Access rule ?

Hello all: I need to block several users from accessing web access. So I went in the set up two rules:
1. Default - Deny Everyone
2. Allow - Only people allowed to access
However, the above rules fail to block ANYONE. So did this:
1. Default - Deny Everyone
2. Allow - Only people allowed to access
3. Deny - Deny everyone except those in #2.
This works fine. Why did my first attempt fail? They seem to be very similar (logic wise that is).
Thanks, Chris.

Chris,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://forums.novell.com/

Similar Messages

  • ASA 5505, error in Access Rule

    Hello.
    Tha ASA 5505 is working, but I try to allow http and https from internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an Object called SERVER with IP 192.168.0.100
    The outside Interface is called ICE
    I have configured NAT:
    I have also configured Access Rules:
    But when I test it With the Packet Tracer I get an error:
    Whats wrong With the Access Rule?
    I do prefer the ASDM :)
    Best regards Andreas

    Hello Jeevak.
    This is the running config (Vlan 13 (Interface ICE) is the one in use:
    domain-name DOMAIN.local
    names
    name 192.168.0.150 Server1 description SBS 2003 Server
    name 192.168.10.10 IP_ICE
    name x.x.x.0 outside-network
    name x.x.x.7 IP_outside
    name 192.168.0.100 SERVER description Hovedserver
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Vlan2
     description Direct Connect
     backup interface Vlan13
     nameif outside
     security-level 0
     pppoe client vpdn group PPPoE_DirectConnect
     ip address pppoe
    interface Vlan3
     description Gjestenettet
     nameif dmz
     security-level 50
     ip address 10.0.0.1 255.255.255.0
    interface Vlan13
     description Backupnett ICE
     nameif ICE
     security-level 0
     ip address IP_ICE 255.255.255.0
    interface Vlan23
     description
     nameif USER
     security-level 50
     ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 13
    interface Ethernet0/2
     switchport access vlan 23
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 3
    interface Ethernet0/7
     switchport access vlan 3
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup dmz
    dns server-group DefaultDNS
     domain-name DOMAIN.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any host IP_outside eq https
    access-list outside_access_in extended permit tcp any host IP_outside eq www
    access-list outside_access_in extended permit icmp any host IP_outside echo-reply
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list DOMAINVPN_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
    access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list ICE_access_in extended permit tcp any host IP_ICE eq https
    access-list ICE_access_in extended permit tcp any host IP_ICE eq www
    access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
    access-list ICE_access_in remark For RWW
    access-list ICE_access_in remark For RWW
    access-list USER_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu ICE 1500
    mtu USER 1500
    ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz
    monitor-interface ICE
    monitor-interface USER
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit outside-network 255.255.255.0 outside
    icmp permit 192.168.10.0 255.255.255.0 ICE
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (ICE) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.0.0 255.255.255.0
    nat (USER) 1 10.1.1.0 255.255.255.0
    static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
    static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group ICE_access_in in interface ICE
    access-group USER_access_in in interface USER
    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
    route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 1
     type echo protocol ipIcmpEcho x.x.x.1 interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 1 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    track 123 rtr 1 reachability
    no vpn-addr-assign local
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 10.0.0.10-10.0.0.39 dmz
    dhcpd dns y.y.y.2 z.z.z.z interface dmz
    dhcpd lease 6000 interface dmz
    dhcpd enable dmz
    dhcpd address 10.1.1.100-10.1.1.120 USER
    dhcpd dns y.y.y.2 z.z.z.z interface USER
    dhcpd lease 6000 interface USER
    dhcpd domain USER interface USER
    dhcpd enable USER
    ntp server 64.0.0.2 source outside
    group-policy DOMAIN_VPN internal
    group-policy DOMAIN_VPN attributes
     dns-server value 192.168.0.150
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
     default-domain value DOMAIN.local
    class-map inspection_default
     match default-inspection-traffic
    class-map imblock
     match any
    class-map P2P
     match port tcp eq www
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect im impolicy
     parameters
     match protocol msn-im yahoo-im
      drop-connection log
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    policy-map type inspect http P2P_HTTP
     parameters
     match request uri regex _default_gator
      drop-connection log
     match request uri regex _default_x-kazaa-network
      drop-connection log
     match request uri regex _default_msn-messenger
      drop-connection log
     match request uri regex _default_gnu-http-tunnel_arg
      drop-connection log
    policy-map IM_P2P
     class imblock
      inspect im impolicy
     class P2P
      inspect http P2P_HTTP
    service-policy global_policy global
    service-policy IM_P2P interface inside
    prompt hostname context
    : end
    asdm image disk0:/asdm-524.bin
    asdm location Server1 255.255.255.255 inside
    asdm location IP_ICE 255.255.255.255 inside
    asdm location outside-network 255.255.255.0 inside
    asdm location SERVER 255.255.255.255 inside
    no asdm history enable
    What is wrong? Everything Works well except port forwarding.
    Andreas

  • Problem with nat / access rule for webserver in inside network asa 5505 7.2

    Hello,
    i have trouble setting up nat and access rule for webserver located in inside network.
    I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
    Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
    I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
    What am i doing wrong?

