Cisco :: Manipulating Traffic Flows On The ASA?
Sep 19, 2011
So I've just discovered the Cisco ASA is not capable of performing policy-based routing.
I am in a position where I need to manipulate traffic flows from the inside network outwards for TCP80 & TCP443 traffic toward a transparent proxy server while default routing the remainder of the non-matching traffic.
Can anybody think of a way to do this with the ASA? Would a destination NAT work?
For example:
nat (inside,outside) source static any any destination obj_any proxy_object service tcp 80 80 nat (inside,outside) source static any any destination obj_any proxy_object service tcp 443 443
Why would the ASA not support PBR?
View 7 Replies
ADVERTISEMENT
Aug 6, 2012
I am aware that the 3750 switches are not able to support Netflows, so I have created a SPAN port and spanning traffic from a specific port. I would like to create a seperate VLAN and trunk the traffic from the SPAN port down to the 6509 switch and then capture all the traffic for that VLAN on the 6509.
View 4 Replies
View Related
Aug 26, 2012
Does ACS 5.3 has a feature to allow you to change or otherwise manipulate a user-name value within ACS as an authentication request comes into the system.
We want to use ACS to authenticate users to a particular device, but the device does not allow us to have username's in the format that we require, and the rest of our systems allow and require.
We want a way of manipulating the user ID of someone logging into the system, so that when the authentication request hits the ACS their username is massaged into the format we require, before being further processed against identity policies etc.
View 5 Replies
View Related
Dec 12, 2011
I am attempting to create a mass upgrade server for some of our more standardized equipment since our vender cannot upgrade them pre-shipping for us, we've got to do them on our own. This means using a terribly organized wizard written in what appears to be Java...
I have an aversion to Windows and felt that I could accomplish the same thing using expect scripts and a Gentoo Linux server; now all I need is to set my Cisco 3550 (c3550-ipservicesk9-mz.122-44.SE6.bin) to have each port on it's own VLAN, except for fa0/1 which will be a trunk port to communicate with all ports as well as the server.
View 4 Replies
View Related
Nov 7, 2012
Is it possible to split data flows on a single T1. Say 1 Flow on time-slots 5-6 and another data flow on time-slots 10-14. If one was data and the other voice would this work?
View 6 Replies
View Related
Oct 14, 2012
some misconfiguration (?) may be the reason for an undesired behaviour we are experiencing with our Cisco CSS 11501s. Balancing mechanisms work fine, however if a service transitions to the "down" state, the corresponding flows remain "alive" leading to a temporary outage of our service. Subsequent client requests are still being sent to the "down" frontend which is unresponsive.
View 4 Replies
View Related
May 26, 2011
Do you know if it is possible to filter TOIP flows between call server (Siemens technology) and phones ?Specialy, PIX is able to support dynamic ports opening?? Is there an ALG embeded?Is it required to upgrade PIX or not? is required a special licence??
View 1 Replies
View Related
Sep 13, 2010
I have a problem with a Site-to Site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2). I have build the configuration on both devices [URL] . Under "Specifying Hosts and Networks / Remote Network" i use not the external ip of remote Site, i use the internal networks ( 10.0.1.0 and 10.0.2.0 ). I need connetion to two remote internal networks ( from 10.0.0.0 to 10.0.1.0 and 10.0.2.0 ). The Tunnel (Phase1 and Phase 2) comes up when i ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverseflows; Connection for icmp src outside: 10.0.0.x dst dmz:10.0.1.x (type8, code 0) denied due to NAT reverse path failure ". On both Sites VPN connections with Cisco VPN Clients are possible.
View 5 Replies
View Related
Nov 30, 2011
I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0
description New 6mb circuit
speed 100
[Code]....
So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.
View 2 Replies
View Related
May 6, 2013
I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error: 5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 10.10.1.7 255.255.255.0!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 10.10.1.1object network obj_anysubnet 0.0.0.0 0.0.0.0object network obj_net_Insidesubnet 192.168.1.0 255.255.255.0object network Outside_globalhost 10.10.1.6access-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list
[code]....
View 8 Replies
View Related
Jul 29, 2012
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
View 8 Replies
View Related
Nov 11, 2012
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside) [code]
View 2 Replies
View Related
Dec 11, 2010
We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]
View 8 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
Nov 27, 2012
I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
View 3 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Mar 19, 2013
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
View 4 Replies
View Related
Aug 4, 2011
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
View 3 Replies
View Related
May 16, 2011
I have tried to understand these TCP traffic and NAT network but not sure if what I write is correct. Refer to the TCP traffic in cap1a.cap and cap1b.cap. They were captured on the two network interfaces of computer A, and record Network address translation (NAT) traffic that is propagated between network 45 and network 3 by computer A. Figure 1 shows the network configuration.
View 19 Replies
View Related
Aug 30, 2011
I have a site with a 1700 router connected to a 2960 switch. For some of the computers on site I want to determine how much traffic is local to the LAN and how much is going across the WAN.
