Cisco 5510 Barracuda Link Balancer With Virtual PFSense Appliance
May 8, 2013
Trying to get my ducks in a row for replacing a Cisco 5510 and a Barracuda Link Balancer with a virtual pfSense appliance. This is partly to eliminate support contract costs (nearly $3k annually between both appliances) and partly to utilize the redundancy and fault tolerance that our virtual environment can provide. I'm also implementing a colo site for replication/DR this year, so doing a tunnel from site to site would be a lot easier with like-for-like virtual appliance firewalls.
The VPN aspect. We are currently doing Cisco VPN with RADIUS auth on the back end; this is seamless to set up from an end-user perspective, as they just hit a URL, download/install the AnyConnect client, and log in with their credentials. Is there a comparable alternative in pfSense? I'm leaning toward IPsec, but it still doesn't seem as seamless as what we currently have in the ASA.
We have an ACE appliance in a DMZ, and the ACE appliance's Admin Context IP is translated between the ACE and ANM. The ANM server does not get translated. It is just the opposite of the setup in another Community discussion.
Our problem: when adding the ACE4710 appliance to the ANM imported device list, we use the ACE's NATed Admin Context IP. The import works well, but ANM reflects the Admin Context IP with its real configured IP. Therefore, polling the ACE appliance does not work.
Is there a possibility of telling the ANM that the ACE has to be polled through a NATed IP? I could not find a field to set a NATed management IP.
Configured IP on ACE Admin Context: 192.168.0.10
NATed ACE Admin Context IP: 172.16.0.10
Imported the ACE with IP 172.16.0.10 into ANM, but ANM polls for rservers, vservers, probes, etc. via 192.168.0.10, which is not reachable from the ANM.
I have a site-to-site VPN set up between a 5510 and a 5505. All traffic is sent over the VPN from the remote site to the home office. Everything is working fine, but the remote site's "www" traffic is not going to the Barracuda. ISP -> Cisco ASA -> Barracuda -> Internal Switch. The Barracuda is set up "inline" with the internal network.
I currently have LMS 3.2 on a Windows server. I'd like to upgrade to 4.1 on a virtual appliance. I don't care about migrating data and would probably like to just start fresh. My question is: if I were to download the 4.1 evaluation virtual appliance and also purchase the 3.2 to 4.1 upgrade license, would I be able to apply that license to the evaluation?
Our ASA 5510 has been in place for nearly two years; we have never had any issue whatsoever with it. All along the ASA has been using the default policy. Lately, we have been getting email deferred in our Barracuda Spam Firewall. Google quickly reveals that ESMTP does not play nice with Barracuda, which I disabled even though we haven't had any issue with it before. However, the issue remains; we are still getting email deferred in the Barracuda.
While doing more troubleshooting on the ASA, I noticed when issuing the command show local-host + IP of the Barracuda that there is an IP address on the outside of the interface that can get up to 96 UDP port 53 connections with the Barracuda, and this connection count never gets lower than 20! However, when checking the default setup for the Barracuda, I have the values below:
Incoming SMTP Timeout: 20
Messages per SMTP Session: 8
Maximum SMTP Errors per SMTP Session: 2
Maximum Connections per Client 30m: 40
My question is: if the ASA shows up to 96 DNS sessions with an outside host to my Barracuda, won't that push the Barracuda to defer email with a timeout? Should I change the Barracuda default settings? Or should I change the connection limits for the Barracuda in the ASA?
We have an ANM virtual appliance, version 5.2, where we log in and can go no further. This was working fine for approximately two and a half weeks. We created a backup and reloaded the system via CLI with the same result. We logged in again via SSH and noted the following:
cscoanmsa/admin# sh disk
temp. space 4% used (141244 of 4951688)
disk: 7% used (353916 of 5935604)
Internal filesystems: warning - /var is 100% used (89219000 of 89258112)
cscoanmsa/admin# sh application status ANM
[code]....
Is there any way to access and clean out the /var directory from the CLI? Is this achieved simply via the "delete" command with the full path?
I am low on available disk space to perform backups on my LMS 4.2 installation. Is there a way to force the appliance to recognize the increased disk space allocated by VMware ESX?
