ACE to bypass IPSec traffic

HI All,
We are getting ready to do a POC with ACE, hurray!
One problem though. The customer (who is a service provider) is going to load balance traffic to a web proxy, but wants to keep IPSec VPN traffic from being load balanced to the proxies.
I think we can do this if the clients are using IPSec tunnel mode, but it seems there would be a problem identifying the traffic if the clients are using IPSec transport mode or transparent tunneling. Any idea how I can prevent all of the VPN traffic from going to the proxies?
Thanks

If you only load balance traffic with destination port 80 or port 8080 then there is no problem.
I don't think IPsec would use those ports.
Gilles.

Similar Messages

  • ACE Module and IPSEC

    Hi,
    Can I load balance IPSEC to a couple of routers via the ACE module?
    Sven

    Yes, the ACE module supports IPsec.
    You need stickiness based on src IP to guarantee that the ISAKMP traffic goes to the same router as the IPsec traffic.
    Gilles.

  • CSS Bypassing farm traffic based on matching HTTP header

    Hi,
    I am trying to find out whether the CSS is able to bypass specific traffic.
    I have an existing content rule to match all HTTP and send it to a farm. However, there are some HTTP flows I don't want to go to the farm; I just want the CSS to route them onward to the destination. These specific HTTP packets are differentiated by the Host field in the header. What config is needed to allow these Host-annotated packets to bypass the serverfarm?
    Thanks
    Alan

    Hi Gilles,
    Thanks for your response. The only thing you may have misread is that I need to select on the Host header field, as the URLs may not have a host part in them, i.e. raw HTTP, not proxied. I guess then I need a header match rule linked to the new content rule, instead of the URL filter you mentioned.
    BR
    Alan

  • Allow IPSEC traffic thru 871?

    I am using Cisco 871s with the Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass through the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
    How can I allow IPSEC traffic to pass through the 871?

    If you are initiating VPN client connectivity from behind the 871 to the outside you need to allow through the IPsec ports UDP 500, UDP 4500 and protocol 50 (ESP). I don't know Nortel's VPN client but I'm sure they follow the IPsec security standards.
    Try this on your 871 router:
    access-list 101 permit udp any any eq 500 log
    access-list 101 permit udp any any eq 4500 log
    access-list 101 permit esp any any log
    Apply ACL 101 to your outbound interface:
    ip access-group 101 in
    HTH
    Jorge
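The two threads above (bypassing VPN traffic on the ACE, and the port list for the 871) rest on the same observation: IKE runs on UDP/500, NAT-T on UDP/4500, and ESP and AH are IP protocols 50 and 51, none of which overlap with TCP 80/8080. The same headers are present in tunnel and transport mode, so transport-mode traffic is just as recognisable as tunnel-mode traffic. The classifier below is an added example, not code from either thread; the `Flow` type, the `classify` function and the sample flows are constructed for the demonstration.

```python
"""Added example: decide per flow whether traffic is IPsec (bypass the proxy
load balancer), proxy-eligible web traffic (load balance) or anything else
(plain routing).  Not from the original thread; sample flows are constructed."""
from dataclasses import dataclass

# IANA protocol numbers and ports used by IPsec.  They are identical in tunnel
# and transport mode, which is why transport mode needs no special handling.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
PROXY_PORTS = {80, 8080}          # only these destination ports go to the proxies


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int = 0   # 0 for protocols without ports (ESP/AH)
    dport: int = 0


def is_ipsec(flow: Flow) -> bool:
    """True for IKE, NAT-T, ESP or AH, regardless of IPsec mode."""
    if flow.proto in (PROTO_ESP, PROTO_AH):
        return True
    if flow.proto == PROTO_UDP and (
            flow.dport in (IKE_PORT, NAT_T_PORT)
            or flow.sport in (IKE_PORT, NAT_T_PORT)):
        return True
    return False


def classify(flow: Flow) -> str:
    """'bypass' for VPN traffic, 'loadbalance' for web traffic the proxies
    should see, 'route' for everything else."""
    if is_ipsec(flow):
        return "bypass"
    if flow.proto == PROTO_TCP and flow.dport in PROXY_PORTS:
        return "loadbalance"
    return "route"


def classify_all(flows):
    """Map every flow to its verdict (dict keeps input order)."""
    return {f: classify(f) for f in flows}


# Constructed sample: a web session, an IKE exchange, NAT-T encapsulated ESP,
# raw ESP (transport mode looks identical at this layer) and a DNS query.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.80", PROTO_TCP, 51234, 80),
    Flow("192.0.2.11", "203.0.113.5", PROTO_UDP, 500, 500),
    Flow("192.0.2.12", "203.0.113.5", PROTO_UDP, 4500, 4500),
    Flow("192.0.2.13", "203.0.113.6", PROTO_ESP),
    Flow("192.0.2.14", "198.51.100.53", PROTO_UDP, 40000, 53),
]

if __name__ == "__main__":
    for flow, verdict in classify_all(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst} proto={flow.proto} dport={flow.dport}: {verdict}")
```

The check on the source port as well as the destination port matters for IKE and NAT-T, since both peers use 500/4500 as source and destination; a rule that only looks at the destination port would still catch them, but the symmetric check also keeps the reply direction out of the load balancer on a device that sees both directions.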

  • ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

    Hello!
    We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.)
    All branch offices are connected to the central ASA through IPsec.
    The main aim is to control access from branch offices only on the central firewall, NOT on each IPsec tunnel.
    According to the scheme:
    172.16.1.0/24 is one of the branch office LANs
    10.1.1.0/24 and 10.2.2.0/24 are central office LANs
    The crypto ACL looks like: permit ip 172.16.1.0/24 10.0.0.0/8
    The aim is to restrict access from 172.16.1.0/24 to 10.1.1.0/24.
    When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is OK - they are dropped by acl2.
    When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is the stateful firewall - traffic bypasses all access lists on the back path.
    I thought that the TCP State Bypass feature could solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
    The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
    access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    class-map tcp_bypass_map
    description "TCP traffic that bypasses stateful firewall"
    match access-list tcp_bypass_acl
    policy-map tcp_bypass_policy
    class tcp_bypass_map
    set connection advanced-options tcp-state-bypass
    service-policy tcp_bypass_policy interface outside
    service-policy tcp_bypass_policy interface inside
    Does anyone know how to make TCP State Bypass work properly?

    I understand the pain of creating different crypto ACLs for different tunnels but I never came across a better solution. However TCP state bypass is not going to help in regard to restricting access. TCP state bypass is a way for the FW to act like a router which does not do stateful inspection, and I don't think that fits your scenario.
    You can still control access on the central site by using vpn-filters.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Ajay

  • Cisco Ace asymetric routing - DNS traffic

    Hi,
    I am wondering if the ACE supports asymmetric routing.
    In my setup the ACE is connected to a router with two transit L3 interfaces. The interfaces on the router side belong to different VRFs (e.g. VRF-A & VRF-B). The router is running MPLS in order to connect to the internet border gateway router and then to the internet.
    Now the issue is that the ACE got its default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on the ACE) is advertised on the router in VRF-B.
    So the outbound traffic (DNS query) from servers to the internet takes the default route with the next hop of the router's interface in VRF-A, and inbound traffic (DNS response) comes back via MPLS using VRF-B. That is because the server's subnet is only advertised in VRF-B, so the remote internet border gateway will see the server's subnet with the route-target applied to it in VRF-B.
    When I enabled reverse-path forwarding on the transit interface I could clearly see in the ACE logs that the DNS response was getting dropped on the ACE. I have even removed reverse-path forwarding (nothing in the logs, but the DNS response from the internet still can't reach the servers). I think logically it's still asymmetrical routing from the ACE's point of view but I'm not sure.
    Please can anyone confirm the solution to this issue. I am thinking that if I advertise the server's subnet in VRF-A as well then it will be symmetrical routing, but I'm not 100% sure if it will fix it.
    So just wondering if there are any other options advisable?
    Thanks

    Is it not possible to have a host route added to the destination server? This would allow the traffic to be routed back the same way it came and thus the connection would work.
    Try adding a static route onto the destination server along the lines of ...
    route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
    This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
    That's just what I would do but I understand that it may not be the option you want.
    Good luck

  • ACE and selection of traffic based on ACL

    Hi Folks,
    I have noticed on the ACE it is possible to select traffic to hit a chosen farm based on an ACL. On further looking into the ACE ACL, I was not able to determine whether the ACL can match the IP DSCP value, like you can on the IOS side.
    Can someone please confirm if it's possible to have an ACE ACL matching a specific DSCP value in the packet.
    Best Regards
    Alan

    Alan,
    unfortunately this is not possible.
    Gilles.

  • ACE - bridged mode - blocking Traffic

    Hi
    Just a short question. Does an ACE block traffic from a source if the MAC address of that source is not in the ARP/MAC table? No security feature is enabled. The sniffer shows that the packet is not going through. Other traffic works fine. So no problem with the incoming ACL or something else. Any reason for that?
    Cheers
    patrick

    Patrick,
    Indeed, if the src MAC is not in the ARP table, we can't set up a flow entry for that traffic and it is dropped.
    We should first learn the MAC address from ARP traffic.
    Also check the following command to see if that helps:
    switch/Admin(config-if)# arp inspection validate src-mac ?
      flood     Enable the flood option
      no-flood  Enable the no flood option
      <cr>      Carriage return.
    Gilles.

  • F5-asm and ace forward and reverse traffic

    Hi all,
    In our datacentre setup, we have an F5 ASM and a Cisco ACE for load balancing,
    in which the F5 is configured with a self IP and, below the self IP, the node IP, which is in turn the
    virtual IP for the ACE T2 context.
    The incoming traffic on the F5 is like:
    Publicip:xx --> f5.selfip:80 --> Ace virtualip:yy
    For the ACE the request handling is as below:
    Ace.virtualip:yy --> Rserver:xx
    But here the issue is that the reverse HTTP response flow is somewhat not analogous:
    rserver:xx --> f5.selfip:80 & back to the Public IP
    My query is why the reply back from the rserver is not given back to the ACE virtual IP, but to the
    self IP of the F5.

    Good morning,
    You need to configure your routing in a way that the return traffic goes through the ACE. If you don't, you may end up in the situation you are seeing.
    Daniel

  • ACE Normalization for SMTP Traffic

    Hi,
    I was facing an issue with the ACE normalization that was stopping my SMTP traffic. When I disabled it globally my SMTP traffic worked fine. But due to the audit I cannot disable it for all the traffic. I want to disable the normalization only for the SMTP port 25 traffic.
    I am trying to create the L4 policy as mentioned below but am unable to set the parameter required to disable the normalization.
    class-map match-any SMTP_CLASS
    match port tcp eq 25
    parameter-map type connection TCP_SMTP_MAP
    no random-sequence-number
    exceed-mss allow
    policy-map multi-match TCP_SMTP_POLICY
    What else do I need to call in the parameter-map in order to disable the normalization for SMTP traffic?
    Please help.

    Hi,
    I have attached the capture when normalization was enabled (not working) and the capture when normalization was disabled.
    Please review and let me know how to achieve this by fine tuning the parameters.
    We are seeing a lot of TCP retransmission errors etc.
    I have done some research and normalization deals with the parameters mentioned below:
    exceed-mss              Configure behavior if a packet exceeds MSS
    random-seq-num-disable  Disable TCP sequence number randomization
    reserved-bits           Configure Reserved bits in TCP header
    syn-data                Configure behavior for a SYN packet containing data
    tcp-options             Configure TCP header options
    urgent-flag             Allow/Clear Urgent flag

  • Security zone for IPSec traffic

    Hi.
    Suppose I have a classic static IPSec with a remote site like this:
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set TS
     match address crypto_acl
    ip access-list extended crypto_acl
     permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    interface Fas0/0
     ip address <some internet address>
     crypto map CRYPTOMAP
    !
    interface Fas0/1
     ip address 10.1.0.1 255.255.0.0
    !
    ip route 10.2.0.0 255.255.0.0 <ISP address>
    Now I want to establish a zone-based firewall.
    I create zones:
    zone security INET
    zone security REMOTE_SITE
    zone security LAN
    !
    zone-pair blah-blah...
    !
    interface Fas0/0
     zone-member INET
    !
    interface Fas0/1
     zone-member LAN
    How do I put traffic passing through the IPSec tunnel into zone REMOTE_SITE???
    Note: this is NOT ASA, this is IOS.
    Note2: the remote site is not Cisco and I cannot create a Tunnel interface.

    Hello Utair,
    You need only 2 interfaces:
    the one that connects to the internal devices, and
    the one that connects to the outside (where the crypto map is usually applied).
    Just match the traffic from the internal interface to the outside interface and apply the right action.
    Same thing for the traffic that will be generated in the other site towards the Local Area Network.
    Do you follow me?
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

  • ACE not passing the traffic to the server.

    Hi Experts,
    Could you please help me on this issue:-
    The users are not able to access the Palm application passing through the ACE module. The clients get to the Citrix server and from there it goes to the Palm application. Now both external and internal users are not able to access the Palm application.
    Troubleshooting done:
    1) Connecting to the Palm server while excluding the ACE works.
    2) Servers are reachable from the ACE module.
    3) It was working fine before, but not now. No changes have been made on the ACE but still the issue.
    4) Checked the Palm context and that seems to be okay. But still not able to get through.
    Any help would be great.
    Thanks
    Sum.

    Sniffer trace in front of the ACE and on the backend.
    Capture a failure.
    Before and after the connection failure also get the output of the following command:
    'show service-policy detail'
    See if you have connection hits.
    Gilles.

  • Bypassing specific traffic on Guest SSID

    Hey guys,
    I have a guest access setup with WiSM and Anchor controllers in the DMZ for internet access. The L2 security policy is based on WPA2+PSK with Layer 3 web authentication. Would it be possible to let unauthenticated users connect to some web sites, say Cisco.com (that is, without being authenticated by the WLC)?
    Thanks in advance,
    Jay

    Sure, that is what the preauthentication ACL is for. Just create an ACL on the WLC and under the WLAN select that ACL as the preauth ACL on the Layer 3 security tab. Anything that is permitted by the ACL will be allowed to pass through the controller regardless of whether the client has authenticated yet or not.

  • Get report on ingress and egress ipsec traffic size per session

    Hi,
    I am looking for advice on how to best get the ingress and egress byte counts per VPN session. I have a NetFlow appliance which gives me aggregated data, but I am looking for the best way to get byte size in and out per session. I am using VPN on a Cisco IOS router (2811).
    Thanks.
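One way to get per-session in/out byte counts from flow export data, as an added example that is not part of the original post: take the raw (non-aggregated) flow records, keep only the IPsec ones (ESP/AH or NAT-T on UDP/4500), and sum bytes per remote peer, deciding direction by whether the router's own WAN address is the source or the destination. The record layout, the `ROUTER_WAN` address and the sample records are constructed assumptions, not a real collector's schema; note that counts taken on the outer ESP packets include ESP header and padding overhead, not just the cleartext payload.

```python
"""Added example: per-peer ingress/egress byte totals for IPsec sessions from
NetFlow-style records.  Not from the original thread; the record format and
the sample data are constructed for the demonstration."""
from collections import defaultdict

ROUTER_WAN = "203.0.113.1"   # assumed local tunnel endpoint (WAN address)
IPSEC_PROTOS = {50, 51}      # ESP, AH
PROTO_UDP, NAT_T_PORT = 17, 4500

# Constructed records: (src, dst, proto, sport, dport, bytes).  Two peers, each
# with both directions, plus one HTTPS flow that must be ignored.
RECORDS = [
    ("198.51.100.20", ROUTER_WAN, 50, 0, 0, 12000),
    (ROUTER_WAN, "198.51.100.20", 50, 0, 0, 34000),
    ("198.51.100.21", ROUTER_WAN, PROTO_UDP, 4500, 4500, 800),
    (ROUTER_WAN, "198.51.100.21", PROTO_UDP, 4500, 4500, 2200),
    ("198.51.100.20", ROUTER_WAN, 50, 0, 0, 3000),        # second export interval
    ("198.51.100.22", ROUTER_WAN, 6, 40000, 443, 5000),   # not IPsec, ignored
]


def is_ipsec_record(rec):
    """True for ESP/AH or NAT-T encapsulated flows."""
    _src, _dst, proto, sport, dport, _nbytes = rec
    return proto in IPSEC_PROTOS or (proto == PROTO_UDP and NAT_T_PORT in (sport, dport))


def per_session_bytes(records, local=ROUTER_WAN):
    """Return {peer: {"ingress": bytes_in, "egress": bytes_out}}, where
    ingress means received by the local router from the peer.  Records that
    are not IPsec, or that do not involve the local address, are skipped."""
    totals = defaultdict(lambda: {"ingress": 0, "egress": 0})
    for rec in records:
        if not is_ipsec_record(rec):
            continue
        src, dst, _proto, _sport, _dport, nbytes = rec
        if dst == local:
            totals[src]["ingress"] += nbytes
        elif src == local:
            totals[dst]["egress"] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for peer, counts in sorted(per_session_bytes(RECORDS).items()):
        print(f"{peer}: in={counts['ingress']} out={counts['egress']} bytes")
```

If several tunnels terminate on the same peer address (for example several ESP SPIs), keying on the SPI from the exported record instead of the peer address separates them; the summing logic stays the same.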


  • ACE real server rate limiting

    Hi,
    If the ACE is configured to rate limit the traffic to a given real server to a certain bandwidth, what happens to the traffic that exceeds the specified limit? Does the ACE drop this traffic in all cases as the documentation says? Or can we configure the ACE to bypass this traffic, either without any load balancing or to a backup server?
    Thanks and regards

    That sounds good. When there is excess traffic, all the new connections would be sent to the serverfarm representing the DG. Now when the traffic level of the cache due to the existing connections decreases below acceptable levels, the ACE will again bring it into rotation.
    Cool. One question though: what happens if there are two caching servers, and we want to implement the same for both the servers? I'm thinking the net effect would be similar. But would there be any caveats?
