the MSFC.


This example shows how to create the client and server VLANs on the CSM installed in slot number 5:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5 
Router(config-module-csm)# vlan 102 client
Router(config-slb-vlan-client)# ip address 10.20.102.2 255.255.255.0
Router(config-slb-vlan-client)# alias 10.20.102.1 255.255.255.0
Router(config-slb-vlan-client)# gateway 10.20.102.99
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 103 server
Router(config-slb-vlan-server)# ip address 10.20.103.2 255.255.255.0
Router(config-slb-vlan-server)# alias 10.20.103.1 255.255.255.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vlan 105 server
Router(config-slb-vlan-server)# ip address 10.20.105.2 255.255.255.0
Router(config-slb-vlan-server)# alias 10.20.105.1 255.255.255.0
Router(config-slb-vlan-server)# end

This example shows how to allow VLAN 103 (client VLAN) between the SSL Services Module and the CSM, and VLAN 100 (admin VLAN) between the SSL Services Module and the MSFC:

Cisco IOS Software

Router(config)# ssl-proxy module 4 allowed-vlan 100,103

Catalyst Operating System Software

Console> (enable) set trunk 4/1 100,103

This example shows how to create the server farm of web servers (configured with server NAT) and the server farm of SSL Services Modules (configured with server NAT):

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5
Router(config-module-csm)# serverfarm SSLFARM
Router(config-slb-sfarm)# nat server
Router(config-slb-sfarm)# real 10.20.103.110
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.103.120
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-module-csm)# serverfarm WEBSERVERS
Router(config-slb-sfarm)# nat server 
Router(config-slb-sfarm)# real 10.20.105.10
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.105.20
Router(config-slb-real)# inservice
Router(config-slb-real)# real 10.20.105.30
Router(config-slb-real)# inservice
Router(config-slb-real)# end

This example shows how to configure the three virtual servers. In this example, the web servers receive requests on port 80 directly from the clients, and decrypted requests on port 81 from the SSL Services Modules (since IP and port translation are configured).

This example also shows how to configure a sticky group to maintain stickiness based on the SSL ID:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module csm 5
Router(config-module-csm)# sticky 100 ssl timeout 30
Router(config-module-csm)# vserver CLEAR_VIP
Router(config-slb-vserver)# virtual 10.20.102.100 tcp www
Router(config-slb-vserver)# vlan 102
Router(config-slb-vserver)# serverfarm WEBSERVERS
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# vserver DECRYPT_VIP
Router(config-slb-vserver)# virtual 10.20.103.100 tcp 81
Router(config-slb-vserver)# vlan 103
Router(config-slb-vserver)# serverfarm WEBSERVERS
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# vserver SSL_VIP
Router(config-slb-vserver)# virtual 10.20.102.100 tcp https
Router(config-slb-vserver)# vlan 102
Router(config-slb-vserver)# serverfarm SSLFARM
Router(config-slb-vserver)# sticky 30 group 100
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# end

This example shows how to configure the SSL Services Module to communicate with the CSM over VLAN 103 and to communicate with the MSFC over VLAN 100:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# interface SSL-Proxy 0.100
ssl-proxy(config-subif)# encapsulation dot1q 100
ssl-proxy(config-subif)# ip address 10.20.100.10 255.255.255.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)# ip route 0.0.0.0 0.0.0.0 10.20.100.99
ssl-proxy(config)# interface SSL-Proxy 0.103
ssl-proxy(config-subif)# encapsulation dot1q 103
ssl-proxy(config-subif)# ip address 10.20.103.10 255.255.255.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# end

To complete the configuration, enter the service command under ssl-proxy context to create a new service on the SSL Services Module (test1). This example shows how to configure a virtual IP address, which acts as a real server for the CSM. (Since this virtual IP address is required to reply to ARP, the secondary keyword is not entered.) The service is configured to send decrypted traffic back to the CSM and to perform NAT on both the destination IP address and the port:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy contest Default
ssl-proxy(config-context)# service test1
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 10.20.103.110 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 10.20.103.100 protocol tcp port 81
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint testtp
ssl-proxy(config-ctx-ssl-proxy)# nat server
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# end

The following examples show the output of the various show commands on the MSFC and CSM:

Router# show mod csm 5 vlan detail
vlan   IP address       IP mask          type      
---------------------------------------------------
102    10.20.102.2      255.255.255.0    CLIENT
  GATEWAYS
  10.20.102.99     
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.102.1      255.255.255.0    
103    10.20.103.2      255.255.255.0    SERVER
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.103.1      255.255.255.0    
105    10.20.105.2      255.255.255.0    SERVER
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.105.1      255.255.255.0    

Router# show mod csm 5 vser detail
CLEAR_VIP, type = SLB, state = OPERATIONAL, v_index = 10
  virtual = 10.20.102.100/32:80, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 102, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 1
  Default policy:
    server farm = WEBSERVERS, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       1            6            4            

DECRYPT_VIP, type = SLB, state = OPERATIONAL, v_index = 11
  virtual = 10.20.103.100/32:81, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 103, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 2
  Default policy:
    server farm = WEBSERVERS, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       2            11           7            
          
SSL_VIP, type = SLB, state = OPERATIONAL, v_index = 13
  virtual = 10.20.102.100/32:443, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 102, pending = 30
  max parse len = 600, persist rebalance = TRUE
  conns = 0, total conns = 2
  Default policy:
    server farm = SSLFARM, backup = <not assigned>
    sticky: timer = 30, subnet = 0.0.0.0, group id = 100
  Policy          Tot Conn     Client pkts  Server pkts
  -----------------------------------------------------
  (default)       2            21           15 

The following examples show the output of the various show commands on the SSL Services Module:

ssl-proxy# show ssl-proxy service test1
No context name provided, assuming context 'Default'...

Service id: 0, bound_service_id: 256
Virtual IP: 10.20.103.110, port: 443  
Server IP: 10.20.103.100, port: 81
rsa-general-purpose certificate trustpoint: testtp 
  Certificate chain in use for new connections:
    Server Certificate:
       Key Label: testtp
       Serial Number: 01
    Root CA Certificate:
      Serial Number: 00
  Certificate chain complete 
Context name: Default
Context Id  : 0
Admin Status: up
Operation Status: up
ssl-proxy#
ssl-proxy# show ssl-proxy stats
TCP Statistics:
    Conns initiated   : 2             Conns accepted   : 2         
    Conns established : 4             Conns dropped    : 4         
    Conns closed      : 4             SYN timeouts     : 0         
    Idle timeouts     : 0             Total pkts sent  : 26        
    Data packets sent : 15            Data bytes sent  : 8212      
    Total Pkts rcvd   : 26            Pkts rcvd in seq : 11        
    Bytes rcvd in seq : 5177      

SSL stats: 
    conns attempted     : 2             conns completed     : 2         
    full handshakes     : 2             resumed handshakes  : 0         
    active conns        : 0             active sessions     : 0         
    renegs attempted    : 0             conns in reneg      : 0         
    handshake failures  : 0             data failures       : 0         
    fatal alerts rcvd   : 0             fatal alerts sent   : 0         
    no-cipher alerts    : 0             ver mismatch alerts : 0         
    no-compress alerts  : 0             bad macs received   : 0         
    pad errors          : 0         

FDU Statistics
    IP Frag Drops     :  0               Serv_Id Drops     :  0           
    Conn Id Drops     :  0               Checksum Drops    :  0           
    IOS Congest Drops :  0               IP Version Drops  :  0           
    Hash Full Drops   :  0               Hash Alloc Fails  :  0           
    Flow Creates      :  4               Flow Deletes      :  4           
    conn_id allocs    :  4               conn_id deallocs  :  4           
    Tagged Drops      :  0               Non-Tagged Drops  :  0           
    Add ipcs          :  0               Delete ipcs       :  0           
    Disable ipcs      :  0               Enable ipcs       :  0           
    Unsolicited ipcs  :  0               Duplicate ADD ipcs:  0 

Basic Backend Encryption Example

Backend encryption allows you to create a secure end-to-end environment. This example shows a basic backend encryption configuration.

In Figure A-4, the client (7.100.100.1) is connected to switchport 6/47 in access VLAN 7. The server (191.162.2.8) is connected to switchport 10/2 in access VLAN 190.

The SSL proxy 0.7 subinterface has the following configuration:

IP address—7.100.100.150

Static route—191.0.0.0

Virtual IP address of client proxy service—7.100.100.150:81

Server IP address—191.162.2.8

Figure A-4 Basic Backend Encryption

Configuring VLANS and Switchports

These examples show how to create VLANs and assign ports to the respective VLANs:

Cisco IOS Software

Router# configure terminal
Router(config)# vlan 7
Router(config-vlan)# exit
Router(config)# vlan 190
Router(config-vlan)# exit
Router(config)# interface FastEthernet6/47
Router(config-if)# switchport
Router(config-if)# switchport access vlan 7
Router(config-if)# switchport mode access
Router(config-if)# exit
Router(config)#
Router(config)# interface GigabitEthernet10/2
Router(config-if)# switchport
Router(config-if)# switchport access vlan 190
Router(config-if)# switchport mode access
Router(config-if)# exit
Router(config)#

Catalyst Operating System

Console> (enable) set vlan 7
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 7 configuration successful
Console> (enable)
Console> (enable) set vlan 190
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 190 configuration successful
Console> (enable)
Console> (enable) set vlan 7 6/47
VLAN  Mod/Ports
---- -----------------------
7     6/47
Console> (enable) set vlan 190 10/2
VLAN  Mod/Ports
---- -----------------------
190   10/2
Console> (enable)

Configuring the Allowed VLANs

This example shows how to allow VLAN 7 between SSL module in slot 12 and the supervisor engine:

Cisco IOS Software

Router# configure terminal
Router(config)# ssl-proxy module 12 allowed-vlan 7
Router(config)# exit
Router#

Router# show ssl-proxy mod 12 state
Router module 12 data-port:
 
Switchport:Enabled
Administrative Mode:trunk
Operational Mode:trunk
Administrative Trunking Encapsulation:dot1q
Operational Trunking Encapsulation:dot1q
Negotiation of Trunking:Off
Access Mode VLAN:1 (default)
Trunking Native Mode VLAN:1 (default)
Trunking VLANs Enabled:7
Pruning VLANs Enabled:2-1001
Vlans allowed on trunk:7
Vlans allowed and active in management domain:7
Vlans in spanning tree forwarding state and not pruned:
   7
Allowed-vlan :7

Router#

Catalyst Operating System

Console> (enable) show mod 12
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
12  12   1     SSL Module                WS-SVC-SSL-1        no  ok

Mod Module-Name          Serial-Num
--- -------------------- -----------
12                       SAD062004N0

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
12  00-e0-b0-ff-f0-c2                      0.305  7.2(1)     2.1(1)
Console> (enable)
Console> (enable) set trunk 12/1 7
Adding vlans 7 to allowed list.
Port(s) 12/1 allowed vlans modified to 7.
Console> (enable)
Console> (enable) show trunk 12/1
* - indicates vtp domain mismatch
# - indicates dot1q-all-tagged enabled on the port
$ - indicates non-default dot1q-ethertype value
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
12/1      nonegotiate  dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
12/1      7,190

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
12/1      7,190

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
12/1      7,190
Console> (enable)

Configuring the Access List and Route Map

This example shows how to configure the access list and route map for redirecting SSL traffic from the server to the SSL Services Module and for redirecting clear text traffic from the client to the SSL Services Module:

Router(config)# ip access-list extended client
Router(config-ext-nacl)# permit tcp any host 7.100.100.126 eq 81
Router(config-ext-nacl)# exit
Router(config)#
Router(config)# ip access-list extended server
Router(config-ext-nacl)# permit tcp host 191.162.2.8 eq 443 any
Router(config-ext-nacl)# exit
Router(config)#
Router(config)# route-map server permit 10
Router(config-route-map)# match ip address server
Router(config-route-map)# set ip next-hop 7.100.100.150
Router(config-route-map)# exit
Router(config)#
Router(config)# route-map client permit 10
Router(config-route-map)# match ip address client
Router(config-route-map)# set ip next-hop 7.100.100.150
Router(config-route-map)# exit
Router(config)#
Router(config)# interface Vlan7
Router(config-if)# ip address 7.100.100.100 255.0.0.0
Router(config-if)# ip policy route-map client
Router(config-if)# end
Router#
Router# configure terminal
Router(config)# interface Vlan190
Router(config-if)# ip address 191.162.2.10 255.0.0.0
Router(config-if)# ip policy route-map server
Router(config-if)# end

Configuring the SSL Proxy Subinterface

This example shows how to add an interface to VLAN 7 on the SSL Services Module:

ssl-proxy# configure terminal
ssl-proxy(config)# interface ssl-proxy0.7
ssl-proxy(config-subif)# encapsulation dot1q 7
ssl-proxy(config-subif)# ip address 7.100.100.150 255.0.0.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)# ip route 191.0.0.0 255.0.0.0 7.100.100.100

