Cisco WAN :: 3128 - How To Get Users Access To URL As High Priority
Dec 21, 2010
We have three locations, Seattle, LA and NJ. All the users need to go through the proxy server in NJ if they need to access the internet. We use the port 3128 on the proxy server for accessing the internet. We implement the QoS on the WAN for those three locations. For the internet access, we configure the port 3128 as the NBAR and classify it as the lower priority.
The issue is...we want to have the users access to the URL as high priority, and the other web sites are still set as the lower priority. Are there any ways to accommodate it?
Nov 19, 2012
I have a 3560 connecting to an SP with limited bandwidth. I have one interface on the switch whose traffic I do not want to drop. I want this traffic to go into the high priority queue. I am not sure how this should be configured, but here is my best guess and my current QoS configuration on the switch:
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 1 4 6 7
mls qos srr-queue output cos-map queue 2 threshold 2 3
Since CoS 5 is mapped to DSCP 46, this traffic would go into the priority queue. Is this correct?
Oct 10, 2011
I would like to do something very simple with IPTABLES but I cannot find any "simple" way to achieve...
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/24 -p tcp --dport 80 -j DNAT --to squid-box:3128
The idea is to redirect any connection to any host which tries to connect to port tcp 80 being redirected to a server called squid-box on port 3128. I have seen that for proxy squid implementation with ASA I had to use wccp but for my personal understanding.
Nov 1, 2011
Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). But when I'm home and I use remote access VPN (192.168.200.x) in Cisco ASA 5520 to connect to my computer A, it is okay. But when I try to ping my computer B, it is not okay. I already do the exemption for 192.168.100.x and 192.168.10.x in NAT rules for inside interface (192.168.100.2) ...
Should I put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?
Mar 18, 2011
I have a customer with an ASA5510. We have an SSL VPN (tunnel-based, or "SVC") that we use for remote access. That works great. They want to be able to use this same functionality, but add users who will not have the full access that the current SSL VPN users have. So in other words we currently have a small group of users who get full access to the LAN. Then they want to have a second group of users who will only have access to certain nodes. I'm wondering if there's some way to do this using LDAP between the firewall and the Radius server? The user gets put in a different tunnel group depending on what the FW learns from the server? We only have the Anyconnect Essentials license, so unfortunately we can't do a clientless SSL VPN, which otherwise might work well here.
Jan 17, 2012
I have an ASA 5505. I have configured Remote Access VPN so that users can connect to VPN and access my main VLAN (Inside). I would like to secure it so that when a user VPN's in, they are only allowed access to the HVAC VLAN (Vlan 2) as seen in my configuration. Please note there is also a LAN-2-LAN VPN which has been configured as well.
May 17, 2013
Client has a Cisco ASA 5510 with 4 L2L VPNs all using 5505s.
The L2L connect to the "outside" interface as do the VPN Users (I'm leery of this).
The VPN Users need access to the "inside" networks and all L2L subnets.
The VPN User has its own subnet (192.168.168.0/24) separate from the Local LANs (172.16.0.0/16).
When the Users VPN in they can get to all the subnets connected to the inside interface but none of the L2L subnets.
I have verified that the UserVPN Subnet is in the crypto acls and in the route statements of all L2L 5505s.
Mar 13, 2011
I just configured an ASA 5520; here is the config (the IP address of the outside network is going to change from private address for security reasons).
The problem that I have is that the users can access the web site through the public IP address but they cannot access it by name. We reviewed all the config on the DNS server and with the command NSLOOKUP we can see that it works fine. The client thinks that the ASA is blocking the connection.
[code]....
Dec 13, 2012
Is it possible to deny VPN access to specific AD accounts?
Currently setup with 5520, LDAP authentication for VPN users.
Oct 13, 2011
Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our ASA 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization? It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
Oct 19, 2011
I have a STORCENTER IX2-200 CLOUD EDITION in my office with 3 machines hooked up via the router. I can't seem to access users when I enable the security. If I disable security I can get in. This is happening on Windows XP and 7. I've tried Iomega support and it all has to be done via email, which is annoying. If I enable security I get the following Windows error: \iomegakate is not accessible. You might not have permission to use this network resource. Access is denied. All the machines are logged on as administrator. I did fix this problem, although only for a few hours, after speaking to Iomega. They advised to use the Net Use command and delete all connections. I've forgotten what it was now as they remote accessed in.
May 28, 2011
got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.
The only problem I have is the question of restricting access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one. The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,
- 1 user with admin privileges (me)
- 1 limited account for the kid
- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)
I would like for the wifi PCI card to work only when I login to my account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear that 1 of the accounts that the kid uses also has admin privilege).
