How To Tunnel HTTP Traffic In VPN Based Connection
Mar 1, 2011
I have Site(s) Ani....i=1,..10 sites which communicate with site B to access a website/application. That's simple enough. However, the traffic is http well we primarily don't need https on ipsec tunnel right?. But since attacks related to eavesdropping of traffic come a real reality once it gets terminated by the ipsec device on both side.I have two options either to purchase a third-party ssl certificate to encrypt the traffic between two nodes or use a custom made one.I don't want to use a custom made one because this make the browser prompt an ugly untrusted certificate message; its ugly not from security perspective but for clients inconvenience and assuring users confidence in our systems is a critical issue for us. ?
a) How its possible to remove ugly certifcate message from user screen? Does the company need to register its certificate to some kind of CA body? or what ...
b) Due to some tcp acceleration issues, ssl traffic slows down the traffic between the nodes so we only require the encryption to stand just during the initial handshake when the username and password are being validated ; after that we want to revert back to http?
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto
I have recently purchased a E4200 i have flashed it with the latest Firmware 1.0.03 and Hard Reset the Router so the Media issue was resolved i was having. After upgrading the firmware to the latest version my Nortel VPN IPSEC Client no longer will work. The tunnel is connected and it passes traffic for about 15 seconds then nothing. The connection remains connected but no traffic passes cant ping across tunnel. I have checked all the settings and VPN - IPSEC - Passthru is enabled. I have put the client in DMZ mode and tried that same thing.
We are testing a Zone Based FW config since 1month, everything run smooth but we're having problem ( big slow speed access ) when a user try to reach a website on a non-standard port ( 8080 in that case ). All the trafic stay in our LAN, using a IPSEC/EZVPN connection between the 2 sites.As soon as I have disabled the Zone Based FW, the speed was much better.
I'm sure I'm missing a parameter to fix that problem but I tried many different options and I didn't find anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS.A port-map has been created to map the port 8080 to the HTTP protocol for the inspection.The PC will have an IP address in the 10.2.2.x/24 and will access a server on 10.2.3.x/24, both devices are part of the zone private in each site/LAN.All the access between sites are managed by an ASA; the IPSEC/EZVPN peer.Little summary, it's gonna be something like : SiteA with a PC on private zone then on public zone for the EZVPN to SiteB on public zone and then private zone to access the server in the LAN.
I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
I currently reside in a university which has firewall restrictions. I use a SSH tunnel to connect to the internet. I managed to get my wifi up and running on my mobile device using Connectify but the only the sites which are accesible through wifi are the ones that are accesible through the university firewall. Anyway i can extend the SSH proxy to the mobile device via the Laptop?
I have a customer I've built a webvpn tunnel for.Users on this tunnel need to have http access to a server at 10.1.1.12 and nothing else.That's fine, but in order for name resolution to work properly they need to be able to send DNS requests to 10.1.1.9.I'm working with two different access lists, my non access list (nat 0) and my split tunnel access list. I can't specify ports in the nat 0 access list, but I did try writing my split tunnel access list as follows:
When I do that users can access the 10.1.1.9 dns server, but they can hit it on anything (ping, 3389, etc.).I'm trying to figure out how I can limit them so they will only be able to pull dns but nothing else.They have the Any connect Essentials license, so unfortunately a clientless VPN is not an option. Is there some other access list I can interpose that will limit things the way I want?
I'm using a Cisco 2821 router to provide temporary Internet access for a private network of about 300 users for a conference at a hotel. The hotel has provided me a public IP address for the WAN side. On the LAN side I have a 10.x.x.x /8 subnet with the router providing DHCP and NATing (overload) across the WAN interface.
Users can pick up an IP address and access the web. Light web pages such as Google tend to load without issue, however if a user does something that takes more time, such as streaming a Youtube trailer or opening an RDP session, the connection will freeze.
It doesn't appear to be related to bandwidth availability. Pings return on average 10-15 ms. However, I will get a request time out about every 10th continual ping. Steaming video will load about 4-6 seconds worth of data, then will appear to freeze without dropping. Doing something like speedtest.net will send a large amount of data then will hang, without ever ending the conversation.
This doesn't happen when I plug a laptop directly into the hotel public Internet line. They also don't have issues with their network similar to this.
I do not have any ACLs, etc. loaded. The router is basically wide open as far as I can tell. I don't see the router resources getting used much at all.
i would like to use ISP2 for all http/https/ftp traffic.how could I force my ASA to set a different gateway for http/https/ftp traffic ?i have tried several solutions such as nat/pat rules, nothing seems to work.
Never seen a Cisco, or any other L3 switch before. Nor an Lx router. Any step by step,or class room or web based training, or a partner or Cisco helper to get us up to speed on this.Goal is to limit http and https traffic in favor of telnet to an AIX server and RDP to a Windows TS. Printing would be ahead of http/s and below the others.
Interstingly, the web site promises 9 videos, but there are only 8. The demo guide says about OoS: "Coming Soon".Where to go? Who(m) to call?
Foreach computer I need to go and configure the browser proxy settings and some people are getting smart and turn it to automatic configuration again.
