Cisco VPN :: 3030 - How To Filter Web Traffic
May 29, 2013
Most of our VPN connections are done with our Cisco 3030 and the internet goes out the ASA. We are able to filter all web traffic by doing a a span port for web traffic.
When we move VPN connections to the ASA we will loose the ability to span web traffic becuase its coming in and going out the same interface on the ASA. We will loose the ability to filter web traffic when this happens.
How we can filter web traffic on VPN connections on the ASA. We are using websense. I know there is some integration that can be done with the ASA and websense but it doesn't have all the capabilities as doing a span port for websense to monitor.
View 1 Replies
ADVERTISEMENT
Feb 6, 2013
I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.
I'd like to filter inbound Internet traffic to this PIX so that only the designated ASA can attempt to establish an IPSEC connection -- in other words, I want to prevent any other device on the Internet from even being able to attempt to establish an IPSEC connection to the PIX. As far as I know (and have seen), this can't be done with an access-list on the outside interface, since that access-list doesn't apply to traffic to the PIX itself.
View 3 Replies
View Related
Mar 20, 2012
Is it possible to filter remote access VPN traffic on a PIX 501 (like you can on an ASA?)
View 1 Replies
View Related
Jan 23, 2011
Is it possible to configure cisco router like C3800 or catalyst switches like C4500 or C2960 to filter traffic based on allowable mac addresses only? I would like only to allow those devices that belongs to the domain, meaning if a user connects a computer or any devices that concerns network which I have not allowed the mac addresses, it will be denied access to the network. However, any of the allowable devices could able to use any port of the switch, meaning I dont want to associate an allowable Mac Address to a physical port on the switch.
View 2 Replies
View Related
Sep 20, 2012
I have a site to site VPN setup between a 5510 and 5505. All traffic is sent ovet the VPN from the remote site to the home office. Everything is working fine but the remote site "www" traffic is not going to the Barracuda. ISP -> CISCO ASA -> Barracuda -> Internal Switch.The Barracuda is setup "inline" with the internal network.
View 7 Replies
View Related
Jun 28, 2011
When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.
[ERROR] dynamic-filter use-database Dynamic Filter: New data file not terminated with newline
View 14 Replies
View Related
Feb 23, 2013
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
View 2 Replies
View Related
Apr 9, 2013
I have a ASA 5585 and a Nexus 5596, and i need a sugestion to configure this cenário:
My users in the Vlan 10 need access on the network in the Vlan 20, but this traffic must be filtered for firewall. In the firewall a received a trunk port for Nexus 5596, and i created subinterfaces to receive the Vlans for this trunk.
The gateway for my users is the address for the ASA subinterfaces.
What i do to filter the traffic between the Vlans?
View 3 Replies
View Related
Nov 16, 2011
Can the SRP547W be configured to allow traffic on port 25 from an external ip range to an internal address?
View 0 Replies
View Related
Dec 19, 2012
We want to filter IP traffic by MAC address on Catalyst 4500. Since we are using bonding (active-backup mode) we need those mac addresses appear on different ports. Below are solutions that we have tried: ACL but it does not work since mac acls only match non ip traffic (We CAN NOT use ip acl). Use a static mac address-table entry to ALLOW specific mac addresses. It does not work either since the same MAC address needs to be seen on a different port. Catalyst 4500 does not support auto-learn option (as e.g. Nexus 5000).
View 3 Replies
View Related
Nov 15, 2011
How does a firewall block or filter traffic on a specific port or IP address?
View 1 Replies
View Related
Dec 18, 2011
I'm decommissioning my SonicWall PRO 3060 and upgrading to an ASA5550 (we're increasing our WAN link speed to 1Gig and need the 5550). In any case, I want to copy over the configuration from the PRO to the ASA. I have everything documented and I've started doing the changeover, but in looking at some other network diagrams on the net I'm seeing router symbols between the LAN switches and the ASA and I'm beginning to worry that I might need routers to do this which, of course, would increase cost quite a bit.
So my question is this: If I have a core switch carved into multiple VLANs and I connect each VLAN to a port on the ASA, will I be able to route and filter traffic from VLAN to VLAN through the ASA? If so how, in general, is this accomplished (I'm betting ACLs). I think that the ASA will be able to do this easily, but I just want to be sure before I get too far into the configuration of this unit,.
ASA
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GigE0/0 GigE0/1 GigE0/2 GigE0/3 GigE1/0 GigE1/1 GigE1/2 GigE1/3
| | | | | | | |
| | | | | | | |
WAN BackupWAN VLAN400 VLAN500 VLAN600 VLAN700
View 4 Replies
View Related
May 25, 2011
I am having a setup with a 2851 router & websense url filtering server where I need to forward the traffic to websense server for all the internet requests. The http traffic is getting filtered properly, but the https traffic is not getting filtered. The two commands I ahev given for http & http are as follows: ip inspect name test http urlfilter ip inspect name test https.
View 9 Replies
View Related
Jun 29, 2012
I have upgraded to the new RV042G to take advantage of the gigabit Ethernet speeds and to prepare for when our ISP upgrades our bandwidth. I currently use the RV042 with Protect Link enabled to filter out various categories from our network traffic. I noticed that this feature is not included with the RV042G.
Is this something Cisco will decide to add back in later? In the meantime, how to block content on the network? The basic URL and keyword filter will not meet our needs, since it is much easier to let a service such as Trend Micro manage what is blocked in the categories they offer.
