RV042 - Priority Routing HTTP Traffic Over WAN2?

Similar Messages

• How can I route internet traffic over IPSec point to point?

  I have a remote site that connects by IPSEC with the end points on a router and ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an IPrism behind the firewall to filter web access so it seems like I need to point the remote sites default gateway to my routing device that's behind my Iprism? 
  Also, currently the outside interface on the remote site's router does not have an ACL applied, can someone suggest what that ACl should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
  crypto isakmp policy 20
  (encryption parameters here)
  crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
  crypto ipsec transform-set remotesite (encryption parameters here)
  crypto ipsec df-bit clear
  crypto map Mainsite 1 ipsec-isakmp
   set peer x.x.x.x (Public ASA IP)
   set transform-set remotesite
   match address 100
  interface FastEthernet0/0
   description $ETH-LAN$
   ip address 10.1.1.1 255.255.0.0
   ip nbar protocol-discovery
  interface FastEthernet0/1
   description ISP Interface
   ip address x.x.x.x (public IP) 255.255.255.0
   crypto map Mainsite
   crypto ipsec df-bit clear
  ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
  access-list 100 remark Access list Mainsite Access
  access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
  and other various headquarter networks...

  Hi Mark, you can modify your crypto acl to permit any any on your remote site which will make all traffic goes through the tunnel. Then on ASA you need to do hairpinning on the outside interface. This will make users on remote site to access internet via HQ. But if you do it this way the internet traffic goes straight to internet without having them filtered by your iPrism. 
  What I am not sure about is if there is a way to do it if you want those traffics to be filtered by the iPrism before going out to internet. 
  HTH

• Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

  Hello,
  We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
  We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
  Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
  Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
  Questions:
  Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
  If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
  In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
  I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
  Please help.
  Thanks in advance,
  Nick

  We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
  If there are other suggestions, please advise.
  Thanks,
  Nick

• RV042 set route priority

  We are using two RV042s at site with a remote office, and each has a normal internet connection on WAN1. The remote site also has a dedicated wireless link to the Main site so those users can access the server, but the RV042 is routing normal outbound traffic over BOTH WANs instead of just WAN1 (Load Balance).
  How does one set WAN1 as the prinary outbound link? Dual Wan only has "Load Balance" and "Smart Link", .. and there appears to be no way to set the route priority.
      Thanks1
      Lee

  L.V,
  Use Protocol Binding to bind outbound traffic to one WAN port or the other. As an example you can bind all http traffic to WAN 1 so anyone browsing the web will connect over that WAN port only. If WAN 1 goes down, then the traffic will route to WAN 2.
  - Marty

• Encapsulate ODBC traffice over HTTP???

  Does anyone know if it's possible to have an external client (in the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is, Is is possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
  Thanks in advance,
  John Sebastian

  Probably not easily, no.
  If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
  It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
  Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
  Justin

• Cisco RV042 Firewall Blocking LAN Traffic

  Hello Everyone,
  I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple servers running ESXi.  Intervlan routing is working fine on the current setup; however, I only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpretting).
  Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
  Priority
  Enable
  Action
  Service
  Source
  Interface
  Source
  Destination
  Time
  Day
  Delete
  123
  Allow
  All Traffic [1]
  LAN
  10.10.21.1 ~ 10.10.21.31
  10.10.10.10 ~ 10.10.10.10
  Always
  123
  Allow
  All Traffic [1]
  LAN
  10.10.10.10 ~ 10.10.10.10
  10.10.21.1 ~ 10.10.21.31
  Always
  123
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN1
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN2
  Any
  Any
  Always

