Destination port routing

Hello

I was wondering if there is a way to route outbound traffic on an ASA5520 based on the destination TCP port.

Say my mail server must use one of the links for SMTP, and all WWW traffic uses another.

Thank you

Not yet. See the question & answer at this link.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#PBR

It will be useful.

Tags: Cisco Security

Similar Questions

  • RSPAN - if the destination port is 'across' other switches (3560-X)

    3560-X

    I have a switch configured for local port SPAN (source Gi0/14, destination Gi0/20).

    It works very well.

    Now I need to send copies from *another* switch to that same destination port.

    I know I can do RSPAN to do this, but I have two questions.

    1. Any issue with having two different sources going to one destination?

    2. Does each switch between the source switch and the destination need any config? Or just the source switch?

    Mark,

    You need to use a VLAN between the switches to carry the SPAN traffic.

    See this guide for a config example:

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swspan.html#wp1317252

    Kind regards,
    Alex.
    Please rate useful posts.

  • Copy route destinations in Streets and Trips?

    If I could, I would click and drag to select the list of 100 sites, copy it to my clipboard, and then paste it into a document, email, etc. How do I copy the list? I do not need or want the map or directions, just the list (which has been optimized). THX

    Hi all

    I suggest posting questions related to Microsoft Streets and Trips on the Streets and Trips forums here:
    Thank you!
  • E3200 Ethernet ports not active if daisy-chained with 2Wire modem/router?

    I have a 2Wire 2700G-B DSL modem/4-port router provided by ATT. The WiFi range is a problem, so I got a Linksys E3200 router to extend the range. I ran 100 feet of Cat5 cable across the house and connected it between one of the 4 Ethernet ports on my 2Wire and the 'Internet' port of the Linksys E3200. I set it up and seem to have a stronger second wireless network from this router (although it is not a repeater; I alternate between two WiFi networks as I walk around the house with my iPhone).

    I plugged wired Ethernet devices into the Linksys E3200 ports, and they are not recognized by my PC the way devices connected to the 2Wire Ethernet ports are. My PC is plugged into a 2Wire port as well.

    How can I activate the 4 Ethernet ports on the E3200 to be additional ports on my home network, like the 4 on the 2Wire?

    http://homecommunity.Cisco.com/T5/wireless-routers/connecting-two-routers-wired-the-definitive-answe...

  • Port channel is not an option for the RSPAN destination reflector port

    Hello

    The trunk between our N3024 and N2048 is a port-channel LAG (m 1).

    When I set the destination type to remote VLAN, it asks for a reflector destination port, which I guess must be the trunk. Among the listed interfaces, port-channel interfaces are not an option.

    Why? How do I proceed now?

    Thank you!

    I just checked, and the switch will not let you set the destination to a remote VLAN without going through a reflector port. The only thing I can think of is to run another line between the switches and use it as a reflector port, or get rid of the port channel.

  • Do the 10/100/1000 ports on the Cisco 2911 router support EtherChannel?

    Hello

    I need something like the below:

    -Ethernet point-to-point leased Line 1-
    --------Trunk-------- 2911 Router                    2911 Router -------Trunk-------------
    -Ethernet point-to-point leased Line 2-

    I intend to use the existing 3 onboard 10/100/1000 ports on the 2911 router for a trunk and EtherChannel configuration. The trunk connects to the local LAN, and the EtherChannel goes to the remote site. My doubt is: can I configure the 2911 onboard ports as trunk ports and implement EtherChannel? As of now, there is no routing configuration in the 2911.

    Regards,

    Siva K

    Hi Siva,

    > As of now, there is no routing configuration in 2911.

    Use a LAN switch for this, or an EtherSwitch module installed in the C2911 routers.

    Routed ports can be used only as routed or bridging (IRB) ports; you cannot configure them as L2 trunks. You can use them as an L3 port-channel but not as an L2 port-channel trunk.

    Hope this helps,

    Giuseppe

  • SG 300-28: port mirroring: destination host loses network connectivity

    Hello

    We have two SG 300-28s. On one of them I have configured port mirroring because a host behaves strangely. When I create the mirror, the host connected to the destination port is no longer reachable; for example, it does not answer a ping. Packets from the source port appear on the destination port, but no packets intended for the host itself. Is this behaviour correct? I assumed that the host on the destination port would always be reachable, as it would be without the mirror.

    Bernd

    Hi Bernd,

    Yes. This behavior is correct. That's how port mirroring works. The host connected to the destination port loses its connectivity and can act as a monitoring device using programs like Wireshark (and monitor packets coming to and from the source port(s)). All configurations on the destination port are overridden.

    Let me know if you need assistance,

    HTH,

    Vijay

    Please rate useful posts

  • Maximum number of source ports for a destination port on the ESW 520-24P

    Does the ESW 520-24P support mirroring traffic from 20 ports to 1 destination port?

    Hi Andy

    The ESW has mirroring groups, each of which can mirror 8 ports to a destination port.

    That is fine for normal problem-determination purposes. I can guess your application.

    Dave

  • EA6350 router issue

    I knew how to do this on my old router, which has gone to the big pile of junk in the sky,

    But I don't know where or how to do it on the Linksys EA6350 AC1200+ router I bought.

    Here's what needs to be done:

    "EchoLink requires that your router or firewall allow inbound and outbound UDP ports 5198 and 5199, and outbound TCP port 5200. If you use a home network router, you also need to configure the router to 'forward' UDP ports 5198 and 5199 to the computer on which EchoLink is running."

    This can be summed up as:

    Allow UDP destination ports 5198-5199 between Internet and PC in both directions
    Allow TCP (any source port, destination port 5200) from PC to Internet

    Step-by-step instructions would be great.

    Thank you

    Bob

    You can forward ports 5198-5199 as a port range.

    1. Go to the Linksys Smart Wi-Fi page of the EA6300, and then click Security.

    2. Under Security, click on the Apps and Gaming tab, then the Port Range Triggering subtab.

    3. Type any application name (EchoLink). Put 5198-5199 for both the triggered and forwarded ports.

    4. Check Enabled and click Save.

    For port 5200, you can forward it using Single Port Forwarding.

    1. Under Security, click on the Apps and Gaming tab, then the Single Port Forwarding subtab.

    2. Enter any application name (EchoLink). Put 5200 as the External Port and the Internal Port.

    3. Set the protocol to TCP and enter the IP address of the PC.

    4. check enable and click Save.

    Hope that helps.

  • RV180 router: can't get inter-VLAN routing to work.

    I've been stuck on this for two days now and just can't get inter-VLAN routing to work on this router.

    Here is the setup:

    Updated to the latest Cisco firmware (1.0.1.9).
    From default settings, I added 2 VLANs as follows:

    VLAN default (id=1): dhcpmode=server, IP=192.168.1.1/24, port 1
    VLAN vlan2 (id=2): dhcpmode=server, IP=192.168.2.1/24, port 2
    VLAN vlan3 (id=3): dhcpmode=server, IP=192.168.3.1/24, port 3

    WAN port (no link)
    |
    Routing/NAT
    |
    --------------------------------------
    VLAN IP             192.168.1.1   192.168.2.1   192.168.3.1
    VLAN name           default       vlan2         vlan3
    VLAN id             ID=1          ID=2          ID=3
    Inter-VLAN routing  disabled      Yes           Yes
    Port 1              untagged      excluded      excluded
    Port 2              excluded      untagged      excluded
    Port 3              excluded      excluded      untagged
    Port 4 (not of interest) untagged excluded      excluded
    ---------           --------      --------
    Port 1              Port 2        Port 3
    |                   |             |
    AdminPC             PC2           PC3
                        192.168.2.191 192.168.3.181

    PC2 is assigned an IP address of 192.168.2.191 (DGW = 192.168.2.1) - OK
    PC3 is assigned an IP address of 192.168.3.181 (DGW = 192.168.3.1) - OK

    (IP 192.168.2.191) PC2 can ping 192.168.2.1 and 192.168.3.1 - OK
    (IP 192.168.3.181) PC3 can ping 192.168.3.1 and 192.168.2.1 - OK

    BUT...
    PC2 cannot ping PC3 - DOES NOT WORK
    PC3 cannot ping PC2 - DOES NOT WORK

    (does not work in either Gateway or Router mode)

    CAN SOMEONE HELP ME UNDERSTAND WHY?

    Your help is very much appreciated.

    I bought this unit specifically because it supported inter-VLAN routing!

    Vlaminck

    ---------------------------------------------------------------------------

    Support information:

    Screenshots:
    VLAN membership:
    VLAN ID  Description  Inter-VLAN Routing  Device Mgmt  Port 1    Port 2    Port 3    Port 4
    1        default      disabled            enabled      untagged  excluded  excluded  untagged
    2        VLAN2        enabled             enabled      excluded  untagged  excluded  excluded
    3        VLAN3        enabled             enabled      excluded  excluded  untagged  excluded

    Multiple VLAN subnets:
    VLAN ID  IP address   Subnet mask    DHCP mode    DNS proxy status
    1        192.168.1.1  255.255.255.0  DHCP Server  enabled
    2        192.168.2.1  255.255.255.0  DHCP Server  enabled
    3        192.168.3.1  255.255.255.0  DHCP Server  enabled

    Routing table (Bridge mode)

    Destination  Gateway      Genmask          Metric  Ref  Use  Type     Interface  Flags
    127.0.0.1    127.0.0.1    255.255.255.255  1       0    0    static   lo         up, gateway, host
    192.168.3.0  0.0.0.0      255.255.255.0    0       0    0    dynamic  bdg3       up
    192.168.2.0  0.0.0.0      255.255.255.0    0       0    0    dynamic  bdg2       up
    192.168.1.0  0.0.0.0      255.255.255.0    0       0    0    static   bdg1       up
    192.168.1.0  192.168.1.1  255.255.255.0    1       0    0    static   bdg1       up, gateway
    127.0.0.0    0.0.0.0      255.0.0.0        0       0    0    dynamic  lo

    Routing table (router Mode)

    (Ditto)

    Hello

    It's not because pings are allowed within the same subnet that they are allowed from a different subnet.

    You probably have a Windows software firewall problem, because by default it drops ICMP echoes coming from a different subnet.

    Regards,

    Alain

    Remember to rate useful posts.

  • Blocked ports affecting HTTP

    On Cisco's recommendation, I have blocked TCP ports 3127-3199 outbound on my "inside" interface. It seems these are ports commonly used by MyDoom. Now, when a user's browser uses these ports as source ports, they don't get through until the source port moves past this window. Has anyone else seen this problem, and how do you work around it?

    Roland,

    A MyDoom attack can be launched from the outside (coming into your local network) or from the inside (going out of your local network).

    IF YOU WANT TO BLOCK INBOUND MYDOOM ATTACKS:

    If this traffic passes through a firewall, then by default sessions opened from the outside are blocked unless explicitly permitted inbound. If you use a router with ACLs, then you must configure an ACL in the INBOUND direction and apply it to the OUTSIDE interface, as such:

    --------------------------

    For routers:

    access-list 111 deny tcp any any range 3127 3199
    ! permit everything else, otherwise the implicit deny drops all traffic
    access-list 111 permit ip any any

    interface <outside interface>

    ip access-group 111 in

    --------------------------

    In this case, you'll experience the issue you already have, because when a web server returns a session to the client (browser), the destination ports match the ACL and the router will drop the session. To remedy this, we can apply the IOS Firewall to the external interface of the router. The ACL can then block inbound MyDoom attacks while the router maintains session state information in its table, so return traffic of sessions opened from the inside still gets through.

    IF YOU WANT TO BLOCK OUTBOUND MYDOOM ATTACKS:

    Then the ACL must be applied 'in' on the 'inside' interface

    --------------------------

    For the PIX Firewall:

    access-list 111 deny tcp any any range 3127 3199

    access-list 111 permit ip any any

    access-group 111 in interface inside

    --------------------------

    --------------------------

    For the router:

    access-list 111 deny tcp any any range 3127 3199
    ! permit everything else, otherwise the implicit deny drops all traffic
    access-list 111 permit ip any any

    interface <inside interface>

    ip access-group 111 in

    --------------------------

    This should provide you with enough information to work on your issue.

    Regards,
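    As an added illustration (not part of the thread), the following constructed Python model shows why a stateless ACL that denies TCP 3127-3199 drops a web server's reply whenever the browser's ephemeral source port falls in that range, while a stateful engine applies the ACL only to session-initiating packets; the host addresses and port numbers are assumptions.

```python
"""
Constructed model of the two ways the 3127-3199 block can be enforced:
a stateless ACL that judges each packet on its own, and a stateful firewall
(the IOS Firewall suggested above) that lets replies of inside-initiated
sessions through. Addresses are documentation ranges chosen for the demo.
"""
from dataclasses import dataclass

# TCP 3127-3199: the MyDoom port range quoted in the thread
MYDOOM_PORTS = range(3127, 3200)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = outside -> inside, "out" = inside -> outside


def stateless_acl(pkt: Packet) -> str:
    """'deny tcp any any range 3127 3199' followed by 'permit ip any any'.
    Only the packet in hand is examined, so a reply whose destination is the
    browser's ephemeral port 3127-3199 is dropped just like a worm probe."""
    return "deny" if pkt.dst_port in MYDOOM_PORTS else "permit"


class StatefulFirewall:
    """Runs the ACL against new sessions only and records inside-initiated
    sessions, so replies are matched on the state table, not the ACL."""

    def __init__(self) -> None:
        self.sessions = set()  # (src_ip, src_port, dst_ip, dst_port) of sessions

    def filter(self, pkt: Packet) -> str:
        reverse_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "in" and reverse_key in self.sessions:
            return "permit"  # return traffic of an established session
        verdict = stateless_acl(pkt)
        if verdict == "permit" and pkt.direction == "out":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


def web_session(src_port: int, engine) -> tuple:
    """Browser SYN out to port 80, then the server's SYN/ACK back.
    'engine' is applied to each packet; returns (outbound, inbound) verdicts."""
    syn = Packet("192.168.1.10", src_port, "203.0.113.5", 80, "out")
    syn_ack = Packet("203.0.113.5", 80, "192.168.1.10", src_port, "in")
    return engine(syn), engine(syn_ack)


def worm_probe(engine) -> str:
    """An unsolicited inbound connection to a MyDoom port must still be denied."""
    return engine(Packet("198.51.100.7", 40000, "192.168.1.10", 3150, "in"))


if __name__ == "__main__":
    print("stateless, ephemeral 3150:", web_session(3150, stateless_acl))
    print("stateless, ephemeral 50000:", web_session(50000, stateless_acl))
    fw = StatefulFirewall()
    print("stateful, ephemeral 3150:", web_session(3150, fw.filter))
    print("stateful, worm probe:", worm_probe(fw.filter))
```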

  • Send specific ports down an L2L VPN

    I have a client who is trying to use an ISP-hosted web filtering and content management gateway; the ISP wants to use an L2L IPsec VPN from the customer site to their front door to control the traffic. Today we have the tunnel up with a test ACL sending the customer-side test device down the tunnel, but it blocks all traffic that is not being analyzed. The problem is that they are on an ASA 5510 with 8.2.2. You cannot add TCP ports to the NAT-exempt ACL; it errors when you try to apply the 'nat (inside) 0 access-list' statement. We can define the ports in the VPN interesting-traffic ACL, but there is no way to send just the web ports down the VPN and let the other ports go out through the regular interface NAT. I was looking at 8.4 to see if it allows a policy NAT (twice NAT for VPNs) to set a port for a range of IPs (i.e. 'nat (inside,outside) source static any any destination static WEBINSPECT WEBINSPECT') but only for the web ports.

    I don't have a test ASA to use, but I guess the L2L VPN will only match by IP and I cannot define a port for the tunnel.

    In any case, it's a strange one, but ideas are welcome. I don't think it's possible, but I thought I'd see if anyone has run into it before.

    Hello

    Well, to give you a simple example where we use twice NAT / manual NAT to handle traffic:

    For example, a configuration example I just did on my 8.4(5) ASA

    The following configuration will:

    • Define the 'object' that contains the source network for the NAT
    • Define the 'object' that contains the service for the NAT
    • Define the actual NAT

    The actual NAT will make any connection from the network in the 'WIRELESS' network object to destination port TCP/80 go out the 'WAN' interface without NAT.

    Of course, the next step with an L2L VPN would be that the network in the 'WIRELESS' network object corresponds to the L2L VPN ACL. But that seemed straightforward for you already.

    object network WIRELESS
     subnet 10.0.255.0 255.255.255.0

    object service WWW
     service tcp destination eq www

    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW

    The following configuration will:

    • Define the 'object-group' that defines the source networks of the default PAT rule for Internet traffic
    • Define the 'object' for the PAT address (could just use 'interface' instead of the 'object')
    • Define the actual NAT

    The NAT configuration will just make a default PAT rule for the wireless network. The key thing to note here is that we use the 'after-auto' parameter. This basically inserts the NAT rule at the very bottom of the ASA's NAT priority.

    object-group network WIRELESS-NETWORK
     network-object 10.0.255.0 255.255.255.0

    object network PAT-1.1.1.1
     host 1.1.1.1

    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1

    Now we can use the 'packet-tracer' command to confirm that the NAT works as expected.

    TEST WWW TRAFFIC

    ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 80

    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:
    NAT divert to egress interface WAN
    Untranslate 1.2.3.4/80 to 1.2.3.4/80

    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:
    Static translate 10.0.255.100/12355 to 10.0.255.100/12355

    Phase: 4
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:

    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1727146, packet dispatched to next module

    Result:
    input-interface: WLAN
    input-status: up
    input-line-status: up
    output-interface: WAN
    output-status: up
    output-line-status: up
    Action: allow

    TEST FTP TRAFFIC

    ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 21

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 0.0.0.0 0.0.0.0 WAN

    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 3
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:

    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
    Additional Information:
    Dynamic translate 10.0.255.100/12355 to 1.1.1.1/12355

    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
    Additional Information:

    Phase: 7
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 10
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1727154, packet dispatched to next module

    Result:
    input-interface: WLAN
    input-status: up
    input-line-status: up
    output-interface: WAN
    output-status: up
    output-line-status: up
    Action: allow

    As you can see, TCP/80 traffic matches the first rule. And FTP, used as the other example, matches the default PAT rule as expected.

    If you want to know a little more about the new 8.3+ NAT format, you can check a document I created

    https://supportforums.Cisco.com/docs/doc-31116

    Hope this helps; please mark the question as answered or rate the answer.

    Naturally, ask more if necessary

    -Jouni
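    As an added illustration (not ASA code and not from Jouni's post), this constructed Python model reproduces how the ASA 8.3+ NAT table picks a rule for the two packet-tracer flows above: manual NAT (section 1) is searched first, then object NAT (section 2), then manual rules flagged after-auto (section 3), and within a section the first matching line wins. The object names and addresses mirror the example; the rule-matching code and the crypto ACL check are assumptions for the demo.

```python
"""
Constructed model of ASA NAT rule selection. Each rule records the section it
belongs to (1 = manual, 2 = auto/object, 3 = manual after-auto), the real
source network it matches, an optional destination-port service match, and
the translated source (None means identity NAT, i.e. no translation).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                   # 1 = manual, 2 = auto, 3 = manual after-auto
    src_net: str                   # real source network the rule matches
    dst_port: Optional[int]        # 'service X X' match, None = any port
    translated_src: Optional[str]  # None = identity (keep the real address)


# Jouni's two rules in configuration order
RULES = [
    NatRule("nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW",
            1, "10.0.255.0/24", 80, None),
    NatRule("nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1",
            3, "10.0.255.0/24", None, "1.1.1.1"),
]

# Same two rules with the PAT line in section 1 and listed first (no after-auto):
# the broad PAT now swallows TCP/80 too, which is what after-auto avoids.
RULES_MISORDERED = [
    NatRule("pat first, section 1", 1, "10.0.255.0/24", None, "1.1.1.1"),
    NatRule("identity www, section 1", 1, "10.0.255.0/24", 80, None),
]


def pick_rule(rules, src_ip, dst_port):
    """First matching rule after ordering by section, then by config line."""
    for _, rule in sorted(enumerate(rules), key=lambda t: (t[1].section, t[0])):
        if ip_address(src_ip) not in ip_network(rule.src_net):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule
    return None


def translate(rules, src_ip, src_port, dst_port):
    """Mimic packet-tracer's 'translate a/p to b/p' line: (new source, rule name)."""
    rule = pick_rule(rules, src_ip, dst_port)
    if rule is None:
        return src_ip, None            # no NAT rule applies at all
    if rule.translated_src is None:
        return src_ip, rule.name       # identity NAT keeps the real address
    return rule.translated_src, rule.name


def vpn_interesting(translated_src, crypto_acl_net="10.0.255.0/24"):
    """The L2L crypto ACL sees post-NAT addresses, so only traffic that still
    carries the real 10.0.255.0/24 source can be sent down the tunnel."""
    return ip_address(translated_src) in ip_network(crypto_acl_net)


if __name__ == "__main__":
    for port in (80, 21):
        new_src, rule = translate(RULES, "10.0.255.100", 12355, port)
        print(f"tcp/{port}: 10.0.255.100 -> {new_src} via [{rule}], "
              f"VPN-interesting={vpn_interesting(new_src)}")
```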

  • IOS / NX-OS vPC port channel

    Hello

    I have a pair of Nexus 5Ks in a vPC domain and a few 2960s as vPC members, with a port channel to the domain.

    Topology is:

    5K1 and 5K2 in the vPC domain

    vPC from 5K1 and 5K2 to the 2960

    2960: gi0/1 and gi0/2 in port-channel 1

    Gi0/1 to 5K1, gi0/2 to 5K2

    I know what I'm going to ask may be completely against the purpose of vPC, but I'm looking for a way to prefer gi0/1 for traffic, rather than balancing over gi0/1 and gi0/2. The reason for this is that I want to take advantage of the loop-free topology that vPC provides, but would also like to have a primary and a secondary link, as the majority of traffic should in fact go through 5K1 rather than 5K2.

    Any suggestion is welcome.

    Thanks in advance

    Anthony

    Hi Anthony,

    The Cisco NX-OS software load balances traffic across all operational interfaces in a port channel by hashing the addresses in the frame to a numeric value that selects one of the links in the channel. Port channels provide load balancing by default. It uses IP addresses, MAC addresses, or Layer 4 port numbers to select the port-channel link for load balancing. Port-channel load balancing uses the source or destination addresses or ports, or both the source and destination addresses or ports.

    You can configure the load-balancing mode to apply to all port channels configured on the entire device, or to the specified modules. The per-module configuration takes precedence over the device-wide load-balancing configuration. You can configure one load-balancing mode for the whole device, a different mode for specified modules, and another mode for other specified modules. You cannot configure the load-balancing method per port channel.

    You can configure the type of load-balancing algorithm used. You can choose the load-balancing algorithm that determines which member port to select for egress traffic by looking at the fields in the frame.

    Note: The default load-balancing mode for Layer 3 interfaces is the source and destination IP address, and the default load-balancing mode for non-IP interfaces is the source and destination MAC address.

    In configuration mode, you can try a different load-balancing method:

    port-channel load-balance {dest-ip-port | dest-ip-port-vlan | destination-ip-vlan | destination-mac | destination-port | source-dest-ip-port | source-dest-ip-port-vlan | source-dest-ip-vlan | source-dest-mac | source-dest-port | source-ip-port | source-ip-port-vlan | source-ip-vlan | source-mac | source-port} [module module-number]

    To sum up: I can't tell which port would be chosen; it depends purely on the frame type you send combined with the load-balancing method.

    After you change it, you can also find out from this command which link carries the traffic:

    NEXUS2-SPAN# show port-channel load-balance forwarding-path interface port-channel 71 src-ip 1.1.1.1 dst-ip 2.2.2.2 vlan 51 module 2

    Module 2: Missing params will be substituted by 0.
    Load-balance Algorithm: src-dst ip-l4port
    RBH: 0xb0 Outgoing port id: Ethernet8/8

    We can also try to tweak the load balancing on the 2960 side; it purely depends on the load-balancing algorithm. Below is the 2960 load-balancing tuning guide:

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst2960/software/release/12.2_53_se/configuration/guide/swethchl.html

    Even after doing this, I wouldn't say it is 100 percent certain that it would choose one link.

    I hope this helps!

    Thank you

    Richard.

    * Rate if this is useful
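    As an added illustration (not NX-OS code and not from Richard's reply), this constructed Python model hashes the frame fields named by three of the load-balance keywords above and picks a member link by modulo, which is why a port channel cannot "prefer" one member: every flow between the same pair of addresses lands on the same link under an IP-only mode, and only adding Layer 4 ports to the hash spreads them. The byte-sum hash stands in for the platform's real RBH, so the behaviour, not the exact link, is what carries over; the MAC/IP values are made up.

```python
"""
Constructed model of port-channel member selection by flow hashing.
The hash key is built from the fields a given load-balance mode looks at;
a simple byte sum stands in for the hardware RBH and the result is taken
modulo the number of operational members, exactly as 'forwarding-path' reports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    vlan: int
    src_port: int
    dst_port: int


# Frame fields consulted under three of the keywords listed in the reply
MODES = {
    "source-dest-mac": ("src_mac", "dst_mac"),                      # non-IP default
    "source-dest-ip-vlan": ("src_ip", "dst_ip", "vlan"),            # IP only
    "source-dest-ip-port": ("src_ip", "dst_ip", "src_port", "dst_port"),
}

# The 2960's two uplinks in port-channel 1 (names assumed from the topology)
MEMBERS = ("gi0/1 -> 5K1", "gi0/2 -> 5K2")


def select_member(flow, mode, members=MEMBERS):
    """Hash the mode's fields to a number and pick a member by modulo."""
    key = "|".join(str(getattr(flow, field)) for field in MODES[mode])
    rbh = sum(key.encode())  # stand-in for the hardware result-bundle hash
    return members[rbh % len(members)]


def distribution(flows, mode, members=MEMBERS):
    """Count how many flows land on each member under a given mode."""
    counts = {m: 0 for m in members}
    for flow in flows:
        counts[select_member(flow, mode, members)] += 1
    return counts


def sample_flows(n=64):
    """n TCP flows between the same two hosts, differing only by source port."""
    return [Flow("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                 "10.1.1.10", "10.1.2.20", 51, 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    for mode in MODES:
        print(f"{mode:22s} {distribution(flows, mode)}")
```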

  • Canvio Desk 3TB external desktop hard drive not appearing on TP-Link routers

    Good day!

    I have 2 Toshiba Canvio Desk 3TB external desktop USB 3.0 hard drives

    They work well, but they are not appearing on my 2 TP-Link routers (Archer C7 v2 AC1750 and WR1043ND) via the router USB port

    I tried to change the partition size to 1.5 GB, but everything is still the same.
    Also tried converting to a FAT32 partition. All the same.

    Maybe someone knows how to solve this problem?

    Hello

    In my opinion your problem isn't related to the Toshiba product. Of course the Toshiba external HDD seems to work fine on the computer, but from my point of view the issue could be linked to a compatibility problem between the router and the hard drive, or maybe you forgot certain essential router options.

    Have you read the manual of the TP-Link router? Have you followed the configuration procedure exactly?

    I don't know the TP-Link router, but I guess there must be an option (shared storage, etc.) which must be activated and configured.

  • Nighthawk 7000 responds on port 42443

    My Nighthawk responds to connections on port 42443.

    I don't know what it is.

    When I tried to forward the port, it had no effect.

    When I tried to BLOCK the port, the router says I can't until it is used.

    What is this PORT? How can I disable it?

    telnet XX.XX.XX.XX 42443
    Trying XX.XX.XX.XX...
    Connected to XX.XX.XX.XX.
    Escape character is '^]'.

    Connection closed by foreign host.

    It's clearly answering... Not good...

    Some external scanner said I did not pass the scan due to this port.

    I think I have the latest firmware running.

    How can I disable this port?

    Thank you

    Jerry

    Hi all

    Port 42443 is used by the Kwilt function.

    It can be closed by disabling DLNA.