Configuring the Root Certificate Authority Trustpoint for Server Certificate Authentication

This example shows how to configure root certificate authority trustpoint for authenticating server certificates. See the "Server Certificate Authentication" section for information on configuring server certificate authentication.

ssl-proxy(config)# crypto pki trustpoint root
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto pki auth root

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIICSTCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT
BUNpc2NvMQwwCgYDVQQLEwNIU1MxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFn
ZXIwHhcNMDIwNDI3MDcwMDAwWhcNMDYwNDI3MDcwMDAwWjBxMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
BAoTBUNpc2NvMQwwCgYDVQQLEwNIU1MxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1h
bmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAvadjzN/Z3SEe7dBktvG6U1/W
hoe1/vJ6uIV/goS/fwYnr0+Gk1Lw2DGEMN9P1li5qcM2Rgq6E+6AQv2UYerBjQID
AQABo3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQU7u9bvU3N9Wtgnc9GwuoleyKlCAAwHwYDVR0jBBgwFoAU7u9bvU3N9Wtg
nc9GwuoleyKlCAAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAhYZX
upIv+ZRo639io4ZLaiCWePHA+6Oz2n4B1kX9Jqx9fS3Zbyc712BP6lM2Apk5fhBs
6z/WrDRR0GZhlOoAvg==
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint:683F909E 0B9F1651 7AAB8E36 14DBE45F 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# pool ca root-ca
ssl-proxy(config-ctx-ca-pool)# ca trustpoint root
ssl-proxy(config-ctx-ca-pool)# exit

Configuring the SSL Proxy Service

This example shows how to configure the SSL client proxy service to accept clear text connections to virtual IP address 7.100.100.126 with TCP port 81 and to initiate an SSL connection to the backend SSL server IP address 191.162.2.8 with destination TCP port 443. See the "SSL Client Proxy Services" section for information on configuring client proxy services.

ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service backend-ssl client
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.126 protocol tcp port 81 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# ^Z
ssl-proxy#

Verifying Service and Connections

This example shows the successful initiation of the SSL connection to the backend SSL server:

ssl-proxy# show ssl-proxy stats ssl
SSL Statistics:
    conns attempted     :5             conns completed     :5         
    conns in handshake  :0             conns in data       :0         
    renegs attempted    :0             conns in reneg      :0         
    active sessions     :0             max handshake conns :1         
    rand bufs allocated :1             cached rand buf miss:0         
    current device q len:0             max device q len    :1         
    sslv2 forwards      :0             cert reqs processed :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    stale packet drops  :0             service_id discards :0         
    session reuses      :0             hs handle in use    :0         

    SSL3 Statistics:
      full handshakes    :0             resumed handshakes :0         
      handshake failures :0             data failures      :0         
      bad macs received  :0             pad errors         :0         
      conns established with cipher rsa-with-rc4-128-md5        :0         
      conns established with cipher rsa-with-rc4-128-sha        :0         
      conns established with cipher rsa-with-des-cbc-sha        :0         
      conns established with cipher rsa-with-3des-ede-cbc-sha   :0         

    TLS1 Statistics:
      full handshakes    :3             resumed handshakes :2         
      handshake failures :0             data failures      :0         
      bad macs received  :0             pad errors         :0         
      conns established with cipher rsa-with-rc4-128-md5        :5         
      conns established with cipher rsa-with-rc4-128-sha        :0         
      conns established with cipher rsa-with-des-cbc-sha        :0         
      conns established with cipher rsa-with-3des-ede-cbc-sha   :0         

SSL error statistics:
    session alloc fails :0             session limit exceed:0         
    handshake init fails:0             renegotiation fails :0         
    no-cipher alerts    :0             ver mismatch alerts :0         
    no-compress alerts  :0             multi buf rec errors:0         
    ssl peer closes     :0             non-ssl peer closes :0         
    unexpected record   :0             rec formatting error:0         
    rsa pkcs pad errors :0             premaster errors    :0         
    failed rsa reqs     :0             failed random reqs  :0         
    failed key-material :0             failed master-secret:0         
    failed update hash  :0             failed finish hash  :0         
    failed encrypts     :0             failed decrypts     :0         
    bad record version  :0             bad record size     :0         
    cert verify errors  :0             unsupported certs   :0         
    conn aborted        :0         
    overload drops      :0             hs limit exceeded   :0         
    hs handle mem fails :0             conn reuse error    :0         
    dev invalid params  :0             dev failed requests :0         
    dev timeout         :0             dev busy            :0         
    dev cancelled       :0             no dev fails        :0         
    dev resource fails  :0             dev unknown errors  :0         
    dev conn ctx fails  :0             dev cmd ctx fails   :0         
    mem alloc fails     :0             buf alloc fails     :0         
    invalid cipher algo :0             invalid hash algo   :0         
    unaligned buf addr  :0             unaligned buf len   :0         
    internal error      :0             unknown ipcs        :0         
    double free attempts:0             alert-send fails    :0         

SSL Crypto Statistics:
    blocks encrypted    :20            blocks decrypted    :249       
    bytes encrypted     :4898          bytes decrypted     :25194     
    rsa public key ops  :7             rsa private key ops :4         
    crypto failures     :0             device dma errors   :0         

SSL last 5 sec average Statistics:
    full handshakes     :0             resumed handshakes  :0         
    handshake failures  :0             data failures       :0         
    bytes encrypted     :0             bytes decrypted     :0         

SSL last 1 min average Statistics:
    full handshakes     :0             resumed handshakes  :0         
    handshake failures  :0             data failures       :0         
    bytes encrypted     :0             bytes decrypted     :0         

SSL last 5 min average Statistics:
    full handshakes     :0             resumed handshakes  :0         
    handshake failures  :0             data failures       :0         
    bytes encrypted     :0             bytes decrypted     :0         

SSL PKI Statistics:
    number of malloc    :224           number of free      :209       
    ssl buf allocated   :12            ssl buf freed       :8         

    Peer Certificate Verify Statistics:
    cert approved       :3             cert disapproved    :0         
    peer cert empty     :0             total num of request:3         
    req being processed :0             req pending         :0         
    longest queue       :1             longest pending     :0         
    verify congestion   :0             req dropped, q full :0         
    no memory for verify:0             verify data error   :0         
    verify context error:0             context delete error:0         
    timer expired error :0             timer expired count :0         
    late verify result  :0             timer turned on     :3         
    timer turned off    :3             context created     :3         
    context deleted     :3         

    High Priority IPC:
    ipc request received:23            ipc request dropped :0         
    ipc req duplicated  :0             ipc req fragment err:0         
    ipc req parm len err:0             ipc req op code err :0         
    ipc req cert len err:0             ipc response sent   :23        
    ipc resp no memory  :0             ipc resp no ssl buf :0         
    ipc buffer allocated:0             ipc buffer freed    :0         
    ipc buf alloc failed:0             ipc send msg failed :0         

    Normal Priority IPC:
    ipc buffer allocated:3             ipc buffer freed    :3         
    ipc request sent    :3             ipc request received:3         
    ipc buf alloc failed:0             ipc send msg failed :0         
    ipc requests dropped:0         

ssl-proxy# 

Integrated Secure Content-Switching Service Example

Configuring an integrated secure content-switching service (using a content switching module [CSM] as a server load balancer) with backend encryption has all the benefits of load-balancing and content switching, while securing data with full SSL coverage as it traverses paths of vulnerability.

As shown in Figure A-5, an integrated secure content-switching service configuration involves five processing steps:

1. The CSM load-balances the SSL traffic, based on either load-balancing rules or using the SSL sticky feature (see the "Sticky Connections" section for information on configuring sticky connections), to an SSL Services Module.

2. The SSL Services Module terminates the SSL session, decrypts the SSL traffic into clear text traffic, and forwards the traffic back to the CSM.

3. The CSM content-switches the clear text traffic to the SSL Services Module again for encryption to SSL traffic.

4. The SSL Services Module forwards the encrypted SSL traffic to the CSM.

5. The CSM forwards the SSL traffic to the HTTPS server.

Figure A-5 Backend Encryption Example—Integrated Secure Content-Switching Service

Configuring the CSM

This example shows how to configure the VLANs on the CSM. VLAN 24 is the VLAN through which client traffic arrives. VLAN 35 is the VLAN between the SSL Services Module and the CSM.

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# module ContentSwitchingModule 6 
Router(config-module-csm)# vlan 24 client
Route(config-slb-vlan-client)# ip address 24.24.24.24 255.0.0.0
Route(config-slb-vlan-client)# vlan 35 server
Route(config-slb-vlan-server)# ip address 35.35.35.35 255.0.0.0
Route(config-slb-vlan-server)# route 36.0.0.0 255.0.0.0 gateway 35.200.200.3

This example shows how to configure the URL policy for Layer 7 parsing:

Route(config-slb-vlan-server)# map URL url
Router(config-slb-map-url)# match protocol http method GET url /*

This example shows how to create server farms:

Router(config-slb-map-url)# serverfarm SSLCARDS
Router(config-slb-sfarm)# real 35.200.200.101
Router(config-slb-real)# inservice

Router(config-slb-real)# serverfarm VLAN36REALS
Router(config-slb-sfarm)# real 36.200.200.14
Router(config-slb-real)# inservice
Router(config-slb-real)# real 36.200.200.5
Router(config-slb-real)# inservice

This example shows how to create the virtual servers:

Router(config-slb-real)# vserver LB-HTTP-SSLMODS
Router(config-slb-vserver)# virtual 35.35.35.25 tcp 81
Router(config-slb-vserver)# vlan 35
Router(config-slb-vserver)# slb-policy URL
Router(config-slb-vserver)# inservice

Router(config-slb-vserver)# vserver LB-SSL-SSLMODS
Router(config-slb-vserver)# virtual 24.24.24.25 tcp https
Router(config-slb-vserver)# serverfarm SSLCARDS
Router(config-slb-vserver)# inservice

This example shows how to display the status of the real servers and virtual servers:

Router# sh module contentSwitchingModule all reals 
---------------------- CSM in slot 6 ----------------------

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
35.200.200.101        SSLCARDS         8       OPERATIONAL    0        
36.200.200.14         VLAN36REALS      8       OPERATIONAL    0        
36.200.200.5          VLAN36REALS      8       OPERATIONAL    0        

Router# sh module contentSwitchingModule all vservers 
---------------------- CSM in slot 6 ----------------------

vserver         type  prot virtual                  vlan state        conns
---------------------------------------------------------------------------
LB-HTTP-SSLMODS SLB   TCP  35.35.35.25/32:81        35   OPERATIONAL  0       
LB-SSL-SSLMODS  SLB   TCP  24.24.24.25/32:443       ALL  OPERATIONAL  0       

Router# 

Configuring the SSL Services Module

This example shows how to configure the SSL Services Module to communicate with the CSM over VLAN 35:

ssl-proxy(config)# interface SSL-Proxy 0.35
ssl-proxy(config-subif)# encapsulation dot1q 35
ssl-proxy(config-subif)# ip address 35.200.200.3 255.0.0.0
ssl-proxy(config-subif)# no shutdown

This example shows how to configure a trusted certificate authority pool on the SSL Services Module:

ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# pool ca net
ssl-proxy(config-ctx-ca-pool)# ca trustpoint keon-root
ssl-proxy(config-ctx-ca-pool)# ca trustpoint net-root
ssl-proxy(config-ctx-ca-pool)# ca trustpoint TP-1024-pcks12-root

This example shows how to configure a URL rewrite policy on the SSL Services Module:

ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# policy url-rewrite frontend
ssl-proxy(config-ctx-url-rewrite-policy)# url www.cisco.com clearport 80 sslport 443
ssl-proxy(config-ctx-url-rewrite-policy)# url wwwin.cisco.com clearport 80 sslport 443
ssl-proxy(config-ctx-url-rewrite-policy)# url wwwin.cisco.com clearport 81 sslport 443

This example shows how to configure the SSL server proxy that accepts client traffic coming through the CSM. This example also shows how to configure client authentication, SSL v2.0 forwarding, and URL rewrite policy.


Note For SSL V2.0 connections, the SSL Services Module directly opens a connection to SSL Services Module instead of giving it back to CSM.


ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service frontend
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 35.200.200.101 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 35.35.35.25 protocol tcp port 81
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 35.200.200.14 protocol tcp port 443 sslv2
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint TP-1024-pkcs12
ssl-proxy(config-ctx-ssl-proxy)# policy url-rewrite frontend
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca net
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice

This example shows how to configure the SSL client proxy that accepts clear text traffic from the CSM after the traffic completes Layer 7 parsing and decides the real server. This example also shows how to configure client certificates and a wildcard proxy.