  I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
  Below is a scrubbed copy of my switch configuration. 
  config-file-header
  SWITCH01
  v1.3.5.58 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router
  vlan database
  vlan 2
  exit
  no bonjour enable
  hostname SWITCH01
  no logging console
  ip ssh server
  ip ssh password-auth
  clock timezone CEST +1
  interface vlan 1
  ip address 10.10.10.2 255.255.255.0
  no ip address dhcp
  interface vlan 2
  name VIRTUAL-MANAGEMENT
  ip address 10.10.21.1 255.255.255.224
  interface gigabitethernet1
  description ESXI01:VMNIC0:MGMT
  switchport trunk allowed vlan add 2
  interface gigabitethernet20
  description UPLINK
  exit
  ip route 0.0.0.0 /0 10.10.10.1 metric 15
  The routes I have defined is:
  Destination IP
  Subnet Mask
  Default Gateway
  Hop Count
  Interface
  10.10.21.0
  255.255.255.224
  10.10.10.2
  1
  eth0
  10.10.10.0
  255.255.255.0
  0
  eth0
  255.255.252.0
  0
  eth1
  239.0.0.0
  255.0.0.0
  0
  eth0
  default
  0.0.0.0
  40
  eth1
  Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

• RV042 Static Routing Question

  I am currently using RV042 in the two-WAN backup mode. However, I tried the redundant option and am finding it to give me more bandwidth and better performance than only one of the WANs.
  My problem is that in the redundant mode, I am unable to use a few websites that I use on a regular basis. One of the sites is our internet hosted time sheet service and their site just goes crazy when I try to access it through the router set up in redundant mode. I am not even able to login to their site, and it is important for my daily work.
  My question is - can I set up static routes for certain sites so that the router knows to access them through only one of my WANs? For example, if my timesheet software site is 123.123.123.123, and my prefered WAN gateway is 68.68.68.68, can I tell the router to only access this site through the given gateway, even if the router is configured to use either WAN?
  I have tried static routes and it does not seem to work at all.
  For example:
  Site: 123.123.123.123
  SM: 255.255.255.0
  Gateway 68.68.68.68
  When I save this and run the tracert to 123.123.123.123, it goes through the other gateway, and not the one I specified here.
  Any hints are appreciated.
  Thanks,
  Alex P.

  If your using this in load balance mode, go to system management and scroll down to protocol binding.  Chances are your going to a secure site with both wans working and the site sees one connection with two ip addresses coming at it and breaks the connection.  You can do a protocol bind for all your https traffic to go out one wan for all the ip addresses in your network and this should fix the issue.  You can do this for mail and other protocols that would get messed up by the dual wan.  Hope this helps.

• RV042 - Cant route additional internal Subnets to Internet

  HI,
  ive got a problem, which from what im reading, is not an islolated one.
  Currently we have 1 RV042 which provides Internet Traffic for 192.168.16.x/24, in addition to this I also have a test environment sitting in VMware that exists on 192.168.0.x/24. Due to the nature of the test environment, and to ensure that no DHCP traffic (amongst others) leaves the test environment, I have a Linux router which routes between 192.168.0.x/24 and 192.168.16.x/24. For those that understand VMware, the test vSwitch does not have any uplinks, all traffic in and out of the test environment must go through the Linux Router.
  I have a additional route specificed in the RV042 for the 192.168.0.x subnet using the Linux router as the G/w.
  All machines in the test environment can ping/route/connect to machines in the production network, and vice versa (RV042 inc).
  All machines in the Prod environment can access the Internet through the RV042 (both on the 192.168.16.x subnet).
  The machines in the Test environment cannot access the Internet through the RV042, however they can ping the internal (192.168.16.x) interface of the RV042.
  Ive investigated using the Multi-Subnet feature of the RV042 and also homing it on the 192.168.0.x subnet, however this will not work as the 192.168.0.x machines cannot access the physical network without going through the Linux Router and terminating on the 192.168.16.x subnet.
  See Diagram below for clearer idea. Keep in mind that Multi-home the RV042 on the 192.168.0.x network is not an option!!!
  (FOR A FULL SIZE VERSION OF THE DIAGRAM CLICK --> http://www.excelerate.com.au/downloads/rv042.jpg