    Command:
    packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.123.0   255.255.255.0   inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x35418d8, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=188.x.x.213, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

  • High memory usage and error creating access rules

    Hi guys
    I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 8.2.5.33 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error
    So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
    I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.
    Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
    Regards

    Hi,
    Can you check what is the amount of ACEs you have on the ACLs in use?
    I think if you use the command "show access-list " the first line should give you the total amount of ACEs in the ACL
    - Jouni

  • Not showing top 10 access rule after upgrade to 9.1(5)

    Hi
    I have recently upgraded ASA 5505 from 8.2 to 9.1 and the ASDM to 7.3 but I can no longer can view the Top 10 Access Rules on the home tab. Is it a bug or do I have to enable anything?
    I hope someone can help.

    Hi Andre
    for security reasons I cannot give you the Access rules page. FYI the logging is enabled
    However in the home page , when I click on show rule it says the following
    Unable to determine corresponding access rule The configuration in ASDM may be out of sync with the device. Please refreah configuration and try again
    I refreshed the screen and no change. Welcome any advise.

  • WRT110: I want to create an access rule for one client for one application during one time period

    I have a problem with one of the clients on my LAN which is running uTorrent to detriment of everyone else. It saturates the pipe. I have been unable to prod this user into bothering to tweak their settings to throttle bandwidth back and so have resorted to an access rule on the router which kicks that MAC address off during a particular time period during the day. But as irritated as I am about this slacker sense of outrageous entitlement, kicking them off entirely seems a tad heavy handed even for me.
    So, In the router I can create a rule per MAC address and specify time. But is it possible to limit this to denying uTorrent ONLY? And if so what port or port ranges would I use.
    Alternatively I already use a QoS setting for one of my VoIP TA's. Would I gain anything by degrading the application indirectly by creating a QoS = LOW for that port range? Again, I don't really care about any other application, just uTorrent and just that client. How much degradation is there really in setting QoS to LOW?

    Well it wont make much difference, when you enable QOS service on your router. Yes it is possible to Deny uTorrent application from your Router. When you are Under "Application and Gaming" Tab, Under "Blocked Application" you will find "Application Name" , "Port Range" and "Protocol" so you need to input under Application Name "uTorrent" and under port range you need to input the port number which uTorrent application use and then under protocol select "Both" and click on ADD. Then again in Application you will find uTorrent , select and click on (>>) right arrow so it will block that application on your Router. By doing this it will block uTorrent from your Router.

  • 5520 to 5525 all access rules being ignored.

