SMTP-only traffic on 2nd WAN interface
We have a SonicWall TZ600 and recently installed a 2nd RE ADSL on the X2 interface. I want to route only SMTP traffic (in both directions) over this WAN interface, and also HTTPS traffic to specific sites.
Any ideas on how to implement this scenario?
You need a custom route policy. The links below will help you set it up.
How to route only SMTP traffic through a specific interface (e.g. secondary WAN) (SW5733):
https://support.software.Dell.com/SonicWALL-TZ-series/KB/sw5733
How to route all HTTP traffic through the secondary WAN (SW11461):
https://support.software.Dell.com/SonicWALL-TZ-series/KB/sw11461
NOTE: The above KB is for HTTP; you must select HTTPS when creating the traffic policy.
-
Windows 7 traffic not going out on the expected interface
Hi experts
I have this Win7 machine. I want to install two network interfaces on it. One network interface will be for the management of the machine itself, and another interface for application traffic. I have an application that I run which consumes a lot of bandwidth, to the point that if I put everything on one interface I could lose the RDP connection.
Also, I have set up the IP of my mgmt interface, and it works. I can RDP into it. But when I configure the 2nd interface with its IP address, the automatically added route forces traffic to pass through my mgmt interface/IP, which is not what I want.
These two interfaces are on two different subnets and they go to different switches. I did a simple sketch of my installation below to show what I'm trying to accomplish.
Under Linux, I would just add a static route and that would take care of this, but how do I do that on Windows?
I followed this guide but still have the same problem:
http://Windows.Microsoft.com/en-CA/Windows/configuring-multiple-network-gateways#1TC=Windows-7
Hello
I understand the inconvenience caused.
For assistance, I suggest you post the question at the link below. The link below is the support link for the TechNet Support forums. They are experts in your field of investigation and would be in a better position to answer your concerns.
Hope this Information is useful.
-
SFR does not detect all ASA interfaces
Hello!
We have, for me at least, a strange problem. We have two ASA5525-X in active/standby. Only a few interfaces (7 of 30) are detected by the SFR module (the same on both units). My experience is that only traffic entering and leaving on the interfaces known to the SFR is handled properly. All other traffic times out. The ASA is in production (but of course without FirePOWER).
Any idea on how to solve this problem?
ASA# sh version | i System
System image file is "disk0:/asa952-smp-k8.bin"
ASA# sh run | i interface
interface GigabitEthernet0/0
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface Management0/0
interface Port-channel1
interface Port-channel1.2
interface Port-channel1.3
interface Port-channel1.4
interface Port-channel1.5
interface Port-channel1.6
interface Port-channel1.7
interface Port-channel1.8
interface Port-channel1.9
interface Port-channel1.10
interface Port-channel1.12
interface Port-channel1.14
interface Port-channel1.16
interface Port-channel1.18
interface Port-channel1.102
interface Port-channel1.104
interface Port-channel1.106
interface Port-channel1.108
interface Port-channel1.112
interface Port-channel1.114
interface Port-channel1.200
interface Port-channel1.204
interface Port-channel1.205
interface Port-channel1.206
interface Port-channel1.207
interface Port-channel1.208
interface Port-channel1.209
interface Port-channel1.253
interface Port-channel1.254
interface Port-channel1.999
> show version
----------------[ sfr1 ]-----------------
Model: ASA5525 (72) Version 6.0.0.1 (Build 26)
> show interfaces
-------------------[ 10.002 ]-------------------
Physical interface: Port-channel1.2
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-------------[ 10.003 ]--------------
Physical interface: Port-channel1.3
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
------------------[ 10.004 ]-------------------
Physical interface: Port-channel1.4
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-----------------[ 10.005 ]-----------------
Physical interface: Port-channel1.5
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-----------------[ 10.001 ]-----------------
Physical interface: Port-channel1
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------[ 10.006 ]----------------
Physical interface: Port-channel1.6
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------[ 10.209 ]---------------
Physical interface: Port-channel1.209
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------------[ cplane ]---------------------
Thank you for your time.
Kind regards
Erik Qvam
Hello
What is the version of the ASA? There is an existing bug that is fixed in 9.5(2.6) and above.
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCut40770
Rate if it helps.
Yogesh
-
Interface VLAN traffic information
Hi all
Could someone please advise what traffic is shown on an Interface VLAN?
For example, I have two interfaces in VLAN 10, and I created the layer 3 Interface VLAN 10.
If I monitor the traffic of VLAN 10, are the traffic statistics of the two interfaces combined?
Thank you
Prasanna Kumar deully
Oh sorry, I thought you meant a SPAN monitor where you record the combined interface traffic of a VLAN.
To answer your question: it will display the count of layer 3 IP traffic in packets for all interfaces grouped under the VLAN, so yes, the two interfaces will show on the layer 3 VLAN interface. Some platforms will also show some L2 information like below; it shows a 30 second count on VLAN interfaces, but number five on the physical interface Fa0/1.
Vlan149 is up, line protocol is up
Hardware is EtherSVI, address is 0008.e3ff.fd90 (bia 0008.e3ff.fd90)
Internet address is x.x.x.x/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00
Last input 00:00:14, output never, output hang never
Last clearing of "show interface" counters 24w4d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 2134000 bps, 381 packets/s
30 second output rate 2019000 bps, 460 packets/s
L2 Switched: ucast: 30595061 pkt, 2268569227 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 5882988002 pkt, 1908218042989 bytes - mcast: 1623 pkt, 775020 bytes
L3 out Switched: ucast: 5579358870 pkt, 1872959920772 bytes - mcast: 322 pkt, 138259 bytes
5886751734 packets input, 1885010127367 bytes, 0 no buffer
Received 0 broadcasts (28 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
5618600472 packets output, 1854023804196 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
-
Clientless SSL VPN - Source interface when traffic leaves firewall
Hi all
I'm trying to implement rules in my WAN perimeter firewall for all traffic coming from the Internet VPN firewall.
The internet firewall is also the VPN endpoint. The user connects to the internet firewall through clientless WebVPN and accesses several bookmarks that are the customer WAN servers.
Now, I have a network firewall that must act as a second layer to filter traffic. I therefore have to add allow rules for all the bookmarks that users access through to the WAN. The question here is what would be the source IP address of the traffic coming from the Internet ASA and going to the bookmark/WAN server? Would it be the outside (internet-facing) interface or the inside interface?
Thank you!
Kind regards
Riou
Hey riri,
Referring to this document, it states:
"In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web server."
This implies that the ASA will proxy the WebVPN user's request to the destination. The source of this proxied request will depend on how the destination server is reached. If the resources are reachable through the inside interface, then the source will be the inside interface, and likewise the DMZ interface if the resources are accessed through the DMZ.
I tested, but for your confirmation, you can run a Wireshark capture on the LAN interfaces and you will see HTTP requests being proxied by the ASA LAN interfaces.
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
Task Manager shows Firefox loaded as a service, but with a number of threads waiting to complete. There is no application shown in the Task Manager (which seems reasonable, as Firefox has not loaded).
There is no error message. The Microsoft "spinning circle" runs for a few seconds, then disappears as if the schedule.
It happens on the 2nd and subsequent loads after a reboot. Firefox seems to work the first time after a reboot. It happened only after the upgrade to 42. A clean installation makes no difference. Chrome works OK.
Worked well up until the 42 update. Tried to do a clean install with the box to inform Mozilla erased.
Maybe Firefox started using a port that is blocked by the antivirus? I don't get any logging from the virus scanner showing what is being blocked. A full scan reveals nothing.
Operating system is Windows 10 (64-bit)
Abandoned trying to find what is actually happening. Changed virus scanner software.
I think (and this is just a guess) is that to integrate with windows update update 42 change the output method to the telemetry file the antivirus does not. It is perhaps that the antivirus cannot manage that file or property, but it does not record the fact, a failure of the antivirus.
There is a hint of doubt in my mind when an upgrade causes a working system to fail in an untraceable way.
-
Single CM, multiple interfaces
Hi guys.
I have an environment with a single CM and multiple devices.
The central manager has two management interfaces (one interface to the primary CPE and the other to the secondary CPE). It is this way because we are unable to use the local switch to create a single management VLAN.
CPE2 - CM - CPE1
I am looking to provide redundancy for the central manager (connectivity) and in addition, the most important thing, provide redundancy for remote devices (if the first goes down, the devices should not lose connectivity with the CM).
If possible, how can I achieve this? (primary/standby?)
The devices are also installed in this way (two management interfaces connected to two different CPEs).
The optimization is done online.
Thanks in advance
Hi Ronaldo,
Not sure that I have understood your topology, but if your two CPEs are just separate layer 2 paths, you should look into setting up standby on the CM and the accelerator interfaces, see [1, 2].
If, however, the two CPEs must be mapped to different layer 3 networks, there is no way to get this working; you can only register an accelerator with a single CM at a time (based on the IP address or host name). Having two different layer 3 networks would be like having two IP addresses and two host names for the same CM.
If you want redundancy for the CM database as well, you can look at a standby CM, see [3, 4]. You would need another WAAS device to do this, however.
Let me know if this helps, or if I misunderstood.
Kind regards
Michael
[1] WAAS 4.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v441/configuration/guide/cnfg/network.html#wp1041450
[2] WAAS 5.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/network.html#wp1041450
[3] WAAS 4.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v441/configuration/guide/cnfg/maint.html#wp1159476
[4] WAAS 5.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/maint.html#wp1159476
-
Two ISP WAN interfaces in the same network
Hello world
I am faced with a really simple but delicate scenario. My ISP gives me 2 public IP addresses, both in the same network. They also gave me the default gateway, which is of course in the same network too.
I need two fully operational IP addresses, but I realized that I can't have two interfaces (routed interfaces) in the same network segment. I have just a single router (Cisco 2911). A friend told me that I might be able to set this up using VRF, but as far as I have read, there is no way to use VRF to achieve this.
Is it possible to use two (or more) IP addresses to send traffic to the same default gateway on the same router?
Thank you!
Miguel
Hi Miguel,
If you just want your 2911 to have two public IP addresses set up, you can set one of them as a secondary IP address. Suppose that 192.0.2.1/29 is your default gateway, and 192.0.2.2/29 and 192.0.2.3/29 are your IP addresses. So to have both configured, you'd:
interface Gigabit0/0/0
ip address 192.0.2.2 255.255.255.248
ip address 192.0.2.3 255.255.255.248 secondary
And voila - that should do the trick :)
Best regards,
Peter
-
ASA 5510 using only the GB interfaces
I am wondering whether I should use a 5510 with two interfaces enabled for broadband VPN connections from only a few sites. Our 5505s (I have dozens) cannot handle speeds of more than 100 MB, and I now have a few FIOS connections beyond that, 150 to 300 Mbps. I want a base 5510 that needs to handle a few voice/data sites and just use two interfaces. Does a base 5510 allow 2 gigabit interfaces or just FE ports? I have to be able to use 2 GB interfaces and nothing else. I don't know that the 5510 will probably support the same QoS settings that I use on the 5505s... I just need more interface speed so that I'm not bottlenecking data (I know I could use several 5505s and spread the load, but that is not how I want to do it, for other reasons). Thank you
Hello
To my knowledge the ASA5510 supports 2 x 1 Gbps interfaces when you have the Security Plus license for the ASA. The base license only has 100 Mbps interfaces.
Take a look at this document for more information on the licensing above
http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp190732
It's a document from the 8.2 version, but it's still the same up to 9.x regarding the Security Plus license requirement to get the 2 x 1 Gbps interfaces.
The documentation for the ASA5500 series promises 300 Mbps throughput for the ASA5510 model, but I guess that's a value of location. In the most recent document, two values, max throughput and multiprotocol throughput, are given.
Here's a link to the document
-Jouni
-
Hello!
I use Line Flow - generic, Bill only with workflow online Interface of the inventory in the sales order and when I book the order lines batch controlled items are not reserved, I still need to keep an inventory of the booking form. How to automate this when booking?
Thank you
Jon
Auto is by setting the value in the OM system settings > booking closing time (ours is R12.1.3).
-
A PIX-to-PIX VPN can allow traffic in only one direction?
Here is the configuration of the PIX 501 that accepts incoming VPN tunnels from the other dynamic-IP PIXes. Everything works very well, allowing traffic to flow both ways after the tunnel comes up. But can I somehow limit or prevent traffic that originates on this PIX's side (192.168.27.2) from going to the other PIXes' networks? In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow the 3.0 network to access the 27.0 network, and I want to prevent anyone on the 27.0 network from accessing the 3.0 network.
Thanks for any comments.
pixfirewall# sh conf
: Saved
: Written by enable_15 at 13:29:50.396 UTC Saturday, July 3, 2010
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name .com
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.248 255.255.255.255
ip address inside 192.168.27.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.10.1-10.10.10.254
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set gvnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set gvnset
crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
crypto map gvnmap interface outside
isakmp enable outside
isakmp key * address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup gvnclient address-pool ippool
vpngroup gvnclient dns-server 192.168.27.1
vpngroup gvnclient wins-server 192.168.27.1
vpngroup gvnclient default-domain .com
vpngroup gvnclient split-tunnel 101
vpngroup gvnclient idle-time 1800
vpngroup gvnclient password *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:
pixfirewall#
Of course, it is certainly possible.
You can configure the inside interface access list to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then allow anything else.
Example:
access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside-acl permit ip any any
access-group inside-acl in interface inside
Hope that helps.
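The effect of the answer's inside-interface ACL, as an added Python model that is not part of the original thread and is not PIX code. It assumes a stateful firewall where replies to an established connection bypass the interface ACL, and where tunnel traffic is admitted without an ACL check (the `sysopt connection permit-ipsec` line in the posted config); the class, function names and host addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# The two ACL entries from the answer, in order (network + netmask as on the PIX).
INSIDE_ACL = [
    ("deny", ip_network("192.168.27.0/255.255.255.0"),
             ip_network("192.168.3.0/255.255.255.0")),
    ("permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]


def acl_decision(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


class StatefulFirewall:
    """Simplified model: the ACL is consulted only for NEW inside-initiated flows."""

    def __init__(self, inside_acl):
        self.inside_acl = inside_acl
        self.connections = set()  # (initiator ip, port, responder ip, port)

    def new_from_tunnel(self, src, sport, dst, dport):
        # Assumption: decrypted tunnel traffic is admitted without an ACL check.
        self.connections.add((src, sport, dst, dport))
        return "permit"

    def packet_from_inside(self, src, sport, dst, dport):
        # A reply to a flow the remote side opened matches the state table.
        if (dst, dport, src, sport) in self.connections:
            return "permit"
        action = acl_decision(self.inside_acl, src, dst)
        if action == "permit":
            self.connections.add((src, sport, dst, dport))
        return action


def demo():
    """Constructed hosts: 192.168.27.10 (local side), 192.168.3.20 (remote side)."""
    fw = StatefulFirewall(INSIDE_ACL)
    out = {}
    # 27.0 host tries to open a connection to the 3.0 network: blocked.
    out["27_opens_to_3"] = fw.packet_from_inside("192.168.27.10", 40000, "192.168.3.20", 445)
    # 3.0 host opens a connection through the tunnel; the reply is allowed by state.
    fw.new_from_tunnel("192.168.3.20", 51000, "192.168.27.10", 3389)
    out["reply_to_3"] = fw.packet_from_inside("192.168.27.10", 3389, "192.168.3.20", 51000)
    # The existing flow does not open the door for a new 27.0 -> 3.0 connection.
    out["27_opens_again"] = fw.packet_from_inside("192.168.27.10", 40001, "192.168.3.20", 445)
    # Traffic to the other networks is still permitted by the second entry.
    out["27_to_10_10"] = fw.packet_from_inside("192.168.27.10", 40002, "10.10.0.5", 80)
    return out


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Reversing the two entries, or leaving out the final permit, changes the outcome: the first match decides, and an ACL with only the deny line drops everything else through the implicit deny.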
-
Maximum interfaces for WAN load balancing
Hi all
Do you know the maximum number of WAN interfaces that I can use for load balancing?
Hi Iimran,
Let's say your SonicWall has N interfaces. You can use (N-1) WAN interfaces for load balancing.
Kind regards
Barath R
#IWork4Dell
-
How to choose the right MTU size for the WAN interface?
Hello
I would like to know how to determine the right MTU size to set in the properties of the WAN interface (in my case, NSA appliances).
First of all, I noticed that with SonicOS Enhanced 5.9.x, there is a diagnostic tool called PMTU discovery:
This tool is not available with SonicOS Enhanced 5.8.x.
I guess using this built-in tool is a way to determine the right MTU size to apply.
Second, for SonicOS versions that do not have this tool, and just to understand how to determine the MTU size manually, I would like to know what method to follow.
On the Internet, I found this method using the ping -f -l command. Once you have determined the largest possible packet size, it asks you to add 28 to that number, and you get the MTU size to set on the interface.
Case study:
In my business, there are 2 sites: 1 in China and 1 in South Korea. Both have a firewall SonicWALL NSA.
To determine the MTU size that is applicable from the Chinese site, I get the same results with the 2 methods mentioned above.
With the help of PMTU discovery:
I used 2 IPs: 8.8.8.8 and the Korean FW WAN IP. I get the same result: 1500.
However, I noticed that the MTU size must be set to its maximum (1500) in the properties of the WAN interface for this test to work properly. Indeed, when I set it to 1404 to test, PMTU discovery finds 1404 as the MTU size:
With the help of ping -f -l:
When using the ping method with the Korean FW WAN IP, I found 1472 as the maximum packet size:
According to the method I've read on the Internet, adding 28 gives me an MTU of 1500, the same size as with the PMTU discovery method.
My question is: can you confirm that these 2 methods correctly determine the MTU size to set on the WAN interface? Especially the one with the ping command? If not, what should I do?
Thanks in advance for your comments.
I can tell you that as technicians, we use the CMD line method to adjust the MTU on WAN interfaces. We saw this as a number to work with.
Thank you
Ben D
#Iwork4Dell
-
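The `ping -f -l` method from the MTU thread above, as an added Python sketch that is not part of the original posts. The 28 bytes added to the payload are the 20-byte IPv4 header plus the 8-byte ICMP echo header; the probe here is a constructed stand-in for one `ping -f -l <size> <host>` attempt so the search runs offline, and the function names and the 1492-byte hop are assumptions for illustration.

```python
IPV4_HEADER = 20                      # bytes, IPv4 header without options
ICMP_HEADER = 8                       # bytes, ICMP echo request header
OVERHEAD = IPV4_HEADER + ICMP_HEADER  # the "28" added to the ping payload size


def simulated_probe(local_mtu, hop_mtus):
    """Stand-in for one `ping -f -l payload host` attempt (constructed, offline).

    A don't-fragment packet gets through only if payload + headers fits the
    sender's own interface MTU and every hop on the path.
    """
    limit = min([local_mtu, *hop_mtus])

    def probe(payload):
        return payload + OVERHEAD <= limit

    return probe


def largest_df_payload(probe, low=0, high=8972):
    """Binary-search the largest payload that passes with DF set.

    Returns None when even the smallest probe fails (host unreachable or
    ICMP filtered), because then the search says nothing about the MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always shrinks
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def measured_mtu(probe):
    """Largest passing payload plus IPv4 and ICMP headers."""
    payload = largest_df_payload(probe)
    return None if payload is None else payload + OVERHEAD


if __name__ == "__main__":
    # Case from the thread: WAN interface at 1500, clean 1500-byte path.
    print(largest_df_payload(simulated_probe(1500, [1500, 1500])))  # payload
    print(measured_mtu(simulated_probe(1500, [1500, 1500])))        # MTU
    # Interface lowered to 1404, as the poster tried: the result is capped
    # by the local setting, not by the path.
    print(measured_mtu(simulated_probe(1404, [1500, 1500])))
    # Constructed path with one 1492-byte hop and the interface at 1500.
    print(measured_mtu(simulated_probe(1500, [1500, 1492, 1500])))
```

Both methods in the thread measure the minimum of the local interface MTU and the path, which is why the test has to be run with the interface at its maximum before the result says anything about the path.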
RV180W and WAN traffic meter (bug?)
Hello!
I have an RV180W (firmware 1.0.1.9) and 1 Gbps internet.
When I turn on the WAN traffic meter, the WAN speed drops to 100 Mbps.
I have not found any suggestions in the official documentation.
Is this a bug or an undocumented feature?
Hello, this is a documented problem
WAN Download won't exceed 60Mbps for the RV180 when WAN Traffic Meter is enable.
WAN Download won't exceed 90Mbps for the RV180W when WAN Traffic Meter is enable.
- Firmware's: 1.0.0.30 and 1.0.1.9;
-Tom
Please rate helpful messages
-
Several DMVPN Instances on the same WAN Interface
Hi people,
Is it possible to run several instances of DMVPN on one WAN interface? Can we, for example, configure 3 tunnels on a router using the same WAN interface but running separate instances of EIGRP for each tunnel?
Kindly let me know,
Alioune
Hi Martin,
Yes, you can create DMVPN as you say with one WAN interface, it's possible... you can have several tunnel interfaces pointing to one WAN interface as the source interface, which is located in a public area... with different public IPs as the tunnel destination...
interface Tunnel1
description * A - VPN Tunnel *
bandwidth 100000
ip vrf forwarding Red
ip address 10.0.252.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1500
load-interval 60
tunnel source GigabitEthernet0/0 (WAN Interface)
tunnel destination 1.1.1.1
tunnel protection ipsec profile dmvpn
!
interface Tunnel1
description * B - VPN Tunnel *
bandwidth 100000
ip vrf forwarding Red
ip address 10.0.252.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1500
load-interval 60
tunnel source GigabitEthernet0/0 (WAN Interface)
tunnel destination 2.1.1.1
tunnel protection ipsec profile dmvpn
!
like the above... example...
Please rate if the information provided is useful!