Cisco Firewall :: 3128 Iptables Redirection To ASA Configuration
Oct 10, 2011
I would like to do something verys imple with IPTABLES but i canno't find any "simple" way to achieve...iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/24 -p tcp --dport 80 -j DNAT --to squid-box:3128.The idea is to redirect any connection to any host which try to connect to port tcp 80 being redirected to a server called squid-box on port 3128.I have seen that for proxy squid implementation with ASA i had to use wccp but for my personnal understanding.
View 1 Replies
ADVERTISEMENT
Nov 19, 2012
I would like to have these commands on our Firewall to avoid at least several students to use this service. How to translate this? It's apparently working great if I will use an Linux box or another firewall compatible with iptables.
iptables -I INPUT -s hotspotshield.com -j REJECT
iptables -I INPUT -s hotspotshield.net -j REJECT
iptables -I INPUT -s anchorfree.com -j REJECT
iptables -I INPUT -s anchorfree.net -j REJECT
iptables -I INPUT -s openvpn.net -j REJECT
iptables -I OUTPUT -d hotspotshield.com -j REJECT
iptables -I OUTPUT -d hotspotshield.net -j REJECT
iptables -I OUTPUT -d anchorfree.com -j REJECT
iptables -I OUTPUT -d anchorfree.net -j REJECT
iptables -I OUTPUT -d openvpn.net -j REJECT
View 1 Replies
View Related
Jul 14, 2011
I am using cisco 5520 for my RAS & site - site VPN's. backbone 6509 --> CISCO 5520--> ISP router with 3 ethenet interfaces.From cisco 5520 there r 2 connections to router, one for sit-site vpn outside interface and the other for RAS outside. I want to configure url redirection on 5520 so that when someone from outside access public IP it should forward it to the server in LAN. I want to use the interface hosting RAS for this.
View 1 Replies
View Related
Nov 30, 2011
I'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out. The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.
View 7 Replies
View Related
Jul 17, 2011
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
View 1 Replies
View Related
Apr 3, 2013
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.X.X.X
Protocol Version: 2.0
[code]....
View 5 Replies
View Related
Apr 3, 2012
I'm new at the ASA5500 domain. I have a question: How can I redirect traffic coming on a port to a machine inside the LAN listening to another port ? I would like to use ASDM.
View 1 Replies
View Related
May 16, 2013
We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25
212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
View 12 Replies
View Related
May 26, 2012
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
View 6 Replies
View Related
Dec 9, 2012
I have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
View 4 Replies
View Related
Apr 11, 2012
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
View 5 Replies
View Related
Dec 21, 2010
We have three locations, Seattle, LA and NJ. All the users need to go through the proxy server in NJ if they need to access to internet. We use the port 3128 on the proxy server for accessing the internet. We implement the QoS on the WAN for those three locations. For the internet acces, we configure the port 3128 as the NBAR and classify it as the lower priority.
The issue is...we want to have the users access to the URL as high priority, and the other web sites are still set as the lower priority. Are there any ways to accomodate it?
View 13 Replies
View Related
Feb 27, 2013
Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco live london kinda hinted about maybe Cisco working on this ? We can't disable stateful inspection. Is there any other solutions or workarounds ?
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.
However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
View 1 Replies
View Related
Aug 15, 2012
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
View 12 Replies
View Related
Oct 11, 2011
I have CSS in single arm deployment model. I want to configure port redirection for the servers. Servers are actually running web service on port TCP 3636. Which is accessibale by VIP http://192.168.200.87:3636 but I dont want to give user this URL I want the user to use standard HTTP URL as mention below, I want user to open http://192.168.200.87 and once they access this URL automatically CSS redirect them to port 3636. How I can achive this. I am using IP addresses for the load balancing.
View 4 Replies
View Related
Jun 17, 2012
I have successfully set up a 5505 as a cut-through proxy so that wireless users are required to log in when they open a browser to access the Internet. Is there a way to take them to the original page they requested after the login is complete, rather than having it sit at the screen where it is says they are logged in?
View 1 Replies
View Related
Mar 5, 2013
I have a little problem with a redirection. When I type my external ip, I am directly connected to my Cisco 861 ( through port 80 (HTTP))
Even if I do a factory default, I always have the same problem. I try to make another redirection on another internal ip , but always same problem...
View 7 Replies
View Related
Jul 26, 2011
im having problems getting desktop folder redirection to work on windows 7 machinesI have users set up just with local profiles but want to redirect "my documents" and "desktop" directories to the server. I have set up the gpo's on the server and it all works fine propergating to the xp machines but the windows 7 machines just wont take the desktop redirection. However "eventually" it did take the "my documents" redirection policy
View 7 Replies
View Related
Nov 20, 2012
I have a pair EA4500s that I am swapping out for a pair of EA6500s. One EA6500 is a router. The 2nd EA6500 is set as a bridge and us being used as an Access Point about 200ft and two floors above the main EA6500 router. The two units are connected via DECA (200MB Ethernet over DirecTV cable - an alternative for others with a cable provider is called MOCA). So, basically two EA6500s serving as two Access Points on opposite sides of the house and all wireless networks on different channels but all sharing the same SSID. Everything works GREAT except for one unusual issue.