    I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working.  Could someone take a look at our config and maybe inlighten me on the problem please.  Thanks,
    http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
    : Saved
    : Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
    ASA Version 8.6(1)2
    hostname ColASA01-HA
    domain-name corp.COMPANY.com
    names
    name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
    name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
    name 74.XXX.XXX.132 ColVPN- description Colo VPN External
    name 172.22.5.138 ww2 description ww2 Internal
    name 74.XXX.XXX.138 ww2- description ww2 External
    name 172.22.5.139 www1 description www1 Internal
    name 74.XXX.XXX.139 www1- description www1 External
    name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
    name 172.22.5.143 ColSysAid description ColSysAid Internal
    name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
    name 172.22.5.141 Colww3 description Colww3 Internal
    name 74.XXX.XXX.141 Colww3- description Colww3 External
    name 10.1.1.100 Facts description Facts Internal
    name 74.XXX.XXX.135 Facts- description Facts External
    name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
    name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
    name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
    name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
    name 172.22.5.146 ColBI01 description ColBI01 Internal
    name 74.XXX.XXX.146 ColBI01- description ColBI01 External
    name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
    name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
    name 172.22.5.149 ambutrak description AmbuTRAK Internal
    name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
    name 172.22.5.136 NSTrax description NSTrax Internal
    name 74.XXX.XXX.136 NSTrax- description NSTrax External
    name 172.22.5.150 btmu description BTMU Internal
    name 74.XXX.XXX.150 btmu- description BTMU External
    name 172.22.5.155 w2k-isoft description w2k-isoft Internal
    name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
    name 172.22.5.142 Colexch01 description Colexch01 Internal
    name 172.22.5.151 Coltixdb description Coltxdb Internal
    name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
    name 172.22.5.156 colexcas description colexcas Internal
    name 74.XXX.XXX.156 colexcas- description colexcas External
    name 172.22.3.74 colexcas01 description colexcas01 Internal
    name 172.22.3.75 colexcas02 description colexcas02 Internal
    name 172.22.5.157 ColFTP01 description ColFTP01 Internal
    name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
    name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
    name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
    name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
    name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
    name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
    name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
    name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
    name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
    name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
    name 172.22.5.153 colas2 description colas2 Internal
    name 172.22.5.160 colww5 description colww5 Internal
    name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
    name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
    name 172.22.3.100 ColVPN description Colo VPN Internal
    name 172.22.5.134 intra.COMPANY.com description on NewPortal
    name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
    name 10.1.0.80 asgard description asgard Internal
    name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
    name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
    name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
    name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
    name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
    name 10.1.0.87 dubexcas description Dublin CAS NLB
    name 10.1.0.85 dubexcas01 description Dublin CAS Server
    name 10.1.0.86 dubexcas02 description Dublin CAS Server
    name 74.XXX.XXX.166 collync01- description Lync Edge Server External
    name 74.XXX.XXX.167 coltmg01- description TMG Server External
    name 172.23.2.166 collync01 description Lync Edge Server DMZ
    name 172.23.2.167 coltmg01 description TMG Server DMZ
    name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
    name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
    name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
    name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
    name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
    name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
    name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
    name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
    name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
    name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
    name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
    name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
    name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
    name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
    name 10.1.0.0 DublinData description Dublin Data Network
    name 10.2.0.0 SouthavenData description Southaven Data Network
    name 10.0.0.0 BrentwoodData description Brentwood Data Network
    name 10.8.0.0 GilbertData description Gilbert Data Network
    name 10.101.0.0 DublinVoIP description Dublin VoIP Network
    name 10.110.0.0 PMI_SonicWALL-VOICSubnet
    name 172.24.3.50 ColUT04-PCITrust
    name 172.22.3.31 coldc01
    name 172.22.3.4 coldc02
    name 172.22.3.23 ColWSUS02 description Windows Update Server
    name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
    name 172.22.3.150 ColPRTG01 description PRTG Monitor
    dns-guard
    interface GigabitEthernet0/0
    description Connected to Internet via COLRTR01
    speed 100
    duplex full
    shutdown
    nameif outside
    security-level 0
    ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
    ospf cost 10
    interface GigabitEthernet0/1
    description Connected to Colo LAN
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
    ospf cost 10
    authentication key eigrp 10 Fiyalt1 key-id 1
    authentication mode eigrp 10 md5
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 10
    ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
    ospf cost 10
    interface GigabitEthernet0/3
    description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
    nameif Colo_PCI_Trust
    security-level 100
    ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
    ospf cost 10
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    description LAN/STATE Failover Interface
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
    ospf cost 10
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name corp.COMPANY.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-172.22.255.0
    subnet 172.22.255.0 255.255.255.0
    object network PMI_SonicWALL-Subnet
    subnet 10.10.0.0 255.255.0.0
    object network obj-172.24.3.0
    subnet 172.24.3.0 255.255.255.0
    object network ColWSUS02
    host 172.22.3.23
    object network ambutrak
    host 172.22.5.149
    object network ambutrak-
    host 74.XXX.XXX.149
    object network btmu
    host 172.22.5.150
    object network btmu-
    host 74.XXX.XXX.150
    object network ColBarracuda
    host 172.22.5.133
    object network ColBarracuda-
    host 74.XXX.XXX.133