  HI,ive got a problem, which from what im reading, is not an islolated one.Currently
  we have 1 RV042 which provides Internet Traffic for 192.168.16.x/24, in
  addition to this I also have a test environment sitting in VMware that
  exists on 192.168.0.x/24. Due to the nature of the test environment,
  and to ensure that no DHCP traffic (amongst others) leaves the test
  environment, I have a Linux router which routes between 192.168.0.x/24
  and 192.168.16.x/24. For those that understand VMware, the test vSwitch
  does not have any uplinks, all traffic in and out of the test
  environment must go through the Linux Router.I have a additional route specificed in the RV042 for the 192.168.0.x subnet using the Linux router as the G/w.All machines in the test environment can ping/route/connect to machines in the production network, and vice versa (RV042 inc).All machines in the Prod environment can access the Internet through the RV042 (both on the 192.168.16.x subnet).The
  machines in the Test environment cannot access the Internet through the
  RV042, however they can ping the internal (192.168.16.x) interface of
  the RV042.Ive
  investigated using the Multi-Subnet feature of the RV042 and also
  homing it on the 192.168.0.x subnet, however this will not work as the
  192.168.0.x machines cannot access the physical network without going
  through the Linux Router and terminating on the 192.168.16.x subnet.See Diagram below for clearer idea. Keep in mind that Multi-home the RV042 on the 192.168.0.x network is not an option!!!
  Hi,
  As per the above conclusion it is clear thattraffic behind the linux router is not getting natted and unable to use the internet,try configuring linux router for ip table.
  http://www.karlrupp.net/en/computer/nat_tutorial
  Hope to Help !!
  Ganesh.H
  Remember to rate the helpful post

• Intercepting all http traffic and forwarding to VIP on CSM?

  We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!

  Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!

• SG300 Redirect HTTP Traffic to Proxy

  Dear Cisco Community,
  We have the following setup
  1 x SG300 Switch in Layer 3 Mode
  VLAN 100 (Management VLAN)
  VLAN 200 (Data VLAN for Internet Users)
  The SG300 has an IP4 Interface in each VLAN:
  100: 10.1.1.254 / 24
  200: 10.1.2.254 / 24
  The internet gateway (Zyxel USG-100) is located in VLAN 100.
  In order to restrict the web browsing acitivites, we're in the process of implementing a Proxy server (GFI Webmonitor).  Is it possible, to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server?  I was thinking of a static route, but then this would apply to all traffic.  Another option would be to block port 80/443 traffic using an ACL I suppose=
  Any input will be highly appreciated, thank you!
  Kind regards,
  Romeo

  Hi Mohamad,
  I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
  CSM-S Configuration Examples
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
  Another way is like this:
  serverfarm REDIRECT
    nat server
    no nat client
     redirect-vserver REDIRECT
      webhost relocation https://www.example.com/
      inservice
  serverfarm SSL_DC
    no nat server
    no nat client
    real 192.168.78.36 local
     inservice
  vserver VSERVER_80
    virtual 192.168.78.35 tcp 80
    serverfarm REDIRECT
    persistent rebalance
    inservice
  vserver VSERVER_443
    virtual 192.168.78.35 tcp 443
    serverfarm SSL_DC
    persistent rebalance
    inservice
  Hope this helps get you started.
  Sean

• Muliticast Traffic Over ATM Link

  Hi,
  I have a ATM link (45Mb/s) between 2 location . In one of my locations I multicast 4 diffrent Video traffic. But my 4 multicast traffic is going to the source router by 1 Fastethernet port and after that it's going to destionation over the ATM link. now I have a issue on destionation . I need to seperate 4 multicast traffic on the destionation router . it has to be  1 on of my multicast traffic going through VLAN 123 and other 3 multicast traffics going through VLAN 200.
  now all of the multicast traffic is going trough vlan 123.
  any body can help me on this issue?
  thanks
  Mike

  Hey Stephan,
  The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms.  This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
  In short, 'vpc bind-vrf' is not required on N7K.
  -Andy

• Ironport not forwarding HTTPS traffic

  We have recently been trying to setup a BYOD wireless network and the wireless Clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053) as we do not want the BYOD users to have to configure their proxy settings.
  We have created an Identity which matches the Subnet given to BYOD devices with no authentication and then an Access Policy for filtering, all this works as long as the traffic is HTTP, as soon as you try to access anything using HTTPS then the Ironport seems to drop the traffic as it never hits the firewall and the page cannot be displayed.
  Any domained clients which have the Ironport address as their proxy work fine.
  The Ironport is not set to bypass any addresses in bypass settings.
  I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded and any pointers as to why this is would be gretly appreciated.
  Many thanks,
  Neil.

