Force http traffic to specific interface
Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
I set up the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
no aaa new-model
resource policy
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 199.104.124.210 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-LAN$
 ip address 192.168.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip policy route-map toDSL
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface Serial0/2/0
 ip address 204.228.133.46 255.255.255.252
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip route-cache flow
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
 match ip address 111
 set ip next-hop 192.168.2.1
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end
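A policy-based routing configuration that steers web traffic toward the DSL link, added here as an illustration and not taken from the post above. IOS evaluates `ip policy route-map` on packets arriving at the interface it is configured under, so this version attaches the route-map to the LAN-facing FastEthernet0/0 and widens the ACL to cover HTTPS and FTP control connections. It assumes the addressing from the post (LAN behind FastEthernet0/0, DSL device at 192.168.2.1, T1 default route left in place) and that the DSL device is willing to forward traffic from the LAN addresses.

```cisco
! Added example (not the poster's config). Addressing assumed from the post:
! LAN behind FastEthernet0/0, DSL device 192.168.2.1 off FastEthernet0/1,
! T1 on Serial0/2/0 carrying the default route.

! Extended ACL selecting only the protocols that should leave via DSL.
! Packets that match are policy-routed; everything else falls through to
! the normal routing table, i.e. the default route via the T1.
! IOS ACLs have no "https" keyword, so port 443 is given numerically.
! Passive-mode FTP data channels use ephemeral ports and will not match.
ip access-list extended WEB-TO-DSL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 deny   ip any any

! Route-map: matching packets get the DSL device as next hop.
! Packets not matched by any permit clause are routed normally.
route-map toDSL permit 10
 match ip address WEB-TO-DSL
 set ip next-hop 192.168.2.1

! Policy routing is applied to the interface that RECEIVES the packets,
! so it belongs on the LAN-facing interface, not on the DSL interface.
interface FastEthernet0/0
 ip policy route-map toDSL

! Remove the policy from the DSL-facing interface, where it only sees
! traffic arriving from the DSL side.
interface FastEthernet0/1
 no ip policy route-map toDSL
```

`show route-map toDSL` reports a "Policy routing matches" counter that should increase while a LAN host browses, and `show ip interface FastEthernet0/0` should show policy routing enabled with that route-map.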
Similar Messages
-
Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work - is it not possible to use the <Client security="false"> in this manner?
-
WSA blocking HTTPS traffic -allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate to use TLSv1, then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
Cheers
Hi axa,
This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
-
How to add a route for a specific interface
Hi,
I want to make a direct link between 2 computers (Ubuntu and Solaris) with a crossover cable.
Solaris: e1000g0 (192.168.0.212 = normal network)
e1000g1 (172.18.0.2 = network for interconnection between Ubuntu and Solaris)
routing table:
Destination Gateway Flags Ref Use Interface
default 192.168.0.245 UG 1 7040 e1000g0
192.168.0.0 192.168.0.212 U 1 5167 e1000g0
224.0.0.0 192.168.0.212 U 1 0 e1000g0
127.0.0.1 127.0.0.1 UH 4 30343 lo0
Ubuntu: eth0 (192.168.0.144 = normal network)
eth1 (172.18.0.3 = network for interconnection between Ubuntu and Solaris)
routing table :
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.0.245 0.0.0.0 UG 0 0 0 eth0
At the beginning, I was thinking that no route was necessary, but the ping didn't work between the two servers.
So, my question is: how can I add a route for a specific interface on my Solaris (I want the traffic for the network 172.18.0.0 to go through e1000g1)?
Thanks for your help
SOLARIS :
-bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
inet 192.168.0.212 netmask ffffff00 broadcast 192.168.0.255
ether 0:1b:24:f0:7a:fc
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 172.18.0.2 netmask ffffff00 broadcast 172.18.0.255
ether 0:1b:24:f0:7a:fd
-bash-3.00# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 192.168.0.245 UG 1 7040 e1000g0
192.168.0.0 192.168.0.212 U 1 5323 e1000g0
224.0.0.0 192.168.0.212 U 1 0 e1000g0
127.0.0.1 127.0.0.1 UH 8 31593 lo0
-bash-3.00#
UBUNTU :
ifconfig
eth0 Link encap:Ethernet HWaddr 00:1e:c9:d1:22:ea
inet addr:192.168.0.144 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:c9ff:fed1:22ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19992226 errors:0 dropped:0 overruns:0 frame:0
TX packets:9886296 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10075930406 (10.0 GB) TX bytes:2847567457 (2.8 GB)
Interrupt:16 Memory:f8000000-f8012700
eth1 Link encap:Ethernet HWaddr 00:1e:c9:d1:22:ec
inet addr:172.18.0.3 Bcast:172.18.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:c9ff:fed1:22ec/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:919 errors:0 dropped:0 overruns:0 frame:0
TX packets:905 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58816 (58.8 KB) TX bytes:91286 (91.2 KB)
Interrupt:16 Memory:f4000000-f4012700
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.0.245 0.0.0.0 UG 0 0 0 eth0 -
QoS value for http traffic from IP Phone
Since the phone marks all voice with COS 5 and data traffic with COS 0, does this also include traffic sourced from the IP Phone's HTTP requests when doing Directory Lookups and IP Phone Services?
Thanks!
With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to whatever you want.
DSCP for SCCP Phone-based Services :
This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
This is a required field.
Default: default DSCP (000000).
Restart SCCP-based phones for the parameter change to take effect.
HTH
Sankar
PS: please remember to rate posts! -
SG300 Redirect HTTP Traffic to Proxy
Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL I suppose.
Any input will be highly appreciated, thank you!
Kind regards,
Romeo
Hi Mohamad,
I've seen this done in slightly different ways. One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
 nat server
 no nat client
 redirect-vserver REDIRECT
  webhost relocation https://www.example.com/
  inservice
serverfarm SSL_DC
 no nat server
 no nat client
 real 192.168.78.36 local
  inservice
vserver VSERVER_80
 virtual 192.168.78.35 tcp 80
 serverfarm REDIRECT
 persistent rebalance
 inservice
vserver VSERVER_443
 virtual 192.168.78.35 tcp 443
 serverfarm SSL_DC
 persistent rebalance
 inservice
Hope this helps get you started.
Sean -
Debugging HTTP traffic from iPad with Charles
Here's a great tip on how to use Charles on your Mac or PC to proxy HTTP traffic from your iPad so you can debug it.
http://www.ravelrumba.com/blog/ipad-http-debugging/
Talking of debugging on the iPad, and Flash apps specifically, I only recently tried out the "Quick publishing for device debugging" option. When you do that, and run the app on the device, you can set Flash to be in a remote debugging session, and on the app screen you type in the IP address of your computer. You can then debug the running app in just the same way you would debug a swf running in your desktop browser. You don't even have to be connected by USB, it works across the wireless network.
-
Routing traffic using 2 interfaces
My question is: what's the best solution for routing internet traffic out one interface and production and management traffic out another interface, using a Cisco ISR 2900?
You can use PBR.
Here are 2 documents with examples:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
https://supportforums.cisco.com/docs/DOC-1634
HTH -
Capture http traffic between server and proxy
Hi,
I am not a solaris admin so I need some help to capture http traffic between proxy and server.
I used 'snoop port 80' on my proxy server but this command gives me the traffic between client and proxy.
PS: i do not have access to remote server.
Thanks
Linda
You probably need this instead:
snoop host server
where server is the hostname of the server that you are trying to connect to.
If you have multiple interfaces, you have to be sure you are snooping on the right interface. -
MPF ASA for Web Filtering. Https traffic
SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 "website1\.com"
regex allowex2 "website2\.com"
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
class-map allow-user-class
 match access-list WEBFILTER
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection
policy-map allow-user-url-policy
 class allow-user-class
  inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
Thanks in advance for your help
Juan
Is it even possible for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
dns Configure a class-map of type DNS
ftp Configure a class-map of type FTP
h323 Configure a class-map of type H323
http Configure a class-map of type HTTP
im Configure a class-map of type IM
sip Configure a class-map of type SIP -
RV320, specific traffic through specific wan port
Hello all,
I love the RV320, one of the best routers I've bought in years and it works like a charm with our Fiber connection on WAN1 and Coax Cable on WAN2.
The only question I have right now: I know it is possible to send specific traffic (DNS, HTTP etc.) through specific WAN ports.
But would it also be possible in some way to say *.website.com traffic will go through WAN port x only?
Specific apps we use are only available through an IP coming from the provider we use on WAN2 (cable coax), so it would be handy if we could say that if app this or that and/or website is being called, auto serve it through WAN port x.
Is this possible and if not, something Cisco could add?
Dear Michiel,
Thank you for reaching Small Business Support Community.
Besides the service management options available I do not see a particular feature to accomplish your needs. I work on this community forum as an analyst and I am going to mark this post as a business opportunity for improvement of the device.
Thank you for your comment and please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found. -
ISE Guest Portal only redirect HTTPS traffic.
I have a wireless deployment consisting of the following:
5760 WLC & ISE 1.2
Am I missing something here?
I have 4 similar deployments, and never had these issues:
On Android / Apple devices, the guest portal does not pop up automatically &
On a Windows Laptop only https traffic directs to the guest portal.
Thanx
I think you need to recheck the configuration; also check the link for step by step config:
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html -
We have registration forms and other pages that collect personal details from users who are registering for the site or submitting other transactions (other than shopping cart purchases). By default these pages are delivered using HTTP under the main website.
We need these pages to be secured using HTTPS. How can we force HTTPS on these pages?
Thanks,
Colin
Only way on BC is JavaScript
e.g.:
var secureURL = "yourdomain.worldsecuresystems.com";
// Redirect to the secure host over HTTPS unless this is a template edit or preview view
if ((window.location.protocol == "http:" || location.hostname != secureURL)
    && location.search.search("A=Template") == -1
    && location.search.search("Preview") == -1) {
  window.location = "https://" + secureURL + window.location.pathname;
}
-
How to correct COOKIE + FORCED HTTP METHOD error
I am running a few pages against the Access Me plug-in in Firefox and received 3 errors and 2 warnings...
Where do I begin to resolve these issues?
Access Me String Test Results
FORCED HTTP METHOD
Attack Details:
 - HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 100% similar. Got access to a resource that should be protected. Server response code: 200 OK.
COOKIE + FORCED HTTP METHOD
Attack Details:
 - Input Parameter: ASP.NET_SessionId
 - HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 100% similar. Got access to a resource that should be protected. Server response code: 200 OK.
COOKIE
Attack Details:
 - Input Parameter: ASP.NET_SessionId
The attacked page is dangerously similar to the original page. It is 100% similar. Got access to a resource that should be protected. Server response code: 200 OK.
FORCED HTTP METHOD
Attack Details:
 - HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 0.649% similar.
COOKIE + FORCED HTTP METHOD
Attack Details:
 - Input Parameter: ASP.NET_SessionId
 - HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 0.649% similar.
ASP, SQL2005, DW8 VBScript, Visual Studio 2005, Visual Studio 2008
I think in the get_p method you have declared the field type as Value help and in the GET_V method you haven't filled your value help table. Please check these two methods. Hope this helps you.
Regards,
Lakshmi.Y -
Archiving and different Retention period by specific interface
We want to specify different Retention period for different interfaces (audit reasons)... and based on search in SDN, it does not seem like this is supported by SAP...
Do any of you know if SAP intends to support this in future? Any ideas for overcoming this gap? Or is this limitation deliberate (and has been kept in place for a reason)?
Hi Krish,
Actually I don't think we have this option of setting the retention period for specific interfaces, but only for the global interfaces in the system.
If you want to increase the time for Audit Log messages you need to change parameter 'messaging.auditLog.memoryCache' to false in order to persist the audit logs in PI 7.1 system. Take a look at note #1314974 for more details.
And notice that after changing the parameter to false, audit logs are persisted till the corresponding messages are deleted. The default retention period of messages on AE is 30 days, keep in mind that it could have a little impact on the data volume.
To increase the retention time in AFW, go to:
Services -> XPI Adapter: XI:
"xiadapter.outbound.persistDuration.default"
"xiadapter.inbound.persistDuration.default"
For the Integration Engine, it's under SXMB_ADM -> Integration Engine Configuration and Configuration.
Regards,
Caio Cagnani