Througput towards 5555x from 68k for Firewall contexts
If you were connecting a 5555x to a 6500, would you use a single port channel with 8 uplinks, or two 4 port etherchannels, with one representing the "out" and one representing the "in"
I intend to use ten or more contexts, and in the past have done this with a FWSM, which had a 6 gig etherchannel on the chassis backplane. I imagine that using one etherchannel would be similar to the FWSM approach.
Would there be any benefits in using 2 ether channels with a concept of in and out? If so why. Any design insight at the physical layer would be appreciated.
Or further to this - would you use 6 ports and keep 1 or 2 ports dedicated for the failover and state interfaces, rather than run these interfaces as sub-interfaces that traverse the switching infrastructure. - Update - have to use 6 links, not 8:
•If you use an EtherChannel interface for a failover or state link, then to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link. To alter the configuration, you need to either shut down the EtherChannel while you make changes, or temporarily disable failover; either action prevents failover from occurring for the duration.
•Although you can configure failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.
I have attached a small diagram to explain the physical / logical differences. (6 interfaces total - as this would be dedicated failover link scenario)
Hi Nick
The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays.
So leaving that aside personally I would use just one etherchannel between the firewall and the switch.
The issues with using two that I see are firstly unless your traffic patterns are 50/50 in terms of traffic going to and coming from the firewall you are not going to utilise the links evenly. For example an FTP request is small but the resulting download could be very large and a fair number of applications work like this.
Which would mean one etherchannel could be very heavily utilised, if not oversubscribed, while the other one could be just ticking along.
Secondly if you use two etherchannels a single port failure could have a much more pronounced effect on throughput especially if the etherchannel is the one being utilised more because of traffic direction.
You don't gain any extra redundancy from having two separate etherchannels so I personally can't see any advantages to it but that doesn't mean there aren't any so happy to discuss if you feel there are.
Obviously whichever you use spread the ports across modules for maximum redundancy.
I should say though that I have never done this where I needed that much throughput to a firewall other than using an FWSM which as you say does not have these concerns.
Edit - I assumed when you referred to in and out you were referring to traffic direction and it was not related to contexts. if I have misunderstood please clarify.
Jon
Similar Messages
-
STATIC IP issues from outside of firewall
Hi
I’m having one issue, we have static IP and we NAT the same to some local IP for our internal needs. Whenever we tried to reach the static IP from outside of firewall(some other network), it is working properly. But when we try to ping or use that static IP in internal LAN that is not working.
192.168.0.149 is internal LAN I have NAT to 202.xxx.xxx.xxx static IP with port 80.
Please help me on this.
here is the device running configuration
Result of the command: "show running-config"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.0.20-192.168.0.50 mask 255.255.255.0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.53.82.98 255.255.255.240
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group PW
name-server 202.53.64.202
name-server 202.53.72.13
name-server 192.168.0.16
name-server 192.168.0.8
same-security-traffic permit intra-interface
object network PW-LAN
subnet 192.168.0.0 255.255.255.0
object network USA
subnet 192.168.2.0 255.255.255.0
object network 202.53.82.110
host 202.53.82.110
object network PWHYD
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
host 192.168.0.151
object network 192.168.0.154
host 192.168.0.154
object network 192.168.0.156
host 192.168.0.156
object network 192.168.0.158
host 192.168.0.158
object network 192.168.0.159
host 192.168.0.159
object network 192.168.0.149
host 192.168.0.149
object network Rackspace
subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
host 192.168.0.147
object service http
service tcp source eq www destination eq www