The issue is with wired or wireless clients. If I try to use my PUBLIC address with port number to address a local client on the local network inside the NAT network the NAT redirection fails. In other words if I use 172.16.16.8 for a local web cam while inside my network from an iPhone or PC all works great. If I use the external public address, however, the connection times out. If I pop out the EA6500 doing the routing/NAt and swap it with the old EA4500 with basically the same config as the EA6500 everything works again. The EA6500 and the EA4500 are configured identical for the most part and with the EA4500 as the main router NAT redirection works great but with the EA6500 NAT redirection fails. I have the firewall setting to FILTER NAT REDIRECTION unchecked so that's not the problem.
Seems very odd.... and only seems to happen with the EA6500..... the work around is to use the local IP address when the client is on the inside and the public address when on the outside, but what a pain that is....
View 9 Replies
View Related
Aug 6, 2012
I have a wlc 5508 and I'd like to setup a network for visitors. They will connect to the WLAN, enter a password and then automatically get redirected to an external website. I understand the wlc 5508 supports this but I'm struggling to find out how to set this up I assume this can be done without having to customise webauth bundles?
View 2 Replies
View Related
Jul 9, 2012
I have a Cisco 2600. I would like to know how to redirect traffic going to a certain IP address three hops away to an IP address on a locally connected segment.
Ex. Packet leaves a device with source IP of 10.10.10.10 and destination of 20.20,20.20 When the packet hits the router (10.10.10.1) I want the router to redirect the destination of 20.20.20.20 to 30.30.30.30 (locally connected segment).
The router has two physical interfaces.I am thinking along the lines of creating a VLAN with an ip of 30.30.30.1 and then doing a NAT translation from 20.20.20.20 to 30.30.30.30.
View 3 Replies
View Related
Sep 5, 2012
wondering if redirection or conversion port 8080 into port 80 is possible? if so how and what cisco equipment can do that?
View 11 Replies
View Related
Jun 19, 2012
I am wondering if there is a method to redirect particular URLs to individual real servers in a server farm.Scenario: We have an url which is setup on our ACE4710s (A3 2.4) to load balancer to a particular server farm as per standard setup i.e.Customers access [URL] on an external VIP, this is then load balanced to a server farm "SF_WEBSITE" consisting of 2 real servers "Server_A" and "Server_B". Nothing difficult in this set up. However, I have eeen asked if it is possible to redirect certain urls to individual servers within the server farm "SF_WEBSITE": e.g.
Action 1 - Customers access [URL] is redirected to "Server_A" only
Action 2 - Customers access [URL] is redirected to "Server_B" only
Default Action - Customer access [URL] anything else is redirected to server farm "SF_WEBSITE" and is load balanced between "Server_A" and "Server_B"
The Standard Class Maps and Policy would be something like:
policy-map type loadbalance first-match SLB_WEBSITE
class class-default
serverfarm SF_WEBSITE
Where I thought I would need something like:
class-map type http loadbalance match-all CMAP_AREA1
description CMAP used to capture specific URL for area 1
2 match http url /area1
class-map type http loadbalance match-all CMAP_AREA2
description CMAP used to capture specific URL for area 2
2 match http url /area2
[code]...
I think the above method is ok for 1 instance, but if it test successfully, my company would want to to roll this out across dozens of server farm configurations each consisting of numerous real servers, which will make the administration and implementation time overheads massive, not to mention complicating and lengthening the configuration.
View 7 Replies
View Related
Sep 25, 2011
i have a 4710 appliance (one armed) and i am load balancing with two webservers. In the URL, there are links that need to be redirected to https:
[URL]
i am using the
rserver redirect REDIRECT-TO-HTTPS[URL]
The https is working but i have a problem. when i access the Main link "first" it is redirected to https to the Main link.But if i access one of the Sublinks directly(without having to click on the main link first) the page is redirected to https but to the Main Link. i have to click the Sublink again in order to get the page.How can i redirect to https and stay on the same page? What might be the general link in the webserver-redirection?
View 4 Replies
View Related
Nov 9, 2011
if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
seems like the priority value would come into play determining which service group gets handled first?
we currently do WCCP for WaaS on our 3945s.
I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
View 2 Replies
View Related
Jul 18, 2012
I have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
View 1 Replies
View Related
May 16, 2011
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
[code]....
View 11 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Apr 7, 2013
We have an ASA with 8.4(5) version. we had detected that few ip's were getting shunned ,to overcome the problem no shun was used and the traffic normalised.But, the same problem re-occured a few days after that with logs showing traffic being shunned.
is there any fixed way to get rid of this. what commands can i use to verify related configuration on the firewall.
View 3 Replies
View Related
Mar 31, 2013
I have one firewall need to be configured in transparent mode. I have inside and outside router. What is the configuration of transparent firewall ASA8.2. I didn't find the configuration on Cisco site.
View 17 Replies
View Related
Nov 25, 2012
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....
View 1 Replies
View Related
Sep 11, 2007
I want to configure an ASA 5505 in transparent mode (7.x). Somehow, I got it to work.. but i need some kind of step by step description. I just want to connect it with outside on a route .. inside in my LAN. Its working now with one ASA. But in the Web Interface the Interfaces inside and outside are down.. but its working.
View 5 Replies
View Related
May 5, 2012
Setup new Cisco 861 and working well for a new BTNet line for the customer. Changed the firewall using CCP from Zone to Classic Firewall. Worked great all day and configured what I needed to do.Now, with CCP (version 2.6) have the following message.Cisco CP has detected that the router is configured with either legacy and Zone Policy Firewall (ZPF) or Legacy firewall. If you want to use Cisco CP to configure an zone-based firewall, you must first delete the Legacy configuration.
View 4 Replies
View Related