We have an ASA Version 8.0(5)19 as our firewall.We are trying an cloud service on the internet and found that the ASA is removing the X-Forwarded-For on the header on the surf traffic.Is it possible to not remove the X-Forwarded-For in ASA?
View 3 Repliesi have an ASA 5520 8.4(1) with following config
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!
i need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389, how do i achieve this ?
I have two Catalyst 6506 in VSS mode with VS-S720-10G running 12.2(33)SXI1 IP SERVICES.I have two firewalls that communicate on to the other through a dedicated VLAN created on Catalyst 6506.
One firewall is able to ping the other one on this dedicated VLAN but if I send multicast traffic from firewall-1 I didn't receive it on firewall-2.I found a bug related to multicast issues on Cisco WS-C6509-E with VS-S720-10G. The bug ID is CSCtc59038.
I've been looking into IGMP snooping and have read that a L2 switch will forward multicast traffic to all ports connected to an interested receiver AND all mrouter ports. In a L2 'V' topology this results in all multicast traffic routed onto a VLAN being forwarded to the 2nd distribution switch. My question is how should a 6500 Sup720 deal with this unwanted multicast traffic? Both a Local SPAN of the RP and a Netdr capture suggest that this traffic is punted to the RP and ultimately dropped. Is this expected behavior or should the traffic be dropped in H/W?
View 2 Replies View RelatedI have pix firewall 525, configured with ospf process. We are also performing route filetering in ospf process using route-map. Now we want to remove this route-map from ospf process. Any step-by-step process for removing route map as per below list. How to remove route-map without having any impact as per above configuration.
View 1 Replies View Related: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password EhxQ5dBfvkyaUj52 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.8 W2K3-X32-SP
[code]....
I have a problem with a dmz vlan. I can´t surf over internet on a remote host.The dmz vlan links with remote network on host 192.168.20.3 .
INSIDE (192.168.10.0) -------------- Outside (88.88.88.0) -------------- DMZ (192.168.20.0)
^
|---------- Remote network (192.168.9.0)
I need to remove FWSM from a prodcution 6509. This FWSM is a standby. What's the best way to remove without powering down the switch or impacting antyhing?
View 3 Replies View RelatedWe are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
Actually i want to trap the e-mail sender's mac address using his ip from header of e-mail ID... isn't that possible...??
View 1 Replies View RelatedI managed to narrow down my question to this.SOCKS5 proxy is able to handle both TCP and UDP transport protocols.If I have IPinIP encapsulated tunnel, will this work?
in other words, does SOCKS5 expect Layer 4 header immediately after Layer 3 header or not?
I have an ACE version A5.2 configured in one-armed leg (doing source nat). I have a requirement to add(or copy) the "referer" header value from the original request to the request send by ACE.
I cannot figure out how to copy this value. It is easy to add the source ip address by adding: " insert-http x-forwarded-for header-value "%is".
So how I am going to copy the Refere header?
#Referer
#Address (URI) of the resource from which the URI in the request was obtained
I created several rules to balance on a specific server somes apps. Everythings works great in http but no in https.In my example, i would like [URL] to be redirected to my server2 but it's always using the default rules instead of the L7CLASSSrv2. Today [URL] is well redirected. All other apps are correctly loadbalance with the stickyness effect but I can't handle the https connections.
class-map match-all L4-WEB-IP
2 match virtual-address xxxx tcp eq www
class-map match-all L4-WEBHTTPS-IP
2 match virtual-address xxxx tcp eq https
class-map type http loadbalance match-any L7CLASSSrv1
[code]....
We are using Cisco ACE 4710 to load balance servers. We have created VIP under the interface vlan using nat-pool command. Also, we have changed the gateway of the server to point to the ACE vlan ip address which is created using alias 10.x.x.x 255.x.x.x command under the interface vlan. In short ACE is in inline mode for the servers which needs to be load balanced.
[code]...
But still I am not able to view the original client IP. Just to add more, the site is a HTTPS site & we have not doing any kind of SSL offloading on the ACE, it is taken care by server itself
I just want to do the HTTP & HTTPS load balancing without SSL offloading & should be able to see the original client IP in the server logs
How to find OS and browser of sender using email header?
View 1 Replies View RelatedIs there a way to convert TCP options header into an http header using Cisco ACE ? is there an equivalent solution with Cisco as the one proposed by F5 here: url.
View 7 Replies View RelatedWe are migrating from ACE 20 module to an ACE 4710 appliance. [code] When pasting in the config on the ACE 4710 running A4(2.1) code, I get the subject error message when trying to enter in the highlighted sticky-serverfarm command above. Again, this config works on the older hardware and older code.
View 1 Replies View RelatedOne of my customer has raised a new requirement for implementation of short sequence number format support in PPP multilink header for Cisco MWR 2941 E1/T1 serial interface, whereas router is supporting long sequence number format.here is the output of "debug ppp negotiation" command:-Currently in the MWR debugging logs we can see that by default MWR is sending long sequence header format as below
*Mar 13 01:32:55.438: Se0/2:0 LCP: O CONFREQ [REQsent] id 238 len 25
*Mar 13 01:32:55.438: Se0/2:0 LCP: MagicNumber 0x26CDF693 (0x050626CDF693)
*Mar 13 01:32:55.438: Se0/2:0 LCP: MRRU 1500 (0x110405DC)
*Mar 13 01:32:55.438: Se0/2:0 LCP: EndpointDisc 2 16.16.16.11 (0x1307021010100B)
*Mar 13 01:32:55.438: Se0/2:0 LCP: MultilinkHdrFmt seq long classes 2 (0x1B040202)
While as per the requirement PPP multilink header should support short sequence.
