Cisco WAN :: ASA 5520 - Routing Based On What Interface Traffic Comes
Mar 26, 2012
We have an ASA that has 3 IPSEC VPN tunnels and standard interenet trafic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The Traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3 which is connected to a Catalyst 3560 Switch or back out Int E0/0 though one of the VPN tunnels. I attached a PDF with a diagram if that works.
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.
this is my first time configuring a cisco router. For instance, a cisco router 1700 with 2 ethernet WICs and 1 LAN port. We have 2 ISPs one more stable than the other. We use an RDP session to an external host identified by lets say IP address 200.1.1.2 using ISP2 to get to this computer. We use ISP1 for all the internet usage, web pages, youtube etc. We are thinking of using this cisco router 1700 to make the packet filtering and routing of this RDP session to the correct ISP2 since we only have 1 NIC per computer on the LAN side.
The main idea would be:
| YES -----> ----------- then use ISP2 LAN---------> Are the packets RDP ? | No--------> ----------- then use ISP1
Does this can be achieved using packet filtering using extended ACLs and to be router from the lan interface to route rdp (port 3389) packets to ISP2 WAN interface?
I am building a new VPN Anyconnect solution. I want the traffic to enter a interface and that traffic should be forwarded to my "VPN-Machine".
The system is a ASA5520 with old software, I am not at work now so i cannot tell exactly.
So my question is, how do i make the traffic enter one interface and being forwarded to another? I have splitted the physical interface to several sub-interfaces.
I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet. When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
I get the following errors when I try to open google.com from a production server:Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed. We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall, download is around 90+ Mbps so that is acceptable. I have tested a laptop connected directly to the internet router and that give near on the 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up. I have check that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports. I also turned off the IPS and that made no difference. In addition I have checked the CPU during download/upload (max): CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520 Maximum firewall throughput (Mbps): 450 Mbps Maximum firewall connections: 280,000
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
I am looking for a config, as per the attached diagram, if the traffic comes from FE01 it should go via FE03 for the internet and when the traffic comes from FE02 it should go via FE04 for the internet.
I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution
Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
I have a Nexus 5500 which is the core of our network and we have access layer switches uplinked to it. I know by default the qos markings will be trusted.
1. On a trunk uplink from an access layer switch to the Nexus, I have "mls qos trust dscp". Will the DSCP marking be preserved when it reaches the Nexus?
2. How do I do prioritization of voice traffic on an uplink on Nexus based on DSCP EF?
I have ezVPN configured on an ASA 5520 for my server with 5505s as my clients at several remote sites. The tunnels come up no problem and I can hit everything I need to on both sides of the tunnel, but I'm not able to get to another remote network from a remote network. The traffic goes out the tunnel on the 5505 but on the 5520 all I see is a bunch of scrolling tear down messages.
I have two ethernet adaptors on my windows machine. OS is Win-XP.I am running ADSL broadband on LAN1 and on LAN2 I am accessing applications on our company's WAN. LAN1 is on 192.168.1.0/24 subnet and LAN2 is on 10.68.104.0/22 subnet.Accessing application through LAN2 involves DNS that is located distantly, therefore routers are also in picture.Problem is that while accessing the application that run on the network of LAN2, I have to disable LAN1. Otherwise the traffic goes on LAN1.
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
The top device of my network is cisco router 7609. There are two part subnet of my network, each part use same device type, same running-configs and same network topple: sw6506(to campus)--->sw3560(to buildings)<--->linksys sr324(to offices). IP addresses for manager vlan is 192.168.1.0/24.Suppose we name two part subnet as A and B. the problem is from 7609 I can telnet to every device of part A quickly, but when telnet to each sw3560 of part B,it responses very slowly. And only sw3560 of part B are response slowly, other devices of part B are ok.If I telnet to linksys sr324 first, then from linksys sr324 telnet to the current sw3560, it's ok.I try to capture packets of manage vlan, but there seems no strange things in it.No users of part B report problems, it seems the network is running well. Compare two sw6506s, the only diffirent thing is, there are "overrun" count at each interface in use of part B's sw6506. Each interface traffic is far less than it's capability, but it's "overun" count still increasing at working hours everyday.
Initially we had a rv110w in place and had problems with the port forwarding stopping a few times a day so we replaced with with a RV180W. Now port forwarding appears to be staying up, however I have a new problem. We host a web page, for some reason when an internal user points the url to the web page it resolves to the web interface of the Router and not the expected web page. If you are outside of the network it resolves to the correct web page. I am not sure why this is happening as it didn't happen with the RV110W or the PIX before that.