The upgrade process for ANM virtual appliance 4.2 involves doing a backup and restore as the root user. I have looked through the documentation and have even reinstalled the virtual appliance to see if the install script gives away the root password for the OS, but without luck.
ASA error message: 16/ERROR: Unable to start VA, setup shared queue, or VA gave up on shared queue.
Win 7 x64 client says: "The VPN client driver encountered an error. Please restart your computer or device, then try again."
Client Event Log (AnyConnect): "The VPN client has sent the following close message to the gateway: Unable to start VA, setup shared queue, or VA gave up on shared queue."
ASA 5510 running latest 8.41(1) and ASDM 6.4(1). Client is latest 3.0.1047.
Region: United Kingdom
Model: TD-W8968
Hardware Version: V1
Firmware Version: latest
ISP: French Orange
I am trying to set up port forwarding on this router, but it seems I need to use virtual servers. In all the guides there is a menu for this under the Advanced Settings NAT menu. I do not have that option; I have downloaded the latest firmware, but still nothing.
We have a client whose Barracuda 410 has been out of warranty for at least 6 months and had its hard drive die. They have a sister location with a 410 as well. Is there any way to clone the hard drive of the working 410 onto a new hard drive, then do a factory reset to set it up from scratch, or maybe import a config file if one was saved? Or did they just get downgraded to a shitty $4000 1U server? I'm sure I could install something like Untangle and get it to do some filtering without issue, or, since it's actually an Athlon II X2 635e, which supports VT, I may just bump it to 8GB of RAM, throw in a pair of low-profile drives (at least one, as I can fit that under the LAN/WAN ports), and turn it into an ESXi server to replace a few machines that are sitting around doing practically nothing (AV server, WSUS server, and whatever their door security system server is).
I'm trying to configure an HP 1810-24G and a pfSense firewall with no success. I would like to create two VLANs on the switch which share the same internet connection. To simplify, I suppose:
vlan 2: ports 1-12
vlan 3: ports 13-23
port 24: pfSense LAN connection
What I have already done on pfSense: I created vlan 2 called 1STVLAN VPID 2 and vlan 3 called 2NDVLAN VPID, assigned them to the real pfSense LAN port, enabled it and gave them static IPs. On the HP ProCurve I created two VLANs with:
vlan 2: ports 1-12 untagged, 13-23 excluded, 24 tagged
vlan 3: ports 1-12 excluded, 13-23 untagged, 24 tagged
The problem is that I am not able to talk to pfSense (ping fails on the real LAN IP and the virtual LAN IPs), so I also don't have an internet connection. The Ethernet cards I'm using are old (I built the pfSense computer from spare parts I have at home), so could it be a driver issue?
In my home setup I have a pfSense firewall which is doing all the routing right now, but my net speed is maxing out at about 500 Mbit. I think it's the pfSense hardware, but it's a 1500 MHz VIA C7 with 2 GB RAM. I just bought two new switches, an HP 1910-24G and an HP 5500-24G; they can do some layer 3 routing. Will my speed get a bump up when the switch is doing some of the VLAN routing?
I'm using pfSense 2.0.1. What I'm trying to do is connect to a game server I have running here in my house. I can connect to it locally with 192.168.8.6 no problem. I have it port forwarded correctly so that the rest of the world can connect to it via my WAN IP address. The problem comes when I want to be able to connect to it with my WAN address, so that if someone decides to follow me, Steam will show my WAN address, not the internal IP address of the server I'm connected to. I have "Disable NAT Reflection for port forwards" UNCHECKED, which is what I am supposed to do according to the documentation from pfSense. But it still doesn't seem to work.
I wanna get one of the following Atom boards for a pfSense box:
X7SPA-HF-D525 Mini-ITX - [URL]
X7SPE-HF-D525 FlexATX - [URL]
X7SPA-HF D510 Mini-ITX - [URL]
X7SPE-HF D510 FlexATX - [URL]
And put it in this case: [URL]
However, I can't find any info on which style of motherboard is compatible with the expansion slot on the front of the case. I know you need a riser card to extend the PCI-e slot to the expansion slot, but since FlexATX and Mini-ITX are different shapes/lengths, I don't know if the case's expansion slot is designed to only work with one or the other.