Note The gateway address (35.200.200.125) is the address through which the real servers (36.200.200.14 and 36.200.200.5) are reached.


ssl-proxy(config-ctx-ssl-proxy)# service wildcard client
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 0.0.0.0 0.0.0.0 protocol tcp port 81 
secondary
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 35.200.200.125 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint client-cert
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca net
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# ^Z

This example shows how to display the status of the SSL server proxy service:

ssl-proxy# show ssl-proxy service frontend
No context name provided, assuming context 'Default'...
Service id: 2, bound_service_id: 258
Virtual IP: 35.200.200.101, port: 443  
Server IP: 35.35.35.25, port: 81
SSLv2  IP: 35.200.200.14, port: 443
URL Rewrite Policy: frontend
Certificate authority pool: net 
  CA pool complete 
rsa-general-purpose certificate trustpoint: TP-1024-pkcs12 
  Certificate chain for new connections:
    Certificate:
       Key Label: TP-1024-pkcs12, 1024-bit, not exportable
       Key Timestamp: 22:53:16 UTC Mar 14 2003
       Serial Number: 3C2CD2330001000000DB
    Root CA Certificate:
       Serial Number: 313AD6510D25ABAE4626E96305511AC4
  Certificate chain complete 
Certificate authentication type: All attributes (like CRL) are verified
Context name: Default
Context Id  : 0
Admin Status: up
Operation Status: up
ssl-proxy#

This example shows how to display status of the SSL client proxy service:

ssl-proxy# show ssl-proxy service wildcard
No context name provided, assuming context 'Default'...

Service id: 267, bound_service_id: 11
Virtual IP: 0.0.0.0, port: 81 (secondary configured)
Virtual IP mask: 0.0.0.0
Server IP: 35.200.200.125, port: 443
Certificate authority pool: net 
  CA pool complete 
rsa-general-purpose certificate trustpoint: client-cert 
  Certificate chain for new connections:
    Certificate:
       Key Label: client-cert, 1024-bit, not exportable
       Key Timestamp: 18:42:01 UTC Jul 14 2003
       Serial Number: 04
    Root CA Certificate:
       Serial Number: 01
  Certificate chain complete 
Certificate authentication type: All attributes (like CRL) are verified
Context name: Default
Context Id  : 0
Admin Status: up
Operation Status: up
ssl-proxy#

Site-To-Site Transport Layer VPN Example

A site-to-site transport layer VPN configuration connects two trusted sites to support TCP-based applications.

In Figure A-6, SSL module 1 is configured with a client proxy service. SSL module 1 encrypts the client clear text traffic into SSL traffic and forwards the encrypted SSL traffic to SSL module 2 on the remote site through a backend SSL session. SSL module 2 is configured with a standard SSL offload virtual service, which decrypts the received SSL traffic into clear text and forwards it to the servers on the remote site.

When you configure a proxy service as either clear text-to-encryption or encryption-to-clear text mode, the proxy service acts in an SSL client role while communicating with the secure backend server. You need to configure SSL policies to describe the SSL client and the backend SSL session. See the "Configuring SSL Policy" section for information on configuring SSL policies.

This section gives an example of how to tunnel HTTP traffic from the client to the server and back to the client through an SSL VPN.

Figure A-6 Backend Encryption Example—Site-to-Site Transport Layer VPN

In Figure A-6, Site 1 and Site 2 are connected by Gigabit Ethernet; however, both sites could also be connected through the Internet.

The client PC (7.100.100.1) is connected to switchport 2/47 in access VLAN 7. The server (191.162.2.8) is connected to switchport 10/2 in access VLAN 190.

Site 1 Configuration

Site 1 in Figure A-6 shows the SSL Services Module (SSL module 1) installed in slot 13 in Catalyst 6500 series switch 1.

The following example shows how to add a VLAN between the SSL Services Module and the supervisor engine:

cat6k-router-1# show mod 13
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
 13    1  SSL Module                             WS-SVC-SSL-1       SAD062503FZ

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
 13  0010.7b00.0e00 to 0010.7b00.0e07   0.304 7.2(1)       2.1(1)       Ok

Mod Online Diag Status 
--- -------------------
 13 Pass

cat6k-router-1# configure terminal
cat6k-router-1(config)# ssl-proxy module 13 allowed-vlan 7
cat6k-router-1(config)# exit

The following example shows to configure the VLAN, configure a port as a switchport, and assign the switchport to the access VLAN:

cat6k-router-1# configure terminal
cat6k-router-1(config)# vlan 7
cat6k-router-1(config-vlan)# exit
cat6k-router-1(config)# interface FastEthernet2/47
cat6k-router-1(config-if)# switchport
cat6k-router-1(config-if)# switchport access vlan 7
cat6k-router-1(config-if)# switchport mode access
cat6k-router-1(config-if)# exit
cat6k-router-1(config)#

The following examples show how to configure extended access lists:

Access list "client" is used to match any traffic going to IP address 191.162.2.8 with destination TCP port 80 (HTTP traffic).

cat6k-router-1(config)# ip access-list extended client
cat6k-router-1(config-ext-nacl)# permit tcp any host 191.162.2.8 eq www
cat6k-router-1(config-ext-nacl)# exit

Access list "server" is used to match any traffic from IP address 191.162.2.8 with source TCP port 443 (encrypted traffic from site 2).

cat6k-router-1(config)# ip access-list extended server
cat6k-router-1(config-ext-nacl)# permit tcp host 191.162.2.8 eq 443 any
cat6k-router-1(config-ext-nacl)# exit

The following examples show how to configure route maps to redirect traffic to the SSL Services Module for encryption and decryption:

Route map "client" redirects the traffic that matches access-list "client" to the next hop IP address 7.100.100.101 (the IP address of SSL proxy subinterface 0.7 on SSL-module-1).

cat6k-router-1(config)# route-map client permit 10
cat6k-router-1(config-route-map)# match ip address client
cat6k-router-1(config-route-map)# set ip next-hop 7.100.100.101
cat6k-router-1(config-route-map)# exit

Route map "server" redirects the traffic that matches access-list "server" to the next hop IP address 7.100.100.101 (the IP address of SSL proxy subinterface 0.7 on SSL-module-1).

cat6k-router-1(config)# route-map server permit 10
cat6k-router-1(config-route-map)# match ip address server
cat6k-router-1(config-route-map)# set ip next-hop 7.100.100.101
cat6k-router-1(config-route-map)# exit

The following example shows how to configure the routed interface and assign the route map:

cat6k-router-1(config)# interface Vlan7
cat6k-router-1(config-if)# ip address 7.100.100.100 255.0.0.0
cat6k-router-1(config-if)# ip policy route-map client
cat6k-router-1(config-if)# exit
cat6k-router-1(config)# interface GigabitEthernet1/1
cat6k-router-1(config-if)# ip address 217.162.1.2 255.255.255.0
cat6k-router-1(config-if)# ip policy route-map server
cat6k-router-1(config-if)# exit

SSL Module 1 Configuration

The following examples show how to configure the SSL client proxy service. The client proxy service is configured with virtual IP address 191.162.2.8, TCP port 80. The server is configured with IP address 7.100.100.100 so that server-side traffic is sent to 7.100.100.100 for further routing without changing the server IP address. See the "SSL Client Proxy Services" section for information on configuring client proxy services. See the "Server Certificate Authentication" section for more information on authenticating server certificates.

ssl-module1# configure terminal
ssl-module1(config)# ssl-proxy context Default
ssl-module1(config-context)# service encrypt-clear-text client
ssl-module1(config-ctx-ssl-proxy)# virtual ipaddr 191.162.2.8 protocol tcp port 80 
secondary
ssl-module1(config-ctx-ssl-proxy)# server ipaddr 7.100.100.100 protocol tcp port 443
ssl-module1(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert2048
ssl-module1(config-ctx-ssl-proxy)# no nat server
ssl-module1(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-module1(config-ctx-ssl-proxy)# authenticate verify all
ssl-module1(config-ctx-ssl-proxy)# inservice
ssl-module1(config-ctx-ssl-proxy)# exit
ssl-module1(config-context)# exit
ssl-module1(config)#

The following example shows how to configure the SSL proxy subinterface on the SSL Services Module:

ssl-module1(config)# interface SSL-Proxy 0.7
ssl-module1(config-subif)# encapsulation dot1q 7
ssl-module1(config-subif)# ip address 7.100.100.101 255.0.0.0
ssl-module1(config-subif)# no shutdown
ssl-module1(config-subif)# exit

The following example shows how to import the root-ca certificate to the SSL Services Module:

ssl-module1(config)# crypto pki trustpoint root-ca
ssl-module1(ca-trustpoint)# enroll terminal
ssl-module1(ca-trustpoint)# exit
ssl-module1(config)# crypto pki auth root-ca

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2Fu
IGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3Np
bXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIx
NTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNV
BAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYD
VQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sA
MEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5l
VQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGX
BgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVu
cm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9c
XGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290
LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wy
YjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IO
EoBcmZteA+TQcKg=
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

The following example shows how to configure a certificate authority pool. See the "Client Certificate Authentication" section for information on configuring certificate authority pools.

ssl-module1(config)# ssl-proxy context Default
ssl-module1(config-context)# pool ca root-ca
ssl-module1(config-ctx-ca-pool)# ca trustpoint root
ssl-module1(config-ctx-ca-pool)# exit

The following example shows how to disable revocation checking by entering the revocation-check none command for the trustpoint. See the "Checking the Certificate Status" section for information on configuring certificate revocation list options.

ssl-module1(config)# crypto pki trustpoint cert1024
ssl-module1(ca-trustpoint)# revocation-check none
ssl-module1(ca-trustpoint)# exit
ssl-module1(config)# exit
ssl-module1#

Site 2 Configuration

Site 2 in Figure A-6 shows the SSL Services Module (SSL module 2) installed in slot 3 in Catalyst 6500 switch 2.

The following example shows how to add VLAN 190 between SSL Services Module and the supervisor engine:

cat6k-router-2# show mod 3
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3    1  SSL Module                             WS-SVC-SSL-1       SAD0722010N

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3  0002.fcbe.91f0 to 0002.fcbe.91f7   2.0   7.2(1)       2.1(1)       Ok

Mod Online Diag Status 
--- -------------------
  3 Bypass

cat6k-router-2# config t
cat6k-router-2(config)# ssl-proxy module 3 allowed-vlan 190
cat6k-router-2(config)# exit

The following example shows how to configure the VLAN, configure the server port as a switchport, and assign the switchport to the access VLAN:

cat6k-router-2# config t
cat6k-router-2(config-vlan)# vlan 190
cat6k-router-2(config)# exit
cat6k-router-2# config t
cat6k-router-2(config)# interface GigabitEthernet10/2
cat6k-router-2(config-if)# switchport
cat6k-router-2(config-if)# switchport access vlan 190
cat6k-router-2(config-if)# switchport mode access
cat6k-router-2(config-if)# spanning-tree portfast
cat6k-router-2(config-if)# exit
cat6k-router-2(config)#

The following examples show how to configure the access lists:

Access list "client" is used to match traffic going to host IP address 191.162.2.8 with destination TCP port 443 (the standard SSL port number).

cat6k-router-2(config)# ip access-list extended client
cat6k-router(config-ext-nacl)# permit tcp any host 191.162.2.8 eq 443
cat6k-router(config-ext-nacl)# exit
cat6k-router-2(config)#

Access list "server" is used to match traffic from server IP address 191.162.2.8 with source port 80 (HTTP traffic).

cat6k-router-2(config)# ip access-list extended server
cat6k-router(config-ext-nacl)# permit tcp host 191.162.2.8 eq 80 any
cat6k-router(config-ext-nacl)# exit
cat6k-router-2(config)#

The following examples show how to configure route maps to redirect traffic to the SSL Services Module for encryption and decryption:

Route map "client" redirects the traffic that matches access-list "client" to the next hop IP address 191.162.2.11 (the IP address of SSL proxy 0.190 subinterface on SSL-module-2). This configuration redirects encrypted HTTP traffic to the SSL Services Module for decryption.

cat6k-router-2(config)# route-map client permit 10
cat6k-route(config-route-map)# match ip address client
cat6k-route(config-route-map)# set ip next-hop 191.162.2.11
cat6k-route(config-route-map)# exit
cat6k-router-2(config)#

Route map "server" redirects the traffic that matches access-list "server" to the next hop IP address 191.162.2.11 (the IP address of SSL proxy 0.190 subinterface on SSL-module-2). This configuration redirects clear text HTTP traffic to the SSL Services Module for encryption.

cat6k-router-2(config)# route-map server permit 10
cat6k-route(config-route-map)# match ip address server
cat6k-route(config-route-map)# set ip next-hop 191.162.2.11
cat6k-route(config-route-map)# exit
cat6k-router-2(config)#

