ACE 4710: Config Allows all traffic except large HTTP downloads

Similar Messages

• RV016 Router Allow All Traffic For Outside IP

  Hi,
  I need to configure the firewall to allow all traffice for an IP address of a sever. What steps in the router do i need to configure this? This is a cloud based voip server and we have IP phones and we need to add an IP address of the phone server to allow all traffic for that IP.
  thanks.

  Hi Jonathan,
  I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
  I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
  The Aastra VOIP phones continually loose their  registration wtih the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone, 3 or 4 minutes after you hang up,  and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
  We used to have an RV016 v2 router and VOIP traffic worked  OK,  with a similar Firewall Rule.  We replaced the v2 router  because its CPU crashed. 
  I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off.   We want to use the RV016 because it provides a larger number of ports for our LAN.
  Any suggestions ?
  Kirk

• Firewall Allow all traffic on lan

  Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

  dtich wrote:
  thx dean, yes, i had certainly looked at the log, which shows these entries:
  Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
  but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
  traceroute gives me:
  traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
  1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
  so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
  if i allow 169.254.x.x, i still get no joy.
  mean anything else to you?
  yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
  Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?

• RV042 Limit speed all traffic except 1 Public IP

  Hi Support team,
  I would like to do Bandwidth Management in RV042 router.
  I know that this router can limit speed by IPs and ports.
  Can I limit speed all traffics except some public IPs?
  Please see it in attached file.
  Thank you so much.

  Hi Thunthorn,
  I found an article that might help with your issue: Bandwidth Managment on RV016, RV042, RV042G, and RV082 VPN Routers.
  Hope this helps,
  Anjana

• Firewall blocks Airplay (even under 'allow all traffic')

  Hi every body,
  I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
  a) all airplay traffic and
  b) 'reading Airport confirguration' requests
  even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
  Any help would really be appreciated.
  Thanks a lot.
  Nonresidentalien
  P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

  Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
  There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
  First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65000          0          0 deny ipv6 from any to any
  65535          6        306 allow ipv6 from any to any
  As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
  reptilehouse:~ sascha$ sudo ip6fw delete 65000
  To confirm, show the rule table again and you should see 65000 is gone:
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65535          6        306 allow ipv6 from any to any
  Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
  What I don't know if whether this is sticky, e.g. survives a reboot.

• ACE 4710 how to direct traffic by source ip

  I would like to know in the simplest terms how to use the source ip of the request to direct traffic to 2 different server farms.
  One ip address source range to one server farm and all other ip address sources to another server farm.

  Good morning,
  It is possible to match the source IP of the client as a parameter for L7 class-map. See the link below for more details
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/classlb.html#wp1117372
  For your setup, you could just create two different class-maps (one for each source range) mapped to two different serverfarms.
  I hope this helps
  Daniel

• ACE 4710 config

  Hi,
  I'm new to ACE and trying to configure AAA for it.
  ACE's 4 eth interfaces are not showing up when I do "sh ip int b". please advise why?
  can we configure tacacs for ACE for whole user group instead of doing it per user?

  ===
  Does it show interface for the Admin user ? - no it doesnt.
  Does it show them if you do not have AAA configured ? - no it doesn't show, i dont' have aaa configured right now.
  What version do you have ? - I'm using "c4710ace-mz.A3_2_0.bin"
  ===
  what could be the issue? do we need to have license to get it show up in "sh ip int b"?

• Howto allow all inbound traffic on 678?

  I have a 501 behind a 678 (CBOS 2.4.6) The 678 does not allow inbound connection by default. How can I config the 678 to simply terminate the ADSL and allow all traffic both in and out, so that I can let the 501 do all the access control?

