Cisco Firewall :: ASA5585 WCCP-GRE Redirection To Websense Times Out?
Dec 9, 2012
I have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
View 4 Replies
ADVERTISEMENT
Jul 17, 2011
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
View 1 Replies
View Related
Apr 3, 2013
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.X.X.X
Protocol Version: 2.0
[code]....
View 5 Replies
View Related
Apr 11, 2012
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
View 5 Replies
View Related
Nov 9, 2011
if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
seems like the priority value would come into play determining which service group gets handled first?
we currently do WCCP for WaaS on our 3945s.
I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
View 2 Replies
View Related
Jul 18, 2012
I have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
View 1 Replies
View Related
Jul 27, 2011
I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
View 2 Replies
View Related
Jun 6, 2012
We have purchased a new Websense 10000 Appliance and I'm not a hundred percent how to set this up. I see that URL Filtering is a possibility and WCCP, which way to move forward on implementing this?
View 4 Replies
View Related
May 25, 2011
I am having a setup with a 2851 router & websense url filtering server where I need to forward the traffic to websense server for all the internet requests. The http traffic is getting filtered properly, but the https traffic is not getting filtered. The two commands I ahev given for http & http are as follows: ip inspect name test http urlfilter ip inspect name test https.
View 9 Replies
View Related
Dec 19, 2011
I am interesting how ASA 5585-X with SSP-60 operates in dual firewall mode, if I install two SSP-60 modules in chassi, do I get one logical firewall with doubled performance of (SSP-60) ?
View 1 Replies
View Related
May 17, 2012
I have put 2 physicl interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning ips/vlans to the sub-interfaces. I have 2 issues: - Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one), Secondly, why the IPs are not visible in "sh int ip brief" ?Although I can see them in "sh ip" ..
/actNoFailover(config-if)# int po17.100
/actNoFailover(config-subif)# vlan 100
/actNoFailover(config-subif)# ip add
[Code]....
View 2 Replies
View Related
Jan 22, 2012
I am responding to a tender where the client is asking for the firewall to support an onboard disk drive for logging purposes, which is a minimum of 500 GB in size.
The other requirements all point towards the top of the range ASA 5585-X Chas w/SSP60,IPS SSP60,12GE, 8 SFP+,2 AC,3DES/AES.
I note the 5585 when configured on DCT comes with HDD blanking plates, is there an HDD supported on this?
View 1 Replies
View Related
Mar 12, 2013
I've read through netpro and found everyone points to this doc.
[url]....
However that still doesnt allow traceroute through for us. We still see syslogs with deny's on high level random UDP ports to different Internet destinations.
[code]....
View 2 Replies
View Related
Oct 17, 2012
I got some issues with my CISCO ASA, the thing is that when I add a new rule on the device this rule duplicate and goes to the bottom. We already tried to delete the duplicate rule but it always show an error.
-Model 5585
-ASA Version: 8.2(5)
-ASDM version: 6.4(5)
View 5 Replies
View Related
Jun 7, 2011
We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
Jun 7 07:36:26 10.99.96.32 last message repeated 4 times
Jun 7 07:36:26 10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection failed
[Code]....
View 4 Replies
View Related
Jul 6, 2012
I have ASA5585 Firewall between my WAN Cloud and LAN Network. I plan to configure Layer 3 Vlan Interfaces inside FW and it would be Layer 3 gateway for some of Subnets. Layer 3 VLAN Interfaces are planned to be dual stack containing both IPv4 and IPv6 Address stack.
I plan to configure 6 to 4 Tunnel with my Hub Site where we have native Ipv6 awareness. One tunnel end point would be ASA and the other endpoint would be Hub site WAN Router/L3 Switch. So IPv6 traffic hitting to vlan interfaces on ASA would be policy checked and routed over tunnel interface to Hub Site.
6to4 Tunnel manual tunnel configuration on ASA. I have configured such tunnel on L3 Switch or Router with following config.
Int tunnel xyz
ipv6 address <ipv6 address>
ipv6 enable
tunnel source <loopback address of my L3 Switch>
tunnel destination <loopback address of my hus site L3 Switch/Router>
tunnel mode ipv6ip
end
I need to implement something similar in ASA. How can I do that?
View 2 Replies
View Related
Apr 25, 2013
How do i measure the total throughput going via 5585-X.It has the firewall througput of 5Gbps. Looking at aggregate of all the interfaces traffic going through it seems about 4gbps is going through.
I use show traffic command and add up the trasmit and receive traffic on each live interface.Is that correct method and are there any more commands?
View 1 Replies
View Related
Jul 14, 2011
I am using cisco 5520 for my RAS & site - site VPN's. backbone 6509 --> CISCO 5520--> ISP router with 3 ethenet interfaces.From cisco 5520 there r 2 connections to router, one for sit-site vpn outside interface and the other for RAS outside. I want to configure url redirection on 5520 so that when someone from outside access public IP it should forward it to the server in LAN. I want to use the interface hosting RAS for this.
View 1 Replies
View Related
Aug 18, 2011
use of a pair of ASA 5585's in active/active mode with a shared outside interface.Last time I did this was with FWSM, there was a restriction where all contexts that share an outside interface have to be in the same failover group.Does this apply also to the ASA? My thought is that it will, but I am unable to find that in any documentation.
