Direction of ACL traffic flow

Hi Everyone,
Need to confirm the log below:
%ASA-6-106100: access-list Test_access_in denied tcp Test/172.24.x.x(443) -> Test/172.16.x.x(53310) hit-cnt 1 first hit [0x55b05541, 0x7c3c1e84]
Does this mean that traffic from interface Test on port 443 to interface Test1 of the ASA is denied, as there is no ACL to allow traffic from 172.24 to 172.16?
Or is it the other way around?
Regards
Mahesh

Hi Jouni,
I found this in the ASA syslog message PDF:
Error Message %ASA-4-106100: access-list acl_ID {permitted | denied | est-allowed}
protocol interface_name/source_address(source_port) (idfw_user, sg_info)
interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number
({first hit | number-second interval}) hash codes
So as per this, the source is interface Test1, going to destination interface Test. The reason it was denied is due to an asymmetric route.
Also from the Cisco site:
For example, if an ACK packet is received on the ASA (for which no TCP connection exists in the connection table), the ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
So due to the above reason, the packet was dropped.
Best regards
Mahesh
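The thread turns on reading the two halves of message 106100 in the right order: the left-hand endpoint is the interface the packet arrived on plus the packet's own source, the right-hand endpoint is where it was going. The parser below is an added example, not code from the thread or from Cisco; it follows the field layout quoted above, and the `looks_like_stateless_reply` heuristic (service source port, ephemeral destination port) is an assumption added to flag the denied-reply pattern Mahesh describes.

```python
import re
from typing import Optional

# Field layout of message 106100 as quoted from the ASA syslog reference in this thread:
#   %ASA-<sev>-106100: access-list <acl> {permitted|denied|est-allowed} <protocol>
#     <interface>/<source_address>(<source_port>) [(idfw_user, sg_info)]
#     [->] <interface>/<dest_address>(<dest_port>) [(idfw_user, sg_info)]
#     hit-cnt <n> {first hit | <n>-second interval} [<hash>, <hash>]
# The left-hand endpoint is the packet as it arrived (ingress interface and the packet's
# own source address); the right-hand endpoint is where the packet was headed.
_RE_106100 = re.compile(
    r"^%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<in_if>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\)(?:\s?\([^)]*\))?"
    r"(?: ->)? "
    r"(?P<out_if>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\)(?:\s?\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]\s*$"
)

# Constructed sample input: the first line is the one posted in the thread (addresses
# obfuscated by the poster); the second is made up to exercise the optional identity field.
SAMPLE_LOGS = [
    "%ASA-6-106100: access-list Test_access_in denied tcp Test/172.24.x.x(443) -> "
    "Test/172.16.x.x(53310) hit-cnt 1 first hit [0x55b05541, 0x7c3c1e84]",
    "%ASA-6-106100: access-list inside_access_in permitted tcp "
    "inside/192.0.2.10(51022) (LOCAL\\alice, 0:0) -> outside/198.51.100.5(443) "
    "hit-cnt 12 300-second interval [0x12345678, 0x9abcdef0]",
]


def parse_106100(line: str) -> Optional[dict]:
    """Split a 106100 line into its fields; None if the line is not a 106100 message."""
    m = _RE_106100.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def describe(rec: dict) -> str:
    """State the direction in plain words: ingress interface and packet source first."""
    return (
        f"packet received on interface {rec['in_if']} from {rec['src']}:{rec['sport']}, "
        f"destined to {rec['dst']}:{rec['dport']} via interface {rec['out_if']}, "
        f"was {rec['action']} by access-list {rec['acl']}"
    )


def looks_like_stateless_reply(rec: dict) -> bool:
    """Heuristic (assumption, not from the thread): a TCP packet whose source port is a
    well-known service port and whose destination port is ephemeral is usually the
    server-to-client half of a session. If the ASA is evaluating such a packet against
    the ACL at all, it has no connection entry for the flow: the asymmetric routing case
    from the thread, or a late ACK for a connection that no longer exists."""
    return rec["proto"].lower() == "tcp" and rec["sport"] < 1024 and rec["dport"] >= 1024


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_106100(line)
        print(describe(rec))
        if rec["action"] == "denied" and looks_like_stateless_reply(rec):
            print("  -> denied reply packet: check for asymmetric routing / missing conn entry")
```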

Similar Messages

  • Cisco asa traffic flow

    Hi,
Can somebody give the packet/traffic flow paths from a higher security interface to a lower one & vice versa?
    For eg: session > acl > xlate > etc...
    Are these checking different in both of the above scenarios ?

    Hi Felipe,
But I do find a difference while reading the URL below.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
I would like to know how the traffic flows from outside to inside and from inside to outside.
Hope you got it...
    regards
    rajesh

  • How do I direct all internet traffic I on my firefox portable browser I use at school, through to my computer at home, so I can use my modem as a proxy?

    My school has a web filter that prevents me from accessing any website I want to at school, and I want to get past it.
    I know, from experience, that I can use a program called Ultrasurf to get around this, though it requires me to use IE, and is inconvenient.
    I want to know if it's possible to configure the proxy settings on Firefox (and some on my modem/router, and/or computer at home), in order to direct all my traffic through my router at home, similarly to how one would use a proxy.
    If so, how is this possible?
    (I'm relatively experienced with computers, but have very little programming, and other complex knowledge of the workings of these things)
    At home, my computer is running 64 bit Windows 7, has 4 GB of RAM, a 2.1GHz Intel Core 2 Duo processor, and can be turned on and online 24/7, such that if necessary, it can direct traffic sent to it.
    My router/modem at home is (I believe) a Westell 327W, I can get more information by looking at it later if necessary.
    At school, as of last year (and probably the same this year), the computers run Windows XP, and I am able to run programs installed on a flash drive on them, though cannot actually install programs on the computers themselves.
    I'll be using whatever the latest (not beta) version of Firefox Portable exists when I return to school in a week.

  • ASA 5505, how to configure DMZ to Inside traffic flows

    Dear.
    We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
    We really need all these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurred when doing this.
I want to allow only one single port to have access from the DMZ to the inside; is that possible? And how?
    Thanks for the feedback.
    Regards.
    Peter.

What I mean with "can't be disabled": when you navigate to Configuration/Interfaces and select the DMZ interface / Advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license is 3 max.
    So, my question is: can I create a rule somewhere to overwrite this setting for only one specific port? And how?
    Result of the command: "show version"
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"
    router up 100 days 1 hour
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0    : address is a44c.11bb.5492, irq 11
    1: Ext: Ethernet0/0         : address is a44c.11bb.548a, irq 255
    2: Ext: Ethernet0/1         : address is a44c.11bb.548b, irq 255
    3: Ext: Ethernet0/2         : address is a44c.11bb.548c, irq 255
    4: Ext: Ethernet0/3         : address is a44c.11bb.548d, irq 255
    5: Ext: Ethernet0/4         : address is a44c.11bb.548e, irq 255
    6: Ext: Ethernet0/5         : address is a44c.11bb.548f, irq 255
    7: Ext: Ethernet0/6         : address is a44c.11bb.5490, irq 255
    8: Ext: Ethernet0/7         : address is a44c.11bb.5491, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 50       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    Serial Number: xxxxxxxxxxxxxx
    Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Configuration register is 0x1
    Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013

  • Trying to understand traffic Flow in a LWAPP wireless configuration.

I'm trying to understand at a high level how wireless traffic flows in the new LWAPP configuration. Based on what I can tell, all wireless traffic must flow through the controllers prior to getting onto the LAN.
So let's say I have a LWAPP Access Point off an access switch in a remote closet and my controller is off my core switches. I want to communicate from my wireless PC to a wired PC on this same access switch. The traffic flows from the AP down to the core switch, through the Controller and back up to the access switch to the wired PC.
    Is that correct?
    If this is true my main concern is supporting APs from a central controller across a low speed WAN. Looks like I would not want to do that...

    You're right in your assumption. Data traffic travels from the client to the AP. The AP then encapsulates this data using LWAPP and forwards it to the Controller. The WLC then de-encapsulates (?) it, processes the traffic as necessary and then drops it onto the wired LAN.
    So, in your scenario, the wireless client would send data to the AP. This would be encapsulated between the AP and the controller and then sent back again unencapsulated to the wired client.
    Regarding using this system over a low speed WAN, there are two ways of doing this.
    The first is to use a local WLC at the remote site (e.g. a WLC2006 or the new WLC network module for 2800/3800 ISR routers).
    The second is to use AP1030s which are 'Remote Edge Access Points'. These aren't quite as lightweight as the rest of the 1000 Series in that they will bridge local traffic and only encapsulate traffic heading 'off site'. They will also continue to operate if connection back to the WLC is lost (the first WLAN configured on the WLC remains up on the REAP whilst connection to the WLC is lost).
    I believe that the recommendation for these is a minimum of 2Mbps WAN connection.

  • Dual wan failover config: failback does not always work as expected for existing LAN traffic flows

    I have an 881 router configured with 2 dhcp WAN connections.  I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
    I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection.  When the first connection is restored it should restore the route and everything should pass through the first connection again.  This works for all my tests except one.  If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds.  After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back).  If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic.  A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired).  It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route.  This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect.  My suspicion is that the second route gets "preferred" because the first is removed by the SLA, and when the SLA returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic).  The issue here is that it takes a length of time for the now bad route to get flushed, which is greater than I want to have.
    config (edited):
    interface FastEthernet3
     description Backup ISP
     switchport access vlan 800
     no ip address
    interface FastEthernet4
     description Primary ISP
     ip dhcp client route track 100
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn EZVPN-to-1941
    interface Vlan800
     description Backup ISP
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
    track 100 list boolean or
     object 101
     object 102
    track 101 ip sla 10 reachability
    track 102 ip sla 20 reachability
    ip sla 10
     icmp-echo 4.2.2.2 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla 20
     icmp-echo 208.67.222.222 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 20 life forever start-time now
    ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
    ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
    ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
    ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
    ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    Observation: the last 2 routes appear in the order shown above.  Even though the vlan800 route has a higher administrative cost it is in front of the FA4 route, could this be contributing to the issue?  Is there a way to ensure the FA4 route is always listed before vlan800 at all times?

  • Traffic flowing through Fw

    Hi Everyone,
    We have SVI vlan on layer 3 core switch A.
    this switch has connection to ASA  and also to another B Layer 3 switch.
    B Layer 3 switch connects to Layer 2 switch which has this vlan.
    Need to understand the traffic flow from a user PC to Switch A.
    Switch B has a default route, which is static, to the FW for the subnet of the VLAN.
    Now traffic goes from the layer 2 switch to core Switch B, which then has a static route for that VLAN with the ASA as next hop.
    Now traffic comes to the ASA, and from there it goes to core Switch B, which has the SVI VLAN in it.
    Also Core Switch A and B have a trunk connection which carries that VLAN.
    Need to know if return traffic from core Switch A comes via the ASA or via Switch B?
    How can I check this?
    Thanks
    Mahesh

    Hello Mahesh,
    Not sure if I understood the topology, but anyway, the way to test this would be creating captures on the interface where you think the ASA should receive the traffic. If you do not see the packets there, well, that would lead us to the returning traffic going to Switch B.

  • ACE - Inter-context traffic flow.

    Experts,
    Could you please guide me on the traffic flow mentioned below?
    Connection flow:
    client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
    [Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8]  <= {User Context test2}
    There are two contexts, test1 & test2, on the same ACE box residing in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.
    context test 1
    rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
      webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
      inservice
    rserver host SITMA21
      ip address 10.106.24.133
      probe PING
      inservice
    rserver host SITMA22
      ip address 10.106.24.138
      probe PING
      inservice
    serverfarm host L17SVWOASIS03_FARM
      description oasis-sso-stg2 server farm
      failaction purge
      probe TCP-80
      rserver SITMA21 80
        inservice
      rserver SITMA22 80
    serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
      rserver OASIS-SSO-STG2_OOS_REDIRECT
        inservice
    sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
      serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
      timeout 10
      replicate sticky
    Need to know when the redirection will take place here. I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down, then the redirect server comes into the picture, as per the configs attached.
    If that is the case then
    rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
      webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
      inservice
    The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In this case, how do I send this request to the VIP, since both are in different VLANs? Should it be done with PBR (policy based routing) via the CAT6k? Could anyone please share the configs?
    Or can this be done with a default route to the VIP on the contexts?

    Configs
    =====
    CSS - Context 1
    ============
    probe tcp qaahmapp1-ssl-475_PROBE
      port 475
      interval 5
      passdetect interval 5
      connection term forced
    rserver host HS_PROD.sanovia_447-ssl-a
      ip address 10.99.0.13
      inservice
    rserver host HS_PROD.sanovia_447-ssl-b
      ip address 10.99.0.14
      inservice
    serverfarm host sanovia.qaahm.ssl
      probe qaahmapp1-ssl-475_PROBE
      rserver HS_PROD.sanovia_447-ssl-a 475
        conn-limit max 4000000 min 4000000
        inservice
      rserver HS_PROD.sanovia_447-ssl-b 475
        conn-limit max 4000000 min 4000000
        inservice
    parameter-map type http cisco_avs_parametermap
      case-insensitive
      persistence-rebalance
      parsing non-strict
    action-list type optimization http cisco_avs_bandwidth_and_latency
      delta
      flashforward
    action-list type optimization http cisco_avs_img_latency
      flashforward-object
    action-list type optimization http cisco_avs_obj_latency
      flashforward-object
    class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
      2 match http url .*
    class-map type http loadbalance match-any cisco_avs_img_latency
      2 match http url .*jpg
      3 match http url .*jpeg
      4 match http url .*jpe
      5 match http url .*png
    class-map type http loadbalance match-any cisco_avs_obj_latency
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
    class-map match-all sanovia.qaahm.ssl_CLASS
      2 match virtual-address 10.99.1.76 tcp eq https
    policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
      class class-default
        serverfarm sanovia.qaahm.ssl
        insert-http x-forward header-value "%is"
    policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
      class cisco_avs_obj_latency
        action cisco_avs_obj_latency
      class cisco_avs_img_latency
        action cisco_avs_img_latency
      class cisco_avs_bandwidth_and_latency
        action cisco_avs_bandwidth_and_latency
    policy-map multi-match POLICY
      class sanovia.qaahm.ssl_CLASS
        loadbalance vip inservice
        loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
        optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
        loadbalance vip icmp-reply active
        nat dynamic 2 vlan 20
        appl-parameter http advanced-options cisco_avs_parametermap
    interface vlan 20
      ip address 10.99.1.240 255.255.255.0
      alias 10.99.1.241 255.255.255.0
      nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
      nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.99.1.1
    ========================================================================================
    SCA - Context 2
    ============
    crypto chaingroup GoDaddy
      cert cisco-sample-cert
    probe tcp AHM_QA-PROBE
      port 8080
      interval 5
      passdetect interval 5
      connection term forced
    rserver host AHM_QA
      ip address 10.99.1.76
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host AHM_QA
      rserver AHM_QA 8080
        conn-limit max 4000000 min 4000000
        probe AHM_QA-PROBE
        inservice
    parameter-map type ssl sanovia-ssl-parms
      description This is where you tweak your SSL parms, cert, etc.
      cipher RSA_WITH_RC4_128_MD5 priority 4
      cipher RSA_WITH_RC4_128_SHA priority 5
      cipher RSA_WITH_DES_CBC_SHA priority 3
      cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
      cipher RSA_WITH_AES_128_CBC_SHA priority 7
      cipher RSA_WITH_AES_256_CBC_SHA priority 8
    ssl-proxy service sanovia-ssl-proxy
      key cisco-sample-key
      cert cisco-sample-cert
      chaingroup GoDaddy
      ssl advanced-options sanovia-ssl-parms
    class-map match-any AHM_QA-CLASS
      2 match virtual-address 10.99.0.13 tcp eq 475
      3 match virtual-address 10.99.0.14 tcp eq 475
    policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
      class class-default
        serverfarm AHM_QA
    policy-map multi-match POLICY
      class AHM_QA-CLASS
        loadbalance vip inservice
        loadbalance policy AHM_QA-CLASS-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 10
        ssl-proxy server sanovia-ssl-proxy
    interface vlan 10
      ip address 10.99.0.17 255.255.255.0
      peer ip address 10.99.0.11 255.255.255.0
      nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
      service-policy input POLICY
      no shutdown
      ip route 0.0.0.0 0.0.0.0 10.99.0.1
    ========================================================================================
    CSS - Context 1 ( another VIP)
    =======================
    rserver host qaahmapp1-8080
      ip address 10.99.1.217
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host sanovia.qaahm.postssl
      rserver qaahmapp1-8080 8080
        conn-limit max 4000000 min 4000000
        inservice
    parameter-map type http HTTP_PARAMETER_MAP
      persistence-rebalance
    sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
      cookie insert
      serverfarm sanovia.qaahm.postssl
      timeout 45
      replicate sticky
    class-map match-all sanovia.qaahm.postssl_CLASS
      2 match virtual-address 10.99.1.76 tcp eq 8080
    policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
      class class-default
        sticky-serverfarm qanovia.qaahm.postssl-STICKY
    policy-map multi-match POLICY
      class sanovia.qaahm.postssl_CLASS
        loadbalance vip inservice
        loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 2 vlan 20
        appl-parameter http advanced-options HTTP_PARAMETER_MAP
    interface vlan 20
      ip address 10.99.1.240 255.255.255.0
      alias 10.99.1.241 255.255.255.0
      nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
      nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
      no shutdown
    =============================================================================
    I have configured two VLANs in the CAT6k, i.e. vlan 10 & vlan 20, with the following IPs as mentioned in the routes of the ACE:
    10.99.0.1 & 10.99.1.1
    Also configured only the final rserver 10.99.1.217 under vlan 20. This made all the VIPs and rservers come up, but I still couldn't get the required page. There is a small confusion in the first context, as the VIP is shown as https but I don't see any cert and key in the customer config, so I made it http for my test. But the second context VIP is https, where I have added the certs and key as required.
    Let me know if I am missing anything here. Many thanks in advance.
    thanks
    Martin

  • Port Disable for traffic flowing only one direction

    Hi,
    We use some Catalyst Express 500 and ESW-520 in our company.
    But with the Catalyst Express 500 we have a problem that we can't manage to explain.
    Some Gi ports become disabled with this log error message:
    Description: Gi1: This port is disabled because the traffic is flowing only in one direction. The cause might be incorrect cabling.
    Recommendation: Make sure that cable is properly connected to the ports. For fiber connections, ensure that the transmit and receive fibers are connected correctly. Disable and Enable the port.
    Regarding the recommendation, the cable is right; we changed it and we changed the switch for another one, and the problem continues.
    If we change to an ESW-520 the problem doesn't occur, but we can't change all our old switches for the moment.
    Any idea about this problem?

    Hi Guys,
    Thank you all for your help. The packet was being dropped on the "implicit rule", that means that the packet was not finding an ACL to match.
    I checked the ACLs that the VPN Wizard generates by itself when used to configure an IPSec connection, and the ACLs were correct and "before" the implicit rule. (They are called by default outside_cryptomap_"number".)
    It seems that since I am not using "sysopt connection permit-vpn" I have to add the same ACLs to the "Local Network" interface (VPN_LAN).
    Since there were inbound ACLs related to the VPN_LAN interface, the firewall jumped directly to the "implicit rule".
    So the result is that I have the same rules twice: first inbound on the VPN_LAN and second on the default outside_cryptomap ACLs.
    Greetings,
    Daniel

  • ACL applied in inbound direction and another ACL exists in outbound direction - will return traffic be allowed?

    interface gix/y
    ip address A.B.C.D 255.255.255.192
    ip access-group ACL-Inbound in
    ip access-group ACL-Outbound out
    exit
    In ACL-Inbound I have allowed SMTP traffic from 6 source addresses to 4 destination servers. One sample entry among the 24 ACL entries is given below.
    permit tcp host E.F.G.H host I.J.K.L eq 25
    I haven't applied any specific rule for SMTP traffic in the outbound direction. My understanding is that the destinations will be able to reply to the request. Does that need to be specified in the ACL?

    As Fahad has already noted, if you're going to use both an in and out ACL, you'll need to account for the traffic allowed in both directions.  Normally, the in and out ACEs are just mirror entries, so for your example of:
    in
    permit tcp host E.F.G.H host I.J.K.L eq 25
    out would be:
    permit tcp host I.J.K.L eq 25 host E.F.G.H
    Fahad also mentioned using a Reflexive ACL.  These will generate a stateful mirror ACE for the reverse traffic.  The reverse ACE will stay active for a short duration after seeing traffic that creates it, and then it will time out and remove itself.  Normally you would only use one on a trusted side of the device for generated flows.  When used with a trusted side, the ACEs are often made more generic; for example, any inside to outside HTTP flow will allow an ACE for the return traffic.
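The mirroring rule the answer gives (swap source and destination, each keeping its own port qualifier) is mechanical enough to script for all 24 entries. The helper below is an added example, not code from the thread; it handles `host`, `any` and address/wildcard endpoints with `eq`/`gt`/`lt`/`neq`/`range` port specs for tcp and udp, which goes beyond the single line in the post. The sample ACL is constructed. Note that a static mirror like this is stateless: the outbound entry admits any packet from port 25 of the server toward the client, which is the gap a reflexive ACL closes.

```python
from typing import List, Tuple

# IOS extended-ACE port operators and how many tokens follow each one.
_PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


def _take_endpoint(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume one endpoint (address spec plus optional port spec) starting at token i.
    Returns (endpoint_tokens, index_of_next_token)."""
    if i >= len(tokens):
        raise ValueError("missing address specification")
    if tokens[i] == "any":
        end = i + 1
    else:
        end = i + 2                      # 'host A.B.C.D' or 'A.B.C.D wildcard-mask'
    if end > len(tokens):
        raise ValueError("truncated address specification")
    if end < len(tokens) and tokens[end] in _PORT_OPS:
        end += 1 + _PORT_OPS[tokens[end]]
        if end > len(tokens):
            raise ValueError("truncated port specification")
    return tokens[i:end], end


def mirror_ace(ace: str) -> str:
    """Build the outbound ACE that matches the return traffic of an inbound extended ACE:
    swap source and destination, each carrying its own port qualifier. Trailing keywords
    such as 'log' are kept unchanged. Only tcp/udp are handled, since port mirroring is
    meaningless for other protocols."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {ace!r}")
    action, proto = tokens[0], tokens[1]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"only tcp/udp entries are mirrored, got {proto!r}")
    src, i = _take_endpoint(tokens, 2)
    dst, i = _take_endpoint(tokens, i)
    trailing = tokens[i:]
    return " ".join([action, proto, *dst, *src, *trailing])


def mirror_acl(aces: List[str]) -> List[str]:
    """Mirror a whole list of ACEs, skipping blank lines and 'remark' entries."""
    out = []
    for line in aces:
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        out.append(mirror_ace(line))
    return out


# Constructed sample: the thread's SMTP entry plus two other endpoint/port shapes.
INBOUND_ACL = [
    "remark SMTP from relays to the mail servers",
    "permit tcp host E.F.G.H host I.J.K.L eq 25",
    "permit tcp 10.10.0.0 0.0.255.255 any eq 443",
    "permit udp host 10.10.5.3 eq 53 host 10.20.1.9 range 1024 65535 log",
]

if __name__ == "__main__":
    for ace in mirror_acl(INBOUND_ACL):
        print(ace)
```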

  • Cisco asa traffic flow with destination nat

    Hi Folks,
                       Can anybody comment on the below.
    1. In source NATting (inside users accessing the internet), first the NAT happens, then the routing. I agree with this.
    2. In destination NATting (outside users accessing an inside server on a public IP), what happens first, NATting or routing? I am looking forward to hearing an explanation.
    regards
    Rajesh

    The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
    The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
    That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
    The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
    The short answer:
    The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
         If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
         If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
    The longer answer:
    For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
    Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
         Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
    Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
         Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped IP address or range, and is forwarded to an inside interface)?
       -or-
         Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
         If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
    Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
    Now let's refer to the specific example you outlined in your post; you said:
    route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
    route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
    nat (LAN,ISP-1) after-auto source dynamic any interface
    nat (LAN,ISP-2) after-auto source dynamic any interface
    Now let's say that there is a connection coming from behind the LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before the L3 Route Lookup?
    The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
    It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
    It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
    Message was edited by: Jay Johnston
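    To make the two divert checks concrete, here is a small Python model of the decision Jay describes. It is an added example, not Cisco's code and not the poster's configuration beyond the two `route` and two `nat` lines quoted above, which it reproduces as data. Everything else is assumed so that each branch can be exercised: a connected LAN subnet, a static `nat (LAN,ISP-1) source static` rule whose mapped address is 203.0.113.80 (check A), and a NAT-exempt rule toward an assumed WAN interface with `destination static` plus a floating static route on WAN (check B). NAT table order is list order; the routing table picks the longest prefix and breaks ties on the lowest distance.

```python
"""Model of the ASA egress-interface decision: NAT divert check (Step 2, checks A
and B) consulted before the global routing table.  Added example; the two 'route'
and two 'nat' lines from the post are reproduced as data, everything else is assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: Net
    next_hop: str
    distance: int                    # trailing number on the 'route' line (1 / 254)


@dataclass(frozen=True)
class NatRule:                       # nat (real_ifc,mapped_ifc) source ... [destination ...]
    real_ifc: str
    mapped_ifc: str
    real_src: Net
    mapped_src: Optional[Net]        # None = 'interface' PAT: no fixed mapped range
    real_dst: Optional[Net] = None   # set only when 'destination static' is configured
    mapped_dst: Optional[Net] = None


def route_lookup(routes, dst, iface=None) -> Optional[Route]:
    """Longest prefix wins, ties broken by lowest distance.  iface restricts the
    lookup to one interface: the interface-specific lookup done after a divert."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst in r.prefix and (iface is None or r.iface == iface)]
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.distance)) if cands else None


def _xlate(addr, from_net: Net, to_net: Net) -> ipaddress.IPv4Address:
    """Static 1:1 mapping by offset inside the two ranges."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def nat_divert(rules, ingress: str, dst) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """Walk the NAT table in order.  Returns (interface the packet is pulled to,
    destination after translation) for the first matching rule, else None."""
    dst = ipaddress.ip_address(dst)
    for r in rules:
        # Check A: arrived on the mapped interface, destined to a mapped address
        if ingress == r.mapped_ifc and r.mapped_src is not None and dst in r.mapped_src:
            return r.real_ifc, _xlate(dst, r.mapped_src, r.real_src)
        # Check B: arrived on the real interface of a rule that explicitly
        # translates the destination (e.g. NAT exemption with 'destination static')
        if ingress == r.real_ifc and r.real_dst is not None and dst in r.real_dst:
            return r.mapped_ifc, _xlate(dst, r.real_dst, r.mapped_dst)
        # Source-only dynamic rules (the ignore=yes divert entries) match neither check
    return None


def select_egress(routes, rules, ingress: str, dst) -> Tuple[Optional[str], Optional[str], str]:
    """(egress interface, next hop, which mechanism decided it)."""
    diverted = nat_divert(rules, ingress, dst)
    if diverted:
        ifc, real_dst = diverted
        r = route_lookup(routes, real_dst, iface=ifc)
        return ifc, (r.next_hop if r else None), "nat-divert"
    r = route_lookup(routes, dst)
    return (r.iface, r.next_hop, "routing-table") if r else (None, None, "no-route")


ROUTES = [
    Route("ISP-1", net("0.0.0.0/0"), "1.1.1.1", 1),                 # from the post
    Route("ISP-2", net("0.0.0.0/0"), "2.2.2.1", 254),               # from the post
    Route("LAN", net("10.10.10.0/24"), "directly connected", 0),    # assumed connected subnet
    Route("ISP-1", net("172.16.0.0/16"), "1.1.1.1", 1),             # assumed: global table prefers ISP-1
    Route("WAN", net("172.16.0.0/16"), "192.168.100.2", 5),         # assumed floating static on WAN
]
RULES = [   # NAT table order == configuration order
    NatRule("LAN", "WAN", net("10.10.10.0/24"), net("10.10.10.0/24"),       # assumed NAT exempt
            real_dst=net("172.16.0.0/16"), mapped_dst=net("172.16.0.0/16")),
    NatRule("LAN", "ISP-1", net("10.10.10.80/32"), net("203.0.113.80/32")),  # assumed static NAT
    NatRule("LAN", "ISP-1", net("0.0.0.0/0"), None),   # nat (LAN,ISP-1) after-auto source dynamic any interface
    NatRule("LAN", "ISP-2", net("0.0.0.0/0"), None),   # nat (LAN,ISP-2) after-auto source dynamic any interface
]

if __name__ == "__main__":
    for ingress, dst in (("LAN", "8.8.8.8"), ("ISP-1", "203.0.113.80"), ("LAN", "172.16.5.5")):
        print(ingress, "->", dst, select_egress(ROUTES, RULES, ingress, dst))
```

    The three calls in the main block reproduce the three cases in the text: 10.10.10.10 to 8.8.8.8 from LAN matches neither check and leaves via ISP-1 purely on the routing table; a packet arriving on ISP-1 for 203.0.113.80 is pulled to LAN by check A and the next hop comes from a LAN-only lookup on the un-translated address; a LAN packet for 172.16.5.5 is pulled to WAN by check B even though `route_lookup()` on the global table alone would have chosen ISP-1.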

  • Which direction should ACL be applied

    Hello there,
    I'm adding ACLs to lock down the LAN environment and my core is a 4510+R.  I want to block port 80, 443 and 8080 from coming INTO the network.  My security guy tells me users use port 80, 443 and 8080 to get out and web services use other ports to come back  in.   I want to use an extended access-list the likes of:
    ip access-list extended NO_HTTP
    deny tcp any any eq 80
    deny tcp any any eq 443
    deny tcp any any eq 8080
    permit ip any any
    My confusion is:  which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible.  With an SVI, that seems like a grey area?
    Any kind of clarification on this would be most helpful and appreciative.
    Thanks very much in advance,
    Kiley

    I think that from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, i.e. when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.
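    Both the in/out mirror question earlier on this page (the SMTP ACE pair) and the SVI direction question just above come down to the same two mechanics: what the return-direction mirror of an ACE looks like, and which packets an ACL applied in or out on an SVI is ever consulted for. The Python model below is an added example, not code from any poster or from Cisco. It parses IOS-style extended ACEs (numeric ports plus a tiny assumed name table, contiguous wildcard masks only), produces the mirror ACE, and evaluates the NO_HTTP list against three constructed packets with the VLAN subnet assumed to be 10.1.1.0/24: a user's outbound web request, the server's reply, and an outside connection to port 80 on a LAN host.

```python
"""Extended ACE model: parse IOS-style entries, mirror them for the return
direction, and evaluate an ACL as applied 'in' or 'out' on an SVI.
Added example; not from the original posts."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

Net = ipaddress.IPv4Network
PortSpec = Optional[Tuple]                            # None, ("eq", n) or ("range", lo, hi)
NAMED_PORTS = {"smtp": 25, "www": 80, "domain": 53}   # small assumed subset of IOS port names


@dataclass(frozen=True)
class Ace:
    action: str          # permit / deny
    proto: str           # ip / tcp / udp / icmp
    src: Net
    sport: PortSpec
    dst: Net
    dport: PortSpec


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


def _take_addr(t: list) -> Net:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' (contiguous wildcards only)."""
    w = t.pop(0)
    if w == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if w == "host":
        return ipaddress.ip_network(t.pop(0) + "/32")
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{w}/{netmask}", strict=False)


def _take_port(t: list) -> PortSpec:
    if t and t[0] == "eq":
        t.pop(0)
        return ("eq", _port(t.pop(0)))
    if t and t[0] == "range":
        t.pop(0)
        return ("range", _port(t.pop(0)), _port(t.pop(0)))
    return None


def parse_ace(line: str) -> Ace:
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = _take_addr(t), _take_port(t)
    dst, dport = _take_addr(t), _take_port(t)
    return Ace(action, proto, src, sport, dst, dport)


def _addr_str(n: Net) -> str:
    if n.prefixlen == 0:
        return "any"
    return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.hostmask}"


def _port_str(p: PortSpec) -> str:
    return "" if p is None else " " + " ".join(str(x) for x in p)


def render(a: Ace) -> str:
    return f"{a.action} {a.proto} {_addr_str(a.src)}{_port_str(a.sport)} {_addr_str(a.dst)}{_port_str(a.dport)}"


def mirror(a: Ace) -> Ace:
    """Return-direction ACE: swap source and destination addresses and ports."""
    return Ace(a.action, a.proto, a.dst, a.dport, a.src, a.sport)


def _port_ok(p: PortSpec, port: int) -> bool:
    if p is None:
        return True
    return port == p[1] if p[0] == "eq" else p[1] <= port <= p[2]


def matches(a: Ace, pkt: Packet) -> bool:
    if a.proto != "ip" and a.proto != pkt.proto:
        return False
    return (ipaddress.ip_address(pkt.src) in a.src and _port_ok(a.sport, pkt.sport)
            and ipaddress.ip_address(pkt.dst) in a.dst and _port_ok(a.dport, pkt.dport))


def evaluate(acl, pkt: Packet) -> str:
    """First match wins; every ACL ends with an implicit deny."""
    return next((a.action for a in acl if matches(a, pkt)), "deny")


def svi_result(acl, direction: str, vlan: Net, pkt: Packet) -> str:
    """'in' on an SVI sees packets arriving from hosts in the VLAN (source in vlan);
    'out' sees packets being routed toward the VLAN (destination in vlan).
    Returns the verdict, or 'not-evaluated' when that ACL is never consulted."""
    hit = ipaddress.ip_address(pkt.src if direction == "in" else pkt.dst) in vlan
    return evaluate(acl, pkt) if hit else "not-evaluated"


NO_HTTP = [parse_ace(l) for l in ("deny tcp any any eq 80", "deny tcp any any eq 443",
                                  "deny tcp any any eq 8080", "permit ip any any")]
LAN = ipaddress.ip_network("10.1.1.0/24")                              # assumed VLAN subnet
USER_REQUEST = Packet("tcp", "10.1.1.50", 51000, "203.0.113.7", 80)     # constructed: user browsing out
WEB_REPLY = Packet("tcp", "203.0.113.7", 80, "10.1.1.50", 51000)        # constructed: the reply
INBOUND_HTTP = Packet("tcp", "198.51.100.9", 40000, "10.1.1.80", 80)    # constructed: outside host reaching a LAN web server


def demo(direction: str) -> dict:
    return {name: svi_result(NO_HTTP, direction, LAN, p)
            for name, p in (("request", USER_REQUEST), ("reply", WEB_REPLY), ("inbound", INBOUND_HTTP))}


if __name__ == "__main__":
    print(render(mirror(parse_ace("permit tcp host 192.0.2.10 host 198.51.100.25 eq 25"))))
    print("out:", demo("out"))
    print("in: ", demo("in"))
```

    Applied `out`, the user's request is never evaluated (it enters the SVI rather than leaving it), the reply is permitted because its destination port is the client's ephemeral port rather than 80, and the outside connection to the LAN web server is denied. Applied `in`, the same list denies the user's own request and never sees the inbound connection, which is the opposite of what Kiley wants. The mirror line printed first is the `out` counterpart of the SMTP ACE from the earlier thread, with the `eq 25` moved to the source side.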

  • Cisco Pix Syslog - details of traffic flow

    Hi
    We are logging to a syslog server on level informational. I see a byte count logged with each connection and I'm trying to understand what it means.
    Is it the sum of in+out traffic for the connection? Or is it only one direction? Is there a way to determine bytes counts for both directions (like netflow)?
    We are using version 6.3, but are in a position to upgrade if that will help meet our above requirements.
    Thanks

    Go through the Cisco PIX Firewall System Log Messages, Version 6.3 document. It will clear your doubts.
    http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/63syslog.html

  • Configure Wireshark on 3850 to capture bi-directional Wireless Client Traffic

    I'm trying to configure Wireshark to capture bi-directional client traffic of a single wireless client only. The IP address is 10.10.10.14 on VLAN 1.  Since I can't apply filters to the CAPWAP interface, I chose VLAN 1, with the following base commands.
    monitor capture MCAP interface VLAN1 both
    monitor capture MCAP file location usbflash:mcap.pcap buffer-size 1
    monitor capture MCAP limit duration 120
    If I configure "monitor capture MCAP match ipv4 any any"  I get too much information.   If I use "monitor capture MCAP match ipv4 host 10.10.10.14 any" I get packets transmitted by 10.10.10.14, but not the responses.
    Is there a way to accomplish this, or do I need to use Wireshark to filter unwanted packets?   If this were a busy AP, this could result in a very large capture file.   Thanks for the help.
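    The post-capture route the poster mentions can be done without Wireshark at all. The pure-Python filter below is an added example (not from the thread, not Cisco code): it reads a classic pcap file, keeps only the frames in which the chosen host is the IPv4 source or destination, and reports how many went each way. It assumes the capture is classic microsecond pcap with Ethernet frames and untagged IPv4 (the `ipv4_endpoints()` function is the one place to adjust for other link types or 802.1Q tags); the four-frame sample capture is constructed in the block itself. If the platform's EPC accepts an ACL as the capture filter (`monitor capture MCAP access-list NAME`, where NAME permits `ip host 10.10.10.14 any` and `ip any host 10.10.10.14`), the same selection can be made before anything is written to flash.

```python
"""Post-capture 'either direction' host filter for classic pcap files, pure Python.
Added example; assumes LINKTYPE_ETHERNET frames with untagged IPv4."""
import struct
import ipaddress

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # microsecond pcap, either byte order
LINKTYPE_ETHERNET = 1


def build_ipv4_frame(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4 frame used only to construct test data (checksum left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def write_pcap(frames) -> bytes:
    """Serialise frames as a little-endian classic pcap file (24-byte global header,
    16-byte record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) per record, honouring the file's byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng / nanosecond pcap unsupported)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame: bytes):
    """(src, dst) for an Ethernet/IPv4 frame, or None for anything else (ARP, IPv6, VLAN-tagged)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))


def filter_host(pcap: bytes, host: str) -> list:
    """Keep records where host is the source OR the destination, i.e. both directions
    of that host's conversations (what a single 'match ipv4 host X any' does not give)."""
    return [f for _, _, f in read_pcap(pcap) if (ep := ipv4_endpoints(f)) and host in ep]


def direction_counts(pcap: bytes, host: str) -> tuple:
    """(frames sent by host, frames received by host)."""
    sent = recv = 0
    for _, _, f in read_pcap(pcap):
        ep = ipv4_endpoints(f)
        if not ep:
            continue
        sent += int(ep[0] == host)
        recv += int(ep[1] == host)
    return sent, recv


# Constructed sample capture: the client, a web server answering it, an unrelated host, an ARP frame.
SAMPLE_PCAP = write_pcap([
    build_ipv4_frame("10.10.10.14", "203.0.113.7", payload=b"GET / HTTP/1.1\r\n"),
    build_ipv4_frame("203.0.113.7", "10.10.10.14", payload=b"HTTP/1.1 200 OK\r\n"),
    build_ipv4_frame("10.10.10.20", "10.10.10.1"),
    bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06" + bytes(28),
])

if __name__ == "__main__":
    kept = filter_host(SAMPLE_PCAP, "10.10.10.14")
    print(len(kept), "frames kept; (sent, received) =", direction_counts(SAMPLE_PCAP, "10.10.10.14"))
    # Real use: write_pcap(filter_host(open("mcap.pcap", "rb").read(), "10.10.10.14"))
```

    On the sample, the host filter keeps the request and the reply and drops the other two records; `write_pcap()` on the kept frames gives a file that Wireshark opens as a normal capture. Because the whole file is parsed in one pass, a large capture from a busy AP still only costs a single read.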


  • Can't get traffic flowing between VLANs on an ASA 5505

    I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
    So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
    From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
    I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
    When I try to ping there is no reply and the only log message is:
    6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
    I have attached a copy of the router config.

    Hi Bro
    I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
    Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
    nat (inside) 0 access-list from-inside
    nat (16jdc) 0 access-list from-16jdc
    nat (16jda) 0 access-list from-16jda
    clear xlate
    nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
    Basically, when inside wants to communicate with the other interfaces bearing security-level 100, e.g. 16jda or 16jdc, or vice-versa, you’ll need to enable “NAT Exemption”, i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enabled dynamic NAT on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below;
    https://supportforums.cisco.com/thread/223898
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530
         

Maybe you are looking for