The following example shows how to configure the routed-interface and assign the IP policy route maps:

cat6k-router-2(config)# interface GigabitEthernet1/1
cat6k-router-2(config-if)# ip address 217.162.1.1 255.255.255.0
cat6k-router-2(config-if)# ip policy route-map client
cat6k-router-2(config-if)# exit
cat6k-router-2(config)#
cat6k-router-2(config-if)# interface Vlan190
cat6k-router-2(config-if)# ip address 191.162.2.10 255.0.0.0
cat6k-router-2(config-if)# ip policy route-map server
cat6k-router-2(config-if)# exit
cat6k-router-2(config)# exit

SSL Module 2 Configuration

The following example shows how to configure the SSL server proxy to decrypt the encrypted HTTP traffic into clear text HTTP traffic:

ssl-module2# configure terminal
ssl-module2(config)# ssl-proxy context Default
ssl-module2(config-context)# service decrypt-ssl-traffic
ssl-module2(config-ctx-ssl-proxy)# virtual ipaddr 191.162.2.8 protocol tcp port 443 
secondary
ssl-module2(config-ctx-ssl-proxy)# server ipaddr 191.162.2.10 protocol tcp port 80 
ssl-module2(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-module2(config-ctx-ssl-proxy)# no nat server
ssl-module2(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-module2(config-ctx-ssl-proxy)# authenticate verify all
ssl-module2(config-ctx-ssl-proxy)# inservice
ssl-module2(config-ctx-ssl-proxy)# exit
ssl-module2(config)#

This example shows how to configure SSL proxy subinterface:

ssl-module2(config)# interface SSL-Proxy 0.190
ssl-module2(config-subif)# encapsulation dot1q 190
ssl-module2(config-subif)# ip address 191.162.2.11 255.255.0.0
ssl-module2(config-subif)# no shutdown
ssl-module2(config-subif)# exit
ssl-module2(config)#

The following example shows how to import the root-ca certificate to the SSL Services Module:

ssl-module2(config)# crypto pki trustpoint root-ca
ssl-module2(ca-trustpoint)# revocation-check none
ssl-module2(ca-trustpoint)# enrollment terminal
ssl-module2(ca-trustpoint)# exit
ssl-module2(config)# crypto pki authenticate root-ca

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIC1zCCAoGgAwIBAgIQadUxzU/i97hDmZRYJ1bBcDANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKY2FsaWZvcm5pYTERMA8GA1UEBxMIc2Fu
IGpvc2UxDjAMBgNVBAoTBWNpc2NvMQwwCgYDVQQLEwNoc3MxIDAeBgNVBAMTF3Np
bXBzb24tZGV2dGVzdC1yb290LUNBMB4XDTAzMTExMTIxNDgwMloXDTEzMTExMTIx
NTczOVowdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCmNhbGlmb3JuaWExETAPBgNV
BAcTCHNhbiBqb3NlMQ4wDAYDVQQKEwVjaXNjbzEMMAoGA1UECxMDaHNzMSAwHgYD
VQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1DQTBcMA0GCSqGSIb3DQEBAQUAA0sA
MEgCQQCWEibAnUlVqQNUn0Wb94qnHi8FKjmVhibLHGRl6J+V7gHgzmF2MTz5WP5l
VQ2/1NVu0HjUORRdeCm1/raKJ/7ZAgMBAAGjgewwgekwCwYDVR0PBAQDAgHGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCYGLUBTKNd9EgUonHnoSvbHg0axMIGX
BgNVHR8EgY8wgYwwQ6BBoD+GPWh0dHA6Ly9jaXNjby1sOGo2b2hwbnIvQ2VydEVu
cm9sbC9zaW1wc29uLWRldnRlc3Qtcm9vdC1DQS5jcmwwRaBDoEGGP2ZpbGU6Ly9c
XGNpc2NvLWw4ajZvaHBuclxDZXJ0RW5yb2xsXHNpbXBzb24tZGV2dGVzdC1yb290
LUNBLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBACBqe1wy
YjalelGZqLVu4bDVMFo6ELCV2AMBgi41K3ix+Z/03PJd7ct2BIAF4lktv9pCe6IO
EoBcmZteA+TQcKg=
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint:AC6FC55E CC29E891 0DC3FAAA B4747C10 
% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ssl-module2(config)#

The following example shows how to configure a certificate authority pool. See the "Client Certificate Authentication" section for information on configuring certificate authority pools. The example also show to disable certificate revocation checking by entering the revocation-check none command for the trustpoint. See the "Checking the Certificate Status" section for information on configuring certificate revocation list options.

ssl-module2(config)# ssl-proxy context Default
ssl-module2(config-context)# pool ca root-ca
ssl-module2(config-ctx-ca-pool)# ca trustpoint root-ca
ssl-module2(config-ctx-ca-pool)# exit
ssl-module2(config-context)# exit
ssl-module2(config)# crypto pki trustpoint cert1024
ssl-module2(ca-trustpoint)# revocation-check none
ssl-module2(ca-trustpoint)# exit
ssl-module2(config)#

The following example show how to display statistics when connections are active:

SSL module 1

ssl-module1# show ssl-proxy con
Connections for TCP module 1
Local Address         Remote Address        VLAN Conid  Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
191.162.2.8:80        7.100.100.1:34472     7    9      0      0      ESTAB 
7.100.100.1:34472     191.162.2.8:443       7    196617 0      0      ESTAB 

SSL module 12

ssl-module2# show ssl-proxy con
Connections for TCP module 1
Local Address         Remote Address        VLAN Conid  Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
191.162.2.8:443       7.100.100.1:34472     190  9      0      0      ESTAB 
7.100.100.1:34472     191.162.2.8:80        190  196617 0      0      ESTAB 

Certificate Security Attribute-Based Access Control Examples

The Certificate Security Attribute-Based Access Control feature adds fields to the certificate that allow specifying an access control list (ACL) to create a certificate-based ACL.

For information on configuring certificate security attribute-based access control, refer to Certificate Security Attribute-Based Access Control at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftcrtacl.htm

In the following example, SSL connections for the SSL proxy service "ssl-offload" are successful only if the subject-name of the client certificate contains the domain name .cisco.com:

ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# pool ca root-ca
ssl-proxy(config-ctx-ca-pool)# ca trustpoint root
ssl-proxy(config-ctx-ca-pool)# end
ssl-proxy(config)#
ssl-proxy(config)# crypto pki trustpoint root
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# revocation-check none
ssl-proxy(ca-trustpoint)# match certificate acl
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki certificate map acl 10
ssl-proxy(ca-certificate-map)# subject-name co .cisco.com
ssl-proxy(ca-certificate-map)# exit

In the following example, certificate ACLs are configured so that SSL connections for the proxy service "ssl-offload" are successful for the following conditions:

the subject-name of the client certificate contains ste3-server.cisco.com or ste2-server.cisco.com.

the valid-start of the client certificate is greater than or equal to 30th Jul 2003.

the expiration date of the client certificate is less than 1st Jan 2007.

the issuer-name of the client certificate contains "certificate manager" in the string.

ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# pool ca root-ca
ssl-proxy(config-ctx-ca-pool)# ca trustpoint root
ssl-proxy(config-ctx-ca-pool)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki trustpoint root
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# revocation-check none
ssl-proxy(ca-trustpoint)# match certificate acl
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki certificate map acl 10
ssl-proxy(ca-certificate-map)# subject-name co ste3-server.cisco.com
ssl-proxy(ca-certificate-map)# valid-start ge Jul 30 2003 00:00:00 UTC
ssl-proxy(ca-certificate-map)# expires-on lt Jan 01 2007 00:00:00 UTC
ssl-proxy(ca-certificate-map)# issuer-name co certificate manager
ssl-proxy(ca-certificate-map)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki certificate map acl 20
ssl-proxy(ca-certificate-map)# subject-name co ste2-server.cisco.com
ssl-proxy(ca-certificate-map)# expires-on lt Jan 01 2007 00:00:00 UTC
ssl-proxy(ca-certificate-map)# issuer-name co certificate manager
ssl-proxy(ca-certificate-map)# valid-start ge Jul 30 2003 00:00:00 UTC
ssl-proxy(ca-certificate-map)# exit
 
   

In the following SSL initiation example, the server certificate is checked for the domain name in the certificate field. SSL initiation is successful only if the subject-name of the server certificate contains the domain name .cisco.com:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service ssl-initiation client
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 81 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# ssl-proxy pool ca root-ca
ssl-proxy(config-ca-pool)# ca trustpoint root
ssl-proxy(config-ca-pool)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki trustpoint root
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# revocation-check none
ssl-proxy(ca-trustpoint)# match certificate acl
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)#
ssl-proxy(config)# crypto pki certificate map acl 10
ssl-proxy(ca-certificate-map)# subject-name co .cisco.com
ssl-proxy(ca-certificate-map)# exit
ssl-proxy(config)#

HTTP Header Insertion Examples

The following examples show how to insert various HTTP headers and how to display header insertion statistics.

Example 1

This example shows how to insert custom headers, client IP address and TCP port number information, and a prefix string in HTTP requests that are sent to the server:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# policy http-header ssl-offload
ssl-proxy(config-ctx-http-header-policy)# custom SOFTWARE VERSION :3.1(1)
ssl-proxy(config-ctx-http-header-policy)# custom module :SSL MODULE - CATALYST 6500
ssl-proxy(config-ctx-http-header-policy)# custom 
type-of-proxy:server_proxy_with_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)# exit
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# policy http-header ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# end
ssl-proxy(config)# exit

Custom headers and client IP address and TCP port number information are added to every HTTP request and are prefixed by the prefix string, as shown below:

SSL-OFFLOAD-Client-IP:7.100.100.1
SSL-OFFLOAD-Client-Port:59008
SSL-OFFLOAD-SOFTWARE VERSION :3.1(1)
SSL-OFFLOAD-module :SSL MODULE - CATALYST 6500
SSL-OFFLOAD-type-of-proxy:server_proxy_with_1024_bit_key_size 

This example shows how to display header insertion information:

ssl-proxy# show ssl-proxy stats hdr
Header Insert Statistics:
    Session Headers Inserted : 4          Custom Headers Inserted : 8         
    Session Id's Inserted    : 4          Client Cert. Inserted   : 2         
    Client IP/Port Inserted  : 4          PEM Cert. Inserted      : 0         
    Aliased Hdrs Inserted    : 0         
    No End of Hdr Detected   : 0          Payload no HTTP header  : 0         
    Desc Alloc Failed        : 0          Buffer Alloc Failed     : 0         
    Client Cert Errors       : 0          Malloc failed           : 0         
    Service Errors           : 0          Conn Entry Invalid      : 0         
    Buffers allocated        : 0          Buffers Scanned         : 4         
    Insertion Points Found   : 4          Hdrs Spanning Records   : 0         
    End of Header Found      : 4          Buffers Accumulated     : 4         
    Multi-buffer IP Port     : 0          Multi-buffer Session Id : 0         
    Multi-buffer Session Hdr : 0          Multi-buffer Custom Hdr : 0         
    Scan Internal Error      : 0          Database Not Initialized: 0         

This example shows how to display SSL statistics:

ssl-proxy# show ssl-proxy stats ssl
SSL Statistics: 
    conns attempted     : 15            conns completed     : 15        
    conns in handshake  : 0             conns in data       : 0         
    renegs attempted    : 0             conns in reneg      : 0         
    active sessions     : 0             max handshake conns : 3         
    rand bufs allocated : 1             cached rand buf miss: 0         
    current device q len: 0             max device q len    : 1         
    sslv2 forwards      : 0             cert reqs processed : 6         
    fatal alerts rcvd   : 0             fatal alerts sent   : 5         
    stale packet drops  : 0             service_id discards : 0         
    session reuses      : 0             hs handle in use    : 0         
    netscape step-ups   : 0             SGC step-ups        : 0         
 
    SSL3 Statistics:
      full handshakes    : 0             resumed handshakes : 0         
      handshake failures : 0             data failures      : 0         
      bad macs received  : 0             pad errors         : 0         
      conns established with cipher rsa-with-rc4-128-md5          : 0         
      conns established with cipher rsa-with-rc4-128-sha          : 0         
      conns established with cipher rsa-with-des-cbc-sha          : 0         
      conns established with cipher rsa-with-3des-ede-cbc-sha     : 0         
      conns established with cipher rsa-with-null-md5             : 0         
      conns established with cipher rsa-exp1024-with-des-cbc-sha  : 0         
      conns established with cipher rsa-exp1024-with-rc4-56-sha   : 0         
      conns established with cipher rsa-exp1024-with-rc4-56-md5   : 0         
      conns established with cipher rsa-exp-with-rc4-40-md5       : 0         
      conns established with cipher rsa-exp-with-des40-cbc-sha    : 0         
 
    TLS1 Statistics:
      full handshakes    : 6             resumed handshakes : 2         
      handshake failures : 0             data failures      : 0         
      bad macs received  : 0             pad errors         : 0         
      conns established with cipher rsa-with-rc4-128-md5          : 8         
      conns established with cipher rsa-with-rc4-128-sha          : 0         
      conns established with cipher rsa-with-des-cbc-sha          : 0         
      conns established with cipher rsa-with-3des-ede-cbc-sha     : 0         
      conns established with cipher rsa-with-null-md5             : 0         
      conns established with cipher rsa-exp1024-with-des-cbc-sha  : 0         
      conns established with cipher rsa-exp1024-with-rc4-56-sha   : 0         
      conns established with cipher rsa-exp1024-with-rc4-56-md5   : 0         
      conns established with cipher rsa-exp-with-rc4-40-md5       : 0         
      conns established with cipher rsa-exp-with-des40-cbc-sha    : 0         

Example 2

This example shows how to insert session headers and a prefix string. The full session headers are added to the HTTP request when the full SSL handshake occurs. However, only the session ID is inserted when the session resumes.

