Route to WSA based on destination
Dear,
I need to purchase two IronPort boxes, one for the ADSL line and a second for the leased line.
My aim is that when a user opens a business site it goes through the leased line, and when they open a non-business site it goes through ADSL.
I need a solution to achieve this.
And can I predefine the business and non-business sites?
Hello,
Unfortunately the WSA cannot control which requests get sent to it; it simply listens for traffic coming to its interface on specific ports (80, 3128, 21, 443). When it comes to specific URLs being routed to one WSA or another it will require that you have a device that can inspect the traffic at Layer 4 (HTTP/HTTPS/FTP) and make a routing decision based on the URI in the HTTP header.
You could add a 3rd WSA to route the traffic using an upstream proxy configuration. You would use proxy groups and routing policies to match Custom URL categories or predefined URL categories to send to one of the two upstream proxies.
Other than adding an additional device to route the traffic, you could look into Policy based routing or using multiple WCCP services (one for each WSA) and creating an ACL to match the business sites' IP addresses vs the non-business sites. This could become an issue as most websites use dynamic IP schemes.
Hope this helps.
Best Regards,
Michael Hautekeete
Customer Support Engineer
Cisco Content Security - Web Security Appliance
http://www.cisco.com/en/US/products/ps11169/serv_group_home.html
https://supportforums.cisco.com/community/netpro/security/web
https://supportforums.cisco.com/community/feeds?community=2091
Similar Messages
-
How i can route the traffic based on destination address ?
Dears,
As you can see in the image i have two different setups.
ISP A setup is completely dedicated for Production & ISP B setup is dedicated for whole staff internet.
Below is the network information;
Firewall:
GigE0/0 - PUBLIC IP (PAT)
GigE0/1 - 192.168.0.1/24 no dhcp
ISP B Router:
ATM 0 - PUBLIC IP (PAT)
FaE0/0 - 192.168.0.2/24
FaE0/1 - 192.168.92.1/24 dhcp
Servers - 192.168.0.xxx/24
Clients - 192.168.92.xxx/24
All the clients have internet access through ISP B.
If a client wants to connect to any of the servers, what kind of configuration is required on the ISP B router? I thought of route-maps or doing static routing between the Firewall & ISP B Router but I am not sure which is the best practice to do so.
Kindly suggest with some suitable solutions.
Regards
@Mohammed
Hi Shareef,
Below is the example of PBR.
ip access-list extended Redirect_PBR
 permit tcp host 192.168.92.10 host 192.168.0.10 eq 443
 permit tcp host 192.168.92.10 host 192.168.0.10 eq 21
 ! etc.
route-map Client_Server permit 10
 match ip address Redirect_PBR
 ! next hop: Server LAN
 set ip next-hop 192.168.0.1
interface FastEthernet0/1
 ip policy route-map Client_Server
You can have the required filtered rule created as an ACL... you can restrict however you want. Map that ACL to the route map and set a next hop to the needed routing point. Then finally map that ACL to the interface of the router. In this case all traffic mentioned in the route map and access-list will follow the PBR rule. All other traffic will route as usual with the default route.
Hope this helps
Regards
Karthik -
Route decisions based on destination TCP port with EIGRP
Need information and plausibility on making routing decisions within EIGRP based on different destination TCP port. I have a third party partner that we communicate with and they are adding a second location which we will connect to. They are wanting to use the same destination host IP but make route decision based on destination TCP port; i.e. if we target tcp 6123 they want us to route down link A to site A, if we target tcp 7123 we would route down link B to site B. I have never had to make that happen so I am looking into whether it actually can and if so what is basic configuration to pursue. We use static IP routes to/from them today and will in the future at the edge, those are distributed internally to our EIGRP. Can EIGRP make decisions based on IP and Port?
No routing protocol makes decisions based on port number as far as I know.
You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
Depending on your connections you may well need to use tracking as well but it depends.
If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
If you do a search on PBR you should find quite a few examples but if you get stuck then by all means come back. -
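The first-match behaviour that both PBR replies above rely on (the Redirect_PBR example and the port-based suggestion in this thread), modelled as an added example that is not from either poster. The ACL entries, next hop 192.168.0.1 and ports 6123/7123 come from the posts; the partner host 203.0.113.10, the labels "link A"/"link B" and all function names are assumptions of this example.

```python
import ipaddress

# Clause list modelled on the Redirect_PBR reply (values from that post).
CLIENT_SERVER = [
    (["permit tcp host 192.168.92.10 host 192.168.0.10 eq 443",
      "permit tcp host 192.168.92.10 host 192.168.0.10 eq 21"], "192.168.0.1"),
]
# Port-based split from the EIGRP question. The host address and next-hop
# labels are constructed placeholders; only the ports are from the post.
PARTNER = [
    (["permit tcp any host 203.0.113.10 eq 6123"], "link A"),
    (["permit tcp any host 203.0.113.10 eq 7123"], "link B"),
]
ROUTING_TABLE = "routing table"  # stands for the normal destination lookup


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse one extended ACL entry; only numeric 'eq PORT' is handled."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = int(tokens[1]) if tokens and tokens[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _addr_match(addr, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(acl_lines, proto, src, dst, dport):
    """First matching entry decides; no match means the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and _addr_match(src, ace["src"])
                and _addr_match(dst, ace["dst"])
                and ace["port"] in (None, dport)):
            return ace["action"] == "permit"
    return False


def policy_next_hop(policy, proto, src, dst, dport):
    """Walk the route-map clauses in order; unmatched traffic is routed normally."""
    for acl_lines, hop in policy:
        if acl_permits(acl_lines, proto, src, dst, dport):
            return hop
    return ROUTING_TABLE
```

Traffic that no clause permits falls through to the routing table, which is why an ACL that is too narrow or too broad changes the path silently.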
Prioritize traffic based on destination IP?
Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
Thanks!
Jerry, I would try something like in the second config example I mentioned. Keep in mind, if the ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VOIP traffic high priority, it should go out the interface first during congestion. Don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VOIP traffic, VPN traffic and User PAT (outbound NAT) traffic on separate IPs. That will help when defining the access-lists. This QoS stuff is kind of tricky and is a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to the ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VOIP traffic. The same results apply when I test a big upload to the internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I used the show QoS commands to see traffic drops, etc. so YMMV!
Take a look at this link for ASA 7.X release, which may give you some ideas:
"QoS based on ACL with VPN Configuration". You can change the ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Will -
Oracle ESB - Message routing support & content based routing
Hi Friends,
Can anyone please let me know how message routing and content based routing is happening in Oracle ESB.
Check this...
http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/tasks.htm#i1116351
And this...
https://forums.oracle.com/forums/ann.jspa?annID=893 -
Cannot connect using Accessing the Router's Web-Based
I'm trying to update firmware, I have done all the steps to access the router's web-based.. I connected DSL to the Ethernet port on the router, from the router I used another Ethernet cable to connect the router to my laptop.. I can't get an internet connection. The reason why I'm doing the update: I have been using WRT54G2 V1 with no problems, all at once I can't connect to the internet using the router. I was told that I need to perform a firmware update.
Thank you for the help
What's the IP address and the default gateway you are getting on the computer?
Connect the DSL modem to the Internet port of the router then use port number one on the router to connect the computer.
Click on Start > Run > type CMD, hit Enter, and the command prompt window will appear on the screen.
In the command prompt window type "ipconfig" and hit Enter. Now you will see the IP address and the default gateway on the screen. Use the default gateway to open the setup page of the router. -
WRT54GX4 - Difficulties Accessing the Router's Web-Based Setup Page
WRT54GX4 - Difficulties Accessing the Router's Web-Based Setup Page.
I have tried everything posted to the forums and the Knowledge Base for several weeks now with no luck. I can power push router and gain access to router's web-base interface but only for a few minutes, then it quits loading part way through and or does not load at all. If I turn off the wireless side I can access the router at will with no problems. My warranty is almost over. I am at my wits' end. I would like to get it replaced under warranty if I can. (^8
Thank you for your recommendations peanuts. (^8
I bought the router back in December 10, 2006.
I updated the firmware to v1.00.20 back in June 2007. After I did a successful firmware upgrade I reset the router to factory default settings and then reconfigured it. It has worked Ok till a couple of months ago.
I have read everything I can find here on the support forum and in the Knowledge Base several times.
I have tried changing all the different settings to the different recommendations posted here and in Knowledge Base with no success. Each time I would do a long reset back to factory defaults, let it soak for a few hours and then make one change at a time and let it soak.
I have been monitoring 6 other wireless AP(s) around me (none mine) for a couple of months too. None of them are strong enough to connect to. My SSID is different from them. I have tried all the channels. My router is passworded and MAC'd.
It is looking like it is time to call support and try to get a replacement under warranty while it is still in effect. -
Error in router's web-based setup page (WRT54G V5)
Hi,
My router’s web-based setup page is unable to load fully.
There seems to be an error with some document.setup.save file.
I have tried to reset my router but the router’s web-based setup page is still unable to load fully.
Please help.
Thanks.
Try Internet Explorer, it usually works.
JavaScript must be enabled.
Temporarily turn off your computer's software firewall, and see if that corrects your problem.
Hope this helps. -
Content based Routing Vs Message based Routing
Hi friends,
Can you please differentiate Content based Routing and Message based Routing?
Hi,
Content based routing is when the receiver is determined based upon some value in the message, i.e. for a field 'a' the receiver is A but if it's 'b' the receiver is B. This is determined at runtime.
While message based is normal routing
Regards, -
Routing based on destination IP and traffic type
Is it possible to route traffic based on the destination IP and the type of traffic?
ASA5512
Software 9.2.1
We have an ASA 5512 that is used as a VPN termination point. Our employees connect from one of our customer sites to this VPN point. The customer also hosts services on the same IP address that our employees use to access our VPN on.
What I want to do is to use a different route for certain traffic to take to get to these other services provide by our customer, for instance they offer an FTP site and I want to use a different route to get our internal users to this FTP site. Is this possible to achieve?
Any help would be greatly appreciated.
Murray
Technically speaking the ASA doesn't do policy based routing. However, you might be able to simulate something similar to PBR by using a combination of static routes and NAT.
If you describe your Network setup, ASA, and how the alternate route is connected to your customer, we might be able to help you better.
Please remember to select a correct answer and rate helpful posts -
HU routing to Staging area based on destination Storage type
Hi Experts,
I have a requirement where I need to route the HUs coming out from same VAS work center to the different staging areas according to the destination storage types.
Say for example,
VAS Workcenter - VAS1
HUs completed out of the VAS1 workcenter should be put away into the destination storage types (RS11, RS12, RS13, RS14) through the staging areas (ST11, ST12, ST13, ST14 respectively)
Any ideas how to achieve this through customizing to route the HUs through relevant staging areas ( VAS1 -> ST11 -> RS11, VAS1 -> ST12 -> RS12, etc..,)
Rgds
-Shravan
Thanks to everyone for your response.
Regarding Juergen's questions, here I am talking about the inbound process
RSXX are final storage types, where the materials will be finally put away
Staging area(work center) is used for inbound where we consolidate the materials going to same storage type (building), to the one trolley
The product put away WT is created when we complete the HU in the staging area workcenter (Final step IBS1 in the process), so we are not able to know to which storage type the product will be moved, until the HU is completed in the staging work center.
Rgds
Shravan -
Need to route traffic based on destination to 2 different routers
I have a 4451X that has a default route of 10.10.48.1. I have 2 other internet routers at 10.10.48.15, and 172.31.1.3.
The router at 172.31.1.3 is a VPN firewall and has a VPN to 3 specific IP networks. 172.31.252.0/24, 192.168.252.0/24, and 192.168.163.0/24.
I need the traffic headed to the 3 VPN'd networks to route to 172.31.1.3, and the remaining traffic to route to 10.10.48.15.
The source network is 172.31.0.0/23 and the gateway of the machines is 172.31.0.1.
I tried creating a PBR but the internet traffic seems to go outbound through the router's default route of 10.10.48.1 and not 10.10.48.15.
I am sure I am just missing something silly.
Here are the relevant portions of the config:
interface GigabitEthernet0/0/1
 ip address 172.31.0.20 255.255.254.0
 ip nat inside
 ip policy route-map Test
 negotiation auto
 vrrp 1 ip 172.31.0.1
 vrrp 1 priority 105
interface GigabitEthernet0/0/1.2
 encapsulation dot1Q 2
 ip address 10.10.48.12 255.255.255.224
 ip nat inside
 ip access-group 199 in
 vrrp 1 ip 10.10.48.3
 vrrp 1 priority 105
 vrrp 2 priority 105
 no cdp enable
ip route 0.0.0.0 0.0.0.0 10.10.48.1
ip route 0.0.0.0 0.0.0.0 172.31.1.3 2
access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.163.0 0.0.0.255
route-map Test permit 19
 match ip address 116
 continue 20
 set ip next-hop 172.31.1.3
route-map Test1 permit 20
 set ip next-hop 10.10.48.15
Thanks in advance.
Burton Hallman
Firstly I'm not sure why you have two default routes if everything is meant to go via 10.10.48.1?
That aside, in terms of your PBR -
1) remove the continue statement. I don't know what it is meant to be doing but as far as I know it has no effect with PBR
2) more importantly your second statement is using a different route map name ie Test1 which makes it a completely different route map so the one applied to the interface only has the first statement in it which is the one for VPN traffic.
Jon -
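A small configuration check for the two problems the reply above points out, as an added example that is not from either poster. The embedded lines are the route-map portions of the posted config; the function names `parse`, `lint` and `apply_reply_fixes` are assumptions of this example.

```python
import re

# Route-map portions of the configuration posted in the question above.
CONFIG = """\
interface GigabitEthernet0/0/1
 ip policy route-map Test
access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
route-map Test permit 19
 match ip address 116
 continue 20
 set ip next-hop 172.31.1.3
route-map Test1 permit 20
 set ip next-hop 10.10.48.15
"""


def parse(config):
    """Return (applied, maps, acls) collected from an IOS-style config."""
    applied, maps, acls = {}, {}, set()
    iface = clause = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface, clause = m.group(1), None
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
            iface = None
            clause = maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), [])
        elif m := re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", line):
            acls.add(m.group(1))
            iface = clause = None
        elif iface and (m := re.match(r"ip policy route-map (\S+)", line)):
            applied.setdefault(m.group(1), []).append(iface)
        elif clause is not None:
            clause.append(line)  # match / set / continue lines of this clause
    return applied, maps, acls


def lint(config):
    """List route-map problems that keep PBR from doing what was intended."""
    applied, maps, acls = parse(config)
    findings = [f"{n}: applied with 'ip policy' but never defined"
                for n in applied if n not in maps]
    for name, clauses in maps.items():
        # A route-map may serve other features; here only PBR use is checked.
        if name not in applied:
            findings.append(f"{name}: defined but not applied to any interface")
        for seq, cmds in clauses.items():
            for cmd in cmds:
                if (m := re.match(r"continue (\d+)", cmd)) and int(m.group(1)) not in clauses:
                    findings.append(f"{name} {seq}: continue {m.group(1)} has no such sequence in {name}")
                if (m := re.match(r"match ip address (\S+)", cmd)) and m.group(1) not in acls:
                    findings.append(f"{name} {seq}: ACL {m.group(1)} is not defined")
    return findings


def apply_reply_fixes(config):
    """The two changes from the reply: drop 'continue', use one route-map name."""
    return config.replace(" continue 20\n", "").replace("route-map Test1 ", "route-map Test ")
```

Run against the posted lines, `lint` reports the dangling `continue 20` and the unapplied `Test1`; after `apply_reply_fixes` it reports nothing.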
How do I NAT based on destination port while source port can be ANY
Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes across the IPSEC Tunnel - I also want remaining Internet Traffic to route normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snap shot of the config:
object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
 nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based
A static policy NAT with Access list will not work as you must specify a single source port - since there is no way to predict the source port this won't work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.
Karen-
Results: Did not work. The web based shortcuts did not appear.
Below is the steps taken with your tips incorporated. (Again it's lengthy sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
Here is what was done:
1. Installed a fresh install of Windows 8.1 enterprise on a pc. No updates were ran.
2. During setup created the admin account.
3. Logged into the account a simple start screen was arranged and setup by:
Starting desktop Internet Explorer. Going to Technet's website. Clicked tools and then selecting "Add site to Apps" from the drop down menu. Went to Apps screen, right clicked and pinned it to start screen. Repeated this procedure with an educational web based site.
Right clicked a few provisioned apps and unpinned them from the start screen.
Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
export-startlayout -path C:\Users\Public\Master.xml -as xml
(Master is the name chosen for this test .xml file and was put in a location all users would have privileges to access it).
5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar I choose the Start Screen Layout.
7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
9. Logged out of the initial account and logged into newly created Alpha account.
10. When the Alpha account logged in the start screen came up with everything changed in the initial account but no web based shortcuts were found on the start screen or App view. -
Changed source address based on destination IP
Hello,
Suppose I had the following configuration in an IOS router
interface <interface type/number>
 ip address 1.1.1.3 255.255.255.0 secondary
 ip address 1.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip access-list standard INTERNET_BOUND_ACL
 permit <lan subnet-id> <lan wildcard>
ip nat inside source list INTERNET_BOUND_ACL interface <interface type/number> overload
I need to change the source inside global IP address based on the destination outside global IP address.
Example: I need our source IP to be 1.1.1.3 when I ping 8.8.8.8
How would I accomplish this?
Hi,
You would need to use two NAT pools and two different ACLs to separate your internal clients depending on the destination they want to communicate with, and to subsequently NAT them using a selected NAT pool. For example:
ip access-list extended NAT_2
 permit ip <LAN Network> <Wildcard> <DestinationX> <WildcardX>
ip access-list extended NAT_3
 permit ip <LAN Network> <Wildcard> <DestinationY> <WildcardY>
ip nat pool NATPOOL_2 1.1.1.2 1.1.1.2 netmask 255.255.255.0
ip nat pool NATPOOL_3 1.1.1.3 1.1.1.3 netmask 255.255.255.0
ip nat inside source list NAT_2 pool NATPOOL_2 overload
ip nat inside source list NAT_3 pool NATPOOL_3 overload
Exactly one of the ACLs should actually contain an entry saying
permit ip <LAN Network> <Wildcard> any
to make sure that the internal network gets translated to one of the two public addresses even if it does not communicate with any specific destination IP.
Do you believe this could be a workable solution for you?
Best regards,
Peter -
Can not login to my EA4500 router's web based setup page
Hello All - I have an EA4500 router. I attempted to login to my router's web based setup page late last year using my IE11 browser. I received an error message stating that I cannot login with that browser. I need an updated IE, Google Chrome or Mozilla Firefox to be able to visit that site. I attempted about 3 more times and received the same error message. I switched to Google Chrome, which worked very well up to tonight (3/31/2004). Cisco web page is preventing me from opening my setup page. I believe I should be contacting Customer Support about this problem but none of their support options cover this problem. Thanks in advance.
IE 11 isn't compatible. Use Google Chrome if you don't want to uninstall IE 11 and go back to IE 10.
You can force the local login by disconnecting the cable from the router's internet port and then logging in.
If the Smart Wifi is giving you trouble and you don't mind reconfiguring your router. Then you could disable Smart Wifi services.
To disable Smart Wifi Services:
Reset the router to factory defaults (recessed button for 30 seconds or through the router UI)
For setup choose "I want to skip Setup and configure my router manually"
Please remember to Kudo those that help you.
Linksys
Communities Technical Support