I tried disabling the device from control panel but in vain (tried something like the sys admins do in corporates: disabling the USB ports on the PCs in my office)!
Dec 21, 2012
I want to create a website but only allow a certain user or group of users access to that website. Assuming that user or users will be from the same location, and likely the same static IP, can I throw a firewall between my internet connection and web server and only allow that specific IP address access to my web server by a rule? If there is a better way to handle that,
Apr 1, 2012
I currently set up two LAN networks. But one of them (Router 2) will be open (no password). Will this create a security compromise? Can the Router 2 Users access information of users of Router 1?
Modem WAN > Router 1 WAN
Router 1 LAN > Router 2 WAN
The router 1 and 2 are broadcasting different networks and SSID. Is there any setting that I need to change, or is this configuration perfectly safe? Both of them have DHCP enabled.
May 28, 2011
got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.
The only problem I have is the question of restricting complete internet access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one.
The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,
- 1 user with admin privileges (me)
- 1 limited account for the kid
- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)
I would like for the wifi PCI card to work only when I login to my user account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear that 1 of the accounts that the kid uses also has admin privilege).
I tried disabling the device from control panel but in vain (tried something like the sys admins do in corporates: disabling the USB ports on the PCs in my office)!
Nov 26, 2012
We installed a solution with 2 Cisco 2801, BGP multihomed failover.
1) The router which is currently getting all the traffic gets to 55% to 60% of CPU usage when handling 40 SIP/RTP streams. This equals 10Mbit up/10Mbit down and it showed around 5800 packets TX and around 5800 packets RX, with a majority of them CEF switched. As those figures are way less than the performance figures published by Cisco, we wonder if we made any mistake in setting up our router, or if we can do something to improve the router setup.
2) Does it have an impact on router performance if we increase/decrease RTP packet size, thus increasing or decreasing the pps relative to the consumed bandwidth?
3) If it is not possible to improve router configuration, we also wonder about possible replacement units for those routers. Would a 2901 do a good job? By how much would it raise the capacity? What other models would you recommend if we plan to raise the number of concurrent calls by a factor of 4 or even 8 times of what we have now (so up to 48000 pps and 80Mbit)?
Here is what we tried:
- ip route-cache same-interface does not seem to improve anything
- ip flow ingress on or off makes no difference
- disabling the inbound ACL on fa0/0 seems to reduce load by 10%, although I don't understand why - a very high percentage is CPU interrupts, and ACLs are process switched, or not?
- we tried following the Cisco guide for high CPU due to high interrupts, with no success
Here are some usage statistics:
The graphs that we plot via SNMP show a proportional growth/increase of CPU and bandwidth (and thus pps). At the highest loads, we had a bit more than 55% CPU utilization with more than 50% interrupt CPU.
CPU utilization for five seconds: 36%/30%; one minute: 30%; five minutes: 30%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
127 13140 954 13773 2.00% 0.29% 0.07% 194 SSH Process
[Code].....
Feb 16, 2012
I have an ASA5505 and set up SSL VPN. My users can connect to the VPN but can't get access to any of the internal servers.
Sep 27, 2011
We have an ASA 5510 firewall and I have created a remote VPN user who connects to the internal network via VPN AnyConnect. After connecting, I want him to only access his internal PC via RDP and not access other internal websites or shared folders without connecting to the RDP; however, now he can access the internal website without connecting to RDP?
Feb 12, 2013
I need a way to block Mac OS X users connecting remotely to our corporate users over VPN. I know there is an option to block connections based on VPN client version, but can't find a way to block users based on operating system.
We use Cisco ASA 5510 firewalls, one with v8.2(1) and the other with v7.2(3). I need to do this on both firewalls. They are both at different sites.
Nov 19, 2012
I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
The Core LAN router is 1.2.3.1.
!
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0
Feb 9, 2012
The goal is to add a 2801 router between a DSL modem and a switch and obviously still access the internet. I connected and configured as explained below and the results are:
- I am able to ping internet addresses from the 2801 router
- I am not able to ping internet addresses from userlaptop but I am able to ping LAN gateway (192.168.254.254)
I cannot understand why the internet requests from the user laptop are not routed to the internet but the router itself can access the internet.
INTERNET====DSLmodem=====CISCO2801=====unmanagedSwitch=====userlaptop
DSLmodem:
non-bridged mode and does the PPPoE authentication.
WAN interface: Dynamic IP address assigned by ISP
[Code].....