One strategy I've come up with is to reset the interface counters on the switch ports to the machines in question and after some time compare the total bytes in and out of the interface with netflow data from the router. My only concern is that netflow is not completely accurate about the amount of data that has passed through an interface.
Is there a better or more accurate way to accomplish my goal?
View 7 Replies
View Related
Nov 3, 2012
I need to block the P2P traffic on a Cisco router. How can do it effectively? I configured NBAR on my router but still users can download using the utorrent client.
View 5 Replies
View Related
Apr 30, 2011
I've looked at many others having this same problem, but can't seem to figure out what my problem is. Same issue as most, I can connect fine, I get an IP, but it won't pass any traffic, I can't ping anything or access anything.
View 8 Replies
View Related
Mar 28, 2011
They have an old cisco pix 501 firewall. I can access it via the device manager interface from my browser. What they want is to be able to get all the traffic from the firewall to the internet and vis versa. They want to know the originating nat IP address and the destination from the inside interface. I looked at the console and I can't find away to capture any traffic from either interface.
View 6 Replies
View Related
Apr 18, 2012
For some reason my ASA is preventing my traffic from going out. I've added some crumby access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.
!
interface Vlan1
nameif inside
security-level 100
[Code].....
View 2 Replies
View Related
May 9, 2012
We have an MPLS that connects our main office with our 7 branch offices. We have 3Mb coming into the main office and 1.5 into all of the branch offices. I would like to give rdp traffic the highest priority. We have a Cisco 1841 at all branches and a Cisco 2811 at the main office. Do I have to configure QOS on all routers or just the one at the main location?
View 5 Replies
View Related
Oct 20, 2011
I am slowly getting this router configured........I am up and running. Traffic from All nodes inside can go outside. My next step is to configure traffic coming in to go to my server. I have Web, FTP, SMTP and POP running on the same server in my LAN. I need to us NAT/PAT to direct incoming traffic to it. I belive I have this done correctly, but obviously not...I only have port 80 configured in the config file, if I can get that to work the rest would be the same........
View 1 Replies
View Related
Nov 15, 2012
Configured cisco 881, WAN has static IP address and LAN is nothing fancy. I can ping out to url... or anywhere from the router but cannot from LAN client computers. [code]
View 4 Replies
View Related
Nov 15, 2011
Currently I have users that connect with the Cisco VPN client to our PIX 515e. Our corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to only NAT traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing since they would see the source address as a local IP on our network.
View 1 Replies
View Related
Dec 6, 2012
I have two ISP, I want to divide Inbound to ISP1 and Outbound to ISP2.
View 3 Replies
View Related
Jan 25, 2012
I don't have an ASA to lab this up on, and having read through the literature I have available to me I'm not sure how this would work but here's where I am at the moment. Situation: One ASA, two contexts, no shared interfaces, no 'hairpinning' to another common device like a router or layer 3 switch.Requirement: The ASA will separate two security zones. Each zone must be independent of the other (no shared interfaces).Expectation: Traffic to be enter the sole interface in context A, then be internally directed to context B before being dispatched out.
View 7 Replies
View Related
Apr 29, 2011
A former coworker of mine setup VPN capabilities to our office network shortly before he left. It is no longer working. We can connect to VPN but I'm not able to ping any devices on the remote network or Remote Desktop to any of the server. After 30 minutes, the VPN connection drops. I have attached our ASA 5505 config to assist in troubleshooting.
View 3 Replies
View Related
Apr 24, 2012
I need to allow traceroute traffic through ASA running version 8.0.2.This traffic is natted. what configuration is required on ASA to allow this natted traceroute traffic.Traffic is coming from inside and going outside.Also can we capture this traceroute traffic on asa using capture feature.
View 12 Replies
View Related
Oct 29, 2012
I have a setup with a few sites that have layer three switches behind firewalls. I've been successful in setting up GRE tunnels between all the layer three switches, the GRE traverses IPsec which goes between the firewalls at each site. That way, the GRE is encrypted over the Internet and I don't have to deal with protocol forwarding and stuff. The GRE tunnels are terminated at the loopback addresses of each layer three switch, this works well for the most part, except that I need to put static routes for each loopback address in each switch to point via the firewalls, because when OSPF comes up over the GRE tunnels it starts advertising the loopbacks, and as such the switches think they can get to them over the GRE (which is built from the loopbacks to begin with), as you can see, sort of a catch 22. The static route method works fine, but it makes it so that I can't access the loopback address for monitoring/management purposes from any other sites on the basis that the local core tries to send it directly to the firewall rather than over the GRE tunnel. Is there any way to force only the GRE traffic out via the firewall while letting any other loopback-destined traffic go over the GRE? I'm thinking this could be done with a properly-matching route-map, but I'm not sure where I would apply it, could I apply it directly to the loopback or would the GRE traffic skip that on the way out?
View 7 Replies
View Related