So I have a new Supermicro X7SPA-HF-D525 mobo with 4GB RAM coming in and am wondering what firewall software I should put on it. This is for home use. Currently I'm running DD-WRT on an Asus 520GU, so anything is a step up. I have played with both, though Untangle only for about 20 or so minutes on a VM, and pfSense for about an hour or so on an old P4.
At first glance at Untangle, one thing I didn't like was that it looked like if I wanted anything I had to pay a yearly subscription for the same stuff that was offered for free or already included in pfSense. But I see a lot of people swearing by Untangle.
OK, so the mail flows to the Barracuda using a static 1:1 NAT configuration and then gets delivered from the Barracuda to the Exchange server. I want to implement ActiveSync (Direct Push) for Windows Mobile devices. They need to communicate with mail.domain.com over port 443. The problem is I want mail to continue to flow to the Barracuda, but direct Direct Push traffic to the Exchange server. I know I can't implement two 1:1 NAT mappings from the same external hostname to 2 different servers.
I have been running an email/web/FTP server on one server for 9 years. I have recently acquired a Barracuda Spam 300. I can't get the emails to go through the Barracuda first. Here is how it is set up: my email and web come in through one outside address, call it 166.5.5.5. I have a 1-to-1 NAT for 166.5.5.5 to 10.0.0.2 (email/web/FTP server). Ports 25 and 53 are forwarded to 10.0.0.4 (Barracuda), then out on 25 to my 10.0.0.2. No emails go through as long as it is set this way. I can NAT 166.5.5.5 to the Barracuda first and emails go through, but I lose my web and FTP. Will this router work for me? I was told that I needed to change MX records for email to 166.5.5.6 and then forward NAT on that address to the Barracuda. I don't really want to change MX records for 10-12 email domains.
I have gotten myself a Neoware e140. It has a VIA 800MHz CPU with 128MB Flash and 128MB DDR2 RAM. The one I received has a spare PCI slot which is occupied by a Matrox Epica graphics card. It shows up in the System Specs as a TC4, but I think it is a TC2.
It comes with this special adapter which splits into two DVI adapters. Each of these adapters supposedly can drive 2 monitors (I have no clue how).
The box currently has some Neoware Linux on it. I want to make a pfSense box out of it to have support for a dual-WAN setup. I have never dealt with this kind of stuff before and do not even know how to load the OS onto the flash, etc.
One of the persons involved in a home network has installed a D-Link DIR-825 Rev. B Extreme router on the Comcast cable system to allow a 'better' wireless signal on the upper floors of the home. Two others involved in the same home network use 'secure desktop access' software called NetOp to access the network remotely. To facilitate this software, we must 'port forward' port 6502 on BOTH UDP and TCP to the single system that is accessed.
However, this setup (simple port forwarding) does not seem to work; neither does 'virtual server', for that matter. Prior to this router being installed, it was extremely simple to accomplish this remote access using a Linksys router, so our software firewall configuration has not changed, but the new D-Link seems unable to allow remote access.
How (and via which of these access methods, port forwarding or virtual server) would this best be done? This configuration seems frustratingly difficult to accomplish, and I'm about to take the D-Link 'out' of the network and reinstall the Linksys with a 'high-gain' external antenna to facilitate simple signal enhancement.
I just bought this to replace a working Linksys but wanted gigabit, so after reading a lot of reviews this is the one I picked up. So tell me, what is the magic toggle to get port forwarding or virtual servers to work? I've configured them on Linksys, Netgear, Cisco, etc. 100 times with no problems. Nothing I configure on this confounded thing works. I've set up 6 port forwards (RDP, FTP, VNC) and none of them work. Nothing. "Connection timed out" when trying to connect. This works on my other router just fine, so it's not my software or my PC configuration, as they have not changed. Ports are correct.
I have a D-Link DIR-815 router. I have tried for 10 hours to get broadcast IP to work, no luck. All HTML/JavaScript modifications = no luck. WOL works on the LAN, but not over the internet, so I figure it's the broadcast IP that needs to be virtual servered?
