Document ID: 20601
Contents
Introduction
Before You Begin
Conventions
Prerequisites
Components Used
Configure
Network Diagram
Configuration
Verify
Troubleshoot
Related Information
Introduction
This document provides a sample configuration for one-armed transparent Secure Content Accelerator (SCA) setup. This document does not include information on certificate and key configuration of the SCA.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
The information in this document is based on the software and hardware versions below.
- 3.0.5 on the SCA
- 5.0(18) on the CSS 11800
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Configure
In this section, you are presented with the information to configure the features described in this document.
Network Diagram

Configuration
SCA# show version
CSCA Release 3.0.5.3
CSS-SCA-2FE-K9 version 2.3 build 200108071342
The main advantage of this configuration is that the web servers receive the real IP address of the client that made the request. Web server administrators often require this for accounting purposes.
In a one-armed configuration, only the network port (Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic both go through the same link.
To have the SCA use only the network port in a one-armed configuration, issue the following command:
SCA# config
(config[SCA])# mode one-port

SCA# show device
Device Hostname : SCA
Device Type     : CSS-SCA
Hardware Address: 00:60:f5:11:81:42
Internet Address: 10.1.1.2(255.255.255.0)
Default Router  : 10.1.1.1
Uptime          : 00:16:50, 0.13% system, 0.00% interrupt, 99.87% idle
Firmware Version: MaxOS 2.5.1 build 200108071341
Product Version : CSS-SCA Release 3.0.5.3
Syslog sent to  : n/a
RemoteManagement: enabled
SNMP access     : disabled
Telnet access   : enabled
Web Management  : enabled
Operational Mode: single-port
Verify that the interface Enet0 is up by issuing the following command:
SCA# sho interface
Intf  Name   Status      Duplex  Speed  Type
-------------------------------------------------------------
0     Enet0  connected   auto    auto   TX (auto)
1     Enet1  notconnect  auto    auto   TX (auto)
Configure the VLANs and the IP addresses on the CSS.
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
!--- Route to the default gateway to the Internet.

!************************* INTERFACE *************************
interface e2
  bridge vlan 2

interface e4
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.48.66.128 255.255.254.0

circuit VLAN2
  ip address 10.2.2.2 255.255.255.0
  !--- Default gateway for the servers.

circuit VLAN4
  ip address 10.1.1.1 255.255.255.0
  !--- Default gateway for the SCA.
Configure the IP address on the SCA.
(config[SCA])# ip address 10.1.1.2 netmask 255.255.255.0
Configure the default gateway of the SCA. This is the IP address of the circuit VLAN on the CSS (VLAN 4).
(config[SCA])# ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1
At this point, test that you can ping from the SCA to the directly connected CSS circuit address (the VLAN 4 IP address) and to the servers. The default gateway of the servers must also be the IP address of the CSS circuit VLAN they sit on (VLAN 2).
The SCA configuration for the servers is shown below.
ssl
server Site1 create
ip address 10.48.66.125
!--- Address on which to send unencrypted packets for website1.
sslport 443
!--- Port on which the SCA listens for
!--- encrypted packets directed to website1.
remoteport 81
!--- Port on which to send the unencrypted packets for website1.
key default
cert default
secpolicy default
cachesize 20
end
When the transparent option is used, the SCA listens for encrypted packets on the configured server IP address, which will match the CSS VIP address. This can be seen by issuing the show netstat command once the configuration for the webserver has been entered.
SCA# show netstat
Pro  State  Recv-Q  Send-Q  Local Address      Remote Address  R-Win  S-Win
--------------------------------------------------------------------------------
tcp  LISTN  0       0       10.48.66.125:443   *:*             32768  0
udp         0       0       *:4099             *:*             0      0
udp         0       0       *:4098             *:*             0      0
tcp  LISTN  0       0       *:2932             *:*             0      0
udp         0       0       *:2932             *:*             0      0
udp         0       0       *:520              *:*             0      0
udp         0       0       *:514              *:*             0      0
tcp  LISTN  0       0       *:80               *:*             32768  0
tcp  LISTN  0       0       *:23               *:*             0      0
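As an added example (not part of the Cisco document), the following Python parses a constructed copy of the show netstat output above and confirms that every ssl server configured on the SCA has a TCP listener; the Site2 entry is taken from the configuration added later in this document, so it is reported as missing against this capture. It also lists the wildcard listeners (telnet, web management) that an operator may want to restrict.

```python
import re

# Constructed copy of the "show netstat" output shown above (only Site1
# was configured when it was taken); not a live capture.
NETSTAT_OUTPUT = """\
Pro  State  Recv-Q  Send-Q  Local Address      Remote Address  R-Win  S-Win
--------------------------------------------------------------------------------
tcp  LISTN  0       0       10.48.66.125:443   *:*             32768  0
udp         0       0       *:4099             *:*             0      0
tcp  LISTN  0       0       *:2932             *:*             0      0
udp         0       0       *:514              *:*             0      0
tcp  LISTN  0       0       *:80               *:*             32768  0
tcp  LISTN  0       0       *:23               *:*             0      0
"""

# (ip address, sslport) of each "server <name> create" block on the SCA.
SSL_SERVERS = {"Site1": ("10.48.66.125", 443), "Site2": ("10.48.66.239", 443)}

# Only TCP sockets in LISTN state; the local address is "ip:port" or "*:port".
LISTEN_RE = re.compile(r"^tcp\s+LISTN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def tcp_listeners(netstat_text):
    """Return {(local_ip, port)} for every TCP socket in LISTN state."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def missing_ssl_listeners(netstat_text, servers=SSL_SERVERS):
    """Names of ssl servers whose (ip, sslport) has no LISTN entry yet."""
    listening = tcp_listeners(netstat_text)
    return sorted(name for name, sock in servers.items() if sock not in listening)

def wildcard_listeners(netstat_text):
    """TCP ports bound to all addresses: management and other non-SSL services."""
    return sorted(port for ip, port in tcp_listeners(netstat_text) if ip == "*")
```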
The packets arriving at the CSS have their destination MAC address rewritten to the MAC address of the SCA. NAT is not performed on the destination IP address. This is achieved on the CSS by setting the option type transparent-cache on the service associated with the SCA.
content 443fromInternet
protocol tcp
port 443
add service SCA
vip address 10.48.66.125
active
service SCA
ip address 10.1.1.2
port 443
protocol tcp
type transparent-cache
!--- Used to avoid IP destination NAT.
no cache-bypass
!--- Used to avoid content rule bypass for requests made by the SCA.
active
Upon reception of the SSL request on port 443, the SCA negotiates the session with the client, decrypts the content, and forwards the unencrypted content to the servers through a new session. That session is initiated using the source IP address of the client that made the request, which is not normal TCP/IP behavior. When the server responds, TCP/IP would normally route the response according to the CSS routing table, and the default route would send it toward the Internet. Instead, the CSS ignores its routing table and uses the flow table entry created when the request arrived to send the server response back to the SCA.
Flow switching caches connection characteristics such as source and destination IP address, source and destination TCP port, and physical ingress and egress port. This mechanism is what makes transparent mode operation reliable.
A new default static route must be added in the CSS for each SCA used in the configuration, plus the normal default route.
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
!--- Static route towards the Internet.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!--- Static route towards the SCA.
If you want the SCA to serve multiple websites, add a new server specifying a different IP address.
ssl
server Site2 create
ip address 10.48.66.239
!--- Address on which the SCA will listen for
!--- encrypted packets directed to website2.
sslport 443
remoteport 81
key default
cert default
secpolicy default
cachesize 20
end
end
The SCA now listens for packets on both 10.48.66.125:443 and 10.48.66.239:443. The remaining part of the configuration is straightforward. The CSS must be configured so that it can load balance across the servers all the unencrypted requests coming from the SCA and from the Internet. To distinguish between the two, set the SCA to send the unencrypted requests on port 81 so that port 80 stays reserved for the requests coming from the Internet.
content 80fromInternet
protocol tcp
port 80
!--- Traffic coming from the Internet.
url "/*"
add service realserver4
add service realserver5
vip address 10.48.66.239
active
content fromSCA
add service realserver4
add service realserver5
protocol tcp
port 81
!--- Traffic coming from the SCA.
url "/*"
vip address 10.48.66.239
active
Once the configuration is fully installed, check the basic connectivity. Be sure you can reach the servers from the CSS and from the SCA. Check that you can reach the CSS from a remote client. Issue the show summary command to troubleshoot.
CSS# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
website1 81fromSCA Active realserver1 0
realserver2 0
realserver3 0
80fromInternet Active realserver1 0
realserver2 0
realserver3 0
443fromInternet Active SCA 0
website2 81fromSCA Active realserver4 0
realserver5 0
80fromInternet Active realserver4 0
realserver5 0
443fromInternet Active SCA 0
If you see a service hit in the 80fromInternet content rule, you know that unencrypted packets make their way to the CSS and are redirected to the servers. If you see a service hit in the 443fromInternet content rule, you know that encrypted packets make their way to the CSS and are redirected to the SCA. If you see a service hit in the 81fromSCA content rule, you know that the SCA has decrypted the packets it has received, and sent them to the CSS that has then redirected them to the webservers.
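An added example, not part of the Cisco document: Python that parses show summary output in the format shown above and reports which of the three checks the service-hit counters confirm. The sample is constructed, with non-zero hits given to website2 so that there is something to report.

```python
import re

# Constructed "show summary" sample in the format shown above; website2 has
# been given non-zero counters so that the checks have something to report.
SHOW_SUMMARY = """\
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
website1 81fromSCA Active realserver1 0
80fromInternet Active realserver1 0
443fromInternet Active SCA 0
website2 81fromSCA Active realserver4 0
realserver5 0
80fromInternet Active realserver4 12
realserver5 9
443fromInternet Active SCA 7
"""

# Rows carry an owner and/or a content rule only on the first service line;
# continuation lines are just "<service> <hits>".
ROW_RE = re.compile(r"^(?:(\S+)\s+)?(?:(\S+)\s+(Active|Suspended)\s+)?(\S+)\s+(\d+)$")

def parse_summary(text):
    """Return {owner: {content_rule: total service hits}}."""
    hits, owner, rule = {}, None, None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # headers and bypass counters do not match the row shape
        new_owner, new_rule, _state, _service, count = m.groups()
        owner, rule = new_owner or owner, new_rule or rule
        hits.setdefault(owner, {})
        hits[owner][rule] = hits[owner].get(rule, 0) + int(count)
    return hits

# What a non-zero counter on each rule proves, as explained above.
CHECKS = {
    "80fromInternet": "unencrypted requests reach the CSS and the servers",
    "443fromInternet": "encrypted requests reach the CSS and are sent to the SCA",
    "81fromSCA": "the SCA decrypts requests and the CSS forwards them to the servers",
}

def diagnose(text):
    """Per owner, the checks that the hit counters confirm (in CHECKS order)."""
    return {owner: [CHECKS[r] for r in CHECKS if rules.get(r, 0) > 0]
            for owner, rules in parse_summary(text).items()}
```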
mattina# sho run
#
# Cisco CSCA Device Configuration File
#
# Written: Sun Feb 6 00:29:22 2106
# Inxcfg: version 2.3 build 200108071342
# Device Type: CSS-SCA
# Device Id: S/N 118142
# Device OS: MaxOS version 2.5.1 build 200108071341 by Dan L. Reading
### Device ###
mode one-port
ip address 10.1.1.2 netmask 255.255.255.0
hostname SCA
password access "2431244C362461476C67654D485269494C4634772E586A374E39472F"
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931"
no ip domain-name
no rdate-server
timezone "MST7MDT"
rip
ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Remote Management ###
no remote-management access-list
remote-management enable
### SNMP Subsystem ###
no snmp
telnet enable
no telnet access-list
web-mgmt enable
no web-mgmt access-list
### SSL Subsystem ###
ssl
server Site1 create
ip address 10.48.66.125
sslport 443
remoteport 81
key default
cert default
secpolicy default
cachesize 20
end
server Site2 create
ip address 10.48.66.239
sslport 443
remoteport 81
key default
cert default
secpolicy default
cachesize 20
end
end
Note: By configuring the second default gateway on the CSS, some traffic that needs to go to this gateway may be affected since there are now two possible paths to take. This will generally be new TCP connections originating from inside systems and UDP traffic from the inside systems.
To resolve this issue, ACLs are needed to direct the traffic to the upstream router. By configuring these ACLs, you are directing traffic to a specific device, which overrides normal routing. Additionally, enabling ACLs causes all VLANs to deny all traffic by default. Perform the steps below to create and enable ACLs.
- Create a service containing the upstream router.
service upstream-router
  ip address 10.48.66.1
  type transparent-cache
  active
- Create the needed ACLs.
ACL 1
  clause 10 permit any any destination any
  !--- This will be needed for all traffic to pass through the CSS.
  apply circuit-(VLAN1)
  apply circuit-(VLAN3)

ACL 10
  clause 10 permit any any destination any prefer upstream-router
  !--- This is necessary for traffic initiated from the server
  !--- VLAN to the Internet.
  apply circuit-(VLAN2)

acl enable
The complete CSS running configuration is shown below.
polio# sho run
!Generated on 01/31/2002 20:25:05
!Active version: ap0500018s

configure

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
ip route 0.0.0.0 0.0.0.0 10.1.1.2 1

!************************* INTERFACE *************************
interface e2
  bridge vlan 2

interface e4
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.48.66.128 255.255.254.0

circuit VLAN2
  ip address 10.2.2.2 255.255.255.0

circuit VLAN3
  ip address 10.1.1.1 255.255.255.0

!************************** SERVICE **************************
service upstream-router
  ip address 10.48.66.1
  type transparent-cache
  active

service SCA
  ip address 10.1.1.2
  port 443
  protocol tcp
  type transparent-cache
  no cache-bypass
  active

service realserver1
  ip address 10.2.2.3
  port 80
  protocol tcp
  active

service realserver2
  ip address 10.2.2.4
  port 80
  protocol tcp
  active

service realserver3
  ip address 10.2.2.5
  port 80
  protocol tcp
  active

service realserver4
  ip address 10.2.2.6
  port 80
  protocol tcp
  active

service realserver5
  ip address 10.2.2.7
  port 80
  protocol tcp
  active

!*************************** OWNER ***************************
owner website1

  content 443fromInternet
    protocol tcp
    port 443
    add service SCA
    vip address 10.48.66.125
    active

  content 80fromInternet
    protocol tcp
    port 80
    url "/*"
    add service realserver1
    add service realserver2
    add service realserver3
    vip address 10.48.66.125
    active

  content 81fromSCA
    add service realserver1
    add service realserver2
    add service realserver3
    protocol tcp
    port 81
    url "/*"
    vip address 10.48.66.125
    active

owner website2

  content 443fromInternet
    protocol tcp
    port 443
    add service SCA
    vip address 10.48.66.239
    active

  content 80fromInternet
    protocol tcp
    port 80
    url "/*"
    add service realserver4
    add service realserver5
    vip address 10.48.66.239
    active

  content 81fromSCA
    add service realserver4
    add service realserver5
    protocol tcp
    port 81
    url "/*"
    vip address 10.48.66.239
    active

!*************************** ACL ***************************
ACL 5
  clause 10 permit any any destination any
  !--- This will be needed for all traffic to pass through the CSS.
  apply circuit-(VLAN1)
  apply circuit-(VLAN3)

ACL 10
  clause 10 permit any any destination any prefer upstream-router
  !--- This is necessary for traffic initiated from the
  !--- server VLAN to the Internet.
  apply circuit-(VLAN2)
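As an added example (not part of the Cisco document), the following Python is a small model of the two CSS forwarding behaviours this document relies on: the flow table sending a server reply back to the SCA it arrived from even though the reply is addressed to the client IP, and the ambiguity that a second default route creates for connections the servers open themselves until an ACL with prefer upstream-router pins the next hop. The client and remote addresses are constructed; the hop is modelled in place of the physical ingress port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return FlowKey(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class CssForwarder:
    def __init__(self, default_routes):
        self.default_routes = list(default_routes)  # equal-metric next hops
        self.flows = {}       # FlowKey -> next hop recorded for the reverse flow
        self.acl_prefer = {}  # ingress circuit -> next hop forced by an ACL

    def request(self, key, arrived_from):
        """A new flow was seen; remember where its reply must be sent."""
        self.flows[key.reverse()] = arrived_from

    def next_hop(self, key, ingress_circuit):
        if key in self.flows:
            return self.flows[key]               # flow table beats routing
        if ingress_circuit in self.acl_prefer:
            return self.acl_prefer[ingress_circuit]
        if len(self.default_routes) == 1:
            return self.default_routes[0]
        return "ambiguous"                       # two default routes, no ACL

# Addresses from the document: Internet gateway 10.48.66.1, SCA 10.1.1.2,
# realserver4 10.2.2.6. The client and remote host addresses are constructed.
GATEWAY, SCA, SERVER = "10.48.66.1", "10.1.1.2", "10.2.2.6"
CLIENT, REMOTE = "198.51.100.7", "203.0.113.9"

def reply_path(css):
    """Decrypted request from the SCA keeps the client's source IP (port 81)."""
    css.request(FlowKey(CLIENT, 40000, SERVER, 81), arrived_from=SCA)
    # The reply is addressed to the client, yet the flow entry returns it to the SCA.
    return css.next_hop(FlowKey(SERVER, 81, CLIENT, 40000), "VLAN2")

def outbound_path(css, apply_acl=False):
    """Connection a server opens toward the Internet: no flow entry exists."""
    if apply_acl:  # ACL 10 "prefer upstream-router" applied to the server circuit
        css.acl_prefer["VLAN2"] = GATEWAY
    return css.next_hop(FlowKey(SERVER, 50000, REMOTE, 80), "VLAN2")
```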
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
- CSS 11000 Series Product Support Page
- SCA 11000 Series Secure Content Accelerators Hardware Support
- Cisco Secure Content Accelerator Software Download (registered customers only)
- Cisco Secure Content Accelerator 2 Software Download (registered customers only)
- Technical Support - Cisco Systems
| Updated: Jan 30, 2006 | Document ID: 20601 |
