New ASA5512- 5515: content filter and WAN load balancing
Hi,
Is it possible to do content filtering with the new ASA models?
One of our customers would like to have a content filter with the possibility to monitor single-client activity (log).
Is it also possible to do load balancing between 2 WANs?
Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
Thanks in advance,
Paolo.
I saw that you can add CX feature:
CX - Context Aware Security Feature:
Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
Application Visibility Control (AVC):
This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
Web Security Essentials (WSE):
This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
Can somebody confirm that?
Has somebody already used and configured these features?
Thank you,
Paolo.
Similar Messages
-
I have used Photoshop 5.5 for years and it is all I need and more. I bought a new PC with Win 7 and tried loading my Photoshop 5.5 CD. It won't work because it is 16-bit, the new computer is 64-bit. Can I buy a 64-bit version of Photoshop 5.5?
Hi,
You actually tried to install photoshop 5.5 and got the message about it being 16 bit?
(usually it's only the installer that is 16 bit and the actual program is 32 bit)
Photoshop 5.5 should work on windows 7 x64 if you don't have more than 1 TB of free space on your hard drive.
You're sure it's Photoshop 5.5 and not an earlier Photoshop version?
You might try copying the folder that says photoshop off the cd onto your hard drive and then running the Setup.exe
Anyway, check how much free space your hard drive has and if it's more than 1 TB, then no use trying to use photoshop 5.5 because it won't work.
(photoshop versions before photoshop cs can't see free space on hard drives if it's more than 1 TB and would give a scratch disk full message if you try to run them) -
H-REAP and Client Load-Balancing
I'm told by Cisco that H-REAP does not support client load-balancing.
We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
We can't re-write the application so we are looking for a wireless solution.
Anyone hear about how other organizations have dealt with this type of situation?
I'll be glad to supply more details if I am not being clear in my description of the problem.
Thanks in advance. All responses will be rated.
Paul
This is the functionality which is missing in H-REAP: Client and Network Load Balancing
"Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access. -
Hello
I have the following issue with a Cisco 2811 router. I have two WAN connections (fiber and ADSL) and I want to do WAN load balancing, so I added two routes: 0.0.0.0 0.0.0.0 dialer1 and 0.0.0.0 0.0.0.0 fa1. The problem is with the fiber connection (fa1): in this configuration I can't ping the WAN from outside or use NAT on this connection. If I change the default routes like this it works, but it is not WAN load balancing: 0.0.0.0 0.0.0.0 dialer 150, 0.0.0.0 0.0.0.0 fa1. Any idea?
Hi Richard
I come back with more details:
First I tried to set up the router with WAN failover like this:
route-map SDM_RMAP_1 permit 1
 match ip address 101
 match interface FastEthernet0/0
route-map SDM_RMAP_2 permit 1
 match ip address 102
 match interface Dialer1
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.26.60.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 102 protocol ip permit
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.1 25 x.x.x.x 25 route-map SDM_RMAP_1 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x 150
ip route 0.0.0.0 0.0.0.0 y.y.y.y track 1
interface FastEthernet0/0
 ip address x.x.x.x
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
interface FastEthernet0/1
 no ip address
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ...............
 ppp chap password 7 010109085702121F33434A0014524343
 ppp pap sent-username .......... password 7 0614002D40471D091718160201537E7A
 no cdp enable
 crypto map SDM_CMAP_1
track timer interface 5
track 1 ip sla 1 reachability
 delay down 15 up 10
ip sla 1
 icmp-echo a.b.c.d source-interface y.y.y.y
 timeout 5000
 threshold 40
 frequency 6000
ip sla schedule 1 life forever start-time now
And I want to achieve the following results:
All computers on the LAN use y.y.y.y for the internet connection; if this fails they use x.x.x.x, and when y.y.y.y comes back they use that connection again.
And I have one server with a few services (DNS, WWW, MAIL...) which must use just the x.x.x.x connection; if this fails it doesn't matter if these services are not working.
But with this configuration one thing is not working: I can't access the mail server, DNS or WWW from outside over the x.x.x.x connection (IP). If I change the default routes like:
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1
ip route 0.0.0.0 0.0.0.0 y.y.y.y 150
it's working -
NW04 Portal and Cisco Load balancer
Hi everybody,
does anyone have a similar landscape as I have?
Reverse Proxy - Cisco Content Switch Module for Load Balancing - two NW04 Portal Servers.
How did you configure the stickyness / Load balancing mechanism on the load balancer in order to get it running?
Cheers
Jochen
Hi,
Web AS Java issues a cookie called saplb.
You can check its value by connecting to the portal and then launching the command
"javascript:alert(document.cookie)"
within the browser. You will get a cookie value like
saplb_*=(J2EE6202500)6202551
The value in brackets determines the instance; the second number equals the actual ClusterID (can also be found in the VisualAdmin). Usually 50 indicates the 1st server node, 51 the second one etc.
The saplb_* cookie can be checked by the Cisco; see the Cisco link above. Just configure the Cisco to be sticky on the instance number (value in the first brackets, in the example 6202500).
Several customers do it like this, and actually the SAP Web Dispatcher is also using this cookie to determine the instance to distribute the request to.
Good luck Bernhard -
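The sticky decision described in the reply above, as an added Python example (not part of the original thread and not Cisco or SAP code). The `J2EE` prefix and digit layout are assumed from the single cookie value quoted in the post; `StickyPicker`, the second instance number and the backend addresses are constructed for illustration.

```python
import itertools
import re
from typing import NamedTuple, Optional

# Value layout as quoted in the post: (J2EE<instance number>)<cluster ID>
SAPLB_VALUE = re.compile(r"\(J2EE(\d{1,12})\)(\d{1,12})")


class Saplb(NamedTuple):
    instance: str    # value in brackets, e.g. "6202500": the sticky key
    cluster_id: str  # e.g. "6202551"

    @property
    def node_offset(self) -> int:
        # Per the post: 50 is usually the 1st server node, 51 the 2nd, ...
        return int(self.cluster_id) - int(self.instance)


def parse_saplb(cookie_header: str) -> Optional[Saplb]:
    """Return the first well-formed saplb_* cookie in a Cookie header, else None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.startswith("saplb_"):
            # fullmatch rejects trailing junk such as CR/LF or extra fields
            m = SAPLB_VALUE.fullmatch(value.strip())
            if m:
                return Saplb(m.group(1), m.group(2))
    return None


class StickyPicker:
    """Pin a request to the instance named in saplb_*, else balance round-robin."""

    def __init__(self, backends: dict):
        # instance number -> backend address
        self.backends = dict(backends)
        self._rr = itertools.cycle(sorted(self.backends))

    def pick(self, cookie_header: str = ""):
        lb = parse_saplb(cookie_header)
        # The cookie is client-supplied: honour it only for a known instance.
        if lb and lb.instance in self.backends:
            return self.backends[lb.instance], "sticky"
        return self.backends[next(self._rr)], "balanced"


# Constructed sample data: two portal instances behind the load balancer.
BACKENDS = {"6202500": "192.0.2.11:50000", "6202600": "192.0.2.12:50000"}

if __name__ == "__main__":
    picker = StickyPicker(BACKENDS)
    for header in (
        "",                                               # first visit, no cookie
        "lang=en; saplb_*=(J2EE6202500)6202551",          # cookie value from the post
        "saplb_*=(J2EE9999900)9999951",                   # instance not in the farm
        "saplb_*=(J2EE6202500)6202551\r\nX-Injected: 1",  # malformed value
    ):
        print(repr(header), "->", picker.pick(header))
```

A cookie naming an unknown instance or carrying a malformed value falls back to normal balancing instead of being trusted as a routing key.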
Hi,
I am configuring 2 ASA5540s for internet traffic inside to outside and
outside to inside (web, SMTP), but also VPN load balancing for client-to-site, site-to-site and WebVPN.
In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
For VPN I can use VPN load balancing.
But there is no information if I want to use Active/Passive and VPN load balancing together.
Any thoughts on which way to go? What is the best thing to do?
Regards
Hi,
I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Hope it helps -
SRP541W WAN Load Balancing and NAT
Hello All,
New to the forums. Thanks for taking the time to read my post. I recently switched my office over from an RV042 to an SRP541W. We have 2 DSL lines and have used the Load Balance feature on the RV042 to make the best of the connection speeds. When setting up the SRP541W, when I select load balancing it tells me NAT should be disabled. Why is that? I see a place to input static routes but I'm not entirely sure what needs to be done here to set this up correctly. Any input would be appreciated. Also, right off the bat we had some issues with access to Google Docs and Mail. I think it's because those sites don't like seeing access from multiple IPs (from the dual WAN), so I set up an entry in Policy Routing directing all traffic from port 443 to go through one WAN. Is this the right way to do this?
Thanks!
Mike
Dear Mike,
Thank you and welcome to the Small Business Support Community.
It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
The Policy Routing setting you setup is exactly what I would do in your case.
I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
WAN Load-Balancing and multi VLAN design
Hello,
I need some help to define the design of a specific LAN-WAN network.
1) There are 2 independent WAN entries (they have their own ISP-managed router)
2) I need to load-balance the requests over the 2 WANs
3) If possible, the load-balancer must be redundant (GLBP ?)
4) On the LAN itself, there must be 15 different VLANs
5) We also need a DHCP solution (also redundant if possible) to provide IPs to these VLANs, with a unique gateway (the load-balancer)
What do I need to implement this configuration ?
And is it possible to configure with as much GUI as possible ?
Thanks in advance for your help. -
Web content filter and shockwave
Hi! I am using in my organization Squid proxy with DansGuardian as web content filter. The problem that I'm facing is that when I visit a site that uses Shockwave, I get the message that "the Xtra package failed to initialize..". This problem is brought up by using DansGuardian, because when I use Squid everything works fine.
With the previous version of shockwave i had added as exceptions in url and site lists the following paths and everything worked fine:
adobe.com
download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version=8,5,0
download.macromedia.com/pub/shockwave/cabs/director/sw.cab
get.adobe.com/shockwave/
Try Settings > Wifi > your checked network > HTTP Proxy: Off
-
Hi,
I have a CSS in a single-arm deployment model. I have multiple servers load balanced on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing a problem with it.
Real servers are accessible on port 80 without any problem, but when we try to access the same servers via the VIP we are not able to see the web page.
real server http://192.168.17.12/irs.htm
real server http://192.168.17.14/irs.htm
real server http://192.168.10.37/irs.htm
VIP
http://192.168.200.58/irs.htm
Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
If I only put 192.168.200.58 in the browser I can see the Oracle page, but with the full URL I am not able to see it.
Though I have other Oracle servers which I have load balanced with the same configuration and I can access the web page.
==========================================================================================
http://tptest.enoc.com/forms/frmservlet?config=tp (This is working fine).
========================================================================
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
=============================================================================
service IRC_1
  ip address 192.168.17.12
  keepalive type tcp
  keepalive port 80
  active
service IRC_2
  ip address 192.168.17.14
  keepalive type tcp
  keepalive port 80
service IRC_DR
  ip address 192.168.10.37
  keepalive type tcp
  keepalive port 80
content ENOC_IRC
  add service IRC_1
  add service IRC_2
  add service IRC_DR
  vip address 192.168.200.58
  protocol tcp
  port 80
  advanced-balance sticky-srcip
  active
owner ENOC_GIT
  content ENOC_IRC
    add service IRC_1
    add service IRC_2
    add service IRC_DR
    vip address 192.168.200.58
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    active
group ENOC_IRC
  add destination service IRC_1
  add destination service IRC_2
  add destination service IRC_DR
  vip address 192.168.200.58
  active
===================================================================================================
ENOCDC-CSS01(config)# show service summary
Service Name   State      Conn  Weight  Avg Load  State Transitions
IRC_1          Alive      0     1       2         0
IRC_2          Suspended  0     1       255       1
IRC_DR         Suspended  0     1       255       1
ENOCDC-CSS01(config)# show summary
Global Bypass Counters:
  No Rule Bypass Count: 0
  Acl Bypass Count: 0
Owner      Content Rules  State   Services  Service Hits
ENOC_GIT   ENOC_IRC       Active  IRC_1     103
                                  IRC_2     10
                                  IRC_DR    7
=======================================================================================================
I am using the same settings for other servers and they work fine; only for these servers I am facing a problem. Currently only one server is active in the configuration.
Kindly let me know what I am missing and how to fix the problem.
I have also attached the full configuration of the CSS.
Hi,
My point of concern is that I did the same for Oracle server and this is working fine
http://192.168.200.95/forms/frmservlet?config=tp
only when I am doing the load balancing for
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
I don't have an option for a TAC case. Is there a way to fix the problem by applying another load balancing method? Is there something to do with the circuit VLAN? I didn't create the circuit VLAN 17 where this server is located.
I am doing load balancing for almost 8 different servers on this CSS.
Your expert opinion will definitely help me. -
Lync 2010 and ACE load balancing
Hi there,
Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer? The ACE is not [yet] on the Microsoft list of supported devices for this product, but I am told this is because of lack of documentation from Cisco.
The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
regards,
Glenne.
Hey Glenne,
It seems you got that working already but I wanted to share this simple sample:
parameter-map type http PARAMETER
  set header-maxparse-length 65535
  set content-maxparse-length 65535
============================================
interface vlan 112
  ip address 10.198.16.71 255.255.255.192
  alias 10.198.16.124 255.255.255.192
  peer ip address 10.198.16.72 255.255.255.192
  mac-sticky enable
  access-group input anyone
  nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
  service-policy input ANS-MGT
  service-policy input VIPS
  no shutdown
============================================
policy-map multi-match VIPS
  class LYNC_VIP
    loadbalance policy LYNC_POLICY
    ssl-proxy server SSL_LYNC_TERMINATION
    loadbalance vip icmp-reply active
    nat dynamic 25 vlan 112
    appl-parameter http advanced-options PARAMETER
============================================
class-map match-all LYNC_VIP
  2 match virtual-address 10.198.16.125 tcp eq https
============================================
ssl-proxy service SSL_LYNC_TERMINATION
  key tac-key
  cert tac-cert
  chaingroup tac-chaingroup
============================================
policy-map type loadbalance first-match LYNC_POLICY
  class class-default
    sticky-serverfarm LYNC_COOKIE
============================================
sticky http-cookie ACE_COOKIE LYNC_COOKIE
  timeout 30
  replicate sticky
  serverfarm LYNC_FARM
============================================
serverfarm host LYNC_FARM
  rserver LYNC_SERVER1 80
    inservice
  rserver LYNC_SERVER2 80
    inservice
============================================
rserver host LYNC_SERVER1
  ip address 10.198.16.93
  inservice
rserver host LYNC_SERVER2
  ip address 10.198.16.113
  inservice
============================================
Jorge -
Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble
PID VID: RV042 V03
Firmware Version: v4.0.0.07-tm (Aug 19 2010 19:19:50)
Ever since I set up my RV042 with load balancing using the Dual Wan system I have had trouble staying connected to some secure sites. After doing some searching I found that the potential issue is the IP change mid session.
"http://www.broadbandreports.com/forum/r25537589-Cisco-RV042-can-not-use-load-balancing-for-some-web-sites"
Although my interface is significantly different, I was able to find the same area in my RV042 admin area; however, it doesn't seem to work.
System Management > Dual Wan
In Wan 1 & Wan 2 I have HTTPS and HTTPS Secondary all forwarded to use Wan 2 under Protocol Binding.
This however has not managed to do anything at all for my network, and every computer connected experiences the same HTTPS irregularities at some websites.
I'm sure I must be doing something wrong, but I don't know what it is.
Both incoming connections are from the same service provider although the plans are different.
Any help with this would greatly help me stop losing my mind trying to fight with my website control panel for 10 minutes to just login and get something done.
Thanks
Any ideas or advice from anyone?
-
HTTP type connectivity between XI and R3 - load balancing options ?
Hi
We have an HTTP type connectivity set up between XI and R3 in order to enable XI to communicate with R3 using ABAP proxies. We did this by creating an RFC destination on the ABAP stack of XI of type 'H' (HTTP connection between R3 systems). Now, while setting up this RFC destination, there is no option to specify a message server on R3 - we just see a target server field that can be filled in.
In an RFC destination of type 3 on the XI box (which is used for an XI --> R3 IDoc adapter), I can see an option for specifying a message server.
Does this mean that using type 'H' connectivity between XI and R3 does not give us an option of hitting the load balancing message server on R3 and thus cannot use the load balancing setup on R3? Is this a limitation of type 'H' connectivity between XI and R3?
For HTTP load balancing the options seem to be somewhat different... check if these threads provide you any help:
http://help.sap.com/saphelp_nw04s/helpdata/en/ae/9bfc3f9ec4e669e10000000a155106/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/79/a1ce9569444647956b0ec1cf443c4d/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/43/39c7b227b91bcbe10000000a1553f7/content.htm
Regards,
Abhishek. -
RV320 - Dual WAN - Load Balance Problem
Hi all,
I've just bought an RV320 Dual WAN router and am trying to get it running. My network setup looks like the picture attached.
I have 2 WAN connections:
- Router 1 (16 Mbit down / 512 kbit up) - no public WAN IP
- Router 2 (3 Mbit down / 512 kbit up) - fixed public IP
Router 1 is connected to the WAN1 port and router 2 to the WAN2 port on the RV320.
I have enabled load balancing mode.
Questions:
1.
I want WAN1 to be the primary line to be used until capacity is reached.
Currently, for some reason I don't understand, the Cisco always uses WAN2.
That's not good as all browsing and downloading is limited to 3 Mbit.
When I switch to "fail-over" mode and set the primary line to WAN1 that works, but WAN2 is not kept alive.
2.
I am using VOIP and need to route all VOIP traffic to the WAN2 interface.
The best would be to tell the router that IP 192.168.177.9 (VOIP phone) should use WAN2. So far I didn't figure out how to do that.
Can I put VOIP into one VLAN group and allocate that VLAN to one specific WAN interface?
Brgds
So, you can hear the phone ringing and answer it? Which means that SIP packets are coming through WAN to LAN and are properly redirected to the phone IP, but you cannot hear after that, which means that there could be a problem with the RTP packets.
If you have a problem only with the incoming calls and not the outgoing, then try to enable/disable SIP ALG (Firewall). If that doesn't fix the issue, try to allow (or even forward) from WAN to LAN RDP - UDP ports 16384-32767 to the phone IP.
Regards,
Kremena -
CSS on multiple subnets and separate load balancing
Hello,
I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
Basically I want to use the CSS for 3 different load balancing operations.
Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
Any help appreciated
Regards Tony
You can have as many VLANs as you want.
So yes, you can do what you want.
Just be aware that the CSS can route as well between those VLANs, so if you want separation between them you may have to use ACLs.
Gilles.