  Hi Igor and Neil,
  As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.
  following is the extract from the doco.
  " When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "
  If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.
  Thanks,
  Wipula.

• Transporting QinQ traffic over L2 EoMPLS circuit

  Hello,
  Suppose that we have QinQ traffic that reaches a GigabitEthernet interface of a GSR. (The second VLAN tag has been previously imposed at a dot1q-tunnel interface of some edge switch. Traffic that reaches the GSR has 2 VLAN tags.) We want to deliver this traffic (over an MPLS backbone) to the GigabitEthernet interface of another GSR. What configuration options are there ? Would a configuration like the following (symmetrically configured at both GigabitEthernet interfaces) work and why ?
  interface GigabitEthernet s1/s2/s3.x
  encapsulation dot1Q x
  xconnect <peer-router-id> <vc-id> encapsulation mpls
  (x above is supposed to play the role of the outermost/service VLAN tag)
  I am wondering whether the command encapsulation dot1q second-dot1q is actually needed or not.
  Any answers or documentation or related standards/drafts will be appreciated.
  Kind Regards,
  Maria

  HI Maria, [Pls RATE if HELPS]
  I have implemented a Scenario as below:
  Base Station - A
  =================
  Metro Edge Switch Config:
  int Gi 0/46
  switchport access vlan 402 >> OuterVLAN in QnQ
  switchport mode dot1q-tunnel
  description X-Connect to BaseStation-LAN
  Base Satation LAN Switch Config:
  int GI 0/45
  description X-connection to Metro Edge
  switchport trunk encapsulation dot1q
  switchport mode trunk
  Bast Station - B
  =================
  Metro Edge Switch Config:
  int GI 0/46
  switchport access vlan 401 >> OuterVlan in QnQ
  switchport mode dot1q-tunnel
  description X-connect to Bast Station LAN
  Base Station LAN Switch Config:
  int GI 0/45
  description X-Connect to Metro Edge
  switchport trunk encapsulation dot1q
  switchport mode trunk
  NOC:
  ====
  Metro Head end Switch Config:
  int GI 0/45
  description to X-Connect to Provider Edge
  switchport mode dot1q-tunnel
  switchport mode trunk
  Provider Edge Router Config:
  int Gi 0/1.402100
  encapsulation dot1q 402 second-dot1q 100
  !! 402 is the OuterVLAN and 100 is Customer VLAN
  ip address 10.100.0.101 255.255.255.252
  description Customer Bast Station - A
  int Gi 0/1.401100
  encapsulation dot1q 401 second-dot1q 100
  !! 401 is the OuterVLAN and 100 is Customer VLAN
  ip address 10.100.0.101 255.255.255.252
  description Customer Bast Station - B
  In the above Config the QnQ is enabled in the Metro Edge & provider edge routers encapsulation function will be carried out by the edge metro switches and PE Routers. By this way the VLAN's are duplicated are in Metro network itself also making the VLAN allocation locally.
  Hope I am Informative.
  PLS RATE if HELPS
  Best Regards,
  Guru Prasad R

• Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  In your scenario, how is the 'OS X 10.6 Server' supposed to identify which FM machine to proxy the connection to?
  The FM client uses a proprietary protocol, so it's not something simple like HTTP.  Off hand I don't know of any way the server can accept arbitrary connections on port 5003 and know which FM server to relay it to.
  Two options come to mind. One is to nix the OS 10.6 Server altogether - I don't understand this machine's purpose in your network - the second is to setup different ports on the OS X 10.6 Server machine and map each port to a different FM server, e.g. 5003 -> FM11, 5004 -> FM12, then you configure the remote client to connect to a different port number based on the server they want to connect to. I haven't used FM client in a long time to know if this is supported on the client side, but I'm guessing it is.
  Either way, using a proprietary protocol, there's no way for the proxy machine to be able to filter the traffic on any given ports.

• Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?

  In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vpc peer-link, especially for receivers in in non-vPC VLANs and the receivers connected to Layer 3 interfaces.
  I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
  Any hint is welcome!
  Stephan Strack

  Hey Stephan,
  The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms.  This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
  In short, 'vpc bind-vrf' is not required on N7K.
  -Andy