Nov 7, 2012
Since we upgraded our ASA from 8.3 to 8.4(4), VPN users cannot access resources. This worked fine until the appliances were upgraded. We get the message:
[code]....
Dec 9, 2011
I configured one ASA 5510 firewall with CSC-SSM-10 in one of my customer locations.
Here I want to configure my firewall to send email alerts to a particular mail ID if anybody accesses my network from outside (like VPN users).
Apr 12, 2011
We have a high availability pair of ASA 5510s in a Data Centre where we have configured remote access to allow users to log in via SSL VPN. Now we want to add further security to our environment, so we are adding endpoint assessment licenses... the question I have is: would I need two sets of the license ASA-ADV-END-SEC?
I learned the hard way before with ASA SSL VPN licenses breaking another failover pair as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?
Jan 10, 2012
restricting access to internet for roughly 20 users. Right now we are connected using broadband and using DHCP as assigned by a common switch. All PCs are in a common workgroup. Recommend me the hardware / software required to restrict this access.
1. Will I require a router as well as a switch? Or should I simply get a new switch (for more than 20 users)? This would mean static IP for all users.
2. My idea is to create an AD server and use Websense on it so that users who require internet access can still open internet sites but will be restricted through the Websense proxy.
Aug 12, 2011
Can I print as I am joined to a domain?
Jul 23, 2012
I configured a dynamic VPN (Easy VPN) in a Cisco ISR. But the VPN clients cannot access any of the LAN devices. VPN pool is 10.0.0.1 - 10.0.0.20 & internal network address is 172.17.x.x. I tried to disable zone based firewall but no result. [CODE]
Feb 28, 2013
I have configured and tested an ASA-5505 that will be deployed at a customer's home. The ISP cable modem will connect to the E0 (outside) interface of the ASA. All other interfaces on the ASA are configured for the inside network 192.168.5.0/24. I have created a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/24 subnet access to the internal networks on the UC540.
The user has requested that all the network devices used by the rest of the family will only need to connect to the Internet. They will not need access to the VPN tunnel and they will not need access to the computers on the 192.168.5.0/24 inside network. I was planning on performing the following tasks to get this to work.
Dec 16, 2012
Pix 515e 6.3.4. A web server on our DMZ is exposed for external access. There is an "A" record (webserver.yyy) on a public DNS for this public IP. This works fine for external users. url.. Now I have been asked to allow our LAN users to access the same link and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means when our internal users access that link, the request goes out of the OUTSIDE interface with a NAT overloaded address (111.111.111.2) that is in the same subnet as the URL is trying to resolve. Once it knows the IP address thru DNS resolution, it tries to come back in thru the same interface (OUTSIDE) to hit the web server in the DMZ and is not able to.
1- Where is the request from an internal user to hit url dropped?
2- What can be done to allow this type of connectivity in the PIX 515e device?
Jan 21, 2013
I'm currently undergoing CCNA academy so I got a "job" from my boss to configure a Cisco 871 router. Unfortunately we just finished first semester at academy so there are some things that I'm still having a hard time understanding. I managed to configure the router so it connects to the internet, or to be exact it has internet access through another ADSL modem that is in bridge mode. url... The problem is that users are not able to use the internet when connected to this router. I'm able to access the router through telnet (IP 192.168.13.10) but that's it. 192.168.13.0 255.255.255.128 is the network that we use at work. 192.168.13.5 is the IP address that is assigned to the Zyxel ADSL modem (if I'm correct, we could have used any address here since we are connecting this directly to the router?). The Zyxel ADSL modem is connected to the FA4 port on the Cisco router. A LAN cable is connected to the FA0 port and from there it goes to a switch (it's some Asus switch with 50 ports). [code]
If I ping google dns from router e.g. ping 8.8.8.8 it works. If I ping url... it doesn't work. Also I'm able to access router via 192.168.13.10 but if I use router as default gateway then I'm not able to access the internet.
Dec 29, 2010
I want to control management access to a Symbol Wireless Switch WS6000 with my ACS. The issue is that I can't find the Vendor Specific Attributes for Symbol devices. I wonder if there's a way to control it with IETF or other Radius attributes.
Sep 14, 2011
I configured IPsec remote VPN at a Catalyst 6500.
192.168.14.0/24-- my servers are assigned this subnet
vpn user:10.10.10.0/24
192.168.10.229 ---- webserver ip address
[code]...
Apr 15, 2012
I'm trying to allow 2 users to access a 2955 switch.
-admin privilege 15
-eousers privilege 2
When they both log in they just get to the user exec mode, how can I get them to go to their respective modes? [code]