    object network ColBI01
    host 172.22.5.146
    object network ColBI01-
    host 74.XXX.XXX.146
    object network colexcas
    host 172.22.5.156
    object network colexcas-
    host 74.XXX.XXX.156
    object network ColMOSS01
    host 172.22.5.147
    object network ColMOSS01-
    host 74.XXX.XXX.147
    object network COMPANY.com
    host 172.22.5.154
    object network COMPANY.com-
    host 74.XXX.XXX.154
    object network Coltixdb
    host 172.22.5.151
    object network Coltixdb-
    host 74.XXX.XXX.151
    object network Colww3
    host 172.22.5.141
    object network Colww3-
    host 74.XXX.XXX.141
    object network ColSysAid
    host 172.22.5.143
    object network ColSysAid-
    host 74.XXX.XXX.143
    object network ColVPN
    host 172.22.3.100
    object network ColVPN-
    host 74.XXX.XXX.132
    object network colas2
    host 172.22.5.153
    object network as2.COMPANY.com-
    host 74.XXX.XXX.153
    object network Dubmss01
    host 10.101.0.24
    object network Dubmss01-
    host 74.XXX.XXX.145
    object network Facts
    host 10.1.1.100
    object network Facts-
    host 74.XXX.XXX.135
    object network ftp.COMPANY.co.uk
    host 172.22.5.144
    object network ftp.boundree.co.uk-
    host 74.XXX.XXX.144
    object network NSTrax
    host 172.22.5.136
    object network NSTrax-
    host 74.XXX.XXX.136
    object network w2k-isoft
    host 172.22.5.155
    object network w2k-isoft-
    host 74.XXX.XXX.155
    object network www1
    host 172.22.5.139
    object network www1-
    host 74.XXX.XXX.139
    object network ww2
    host 172.22.5.138
    object network ww2-
    host 74.XXX.XXX.138
    object network ColFTP01
    host 172.22.5.157
    object network ColFTP01-
    host 74.XXX.XXX.157
    object network www.COMPANY.com
    host 172.22.5.158
    object network www.COMPANY.com-
    host 74.XXX.XXX.158
    object network act.COMPANY.com
    host 172.22.5.159
    object network act.COMPANY.com-
    host 74.XXX.XXX.159
    object network colww5
    host 172.22.5.160
    object network Rewards.COMPANY.com-
    host 74.XXX.XXX.160
    object network ColdevAS2
    host 172.22.5.161
    object network as2test.COMPANY.com-
    host 74.XXX.XXX.161
    object network intra.COMPANY.com
    host 172.22.5.134
    object network intra.COMPANY.com-
    host 74.XXX.XXX.134
    object network asgard
    host 10.1.0.80
    object network www.COMPANY.net-
    host 74.XXX.XXX.163
    object network crmws.COMPANY.com
    host 172.22.5.165
    object network crmws.COMPANY.com-
    host 74.XXX.XXX.165
    object network dubngwt
    host 10.1.5.137
    object network dubngwt-
    host 74.XXX.XXX.137
    object network COMPANYfed.com
    host 172.22.5.168
    object network COMPANYfed.com-
    host 74.XXX.XXX.168
    object network www1.COMPANYfed.com
    host 172.22.3.63
    object network www1.COMPANYfed.com-
    host 74.XXX.XXX.171
    object network www2.COMPANYfed.com
    host 172.22.3.64
    object network www2.COMPANYfed.com-
    host 74.XXX.XXX.172
    object network www1.COMPANY.com
    host 172.22.3.60
    object network www1.COMPANY.com-
    host 74.XXX.XXX.169
    object network www2.COMPANY.com
    host 172.22.3.61
    object network www2.COMPANY.com-
    host 74.XXX.XXX.170
    object network ColPRTG01
    host 172.22.3.150
    object network monitor.COMPANY.com-
    host 74.XXX.XXX.175
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network collync01
    host 172.23.2.166
    object network collync01-
    host 74.XXX.XXX.166
    object network coltmg01
    host 172.23.2.167
    object network coltmg01-
    host 74.XXX.XXX.167
    object-group service DM_INLINE_SERVICE_1
    service-object gre
    service-object tcp destination eq pptp
    object-group service Barracuda tcp
    port-object eq 8000
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object eq ssh
    group-object Barracuda
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_5 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq www
    port-object eq https
    object-group service mySQL tcp
    description mySQL Database
    port-object eq 3306
    object-group service DM_INLINE_TCP_9 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_10 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_11 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_12 tcp
    port-object eq www
    port-object eq https
    object-group service as2 tcp
    description as2
    port-object eq 4080
    port-object eq 5080
    port-object eq https
    port-object eq 6080
    object-group network DM_INLINE_NETWORK_2
    network-object host ColBarracuda
    network-object host ww2
    network-object host www1
    network-object host colexcas01
    network-object host colexcas02
    network-object host colexcas
    network-object host test.COMPANY.com
    network-object host colexcas01NLB
    network-object host colexcas02NLB
    network-object host dubexcas01
    network-object host dubexcas02
    network-object host dubexcas
    object-group service SQLServer tcp
    description Microsoft SQL Server
    port-object eq 1433
    object-group service DM_INLINE_TCP_13 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_14 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_15 tcp
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_1
    network-object host as2.COMPANY.com-
    network-object host as2test.COMPANY.com-
    object-group service DM_INLINE_TCP_6 tcp
    port-object eq www
    port-object eq https
    object-group service rdp tcp
    description Remote Desktop Protocol
    port-object eq 3389
    object-group service DM_INLINE_TCP_8 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_16 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_17 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_4 tcp
    port-object eq www
    port-object eq https
    object-group service LyncEdge tcp-udp
    description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
    port-object eq 3478
    port-object eq 443
    port-object eq 444
    port-object range 50000 59999
    port-object eq 5061
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_18 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_19 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_20 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_21 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_22 tcp
    port-object eq www
    port-object eq https
    object-group network PMIVPNNetworks
    description VPN Networks to PMI
    network-object BrentwoodData 255.255.0.0
    network-object DublinData 255.255.0.0
    network-object SouthavenData 255.255.0.0
    network-object GilbertData 255.255.0.0
    network-object 172.22.0.0 255.255.0.0
    network-object DublinVoIP 255.255.0.0
    object-group network PMI_SonicWALL-Subnets
    network-object PMI_SonicWALL-Subnet 255.255.0.0
    network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
    object-group network COLDCs
    network-object host coldc01
    network-object host coldc02
    access-list inside_access_in remark Allow SMTP from certain servers.
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
    access-list inside_access_in remark No SMTP except from allowed servers
    access-list inside_access_in extended deny tcp any any eq smtp log errors
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in remark For debugging (can enable logging)
    access-list inside_access_in extended deny ip any any
    access-list outside_access_in remark Allow Ping
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark Allow VPN
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
    access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
