SA 540 Firewall
Hi all,
I am having trouble configuring the firewall for the SA 540.
client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and vice versa. The output from the logs is as follows:
Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
Component: KERNEL
I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and the firewall treats the traffic differently.
I assumed that creating an all-encompassing rule to allow all traffic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode?
Also there is no security set on the 887 W or the switch.
Any help would be appreciated.
Regards
Marc
On closer analysis and with some help from Experts Exchange it did seem nonsensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1 - changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preference when forwarding the packets.
Now the SA540 firewall rules work as I would expect and I can route between all zones. To summarise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the inability to configure any workaround in the interface of the SA540 firewall rules.
It really makes you appreciate the power of the command line and the full scope of Cisco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
Regards
Marc
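The drop records quoted in the thread above all carry IN=WAN and OUT=WAN, which the follow-up ties to routing and double NAT rather than to a missing allow rule. The following Python script is an added example (not part of the original posts and not Cisco code) that parses lines in this format and separates drops whose ingress and egress zones are identical from ordinary rule drops. The labels `same-zone` and `policy` and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# First three records are the log lines quoted in the post; the final
# record is CONSTRUCTED so that the ordinary "policy" branch is exercised.
SAMPLE_LOG = """\
Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
Component: KERNEL
Fri Jan 7 13:44:00 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=LAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=TCP SPT=40000 DPT=22
Component: KERNEL
"""

# Matches the action tag and captures the KEY=VALUE tail of a packet record.
LINE_RE = re.compile(r"LOG_PACKET\[(?P<action>[A-Z]+)\]\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of fields for a LOG_PACKET record, or None for any
    other line (for example the 'Component: KERNEL' trailer)."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    record = dict(FIELD_RE.findall(match.group("fields")))
    record["ACTION"] = match.group("action")
    return record


def describe(record):
    """Short description of the dropped traffic, by protocol."""
    proto = record.get("PROTO", "?")
    if proto == "ICMP":
        return f"ICMP type {record.get('TYPE')} code {record.get('CODE')}"
    if proto in ("TCP", "UDP"):
        return f"{proto} dport {record.get('DPT')}"
    return proto


def classify(record):
    """Label a record.

    'same-zone': the packet was dropped with identical ingress and egress
    zones, i.e. the route lookup pointed back out of the interface it
    arrived on. In the thread this was resolved by changing the routing
    mode and adding a static route, not by editing rules.
    'policy': a drop between two different zones, where the rule set is
    the first place to look.
    """
    if record["ACTION"] != "DROP":
        return "not-a-drop"
    if record.get("IN") and record.get("IN") == record.get("OUT"):
        return "same-zone"
    return "policy"


def summarize(text):
    """Count records grouped by (label, IN, OUT, SRC, DST, description)."""
    counts = Counter()
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        key = (
            classify(record),
            record.get("IN"),
            record.get("OUT"),
            record.get("SRC"),
            record.get("DST"),
            describe(record),
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        label, zone_in, zone_out, src, dst, what = key
        print(f"{count:3d}  {label:<9}  {zone_in}->{zone_out}  {src} -> {dst}  {what}")
```

A high share of `same-zone` drops for a destination that should sit on the LAN points at the routing table or NAT mode first, before any change to the firewall rules.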
Similar Messages
-
SA 540 INBOUND FIREWALL RULES NOT WORKING
Hi all,
I am having trouble configuring the firewall for the SA 540.
client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and vice versa. The output from the logs is as follows:
Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
Component: KERNEL
Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
Component: KERNEL
Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and the firewall treats the traffic differently.
I assumed that creating an all-encompassing rule to allow all traffic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no security set on the 887 W or the switch.
Also if anybody could explain what 'SELF' means in the context IN=SELF or OUT=SELF it would be much appreciated. Firmware is latest.
Thank you.
Regards
Marc
On closer analysis and with some help from Experts Exchange it did seem nonsensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1 - changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preference when forwarding the packets.
Now the SA540 firewall rules work as I would expect and I can route between all zones. To summarise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the inability to configure any workaround in the interface of the SA540 firewall rules.
It really makes you appreciate the power of the command line and the full scope of Cisco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
Regards
Marc
-
Hello,
I am trying to add this to my network to apply updates, but I cannot ping it
cable is plugged into
interface FastEthernet0/1/0
IP is set to 192.168.5.89, however, I cannot ping it
Any help would be appreciated
below is config
sh run
Building configuration...
Current configuration : 27488 bytes
! Last configuration change at 07:00:20 PST Tue Feb 11 2014 by cisco
! NVRAM config last updated at 06:58:27 PST Tue Feb 11 2014 by cisco
! NVRAM config last updated at 06:58:27 PST Tue Feb 11 2014 by cisco
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
service sequence-numbers
hostname UC540
boot-start-marker
boot-end-marker
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
aaa new-model
aaa authentication login default local
aaa session-id common
clock timezone PST -8 0
clock summer-time PST recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2376605861
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2376605861
revocation-check none
rsakeypair TP-self-signed-2376605861
crypto pki certificate chain TP-self-signed-2376605861
certificate self-signed 01
quit
dot11 syslog
dot11 ssid cisco-data
authentication open
dot11 ssid cisco-voice
vlan 100
authentication open
ip source-route
ip cef
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
no ipv6 cef
multilink bundle-name authenticated
stcapp ccm-group 1
stcapp
voice call send-alert
voice rtp send-recv
voice service voip
sip
no update-callerid
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice register global
mode cme
source-address 10.1.1.1 port 5060
load 9971 sip9971.9-2-2
load 9951 sip9951.9-2-2
load 8961 sip8961.9-2-2
voice translation-rule 1000
rule 1 /.*/ //
voice translation-profile nondialable
translate called 1000
voice-card 0
fax interface-type fax-mail
license udi pid UC540W-FXO-K9 sn FGL174721CZ
archive
log config
logging enable
logging size 600
hidekeys
username cisco privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
ip tftp source-interface Loopback0
bridge irb
interface Vlan1
ip address 192.168.5.89 255.255.255.0
ip access-group 101 in
bridge-group 1
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/0
description $FW_OUTSIDE$
no ip address
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface Integrated-Service-Engine0/0
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface FastEthernet0/1/0
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/1
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/2
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/3
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/4
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/5
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/6
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/7
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface FastEthernet0/1/8
switchport mode trunk
switchport voice vlan 100
no ip address
macro description cisco-switch
interface Dot11Radio0/5/0
no ip address
ssid cisco-data
ssid cisco-voice
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
antenna receive right
antenna transmit right
interface Dot11Radio0/5/0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0/5/0.100
encapsulation dot1Q 100
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 spanning-disabled
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
interface Vlan1
ip address 192.168.5.214 255.255.255.0
ip access-group 101 in
bridge-group 1
interface Vlan100
no ip address
bridge-group 100
bridge-group 100 spanning-disabled
interface BVI1
description $FW_INSIDE$
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
interface BVI100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
snmp-server community public RO
tftp-server flash:/phones/6901_6911/SCCP6911.9-1-1-0.loads alias SCCP6911.9-1-1-0.loads
tftp-server flash:/phones/6901_6911/SCCP6901.9-1-1-0.loads alias SCCP6901.9-1-1-0.loads
tftp-server flash:/phones/6901_6911/KNL6911SCCP.9-1-1-0.zz.sgn alias KNL6911SCCP.9-1-1-0.zz.sgn
tftp-server flash:/phones/6901_6911/KNL6901SCCP.9-1-1-0.zz.sgn alias KNL6901SCCP.9-1-1-0.zz.sgn
tftp-server flash:/phones/6901_6911/BFS6911SCCP.9-1-1-0.zz.sgn alias BFS6911SCCP.9-1-1-0.zz.sgn
tftp-server flash:/phones/6901_6911/APP6911SCCP.9-1-1-0.zz.sgn alias APP6911SCCP.9-1-1-0.zz.sgn
tftp-server flash:/phones/6901_6911/APP6901SCCP.9-1-1-0.zz.sgn alias APP6901SCCP.9-1-1-0.zz.sgn
tftp-server flash:/phones/69xx/SCCP69xx.9-1-1-2-sr.loads alias SCCP69xx.9-1-1-2-sr.loads
tftp-server flash:/phones/69xx/BOOT69xx.0-0-0-14.zz.sgn alias BOOT69xx.0-0-0-14.zz.sgn
tftp-server flash:/phones/69xx/DSP69xx.0-0-0-4.zz.sgn alias DSP69xx.0-0-0-4.zz.sgn
tftp-server flash:/phones/69xx/SCCP69xx.9-1-1-2-sr.zz.sgn alias SCCP69xx.9-1-1-2-sr.zz.sgn
tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
tftp-server flash:/phones/525/spa525g-7-4-9c.bin alias spa525g-7-4-9c.bin
tftp-server flash:/phones/50x-30x/spa50x-30x-7-4-9c.bin alias spa50x-30x-7-4-9c.bin
tftp-server flash:/phones/7906_7911/apps11.9-2-1TH1-13.sbn alias apps11.9-2-1TH1-13.sbn
tftp-server flash:/phones/7906_7911/cnu11.9-2-1TH1-13.sbn alias cnu11.9-2-1TH1-13.sbn
tftp-server flash:/phones/7906_7911/cvm11sccp.9-2-1TH1-13.sbn alias cvm11sccp.9-2-1TH1-13.sbn
tftp-server flash:/phones/7906_7911/dsp11.9-2-1TH1-13.sbn alias dsp11.9-2-1TH1-13.sbn
tftp-server flash:/phones/7906_7911/jar11sccp.9-2-1TH1-13.sbn alias jar11sccp.9-2-1TH1-13.sbn
tftp-server flash:/phones/7906_7911/SCCP11.9-2-1S.loads alias SCCP11.9-2-1S.loads
tftp-server flash:/phones/7906_7911/term06.default.loads alias term06.default.loads
tftp-server flash:/phones/7906_7911/term11.default.loads alias term11.default.loads
tftp-server flash:/phones/7914/S00105000400.sbn alias S00105000400.sbn
tftp-server flash:/phones/7915/B015-1-0-4.SBN alias B015-1-0-4.SBN
tftp-server flash:/phones/7916/B016-1-0-4.SBN alias B016-1-0-4.SBN
tftp-server flash:/phones/7921/APPS-1.4.1SR1.SBN alias APPS-1.4.1SR1.SBN
tftp-server flash:/phones/7921/CP7921G-1.4.1SR1.LOADS alias CP7921G-1.4.1SR1.LOADS
tftp-server flash:/phones/7921/GUI-1.4.1SR1.SBN alias GUI-1.4.1SR1.SBN
tftp-server flash:/phones/7921/TNUXR-1.4.1SR1.SBN alias TNUXR-1.4.1SR1.SBN
tftp-server flash:/phones/7921/SYS-1.4.1SR1.SBN alias SYS-1.4.1SR1.SBN
tftp-server flash:/phones/7921/TNUX-1.4.1SR1.SBN alias TNUX-1.4.1SR1.SBN
tftp-server flash:/phones/7921/WLAN-1.4.1SR1.SBN alias WLAN-1.4.1SR1.SBN
tftp-server flash:/phones/7925/APPSH-1.4.1SR1.SBN alias APPSH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/CP7925G-1.4.1SR1.LOADS alias CP7925G-1.4.1SR1.LOADS
tftp-server flash:/phones/7925/GUIH-1.4.1SR1.SBN alias GUIH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/JSYSH-1.4.1SR1.SBN alias JSYSH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/JUIH-1.4.1SR1.SBN alias JUIH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/SYSH-1.4.1SR1.SBN alias SYSH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/TNUXH-1.4.1SR1.SBN alias TNUXH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/TNUXRH-1.4.1SR1.SBN alias TNUXRH-1.4.1SR1.SBN
tftp-server flash:/phones/7925/WLANH-1.4.1SR1.SBN alias WLANH-1.4.1SR1.SBN
tftp-server flash:/phones/7931/apps31.9-1-1TH1-16.sbn alias apps31.9-1-1TH1-16.sbn
tftp-server flash:/phones/7931/cnu31.9-1-1TH1-16.sbn alias cnu31.9-1-1TH1-16.sbn
tftp-server flash:/phones/7931/cvm31sccp.9-1-1TH1-16.sbn alias cvm31sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7931/dsp31.9-1-1TH1-16.sbn alias dsp31.9-1-1TH1-16.sbn
tftp-server flash:/phones/7931/jar31sccp.9-1-1TH1-16.sbn alias jar31sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7931/SCCP31.9-1-1SR1S.loads alias SCCP31.9-1-1SR1S.loads
tftp-server flash:/phones/7931/term31.default.loads alias term31.default.loads
tftp-server flash:/phones/7936/cmterm_7936.3-3-21-0.bin alias cmterm_7936.3-3-21-0.bin
tftp-server flash:/phones/7937/apps37sccp.1-4-4-0.bin alias apps37sccp.1-4-4-0.bin
tftp-server flash:/phones/7940_7960/P00308010200.bin alias P00308010200.bin
tftp-server flash:/phones/7940_7960/P00308010200.loads alias P00308010200.loads
tftp-server flash:/phones/7940_7960/P00308010200.sb2 alias P00308010200.sb2
tftp-server flash:/phones/7940_7960/P00308010200.sbn alias P00308010200.sbn
tftp-server flash:/phones/7941_7961/apps41.9-1-1TH1-16.sbn alias apps41.9-1-1TH1-16.sbn
tftp-server flash:/phones/7941_7961/cnu41.9-1-1TH1-16.sbn alias cnu41.9-1-1TH1-16.sbn
tftp-server flash:/phones/7941_7961/cvm41sccp.9-1-1TH1-16.sbn alias cvm41sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7941_7961/dsp41.9-1-1TH1-16.sbn alias dsp41.9-1-1TH1-16.sbn
tftp-server flash:/phones/7941_7961/jar41sccp.9-1-1TH1-16.sbn alias jar41sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7941_7961/SCCP41.9-1-1SR1S.loads alias SCCP41.9-1-1SR1S.loads
tftp-server flash:/phones/7941_7961/term41.default.loads alias term41.default.loads
tftp-server flash:/phones/7941_7961/term61.default.loads alias term61.default.loads
tftp-server flash:/phones/7942_7962/apps42.9-1-1TH1-16.sbn alias apps42.9-1-1TH1-16.sbn
tftp-server flash:/phones/7942_7962/cnu42.9-1-1TH1-16.sbn alias cnu42.9-1-1TH1-16.sbn
tftp-server flash:/phones/7942_7962/cvm42sccp.9-1-1TH1-16.sbn alias cvm42sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7942_7962/dsp42.9-1-1TH1-16.sbn alias dsp42.9-1-1TH1-16.sbn
tftp-server flash:/phones/7942_7962/jar42sccp.9-1-1TH1-16.sbn alias jar42sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7942_7962/SCCP42.9-1-1SR1S.loads alias SCCP42.9-1-1SR1S.loads
tftp-server flash:/phones/7942_7962/term42.default.loads alias term42.default.loads
tftp-server flash:/phones/7942_7962/term62.default.loads alias term62.default.loads
tftp-server flash:/phones/7945_7965/apps45.9-1-1TH1-16.sbn alias apps45.9-1-1TH1-16.sbn
tftp-server flash:/phones/7945_7965/cnu45.9-1-1TH1-16.sbn alias cnu45.9-1-1TH1-16.sbn
tftp-server flash:/phones/7945_7965/cvm45sccp.9-1-1TH1-16.sbn alias cvm45sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7945_7965/dsp45.9-1-1TH1-16.sbn alias dsp45.9-1-1TH1-16.sbn
tftp-server flash:/phones/7945_7965/jar45sccp.9-1-1TH1-16.sbn alias jar45sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7945_7965/SCCP45.9-1-1SR1S.loads alias SCCP45.9-1-1SR1S.loads
tftp-server flash:/phones/7945_7965/term45.default.loads alias term45.default.loads
tftp-server flash:/phones/7945_7965/term65.default.loads alias term65.default.loads
tftp-server flash:/phones/7970_7971/apps70.9-1-1TH1-16.sbn alias apps70.9-1-1TH1-16.sbn
tftp-server flash:/phones/7970_7971/cnu70.9-1-1TH1-16.sbn alias cnu70.9-1-1TH1-16.sbn
tftp-server flash:/phones/7970_7971/cvm70sccp.9-1-1TH1-16.sbn alias cvm70sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7970_7971/dsp70.9-1-1TH1-16.sbn alias dsp70.9-1-1TH1-16.sbn
tftp-server flash:/phones/7970_7971/jar70sccp.9-1-1TH1-16.sbn alias jar70sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7970_7971/SCCP70.9-1-1SR1S.loads alias SCCP70.9-1-1SR1S.loads
tftp-server flash:/phones/7970_7971/term70.default.loads alias term70.default.loads
tftp-server flash:/phones/7970_7971/term71.default.loads alias term71.default.loads
tftp-server flash:/phones/7975/apps75.9-1-1TH1-16.sbn alias apps75.9-1-1TH1-16.sbn
tftp-server flash:/phones/7975/cnu75.9-1-1TH1-16.sbn alias cnu75.9-1-1TH1-16.sbn
tftp-server flash:/phones/7975/cvm75sccp.9-1-1TH1-16.sbn alias cvm75sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7975/dsp75.9-1-1TH1-16.sbn alias dsp75.9-1-1TH1-16.sbn
tftp-server flash:/phones/7975/jar75sccp.9-1-1TH1-16.sbn alias jar75sccp.9-1-1TH1-16.sbn
tftp-server flash:/phones/7975/SCCP75.9-1-1SR1S.loads alias SCCP75.9-1-1SR1S.loads
tftp-server flash:/phones/7975/term75.default.loads alias term75.default.loads
tftp-server flash:/phones/8961/dkern8961.100609R2-9-2-2.sebn alias dkern8961.100609R2-9-2-2.sebn
tftp-server flash:/phones/8961/kern8961.9-2-2.sebn alias kern8961.9-2-2.sebn
tftp-server flash:/phones/8961/rootfs8961.9-2-2.sebn alias rootfs8961.9-2-2.sebn
tftp-server flash:/phones/8961/sboot8961.031610R1-9-2-2.sebn alias sboot8961.031610R1-9-2-2.sebn
tftp-server flash:/phones/8961/sip8961.9-2-2.loads alias sip8961.9-2-2.loads
tftp-server flash:/phones/8961/skern8961.022809R2-9-2-2.sebn alias skern8961.022809R2-9-2-2.sebn
tftp-server flash:/phones/9951/dkern9951.100609R2-9-2-2.sebn alias dkern9951.100609R2-9-2-2.sebn
tftp-server flash:/phones/9951/kern9951.9-2-2.sebn alias kern9951.9-2-2.sebn
tftp-server flash:/phones/9951/rootfs9951.9-2-2.sebn alias rootfs9951.9-2-2.sebn
tftp-server flash:/phones/9951/sboot9951.031610R1-9-2-2.sebn alias sboot9951.031610R1-9-2-2.sebn
tftp-server flash:/phones/9951/sip9951.9-2-2.loads alias sip9951.9-2-2.loads
tftp-server flash:/phones/9951/skern9951.022809R2-9-2-2.sebn alias skern9951.022809R2-9-2-2.sebn
tftp-server flash:/phones/9971/dkern9971.100609R2-9-2-2.sebn alias dkern9971.100609R2-9-2-2.sebn
tftp-server flash:/phones/9971/kern9971.9-2-2.sebn alias kern9971.9-2-2.sebn
tftp-server flash:/phones/9971/rootfs9971.9-2-2.sebn alias rootfs9971.9-2-2.sebn
tftp-server flash:/phones/9971/sboot9971.031610R1-9-2-2.sebn alias sboot9971.031610R1-9-2-2.sebn
tftp-server flash:/phones/9971/sip9971.9-2-2.loads alias sip9971.9-2-2.loads
tftp-server flash:/phones/9971/skern9971.022809R2-9-2-2.sebn alias skern9971.022809R2-9-2-2.sebn
tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/ringtones/RingList.xml alias RingList.xml
tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:/ringtones/Bass.raw alias Bass.raw
tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
tftp-server flash:/ringtones/Chime.raw alias Chime.raw
tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
tftp-server flash:/ringtones/Pop.raw alias Pop.raw
tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
tftp-server flash:/Desktops/CampusNight.png
tftp-server flash:/Desktops/TN-CampusNight.png
tftp-server flash:/Desktops/CiscoFountain.png
tftp-server flash:/Desktops/TN-CiscoFountain.png
tftp-server flash:/Desktops/CiscoLogo.png
tftp-server flash:/Desktops/TN-CiscoLogo.png
tftp-server flash:/Desktops/Fountain.png
tftp-server flash:/Desktops/TN-Fountain.png
tftp-server flash:/Desktops/MorroRock.png
tftp-server flash:/Desktops/TN-MorroRock.png
tftp-server flash:/Desktops/NantucketFlowers.png
tftp-server flash:/Desktops/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
radius-server attribute 31 send nas-port-detail
control-plane
bridge 1 route ip
bridge 100 route ip
voice-port 0/0/0
timeouts ringing infinity
caller-id enable
voice-port 0/0/1
timeouts ringing infinity
caller-id enable
voice-port 0/0/2
timeouts ringing infinity
caller-id enable
voice-port 0/0/3
timeouts ringing infinity
caller-id enable
voice-port 0/1/0
connection plar 201
caller-id enable
voice-port 0/1/1
connection plar 202
caller-id enable
voice-port 0/1/2
connection plar 203
caller-id enable
voice-port 0/1/3
connection plar 204
caller-id enable
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1 version 3.1
sccp
sccp ccm group 1
associate ccm 1 priority 1
dial-peer voice 1 pots
service stcapp
port 0/0/0
dial-peer voice 2 pots
service stcapp
port 0/0/1
dial-peer voice 3 pots
service stcapp
port 0/0/2
dial-peer voice 4 pots
service stcapp
port 0/0/3
dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register
dial-peer voice 6 pots
description tcatch all dial peer for BRI/PRIv
translation-profile incoming nondialable
incoming called-number .%
direct-inward-dial
dial-peer voice 50 pots
destination-pattern 9T
port 0/1/0
no sip-register
dial-peer voice 51 pots
destination-pattern 9T
port 0/1/1
no sip-register
dial-peer voice 52 pots
destination-pattern 9T
port 0/1/2
no sip-register
dial-peer voice 53 pots
destination-pattern 9T
port 0/1/3
no sip-register
no dial-peer outbound status-check pots
telephony-service
video
fxo hook-flash
max-ephones 40
max-dn 300
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
service phone ehookenable 1
service dnis overlay
service dnis dir-lookup
service dss
timeouts interdigit 5
system message UC540
load 7914 S00105000400
load 7915-12 B015-1-0-4
load 7915-24 B015-1-0-4
load 7916-12 B016-1-0-4
load 7916-24 B016-1-0-4
load 7906 SCCP11.9-2-1S
load 7911 SCCP11.9-2-1S
load 7921 CP7921G-1.4.1SR1
load 7925 CP7925G-1.4.1SR1
load 7931 SCCP31.9-1-1SR1S
load 7936 cmterm_7936.3-3-21-0
load 7937 apps37sccp.1-4-4-0
load 7960-7940 P00308010200
load 7941 SCCP41.9-1-1SR1S
load 7941GE SCCP41.9-1-1SR1S
load 7942 SCCP42.9-1-1SR1S
load 7945 SCCP45.9-1-1SR1S
load 7961 SCCP41.9-1-1SR1S
load 7961GE SCCP41.9-1-1SR1S
load 7962 SCCP42.9-1-1SR1S
load 7965 SCCP45.9-1-1SR1S
load 7970 SCCP70.9-1-1SR1S
load 7971 SCCP70.9-1-1SR1S
load 7975 SCCP75.9-1-1SR1S
load 521G-524G cp524g-8-1-17
load 525G spa525g-7-4-9c
load 501G spa50x-30x-7-4-9c
load 502G spa50x-30x-7-4-9c
load 504G spa50x-30x-7-4-9c
load 508G spa50x-30x-7-4-9c
load 509G spa50x-30x-7-4-9c
load 525G2 spa525g-7-4-9c
load 301 spa50x-30x-7-4-9c
load 303 spa50x-30x-7-4-9c
load 6921 SCCP69xx.9-1-1-2-sr
load 6941 SCCP69xx.9-1-1-2-sr
load 6961 SCCP69xx.9-1-1-2-sr
load 6901 SCCP6901.9-1-1-0
load 6911 SCCP6911.9-1-1-0
time-zone 5
keepalive 30 auxiliary 4
max-conferences 8 gain -6
call-forward pattern .T
call-forward system redirecting-expanded
moh flash:/media/music-on-hold.au
multicast moh 239.10.16.16 port 2000
web admin system name cisco secret 5 $1$ggNp$IbROiocdPgBNld7DZVYAC1
dn-webedit
time-webedit
transfer-system full-consult dss
transfer-pattern 9.T
transfer-pattern .T
secondary-dialtone 9
night-service day Sun 17:00 09:00
night-service day Mon 17:00 09:00
night-service day Tue 17:00 09:00
night-service day Wed 17:00 09:00
night-service day Thu 17:00 09:00
night-service day Fri 17:00 09:00
night-service day Sat 17:00 09:00
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 15
button-layout 7931 2
ephone-dn 9
number BCD no-reg primary
description MoH
moh out-call ABC
ephone 1
device-security-mode none
mac-address C600.FB6A.0001
max-calls-per-button 2
type anl
ephone 2
device-security-mode none
mac-address C600.FB6A.0002
max-calls-per-button 2
type anl
ephone 3
device-security-mode none
mac-address C600.FB6A.0003
max-calls-per-button 2
type anl
ephone 4
device-security-mode none
mac-address C600.FB6A.0000
max-calls-per-button 2
type anl
ephone 5
device-security-mode none
mac-address 001E.F7C4.64B2
type 7940
banner login ^CUC500 Base Config - Manufacturing 8.6.0 ^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
transport preferred none
transport input all
line vty 5 100
transport preferred none
transport input all
ntp master
end
Kevin,
here you go
I am plugged into fa0/1/0, a second or two after I plug in I lose the link light
We have another UC 540 on the same subnet, I am plugged into a POE trunked switch port on a cisco ESW-540-24p, the switch is not reporting any errors....
Thanks for any help
UC540#
UC540#show inventory
NAME: "UC540W-FXO-K9 Chassis", DESCR: "UC540W-FXO-K9 Chassis"
PID: UC540W-FXO-K9 , VID: V01, SN: FGL174721CZ
Interface IP-Address OK? Method Status Protocol
In0/0 10.1.10.2 YES unset up up
Vlan1 192.168.5.110 YES manual up down
NVI0 10.1.10.2 YES unset up up
BVI100 10.1.1.1 YES NVRAM up up
Loopback0 10.1.10.2 YES NVRAM up up -
SA 540 Configuration w/CradlePoint MBR1200
Currently, we have a business internet account (via AT&T) with a Netopia router bridged to a CradlePoint MBR1200 to provide for EVDO failover capability. We are looking to open the CradlePoint up totally (i.e., no NAT, DHCP, Firewall) etc.., and have it connect directly to the WAN port of our Cisco SA 540. The private IP of the MBR1200 is currently 192.168.1.1 (which we would like to leave at). Provided that the MBR1200 is serving basically as a switch from the Netopia/Internet, is it feasible to set the Cisco SA540's IP to 192.168.1.3, enable VPN, DHCP, NAT, etc...to provide for our LAN. If so, what should our gateway and dns be set to (currently both are set to 192.168.1.1). If there's a better solution (given the hardware that we have), please share your thoughts. Also, as we are running a Windows 2008 Server/AD, what would be the benefit of using RADIUS for VPN as opposed to just Active Directory combined with VPNSSL (local accounts). I'm in a bit of a pickle, as I cannot test (24/7 uptime required) prior to implementation...and even then, I have only a two hour window to accomplish this task. Any and all suggestions/hints/ideas are both welcome and appreciated.
Thanks, mtr
p.s., FWIW, I have a block of public IP addresses for use as needed...thanks again.
Hi Keith...
I just happened to be looking for some help setting up a "site to site" vpn from my 871w to my cradlepoint mbr1200 and came across your post. First off, I'm no authority by any means but I was curious as to how you have things configured.
Is your netopia in a bridge mode and passing traffic to your mbr1200? Also, how does your SA fit into the picture? Are you going to keep the netopia bridged, followed by connecting the WAN of the SA to the Netopia, followed by hanging the mbr1200 off one of the SA's LAN ports?
Just curious...
Jay -
Use an SRP 520 or 540 series to limit download.
Hello there,
I have an SRP 527 and I wish to connect this to my shop as that this has the features where I can create a multiple WiFi SSIDs.
That has been created successfully and quite easily however what I wanted to do is to limit data download to my customers because free WiFi is not really free WiFi.
This would be like an Internet Cafe scenario where my customers come in and have their services attended to, while they are waiting, they can connect using the Free WiFi available basically for Facebook, twitter, e-mails or web browsing however I wish to avoid massive downloads that will be costly to me.
I also wish to upgrade to the SRP 540 series and I know the programming is quite different however the same for that?
Can anyone please help???
Kindest Regards
Hi Paul,
The SRP500 isn't able to control download volume on a per user basis. You can restrict access to specific websites or application if you wish using the Internet Access Control feature under Network Setup > Firewall. You can also use this feature to block any access to the Internet outside of your business hours if you wish.
The web interface for the SRP540 is practically identical to that of the SRP520. The SRP540 also includes a Guest WiFi feature that allows you to limit guest access with a password and allow them a set period of time to use the service.
Regards,
Andy -
SA 540 Can't get port forwarding to work.
Now that the DMZ port doesn't seem to work, I have placed our Web and CRM server on a VLAN. I have created a firewall forwarding rule -> WAN to LAN HTTP allow always and pointed it to the internal IP address.
When I type in our domain name in the browser I only get the Cisco remote management page, no forwarding to the web server.
What am I doing wrong?
I have tried to disable the remote management, but that still doesn't change anything. (btw, how do I change which port the RMON uses, it's grayed out in the setup page)
SA 540 firmware 1.0.39
No it does not work from outside my device, I just get to the RMON page, no forwarding to my Web server at all. I've taken all FW rules away and just have the WAN to LAN allow HTTP "ip address of server" but still nothing.
I got confirmation that the DMZ/Optional port does not work, I can't SSL from our Apple computers to our Network, and now it seems like we can't get our Web or e-mail servers working either if there is not port forwarding. On top of this, it now also seems like the SA 540 is blocking EDNS packets, slowing down our DNS server. Please tell me that there is something to be done, it can't be that Cisco have put a "Pro" device out where only 9 out of 10 ports work and that you can not host Web, email or CRM servers because there is no port forwarding, not to mention it only supports IE browsers for SSL.
I don't mean to sound cranky, but we have spent so much time trying to get this device to work, please help. (I wish I could give you some logs, but logging doesn't seem to work either) -
UC 540 Bandwidth Speed Trouble and MTU settings
I have a UC540 that is having a bandwidth problem. When a device is connected directly to the cable modem we see around 30Mbps. When the cable modem is plugged into the wan interface on the UC540 and then a computer is plugged into one of the lan switch ports we are seeing an average of 15Mbps. So it seems I am losing half of my internet speed through the UC 540. I have tried disabling the firewall and that on average only nets a 3Mbps gain. Cisco SMB support suggested adjusting the MTU setting lower but could not instruct me how to do so. I need help changing the MTU setting on the UC 540 and also would be open to suggestions as to what is causing me to lose 15Mbps of bandwidth speed through the UC 540.
IOS Version 15.0(1)XA2. The wan is a cablevision cable modem internet connection with a dynamic ip address. The internal lan is dhcp and has a voice and data vlan. Nothing fancy much beyond that.
-
SA 540 and DMZ Issue for Wireless Guest Access
I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?
Hi,
I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
To summarize, I have about 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.
Firmware 1.0.39
BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset. -
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
Pankaj
Hi Ramraj,
Even I have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
It's not showing up in sh ver . As Karsten said he might be running on old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if I am wrong.
Please do rate if the given information helps.
By
Karthik -
Firewall reverse routing issue:
Dear Friends,
I am using ASA 5505 with base license and ISP connected directly on the firewall. While L3 switch is connected through firewall also.
my configuration is :
ASA Version 7.2(4)
hostname CiscoFirewall03316
domain-name default.domain.invalid
enable password Ko5SCsPM2YQ1wt2G encrypted
passwd Ko5SCsPM2YQ1wt2G encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 112.23.24.25 255.255.255.248
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
interface Vlan50
no nameif
security-level 80
ip address 10.195.32.15 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 50
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 121.242.190.181
name-server 121.242.190.210
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list in_out extended permit ip any any
access-list out_in extended permit ip any any
access-list out_in extended permit ip any 112.23.24.25 255.255.255.248
access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0
access-list cisco_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in_out in interface inside
access-group out_in in interface outside
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.192.32.0 255.255.255.0 inside
http 112.23.24.0 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.192.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 112.23.24.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server none
vpn-tunnel-protocol l2tp-ipsec
group-policy cisco internal
group-policy cisco attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl_1
username test password tFqxsrS5ErBk4STW encrypted privilege 0
username test attributes
vpn-group-policy cisco
username admin password V5OS2TRb/vQZ7oZ9 encrypted
username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0
username ciscouser attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
address-pool ciscouser
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect im Google
parameters
match protocol msn-im yahoo-im
drop-connection log
service-policy global_policy global
prompt hostname context
Cryptochecksum:a883391680fa205ee31f05881761958c
: end
Everything is running fine on vlan 1 but vlan 10 is not running from user end. There is no ping from inside of 192.168.0.2
Please advise me.
Thanks
There are 2 conflicting configurations:
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"
How do you want to connect VLAN 10? Is it on its own interface on the firewall? If it is, then you would need to configure a name for it, via the nameif command, and remove the above route inside.
If it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:
route inside 192.168.0.0 255.255.240.0 10.192.32.x
--> 10.192.32.x needs to be the next hop which is your L3 switch vlan 1 interface ip
and you would also need to shutdown interface vlan 10 on the ASA and remove the IP Address. -
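The conflict described in the reply above can be checked mechanically. The Python sketch below is an added example, not code from the thread: it reads the `interface` and `route` lines quoted from the posted configuration and reports a static route whose next hop is not on the named interface's subnet, or whose destination overlaps a subnet connected to another interface. The next hop 10.192.32.1 in the corrected variant is a constructed stand-in for the 10.192.32.x the reply leaves open.

```python
import ipaddress
import re

# Interface and route lines as posted in the thread (ASA 7.2(4) config).
POSTED_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 112.23.24.25 255.255.255.248
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
"""

# Constructed variant following the reply's second option: Vlan10 shut down
# without an address, subnet routed via inside. 10.192.32.1 is hypothetical.
FIXED_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan10
shutdown
no nameif
no ip address
route inside 192.168.0.0 255.255.240.0 10.192.32.1 1
"""


def parse(config):
    """Return (interfaces, routes) from flat or indented ASA config text."""
    interfaces, routes, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = {"name": m.group(1), "nameif": None, "addr": None}
            interfaces.append(current)
            continue
        m = re.match(r"nameif (\S+)$", line)  # "no nameif" does not match
        if m and current:
            current["nameif"] = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and current:
            try:
                current["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:
                pass  # e.g. "ip address dhcp setroute"
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            try:
                dest = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                gateway = ipaddress.ip_address(m.group(4))
            except ValueError:
                continue
            routes.append({"ifname": m.group(1), "dest": dest,
                           "gateway": gateway, "text": line})
    return interfaces, routes


def check_routes(config):
    """List static routes that conflict with the interface addressing."""
    interfaces, routes = parse(config)
    by_nameif = {i["nameif"]: i for i in interfaces if i["nameif"]}
    findings = []
    for r in routes:
        egress = by_nameif.get(r["ifname"])
        if egress is None or egress["addr"] is None:
            findings.append(f"{r['text']}: no addressed interface named {r['ifname']!r}")
            continue
        # The next hop has to be reachable on the interface the route names.
        if r["gateway"] not in egress["addr"].network:
            findings.append(f"{r['text']}: next hop {r['gateway']} is not in "
                            f"{egress['addr'].network} ({r['ifname']})")
        if r["dest"].prefixlen == 0:
            continue  # a default route overlaps everything by design
        # A subnet cannot be both directly connected and routed elsewhere.
        for i in interfaces:
            if i is not egress and i["addr"] and i["addr"].network.overlaps(r["dest"]):
                findings.append(f"{r['text']}: destination overlaps "
                                f"{i['addr'].network} connected on {i['name']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_routes(cfg) or "no conflicts")
```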
Why can't I ping any host/servers behind my Firewall Cisco 5505
Can anyone please help me to figure out what in my configuration of the Cisco asa 5505 is wrong or missing. I have multiple hosts behind my firewall these hosts run different websites on port 80. I am able to ping the server from one to another but I am not able to ping the servers from the internet. I am using static NAT. Is there a translation issue going on here? Please help me!
========
CISCOASACLOUD# show run
CISCOASACLOUD# show running-config
: Saved
ASA Version 9.0(1)
hostname CISCOASACLOUD
enable password ************* encrypted
passwd ************* encrypted
names
ip local pool VPN_IP_POOL 10.0.2.50-10.0.2.75 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 82.94.XX.XX 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.109.104.104
name-server 194.109.9.99
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_24
subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_25
subnet 10.0.2.0 255.255.255.128
object network SERVER2003_HTTP
host 10.0.2.104
object network SERVER2003_HTTPS
host 10.0.2.104
object network SERVER2004_HTTP
host 10.0.2.105
object network SERVER2004_HTTPS
host 10.0.2.105
object network SERVER2002_HTTP
host 10.0.2.103
object network SERVER2002_HTTPS
host 10.0.2.103
object network SERVER2002_NAGIOS
host 10.0.2.103
object network SERVER2003_NAGIOS
host 10.0.2.104
object network SERVER2002_NAGIOS_NSCP
host 10.0.2.103
object network SERVER2003_NAGIOS_NSCP
host 10.0.2.104
object network SERVER2004_NAGIOS
host 10.0.2.105
object network SERVER3001_NAGIOS
host 10.0.2.202
object network SERVER2001_NAGIOS
host 10.0.2.102
object network SERVER3001_HTTP
host 10.0.2.202
object network SERVER3001_HTTPS
host 10.0.2.202
object network SERVER2004_FTP
host 10.0.2.105
object network SERVER2004_FTP_TCP
host 10.0.2.105
object network SERVER2004_FTP_SSL
host 10.0.2.105
object network SERVER2005_HTTP
host 10.0.2.106
object network SERVER2005_HTTPS
host 10.0.2.106
object network SERVER3001_ICMP
host 10.0.2.201
access-list Default_Tunnel_Group_Name_VPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.102 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp-data
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 990
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.2.0_24 NETWORK_OBJ_10.0.2.0_24 destination static NETWORK_OBJ_10.0.2.0_25 NETWORK_OBJ_10.0.2.0_25 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER2003_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2003_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2004_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2002_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2003_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2004_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2001_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER3001_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_FTP
nat (inside,outside) static 82.94.XXX.XXX service tcp ftp ftp
object network SERVER2004_FTP_TCP
nat (inside,outside) static 82.94.XXX.XXX service tcp ftp-data ftp-data
object network SERVER2004_FTP_SSL
nat (inside,outside) static 82.94.XXX.XXX service tcp 990 990
object network SERVER2005_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2005_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
access-group inside_access_in in interface inside
access-group OutsideToInside in interface outside
route outside 0.0.0.0 0.0.0.0 82.94.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.2.0 255.255.255.0 inside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 213.132.202.192 source outside
ntp server 72.251.252.11 source outside
ntp server 131.211.8.244 source outside
group-policy Default_Tunnel_Group_Name_VPN internal
group-policy Default_Tunnel_Group_Name_VPN attributes
dns-server value 194.109.104.104 194.109.9.99
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Default_Tunnel_Group_Name_VPN_splitTunnelAcl
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 15
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN type remote-access
tunnel-group Default_Tunnel_Group_Name_VPN general-attributes
address-pool VPN_IP_POOL
default-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp error
inspect ftp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:655f9d00d6ed1c593506cbf9a876cd49
: end
CISCOASACLOUD#
Hi Ron,
I have found the solution!
Indeed I had to extend my access-list on my outside interface!!!
I have succeeded using ASDM.
First I created a NEW network object for each of my servers. When you create a new object you will be asked for the internal IP address and "this is where the magic happens" you have to set the NAT IP address (the external address) !!!
Secondly I extended my access-list on my outside interface by defining every server and the required service (echo, echo-reply) in the "Public server list". When I performed these 2 steps I was able to ping the server from the internet.
My access-list looks the following now:
access-list OutsideToInside extended permit icmp any4 object SERVER2003 object-group DM_INLINE_ICMP_2
access-list OutsideToInside extended permit icmp any4 object SERVER2002 object-group DM_INLINE_ICMP_1
access-list OutsideToInside extended permit icmp any4 object SERVER2004 object-group DM_INLINE_ICMP_0
object network SERVER2004
nat (inside,outside) static 82.94.xxx.xxx
object network SERVER2002
nat (inside,outside) static 82.94.xxx.xxx
object network SERVER2003
nat (inside,outside) static 82.94.xxx.xxx -
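Why the ping failed at the access-list step, as an added Python example that is not part of the thread: a first-match evaluator run over three `OutsideToInside` lines from the posted configuration, which permit only TCP, so an ICMP echo falls through to the implicit deny. The `permit icmp ... echo` line and the source address 198.51.100.7 are constructed, because the object and object-group definitions behind the poster's final ACL are not shown; the NAT half of the fix is not modelled.

```python
import ipaddress

# Named ports used by the ACL lines below.
SERVICE_PORTS = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20}

# Lines copied from the posted ASA 9.0(1) configuration.
ACL_BEFORE = """\
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq 12489
"""

# Constructed line standing in for the poster's object-based ICMP entries.
ACL_AFTER = ACL_BEFORE + (
    "access-list OutsideToInside extended permit icmp any host 10.0.2.104 echo\n"
)


def _take_addr(tokens):
    """Consume one address spec: any | any4 | host A | A MASK."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_acl(text, name):
    """Parse extended ACL entries of the given name, in configuration order."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        t = t[3:]
        rule = {"action": t.pop(0), "proto": t.pop(0), "line": line.strip(),
                "port": None, "icmp_type": None}
        rule["src"] = _take_addr(t)
        rule["dst"] = _take_addr(t)
        if t[:1] == ["eq"]:
            rule["port"] = SERVICE_PORTS.get(t[1]) or int(t[1])
        elif t and rule["proto"] == "icmp":
            rule["icmp_type"] = t[0]
        rules.append(rule)
    return rules


def evaluate(rules, proto, src, dst, port=None, icmp_type=None):
    """Return (action, matching line); the first matching entry wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        return r["action"], r["line"]
    # Every ACL ends with a deny that never appears in the configuration.
    return "deny", "implicit deny at end of ACL"


def ping_verdict(acl_text, dst):
    """Verdict for an inbound ICMP echo from a constructed outside host."""
    rules = parse_acl(acl_text, "OutsideToInside")
    return evaluate(rules, "icmp", "198.51.100.7", dst, icmp_type="echo")


if __name__ == "__main__":
    print("before:", ping_verdict(ACL_BEFORE, "10.0.2.104"))
    print("after: ", ping_verdict(ACL_AFTER, "10.0.2.104"))
```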
I can't access my itunes store, it says I don't have an internet connection but I do. I tried updating to the newest version of itunes, turned off my firewall, checked to make sure itunes was allowed in my internet options. what else can I do?
Hello bigblue8
Check out the following articles for troubleshooting access to the iTunes Store. The first one will probably get you started enough to get it taken care of. If it does not, the follow-up article should definitely solve it for you.
Can't connect to the iTunes Store
http://support.apple.com/kb/ts1368
iTunes: Advanced iTunes Store troubleshooting
http://support.apple.com/kb/ts3297
Thanks for using Apple Support Communities.
Regards,
-Norm G.
-
How do I change my firewall settings to allow Spotify?
I get a message pop up that says.... A firewall may be blocking Spotify. Please update your firewall to allow Spotify (error 101)
Please help, I am so terrible with anything other than the basics.
I found my firewall settings but I could only figure out how to turn them on and off. This did not help.
I need it explained to me in the simplest of ways.
Thank you
Please read this whole message before doing anything.
I've tested these instructions only with the Safari web browser. If you use another browser, they may not work as described.
This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.
These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.
Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.
Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.
Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.
Launch the Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.
Step 1
Triple-click the line of text below on this page to select it:
kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). A TextEdit window will open with the output of the command. If the command produced no output, the window will be empty. Post the contents of the TextEdit window (not the Terminal window), if any — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.
Step 2
Repeat with this line:
{ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; echo; sudo defaults read com.apple.loginwindow LoginHook; echo; sudo crontab -l; } 2> /dev/null | open -ef
This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.
Step 3
{ launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)/{print $3}'; echo; crontab -l 2> /dev/null; } | open -ef
Step 4
ls -A /e*/{cr,la,mach}* {,/}Lib*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts .la* 2> /dev/null | open -ef
Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.
Step 5
osascript -e 'tell application "System Events" to get name of login items' | open -ef
Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.
You can then quit Terminal.
-
Can we do a Secure FTP for an XML file from ABAP when firewall is enabled?
Hi all,
I have a requirement to send an XML file to an External FTP Server which is out of our corporate network and our firewall is enabled.
I have to send an XML file with Purchase Order details. I completed that with the help of this blog https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/2657.
Now I need to FTP the XML file that is generated. How should I be doing this? Can someone help me with this?
I need to do a Secure FTP to the external non-SAP server which is out of our corporate network and our firewall is enabled. Can someone tell me if SFTP is possible in ABAP?
This is not a web service. I am working on dropping an XML file on an external FTP server… I have searched the forums but am still confused about whether Secure FTP is possible in ABAP or not when our company firewall is enabled…
If someone has encountered this situation earlier, please help. Any help will be highly appreciated.
Regards,
Jessica Sam
Thanks a lot for your valuable suggestions, Rich…
I agree with you, Rich, that web services would be a better option. But I need to send this file to an external third party and they don't have web services.
They are telling us that we can send them either an XML file or a CSV file in the format that they want. We decided to go with the XML file format.
I am done with formatting the Purchase Order details in the format that they want. Now the challenge is that I need to send this file to them by FTP, and it should be a Secure FTP when our firewall is enabled.
When you say
1) Run an ABAP program to generate the XML file and put it on the local PC
2) Log into the FTP site via some FTP client, could simply be windows as well.
3) Manually cut/paste the file from the PC to the FTP site.
For Step 1 running ABAP Program can I schedule a batch job?
For Step 2 and Step 3, can I automate it in any other way, if not in ABAP?
Can I advise my company to follow any alternate method in which they can automate step 2 and step 3… if not in ABAP, is it possible in any other way? As the third party does not have web services, I now have no other alternative.
Please help…
Regards,
Jessica Sam
-
Lenovo W-540 Review
Note: This review was originally written for the W-540 sales page, but it was way too long to be accepted. I am posting it here, hoping it will provide something of a guide for those interested in this computer. The intention is to post a short review on the sales page, with instructions for navigating to this complete version.
dlane_W540
INTRODUCTION
I’ve been using my W-540 for about five weeks now, so I think I have enough experience with it to make some comments. I decided on a W-series when the W-530 was current. I was happily using a T410i (my 4th Lenovo laptop) until increasingly heavy Photoshop work slowed it down to the point that I was falling asleep watching it crank away. The W-540 replaced the W-530 in the Lenovo line-up as I was considering what to do, so I started watching for reviews. At that time there were only 5 of them on the web site—most seemed to be from power users who had issues with…well...anything that was different from their favorite older model. I was surprised to see such inflexibility among professionals when it came to new stuff. On the other hand, it is not hard to understand resistance to having to deal with a new thought process in order to accomplish the same tasks that were coming automatically before.
While I am not a programmer or cad cam user, I spend much of each day in front of a computer keyboard. So, instead of pretending to be an expert, I will try to speak for those who just need a fast, configurable computer with a top-flight screen, and who are willing to deal with a learning curve to get used to it. This, then, will look at my experience with the computer in light of comments I read on the web—a review of reviews, so to speak. Later on, I’d also like to offer some advice for configuring the unit.
For reference, my W-540 has the i7-4800MQ chip, the K2100 video card, and the IPS high res screen (with the color sensor). It also has an SSD main drive, and a 500GB hard drive in the Ultrabay. I’m running Windows 7, with 16GB of memory.
THE CASE
It is clear that the current line of Lenovo laptops have as design goals light weight and compact dimensions relative to their screen sizes. They went with a “carbon fiber reinforced plastic” material, so I’m not surprised that it is thin and a bit more bendy in spots than the older units. This 15-inch computer (with a number pad) weighs only 4 oz. more than my 14-inch T410i. The guts of both are mounted to a magnesium structure frame. The lighter weight is welcome, and after a few weeks of traveling with the computer I am confident that it is a sturdy and robust design. The case surfaces at first feel a bit odd to the touch, and look to be thin, but the workmanship is excellent. The whole idea with carbon fiber is to add strength without needing thickness and weight, so what first concerned me is now a source of pleasure.
THE KEYBOARD
There are some gripes about the keyboard out there. Some can’t accommodate the reality that to include a number pad, the qwerty part has to be offset to the left. Just align your fingers to the ridges on the F and J keys, or to the eraser head, or to the ridge on the down arrow. In writing this review, I’ve gone from finding the off-set position to be slightly irritating, to not noticing it at all.
Key spacing and feel seem fine to me. I work with at least two different keyboards during an average day, so again, it’s just something you get used to. The Delete, Backspace, Home, and End keys are in very different positions from the T410i, which is taking some learning on my part. It could well be that these are the new “standard” positions for these keys on 15” Lenovos.
I read a review that downgraded the machine because the keys were sticking. The reviewer also mentioned that the end panel did not fit well. The fix for the sticking keys is on the web—just re-setting the position of the keyboard bezel. I have a hunch it got knocked out of place during shipping—probably the same event that knocked the end panel out of whack. No problem with mine.
NIGHT LIGHT
Older ThinkPads had a nice night-light mounted next to the camera on the lid. In contrast, the keys on the W-540 are lit from below. Either style serves the purpose, although I happen to like the lid-mounted light better, since it would also light the touch pad, and my fingers. That said, the characters “printed” on the surface of the keys now have to actually go all the way through the surface (and be translucent) to allow the light to come through from the underneath. Thus, I would imagine the key’s characters will never wear out.
FUNCTION KEYS
I read some complaints about the row of function keys. A one-finger click now activates the icons on the keys (brightness, volume, Wi-Fi, etc.) You must press the Fn key to access the traditional F1 to F12 functions. It’s backwards to what I’m used to. The Fn key can be locked, though, giving you the standard one-touch access to F1-F12. A light shows on the key when locked, and the lock holds through a re-boot. So, if your software relies heavily on function keys, the computer can respond traditionally. On the other hand, there are some neat things available on the function keys. You have one click access to Control Panel, to the “computer” screen, to your list of active programs, and to the windows “search” function. For general use I leave the computer as is, with the icons on the function keys active. I use function keys frequently in Photoshop, so I lock the Fn key down when I boot that program.
HARD DRIVE ACTIVITY LIGHT
There is much hand-wringing about the lack of a light telling when the hard drive is spinning. When I read about it I was sure it would be a major irritation, but I’ve only noticed it once since working with the machine. It seems almost everything has some sort of “wait” graphic these days—a spinning circle, or something. Besides, this thing has an SSD for a main drive. It is very fast to accomplish things, so the value of a light to indicate that the computer is working (when nothing else is changing on screen) is questionable.
NUMLOCK AND CAPSLOCK
NumLock and CapsLock have icons that appear (and hold) on screen when those keys are activated. I suppose if you use software that is active in the bottom right-hand corner of the screen, AND requires a lot of numeric entry there (or full caps text) it could be an issue. Someone in a review mentioned the icon covers part of the scroll bar in a particular app, but it is not one I use. Besides, if you use the touch pad as intended, you will never have to navigate to a scroll bar. Hard to figure why they didn’t just add little lights to the keys, though.
THE TOUCH PAD – OH MY!
Of all the features on the W-540 the touch pad has generated the most controversy, so I’d like to spend some time discussing it. There are five “button functions” now integrated into a single touch pad. The top three are for the eraser head, and the bottom two are for the touch pad. Having to tilt a big touch pad, as opposed to pressing a much smaller button, certainly takes more energy. It feels more clunky and noisy than the old system, which seems to be irritating the Lenovo faithful who were hoping the W-540 would be essentially a W-530 with the latest processors, and a cutting edge feature set.
For those preferring the touch pad, there are no markings where the buttons used to be. Even worse for traditionalists, the lower left corner of the touch pad is active for moving the cursor, so when you hit that same spot to left-click, the cursor tends to move about a half inch on screen—enough to get you the wrong menu item. The expert reviewers appeared to assume this was some sort of defect which rendered the W-540 unacceptable. I think they are missing the point. The new machine offers more inputting options through the touch pad than the old ones, so it has potential of being faster to work with—but only if the user is willing to learn a couple of new tricks, and to tailor the software to support them.
The larger touch pad has a nice feel to it, and a huge variety of adjustments in the “mouse” menu. You can left and right click in silence with one and two-finger taps on the touch pad. You can enlarge the screen image (or the reverse) with pinching motions as you would on a cell phone. You can also scroll with a slow, two-fingered swipe. Finally, a double tap anchors the cursor for dragging. So, in use, there is no need for traditional touch pad left or right buttons, and, with silent taps, you can work unobtrusively. All of this works nicely with software like Photoshop. However, as delivered (and depending on the size and shape of your hands) word processing can be a problem.
I have read comments about the cursor jumping around. It happens when typing as your hands rub over the touch pad. This was not a problem with previous models. The touch pad on those was an inch narrower, so even larger hands missed it. It may take some experimenting to get rid of it, but you have plenty of tools to work with. There is a software adjustment to make the touchpad insensitive to something larger than a finger. Another adjustment varies the touch pad’s sensitivity to finger pressure. Still further adjustments allow you to desensitize the areas of the touch pad your hands are likely to activate—giving the same effect as a smaller touch pad. My large hands tend to hover across the top corners of the touch pad, so I’ve desensitized those areas with good results. Be sure you are using the latest driver.
Of course, all of this goes away with an external mouse plugged in, so there is a work-around as you figure out what’s best for you. Having one-touch access to the Control Panel (via the Fn keys) makes it easy to jump to the Mouse settings as you experiment. Having adapted to the new surface of the touch pad, I enjoy using it.
THE OPTIONAL HIGH RESOLUTION SCREEN
I read that a high-res screen would create problems with icons appearing small, and with some software being difficult to scale. In spite of assurances to the contrary by Lenovo sales reps, there have been issues. If you want to feel secure, search the web for compatibility issues between your favorite software and high-resolution screens. Photoshop CS5 editing tools were too small to use with the screen set on full resolution. Quicken was also not happy. On the other hand most any web content, and Office 2013 programs (at least Word and Excel) readily scale up and down to fill the screen. Backing the resolution down to 1920 x 1080 brought the two errant programs back into range.
So, the obvious question is: Why bother with the high res screen? The standard screen is 1920 x 1080. The answer is that this is an IPS type screen—the same technology used in preferred stand-alone monitors. The blacks are really black, and you can view images from most any angle with reasonable fidelity. So, this is a beautiful screen, even when not taking advantage of its full resolution. Photos look wonderful, so I’m very comfortable at the lower resolution setting. Besides, from the Windows Desktop, a two-fingered click on the pad brings up a submenu that gets you directly to the “screen resolution” function. You can switch it around in a few seconds if necessary, although your desktop icons may shift to accommodate. One other thing: The screen surface is not a glossy finish, but neither is it as “matte” as other Lenovo screens. I mention this because there is conflicting information out there. Finally, I have a hunch that “standard” screens will become more high-resolution as time goes on, and the software developers will find ways to take advantage of it. Thus, the high-res screen is something of a hedge toward keeping the W-540 current for a longer period of time.
For what it’s worth, I have not used the standard screen, so I cannot comment on it, other than to say that other reviewers seem to like it.
COLOR CALIBRATION
The screen calibration device (Color Sensor) is well worth it for those who want to be sure their photographic prints match what the screen is showing. It is far easier to use than external devices. Calibration needs to be done regularly (especially with a new monitor). You can set your preferred interval (days or months) in the software. The software pops up at the specified time, you close the top and listen to it softly chirp for a little over a minute, and it’s done.
ODDS AND ENDS
This computer has no latch. I’ve carried it around a bit, and welcome the ease of opening. I don’t see a downside.
The power supply transformer on the power cord is huge relative to my older Lenovos, but about the same size as a friend’s earlier W-series. Lenovo shows no DC adapter for this computer. I suppose you could use a DC-AC inverter if you need to use the computer in a DC environment, but I asked the question on the Lenovo web site and did not get a useful answer.
I am not qualified to evaluate the microphones, camera, or speakers, other than to say that the built-in audio set-up seems quiet and robust compared to the T410i. There are lots of adjustments in the Dolby Home Theater software. Speaker output comes from slots on the front/bottom surface of the case, so, in addition to the software options, the quality of the sound can be changed by moving the computer closer or farther from the edge of your desk or table.
The left-side USB ports (one type 2 and one type 3) are close enough together to create physical interference if both are used at the same time. There are two more on the right side—spread farther apart, so it’s not a big deal.
The audio output is a single jack meant for a headphone/mike combination. My T410i is also like that. I’ve come to recognize this as appropriate for a business-oriented computer. A regular set of headphones works fine, but I’d be cautious if you intend to use a plug-in, external microphone with the unit.
CONFIGURATION SUGGESTIONS
If you are in a hurry, take Lenovo’s advice and buy one of the more standard packages. You can easily find them on line at Lenovo retailers. Expect an unpredictable wait time if you go outside the norms. In my imagination, the Lenovo people in the U.S. had a bunch of parts which they assembled to order. As it turned out, my order was “sent to manufacturing,” where the unit was built to spec. There were a couple of revisions to the estimated delivery date, but finally I received notification that the unit had been shipped….from Shanghai, via Alaska. Exact delivery predictions at the time of ordering for this sort of thing must be difficult.
This is my first computer with a solid state drive (SSD). It boots from cold in about 30 seconds, and does a restart cycle in well under a minute (including log-in with the fingerprint reader). Fully waking up from sleep is only a few seconds. Back-ups are satisfyingly fast through the USB-3 ports. This sort of speed, along with the typical on-screen parade of graphics during the process is why a light to tell you the hard drive is spinning is of questionable value. But yes, I’d still like to have one—just because I’m used to it.
ULTRABAY IN NAME ONLY
The Ultrabay set-up on the W-540 (and T540p, for that matter) is different than earlier computers that feature a release latch on the bottom of the unit. Instead of a latch, Ultrabay components for the W-540 are secured to the computer with a tiny screw. The screw can only be accessed by removing the large hatch cover (two screws) underneath the computer. The carbon fiber reinforced plastic hatch cover is thin, and a bit finicky to work with. The sales staff at Lenovo thought there was an external catch, but there is not. They were misinformed, and I actually called to correct them once I had my computer. Thus, no matter what anyone tells you, you CANNOT buy a W-540 and think you will easily swap a DVD drive with, say, a second hard drive. It’s minor surgery, best done with a jeweler’s screwdriver and some fine needle nose pliers.
Be sure to read the User Guide to keep from breaking the hatch cover. When I ordered mine, they shipped the Ultrabay carrier and the hard drive from the US, so they arrived early. I had to install them myself and found manipulating the tiny screws and pulling the hatch cover to be a bit scary.
……Not exactly what you would call “convenient.”
CONCLUSION
When I first started looking into a photography-optimized computer, the question was whether to custom build a desktop, or to buy a top-line laptop. The W-series laptops offered the processing speed and graphics card that I needed, in a portable package. When the W-540 came out, it offered an IPS screen, which sealed the deal for me. Now that I’ve used it as intended—processed some photos with it, done some writing, watched a movie or two, and carried it around—I’m convinced that Lenovo’s compromises were good ones for my uses. They have done their job of providing a modern PC, with an eye toward conservative design, modern materials, and with a touch pad that reflects the direction software developers are going. I needed to do a little catching up, reprogramming my fingers to feel comfortable with the new keyboard set-up, and tailoring the touchpad software for my hands. It was a small price to pay to make the most of what the W-540 offers in speed, monitor accuracy, and portability.
And I no longer fall asleep waiting for Photoshop to complete a task.
Very good write-up. I've had my W540 for almost a week. My thoughts:
The Case: The screen feels a bit flimsy to me, I think that's due to small hinges mounted near the edges.
The Keyboard: I don't mind the offset keyboard, my current and previous Dells have had these, but they were 17.3" and 17" screens. I'm in engineering so I'd much rather have the extra numbers keypad than a centred keyboard. Although I don't like the CTRL and FN keys being the other way around.
Night light: Haven't really noticed not having one as I haven't had one in the past. My Dell has backlight keys.
Function keys: Don't particularly like this but once I found they could be locked on using the FN / Esc combo I just use this. It stays locked even if I reboot which is handy.
Hard drive activity light would be handy, as would numbers and caps lock. I've disabled the on-screen notification, that was just a pain. Sort of cr*p you would expect from Microsoft and all their silly tips, etc. that I disable as well.
Touchpad: I've commented elsewhere that this is the worst I've ever seen. Absolutely useless. I've disabled both the touchpad and touchstick (again, useless) and just use a mouse.
Screen: Dreadful! I've got the 1920 x 1080 LCD. The icon size is ok, I've got it set to the smallest I can. However the screen looks washed out at the bottom. Again, I've posted about this before.
Mine doesn't have an SSD and only has 4 GB of memory, so I find it very slow. This is not a workstation unless you go for all the bells and whistles, otherwise it's ok for MS Office and the internet but not for serious work. Forget programs such as AutoCAD and the like, too slow and the screen is too poor.
Anyway, that's my opinion, I'm sure others will love this unit and disagree with me.