View 2 Replies
View Related
Jun 22, 2012
I have couple C2960G and C3750. Is there any way to filter (on ingress port) type of traffic? I would like to allow IP only, and discard (i.e.) IPX, or other garbage, that any device can produce.I have tried to find something about this, but only thing I have found is feature : protocol filter, which doesn't seems to be working on my hardware.
View 6 Replies
View Related
May 10, 2012
I am writing to be given some support related to a issue that I am having. The fact is that I am trying to give connectivity between two companies that are connected to mine through the same Cisco VPN 3030 device (I know that it would be better that they access directly between them and not through my Concentrator, but due to some security reasons it is not possible).
The problem that I found is how to route the destination network through one specific L2L, because the static routes can only be configured to IP addresses or Interfaces (in my case just Internal-LAN and External-Internet).
View 1 Replies
View Related
Jun 13, 2007
Is there any way to auto migrate my 3030 VPN configuration to an ASA platform?
View 3 Replies
View Related
Jul 31, 2012
I had to edit an ACL on an active S2S VPN today because traffic was being denied from a host onsite to a host on the remote site (port 449). After I made the change, we tried to make the connection again, but it was still denied. Do we need to tear down the S2S vpn for the change to the ACL to take effect? Also, what if we just wait for the connection to rekey itself? Will it work after that?
View 2 Replies
View Related
Apr 30, 2013
how we can clear the username in the Anyconnect Connection Profile on a users laptop? Currently it defaults to the last username used but our security group would like that cleared so that the field comes up blank every time. This feature was available in the old Cisco 3030's but I can't find it in the ASA.
View 3 Replies
View Related
Nov 21, 2012
I know the Catalyst 3030 is EOL/EOS and I am probably SOL.
Cisco IOS Software, CBS30X0 Software (CBS30X0-LANBASE-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:05 by yenanh
Image text-base: 0x00003000, data-base: 0x00AB4EB8
[code]....
I would like to put the below into the "stack trace" tool, but all links appear to be dead.
%PLATFORM-1-CRASHED: Program Exception (0x0700)!
%PLATFORM-1-CRASHED: SRR0 = 0xFEA10EC0 SRR1 = 0x00029210 SRR2 = 0x0043CD70 SRR3 = 0x00021200
%PLATFORM-1-CRASHED: ESR = 0x08000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
%PLATFORM-1-CRASHED:
[code]....
View 3 Replies
View Related
Apr 30, 2012
show logging
May 1 16:00:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to down
May 1 16:00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to up
May 1 16:17:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to down
May 1 16:17:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to up
May 1 16:25:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
May 1 16:25:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
May 1 17:19:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Configuration as below:
macro name vmware
switchport trunk encapsulation dot1q
switchport mode trunk
no switchport access vlan
[code].....
Note:Both active blade switch and standby one are connecting to same aggregate switch 3750. Yet the active one, with same config as standby one, has not occurred this issue.
View 2 Replies
View Related
Feb 17, 2013
We have configured a site to site tunnel from our ASA to another organizations Cisco 3030. It appears to have just one way initiation. We can do a ping to a device on the remote site and it will ping just fine. however, when the tunnel needs to be initiated from the remote site, it will not work until we have initiated the tunnel and then everything works.
I continue to see Error processing payload: Payload ID: 1 errors on the ASDM logs.It appears that all the configuration is in place because we can in fact establish the IPSec tunnel unidirectional. And once established, traffic can flow bidirectional.
View 1 Replies
View Related
Jan 31, 2013
Using ACS 5.2, under Network Resources>Network Devices and AAA Clients>, I can only filter by:
Name
NDG:Location
NDG:Device Type
Description
How can I find a device by its IP Address? or how can I enable this option?
On this link:[URL] I read the following: ''Network Device Filters—Based on the AAA client that processes the request. A network device can be identified by its IP address, by the device name that is defined in the network device repository, or by the NDG'.....
How could I do this on my ACS server?
View 5 Replies
View Related
Dec 11, 2010
We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]
View 8 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
Nov 27, 2012
I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
View 3 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Mar 19, 2013
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
View 4 Replies
View Related
Jan 12, 2011
I have hw-550-3G modem and I like to know how to setup Mac, IP filter.To allow only the Mac, address in the list using the internet.
View 3 Replies
View Related
Apr 16, 2012
[URL]
I'm at task 6
Am I wrong but the only way to filter external routes - type 5 - is with a stub area, and area 0 can't be a stub? As far as I know OSPF can't filter on the route tag, so should I be filtering with a route-map?
View 19 Replies
View Related
Sep 22, 2012
My main goal i want to filter certain sites including facebook not to be accessible within the network and block all torrets including maliciuos site. I was advised to get Cisco ASA 5505 which i already got a quote. But now i want to know if is the ASA 5505 good enough for this purpose, is there anything additional required to succesfully overcome my main goal?
View 5 Replies
View Related
Aug 6, 2012
is there any way to apply hostname or object network in the syntax? The command gives the option to use hostname or A.B.C.D but doesn't accept the hostname PIX1(config)# filter url except 0.0.0.0 0.0.0.0 ?configure mode commands/options: Hostname or A.B.C.D The address of foreign/external host which is destination for connections requiring filtering Can an FQDN be used as a foreign/external host?
View 3 Replies
View Related
Aug 4, 2011
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
View 3 Replies
View Related