  Try:
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_book09186a008007ce34.html
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/prod_release_note09186a00800eac45.html

• Allow DNS Traffic

  Hi!
  We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
  Thanks.

  access-list 101 extended permit tcp net_lan sub net_wan sub eq 53
  access-list 101 extended permit udp net_lan sub net_wan sub eq 53
  access-list 101 extended deny any any
  interface Serial 0/0
   ip access-group 101 out
  N.B. That access-list is only for permit traffic for DNS protocol. All traffic except DNS will be deny  

• TCP SYNSEEN with load balancing Cisco ACE 4710

  I have a Cisco ACE 4710 load balancing the traffic to two proxy servers, the configuration is the same since December 2012,  but yesterday it stated to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way-handshake is not complete.
  If I bypass the ACE the hosts can browse without problems. 
  I have tested with another ACE appliance and the same configuration but the behaviour is the same.
  I need help as soon as possible,
  thanks,
  I've attached the Show conn, show conn detail and show run.

  Hi Cesar,
  Thank you for your answer,
  The issue was solved,
  We were running an A3 software version, it seems to have a Bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't noticed it.
  The ACE reloaded because an electrical failure so it losted the NAT config.
  We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
  Regards,

• [ACE 4710] accessing server on serverfarm

  hi,
  i have 2 servers in serverfarm.
  the real IP for this 2 server are 172.16.34.5 and 172.16.34.6
  the virtual IP is 172.16.33.1
  the ip for vlan on server side is 172.16.34.10. the gateway on the 2 servers is 172.16.34.10
  the network gateway for vlan 34 is 172.16.34.62
  my question is, how can we access the individual server inside the server farm if we are not from the same vlan as the server?

  Hi,
  you need to create a static route on your upstream router for the server VLAN with next-hop the ACE.
  In you case it will be something like this:
  ip route 172.16.34.0 255.255.255.0 "ACE IP address of VLAN34"
  In case you have fault tolerance configured, use the alias IP of the ACEs on VLAN34.
  Don't forget that your ACL on the ACE needs to allow this traffic.
  If you use permit any any it shouldn't be a problem.
  HTH,
  Dario

• Setting up additional load balancing on ACE 4710

  I recently deployed ACE 4710 to load balance traffic to a group of web servers. I would like to add additional server farm(s) with different applications on them to ACE 4710 for load balancing the traffic. How can I best achieve this goal? I currently use 3 interfaces out of 4 interfaces (Server Side interface, Client side interface, and Failover interface). Do I need to use my last interface to set up for the new VIP address for a new server farm? Is virtualized service a possible solution? Thank you in advance.

  You can configure trunking so that multiple vlans can exist.
  Also note that the vip ip address does not have to belong to a subnet.
  You could configure a static route on the upstream router pointing the traffic for the new vip to the interface ip address.
  Gilles.

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• ACE 4710: Possible to allow a user to clear counters but nothing else?

  Hello all,
  Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
  Thanks!

  Hello Brandon-
  Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats.  You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
  i.e.
  ACE# conif t
  ACE(config)# role MyRole
  ACE(config-role)# rule 1 permit modify feature ?
    AAA             AAA related commands
    access-list     ACL related commands
    connection      TCP/UDP related commands
    fault-tolerant  Fault tolerance related commands
    inspect         Appln inspection related commands
    interface       Interface related commands
    loadbalance     Loadbalancing policy and class commands
    pki             PKI related commands
    probe           Health probe related commands
    rserver         Real server related commands
    serverfarm      Serverfarm related commands
    ssl             SSL related commands
    sticky          Sticky related commands
    vip             Virtual server related commands
  You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
  Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
  Regards,
  Chris Higgins

• Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

  One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
  Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
  Traffic flow as follows
  ===============
  ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                               VIP
  Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
  Rserver 2   - 10.1.104.81c
  ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
  Configs:
  ======
  rserver host server1
    ip address 10.1.104.80
    inservice
  rserver host server2
    ip address 10.1.104.81
    inservice
  serverfarm host SFARM
    failaction purge
    probe ICMP
    rserver server1
      inservice
    rserver server2
      inservice
  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600
  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM
    timeout 180
    replicate sticky
  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120
  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM
  policy-map multi-match POL-LB
  class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
  class SERVERNAT
     nat dynamic 1 vlan 244
  int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
    mac-sticky enable
    no icmp-guard
  no shut
  interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
    mac-sticky enable
    no icmp-guard
  no shut

  I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
  portmap disable in ACE 4710
  Disabling Port Mapping
  By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
  For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,