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# policy http-header ssl-offload
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)# exit
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# policy http-header ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# end
ssl-proxy(config)# exit

For the full SSL handshake, the session headers, prefixed by the prefix string, are added to the HTTP request as shown below:

SSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:
2F:30:9C:2F:CD:56:2B:91:F2:FF
SSL-OFFLOAD-Session-Step-Up: FALSE
SSL-OFFLOAD-Session-Initial-Cipher-Name: 
SSL-OFFLOAD-Session-Initial-Cipher-Key-Size: 
SSL-OFFLOAD-Session-Initial-Cipher-Use-Size: 
SSL-OFFLOAD-Session-Cipher-Name:RC4-SHA
SSL-OFFLOAD-Session-Cipher-Key-Size:128
SSL-OFFLOAD-Session-Cipher-Use-Size:128 

When the session resumes, only the session ID is inserted:

SSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:
2F:30:9C:2F:CD:56:2B:91:F2:FF

This example shows how to display header insertion information:

ssl-proxy# show ssl-proxy stats hdr
Header Insert Statistics:
    Session Headers Inserted :1          Custom Headers Inserted :0         
    Session Id's Inserted    :2          Client Cert. Inserted   :0         
    Client IP/Port Inserted  :0         
    No End of Hdr Detected   :0          Payload no HTTP header  :0         
    Desc Alloc Failed        :0          Buffer Alloc Failed     :0         
    Client Cert Errors       :0          No Service              :0         

This example shows how to display SSL statistics:

ssl-proxy# show ssl-proxy stats ssl
SSL Statistics:
    conns attempted     :2             conns completed     :2         
    conns in handshake  :0             conns in data       :0         
    renegs attempted    :0             conns in reneg      :0         
    active sessions     :0             max handshake conns :1         
    rand bufs allocated :0             cached rand buf miss:0         
    current device q len:0             max device q len    :2         
    sslv2 forwards      :0             cert reqs processed :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    stale packet drops  :0             service_id discards :0         
    session reuses      :0         

    SSL3 Statistics:
      full handshakes    :0             resumed handshakes :0         
      handshake failures :0             data failures      :0         
      bad macs received  :0             pad errors         :0         
      conns established with cipher rsa-with-rc4-128-md5        :0         
      conns established with cipher rsa-with-rc4-128-sha        :0         
      conns established with cipher rsa-with-des-cbc-sha        :0         
      conns established with cipher rsa-with-3des-ede-cbc-sha   :0         

    TLS1 Statistics:
      full handshakes    :1             resumed handshakes :1         
      handshake failures :0             data failures      :0         
      bad macs received  :0             pad errors         :0         
      conns established with cipher rsa-with-rc4-128-md5        :0         
      conns established with cipher rsa-with-rc4-128-sha        :2         
      conns established with cipher rsa-with-des-cbc-sha        :0         
      conns established with cipher rsa-with-3des-ede-cbc-sha   :0 

Example 3

This example shows how to insert custom headers, decoded client certificate fields, and the IP address and destination TCP port number of the client-side connection, prefixed by the prefix string. The complete decoded client certificate fields are inserted for the full SSL handshake. However, only session ID is inserted when the SSL session resumes.

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# policy http-header ssl-offload
ssl-proxy(config-ctx-http-header-policy)# custom SOFTWARE VERSION :3.1(1)
ssl-proxy(config-ctx-http-header-policy)# custom module :SSL MODULE - CATALYST 6500
ssl-proxy(config-ctx-http-header-policy)# custom 
type-of-proxy:server_proxy_with_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)# client-cert
ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)# exit
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# policy http-header ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# end
ssl-proxy(config)# exit

For the full SSL handshake, the custom headers, decoded client certificate fields, the IP address and destination TCP port number of the client-side connection, prefixed by the prefix string, are added to the HTTP request, as shown below:

SSL-OFFLOAD-Client-IP:7.100.100.1
SSL-OFFLOAD-Client-Port:59011
SSL-OFFLOAD-Session-Id:0F:61:9C:F2:E5:98:70:9D:1B:C1:EA:1D:38:F5:A1:2B:00:00:0E:03:00:60:
2F:30:9C:2F:1D:7D:5A:82:30:F6
SSL-OFFLOAD-SOFTWARE VERSION :3.1(1)
SSL-OFFLOAD-module :SSL MODULE - CATALYST 6500
SSL-OFFLOAD-type-of-proxy:server_proxy_with_1024_bit_key_size
SSL-OFFLOAD-ClientCert-Valid:1
SSL-OFFLOAD-ClientCert-Error:none
SSL-OFFLOAD-ClientCert-Fingerprint:1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85 
SSL-OFFLOAD-ClientCert-Subject-CN:a
SSL-OFFLOAD-ClientCert-Issuer-CN:Certificate Manager
SSL-OFFLOAD-ClientCert-Certificate-Version:3
SSL-OFFLOAD-ClientCert-Serial-Number:0F:E5 
SSL-OFFLOAD-ClientCert-Data-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Subject:OID.1.2.840.113549.1.9.2 = ste2-server.cisco.com +
OID.2.5.4.5 = B0FFF22E, CN = a, O = Cisco
SSL-OFFLOAD-ClientCert-Issuer:CN = Certificate Manager, OU = HSS, O = Cisco, L = San Jose,
ST = California, C = US
SSL-OFFLOAD-ClientCert-Not-Before:22:29:26 UTC Jul 30 2003
SSL-OFFLOAD-ClientCert-Not-After:07:00:00 UTC Apr 27 2006
SSL-OFFLOAD-ClientCert-Public-Key-Algorithm:rsaEncryption
SSL-OFFLOAD-ClientCert-RSA-Public-Key-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus:B3:32:3C:5E:C9:D1:CC:76:FF:81:F6:F7:97:58:91:4D:B2:0E:
C1:3A:7B:62:63:BD:5D:F6:5F:68:F0:7D:AC:C6:72:F5:72:46:7E:FD:38:D3:A2:E1:03:8B:EC:F7:C9:9A:
80:C7:37:DA:F3:BE:1F:F4:5B:59:BD:52:72:94:EE:46:F5:29:A4:B3:9B:2E:4C:69:D0:11:59:F7:68:3A:
D9:6E:ED:6D:54:4E:B5:A7:89:B9:45:9E:66:0B:90:0B:B1:BD:F4:C8:15:12:CD:85:13:B2:0B:FE:7E:8D:
F0:D7:4A:98:BB:08:88:6E:CC:49:60:37:22:74:4D:73:1E:96:58:91 
SSL-OFFLOAD-ClientCert-RSA-Exponent:00:01:00:01 
SSL-OFFLOAD-ClientCert-X509v3-Authority-Key-Identifier:keyid=EE:EF:5B:BD:4D:CD:F5:6B:60:
9D:CF:46:C2:EA:25:7B:22:A5:08:00 
SSL-OFFLOAD-ClientCert-X509v3-Basic-Constraints:
SSL-OFFLOAD-ClientCert-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Signature:87:09:C1:F8:86:C1:15:C5:57:18:8E:B3:0D:62:E1:0F:6F:D4:9D:
75:DA:5D:53:E2:C6:0B:73:99:61:BE:B0:F6:19:83:F2:E5:48:1B:D2:6C:92:83:66:B3:63:A6:58:B4:5C:
0E:5D:1B:60:F9:86:AF:B3:93:07:77:16:74:4B:C5 
SSL-OFFLOAD-ClientCert-X509v3-Subject-Alternative-Name: 
ipAddress=192.168.1.100,rfc822Name=my@other.com
SSL-OFFLOAD-ClientCert-X509v3-Key-Usage: Digital Signature,Non-Repudiation,Key 
Encipherment,
Data Encipherment,Key Agreement,Key Cert Sign,CRL Signature,Encipher Only,Decipher Only
SSL-OFFLOAD-ClientCert-X509v3-Authority-Information-Access: Access Method=OCSP,Access 
Location=http://ocsp.my.host/" 
SSL-OFFLOAD-ClientCert-X509v3-CRL-Distribution-Points: http://myhost.com/myca.crl

This example shows how to display header insertion information:

ssl-proxy# show ssl-proxy stats hdr
Header Insert Statistics:
    Session Headers Inserted :0          Custom Headers Inserted :1         
    Session Id's Inserted    :1          Client Cert. Inserted   :1         
    Client IP/Port Inserted  :1         
    No End of Hdr Detected   :0          Payload no HTTP header  :0         
    Desc Alloc Failed        :0          Buffer Alloc Failed     :0         
    Client Cert Errors       :0          No Service              :0         

This example shows how to display SSL statistics:

ssl-proxy# show ssl-proxy stats ssl
SSL Statistics:
    conns attempted     :1             conns completed     :1 
    conns in handshake  :0             conns in data       :0 
    renegs attempted    :0             conns in reneg      :0 
    active sessions     :0             max handshake conns :1 
    rand bufs allocated :0             cached rand buf miss:0 
    current device q len:0             max device q len    :2 
    sslv2 forwards      :0             cert reqs processed :1 
    fatal alerts rcvd   :0             fatal alerts sent   :0 
    stale packet drops  :0             service_id discards :0 
    session reuses      :0 

    SSL3 Statistics:
      full handshakes    :0             resumed handshakes :0 
      handshake failures :0             data failures      :0 
      bad macs received  :0             pad errors         :0 
      conns established with cipher rsa-with-rc4-128-md5        :0 
      conns established with cipher rsa-with-rc4-128-sha        :0 
      conns established with cipher rsa-with-des-cbc-sha        :0 
      conns established with cipher rsa-with-3des-ede-cbc-sha   :0 

    TLS1 Statistics:
      full handshakes    :1             resumed handshakes :0 
      handshake failures :0             data failures      :0 
      bad macs received  :0             pad errors         :0 
      conns established with cipher rsa-with-rc4-128-md5        :0 
      conns established with cipher rsa-with-rc4-128-sha        :0 
      conns established with cipher rsa-with-des-cbc-sha        :0 
      conns established with cipher rsa-with-3des-ede-cbc-sha   :1 

Example 4

This example shows how to configure the SSL Services Module to insert session headers, a header alias, and a prefix:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy http-header ssl-offload
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name
ssl-proxy(config-ctx-http-header-policy)# exit
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# policy http-header ssl-offload
 

In addition to the standard HTTP headers, the following header information is inserted:


Note The alias name (My-Session-Cipher) is used instead of the standard name (session-cipher-name).


SSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:
2F:30:9C:2F:CD:56:2B:91:F2:FF
SSL-OFFLOAD-My-Session-Cipher:RC4-SHA
SSL-OFFLOAD-Session-Cipher-Key-Size:128
SSL-OFFLOAD-Session-Cipher-Use-Size:128
SSL-OFFLOAD-Session-Step-Up:FALSE
SSL-OFFLOAD-Session-Initial-Cipher-Key-Size:
SSL-OFFLOAD-Session-Initial-Cipher-Name:
SSL-OFFLOAD-Session-Initial-Cipher-Use-Size: 

Example 5

This example shows how to insert the client certificate in PEM format as a header, and it adds a prefix string to the header. The PEM format client certificate is inserted for the full SSL handshake. However, only the session ID is inserted when the SSL session resumes.

