04-15-2013 08:09 AM
Hello.
We have a Cisco IronPort WSA S170 (Transparent Mode) as our Web Proxy in our network along with an ASA 5510 ver 8.2(5) as a Gateway via WCCP v2. The ASA works with a main Internet connection and has a backup internet connection in case the main Internet connection goes off.
The IronPort works fine with the main Internet connection, but if the main Internet goes down and the backup Internet comes up, the WSA stops filtering as it should; in fact, when the backup Internet is up, users cannot access sites like Google, Yahoo, etc.
This is our ASA configuration:
ASA Version 8.2(5)
!
hostname ASA-COMALA-I
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
description Administracion
shutdown
vlan 1
nameif LOCAL
security-level 100
ip address 172.x.0.12 255.255.255.240
!
interface Ethernet0/0.188
description BACKUP INTERNET ADSL 4M (VPN RESPALDO)
vlan 188
nameif INTERNET2
security-level 0
pppoe client vpdn group ENLACE-ADSL-BACKUP
ip address pppoe
!
interface Ethernet0/0.210
description DMZ
shutdown
vlan 210
nameif dmz
security-level 50
ip address 192.168.2.253 255.255.255.0
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 172.x.1.250 255.255.255.0
!
interface Ethernet0/2
description MAIN INTERNET ADSL 4M PRINCIPAL
nameif INTERNET1
security-level 0
pppoe client vpdn group ADSL-4M-MAIN
ip address pppoe
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.42.253 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INTERNET1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list extended extended permit icmp any any
access-list vpntelco extended permit ip 172.x.0.0 255.255.0.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 192.168.x.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 192.168.210.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.1.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.255.240
access-list vpntelco extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 172.16.x.0 255.255.255.0
access-list nonat extended permit ip 192.168.x.0 255.255.255.0 172.16.x.0 255.255.255.0
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.1.0 255.255.255.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 172.x.0.0 255.255.0.0 192.168.189.0 255.255.255.0
access-list nonat extended permit ip 172.x.1.0 255.255.255.0 172.16.x189.0 255.255.255.0
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.255.240
access-list nonat extended permit ip 172.16.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list nonat extended permit ip 172.x.0.0 255.255.255.0 172.x.56.0 255.255.255.0
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq www
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq https
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq smtp
access-list INTERNET2_access_in extended permit object-group TCPUDP any interface INTERNET2 eq domain
access-list INTERNET2_access_in extended permit tcp any interface INTERNET2 eq 23346
access-list INTERNET2_access_in extended permit icmp any any
access-list INTERNET2_access_in extended deny tcp host 192.168.2.69 any eq www
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 993
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 465
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 587
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq pop3
access-list INTERNET2_access_in extended permit tcp any interface INTERNET1 eq 995
access-list LAN_access_in extended permit ip any host 200.76.208.137
access-list LAN_access_in extended permit ip host 200.76.208.137 any
access-list LAN_access_in extended permit ip any any
access-list Split_Tunnel_List remark la red detras del ASA
access-list Split_Tunnel_List standard permit 172.x.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0
access-list wsa extended permit ip host 172.x.1.119 any
access-list clients remark PERMITE LA VLAN 212 CON ACCESO LIBRE
access-list clients extended deny ip 192.168.212.0 255.255.255.0 any
access-list clients extended deny ip host 172.x.1.20 any
access-list clients extended deny ip host 192.168.2.69 any
access-list clients remark PERMITE AL IRONPORT ESA CON ACCESO LIBRE
access-list clients extended deny ip host 172.x.1.202 any
access-list clients extended deny ip host 172.x.1.118 any
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.210.97.14
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.116.173.69
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.33.61.11
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.76.208.137
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 207.248.70.252
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.175.40.199
access-list clients remark ACCESO A www3.inegi.org.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.23.8.28
access-list clients remark ACCESO A www.siana.telmex.com
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 200.57.141.242
access-list clients remark ACCESO A tesoreria.colima.gob.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.174.154.134
access-list clients remark ACCESO A ACTUALIZACIONES DE MICROSOFT
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 65.55.58.195
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 157.55.44.71
access-list clients remark ACCESO A portal.prosa.com.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 207.249.145.112
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.148.1.112
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.148.1.105
access-list clients remark oplinea.qualitas.com.mx
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.151.239.111
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 201.151.239.107
access-list clients remark acceso a www.coppel.com
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 165.254.42.80
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 165.254.42.73
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 64.145.92.41
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 64.145.92.16
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.237.164.114
access-list clients remark ACCESO A BURO DE CREDITO
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 187.141.53.130
access-list clients remark ACCESO A WEBEX
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 209.197.193.97
access-list clients remark PERMITIR ACTUALIZACIONES DE KASPERSKY
access-list clients extended deny ip 172.x.0.0 255.255.0.0 host 38.117.98.199
access-list clients remark BLOQUEA TODO LO DEMAS
access-list clients extended permit ip any any
access-list 180 extended permit ip any any
access-list 7 extended permit ip 140.240.11.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list sucursales extended permit ip 172.x.1.0 255.255.255.0 172.16.x189.0 255.255.255.0
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq www
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq https
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq smtp
access-list INTERNET1_access_in extended permit object-group TCPUDP any interface INTERNET1 eq domain
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 23346
access-list INTERNET1_access_in extended permit icmp any any
access-list INTERNET1_access_in extended deny tcp host 192.168.2.69 any eq www
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 993
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 465
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 587
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq pop3
access-list INTERNET1_access_in extended permit tcp any interface INTERNET1 eq 995
access-list INTERNET1_access_in extended permit udp 172.x.1.0 255.255.255.0 host 200.76.208.137 eq isakmp
pager lines 24
logging enable
logging asdm informational
mtu LOCAL 1500
mtu INTERNET1 1500
mtu INTERNET2 1500
mtu dmz 1500
mtu LAN 1500
mtu management 1500
ip local pool telcovpnclient 192.168.161.10-192.168.161.29
ip local pool telcopool 172.16.x.1-172.16.x.15 mask 255.255.255.0
ip local pool sucursales 172.16.x189.100-172.16.x189.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (INTERNET1) 1 interface
global (INTERNET2) 1 interface
nat (LAN) 0 access-list nonat
nat (LAN) 1 192.168.2.69 255.255.255.255
nat (LAN) 1 192.168.212.0 255.255.255.0
nat (LAN) 1 172.x.0.0 255.255.0.0
static (LAN,INTERNET1) tcp interface https 172.x.1.20 https netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface www 172.x.1.20 www netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface smtp 172.x.1.118 smtp netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) udp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 23346 192.168.2.69 23346 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface www 172.x.1.20 www netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface https 172.x.1.20 https netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface smtp 172.x.1.118 smtp netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 23346 192.168.2.69 23346 netmask 255.255.255.255
static (LAN,INTERNET2) udp interface domain 172.x.1.22 domain netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 993 172.x.1.21 993 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 465 172.x.1.21 465 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 587 172.x.1.21 587 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface pop3 172.x.1.21 pop3 netmask 255.255.255.255
static (LAN,INTERNET1) tcp interface 995 172.x.1.21 995 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 993 172.x.1.21 993 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 465 172.x.1.21 465 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 587 172.x.1.21 587 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface pop3 172.x.1.21 pop3 netmask 255.255.255.255
static (LAN,INTERNET2) tcp interface 995 172.x.1.21 995 netmask 255.255.255.255
access-group INTERNET1_access_in in interface INTERNET1
access-group INTERNET2_access_in in interface INTERNET2
access-group LAN_access_in in interface LAN
!
router eigrp 10
no auto-summary
network 10.10.10.0 255.255.255.0
network 172.x.52.0 255.255.255.0
network 172.x.0.0 255.255.0.0
network 172.16.x.0 255.255.255.0
!
router rip
network 172.x.0.0
network 192.168.0.0
version 2
!
route INTERNET1 0.0.0.0 0.0.0.0 200.y.x.226 1 track 1
route INTERNET2 0.0.0.0 0.0.0.0 200.y.x.226 250
route LAN 140.240.11.0 255.255.255.0 172.x.1.121 1
route LAN 172.x.0.0 255.255.255.0 172.x.1.254 1
route LAN 172.16.x110.0 255.255.255.0 172.x.1.121 1
route LAN 192.168.2.0 255.255.255.0 172.x.1.254 1
route LAN 192.168.3.0 255.255.255.0 172.x.1.121 1
route LAN 192.168.6.0 255.255.255.0 172.x.0.10 1
route LAN 192.168.x.251 255.255.255.255 192.168.x.254 1
route LAN 192.168.x.252 255.255.255.255 192.168.x.254 1
route LAN 192.168.212.0 255.255.255.0 172.x.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 25
http 192.168.x.0 255.255.255.0 management
http 172.16.x.0 255.255.255.0 LAN
http 172.x.1.0 255.255.255.0 LAN
http 172.16.x110.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp LOCAL
sla monitor 123
type echo protocol ipIcmpEcho 200.38.193.226 interface INTERNET1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map TELCO_VPN 10 set transform-set ESP-3DES-SHA
crypto dynamic-map TELCO_VPN 10 set security-association lifetime seconds 4502145
crypto dynamic-map TELCO_VPN 10 set reverse-route
crypto map CLIENT_VPN_TELCO 10 ipsec-isakmp dynamic TELCO_VPN
crypto map CLIENT_VPN_TELCO interface INTERNET1
crypto map CLIENT_VPN_TELCO interface INTERNET2
crypto isakmp enable INTERNET1
crypto isakmp enable INTERNET2
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet 172.x.0.0 255.255.0.0 LOCAL
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 60
ssh version 2
console timeout 0
management-access LAN
vpdn group ENLACE-ADSL-BACKUP request dialout pppoe
vpdn group ENLACE-ADSL-BACKUP localname cajacomala
vpdn group ENLACE-ADSL-BACKUP ppp authentication pap
vpdn group ADSL-4M-MAIN request dialout pppoe
vpdn group ADSL-4M-MAIN localname cajaprovidencia
vpdn group ADSL-4M-MAIN ppp authentication pap
vpdn username cajacomala password ***** store-local
vpdn username cajaprovidencia password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp 97 redirect-list clients group-list wsa
wccp interface LAN 97 redirect in
webvpn
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
nem enable
group-policy sucursales internal
group-policy sucursales attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sucursales
group-policy vpntelco internal
group-policy vpntelco attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntelco
group-policy vpn-comala internal
group-policy vpn-comala attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntelco
group-policy coyuca internal
group-policy coyuca attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
nem enable
username telco password Jbsl8uLRrOXXvHMU encrypted privilege 15
username telco attributes
vpn-group-policy vpn-comala
username providencia password ****** encrypted
username admin password UxD2e5tNdy.HlZqZ encrypted privilege 15
username coyuca password HzvJv/pjSBW6LHTo encrypted
username coyuca attributes
vpn-group-policy coyuca
username corporativo password PEjH0LFRulhoPfas encrypted privilege 0
username corporativo attributes
vpn-group-policy vpntelco
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group vpntelco type remote-access
tunnel-group vpntelco general-attributes
address-pool telcopool
default-group-policy vpntelco
tunnel-group vpntelco ipsec-attributes
pre-shared-key *****
tunnel-group coyuca type remote-access
tunnel-group coyuca general-attributes
default-group-policy coyuca
tunnel-group coyuca ipsec-attributes
pre-shared-key *****
tunnel-group sucursales type remote-access
tunnel-group sucursales general-attributes
address-pool sucursales
default-group-policy sucursales
tunnel-group sucursales ipsec-attributes
pre-shared-key *****
tunnel-group vpn-comala type remote-access
tunnel-group vpn-comala general-attributes
address-pool telcopool
default-group-policy vpn-comala
tunnel-group vpn-comala ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im bloqueo_msn
description bloqueo_msn
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 65000
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns MY_DNS_INSPECT_MAP
policy-map type inspect skinny Skinny
parameters
message-id max 0x141
timeout media 0:01:00
timeout signaling 0:05:00
rtp-conformance
policy-map type inspect sip SIP_Policy
description Providencia VPN
parameters
max-forwards-validation action drop log
state-checking action drop log
rtp-conformance
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aa9eceecd7d6eedb30bc4f14e2b6bc03
: end
Attached you'll find both WSA and ASA config files and a topology diagram.
Thank you very much for your Help.
Best Regards.
Note: Both DSL connections belong to the same ISP, that's why the default routes use the same gateway but different interface.
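As an added example (not code from the post or from Cisco), here is a small evaluator for the "clients" WCCP redirect-list above: on the ASA a permit entry in the redirect-list sends the packet to the WSA, while a deny entry (or no match at all) lets it bypass the proxy, which is what the "ACCESO LIBRE" remarks rely on. It is useful for checking which hosts and destinations leave unfiltered. The post masks the internal network as 172.x.0.0, so the constructed ACL below substitutes 172.20.0.0 as an assumed value.

```python
import ipaddress

# Constructed redirect-list modelled on the "clients" ACL in the post; the
# masked 172.x.0.0 network is replaced by 172.20.0.0 (an assumption).
REDIRECT_LIST = """
access-list clients remark PERMITE LA VLAN 212 CON ACCESO LIBRE
access-list clients extended deny ip 192.168.212.0 255.255.255.0 any
access-list clients extended deny ip host 172.20.1.20 any
access-list clients extended deny ip 172.20.0.0 255.255.0.0 host 65.55.58.195
access-list clients extended permit ip any any
""".strip().splitlines()


def _parse_addr(tokens):
    """Consume one ACE address spec ('any', 'host A.B.C.D' or 'NET MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines, name):
    """Return the (action, src_net, dst_net) entries of one named 'ip' ACL, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"] or t[4] != "ip":
            continue  # skips remarks, other ACLs and non-ip ACEs
        src, rest = _parse_addr(t[5:])
        dst, _ = _parse_addr(rest)
        entries.append((t[3], src, dst))
    return entries


def wccp_decision(entries, src, dst):
    """First-match evaluation of an ASA WCCP redirect-list: permit means the packet
    is redirected to the WSA; deny, or no match (implicit deny), means it bypasses
    the proxy and leaves the firewall unfiltered."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "redirect" if action == "permit" else "bypass"
    return "bypass"


def audit_bypasses(entries, flows):
    """List the (src, dst) flows that would reach the Internet without the WSA."""
    return [f for f in flows if wccp_decision(entries, *f) == "bypass"]


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_LIST, "clients")
    sample = [("172.20.1.50", "8.8.8.8"), ("192.168.212.10", "8.8.8.8"),
              ("172.20.1.50", "65.55.58.195"), ("172.20.1.20", "1.1.1.1")]
    for flow in audit_bypasses(acl, sample):
        print("unfiltered:", flow)
```

Note that the redirect-list only decides what the ASA hands to the WSA; whether the WSA can reach the Internet on the backup link is a separate question, which the reply below raises.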
05-30-2013 02:21 PM
Hi Luis,
The Internet "failover" should be totally transparent for the WSA, since it should always be routing traffic to the same internal address. From the WSA config it is 192.168.75.254, which is through the management interface of the WSA. The first thing that comes to my mind is that the backup link fails when it is set as the active link.
Have you tried to bypass the WSA?
Are you able to ping the internet from the ASA when the primary link is down?
Regards!
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html