Document ID: 20600
Introduction
This document provides a sample configuration for one-armed proxy setup using a Content Services Switch (CSS) 11000 Content Smart Switch and the CSS 11000 Secure Content Accelerator (SCA). This is the most scalable configuration, and is easy to troubleshoot. Using this configuration hides the IP address of the Secure Socket Layer (SSL) clients from the web servers. The Web server sees the SCA's address as the source IP address on all connections to port 81 (the decrypted SSL session).
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
The information in this document is based on the software and hardware versions below.
- CSCA 3.0.5 on the SCA and 5.0 (build 18) on a CSS 11800
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Configure
In this section, you are presented with the information to configure the features described in this document.
Network Diagram
This document uses the network setup shown in the diagram below.
Configuring the Address and Interfaces on the SCA
In a one-armed configuration, only one port is used on the SCA. This port is labelled "network" on the SCA chassis and is referred to as Enet0 or Network in the internal configuration. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link.
A sample configuration of the SCA using only the network port in a one-armed configuration is shown below.
| Configuration |
|---|
SCA# show version
CSCA Release 3.0.5.3
CSS-SCA-2FE-K9 version 2.3 build 200108071342
SCA# config
(config[SCA])# ip address 10.1.1.2 netmask 255.255.255.0
(config[SCA])# mode one-port
(config[SCA])# exit
SCA# show device
Device Hostname : SCA
Device Type     : CSS-SCA
Hardware Address: 00:60:f5:11:81:42
Internet Address: 10.1.1.2(255.255.255.0)
Default Router  : 10.1.1.1
Uptime          : 00:16:50, 0.13% system, 0.00% interrupt, 99.87% idle
Firmware Version: MaxOS 2.5.1 build 200108071341
Product Version : CSS-SCA Release 3.0.5.3
Syslog sent to  : n/a
RemoteManagement: enabled
SNMP access     : disabled
Telnet access   : enabled
Web Management  : enabled
Operational Mode: single-port
SCA#
|
Verify that the interface Enet0 is up by issuing the show interface command, as shown below.
SCA# show interface
Intf Name   Status      Duplex  Speed  Type
-------------------------------------------------------------
0    Enet0  connected   auto    auto   TX (auto)
1    Enet1  notconnect  auto    auto   TX (auto)
SCA#
Configuration of the VLANs and the IP Addresses on the CSS
| Configuration |
|---|
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
!--- Route to the default gateway to the Internet.
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e4
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 10.48.66.128 255.255.254.0
circuit VLAN2
ip address 10.2.2.2 255.255.255.0
!--- Default gateway for the servers (10.2.2.x).
circuit VLAN4
ip address 10.1.1.1 255.255.255.0
!--- Default gateway for the SCA (10.1.1.2).
|
Configure the default gateway of the SCA. This is normally the IP address of the circuit VLAN on the CSS (VLAN 4 in this example). A different path can be configured as long as the path from the SCA to the virtual IP address of the server goes to the CSS.
(config[SCA])# ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1
(config[SCA])#
At this point, make sure that you can ping the following from the SCA:
- The directly connected CSS circuit IP address (the IP address of circuit VLAN4).
- The servers.
The servers' return path to the SCA must go through the CSS.
Use the default SSL certificates for the initial deployment. This approach is useful to bring up the setup without having to consider if the keys and certificates have been installed correctly. Installation of certificates is beyond the scope of this document.
Configuration of the Servers on the SCA
| Configuration |
|---|
ssl
server Site1 create
ip address 10.48.66.125
!--- Address on which to send
!--- unencrypted packets for website1.
sslport 443
!--- Port on which the SCA will listen for encrypted
!--- packets directed to website1.
remoteport 81
!--- Port on which to send the unencrypted
!--- packets for website1.
key default
cert default
secpolicy default
cachesize 20
no transparent
!--- Specifies to use the no-transparent
!--- option for this server.
end
|
The no-transparent option means that the SCA waits to receive encrypted packets for website1 that are directed to its own IP address (10.1.1.2). This can be seen by issuing the show netstat command once the configuration for the web server has been entered.
SCA# show netstat
Pro  State  Recv-Q  Send-Q  Local Address  Remote Address  R-Win  S-Win
---------------------------------------------------------------------------
udp         0       0       *:4099         *:*             0      0
udp         0       0       *:4098         *:*             0      0
tcp  LISTN  0       0       *:2932         *:*             0      0
udp         0       0       *:2932         *:*             0      0
udp         0       0       *:520          *:*             0      0
udp         0       0       *:514          *:*             0      0
tcp  LISTN  0       0       *:443          *:*             0      0
tcp  LISTN  0       0       *:80           *:*             0      0
tcp  LISTN  0       0       *:23           *:*             0      0
SCA#
All the encrypted packets for website1 will be read from port 443. Those packets are directed specifically to the IP address of the SCA. The SCA will decrypt them and forward the unencrypted content to the IP address and on the port of the server specified in the configuration.
If you want the SCA to serve multiple websites, you need to specify a different port to listen on so that the packets for the two destinations do not get confused.
ssl
server Site2 create
ip address 10.48.66.239
sslport 444
!--- Port on which the SCA will listen for encrypted
!--- packets directed to website2.
remoteport 81
key default
cert default
secpolicy default
cachesize 20
no transparent
end
end
The SCA will listen on port 443 for packets belonging to website1 and on port 444 for packets belonging to website2.
Configuration of Content Rules and Services on the CSS
The CSS must be configured so that, when an encrypted packet for website2 arrives at the CSS on port 443, it is sent to the SCA with not only the destination IP address set to the SCA's address but also the destination port rewritten to 444. This is easily done by changing the port in the CSS service that is associated with the SCA for website2.
| Configuration |
|---|
content 443fromInternet
protocol tcp
port 443
!--- Packet is intercepted on port 443.
add service SCA-website2
vip address 10.48.66.239
active
service SCA-website2
ip address 10.1.1.2
port 444
!--- Port is changed from 443 to 444.
protocol tcp
active
|
The remaining part of the configuration is quite straightforward. The CSS must be configured so that it can load balance, over the servers, all the unencrypted requests coming from the SCA and from the Internet. To distinguish between the two, set the SCA to send the unencrypted requests on port 81, keeping port 80 for the requests coming from the Internet.
content 80fromInternet
protocol tcp
port 80
!--- Traffic coming from the Internet.
url "/*"
add service realserver4
add service realserver5
vip address 10.48.66.239
active
content 81fromSCA
add service realserver4
add service realserver5
protocol tcp
port 81
!--- Traffic coming from the SCA.
url "/*"
vip address 10.48.66.239
active
Verify
Once the configuration is fully installed, check the basic connectivity. Be sure that you can reach the servers from the CSS and from the SCA. Check that you can reach the CSS from a remote client.
Issue the show summary command.
CSS11800# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
website1 81fromSCA Active realserver1 0
realserver2 0
realserver3 0
80fromInternet Active realserver1 0
realserver2 0
realserver3 0
443fromInternet Active SCA-website1 0
website2 81fromSCA Active realserver4 0
realserver5 0
80fromInternet Active realserver4 0
realserver5 0
443fromInternet Active SCA-website2 0
CSS11800#
If you see a service hit in the 80fromInternet content rule, you know that unencrypted packets made their way to the CSS and are redirected to the servers.
If you see a service hit in the 443fromInternet content rule, you know that encrypted packets made their way to the CSS and are redirected to the SCA.
If you see a service hit in the 81fromSCA content rule, you know that the SCA has decrypted the packets it received and sent them to the CSS, which has then redirected them to the web servers.
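The hop-by-hop path that the three content rules above account for can be modelled and checked before cutover. The following is an added example, not Cisco's code nor anything shipped with the CSS or SCA: it parses the CSS service/content blocks and the SCA ssl server blocks in the same text form this document shows them, confirms that every SCA sslport has a CSS service feeding it and that no two sites share a listener port, and then traces one client connection from the VIP through the CSS, the SCA and back to a real server. The configuration text is constructed from this document's addresses and ports (realserver2, realserver3 and realserver5 are omitted for brevity), the function names `parse_blocks`, `load`, `trace` and `check` are this example's own, and the first listed service stands in for the CSS's load-balancing pick.

```python
# Added example, not Cisco's code: parse the CSS and SCA config blocks as the document
# shows them (values constructed from this document), check they agree, trace a connection.
SCA_IP = "10.1.1.2"  # the SCA's one-armed address in this document
CSS_CONFIG = """
service SCA-website1
 ip address 10.1.1.2
 port 443
service SCA-website2
 ip address 10.1.1.2
 port 444
service realserver1
 ip address 10.2.2.3
 port 80
service realserver4
 ip address 10.2.2.6
 port 80
content 443fromInternet
 port 443
 add service SCA-website1
 vip address 10.48.66.125
content 81fromSCA
 port 81
 add service realserver1
 vip address 10.48.66.125
content 443fromInternet
 port 443
 add service SCA-website2
 vip address 10.48.66.239
content 81fromSCA
 port 81
 add service realserver4
 vip address 10.48.66.239
"""
SCA_CONFIG = """
server Site1 create
 ip address 10.48.66.125
 sslport 443
 remoteport 81
end
server Site2 create
 ip address 10.48.66.239
 sslport 444
 remoteport 81
end
"""

def parse_blocks(text, starters):
    """Lines whose first word is in `starters` open a block; 'key value' lines fill it in."""
    blocks = []
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] in starters:
            blocks.append({"kind": tok[0], "name": tok[1], "add": []})
        elif blocks and tok[:2] == ["add", "service"]:
            blocks[-1]["add"].append(tok[2])
        elif blocks and len(tok) >= 2:
            blocks[-1][" ".join(tok[:-1])] = tok[-1]
    return blocks

def load(css_text, sca_text):
    css, sca = parse_blocks(css_text, {"service", "content"}), parse_blocks(sca_text, {"server"})
    return {b["name"]: b for b in css if b["kind"] == "service"}, [b for b in css if b["kind"] == "content"], sca

def trace(dst_ip, dst_port, services, contents, sites):
    """Follow one client connection; the first listed service stands in for the CSS's LB pick."""
    hops = []
    for _ in range(3):  # client -> CSS -> SCA -> CSS -> server is the longest legitimate path
        rule = next((c for c in contents if c.get("vip address") == dst_ip and c["port"] == dst_port), None)
        if rule is None:
            return hops + [f"no content rule matches {dst_ip}:{dst_port}"]
        svc = services[rule["add"][0]]
        hops.append(f"{rule['name']} -> {svc['name']} {svc['ip address']}:{svc['port']}")
        if svc["ip address"] != SCA_IP:
            return hops + ["delivered to real server"]
        site = next((s for s in sites if s["sslport"] == svc["port"]), None)
        if site is None:
            return hops + [f"SCA has no ssl server listening on port {svc['port']}"]
        hops.append(f"SCA {site['name']} decrypts -> {site['ip address']}:{site['remoteport']}")
        dst_ip, dst_port = site["ip address"], site["remoteport"]
    return hops + ["forwarding loop"]

def check(services, contents, sites):
    """Pre-cutover checks: one sslport per site, and a CSS service that feeds each sslport."""
    problems, seen = [], {}
    for s in sites:
        if s["sslport"] in seen:
            problems.append(f"{s['name']} and {seen[s['sslport']]} share sslport {s['sslport']}")
        seen[s["sslport"]] = s["name"]
        fed = any(c.get("vip address") == s["ip address"] and any(
            services[n]["ip address"] == SCA_IP and services[n]["port"] == s["sslport"]
            for n in c["add"]) for c in contents)
        if not fed:
            problems.append(f"no CSS rule on VIP {s['ip address']} sends to {SCA_IP}:{s['sslport']}")
    return problems

if __name__ == "__main__":
    svc, rules, sites = load(CSS_CONFIG, SCA_CONFIG)
    print(check(svc, rules, sites) or "CSS and SCA configs agree")
    print("\n".join(trace("10.48.66.239", "443", svc, rules, sites)))
```

Running it prints the website2 path: 443fromInternet to SCA-website2 on 10.1.1.2:444, Site2 decrypting towards 10.48.66.239:81, and 81fromSCA handing the cleartext to realserver4. Re-running `check` and `trace` on the same text with the SCA-website2 service left on port 443 (the mistake the "Port is changed from 443 to 444" comment guards against) shows why that port matters: in this model website2's encrypted connections land on Site1's listener and end up at website1's real servers, and `check` reports that nothing on the CSS feeds 10.1.1.2:444.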
| Command Output |
|---|
CSS11800# sho run
!Generated on 01/31/2002 20:25:05
!Active version: ap0500018s
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e4
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 10.48.66.128 255.255.254.0
circuit VLAN2
ip address 10.2.2.2 255.255.255.0
circuit VLAN4
ip address 10.1.1.1 255.255.255.0
!************************** SERVICE **************************
service SCA-website1
ip address 10.1.1.2
port 443
protocol tcp
active
service SCA-website2
ip address 10.1.1.2
port 444
protocol tcp
active
service realserver1
ip address 10.2.2.3
port 80
protocol tcp
active
service realserver2
ip address 10.2.2.4
port 80
protocol tcp
active
service realserver3
ip address 10.2.2.5
port 80
protocol tcp
active
service realserver4
ip address 10.2.2.6
port 80
protocol tcp
active
service realserver5
ip address 10.2.2.7
port 80
protocol tcp
active
!*************************** OWNER ***************************
owner website1
content 443fromInternet
protocol tcp
port 443
add service SCA-website1
vip address 10.48.66.125
active
content 80fromInternet
protocol tcp
port 80
url "/*"
add service realserver1
add service realserver2
add service realserver3
vip address 10.48.66.125
active
content 81fromSCA
add service realserver1
add service realserver2
add service realserver3
protocol tcp
port 81
url "/*"
vip address 10.48.66.125
active
owner website2
content 443fromInternet
protocol tcp
port 443
add service SCA-website2
vip address 10.48.66.239
active
content 80fromInternet
protocol tcp
port 80
url "/*"
add service realserver4
add service realserver5
vip address 10.48.66.239
active
content 81fromSCA
add service realserver4
add service realserver5
protocol tcp
port 81
url "/*"
vip address 10.48.66.239
active
SCA# sho run
#
# Cisco CSCA Device Configuration File
#
# Written: Sun Feb 6 00:29:22 2106
# Inxcfg: version 2.3 build 200108071342
# Device Type: CSS-SCA
# Device Id: S/N 118142
# Device OS: MaxOS version 2.5.1 build 200108071341 by Dan L. Reading
### Device ###
mode one-port
ip address 10.1.1.2 netmask 255.255.255.0
hostname SCA
password access "2431244C362461476C67654D485269494C4634772E586A374E39472F"
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931"
no ip domain-name
no rdate-server
timezone "MST7MDT"
rip
ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Remote Management ###
no remote-management access-list
remote-management enable
### SNMP Subsystem ###
no snmp
telnet enable
no telnet access-list
web-mgmt enable
no web-mgmt access-list
### SSL Subsystem ###
ssl
server Site1 create
ip address 10.48.66.125
sslport 443
remoteport 81
key default
cert default
secpolicy default
cachesize 20
no transparent
end
server Site2 create
ip address 10.48.66.239
sslport 444
remoteport 81
key default
cert default
secpolicy default
cachesize 20
no transparent
end
end
|
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Updated: Jan 30, 2006