PRSM Offbox Enable CX Traffic Redirection
Hi
I've got PRSM (Offbox) 9.3 installed.
I've imported an ASA5585-X Failover Pair - Each with a CX module in it (great)
How on earth do you set a traffic redirection policy to send the traffic through the CX module(s)!!
I'm pulling my hair out, if you add the 'traffic redirection' tab it says 'no items found.'
I'm not surprised, it's not enabled - I want to turn it on with PRSM!
This software is awful!
Pete
Hi Pete. Take a break on what hair you have left and check the CX Module Quick Start Guide for the ASDM method.
Short answer is you use a service policy rule (policy-map). The CLI for it is explained in more detail in the ASA CX User Guide.
You can technically configure this bit on the ASA from PRSM but you'd have to first import and manage the ASA itself (not just the CX modules). I've not tried that method as PRSM is a poor tool for managing an ASA. Even Cisco kind of steers you away from that option in their documentation.
Similar Messages
-
Traffic Redirection tab not visible in PRSM single device mode
I am using a 5515-X in single device mode. Software is version 9.2.1.2-69.
I noticed a couple things that I am not sure are a problem or not. When I go to the configuration overview tab PRSM shows mode of the ASA CX as "unknown". Also the User Guide says I should see a "traffic redirection" tab under configuration policies/settings but I don't see that.
I guess I can configure traffic redirection with ASDM but just wondering if this is normal, or cosmetic bug or something else?
Thanks,
Diego
If you're running single device mode (on-box PRSM) you cannot manage the ASA configuration like you can with the off-box PRSM. Note this section of the user guide which states:
"Traffic Redirection—(ASA, Multiple Device mode only.) Configure traffic redirection from the ASA to its CX module." -
Guest Wireless traffic redirect to Proxy Server
I have Guest WLAN and I want to redirect all the traffic to Proxy Server. We use Cisco Ironport.
Cisco proxy Ironport has the ip 10.X.X.X.
We also have NCS Server. Can anybody tell me where I can configure this?
Best regards and thanks in advance
Muzaffar:
If you have web-auth configured you may have problems with the redirection if the users are using manual proxy server configured.
For that, you better enable WebAuth proxy redirection on wireless controller.
Here is the config example
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b8a909.shtml
HTH
Amjad -
Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
 pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
 keyring ISR_Keyring
 self-identity user-fqdn [email protected]
 match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
 set peer vpn.websense.net dynamic
 set transform-set ESP-NULL-SHA
 set isakmp-profile isa-profile
 match address 101
interface FastEthernet0/1
 description connected to Internet
 ip address 216.222.208.101 255.255.255.128
 ip access-group HVAC_Public in
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
 crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload
How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post. -
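The reply's question about which source address reaches the tunnel can be checked against the posted ACLs. The sketch below is an added example, not part of the original thread: it evaluates ACL 101 and ACL 103 from the post with first-match wildcard logic and applies NAT before the crypto map check, which is the IOS inside-to-outside order of operations. Assumptions: 93.184.216.34 is a constructed sample destination, the function names are hypothetical, and the second NAT statement (route-map nonat) is not modelled because that route-map is not shown in the post.

```python
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("192.168.8.0", "0.0.3.255")
PAT_ADDR = "216.222.208.101"  # FastEthernet0/1 address from the post

# Entry layout: (action, protocol, source, destination, destination port or None)
ACL_101 = [("permit", "tcp", INSIDE, ANY, 80)]            # crypto map match
ACL_103 = [("deny", "ip", INSIDE, (h, "0.0.0.0"), None)   # NAT exemptions
           for h in ("85.115.41.187", "85.115.41.181", "85.115.41.182")]
ACL_103 += [("deny", "ip", INSIDE, net, None) for net in (
    ("86.111.216.0", "0.0.1.255"), ("116.50.56.0", "0.0.7.255"),
    ("86.111.220.0", "0.0.3.255"), ("103.1.196.0", "0.0.3.255"),
    ("177.39.96.0", "0.0.3.255"), ("196.216.238.0", "0.0.1.255"))]
ACL_103.append(("permit", "ip", INSIDE, ANY, None))

def wild_match(addr, spec):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    base, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def acl_permits(acl, src, dst, proto, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if (a_proto in ("ip", proto) and wild_match(src, a_src)
                and wild_match(dst, a_dst) and a_port in (None, dport)):
            return action == "permit"
    return False

def outbound(src, dst, proto="tcp", dport=80):
    """Inside-to-outside path: NAT is applied before the crypto map check."""
    translated = PAT_ADDR if acl_permits(ACL_103, src, dst, proto, dport) else src
    encrypted = acl_permits(ACL_101, translated, dst, proto, dport)
    return translated, encrypted

if __name__ == "__main__":
    # Constructed sample flows: an ordinary web host, then a NAT-exempt host.
    for dst in ("93.184.216.34", "85.115.41.187"):
        print(dst, outbound("192.168.8.10", dst))
```

Ordinary guest web traffic leaves with the PAT'ed source and no longer matches ACL 101; only destinations that ACL 103 exempts from NAT still match the crypto ACL.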
Service Insertion/Service Graphs & Policy based traffic redirection
Hi,
My question is to use policy based service insertion/service graphs between the EPGs communications to redirect traffic to ASA firewall & F5 slb.
Below are Cisco ACI components:
1- Spines & Leafs
2- APIC Controllers
3- Cisco ASA Firewall attached to the APIC via device package
4- F5 SLB attached to the APIC via device package
I have the below scenario for the communication between the EPGs e.g:
WEB-EPG (consumer)
APP EPG (provider) (consumer for DB)
DB (provider)
I want to use contract that includes filter on port 80 to permit and action for service insertion to provide SLB (F5) service between the WEB & APP communications.
I want to use contract that includes filter on port any* to permit and action for service insertion to provide firewall (ASA) service between the APP & DB communications.
Can I do policy based "traffic redirection" through service graphs in the contract's service insertion?
Is it supported in version 1.0(3i)?
I believe, NSH (Network services header) will add in the VXLAN header before reaching the dest VNID and redirect the traffic to the clusters of the services node i.e. SLB or FW, Then traffic will reach the destination address after striping all services.
Regards,
Anser
Hello Muhammad,
Traffic redirection is not supported on 1.0(3i), while NSH is still submitted to IETF as a draft from industry vendors, I think try to avoid waiting for it.
Regards
Mohammed ElSherbiny -
Enabling SAML V2 redirection to target application
Hi Gurus,
I have been facing to issues for which I cannot find any relevant information. I have been trying to enable SSO SAML 2 on our SAP Netweaver Platform and I am not able to configure everything.
I followed the step by step implementation described here:
http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporting+SAP+Logon+Tickets
The only difference lies in the fact that the provider is an external one and not hosted by NW.
The SAML V2 is activated and the SAML backbone of my customer redirects to the endpoint URL I gave for a test (our java portal address). So this is more or less fine.
But my business case is different as redirecting to a fixed URL: I want to allow any user to run any BEx queries to be authenticated via SAML 2 backbone and to be redirected to the initially targeted query.
Meaning:
A user is accessing the following URL:
http://<server_name>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplatform_add_ons!2fcom.sap.ip.bi!2fiViews!2fcom.sap.ip.bi.bex?QUERY=<query_id>
The actual situation: the user is getting redirected to the SSO backbone and back to the endpoint I gave meaning:
http://<server_name>/irj/portal
What I would like to have as a behaviour is to:
1- the user request any URL hosted on our Java (it can be BEx query as well as a Web Dynpro application called)
2- he is getting authenticated by the SSO Backbone and redirected to the original URL
I am not an admin and it is hard for me to find the relevant information.
Thanks for helping me!
Cheers,
Cyril.
Hello,
although an answer to my question was provided it doesn't really solve the problem because in order to be able to get the patch that fixes the flaw it requires as described at the bottom of the page of My Oracle Support website that "This site is intended solely for use by authorized Oracle customers, partners, and employees."
I'm not currently part of any of these groups so access to such resources is denied for me. So, I would kindly request from someone to explain to me the purpose of this kind of policy. Oracle Apex and Oracle Database XE are supposed to be free products. Why do patches of discovered bugs on these products require special privileges to access them? I say this because now I have to wait for several weeks or even months for the next release of APEX to be able to continue my study.
I would really love to hear a comment on this issue.
Thank you very much. -
WRVS4400N traffic redirection depend on host header
Hello,
I have a question related to WRVS4400N. Do you plan adding feature, in short described as:
- related to specific port , for example port 80/HTTP
- depend on the host header, router to forward the traffic to internal IP1, IP2 and so on. Example - if I have Internet site A that I host on internal IP1, and Internet site B that I host on internal IP2, router automatically to redirect the traffic to the necessary IPs depend on the site names.
And the second question - do you have such feature already made in other products?
While you can set up Single Port Forwarding to map incoming HTTP requests to a particular NAT IP on the LAN side of the Router, I don't see a way we can read the hostname out of the HTTP message and map to a particular device on the subnet, no. Since your WebSite will DNS resolve to the WAN IP of the router, it would seem like we would be limited to one Webserver sitting behind that WAN IP.
Adding a second Router will resolve this, and may be preferable if traffic rates will be high (more bandwidth per web host) -
I use a website about 2 or 3 times a week. After logging onto the website, it needs to redirect me to another page but always asks for my permission to allow.
Where in the Tools, Options does it allow me to give automatic permission to be redirected. Otherwise, I sit looking at the screen waiting for it to change, having not noticed the bar at the top of the page, waiting!!
Thanks
Go to the Advanced panel of the Options dialog, in the General tab there is a setting "Warn me when web sites try to redirect or reload the page"
-
I have a RV 120W VPN where I wish to route HTTP traffic from local host to remote proxy server. How can i do it.
-
How can I redirect the https requests to my CE. Would it work's in transparent mode? Could anyone send me a sample config?
Thanks!
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting. -
WLC - Web Traffic redirection without using Web Auth?
Hi there,
I am in need of solution to integrate it to WLC where the Guest Users can use the wireless access and then be redirected to the company's website once they open a browser.
This is where the guest users will no longer click any buttons (or accept any certificates). Once the browser is hit it will automatically go to the company's website.
You can use pfsense or monowall (there are others, but these are the top two open source splash screen portals) or a commercial offering as the gateway
pfsense is bsd based and has more features than monowall. The splash can be http or https and is fully customizable. -
hi
I use many ranges of ip in my network, and I need to config my router; if a client have a web request from this source address 192.168.20.0/24 to any, should be redirect to a specific web page.
the web server is in my network and our client can ping it now.
thanks
how can I redirect it?
-
Enabling AFP traffic through firewall
I have set the access for specific services and applications in the firewall settings. I frequently enable AFP-filesharing. Even though the AFP protocol appears in the list for allowed services when enabled, connections are not possible until I disable firewall altogether. This, however, is laborious and undesirable security-wise. Is it possible to use AFP while the firewall is still running?
Yes it is -- I do. How is Sys Prefs > Sharing > File Sharing > Shared Folders and Users (for each shared folder) set up? (You will need to unlock the padlock to show users and their permissions).
In the interim, is this computer confined to a residential network? Do you implicitly trust all the other users on your home network? If wireless (who isn't?), are you using WPA2 with a strong password? If so, then if the home router has NAT enabled and its port-based firewall is keeping all the riffraff out, I wouldn't be too overly concerned while you are trying to get this working the way that it should. -
How to enable VLAN traffic in Mac book Pro
Hi
i am running Yosemite OS on MACBOOK PRO 13" also windows 8.1 running on parallel V10 (the latest one).
in my line of work, we use custom tools to communicate with our products, all the tools are based on windows and running in layer 2.
some of the tools transmits with VLAN ID, I can see that the packets are sent with VLAN but nothing is returned, deeper inspection I found that the returned packet, that it is also tagged with VLAN, is simply dropped and doesn't reach the windows.
on a regular windows machine, i can control the VLAN setting in the NIC configuration and typically what the NIC is doing is decapsulation the VLAN.
How do i do the same on a MAC?
Please help.
thanks
iPhoto does NOT come with the OS. It is a separate App. Yes it is included on every Mac when new.
Since you are running Snow Leopard 10.6.8 you got 2 DVDs with your system. One is for installing the operating system, OS X, and the other is for reinstalling the iLife Apps that come with every Mac.
So find your original system discs and the Applications disc in particular. Delete, "Move To Trash", the current iPhoto app then reinstall from that Applications disc. Then use Software update to update it to the most current version. -
Enable WebAuth on WLC to intercept https (or https redirection) for authentication
Hi all
My company is using WLC with Guest access feature, and use Layer 3 security authentication to permit only Guests who provided valid user/password to access.
But we met an issue that, when guests connect to Guest SSID successful, on PC they have to open web browser and access to 1 website by http, after that WLC will intercept and redirect to authentication page.
If customer access to https (as google, gmail, ...) WLC cannot intercept and redirect to authentication. Because almost customers access to https://google.com at first by their habit.
On my firewall, I can do intercept by both http and https, so I wonder on WLC I can enable intercepting and redirecting to authentication of https also
If possible, please advise us how to enable this feature.
Regards
Hai Dao Tuan
Thanks all
I also just found a link that mentions about this case clearly and commands to enable it
https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth
(WLC)> config wlan security web-auth enable <wlan-id>
(WLC)> config network web-auth https-redirect enable