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# policy http-header ssl-offload
ssl-proxy(config-ctx-http-header-policy)# client-cert pem
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)# exit
ssl-proxy(config-context)# service ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 191.162.2.8 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-proxy(config-ctx-ssl-proxy)# nat client client-nat
ssl-proxy(config-ctx-ssl-proxy)# policy http-header ssl-offload
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca root-ca
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config)# exit
 

For the full SSL handshake, the PEM format client certificate, prefixed by the prefix string, is added to the HTTP request, as shown below:

SSL-OFFLOAD-Session-Id: 3A:D9:E3:B7:6E:95:EA:B4:A8:9E:E0:BD:76:8D:43:3A:00:00:12:03:00:E0:
B0:FF:F1:48:1C:5B:B2:62:D9:40
SSL-OFFLOAD-ClientCert-PEM: 	-----BEGIN CERTIFICATE-----
MIIDcDCCAtmgAwIBAgIBDDANBgkqhkiG9w0BAQQFADCBhjEeMBwGA1UEAxMVTXkg
Q2VydGlmaWNhdGlvbiBBdXRoMQ8wDQYDVQQIEwZBbGFza2ExCzAJBgNVBAYTAlVT 
MRwwGgYJKoZIhvcNAQkBFg1teWNhQG15Y2Eub3JnMSgwJgYDVQQKEx9NeSBSb290 
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA1MDcyMDE5MTY1N1oXDTEwMDcx 
OTE5MTY1N1owgYUxFDASBgNVBAMTC21vcmVleHQuY29tMQswCQYDVQQIEwJTVzEL 
MAkGA1UEBhMCRVUxHzAdBgkqhkiG9w0BCQEWEG1vcmVAbW9yZWV4dC5jb20xHDAa 
BgNVBAoTE01vcmUgRXh0ZW5zaW9ucyBMdGQxFDASBgNVBAsTC21vcmUgZXh0IG91 
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNHLRU6I2t7b7DFLFJbYLpFplj 
D/l+9m1ZGtVp7Bf1K7YuXK8XztVs/XGk8ibmdBGyVTDyu/3gDCS6jKQUtAqwijGn 
LitqEEtjl6e+7og6iB58NgEdO8UyT5wBwCX6Q5bdJuB460N3EhlEYlGs4lBib61A 
HWPsiugF817nm/Ee2wIDAQABo4HsMIHpMAwGA1UdEwQFMAMBAf8wDwYDVR0PAQH/ 
BAUDAwf/gDBMBgNVHREERTBDgRBtb3JlQG1vcmVleHQuY29tgQxteUBvdGhlci5j 
b22GFmh0dHA6Ly9teW90aGVydXJsLmhlcmWHBMCoAWSIAyoDBDAwBggrBgEFBQcB 
AQQkMCIwIAYIKwYBBQUHMAKGFGh0dHA6Ly9vY3NwLm15Lmhvc3QvMEgGA1UdHwRB 
MD8wIKAeoByGGmh0dHA6Ly9teWhvc3QuY29tL215Y2EuY3JsMBugGaAXhhVodHRw 
Oi8vb3RoLmNvbS9teS5jcmwwDQYJKoZIhvcNAQEEBQADgYEAIABQBXZ5Ky5uZHuv 
hxN8pXdr+vm0FRBZmFflEsd46HV4yug4W6pmDzBhW56913HzKYQOQvc0WoRTlZ0f 
53rvQZq7UOSGZLtXvn/I9/epdEWCx/YYcWnCNGhTZycf6VRcmainW5prZVBfTUAq 
Nlnar2TvW0bLOG/qtkYQZooZzR8=
-----END CERTIFICATE-----

URL Rewrite Examples

The following examples show how to configure URL rewrite depending on the desired outcome and assume the following proxy configuration:

service frontend  
 virtual ipaddr 35.200.200.101 protocol tcp port 443  
 server ipaddr 35.200.200.14 protocol tcp port 80
 certificate rsa general-purpose trustpoint TP-1024-pkcs12
 policy url-rewrite test-url-rewrite
 inservice
!

Example 1

The following example shows how to configure a protocol rewrite (for example, HTTP to HTTPS) when the clear text port is the standard HTTP port 80. In this example, when the server sends the relocation string as http://ssl-136.cisco.com/index2.html, the SSL Services Module rewrites the string as https://ssl-136.cisco.com/index2.html.

To configure a protocol rewrite (HTTP to HTTPS), specify any of the following URL rewrite rules:

policy url-rewrite test-url-rewrite
 url ssl-136.cisco.com
!

policy url-rewrite test-url-rewrite
 url ssl*
!

policy url-rewrite test-url-rewrite
 url *com
!

Example 2

The following example shows how to configure a protocol rewrite (for example, HTTP to HTTPS) when the clearport is a non-standard HTTP port. In this example, when the server sends the relocation string as http://ssl-136.cisco.com:100/index2.html, the SSL Services Module rewrites the string as https://ssl-136.cisco.com/index2.html.

To configure a protocol rewrite (HTTP to HTTPS) with a non-standard clear text port, specify any of the following URL rewrite rules:

policy url-rewrite test-url-rewrite
 url ssl-136.cisco.com clearport 100
!

policy url-rewrite test-url-rewrite
 url ssl* clearport 100
!

policy url-rewrite test-url-rewrite
 url *com clearport 100
!

Example 3

The following example shows how to configure a protocol rewrite and SSL port rewrite when the clear text port is the standard HTTP port 80. In this example, when the server sends the relocation string as http://ssl-136.cisco.com/index2.html, the SSL Services Module rewrites the string as https://ssl-136.cisco.com:445/index2.html.

To configure a protocol rewrite (HTTP to HTTPS) with a non-standard SSL text port, specify any of the following URL rewrite rules:

policy url-rewrite test-url-rewrite
 url ssl-136.cisco.com sslport 445
!

policy url-rewrite test-url-rewrite
 url ssl* sslport 445
!

policy url-rewrite test-url-rewrite
 url *com sslport 445
!

Example 4

The following example shows how to configure a protocol rewrite and SSL port rewrite when the clear text port is non-standard. In this example, when the server sends the relocation string as http://ssl-136.cisco.com:100/index2.html, the SSL Services Module rewrites the string as https://ssl-136.cisco.com:445/index2.html.

To configure a protocol rewrite and SSL port rewrite with a non-standard clear text port, specify any of the following URL rewrite rules:

policy url-rewrite test-url-rewrite
 url ssl-136.cisco.com clearport 100 sslport 445
!

policy url-rewrite test-url-rewrite
 url ssl* clearport 100 sslport 445
!

policy url-rewrite test-url-rewrite
 url *com clearport 100 sslport 445
!


The following example displays the above URL rewrite policy:

ssl-proxy# show ssl-proxy policy url-rewrite test-url-rewrite
No context name provided, assuming context 'Default'...
Rule URL                                     Clearport SSLport
  1 *com                                       100        445
SSL proxy services using this policy:
          frontend
Usage count of this policy:1

ssl-proxy#

HSRP Examples

In systems with an SSL Services Module and a Content Switching Module (CSM), the failover functionality on the CSM provides stateless redundancy on the SSL module. When the SSL module is used in a standalone configuration (using policy-based routing), you can configure HSRP to provide redundancy.

See the "Configuring Redundancy" section for more information on configuring redundancy using HSRP.

Standalone Redundancy Example

Load Balancing Example

Standalone Redundancy Example

In Figure A-7, both SSL Services Modules have the same proxy service configured and specify the secondary keyword for the virtual IP address and the same HSRP configuration. Both modules are configured with standby IP address 8.100.100.126. SSL 1 is the active module and accepts SSL connections. SSL 2 is the backup module and does not accept SSL connections until SSL 1 goes offline.

Policy-based routing is configured on the MSFC so that any TCP traffic destined for IP address 8.100.100.126:443 is redirected to the next-hop IP address 8.100.100.126.

Figure A-7 Standalone Redundancy

Supervisor Engine Configuration

This example shows how to configure the route maps and access lists:

Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# route-map client permit 10
Router(config-route-map)# set ip next-hop 8.100.100.126
Router(config-route-map)# match ip address client
Router(config-route-map)# exit
Router(config)# route-map server permit 10
Router(config-route-map)# match ip address server
Router(config-route-map)# set ip next-hop 8.100.100.126
Router(config-route-map)# exit
Router(config)# 
Router(config)# ip access-list extended client
Router(config-ext-nacl)# permit tcp any host 8.100.100.126 eq 443
Router(config-ext-nacl)# exit
Router(config)# 
Router(config)# ip access-list extended server
Router(config-ext-nacl)# permit tcp host 8.100.100.140 eq www any
Router(config-ext-nacl)# exit
Router(config)# 
Router(config)# interface Vlan7
Router(config-if)# ip address 7.100.100.100 255.0.0.0
Router(config-if)# ip policy route-map client
Router(config-if)# exit
Router(config)# 
Router(config)# interface Vlan8
Router(config-if)# ip address 8.100.100.100 255.0.0.0
Router(config-if)# ip policy route-map server
Router(config-if)# exit
Router(config)# exit
Router#

SSL 1 Configuration

This example shows how to configure the proxy service and the VLAN on SSL 1:

ssl-mod-1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-mod-1(config)# ssl-proxy context Default
ssl-mod-1(config-context)# service ssl-offload
ssl-mod-1(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443 
secondary
ssl-mod-1(config-ctx-ssl-proxy)# server ipaddr 8.100.100.140 protocol tcp port 80
ssl-mod-1(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-1(config-ctx-ssl-proxy)# inservice
ssl-mod-1(config-ctx-ssl-proxy)# exit
ssl-mod-1(config-context)# exit
ssl-mod-1(config)# interface SSL-Proxy 0.8
ssl-mod-1(config-subif)# encapsulation dot1q 8
ssl-mod-1(config-subif)# ip address 8.100.100.200 255.0.0.0
ssl-mod-1(config-subif)# standby ip 8.100.100.126
ssl-mod-1(config-subif)# standby timers 1 3
ssl-mod-1(config-subif)# standby priority 90
ssl-mod-1(config-subif)# exit
ssl-mod-1(config)# ip route 191.0.0.0 255.0.0.0 8.100.100.100
ssl-mod-1(config)# exit
ssl-mod-1#

SSL 2 Configuration

This example shows how to configure the proxy service and the VLAN on SSL 2:

ssl-mod-2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-mod-2(config)# ssl-proxy context Default
ssl-mod-2(config-context)# service ssl-offload
ssl-mod-2(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.126 protocol tcp port 443 
secondary 
ssl-mod-2(config-ctx-ssl-proxy)# server ipaddr 8.100.100.140 protocol tcp port 80 
ssl-mod-2(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-2(config-ctx-ssl-proxy)# inservice
ssl-mod-2(config-ctx-ssl-proxy)# exit
ssl-mod-2(config-context)# exit
ssl-mod-2(config)# interface SSL-Proxy 0.8
ssl-mod-2(config-subif)# encapsulation dot1q 8
ssl-mod-2(config-subif)# ip address 8.100.100.250 255.0.0.0
ssl-mod-2(config-subif)# standby ip 8.100.100.126
ssl-mod-2(config-subif)# standby timers 1 3
ssl-mod-2(config-subif)# standby priority 110
ssl-mod-2(config-subif)# exit
ssl-mod-2(config)# exit
ssl-mod-2#

Load Balancing Example

In Figure A-8, each SSL Services Module is configured with more than one proxy service. Each SSL Services Module has a different HSRP group configured.

On the MSFC, configure policy-based routing so that traffic to the different proxy services is load balanced between the two SSL Services Modules.

On the SSL Services Modules, configure the standby group_number preempt delay delay command for the following reasons:

When a module goes offline and comes back online, half of the traffic is switched back to the new (online) module for efficient load balancing.

The new (online) module does not become immediately active, giving sufficient time for the proxy services to come online.

Configure client NAT for each proxy service so that when multiple proxies send traffic to the same server, the traffic from the server is sent back to the module that originated the traffic. See the "Client NAT" section for information on configuring client NAT.