    access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
    access-list outside_access_in remark Allow SMTP, SSH, and Web
    access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
    access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
    access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
    access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
    access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
    access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
    access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
    access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
    access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
    access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
    access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
    access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
    access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
    access-list outside_access_in remark Allow SSH to Facts
    access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
    access-list outside_access_in remark Allow mySQL to NSTrax for IQ
    access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
    access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
    access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
    access-list outside_access_in remark Allow IMAP to the Voice Mail Server
    access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
    access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
    access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
    access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
    access-list outside_access_in extended permit tcp any object btmu- eq ftp
    access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
    access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
    access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
    access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
    access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
    access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
    access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
    access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
    access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
    access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
    access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
    access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
    access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
    access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
    access-list outside_access_in remark Allow AS2 to w2k-isoft
    access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
    access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
    access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
    access-list outside_access_in remark Allow FTP to ColFTP01
    access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
    access-list outside_access_in remark allow http/https access in intra.COMPANY.com
    access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
    access-list outside_access_in remark Allow http and https to asgard
    access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
    access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
    access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
    access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
    access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
    access-list outside_access_in remark Allow Lync Edgel traffic to collync01
    access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
    access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
    access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
    access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
    access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
    access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
    access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
    access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
    access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
    access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
    access-list outside_access_in remark For debugging (can enable logging)
    access-list outside_access_in extended deny ip any any
    access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
    access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
    access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
    access-list Colo_PCI_Trust_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm warnings
    logging mail critical
    logging from-address [email protected]
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu Colo_PCI_Trust 1500
    mtu management 1500
    ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface HA GigabitEthernet0/7
    failover key Fiyalt!
    failover link HA GigabitEthernet0/7
    failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
    no monitor-interface DMZ
    no monitor-interface Colo_PCI_Trust
    no monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
    asdm image disk0:/asdm-66114.bin
    asdm location ColVPN- 255.255.255.255 inside
    asdm location ColBarracuda- 255.255.255.255 inside
    asdm location ColBarracuda 255.255.255.255 inside
    asdm location ww2- 255.255.255.255 inside
    asdm location www1- 255.255.255.255 inside
    asdm location ww2 255.255.255.255 inside
    asdm location www1 255.255.255.255 inside
    asdm location Colww3- 255.255.255.255 inside
    asdm location Colww3 255.255.255.255 inside
    asdm location ColSysAid- 255.255.255.255 inside
    asdm location ColSysAid 255.255.255.255 inside
    asdm location Facts 255.255.255.255 inside
    asdm location Facts- 255.255.255.255 inside
    asdm location NSTrax- 255.255.255.255 inside
    asdm location ftp.boundree.co.uk- 255.255.255.255 inside
    asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
    asdm location Dubmss01 255.255.255.255 inside
    asdm location Dubmss01- 255.255.255.255 inside
    asdm location ColBI01- 255.255.255.255 inside
    asdm location ColBI01 255.255.255.255 inside
    asdm location ColMOSS01 255.255.255.255 inside
    asdm location ColMOSS01- 255.255.255.255 inside
    asdm location ambutrak- 255.255.255.255 inside
    asdm location ambutrak 255.255.255.255 inside
    asdm location NSTrax 255.255.255.255 inside
    asdm location btmu- 255.255.255.255 inside
    asdm location btmu 255.255.255.255 inside
    asdm location COMPANY.com- 255.255.255.255 inside
    asdm location COMPANY.com 255.255.255.255 inside
    asdm location as2.COMPANY.com- 255.255.255.255 inside
    asdm location colas2 255.255.255.255 inside
    asdm location w2k-isoft- 255.255.255.255 inside
    asdm location w2k-isoft 255.255.255.255 inside
    asdm location Coltixdb- 255.255.255.255 inside
    asdm location Coltixdb 255.255.255.255 inside
    asdm location colexcas- 255.255.255.255 inside
    asdm location colexcas01 255.255.255.255 inside
    asdm location colexcas02 255.255.255.255 inside
    asdm location colexcas 255.255.255.255 inside
    asdm location ColFTP01- 255.255.255.255 inside
    asdm location ColFTP01 255.255.255.255 inside
    asdm location www.COMPANY.com- 255.255.255.255 inside
    asdm location www.COMPANY.com 255.255.255.255 inside
    asdm location act.COMPANY.com- 255.255.255.255 inside
    asdm location act.COMPANY.com 255.255.255.255 inside
    asdm location Rewards.COMPANY.com- 255.255.255.255 inside
    asdm location colww5 255.255.255.255 inside
    asdm location as2test.COMPANY.com- 255.255.255.255 inside
