topic http traffic in Network Security

http traffic

prashantrecon — Mon, 11 Mar 2019 23:41:46 GMT

Hi all,

I am facing a typical issue.

I have two router router x and router y.connected to one firewall.

For particular vlan i have diverted the traffic from firewall to a diffrent router(with a dedicated link for vlan).

Just asuume gmail ,hotmail etc all traffic flows fromfireall is diverted router x.

And for one http trraafic (http application given by client flows through router y from firewall)

Link is of 2 Mbps for 10 users.

The problem is the user who connects first connects to that aplication via http traffic has no problem.

But when other two to thrre users connects to that application via hhtp traffic than all the users starts facing problem including the first user.

The recomended bandwidth for 10 users is 1mbps. But we have dedicated 2 Mbps bandwidth for that traffic.

Note- client have provided some public ip for that hhtp traffic.

And for that public ip we have given diffrent route from firewall.

http traffic

sansarav720e — Tue, 14 Aug 2012 05:02:22 GMT

Dear Prashant ,

kindly let me for following things ,

1) Is this same vlan need to access open internet & http application

2) Are you familar with application server IP address ??

3) Are you doing PATing or Static NATing for your LAN segment

4) Does your firewall has been defined with specfic route pointing to your application server to use your 2Mbps circuit .

your firewall should have static routing with application server subnet to use your 2Mbps circuit .

Let me know on this

HTH

Thks

Santhosh Sarav

http traffic

prashantrecon — Wed, 15 Aug 2012 14:41:50 GMT

HI ,

Thanks for your response.

As i already mentioned with one user evertthing work fine for 20 to 25 vminutes and than suddenly gets hanged.

When i captured the packect i found some duplicate packet along with retransmission of packet.

It is related anyrhing to MTU Or mss settings.

Bandwidth is never the issue,

Re: http traffic

sansarav720e — Thu, 16 Aug 2012 02:06:55 GMT

Dear Prashant ,

My insight over here is suspecting something on your NATing ,if you have done Static Nating or dynamic nating this will allow only one user session , if you have only 1 public IP address in your global pool for your internal network transalation to external world .

Try to configure PATing , if you have already configured PATing check for port utilisation , if it exceeds 64000 then u ll have problem , for our scenarion we have only 10 user so there should not be any problem for PATing .

Similalry check at client side http application server , does it allow multiple user session from a single public routable IP address , if it has got restriction to 1 then u need to have multiple induidual routable IP address for each user or Customer owned IP Private IP address for this resolution .

Dynamic NAT has these disadvantages:

•If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often because PAT provides over 64,000 translations using ports of a single address.

•You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078484

HTH

Thks

Santhosh Sarav

http traffic

prashantrecon — Thu, 16 Aug 2012 14:25:35 GMT

Hi santosh,

Today one activity was carried out by me .

With same dynamic nat policy it worked well for 10 users.The onething change was i bypassed the firewall in between of that.

But with same firewall it works well for one user.

On firewall I have an access-list permit ip any any.I donot know what exactly the problem is on firewall.

There is no ips module on it also.

http traffic

sansarav720e — Fri, 17 Aug 2012 02:28:35 GMT

Dear Prashant ,

where you are performing your dynamic nating in same firewall or in some other device ??

1) My insight is on your firewall config , as you said already your firewall is servcing for internet with global PATing . so over here your firewall is performing same PATing for your Application HTTP server .

2) To Avoid usage of global PATing , uses access-list based dynamic NATing on your firewall .

If possible post your firewall system configuration it will be greatful for the resolution . This only configuration error ..

HTH

Thks

Santhosh Sarav

http traffic

prashantrecon — Fri, 17 Aug 2012 03:23:55 GMT

I have directed the traffic from firewall and natted on router.

http traffic

sansarav720e — Fri, 17 Aug 2012 04:02:27 GMT

Dear Prashant ,

Could you please share your firewall configuration . Does your firewall is running PATing for general internet access ??? .