Outside-PAT all UDP traffic, but exclude DNS

8.4(3)
I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server 64.90.175.90, DNS times out. If I remove the above nat command, it works again. It seems like even though DNS UDP originates from inside, which should create a stateful connection, ASA still messes with return DNS responses.
I then tried to create an "exclusion" for that IP with the following:
object-group network nat-exclusions
network-object host 64.90.175.90
nat (outside,inside) source static nat-exclusions nat-exclusions
but it's not working.
I also tried:
nat (outside,inside) source static nat-exclusions nat-exclusions unidirectional
Also not working.
Any suggestions? How can I outside-PAT all UDP traffic excluding DNS?

TAC was able to help. I needed this:
object network exclusions
host 64.90.175.90
nat (inside,outside) source dynamic any interface destination static exclusions exclusions
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp

Similar Messages

  • Low-latency prio queue for udp traffic, but not matching ACL?

    Hi,
    I have an OpenVPN service running behind an ASA for which I would like to prioritize the packets.
    The OpenVPN service connects to a remote OpenVPN service on 1194/udp, and accepts traffic on udp/1194 for yet another OpenVPN server.
    Here's what I did:
    access-list priority extended permit udp any any eq 1194
    priority-queue outside
    class-map priotraffic
    match access-list priority
    policy-map QoS_policy
    class priotraffic
      priority
    service-policy QoS_policy global
    priority-queue outside
    I know there are hundreds of packets per second on this OpenVPN, but still I only see 2 matched packets on the ACL "priority":
    # show access-list | inc priority
    access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=2) 0xbbdd01d4
    Am I missing something? Must I know both src AND destination ports in order to achieve this?

    I started suspecting that it only matched packets for new connections (in iptables called NEW / UNREPLIED). I tested my thesis by restarting one of my openvpn tunnels, and indeed I see now a hit count of one packet.
    Question is, how come only new udp connections being matched? I would obviously like to prioritize all packets for an already established session.
    Thanks,
    By the way, the statistics after I reinitiated one of the tunnels:
    asa# show access-list | inc priority
    access-list priority line 1 extended permit udp any any eq 1194 (hitcnt=1) 0xbbdd01d4
    asa# show service-policy
    Global policy:
      Service-policy: QoS_policy
        Class-map: priotraffic
          Priority:
            Interface outside: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface inside: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface mobenga: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface escom: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface management: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface server: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface vpn: aggregate drop 0, aggregate transmit 0
          Priority:
            Interface cafe_member: aggregate drop 0, aggregate transmit 0
        Class-map: class-default

  • WISM Blocking UDP traffic

I am having a problem with the WISM blade blocking UDP traffic on port 6001. This is for a Sentinel Hardware Key. The software sends out a UDP request but it appears that the controller just drops it. I have tried an explicit permit ACL on this network for all UDP traffic. This did not work either. This software works fine on the wire. Anyone else seen this?

    All layer two broadcasts (FF:FF:FF:FF:FF:FF) are stopped at the WISM. This is a function of the controller. I found a white paper from Cisco stating this. The hardware key I was trying to use utilized a layer two broadcast and it was stopped at the controller. There were no ACLs present when I started testing. I even tried it with an allow-all ACL just to make sure.

  • How to configure DNS server to redirect all web traffic to one external website?

    I'd like to use the DNS service on my OS X Server as a way to force all web traffic to one specific, external website. Not quite sure how to go about configuring it, though - any recommendations?
    (BTW, this is, obviously, not our primary DNS server; I intend to silently update the preferred DNS server for users who fail to complete their timesheets in order to force the issue)

    Web clients don't generate uniquely-identifiable DNS queries; there's no SRV request or related traffic that you could select on and spoof.  So if you do implement this, everything querying the spoofing DNS server will get the spoofed host, or you'll have to spot specific queries that are likely web queries; Facebook, Google, Bing, etc. 
    If you still want to implement this, then I'd probably replace the DNS server with a runt DNS server (maybe hack dnsmasq or maraDNS, or create yourself a trivial DNS server) and have that always return the specified IP address.  This avoids having to hack BIND to be universally authoritative, which is probably on par with hacking a simpler DNS server to always return a fixed IP address, and the latter is probably easier to undo.
    A firewall can spot TCP port 80 and port 443 traffic, unlike a DNS server.   Firewalling outbound port 80 traffic is more typical of these requests, and either trap that traffic to a specific web page based on the capabilities of the firewall, or the web proxy approach that Camelot suggests.  There are folks that tie access into the web proxies into external authentication and related; that'd be able to do what you want.   Web proxies are usually combined with firewall blocks, as most sites want only the web proxy to have external access, too.  But this is also rather more pieces than a DNS redirect, too.
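    The "runt DNS server" idea above, as an added example that is not code from this thread or from dnsmasq/maraDNS: a minimal responder that parses an incoming DNS query and answers every A/IN question with one fixed address, and answers anything else (AAAA, MX, ...) with an empty response so clients do not get nonsense records. The sinkhole address 192.0.2.10 (TEST-NET-1) and the constructed sample query are assumptions; the same shape of responder is what a DNS sinkhole uses on the defensive side to steer blocked names to a warning page.

```python
import socket
import struct

# Constructed example values, not from the thread: the fixed answer and its TTL.
SINKHOLE_IP = "192.0.2.10"
TTL = 60


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Construct a minimal DNS query; used here only to build sample input."""
    flags = 0x0100 if rd else 0x0000  # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # one question, no other RRs
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_question(msg: bytes):
    """Return (qname, qtype, qclass, end_offset) for the single question in msg."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        n = msg[off]
        if n == 0:            # root label terminates the name
            off += 1
            break
        if n & 0xC0:          # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def sinkhole_response(query: bytes, answer_ip: str = SINKHOLE_IP) -> bytes:
    """Build the response: echo the ID and question, answer A/IN with answer_ip."""
    txid, flags = struct.unpack("!HH", query[:4])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    name, qtype, qclass, qend = parse_question(query)
    rd = flags & 0x0100
    resp_flags = 0x8000 | rd | (0x0080 if rd else 0)  # QR set, RD echoed, RA if RD
    question = query[12:qend]
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to offset 12 (the question name), TYPE A, CLASS IN.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0  # no data for other types: NOERROR, empty answer
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answer


def extract_answer_ip(response: bytes):
    """Read the A record address back out of a sinkhole response (None if empty)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, qend = parse_question(response)
    # Answer RR layout after the question: pointer(2) type(2) class(2) ttl(4) rdlength(2) rdata.
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return socket.inet_ntoa(response[qend + 12:qend + 12 + rdlength])


def serve(bind_addr: str = "127.0.0.1", port: int = 5353) -> None:
    """Answer queries on a UDP socket until interrupted (non-privileged port by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(sinkhole_response(data), peer)
            except (ValueError, IndexError):
                pass  # malformed datagram: drop it rather than crash the responder


if __name__ == "__main__":
    sample = build_query("www.example.com.")
    print(extract_answer_ip(sinkhole_response(sample)))  # 192.0.2.10
    serve()
```

    Point the test client at port 5353 (dig @127.0.0.1 -p 5353 www.example.com) to see every name resolve to the sinkhole address; the AAAA branch is what keeps dual-stack clients from getting a malformed answer.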

  • Would like to upgrade to Dragon Naturally Speaking 11 from DNS 6 (which would also entail a necessary upgrade from Windows 2000 to 7) but understand after all this expense and trouble, DNS upgrade may not be compatible with Firefox 6?

    Main priority is voice activation upgrade. Ideas about how to proceed appreciated!

    AFAIK, it's been over three years since a WinXP laptop or desktop PC has been sold; I specifically bought a laptop in June 2008 because it was being clearanced by that retail chain to meet Microsoft's deadline, and got it real cheap. It was tagged for the store manager to purchase, but he let me have it because I exceeded his expectations for the services I performed for his store and thought I deserved it. Anything that wasn't made for Vista-compatibility will be very iffy with Win7, IMO - so that basically rules out anything that was made before like Oct or Nov 2007.
    Unless another DNS 11 user happens to see this thread and can verify whether it works in Firefox 6.0 or not, I don't know what to recommend except for you doing a web search to see what other DNS / Firefox users have to say about compatibility.

  • Itunes could not connect to internet.. i have read all your solution but non help, include firewall, restart dns, check IE setting ETC... PLS HELP, my phone can't sync with itune...........


    I could not do anything with iTunes: check updates, help, etc.
    I am using Windows 7 and the latest iTunes (the previous iTunes also couldn't sync).

  • Outbound PAT for SMTP traffic

    Cisco ASA 5505, Software 8.0(3)
    ASA IP: xxx.xxx.xxx.yy4/29
    This is part of my ASA config that ensures PAT for incoming SMTP traffic:
    access-list acl_inbound_outside extended permit tcp any host xxx.xxx.xxx.yy7 eq smtp
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list acl_no_nat_inside
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp xxx.xxx.xxx.yy7 ftp 172.27.1.1 smtp netmask 255.255.255.255
    access-group acl_inbound_outside in interface outside
    This ensures SMTP traffic to xxx.xxx.xxx.yy7 reaches my SMTP server.
    But outgoing SMTP traffic is from xxx.xxx.xxx.yy4 (WAN IP of ASA).
    How can I set up that ONLY SMTP traffic from 172.27.1.1 is PATed behind IP xxx.xxx.xxx.yy7 and other traffic from 172.27.1.1 will be NATed to xxx.xxx.xxx.yy4?

    Hi,
    It seems that there is either a typo or mistake in the configuration above.
    You are forwarding the "ftp" port to the "smtp" port.
    Shouldn't it be
    static (inside,outside) tcp xxx.xxx.xxx.yy7 smtp 172.27.1.1 smtp netmask 255.255.255.255
    So in addition to forwarding the "smtp" port you also want all outgoing "smtp" traffic from this single host/server to use the public IP address xxx.xxx.xxx.yy7
    Then you can configure this
    access-list SMTP-POLICYPAT remark Policy PAT for SMTP traffic
    access-list SMTP-POLICYPAT permit tcp host 172.27.1.1 any eq smtp
    global (outside)  25 xxx.xxx.xxx.yy7
    nat (inside) 25 access-list SMTP-POLICYPAT
    Hope this helps
    Please do remember to mark the reply as the correct answer if it answered your question.
    - Jouni

  • Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

    Hello all,
    I've been tasked to set up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is set up for ipsec and ECMP uses per-packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per-packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
    Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
    Thanks in advance.
    (sorry for the dots in the drawing but the spaces kept getting deleted)
    .| Internet |
    ..........|
    .| CSS-outside |
    .............|
    ........|...............|
    .| FW1 |.....| FW2 |
    .......|................|
    ............|
    .| CSS-inside |
    ............|
    .| Intranet |

    for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
    So, it's not per packet loadbalancing.
    The same source/destination ip/port will always go to the same firewall.
    Gilles.

  • WRT610N Configuration: blocking all UDP connections

    Hi all,
    I am the disappointed owner of the WRT610N. I previously had a Buffalo N router in the UK, which had no firmware update in 9 months, and plenty of spelling mistakes and problems (router hanging, needed to reset). I managed to refund it and I paid nearly 200 pounds for that WRT610n.
    I can see the potential of such a router, but with that price range and the many problems, it is a complete failure. I noticed many people complaining exactly the same way about that router, which is simply too expensive for the amount of problems it is encountering.
    This is not about blindly criticizing that router, which certainly has some strengths and potential, but it has been overpriced for the problems in progress. It looks like a "beta".
    The latest firmware (1.10?) released early 2009 has corrected a few problems (ftp and USB stick work better, the "wifi protected setup" does turn off properly in 2.4ghz mode, etc...) but some still remain, such as that "wifi protected setup" from hell that keeps asking me the code on the 5GHZ frequency when I use my intel 4965agn with it, even when I turned that feature off in the router config.
    Anyway my current "problem" is I want to block the flatmate from using all UDP connections, simply because she floods the network with that.
    But it does not seem to work at all: I went to access restriction, created and enabled one entry with her IP.
    Then, I created an application name (blockUDP) and port 1 to 59 999, then I added it to the right side (Blocked List).
    It does not seem to work as when I run "wireshark" I can still see packets coming in/out of that IP address.
    Ideally I would also like her to use only basic internet (port 80) because she keeps downloading/uploading with no limits, and telling her to stop does not make her change. She pretends not to be guilty and shows advanced signs of retardness. For example, we all complained about downloading, and this person gave the wireless password to her friends living nearby... Of course they are now blocked, password changed and she will never have it but...
    I understood to block all (TCP, UDP...) from "1 to 79" and from "81 to 59999": Again it does not seem to work as in wireshark I see traffic.
    She only has 1 "nic", the wired cable. No wireless.
    Thanks in advance!

    To accomplish what you need will take more than this router can offer. I would recommend you use the QOS feature and make her last place even to ping. Another note to keep in mind is you might want to set her up on a static IP.
    Under Access restrictions is where I would be looking to accomplish what you need. Just a little advice: if you want her to have just port 80 access, possibly also 443 if she accesses her email online, as most are secured.
    Now make sure the policy is enabled and also make sure that the SPI firewall is enabled under the security tab. Also she might be running P2P software since I am not aware of too many desktop apps that use UDP as a protocol.
    Also, I almost forgot to mention: wireshark will see all traffic originating internally, so if her computer is broadcasting wireshark will see it. What you need to pay attention to is if the router is actually forwarding her traffic through its WAN interface.

  • Doesn't Managed Server's sip channel support udp traffic by default ?

    Hi All,
    I am new to the WebLogic Server. I have tried to set up a Managed Server via an AdminConsole of BEA WebLogic 9.2.
    My configurations in config.xml are as shown below. In the AdminConsole, I could startup the Managed Server successfully. However, when I generated a SIP message (to the listening port of Managed Server, which is 5068) using sipp, the Managed Server could not receive the sip message.
    When, I used "netstat -a" to check listening ports. It showed that the Managed Server (Server-5) listened on tcp port 5068 but NOT on udp port 5068. And, since my sipp generated a sip message to udp port 5068, the Managed Server could not obtain the sip message.
    I read the online document and it states that when a channel is created for a server, it will automatically support both tcp and udp traffic. Therefore, from my understanding, the Managed Server should automatically listen on both udp and tcp port when it starts up. In fact, I have checked that my Admin Server listens on both udp port and tcp port (in this case, port 5060).
    I suspect that I may be missing something in the configuration of the Managed Server. I would appreciate it if someone could enlighten me.
    Kind Regards,
    Kirati
    <server>
      <name>Server-5</name>
      <machine>Machine-0</machine>
      <listen-port>7007</listen-port>
      <web-server>
        <web-server-log>
          <number-of-files-limited>false</number-of-files-limited>
        </web-server-log>
      </web-server>
      <listen-address>10.252.8.241</listen-address>
      <network-access-point>
        <name>Channel-8</name>
        <protocol>sip</protocol>
        <listen-address>10.252.8.241</listen-address>
        <public-address>10.252.8.241</public-address>
        <listen-port>5068</listen-port>
        <public-port>5068</public-port>
        <http-enabled-for-this-protocol>false</http-enabled-for-this-protocol>
        <tunneling-enabled>false</tunneling-enabled>
        <outbound-enabled>true</outbound-enabled>
        <enabled>true</enabled>
        <two-way-ssl-enabled>false</two-way-ssl-enabled>
        <client-certificate-enforced>false</client-certificate-enforced>
      </network-access-point>
    </server>
    Edited by: user10871458 on Jan 30, 2009 1:17 AM

    I have found an answer to my question.
    I simply forgot to load a sip-container service to my newly created server.

  • UDP traffic analyzed in L4 traffic monitor?

    Dear all,
    I just wonder if anyone knows whether UDP traffic is analyzed by the WSA's L4 traffic monitor?
    It just tells "all ports" in the settings and reports also only reflect port numbers but no details like
    which protocol (tcp/udp).
    Anyone?
    Best,
    Hascha

    UDP ports will not be blocked.
    The L4TM will use the T1 interface to detect traffic to destinations that are on its blacklist. Once detected, the data interface on the WSA will send a packet with the TCP reset flag to the client to prevent a TCP connection.
    I have not tested this so someone correct me if I am wrong.  I am answering this based on my understanding of the L4TM feature, and how it works.  Since UDP is connectionless, there is no connection for it to kill.
    Now this makes me wonder about the Monitor feature though.  But I am almost certain it will not block if the action is set to block.
    I'll check this out when I'm in the office and will get back to you.
    -Vance

  • CSM 4.2 Service per packet for udp traffic

    Hi,
    We have a problem with the predictor round robin. We have to balance traffic UDP with the same source IP and PORT. Round robin algorithm use the same server for all the traffic as well as see the same source address. We use the service per packet option, but if we use this the nat server doesn't work? It is possible?
    Thanks
    Ira

    if you do per-packet the csm does not create a flow entry, so when the server response comes back from the server ip, the CSM is unable to map it to the vserver.
    So your servers need to be configured with the same loopback ip address which will be the same as the vserver ip address.
    The servers need to be directly connected to the CSM [no next-hop] so the CSM can forward traffic without changing destination ip.
    Another solution instead of per-packet would be to reduce the idle timeout to a minimum, so the CSM removes the flow entry earlier and permits the next packet to be loadbalanced to a different server.
    Regards,
    Gilles.

  • Block all incoming traffic and Active FTP

    Will setting the firewall to Block all incoming traffic break Active FTP Connections?
    The firewall will normally dynamically create exceptions for the Connection using the Application Layer Gateway, but will the profile override these?

    Hi TribleTrouble,
    Do you have any issue about FTP active mode?
    If the clients are part of your domain, push the FTP firewall rules via GPO to your clients allowing FTP inbound sockets
    netsh advfirewall firewall add rule name="File Transfer Program" protocol=TCP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
    netsh advfirewall firewall add rule name="File Transfer Program" protocol=UDP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
    For Windows 7, the entire networking stack was rewritten and several security measures were taken to further secure Windows.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • IPSEC Cisco VPN connection. Modifying default VPN gateway allows internet traffic but loses access to VPN

    Hello!!
    I'm using the IPSEC Cisco VPN Network property to connect to my company.
    Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
    If I modify the default gateway in the routing table, with this command
    route change default x.x.x.x, where this is the gateway IP when not connected to the VPN,
    I gain access to internet, but I lose access through the VPN tunnel.
    I was reading about it in google, and what I have to do is to add a static route to the VPN again, but I don't know how.
    Could you please help me?
    thanks in advance!!

    Hi Norbert,
    I am sorry to say that configuring routes in Azure Virtual network is not supported. I recommend you to submit your requirement on Azure Feedback and hope it would be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • How do I direct all internet traffic I on my firefox portable browser I use at school, through to my computer at home, so I can use my modem as a proxy?

    My school has a web filter that prevents me from accessing any website I want to at school, and I want to get past it.
    I know, from experience, that I can use a program called Ultrasurf to get around this, though it requires me to use IE, and is inconvenient.
    I want to know if it's possible to configure the proxy settings on Firefox (and some on my modem/router, and/or computer at home), in order to direct all my traffic through my router at home, similarly to how one would use a proxy.
    If so, how is this possible?
    (I'm relatively experienced with computers, but have very little programming, and other complex knowledge of the workings of these things)
    At home, my computer is running 64 bit Windows 7, has 4 GB of RAM, a 2.1GHz Intel Core 2 Duo processor, and can be turned on and online 24/7, such that if necessary, it can direct traffic sent to it.
    My router/modem at home is (I believe) a Westell 327W, I can get more information by looking at it later if necessary.
    At school, as of last year (and probably the same this year), the computers run Windows XP, and I am able to run programs installed on a flash drive on them, though cannot actually install programs on the computers themselves.
    I'll be using whatever the latest (not beta) version of Firefox Portable exists when I return to school in a week.