MWR configuration:
controller E1 0/2
framing NO-CRC4
clock source line
channel-group 0 timeslots 1-31
[code]....
My 2811 sip gateway send invite to my ITSP server with incorrect IP address in Contact section. It uses the internal ip address instead of using the public ip. As results, the re-invite sent back from ITSP sip server cannot be recieve. Could some tell how to change the ip address in Contact section of the invite message.
View 6 Replies View RelatedI attached a really ugly picture of how the switches are connected. Basically, we have 4 VLANs in the company. Everything works fine on all VLANs, except the management VLAN (ID 1 - yeah, also the default VLAN ID, I know it's bad and it's going to change some day but...one step at a time). All the switches have their management interface on VLAN1.Here's what works and what doesn't work:If I connect my PC, on VLAN1, to switch number 5 (or any other one on the same row with it) or 4, I can ping 5 (and the entire row), 4 and 3. I cannot however ping 1 and 2If I connect my PC on VLAN1 to switch number 3 I can only ping 1,2 and 3.So basically from what I can gather, switch number 3 (D-Link) is not forwarding VLAN frames containing the tag 1 from and towards the trunk between it and switch number 4 (Cisco).What is strange is that this only happens on VLAN1, everything works perfectly on the others. And it stopped working when we installed the D-Link, we didn't have any problems when instead of the D-Link we had a 48-port netgear switch.
View 6 Replies View RelatedI Get a mail From Someone which claims which says that they are forwarding a mail from someone How do i find out that the mail i have received s from that original person onlyBecause that person is not replying to me directlyHe forwards mail to a second person{assume} and that person forward me the mail::how do i find out that the mail i have got is really originated from that first person only
View 4 Replies View RelatedWhat am I missing - can't get my new SG 200-08 Switch to handle Jumbo Frames
I have set the MTU size to 9216, saved the conf. and rebooted the box - however when I try to "ping -f -l 8000 xxx.xxx.xxx.xxx" through it (or to the switch itself) I recieve only "Request timed out"!?
I have tried MTU=9000 as well.....
F/W: 1.0.1.0
Is there anything, apart from increasing the MTU size, that needs to be done?
I have my 2Wire AT&T U-Verse router properly set up to forward the port 25565 from my machine. (Incidentally, PortForward.com gives me a blank page when I try to look up how to do this.) However, when I test the port is indeed open ( Open Port Check Tool - Test Port Forwarding on Your Router ), it returns as closed. Yes, I'm running the server software while I run the test. I only have the Windows Firewall, but I ran attempts while the firewall was completely disabled as well as with just the appropriate programs allowed.
View 9 Replies View RelatedI am trying to create a server in a game called Minecraft. I have forwarded port 25565 (which I put in the server settings for incoming connections and I checked that 10 times so that is ok) on my thomson TG787. I've opened the same port on my firewall in windows 7. I've disabled my firewall completely. But it's still blocked. It's simply doesn't work..I'm 100% I fixed it on the router.
View 21 Replies View Relatedsomeone at work sent me an e-mail they claim was forwarded. I don't think it was, and I need to know before I ask, because accusing someone of making it look forwarded, I viewed the source code, but I can't tell, it was sent through a microsoft exchange server.I think they copied and pasted and changed dates, is there anyway to tell from the source code?
View 2 Replies View RelatedI am trying to create a server in a game called Minecraft. I have forwarded port 25565 (which I put in the server settings for incoming connections and I checked that 10 times so that is ok) on my netgear wnd3700. I've opened the same port on my firewall in windows 7. I've disabled my firewall completely. Everything should be cool, but still, checking with canyouseeme.org and asking friends to join. It is still blocked. It simply doesn't work.. I checked my router for any firewall but couldnt see any.. So yeah I'm 100% I fixed it on the router, unless someone is gonna tell me that there is still an option in the router that might fix it.. but I think I did something wrong in the firewall..Although I have been trying to get this to work all day.. I'd rather get some advice on the firewall or other options in my router. Btw, I am using AVG free edition, and I am pretty sure there is no firewall in that version, but there might be something I have to disable in order for this to work ?
View 15 Replies View Relatedi'm trying to use VNC as a remote desktop i was told to forward port 5900 in order to connect. but whatever i do i still an error saying that the port is not forwarded..Connection test failed.VNC Server appears to be behind a NAT router with IP address x.x.x.x. You will need to configure that router to forward port 5900 to this computer before you can connect to VNC Server over the Internet.as you can see here the port is forwarded to the server computers local IP.i have no firewalls active, and no anti-virus software that could be blocking VNC.
View 1 Replies View RelatedI was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?
We have a pair of CSS 11501,Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).This way we are able to also send it back to the same server when it uses SSL.I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP.
I have a client with a cisco 1841 router with a static public ip. He has 3 dvr's he wanted to acces from the internet and we opened the ports for the dvr's ip's. The issue were having is that only the first ip that we opened shows the port opened and works ok, the other 2 ip with their ports show closed.
View 17 Replies View RelatedWe have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
I have a western digital USB 2tb drive. It works great on my intranet (my laptops and other devices can access it). I have a sticky Ip address and would like to be able to access my drive from my work, but I don't know how to set up or if it can be set up to work. Can the USB be port forwarded? I have the E3200 router, Windows 7 OS (if needed)
View 4 Replies View Related