Figure A-8 Load Balancing

Supervisor Engine Configuration

This example shows how to configure the route maps and access lists:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip access-list extended ssl-offload
Router(config-ext-nacl)# permit tcp any host 8.100.100.110 eq 443
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended ssl-offload-checkout
Router(config-ext-nacl)# permit tcp any host 8.100.100.111 eq 443
Router(config-ext-nacl)#
Router(config-ext-nacl)# exit
Router(config)# route-map client permit 10
Router(config-route-map)# match ip address ssl-offload
Router(config-route-map)# set ip next-hop 8.100.100.126
Router(config-route-map)#
Router(config-route-map)# exit
Router(config)# route-map client permit 20
Router(config-route-map)# match ip address ssl-offload-checkout
Router(config-route-map)# set ip next-hop 8.100.100.127
Router(config-route-map)# exit
Router(config)# interface Vlan5
Router(config-if)# ip address 13.0.0.100 255.0.0.0
Router(config-if)# ip policy route-map client
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet10/7
Router(config-if)# switchport
Router(config-if)# switchport access vlan 5
Router(config-if)# switchport mode access
Router(config-if)# spanning-tree portfast
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet10/11
Router(config-if)# switchport
Router(config-if)# switchport access vlan 24
Router(config-if)# switchport mode access
Router(config-if)# spanning-tree portfast
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface Vlan24
Router(config-if)# ip address 24.1.1.100 255.0.0.0
Router(config-if)# no shutdown
Router(config-if)# no ip redirects
Router(config-if)# ^Z
Router#

SSL 1 Configuration

This example shows how to configure the proxy services and the VLAN on SSL 1:

ssl-mod-1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-mod-1(config)# ssl-proxy context Default
ssl-mod-1(config-context)# natpool client-nat 8.100.1.1 8.100.1.8 netmask 255.0.0.0
ssl-mod-1(config-context)# service ssl-offload
ssl-mod-1(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.110 protocol tcp port 443 
secondary 
ssl-mod-1(config-ctx-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 80
ssl-mod-1(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-1(config-ctx-ssl-proxy)# nat client client-nat
ssl-mod-1(config-ctx-ssl-proxy)# inservice
ssl-mod-1(config-ctx-ssl-proxy)# exit
ssl-mod-1(config-context)#
ssl-mod-1(config-context)# service ssl-offload-checkout
ssl-mod-1(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.111 protocol tcp port 443 
secondary 
ssl-mod-1(config-ctx-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 80
ssl-mod-1(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-1(config-ctx-ssl-proxy)# nat client client-nat
ssl-mod-1(config-ctx-ssl-proxy)# inservice
ssl-mod-1(config-ctx-ssl-proxy)# exit
ssl-mod-1(config-context)# exit
ssl-mod-1(config)# interface SSL-Proxy 0.8
ssl-mod-1(config-subif)# encapsulation dot1 8
ssl-mod-1(config-subif)# ip address 8.100.100.200 255.0.0.0
ssl-mod-1(config-subif)# standby 1 ip 8.100.100.126
ssl-mod-1(config-subif)# standby 1 timers 1 3
ssl-mod-1(config-subif)# standby 1 priority 90
ssl-mod-1(config-subif)# standby 1 preempt delay minimum 60
ssl-mod-1(config-subif)# standby 2 ip 8.100.100.127
ssl-mod-1(config-subif)# standby 2 timers 1 3
ssl-mod-1(config-subif)# standby 2 priority 110
ssl-mod-1(config-subif)# standby 2 preempt delay minimum 60
ssl-mod-1(config-subif)# exit
ssl-mod-1(config)# ip route 24.0.0.0 255.0.0.0 8.100.100.100
ssl-mod-1(config)#

SSL 2 Configuration

This example shows how to configure the proxy services and the VLAN on SSL 2:

ssl-mod-2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-mod-2(config)# ssl-proxy context Default
ssl-mod-2(config-context)# natpool client-nat 8.100.2.1 8.100.2.8 netmask 255.0.0.0
ssl-mod-2(config-context)# service ssl-offload  
ssl-mod-2(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.110 protocol tcp port 443 
secondary 
ssl-mod-2(config-ctx-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 80
ssl-mod-2(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-2(config-ctx-ssl-proxy)# nat client client-nat
ssl-mod-2(config-ctx-ssl-proxy)# inservice
ssl-mod-2(config-ctx-ssl-proxy)# exit
ssl-mod-2(config-context)# service ssl-offload-checkout 
ssl-mod-2(config-ctx-ssl-proxy)# virtual ipaddr 8.100.100.111 protocol tcp port 443 
secondary 
ssl-mod-2(config-ctx-ssl-proxy)# server ipaddr 24.0.0.2 protocol tcp port 80
ssl-mod-2(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert
ssl-mod-2(config-ctx-ssl-proxy)# nat client client-nat
ssl-mod-2(config-ctx-ssl-proxy)# inservice
ssl-mod-2(config-ctx-ssl-proxy)# exit
ssl-mod-2(config-context)# exit
ssl-mod-2(config)# interface SSL-Proxy 0.8 
ssl-mod-2(config-subif)# encapsulation dot1q 8
ssl-mod-2(config-subif)# ip address 8.100.100.250 255.0.0.0
ssl-mod-2(config-subif)# standby priority 110
ssl-mod-2(config-subif)# standby 1 ip 8.100.100.126
ssl-mod-2(config-subif)# standby 1 timers 1 3
ssl-mod-2(config-subif)# standby 1 priority 110
ssl-mod-2(config-subif)# standby 1 preempt delay minimum 60
ssl-mod-2(config-subif)# standby 2 ip 8.100.100.127
ssl-mod-2(config-subif)# standby 2 timers 1 3
ssl-mod-2(config-subif)# standby 2 priority 90
ssl-mod-2(config-subif)# standby 2 preempt delay minimum 60
ssl-mod-2(config-subif)# exit
ssl-mod-2(config)# ip route 24.0.0.0 255.0.0.0 8.100.100.100
ssl-mod-2(config)#

Displaying Statistics

These examples show how to display statistics to show that load balancing is occurring in two SSL Services Module:

SSL 1

ssl-mod-1# show ssl-proxy stats service
No context name provided, assuming context 'Default'

Service ssl-offload SSL Statistics:
    conns attempted     :0             conns completed     :0         
    full handshakes     :0             resumed handshakes  :0         
    conns in handshake  :0             conns in data       :0         
    renegs attempted    :0             conns in reneg      :0         
    blocks encrypted    :0             bytes encrypted     :0         
    blocks decrypted    :0             bytes decrypted     :0 
    valid cache entry   :0             session limit exceed:0 
    handshake failures  :0             data failures       :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    bad macs received   :0             pad errors          :0         
    no-cipher alerts    :0             no-compress alerts  :0         
    ver mismatch alerts :0         

Service ssl-offload-checkout SSL Statistics:
    conns attempted     :3288          conns completed     :3286      
    full handshakes     :3287          resumed handshakes  :0         
    conns in handshake  :1             conns in data       :1         
    renegs attempted    :0             conns in reneg      :0         
    blocks encrypted    :41468         bytes encrypted     :57831402  
    blocks decrypted    :3287          bytes decrypted     :289256 
    valid cache entry   :253152        session limit exceed:0 
    handshake failures  :0             data failures       :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    bad macs received   :0             pad errors          :0         
    no-cipher alerts    :0             no-compress alerts  :0         
    ver mismatch alerts :0         

ssl-mod-1# show standby
Ethernet0/0.8 - Group 1
  State is Standby
    7 state changes, last state change 00:03:37
  Virtual IP address is 8.100.100.126
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.004 secs
  Preemption enabled, delay min 60 secs
  Active router is 8.100.100.250, priority 110 (expires in 2.000 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is "hsrp-Et0/0.8-1" (default)
Ethernet0/0.8 - Group 2
  State is Active
    2 state changes, last state change 01:53:29
  Virtual IP address is 8.100.100.127
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.648 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 8.100.100.250, priority 90 (expires in 2.644 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Et0/0.8-2" (default)
ssl-mod-1# 

SSL 2

ssl-mod-2# show ssl-proxy stats service
No context name provided, assuming context 'Default'...

Service ssl-offload SSL Statistics:
    conns attempted     :4128          conns completed     :4126      
    full handshakes     :4127          resumed handshakes  :0         
    conns in handshake  :1             conns in data       :1         
    renegs attempted    :0             conns in reneg      :0         
    blocks encrypted    :51757         bytes encrypted     :72085513  
    blocks decrypted    :4127          bytes decrypted     :363176 
    valid cache entry   :136076        session limit exceed:0 
    handshake failures  :0             data failures       :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    bad macs received   :0             pad errors          :0         
    no-cipher alerts    :0             no-compress alerts  :0         
    ver mismatch alerts :0         

Service ssl-offload-checkout SSL Statistics:
    conns attempted     :0             conns completed     :0         
    full handshakes     :0             resumed handshakes  :0         
    conns in handshake  :0             conns in data       :3         
    renegs attempted    :0             conns in reneg      :0         
    blocks encrypted    :0             bytes encrypted     :0         
    blocks decrypted    :0             bytes decrypted     :0 
    valid cache entry   :126001        session limit exceed:0 
    handshake failures  :0             data failures       :0         
    fatal alerts rcvd   :0             fatal alerts sent   :0         
    bad macs received   :0             pad errors          :0         
    no-cipher alerts    :0             no-compress alerts  :0         
    ver mismatch alerts :0         

ssl-mod-2# show standby
Ethernet0/0.8 - Group 1
  State is Active
    2 state changes, last state change 02:23:54
  Virtual IP address is 8.100.100.126
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.232 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 8.100.100.200, priority 90 (expires in 2.232 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Et0/0.8-1" (default)
Ethernet0/0.8 - Group 2
  State is Standby
    10 state changes, last state change 00:03:34
  Virtual IP address is 8.100.100.127
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.876 secs
  Preemption enabled, delay min 60 secs
  Active router is 8.100.100.200, priority 110 (expires in 2.876 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is "hsrp-Et0/0.8-2" (default)
ssl-mod-2#

Virtualization with VRF Example

This section shows how to configure virtualization with VPN routing and forwarding (VRF).

Figure A-9 shows the following information:

VRF "spitzer"

VLAN 9

IP address 5.100.100.0

assigned to context "spitzer"

VRF "hubble"

VLAN 19

IP address 5.100.100.0

assigned to context "hubble"

Figure A-9 Virtualization with VRF

Configuring the Supervisor Engine

These examples show how to create VLAN 9 (for VRF "spitzer") and VLAN 19 (for VRF "hubble") and assign ports to the respective VLANs:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# vlan 9
Router(config-vlan)# vlan 19
Router(config-vlan)# exit
Router(config)# interface fastEthernet 4/48
Router(config-if)# switchport
Router(config-if)# switchport access vlan 9
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet5/6
Router(config-if)# switchport
Router(config-if)# switchport access vlan 19
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# 

This example shows how to allow VLANs 9 and 19 between the SSL Services Module and the supervisor engine:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ssl-proxy module 2 allowed-vlan 9,19
Router(config)# exit
Router#

Configuring the SSL Services Module

This example shows the initial configurations for the two different VRFs:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ip vrf hubble
ssl-proxy(config-vrf)# rd 300:300
ssl-proxy(config-vrf)# exit 
ssl-proxy(config)# ip vrf spitzer
ssl-proxy(config-vrf)# rd 200:200
ssl-proxy(config-vrf)# end
ssl-proxy#

This example shows how to associate the VRFs with the SSL proxy subinterface:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# interface SSL-Proxy0.9
ssl-proxy(config-subif)# encapsulation dot1Q 9
ssl-proxy(config-subif)# ip vrf forwarding spitzer
ssl-proxy(config-subif)# ip address 5.100.100.10 255.255.255.0
ssl-proxy(config-subif)# no cdp enable
ssl-proxy(config-subif)# no shut
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)# interface SSL-Proxy0.19
ssl-proxy(config-subif)# encapsulation dot1Q 19
ssl-proxy(config-subif)# ip vrf forwarding hubble
ssl-proxy(config-subif)# ip address 5.100.100.10 255.255.255.0
ssl-proxy(config-subif)# no cdp enable
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# end
ssl-proxy#

This example shows how to configure context "hubble":

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context hubble
ssl-proxy(config-context)# vrf-name hubble
ssl-proxy(config-context)# service hubble
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 3.100.100.108 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 5.100.100.41 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint shuttle
ssl-proxy(config-ctx-ssl-proxy)# nat client hubble
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# natpool hubble 5.100.100.20 5.100.100.27 netmask 255.255.255.0
ssl-proxy(config-context)# end
ssl-proxy#

This example shows how to configure context "spitzer":

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context spitzer
ssl-proxy(config-context)# vrf-name spitzer
ssl-proxy(config-context)# service spitzer
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 3.100.100.107 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 5.100.100.41 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint shuttle
ssl-proxy(config-ctx-ssl-proxy)# nat client spitzer
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# natpool spitzer 5.100.100.20 5.100.100.27 netmask 255.255.255.0
ssl-proxy(config-context)# end
ssl-proxy#

Offloading Non-HTTP Protocols Example

This section shows how to configure the SSL Services Module to offload non-HTTP protocols. Figure A-10 shows the traffic flow from the POP3 and IMAP clients to the POP3 and IMAP servers.