View 1 Replies
View Related
Oct 24, 2012
We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Any way of cutting over to the new range without dropping existing connections? For clarity, the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22.
View 6 Replies
View Related
Jun 29, 2011
Running ASA5585’s in active/standby across a local campus MPLS network. Supported design, leading practice etc. Specifically our design is that two ASA5585 are configured as active/standby through a local campus MPLS network over 10gig links through ASR9k etc. The ASA’s are providing inter-vrf routing capability only with p2p l2vpn circuits configured for each logical interface between the ASA over MPLS etc.The failover link is via a direct fibre and the state link will be through a p2p l2vpn (option for direct fibre also)Is this a supported design to begin with?
View 2 Replies
View Related
Oct 19, 2011
We are experiencing intermittent issues with the IPS on our ASA5585 vs 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with log debug-trace setting to syslog server. But when session times out the debug command is cleared so the output stops. Since it is a intermittent issue I want to keep debug activated...Totally different behaviour then with routers which keeps it activated. how to keep debug activated on a ASA.
View 1 Replies
View Related
Nov 30, 2011
I'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out. The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.
View 7 Replies
View Related
Aug 14, 2011
I have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.
-Hardware is ASA5585-SSP-10.
-Software version: ASA 8.2(5),
ASA is in multiple mode with 17 active context. Why these error messages appear and what they mean?
View 2 Replies
View Related
Oct 10, 2011
I would like to do something verys imple with IPTABLES but i canno't find any "simple" way to achieve...iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/24 -p tcp --dport 80 -j DNAT --to squid-box:3128.The idea is to redirect any connection to any host which try to connect to port tcp 80 being redirected to a server called squid-box on port 3128.I have seen that for proxy squid implementation with ASA i had to use wccp but for my personnal understanding.
View 1 Replies
View Related
Apr 3, 2012
I'm new at the ASA5500 domain. I have a question: How can I redirect traffic coming on a port to a machine inside the LAN listening to another port ? I would like to use ASDM.
View 1 Replies
View Related
May 16, 2013
We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25
212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
View 12 Replies
View Related
Jun 9, 2012
We have pair of ASA5585 (ver 8.4(4) with IPS module configured with Active/Standby failover. There are total 09 interfaces are connecting to different zones in the firewall and out of which three(3) interfaces are connecting to Palo Alto 2nd layer firewall. When we test the failover whatever interfaces not connecting Palo Alto failed or shutdown, ASA triggers the failover to other unit, however the Palo Alto is not detecting this failover and it still keeps its previous Active Palo Alto to pass traffic, thereby failing passing traffic on Active firewall through Standby Palo Alto firewall.
But when there's a interface failed or shutdonw on the interfaces where PaloAlto also connected, then once the ASA failover triggers and the same time Palo Alto also trigger its failover then both new active firewall and Palo Alto sending traffic through firewall.However we we cant all the interfaces of ASA also to connect Palo Alto and let the Palo Alto to inspect all the interfaces, but we need our ASA to work in a situation where any of the interfaces failed, the failover to work smooth the pass the traffic via either Palo Alto device.I just need to know is there anything tricky that we can configure on our ASA in this failover senario, or to confirm if there's no any workable solution to this situation.
I have attached the senario that I explained above. Just to emphasis the issue again, if any interface of Gig0/0, Gig0/4 or Gig0/5 failed on active firewall, ASA switching to standby firewall and act as Active, but Palo Alto still remains his Active state and the new Active ASA is not passing traffic via standby PA as its not detecting any of its interfaces as failed or unreachable..?
View 1 Replies
View Related
May 26, 2012
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
View 6 Replies
View Related
Feb 27, 2013
Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco live london kinda hinted about maybe Cisco working on this ? We can't disable stateful inspection. Is there any other solutions or workarounds ?
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.
However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
View 1 Replies
View Related
Oct 31, 2012
I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barraccuda Webfilter 410 Vx applicance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is funning firemware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping eachother. The ASA has several interfaces, outside, inside, data and dmz. The PCs and barracuda appliance are behind the data interface. ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40 All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
Below are the respecive bits of my ASA config
interface GigabitEthernet0/0
description Management
speed 1000
[Code].....
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1 which is my inside network and the barracuda cannot communicate with it. how I can get this working ?
View 3 Replies
View Related
Mar 10, 2011
What the support for WCCP on a FWSM running 4.0(7) is like, if there is any at all ?
I've read that the earliest PIX release that supports WCCP was 7.2(1) but I'm not sure how FWSM 4.0(7) aligns with the PIX versions.The only doc's i can find refrencing WCCP on a 6500 with FWSM is in the 6500 12.2 IOS guide.
View 1 Replies
View Related
Feb 22, 2012
I have a IOS firewall on a 2921 router, zone-based config. The remote and main sites have Cisco WAAS , running 4.4.1 software. I am using WCCP redirection on the WAAS/router combination. If I leave it off the firewall passes SSH correctly to the devices on the other side of the firewall. If I enable WCCP the SSH connections fail. The SSH to the router itself is fine, I am not using the self zone for router protection. I had seen a few posts on WAAS but the only one mentioning a config statement in the firewall was on 4.0 WAAS and the command is no longer on the IOS firewall. Is this supposed to work transparently or am I missing a config?
View 2 Replies
View Related