    asdm location ColdevAS2 255.255.255.255 inside
    asdm location test.COMPANY.com 255.255.255.255 inside
    asdm location colexcas01NLB 255.255.255.255 inside
    asdm location colexcas02NLB 255.255.255.255 inside
    asdm location ColVPN 255.255.255.255 inside
    asdm location intra.COMPANY.com- 255.255.255.255 inside
    asdm location intra.COMPANY.com 255.255.255.255 inside
    asdm location asgard 255.255.255.255 inside
    asdm location www.COMPANY.net- 255.255.255.255 inside
    asdm location crmws.COMPANY.com- 255.255.255.255 inside
    asdm location crmws.COMPANY.com 255.255.255.255 inside
    asdm location dubngwt- 255.255.255.255 inside
    asdm location dubngwt 255.255.255.255 inside
    asdm location dubexcas01 255.255.255.255 inside
    asdm location dubexcas02 255.255.255.255 inside
    asdm location dubexcas 255.255.255.255 inside
    asdm location collync01- 255.255.255.255 inside
    asdm location coltmg01- 255.255.255.255 inside
    asdm location collync01 255.255.255.255 inside
    asdm location coltmg01 255.255.255.255 inside
    asdm location COMPANYfed.com- 255.255.255.255 inside
    asdm location COMPANYfed.com 255.255.255.255 inside
    asdm location www1.COMPANY.com- 255.255.255.255 inside
    asdm location www2.COMPANY.com- 255.255.255.255 inside
    asdm location www1.COMPANYfed.com- 255.255.255.255 inside
    asdm location www2.COMPANYfed.com- 255.255.255.255 inside
    asdm location www1.COMPANY.com 255.255.255.255 inside
    asdm location www2.COMPANY.com 255.255.255.255 inside
    asdm location www1.COMPANYfed.com 255.255.255.255 inside
    asdm location www2.COMPANYfed.com 255.255.255.255 inside
    asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
    asdm location PMISonicWALL 255.255.255.255 inside
    asdm location BrentwoodData 255.255.0.0 inside
    asdm location GilbertData 255.255.0.0 inside
    asdm location coldc01 255.255.255.255 inside
    asdm location coldc02 255.255.255.255 inside
    asdm location ColWSUS02 255.255.255.255 inside
    asdm location monitor.COMPANY.com- 255.255.255.255 inside
    asdm location ColPRTG01 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
    nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
    nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
    nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
    object network ambutrak
    nat (inside,outside) static ambutrak-
    object network btmu
    nat (inside,outside) static btmu-
    object network ColBarracuda
    nat (inside,outside) static ColBarracuda-
    object network ColBI01
    nat (inside,outside) static ColBI01-
    object network colexcas
    nat (inside,outside) static colexcas-
    object network ColMOSS01
    nat (inside,outside) static ColMOSS01-
    object network COMPANY.com
    nat (inside,outside) static COMPANY.com-
    object network Coltixdb
    nat (inside,outside) static Coltixdb-
    object network Colww3
    nat (inside,outside) static Colww3-
    object network ColSysAid
    nat (inside,outside) static ColSysAid-
    object network ColVPN
    nat (inside,outside) static ColVPN-
    object network colas2
    nat (inside,outside) static as2.COMPANY.com-
    object network Dubmss01
    nat (inside,outside) static Dubmss01-
    object network Facts
    nat (inside,outside) static Facts-
    object network ftp.COMPANY.co.uk
    nat (inside,outside) static ftp.COMPANY.co.uk-
    object network NSTrax
    nat (inside,outside) static NSTrax-
    object network w2k-isoft
    nat (inside,outside) static w2k-isoft-
    object network www1
    nat (inside,outside) static www1-
    object network ww2
    nat (inside,outside) static ww2-
    object network ColFTP01
    nat (inside,outside) static ColFTP01-
    object network www.COMPANY.com
    nat (inside,outside) static www.COMPANY.com-
    object network act.COMPANY.com
    nat (inside,outside) static act.COMPANY.com-
    object network colww5
    nat (inside,outside) static Rewards.COMPANY.com-
    object network ColdevAS2
    nat (inside,outside) static as2test.COMPANY.com-
    object network intra.COMPANY.com
    nat (inside,outside) static intra.COMPANY.com-
    object network asgard
    nat (inside,outside) static www.COMPANY.net-
    object network crmws.COMPANY.com
    nat (inside,outside) static crmws.COMPANY.com-
    object network dubngwt
    nat (inside,outside) static dubngwt-
    object network COMPANYfed.com
    nat (inside,outside) static COMPANYfed.com-
    object network www1.COMPANYfed.com
    nat (inside,outside) static www1.COMPANYfed.com-
    object network www2.COMPANYfed.com
    nat (inside,outside) static www2.COMPANYfed.com-
    object network www1.COMPANY.com
    nat (inside,outside) static www1.COMPANY.com-
    object network www2.COMPANY.com
    nat (inside,outside) static www2.COMPANY.com-
    object network ColPRTG01
    nat (inside,outside) static monitor.COMPANY.com-
    object network obj_any
    nat (inside,outside) dynamic 74.XXX.XXX.131
    object network collync01
    nat (DMZ,outside) static collync01-
    object network coltmg01
    nat (DMZ,outside) static coltmg01-
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
    router eigrp 10
    no auto-summary
    eigrp router-id 172.22.1.8
    network 172.22.0.0 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Colo protocol radius
    aaa-server Colo (inside) host coldc02
    timeout 5
    key Bound/\Tree
    radius-common-pw Bound/\Tree
    aaa-server Colo (inside) host coldc01
    timeout 5
    key Bound/\Tree
    user-identity default-domain LOCAL
    http server enable
    http 172.22.0.0 255.255.0.0 inside
    http DublinData 255.255.0.0 inside
    http DublinData 255.255.0.0 management
    snmp-server host inside 10.1.0.59 community public
    snmp-server host inside ColPRTG01 community public
    snmp-server location Columbus, OH - Colo
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer PMISonicWALL
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set nat-t-disable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    telnet BrentwoodData 255.0.0.0 inside
    telnet coldc02 255.255.255.255 inside
    telnet DublinData 255.255.0.0 management
    telnet timeout 5
    ssh 172.22.0.0 255.255.0.0 inside
    ssh DublinData 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 74.14.179.211 source outside prefer
    ntp server 69.64.72.238 source outside prefer
    ntp server coldc02 source inside
    ntp server 74.120.8.2 source outside prefer
    ntp server 108.61.56.35 source outside prefer
    ntp server coldc01 source inside
    webvpn
    group-policy GroupPolicy_74.XXX.XXX.130 internal
    group-policy GroupPolicy_74.XXX.XXX.130 attributes
    vpn-tunnel-protocol ikev1
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 172.22.3.4 172.22.3.31
    vpn-tunnel-protocol ikev1
    default-domain value corp.COMPANY.com
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool vpnphone-ip-pool
    authentication-server-group Colo
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    ikev1 pre-shared-key *
    tunnel-group 184.XXX.XXX.226 type ipsec-l2l
    tunnel-group 184.XXX.XXX.226 ipsec-attributes
    ikev1 pre-shared-key *
    peer-id-validate nocheck
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect tftp
      inspect http
      inspect icmp
      inspect pptp
      inspect icmp error
      inspect ip-options
    class class-default
    service-policy global_policy global
    smtp-server 172.22.5.156
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 18
      subscribe-to-alert-group configuration periodic monthly 18
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:65e78911eefb94bd98892700b143f716
    : end