Figure A-10 Offloading Non-HTTP Protocols

Configuring the Supervisor Engine

These examples show how to create client-side VLAN 7 and server-side VLAN 19 and assign ports to the respective VLANs:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# vlan 7
Router(config-vlan)# vlan 19
Router(config-vlan)# interface FastEthernet3/29
Router(config-if)# switchport
Router(config-if)# switchport access vlan 19
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface FastEthernet3/38
Router(config-if)# switchport
Router(config-if)# switchport access vlan 7
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit

This example shows how to allow VLANs 7 and 19 between the SSL Services Module and the supervisor engine:

Router(config)# ssl-proxy mod 7 allowed-vlan 7,19
Router(config)#

Configuring the SSL Services Module

This example shows how to configure the VLAN 7 (client-side) and VLAN 19 (server-side):

ssl-proxy(config)# interface ssl-proxy 0
ssl-proxy(config-if)# no shutdown
ssl-proxy(config-if)# interface SSL-Proxy0.7
ssl-proxy(config-subif)# encapsulation dot1Q 7
ssl-proxy(config-subif)# ip address 7.100.100.121 255.0.0.0
ssl-proxy(config-subif)# exit
ssl-proxy(config)# interface SSL-Proxy0.20
ssl-proxy(config-subif)# encapsulation dot1Q 19
ssl-proxy(config-subif)# ip address 19.0.0.100 255.0.0.0
ssl-proxy(config-subif)# exit

This example shows how to configure the SSL context:

ssl-proxy# configure terminal
ssl-proxy(config)# ssl-proxy context mail_ssl_offload
ssl-proxy(config-context)# description ssl pop3 /imap mail traffic offload
ssl-proxy(config-context)# exit

This example shows how to configure the NAT pool for client NAT:

ssl-proxy(config)# ssl-proxy context mail_ssl_offload 
ssl-proxy(config-context)# natpool natpool 19.2.2.1 19.2.2.8 netmask 255.0.0.0

This example shows how to configure the SSL proxy service to offload encrypted IMAP traffic to the IMAP server at IP address 19.0.0.2 on port 143 (the clear text IMAP port) when the client connects to the proxy service at IP address 7.100.100.180 with SSL port 993:

ssl-proxy(config-context)# service imap_ssl_offload 
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 993 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.2 protocol tcp port 143
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

This example shows how to configure the SSL proxy service to offload encrypted POP3 traffic to the POP3 server at IP address 19.0.0.1 on port 110 (the clear text POP3 port) when the client connects to the proxy service at IP address at 7.100.100.180 with SSL port 995:

ssl-proxy(config-context)# service pop3_ssl_offload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 995 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 110
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

Health Probe Example

This section shows how to configure the SSL Services Module to probe the server to detect a server failure. Figure A-11 shows the traffic flow between the real server and the SSL Services Module.

Figure A-11 TCP Health Probe

Configuring the Supervisor Engine

These examples show how to create client-side VLAN 7 and server-side VLAN 19 and assign ports to the respective VLANs:

Router(config)# vlan 7
Router(config-vlan)# vlan 19
Router(config-vlan)# interface FastEthernet3/29
Router(config-if)# switchport
Router(config-if)# switchport access vlan 19
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface FastEthernet3/38
Router(config-if)# switchport
Router(config-if)# switchport access vlan 7
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit

This example shows how to allow VLANs 7 and 19 between the SSL Services Module and the supervisor engine:

Router(config)# ssl-proxy mod 7 allowed-vlan 7,19
Router(config)#

Configuring the SSL Services Module

This example shows how to configure the VLAN 7 (client-side) and VLAN 19 (server-side):

ssl-proxy(config)# interface SSL-Proxy0
ssl-proxy(config-if)# no shutdown
ssl-proxy(config-if)# exit
ssl-proxy(config)# interface SSL-Proxy0.7
ssl-proxy(config-subif)# encapsulation dot1Q 7
ssl-proxy(config-subif)# ip address 7.100.100.121 255.0.0.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)# interface SSL-Proxy0.20
ssl-proxy(config-subif)# encapsulation dot1Q 19
ssl-proxy(config-subif)# ip address 19.0.0.100 255.0.0.0
ssl-proxy(config-subif)# no shutdown
ssl-proxy(config-subif)# exit
ssl-proxy(config)#

This example shows how to configure the SSL context:

ssl-proxy(config)# ssl-proxy context ssl
ssl-proxy(config-context)# description ssl-offload with tcp health probe 

This example shows how to configure the NAT pool with IP addresses from the server VLAN:

ssl-proxy(config-context)# natpool natpool 19.2.2.1 19.2.2.8 netmask 255.0.0.0
ssl-proxy(config-context)#

Health Probe with Default (Server) Port

This example shows how to configure the SSL proxy service "ssloffload" and apply the TCP health probe policy:

ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

This example shows how to configure a TCP health probe to check if the server that is listening on port 80 (server port) is able to accept TCP connections successfully:

ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)# 

The following example shows the state of the SSL proxy service:

ssl-proxy# show ssl-proxy service ssloffload context ssl
Service id: 1, bound_service_id: 257
Virtual IP: 7.100.100.180, port: 443  
Server IP: 19.0.0.1, port: 80
TCP Health Probe Policy: probe1
Nat pool: natpool  
rsa-general-purpose certificate trustpoint: cert1024 
  Certificate chain for new connections:
    Certificate:
       Key Label: cert1024.key, 1024-bit, exportable
       Key Timestamp: 05:18:23 UTC Dec 30 2005
       Serial Number: 12F332E200000000000D
    Root CA Certificate:
       Serial Number: 6522F512C30E078447D8AFC35567B101
  Certificate chain complete 
Context name: ssl
Context Id  : 2
Admin Status: up
Operation Status: up

Health Probe with Port Mismatch

This example shows how to configure the SSL proxy service "ssloffload" and apply the TCP health probe policy:

ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443 
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

This example shows how to configure a TCP health probe to check if the server (19.0.0.1) that is listening on port 81 is able to accept TCP connections successfully:

ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 81
Warning: Port in the service ssloffload configuration (80) differs from the port in the 
health probe configuration (81)
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)# 

Health Probe with No NAT Server Configured on Service

In this example, the port used for the TCP health probe is 80 and the IP address is 7.100.100.180.

This example shows how to configure the SSL proxy service "ssloffload" with no nat server and apply the TCP health probe policy:

ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443 
secondary
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

This example shows how to configure a TCP health probe to check if the server that is listening on port 80 is able to accept TCP connections successfully:

ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)# 

Health Probe with Port Mismatch and No NAT Server Configured on Service

In this example, the port used for the TCP health probe is 444 and the IP address is 7.100.100.180.

This example shows how to configure the SSL proxy service "ssloffload" with no nat server and apply the TCP health probe policy:

ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443 
secondary
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)#

This example shows how to configure a TCP health probe to check if the server that is listening on port 81 is able to accept TCP connections successfully:

ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 444
ssl-proxy(config-ctx-tcp-probe)# exit
Warning: Port in the service ssloffload configuration (80) differs from the port in the 
health probe configuration (444)
ssl-proxy(config-context)# 

Client Authentication Example

This section shows how to configure client authentication. Figure A-12 shows the network layout and traffic flow to the SSL Services Module.

Figure A-12 Client Authentication

Configuring the Supervisor Engine

These examples show how to create client-side VLAN 7 and server-side VLAN 19 and assign ports to the respective VLANs:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# vlan 7
Router(config-vlan)# vlan 19
Router(config-vlan)# interface FastEthernet3/29
Router(config-if)# switchport
Router(config-if)# switchport access vlan 19
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface FastEthernet3/38
Router(config-if)# switchport
Router(config-if)# switchport access vlan 7
Router(config-if)# switchport mode access
Router(config-if)# no shutdown
Router(config-if)# exit

This example shows how to allow VLANs 7 and 19 between the SSL Services Module and the supervisor engine:

Router(config)# ssl-proxy mod 7 allowed-vlan 7,19
Router(config)#

Configuring the SSL Services Module

This example shows how to configure the VLAN 7 (client-side) and VLAN 19 (server-side):

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# interface ssl-proxy0.7
ssl-proxy(config-subif)# encapsulation dot1Q 7
ssl-proxy(config-subif)# ip address 7.100.100.121 255.0.0.0
ssl-proxy(config-subif)# exit
ssl-proxy(config)# interface ssl-proxy0.20
ssl-proxy(config-subif)# encapsulation dot1Q 19
ssl-proxy(config-subif)# ip address 19.0.0.100 255.0.0.0
ssl-proxy(config-subif)# end
ssl-proxy(config)# 

This example shows how to configure the CA certificate and assign a trustpoint to the certificate. This signed certificate from the certificate authority is used at the client browser.


Note This trustpoint cannot have server and private keys. The trustpoint that is used with this proxy service cannot be used for client-authentication purposes because the trustpoint contains a private key and a server certificate.


ssl-proxy(config)# crypto pki trustpoint ca_cert
ssl-proxy(ca-trustpoint)# enrollment terminal
ssl-proxy(ca-trustpoint)# revocation-check none
ssl-proxy(ca-trustpoint)# exit
ssl-proxy(config)# crypto pki auth ca_cert

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIDjjCCAvegAwIBAgIQZSL1EsMOB4RH2K/DVWexATANBgkqhkiG9w0BAQUFADCB
jzEgMB4GCSqGSIb3DQEJARYRc2ltcHNvbkBjaXNjby5jb20xCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJDQTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoTBUNpc2Nv
MQwwCgYDVQQLEwNXQlUxIDAeBgNVBAMTF3NpbXBzb24tZGV2dGVzdC1yb290LWNh
MB4XDTA1MDYxNDA2NTUyMFoXDTE1MDYxNDA3MDMyN1owgY8xIDAeBgkqhkiG9w0B
CQEWEXNpbXBzb25AY2lzY28uY29tMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVDaXNjbzEMMAoGA1UECxMDV0JV
MSAwHgYDVQQDExdzaW1wc29uLWRldnRlc3Qtcm9vdC1jYTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAsbMVYdM/XxtHLXRHT1S0mg8K/v/ZNQ5uCCCNZ7l1nBnj
7vAsIsGR8HoSsPQQFi3/iYO2GjiBEqdikFevWqyrOdehrahpVbkL3xp1dZZP08ZN
psZgbYqkyizNljuOKS5Y66jvZ2jMR5yJH0hQHBiNjtqcjCD4XT6JWGH6TIZ7veMC
AwEAAaOB6DCB5TALBgNVHQ8EBAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
FgQUTJGjnYT0iOGmpbcjmROSUo6AvhowgZMGA1UdHwSBizCBiDBBoD+gPYY7aHR0
cDovL3dpbjJrLXJvb3QtY2EvQ2VydEVucm9sbC9zaW1wc29uLWRldnRlc3Qtcm9v
dC1jYS5jcmwwQ6BBoD+GPWZpbGU6Ly9cXHdpbjJrLXJvb3QtY2FcQ2VydEVucm9s
bFxzaW1wc29uLWRldnRlc3Qtcm9vdC1jYS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAw
DQYJKoZIhvcNAQEFBQADgYEAOoWOfrM/4H4ltFYpHtowGso+V+YuANw7OsWTR1Ay
qIYNzSTO4xDyApE25PrGL3vYHsMTWWRnXMsp+5xujU746/Y6pmnDvSWykJlerrfG
SkQVCkcm0ygFtm/0VUvA/4582wbhE6BjH1WYKIHTMVmhwkeQZk2StoCdhMwX9a2l
4S4=
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint: 9913F4FA 99CC239B C9D72DF1 6764B7CD 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

This example shows how to create the certificate authority pool and add a trusted certificate authority to the pool.

ssl-proxy(config-context)# pool ca trusted_ca_pool
ssl-proxy(config-ctx-ca-pool)# ca trustpoint ca_cert
ssl-proxy(config-ctx-ca-pool)# exit

This example shows how to configure the NAT pool for client-side NAT:

ssl-proxy(config)# ssl-proxy context ssl
ssl-proxy(config-context)# natpool natpool 19.2.2.1 19.2.2.8 netmask 255.0.0.0

This example shows the SSL proxy service with client authentication with full verification:

ssl-proxy(config-context)# service ssl-1
ssl-proxy(config-ctx-ssl-proxy)# virtual ipadd 7.100.100.180 pro tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024 
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy(config-ctx-ssl-proxy)# trusted-ca trusted_ca_pool
ssl-proxy(config-context)# ^Z
ssl-proxy#
ssl-proxy# show ssl-proxy service ssl-1 context ssl
Service id: 6, bound_service_id: 262
Virtual IP: 7.100.100.180, port: 443  
Server IP: 19.0.0.1, port: 80
Nat pool: natpool  
Certificate authority pool: trusted_ca_pool 
  CA pool complete 
rsa-general-purpose certificate trustpoint: cert1024 
  Certificate chain for new connections:
    Certificate:
       Key Label: cert1024.key, 1024-bit, exportable
       Key Timestamp: 05:18:23 UTC Dec 30 2005
       Serial Number: 12F332E200000000000D
    Root CA Certificate:
       Serial Number: 6522F512C30E078447D8AFC35567B101
  Certificate chain complete 
Certificate authentication type: All attributes (like CRL) are verified
Context name: ssl
Context Id  : 6
Admin Status: up
Operation Status: up
ssl-proxy#

Successful client authentication causes the "cert approved" counter to increase when you enter the show ssl-proxy stats ssl command:

...

SSL PKI Statistics: 
    number of malloc    : 6256          number of free      : 6226      
    ssl buf allocated   : 4             ssl buf freed       : 1         

    Peer Certificate Verify Statistics:
    cert approved       : 3943          cert disapproved    : 2101