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
As above, I got a problem with C3750e, ios c3750e-universalk9-mz.122-58.SE1.bin, when send AF41 traffic passing through it. My topolygy is as following
WAN link <----------> G0/0/2.100 - ASR1002 - G0/0/5 <---------> G1/0/1 - C3750e - G1/0/3 <--------> G0/0/1 - ASR1004
On this C3750e, I turned on mls qos, trust dscp on both G1/0/1 and G1/0/3 and no else is configured. ASR1002 G0/0/2.100, i applied the CB shaping fror AF41 traffic.
C3750e#sh mls qos QoS is enabled QoS ip packet dscp rewrite is enabled C3750e#sh mls qos int g1/0/3 GigabitEthernet1/0/3 trust state: trust dscp
[code]....
Then, from ASR1004, i send ICMP traffic with TOS set to AF41 (136) and i found out that
1. The traffic is dropped on c3750e
sh mls qos int g1/0/3 statistics GigabitEthernet1/0/3 (All statistics are in packets) 30 - 34 : 63 63 48 86 1534
2. The traffic never get hit into AF41 class in ASR1002 ? Why C3750e dropped this AF41 traffic? and what can I do to fix it?
On a router I can use IP Accounting or Netflow to see what kind of traffic is moving over an interface. Are there any tools on a 3750 switch with a routed interface which would tell you who is hogging the bandwidth on that interface?
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X 2. VLAN 100 - ( SVI IP address 192.168.100.1 /24) 3. VLAN 200 - ( SVI IP address 192.168.200.1 /24) 4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100 Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic.The goal is I am trying to set the ASA port as an internet gateway for VLANs.
Currently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.
Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.
Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.
After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
how can i allow user to access a server with defined port only and not any other service/port access for the server.
A customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA). I found this excellent doc on the topic: {URL}. Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Setup:
Both Routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to a HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining nat rules on the ASA. e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.
My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from. Is there any other was to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP.
I have Site(s) Ani....i=1,..10 sites which communicate with site B to access a website/application. That's simple enough. However, the traffic is http well we primarily don't need https on ipsec tunnel right?. But since attacks related to eavesdropping of traffic come a real reality once it gets terminated by the ipsec device on both side.I have two options either to purchase a third-party ssl certificate to encrypt the traffic between two nodes or use a custom made one.I don't want to use a custom made one because this make the browser prompt an ugly untrusted certificate message; its ugly not from security perspective but for clients inconvenience and assuring users confidence in our systems is a critical issue for us. ?
a) How its possible to remove ugly certifcate message from user screen? Does the company need to register its certificate to some kind of CA body? or what ...
b) Due to some tcp acceleration issues, ssl traffic slows down the traffic between the nodes so we only require the encryption to stand just during the initial handshake when the username and password are being validated ; after that we want to revert back to http?
I have a 2911 router connected to two different ISP. Is it posible to route traffic based on what interface the traffic came first?Lets say I have the deault route to use interface gig0/0(ISP1), but a certain ip packet reach the router by interface gig0/1(ISP2). Is there any way (if possible without using source NAT) that I could route traffic back to that ip address using interface gig0/1. The source Ip addresses are not fixed, so I can not use Policy Based Routing.
I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.
Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.
How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
I have configured a vlan interface on a 3750 switch. there is aprox 4Mb active traffic flowing through the interface, but when I do a "show interface vlan (vlanid)" the output show zero bits in and zero bits out. Its a typical L3 config with one IP on the vllan interface acting as the gateway for the VLAN devices. Is this a normal behaviur ? and if so is there any way to get the traffic in/out stats. The end PC/devices are connected to this switch via an L2 TRUNK and I dont have access to the L2 switch on which the actual devices connect. so cant get the real time stats of those interfaces.
i'm going mad on following problem. I'm trying to get 2 networks seeing each other while one of the network is a non VLAN network and the other one is a VLAN network.They should use the same interface so i added VLAN e0/0.122 to the interface e0/0.Send a ping from my asa to both gw-IP's made me happy at first. In second in figured out that i cannot reach any client in the other network. For testing purpose i created an permit acl to any/any for both networks, but the packets still get dropped by the default implicit rule. (deny any/anyMaybe i'm to stupid for this
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I have a 5520 VPN that is otherwise correctly configured for access (so I would say). It is in test (external IP x.x.x.10/22) running parallel on an external switch to a Check Point (x.x.x.4/22) that is the live setup.
I can tunnel consistently to the outside interface on its external IP from inside the network, which is probably natural since I'm inside the network making the attempt; however...
When attempting connection from somewhere outside the network, I generally do not get response from the device. If I connect/disconnect from the Check Point VPN first, then I can subsequently get a connection to the ASA. I did actually have one instance of non-massaged connectivity to the ASA, but there was nothing that I did in the configs that would allow me to claim credit for that instance.
So here's the question: Is there a timeout setting that makes the outside interface go to sleep or something? I'm still at the developmental stage where settings that would be obvious trip me up for hours. I verified the routes. the timeout configs are below; I believe they are all default..