    Hi,
    Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
    If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
    The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
    So I am kind of wondering what the situation has actually been.
    But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
    The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
    - Jouni

  • GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Where as for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how can i activate the "rules" for the uploaded risk ??
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
    BUSINESS     Business Roles     SAP
    SAP_BAS_LG     SAP Basis     SAP
    SAP_CRM_LG     SAP CRM     SAP
    SAP_ECC_LG     SAP ECCS     SAP
    SAP_HR_LG     SAP HR     SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
    SAP_R3_LG     SAP R3     SAP
    SAP_SRM_LG     SAP SRM     SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
    Post this activity re generate SOD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh

  • RV180W - Access Rules Don't Work

    Hi,
    We have a RV180W and the Access Rules will not work.  I'm trying to block HTTP and HTTPS services for a specific workstation on our LAN, but the access rules don't seem to be working.  I've also tried blocking different services as well as ANY service, but it's not working.  I've tried rebooting the router after adjusting settings; I've tried adjusting services from the Port Forwarding menu first; and a couple weeks ago, I upgraded the firmware to version 1.0.2.6 and repeated all the previous steps.  Nothing seems to be working.  So far the only solution I could come up with is to block the workstation's MAC address altogether, but I don't want that because I still need it to hit the internet for other services.
    Thank you,
    Ryan

    These are the Access Rules I've tried (firmware v1.0.2.6):
    Outbound:
    Inbound along with the auto added Port Forwarding setting:

  • BM 3.9 Access Rules Work Only Once

    What I want:
    Access Rule that blocks ALL attempts to download in a browser any file that ends with a specific extension (.exe for example).
    What I have:
    Access Rule:
    Type: Port
    Source DNS Hostname: Any
    Destination DNS Hostname: *.exe
    Origin Server Port: 1-65535
    Action: Deny Access
    What is happening:
    I apply the rule and test and I am denied the first attempt.
    When another attempt is made, the action is allowed.
    Monitor shows the following error message when rules changes are applied:
    Unable to read configuration from NDS (error - -672)
    Note: I just removed ALL rules listed in iManager, saved and I am still able to access web pages. I though that by default access is denied?

    In article <[email protected]>, Johnefleming
    wrote:
    > I apply the rule and test and I am denied the first attempt.
    > When another attempt is made, the action is allowed.
    >
    > Monitor shows the following error message when rules changes are
    > applied:
    >
    > Unable to read configuration from NDS (error - -672)
    >
    Do you have a replica on the server?
    A 672 error sounds like something fundamentally wrong is going on with
    NDS on that server. You should have a replica on it that holds the
    server objects at least.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Applying new access rules fails.

    Netware 6.5 SP6 BM 3.9
    Ok, new problem. I am trying to add some new access rules to the list in a particular container. When I have defined the rule and click apply I get the following message - Unknown system error. This doesnt happen on the other container which already has rules defined in it. Are the rules from the higher level container being propogated down the tree as I assumed they would be ?
    ---treename 2 explicit deny rules for the whole company
    ------it This container to be exempt. cant add rule to allow all.
    ------helpdesk
    ------etc
    Another aside seems to be that even though "Enforce Access Rules" is always on sometimes the rules do not work and sometimes they do.
    Any help much appreciated.

    JeffSheehan,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com/ to search the knowledgebase and check the other support options available on that page under "Self Support" and "Support Programs".
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • RV082 Access Rules

    Good Day To All,
         We recently purchased a RV082 Firewall Router and I am having the headache of a lifetime with the access rules and port forwarding. I have read EVERY post possible and still cannot come to a conclusion of what I am doing wrong...
    First Question is the MAIL SERVER.. I could not get our email server to talk when setting this device to DMZ so for the time being I put it on LAN2 and attempted to set up an access rule Port 25 to the IP of the mail server. NO GO.. I had to port forward or it would not work.
    Now I want to deny access on port 25 over WAN1 201.X.X.108 but allow access over port 25 on WAN2 201.X.X.109 and this is where it's a NO GO. It doesnt matter what order I put the rules in, its still a no go. Furthermore if I take out the port forward 25 and put in the rules to allow ANY source to reach 25 on the mail server it ALSO does not work...
    This is what I have now and I can still access the email server on EITHER WAN address. I have tried to specifically DENY WAN1 but still no luck.
    FORWARD:
    PORT 25 to 192.168.0.221 is ENABLED
    ACCESS RULES: (in this order)
    ACTION: ALLOW
    SERVICE: SMTP:25
    SOURCE INTERFACE: WAN2
    SOURCE: ANY
    DESTINATION: 192.168.0.221
    TIME: ALWAYS
    ACTION: ALLOW
    SERVICE: SMTP:25
    SOURCE INTERFACE: LAN
    SOURCE: 192.168.0.221
    DESTINATION: ANY
    TIME: ALWAYS
    ACTION: DENY
    SERVICE: SMTP:25
    SOURCE INTERFACE: ANY
    SOURCE: ANY
    DESTINATION: ANY
    TIME: ALWAYS
    Now Second Question is pretty much the same but with SSH on port 22. I did this as a test and enabled SSH to the mail server.
    FORWARD:
    NOTHING SET
    ACTION: ALLOW
    SERVICE: SSH:22
    SOURCE INTERFACE: ANY
    SOURCE: ANY
    DESTINATION: 192.168.0.221
    TIME: ALWAYS
    Why would this not work? The ONLY was I can get an SSH:22 to work is if I port forward it and then the access rule when set to DENY ALL it still allows it on both WAN1 and WAN2...
    CONFUSED!
    HELP!
    PLEASE!
    The Screen shot was my last attempt at making SSH work...