I've been trying to set up DMZ for my DSL-2542B-SE_1.00_06112008.
But the problem is that when I access my IP from the WAN, it connects to the router control panel. I have set the DMZ IP as 192.168.1.2, which is my computer where I have the server set up.
Now I've disabled DMZ, but I can still access my router from the WAN through my IP.
What's the difference between Virtual Servers and Port Forwarding on the DIR-825? I'm transitioning my router setup from a Tomato/MLPPP router to the DIR-825 and I'm a little confused about when you would use "Virtual Servers" and when you would use Port Forwarding. In the past, I've always relied on port forwarding to allow access to specific services on my LAN (i.e. VPN, Apple Remote Desktop, etc.), so again, I'm unsure what Virtual Servers is used for. From what I can tell, Virtual Servers is for services that require a single port for communication (i.e. a basic SSH setup on port 22), while Port Forwarding allows for the setup of services that require multiple ports (i.e. VPN on ports 500 [UDP], 1701 [UDP], 1723 [TCP] and 4500 [UDP]). Is that the difference between the two configuration pages? It just seems odd to me to have two separate windows for just this difference. If that's the case, is there any reason I couldn't just use port forwarding, even for services that only require a single port (just to keep everything on the same configuration page, under Port Forwarding)?
I wonder what the difference is between the virtual server and port forwarding, because the router I was using previously had only port forwarding. When should I use virtual server instead of port forwarding?
I have seemingly tried everything! I am still getting VPN error 720 using the Windows client trying to connect to a VPN server using PPTP. I am about to go out and buy another WNR200 because VPN works flawlessly on that router. I have 2 virtual servers set up, one for port 1723, the other for port 47 (GRE). All the ALG check boxes are checked (I have tried them both ways; when they are unchecked and I use port forwarding I get VPN error 800). I have tried with SPI enabled and disabled. No port forwarding set up for VPN, just the virtual servers. Firmware is 1.34NA, 2010/04/16.
I have a DIR-601 wireless router with two computers connected: Server (192.168.1.2) and Client (192.168.1.3 on the Ethernet port and 192.168.1.4 on wireless).
I also use dlinkddns.com, and my router's public IP is mapped as abc.dlinkddns.com.
In the router's Virtual Server section, it is configured as:
Public Port: 3389 (for Remote Desktop)
Private Port: 3389
IP Address: 192.168.1.2 (server's IP)
I am expecting this to allow the client to access the server via windows Remote Desktop.
The current situation is:
- When wireless is on, the client can access the server's Remote Desktop.
- When wireless is off and the client is connected by wired Ethernet, the client cannot connect to the server's Remote Desktop. After a timeout, the error message is "Remote Desktop can't connect to the remote computer for one of these reasons: ...".
- When the client is in another network, it can connect to the server through the Internet.
I am sure it's not the client's problem, because it can access the server via wireless or remotely from another network. It's not the router's virtual server config problem either, for the same reasons. Could it be a bug in the router? (hardware version: B1, firmware version: 2.00NA).
Region: Argentina
Model: TL-WR1043ND
Hardware Version: v1
I have read how to configure the Virtual Servers - Forwarding URL and added two entries, one for port 44612 and one for 32680; my PC's IP is 192.168.0.100. Before I installed the router (my PC was connected directly to the LAN connection) all was working just fine. And I double-checked that the ports are not being blocked by the firewall.
I've got a DIR-825 Rev. B, firmware V2.06NA, on a static-IP WAN connection routing to an SBS 2008 server and 10 PCs. The server is serving mail, web, and files. The router has virtual servers set up for HTTP, HTTPS, SMTP, IMAP, IMAP SSL, SMTP SSL, PPTP, Remote Desktop, and a few others.
Everything works fine, but the router's HTTPS forwarding stops working periodically, about half an hour after reboot. The server's working fine, but it doesn't see the HTTPS request; it looks like the router is trying to serve the 443 request itself. After a router reboot everything is back to normal.
I've replaced the router with another DIR-825 and it has the same issue.