Chapter 10 SSG TCP Redirect

Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the packets do not match the protocol and TCP ports specified for redirection. However, the behavior of initial captivation on the Cisco 10000 series router differs in the following ways:

When a packet arrives from an SSG user and the packet matches the protocol and TCP ports configured as the redirection filter, the packet is subject to initial captivation and is redirected. If the packet does not match the redirection filter, it is not subject to initial captivation and the packet is dropped.

When a packet arrives from a service destined for an SSG user that is subject to initial captivation, the packet is dropped.

Restrictions for SSG TCP Redirect

The SSG TCP Redirect feature has the following restrictions:

The server(s) defined in a server group must be globally routable.

Traffic from hosts with overlapping IP addresses can be redirected only to SESMs with port-bundle host keys.

When overlapping IP address support is enabled (the host key feature is enabled), a host can reach the SSG only through a particular interface on the router. All packets between the host and the SSG use this interface, and you should not change the route between the SSG and the host.

After you configure the servers in a group, the routes to those servers should not change. SSG TCP Redirect does not work if packets from servers that need to be redirected are received on a non-SSG interface.

TCP sessions that can remain idle for more than one minute are not supported.

Prerequisites for SSG TCP Redirect

Cisco SESM Release 3.1(1) or later is required to handle unauthenticated redirections. For other types of redirection, SESM Release 3.1.1 or later is required.

Configuration of SSG TCP Redirect

To configure SSG TCP Redirect, perform the following tasks:

Enable SSG TCP Redirect.

Define the captive portal server groups.

Specify the redirect server groups for unauthenticated user redirection.

Define network lists.

Define port lists.

Associate network and port lists with server groups.

Specify the default groups for captivation.
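The following configuration walks through the tasks above in order. It is an added example and not taken from the configuration guide; the server addresses, group name and list names are constructed placeholders, and no port-bundle host key is configured, so it assumes subscribers do not have overlapping IP addresses.

```cisco
! Added example, not from the guide. Addresses, group and list names are placeholders.
ssg tcp-redirect
 ! Task 2: captive portal server group. Per the restrictions, these
 ! SESM servers must be globally routable, and their routes must not
 ! change once the group is defined.
 server-group CAPTIVE_SESM
  server 192.0.2.10 8090
  server 192.0.2.11 8090
 ! Task 3: send traffic from users that have not yet logged on to the SESM login page
 redirect unauthenticated-user to CAPTIVE_SESM
 ! Task 4: destination networks whose traffic is subject to service redirection
 network-list SERVICE_NETS
  network 198.51.100.0 255.255.255.0
 ! Task 5: TCP ports that match the redirection filter (HTTP and HTTP-alt).
 ! On the Cisco 10000 series, packets from a captivated user that do not
 ! match these ports are dropped rather than forwarded.
 port-list WEB_PORTS
  port 80
  port 8080
 ! Task 6: associate the port list and the network list with the server group
 redirect port-list WEB_PORTS to CAPTIVE_SESM
 redirect unauthorized-service destination network-list SERVICE_NETS to CAPTIVE_SESM
 ! Task 7: default group for initial captivation; duration is in seconds
 redirect captivate initial default group CAPTIVE_SESM duration 30
```

Keep the captivation duration short: initial captivation applies only to TCP sessions that stay active, since idle sessions longer than one minute are not supported.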

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

10-4

OL-4387-02