    Esentially what I am trying to accomplish is to NOT have the port forward set. But in every case so far it seems as if the access rules DO NOT WORK at all.
    Even if I set SSH:22 to port forward and set a firewall rule to DENY ANY ANY ANY to ANY I can still SSH to the box

  • My Router Access Rule is getting deleted

    Hello,
    I set up an xbox360 with a static IP address on my home network.  My firewall is set to maximum and I need to set up some access rules for xbox live.  This was not difficult but what I've found is that after a few days the access rule is suddenly absent from the list (but the port forwarding rule remains).  why is this occurring?  This is an Actiontec router from Verizon.  
    Thanks

    Make sure to change the control password of the router, if you have not already.
    Look in the router in Advanced, for that setting.
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • Using domain names in access rules

    In an access-rule, is there a way to define a host by using its FQDN, without the IOS resolving the name to an IP address? My problem is that I'm trying to give my home PC secure access to my router's SDM, but my ISP changes my IP address every few days. I have DDNS service from no-ip.com, so I have a valid FQDN that never changes. Is this possible? I have a Cisco 2811 with IOS version 12.4(3g). Any help or advise will be appreciated.

    Agreed, you have to have some semblence of an IP address segment. In my part of the world we pay the extra $9.99 to get a static IP Address from a local ISP. When it comes to having reliable remote access to the network we have to administer and maintain, it's worth it.

  • Source IP Address Access Rule Not Working

    I'm trying to create and access rule that denies certain source IP addresses
    from making SMTP connections to my email server. I create the access rule
    and put it at the top of the list but the connections are still happening.
    It's a deny rule to block Port, Service: SMTP, Origin Server Port 25, TCP &
    UDP, Specified 'ip addresses', Destination 'any'. Granted I have my email
    NATed through a secondary IP address to the email server. Any ideas why this
    isn't working? Thanks.

    It's a GWIA.
    >>> On 11/22/2006 at 11:27 AM, in message
    <bw19h.1043$[email protected]>, Jim
    Michael<[email protected]> wrote:
    > Adrian van Ravesteyn wrote:
    >> OK, that makes sense. Is there a way I can limit access for certain ip
    >> addresses on this NATed interface?
    >
    > Giving access to "all but a few" is a problem, but limiting access to
    > "all but a few" is relatively easy (you just create the exceptions you
    > need, with the allowed source IPs). You're better off blocking specific
    > IPs at your SMTP server. Is your mail server a GroupWise GWIA, or
    > something else?

  • Internal error: Unable to find the access rule.

    I have a Cisco ASA 5550 and using ASDM 6.2.
    Opening the ASDM, in Firewall Dashboard, in Top 10 Access Rules, show the second rule with more hit: "interface X | source: any | Dest: any | Service: ip | Action: Permit.
    During the day, the hits increase and decrease.
    Well, the problem: That rule there isn't.
    When I click with the right mouse button and click on show rule, a message is displayed:
    "Internal error: Unable to find the access rule."
    I can't find the rule in Configuration Mode and in Console Mode.
    Well, the rule there isn't.
    What can I do for this rule disappears from the Top 10 Dashboard?

    I suggest opening a case with Cisco TAC.  This could be an issue with the device itself.
    Please remember to select a correct answer and rate helpful posts

Maybe you are looking for

  • How do i edit my billing info if my credit card associated with apple id expired and i have a duty to app store from the time when i had the old credit card?

    how do i edit my billing info if my credit card associated with apple id expired and i have a duty to app store from the time when i had the old credit card? so the thing is a few days ago i made an app store purchase and i didn't know i was running

  • Error in MSSQL Code unable to figure out error

    I have a program, that updates a table, it inserts the following: strSQL = "INSERT INTO test-vm_info(info, DateTime) VALUES ('Program Started','1/10/2015 9:29:50 PM')" it fails with error:  Incorrect syntax near '-'. I created the database with the -

  • Query is returning data very slowly

    Hi, Please advise for the solution. Thanks in advance. The problem is that the queries returning data very very slow. Let me explain further, There is one major table that is storing master data (Main Transaction) and its detail data (Child Records)

  • Flash/XML doesn't update on Website?

    Please help! I'm working on a school website and have a 'Stop Press' panel on the home page which is used for breaking news e.g. School Closed Due to Snow.... The home.htm file contains a flash insert to do the animation which in-turn is supplied wit

  • Security update 2008-002 wont install

    how does one delete the package so i can try downloading it again? when i run software update, and select reboot, it tries to run the installer script and it complains about the security certificate, and tells me to contact the software publisher and