IronPort S170 Not filtering when Backup Internet is Up

Luis Alvarez
Level 1

Hello.

We have a Cisco IronPort WSA S170 (transparent mode) as the web proxy in our network, along with an ASA 5510 version 8.2(5) as the gateway, via WCCP v2. The ASA works with a main Internet connection and has a backup Internet connection in case the main Internet connection goes down.

The IronPort works fine with the main Internet connection, but if the main Internet goes down and the backup Internet comes up, the WSA stops filtering as it should; in fact, when the backup Internet is up, users cannot access sites like Google, Yahoo, etc.

This is our ASA configuration

ASA Version 8.2(5)
!
hostname ASA-COMALA-I
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.1
 description Administracion
 shutdown
 vlan 1
 nameif LOCAL
 security-level 100
 ip address 172.x.0.12 255.255.255.240
!
interface Ethernet0/0.188
 description BACKUP INTERNET ADSL 4M (VPN RESPALDO)
 vlan 188
 nameif INTERNET2
 security-level 0
 pppoe client vpdn group ENLACE-ADSL-BACKUP
 ip address pppoe
!
interface Ethernet0/0.210
 description DMZ
 shutdown
 vlan 210
 nameif dmz
 security-level 50
 ip address 192.168.2.253 255.255.255.0
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 172.x.1.250 255.255.255.0
!
interface Ethernet0/2
 description MAIN INTERNET ADSL 4M PRINCIPAL
 nameif INTERNET1
 security-level 0
 pppoe client vpdn group ADSL-4M-MAIN
 ip address pppoe
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.42.253 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INTERNET1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list extended extended permit icmp any any
access-list vpntelco extended permit ip 172.x.0.0 255.255.0.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 192.168.x.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 192.168.210.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.1.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.255.240
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 172.16.x.0 255.255.255.0
access-list nonat extended permit ip 192.168.x.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.1.0 255.255.255.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 192.168.189.0 255.255.255.0
access-list nonat extended permit ip 172.x.1.0 255.255.255.0 172.16.x189.0 255.255.255.0
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.255.240
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.255.0 172.x.56.0 255.255.255.0
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq www
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq https
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq smtp
access-list INTERNET2_access_in extended permit object-group TCPUDP any interface INTERNET2 eq domain
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq 23346
access-list INTERNET2_access_in extended permit icmp any any
access-list INTERNET2_access_in extended deny tcp host 192.168.2.69 any eq www
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 993
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 465
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 587
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq pop3
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 995
access-list LAN_access_in extended permit ip any host 200.76.208.137
access-list LAN_access_in extended permit ip host 200.76.208.137 any
access-list LAN_access_in extended permit ip any any
access-list Split_Tunnel_List remark la red detras del ASA
access-list Split_Tunnel_List standard permit 172.x.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0
access-list wsa extended permit ip host 172.x.1.119 any
access-list clients remark PERMITE LA VLAN 212 CON ACCESO LIBRE
access-list clients extended deny ip 192.168.212.0 255.255.255.0 any
access-list clients extended deny ip host 172.x.1.20 any
access-list clients extended deny ip host 192.168.2.69 any
access-list clients remark PERMITE AL IRONPORT ESA CON ACCESO LIBRE
access-list clients extended deny ip host 172.x.1.202 any
access-list clients extended deny ip host 172.x.1.118 any
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.210.97.14
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.116.173.69
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.33.61.11
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.76.208.137
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 207.248.70.252
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.175.40.199
access-list clients remark ACCESO A www3.inegi.org.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.23.8.28
access-list clients remark ACCESO A www.siana.telmex.com
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.57.141.242
access-list clients remark ACCESO A tesoreria.colima.gob.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.174.154.134
access-list clients remark ACCESO A ACTUALIZACIONES DE MICROSOFT
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 65.55.58.195
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 157.55.44.71
access-list clients remark ACCESO A portal.prosa.com.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 207.249.145.112
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.148.1.112
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.148.1.105
access-list clients remark oplinea.qualitas.com.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.151.239.111
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.151.239.107
access-list clients remark acceso a www.coppel.com
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 165.254.42.80
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 165.254.42.73
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 64.145.92.41
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 64.145.92.16
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.237.164.114
access-list clients remark ACCESO A BURO DE CREDITO
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.141.53.130
access-list clients remark ACCESO A WEBEX
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 209.197.193.97
access-list clients remark PERMITIR ACTUALIZACIONES DE KASPERSKY
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 38.117.98.199
access-list clients remark BLOQUEA TODO LO DEMAS
access-list clients extended permit ip any any
access-list 180 extended permit ip any any
access-list 7 extended permit ip 140.240.11.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list sucursales extended permit ip 172.x.1.0 255.255.255.0 172.16.x189.0 255.255.255.0
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq www
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq https
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq smtp
access-list INTERNET1_access_in extended permit object-group TCPUDP any interface INTERNET1 eq domain
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 23346
access-list INTERNET1_access_in extended permit icmp any any
access-list INTERNET1_access_in extended deny tcp host 192.168.2.69 any eq www
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 993
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 465
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 587
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq pop3
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 995
access-list INTERNET1_access_in extended permit udp 172.x.1.0 255.255.255.0 host 200.76.208.137 eq isakmp
pager lines 24
logging enable
logging asdm informational
mtu LOCAL 1500
mtu INTERNET1 1500
mtu INTERNET2 1500
mtu dmz 1500
mtu LAN 1500
mtu management 1500
ip local pool telcovpnclient 192.168.161.10-192.168.161.29
ip local pool telcopool 172.16.x.1-172.16.x.15 mask 255.255.255.0
ip local pool sucursales 172.16.x189.100-172.16.x189.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (INTERNET1) 1 interface
global (INTERNET2) 1 interface
nat (LAN) 0 access-list nonat
nat (LAN) 1 192.168.2.69 255.255.255.255
nat (LAN) 1 192.168.212.0 255.255.255.0
nat (LAN) 1 172.x.0.0 255.255.0.0
static (LAN,INTERNET1) tcp interface https 172.x.1.20 https netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface www 172.x.1.20 www netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface smtp 172.x.1.118 smtp netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) udp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 23346 192.168.2.69 23346 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface www 172.x.1.20 www netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface https 172.x.1.20 https netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface smtp 172.x.1.118 smtp netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 23346 192.168.2.69 23346 netmask 255.255.255.255
static (LAN,INTERNET2) udp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 993 172.x.1.21 993 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 465 172.x.1.21 465 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 587 172.x.1.21 587 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface pop3 172.x.1.21 pop3 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 995 172.x.1.21 995 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 993 172.x.1.21 993 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 465 172.x.1.21 465 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 587 172.x.1.21 587 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface pop3 172.x.1.21 pop3 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 995 172.x.1.21 995 netmask 255.255.255.255
access-group INTERNET1_access_in in interface INTERNET1
access-group INTERNET2_access_in in interface INTERNET2
access-group LAN_access_in in interface LAN
!
router eigrp 10
 no auto-summary
 network 10.10.10.0 255.255.255.0
 network 172.x.52.0 255.255.255.0
 network 172.x.0.0 255.255.0.0
 network 172.16.x.0 255.255.255.0
!
router rip
 network 172.x.0.0
 network 192.168.0.0
 version 2
!
route INTERNET1 0.0.0.0 0.0.0.0 200.y.x.226 1 track 1
route INTERNET2 0.0.0.0 0.0.0.0 200.y.x.226 250
route LAN 140.240.11.0 255.255.255.0 172.x.1.121 1
route LAN 172.x.0.0 255.255.255.0 172.x.1.254 1
route LAN 172.16.x110.0 255.255.255.0 172.x.1.121 1
route LAN 192.168.2.0 255.255.255.0 172.x.1.254 1
route LAN 192.168.3.0 255.255.255.0 172.x.1.121 1
route LAN 192.168.6.0 255.255.255.0 172.x.0.10 1
route LAN 192.168.x.251 255.255.255.255 192.168.x.254 1
route LAN 192.168.x.252 255.255.255.255 192.168.x.254 1
route LAN 192.168.212.0 255.255.255.0 172.x.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 25
http 192.168.x.0 255.255.255.0 management
http 172.16.x.0 255.255.255.0 LAN
http 172.x.1.0 255.255.255.0 LAN
http 172.16.x110.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp LOCAL
sla monitor 123
 type echo protocol ipIcmpEcho 200.38.193.226 interface INTERNET1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map TELCO_VPN 10 set transform-set ESP-3DES-SHA
crypto dynamic-map TELCO_VPN 10 set security-association lifetime seconds 4502145
crypto dynamic-map TELCO_VPN 10 set reverse-route
crypto map CLIENT_VPN_TELCO 10 ipsec-isakmp dynamic TELCO_VPN
crypto map CLIENT_VPN_TELCO interface INTERNET1
crypto map CLIENT_VPN_TELCO interface INTERNET2
crypto isakmp enable INTERNET1
crypto isakmp enable INTERNET2
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 172.x.0.0 255.255.0.0 LOCAL
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 60
ssh version 2
console timeout 0
management-access LAN
vpdn group ENLACE-ADSL-BACKUP request dialout pppoe
vpdn group ENLACE-ADSL-BACKUP localname cajacomala
vpdn group ENLACE-ADSL-BACKUP ppp authentication pap
vpdn group ADSL-4M-MAIN request dialout pppoe
vpdn group ADSL-4M-MAIN localname cajaprovidencia
vpdn group ADSL-4M-MAIN ppp authentication pap
vpdn username cajacomala password ***** store-local
vpdn username cajaprovidencia password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp 97 redirect-list clients group-list wsa
wccp interface LAN 97 redirect in
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 nem enable
group-policy sucursales internal
group-policy sucursales attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sucursales
group-policy vpntelco internal
group-policy vpntelco attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntelco
group-policy vpn-comala internal
group-policy vpn-comala attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntelco
group-policy coyuca internal
group-policy coyuca attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
 nem enable
username telco password Jbsl8uLRrOXXvHMU encrypted privilege 15
username telco attributes
 vpn-group-policy vpn-comala
username providencia password ****** encrypted
username admin password UxD2e5tNdy.HlZqZ encrypted privilege 15
username coyuca password HzvJv/pjSBW6LHTo encrypted
username coyuca attributes
 vpn-group-policy coyuca
username corporativo password PEjH0LFRulhoPfas encrypted privilege 0
username corporativo attributes
 vpn-group-policy vpntelco
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group vpntelco type remote-access
tunnel-group vpntelco general-attributes
 address-pool telcopool
 default-group-policy vpntelco
tunnel-group vpntelco ipsec-attributes
 pre-shared-key *****
tunnel-group coyuca type remote-access
tunnel-group coyuca general-attributes
 default-group-policy coyuca
tunnel-group coyuca ipsec-attributes
 pre-shared-key *****
tunnel-group sucursales type remote-access
tunnel-group sucursales general-attributes
 address-pool sucursales
 default-group-policy sucursales
tunnel-group sucursales ipsec-attributes
 pre-shared-key *****
tunnel-group vpn-comala type remote-access
tunnel-group vpn-comala general-attributes
 address-pool telcopool
 default-group-policy vpn-comala
tunnel-group vpn-comala ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect im bloqueo_msn
 description bloqueo_msn
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 65000
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns MY_DNS_INSPECT_MAP
policy-map type inspect skinny Skinny
 parameters
  message-id max 0x141
  timeout media 0:01:00
  timeout signaling 0:05:00
  rtp-conformance
policy-map type inspect sip SIP_Policy
 description Providencia VPN
 parameters
  max-forwards-validation action drop log
  state-checking action drop log
  rtp-conformance
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aa9eceecd7d6eedb30bc4f14e2b6bc03
: end

Attached you'll find both WSA and ASA config files and a topology diagram.

Thank you very much for your Help.

Best Regards.

Note: Both DSL connections belong to the same ISP, that's why the default routes use the same gateway but different interface.
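A useful first check on a dual-ISP failover like the one posted above is whether the backup interface carries the same policy as the primary. The script below is an added example written for this page (not code from the original post or from Cisco): it normalizes every config line that names INTERNET1 or INTERNET2, lists what exists on one ISP interface but has no counterpart on the other, and summarizes the WCCP service (redirect-list, group-list, redirect interface, cache-engine host). The embedded config is a constructed excerpt of the posted lines; the x/y octets are the poster's own masking.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ASA 8.2(5) config posted above (WCCP lines plus
# every line naming an ISP interface); x/y octets are the poster's own masking.
ASA_CONFIG = """\
dns domain-lookup INTERNET1
access-list wsa extended permit ip host 172.x.1.119 any
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq www
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 993
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq www
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 993
global (INTERNET1) 1 interface
global (INTERNET2) 1 interface
static (LAN,INTERNET1) tcp interface www 172.x.1.20 www netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface www 172.x.1.20 www netmask 255.255.255.255
route INTERNET1 0.0.0.0 0.0.0.0 200.y.x.226 1 track 1
route INTERNET2 0.0.0.0 0.0.0.0 200.y.x.226 250
sla monitor 123
 type echo protocol ipIcmpEcho 200.38.193.226 interface INTERNET1
wccp 97 redirect-list clients group-list wsa
wccp interface LAN 97 redirect in
"""
ISP_IFACES = ("INTERNET1", "INTERNET2")

def normalize(line, iface):
    # Make the same policy on either ISP compare equal: the interface name
    # becomes <ISP>; route metric/track options are dropped because primary
    # and backup default routes are expected to differ there.
    line = re.sub(r"^(route \S+ \S+ \S+ \S+).*$", r"\1", line.strip())
    return line.replace(iface, "<ISP>")

def policy_by_isp(config):
    # Map each ISP interface to the normalized lines that mention it.
    seen = defaultdict(set)
    for raw in config.splitlines():
        for iface in ISP_IFACES:
            if iface in raw:
                seen[iface].add(normalize(raw, iface))
    return seen

def parity_gaps(config):
    # {iface: lines present for that ISP but with no counterpart on the other};
    # every entry is a place where the backup path's policy differs.
    seen = policy_by_isp(config)
    a, b = ISP_IFACES
    return {a: sorted(seen[a] - seen[b]), b: sorted(seen[b] - seen[a])}

def wccp_summary(config):
    # WCCP service id, its ACLs, redirect interfaces, and the cache-engine
    # hosts the group-list admits (must include the WSA's address).
    m = re.search(r"^wccp (\d+) redirect-list (\S+) group-list (\S+)", config, re.M)
    if not m:
        return None
    sid, redirect_list, group_list = m.groups()
    ifaces = re.findall(rf"^wccp interface (\S+) {sid} redirect in", config, re.M)
    hosts = re.findall(rf"^access-list {group_list} extended permit ip host (\S+) any",
                       config, re.M)
    return {"service": int(sid), "redirect_list": redirect_list, "group_list": group_list,
            "interfaces": ifaces, "cache_hosts": hosts}
```

On this excerpt the gaps it reports are the SLA probe and `dns domain-lookup` existing only on INTERNET1, and the mail-port rules in INTERNET2_access_in still referencing `interface INTERNET1`; none of these is claimed to be the cause of the symptom, they are simply the asymmetries a reviewer would verify first.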


Luis Silva Benavides
Cisco Employee

Hi Luis,

The Internet "failover" should be totally transparent for the WSA, since it should always be routing traffic to the same internal address. From the WSA config it is 192.168.75.254, which is through the management interface of the WSA. The first thing that comes to my mind is that the backup link fails when it is set as the active link.

Have you tried to bypass the WSA?

Are you able to ping the internet from the ASA when the primary link is down?

Saludos!

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html