So what i want to achieve is to have my DIR-655 to route all the HTTP/port 80 traffic to the proxy server. That way it is transparent and then it is not needed to configure each computers browser settings.
I am pretty new to this and the router configurations.
The proxy server works fine if i configure the browser manually.
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
On a Catalyst 6509 switch I have configured wccp protocol in order to redirect the Http traffic to a Bluecoat SG8100. It was working fine until a new L3 interface implementation.Thereafter I was unable to redirect the http traffic due to an error reported from the Cat6509: [code] After some checks I supposed that the problem should be the UDP 2048 port connection between the Switch and the Bluecoat while the switch L3 port and the bluecoat are on the same Lan. A deep analysis found that the WCCP protocol seems to be as follow:
-Proxy address 10.64.28.240 to Switch Port 10.64.28.250 Here I Am -Switch Port 10.64.28.250 to Proxy address 10.64.28.240 I See You -Switch Port 10.66.0.251 to Proxy address 10.64.28.240 UDP 2048 packet (dropped by firewall)
It's strange to me that the first dialog is correctly handled by the correct Cat6509 interface while the UDP packets are flowing from another Vlan interface not configured with the WCCP and apparently not involved on the protocol.Last of all the WCCP is now disabled and unusable?
Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.
I am trying to mark http packets from a web server with DSCP ef, but when I am doing a traffic capture all http packets have tos 0x0.I am able to mark UDP and ICMP packets originated from this server, but not any TCP traffic.The web server is in VLAN 20This is my config mls qos ip access-list extended MARK-HTTP-ACL permit tcp host 10.10.10.10 eq www. [code]
Right now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Steps in getting all http and https traffic from ASA go via my squid?
We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface. We have one internal HTTP server so that I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add new physical HTTP server 2 so that I would like to forward
HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.
I have an ASA 5505 that I am using to connect my contractors to via an inside interface, the outside interface is my private LAN. I have setup on our corporate Proxy server to allow traffic from my outside interface of my ASA to go to the internet without credentials BUT log internet activity. The question is I want to know if the ASA can send that http & https traffic to my proxy server and all other traffic to my default route? I want to be able to send all internet traffic to my proxy server. This will avoid me asking the contractors to place proxy credentials in their browsers.
I am trying to set up my router to grant http traffic a minimum bandwidth of - for example - 5,000 kBit (if there is any http traffic).
So I set http min. rate to 5,000 while I set nntp min. rate to 1 However, when I run nntp downloads on several connections (e.g. 10) my single http download never goes above 1,000 kBit. Without any other connections I reach 8,000 kBit.
We have an ASA that has 3 IPSEC VPN tunnels and standard interenet trafic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The Traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3 which is connected to a Catalyst 3560 Switch or back out Int E0/0 though one of the VPN tunnels. I attached a PDF with a diagram if that works.
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.
I am working on a task of redirecting any unmatched http traffic to Symantec public transparent proxy through Cisco ASA. For the definition of uncatched http traffic, we have inbound squid servers for deploying IE proxy pac and redirect the http traffic to Symantec public transpraent proxy, however we can't deploy IE proxy pac to mobile device and non-support web browers.Since we have some application using IE proxy setting for direct http communication with external domains, the current symantec policy addes those domains in the exception list so that they are not redirect to Symantec public transparent proxy server.
-For the platform - Cisco ASA 5510 ASA 8.4(4)1
-For the solution, I have the following two nat rules
this is my first time configuring a cisco router. For instance, a cisco router 1700 with 2 ethernet WICs and 1 LAN port. We have 2 ISPs one more stable than the other. We use an RDP session to an external host identified by lets say IP address 200.1.1.2 using ISP2 to get to this computer. We use ISP1 for all the internet usage, web pages, youtube etc. We are thinking of using this cisco router 1700 to make the packet filtering and routing of this RDP session to the correct ISP2 since we only have 1 NIC per computer on the LAN side.
The main idea would be:
| YES -----> ----------- then use ISP2 LAN---------> Are the packets RDP ? | No--------> ----------- then use ISP1
Does this can be achieved using packet filtering using extended ACLs and to be router from the lan interface to route rdp (port 3389) packets to ISP2 WAN interface?
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
I have a Nexus 5500 which is the core of our network and we have access layer switches uplinked to it. I know by default the qos markings will be trusted.
1. On a trunk uplink from an access layer switch to the Nexus, I have "mls qos trust dscp". Will the DSCP marking be preserved when it reaches the Nexus?
2. How do I do prioritization of voice traffic on an uplink on Nexus based on DSCP EF?
Currently I have users that connect with the Cisco VPN client to our PIX 515e. Our corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to only NAT traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing since they would see the source address as a local IP on our network.
I try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks. [code]
i have 2 routers, 2821 and 2811. they are connected via GRE over IPsec, and all of the traffic from 2821 is being routed to 2811 with a default route to its tunnel interface. 2821 needs to access internet through 2811 valid ip address, my question is that how should i nat the traffic on 2811 so that 2821 can access the internet?