object network 192.168.0.14
host 192.168.0.14
object network 192.168.0.14_iCA
host 192.168.0.14
object network 192.168.0.159_http
host 192.168.0.159
object network 192.168.0.159_50100
host 192.168.0.159
object network 202.53.82.101
host 202.53.82.101
object network 192.168.0.159_8001
host 192.168.0.159
object network 192.168.0.192
host 192.168.0.192
object network 192.168.0.159_any
host 192.168.0.159
object network clientpool
range 192.168.0.20 192.168.0.50
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.192_DEV
host 192.168.0.192
object-group network PW-All-Sites
network-object 192.168.0.0 255.255.255.0
network-object object PWHYD
network-object object USA
network-object object clientpool
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.2.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 10.176.0.0 255.240.0.0
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
nat (any,inside) source dynamic clientpool interface
object network 192.168.0.151
nat (any,any) static 202.53.82.102 service tcp 3200 3200
object network 192.168.0.154
nat (any,any) static 202.53.82.104 service tcp 3201 3201
object network 192.168.0.156
nat (any,any) static 202.53.82.107 service tcp 3201 3201
object network 192.168.0.158
nat (any,any) static 202.53.82.109 service tcp 3222 3222
object network 192.168.0.159
nat (any,any) static 202.53.82.101 service tcp 3201 3201
object network 192.168.0.149
nat (inside,outside) static 202.53.82.100 service tcp www www
object network 192.168.0.147_http
nat (any,any) static 202.53.82.110 service tcp www www
object network 192.168.0.14
nat (any,any) static 202.53.82.99 service tcp https https
object network 192.168.0.14_iCA
nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica
object network 192.168.0.159_50100
nat (any,any) static 202.53.82.101 service tcp 50100 50100
object network 192.168.0.159_8001
nat (any,any) static 202.53.82.101 service tcp 8001 8001
object network 192.168.0.192_DEV
nat (any,any) static 202.53.82.106 service tcp 3201 3201
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PW protocol radius
aaa-server PW (inside) host 192.168.0.16
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs
crypto map outsidemap 2 set peer 115.119.186.194
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn vpn.processweaver.com
subject-name CN=vpn.processweaver.com,OU=PWIT,O="ProcessWeaver,Inc",C=US,St=California,L=Fremont
keypair ciscovpn.key
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 47869fe5
3082046a 30820352 a0030201 02020447 869fe530 0d06092a 864886f7 0d010105
05003048 310b3009 06035504 06130255 53312030 1e060355 040a1317 53656375
72655472 75737420 436f7270 6f726174 696f6e31 17301506 03550403 130e5365
63757265 54727573 74204341 301e170d 30383132 32323233 34373339 5a170d32
38313232 32323334 3733395a 3081ae31 0b300906 03550406 13025553 3111300f
06035504 08130849 6c6c696e 6f697331 10300e06 03550407 13074368 69636167
6f312130 1f060355 040a1318 54727573 74776176 6520486f 6c64696e 67732c20
496e632e 31363034 06035504 03132d54 72757374 77617665 204f7267 616e697a
6174696f 6e205661 6c696461 74696f6e 2043412c 204c6576 656c2032 311f301d
06092a86 4886f70d 01090116 10636140 74727573 74776176 652e636f 6d308201
22300d06 092a8648 86f70d01 01010500 0382010f 00308201 0a028201 0100e814
eea0da97 bd89bd0c cc8ddf08 fb060983 a823515b 013f34da 1f1f6ec1 e35865cb
0af9f387 c8c8faa1 ccf574e2 b8ae2d06 8480286f 5ac1225c 929442cd 1902125c
10627ea2 44fb165e 9c72b1ac ea04e615 aa99e85a f858b987 24e875cd 2588e258
925e8683 7f8a2353 ae8ae8a3 217e83af 40091849 afe1d05a b04f6fe2 31adf4f1
371fc92a e18bd68c 1231d427 1adfea6b 9e7853ed 9a19b0ce 45445b1b ef645921
fac7b7d1 d30c1ecb 88dafd23 3ff4ac2b a04d61d3 becade19 616124f1 f69cb496
bd9deb17 9f243978 e92350d3 015077d8 52642f3e 194f75b9 17b1da8d e0d0eddb
3713dc2f e05f8068 d7f487ba c11f1278 d0082717 7a98a69f d221ba4e 87bf0203
010001a3 81f43081 f1300f06 03551d13 0101ff04 05300301 01ff301d 0603551d
0e041604 145dd996 9a40c727 cb2c9ba2 eccf19ab c8afcc86 48301f06 03551d23
04183016 80144232 b616fa04 fdfe5d4b 7ac3fdf7 4c401d5a 43af300b 0603551d
0f040403 02010630 34060355 1d1f042d 302b3029 a027a025 86236874 74703a2f
2f63726c 2e736563 75726574 72757374 2e636f6d 2f535443 412e6372 6c305b06
03551d20 04543052 300c060a 2b060104 0181ed18 03003042 060f2b06 01040181
ed180303 03030404 03302f30 2d06082b 06010505 07020116 21687474 703a2f2f
7777772e 73656375 72657472 7573742e 636f6d2f 6c656761 6c2f300d 06092a86
4886f70d 01010505 00038201 010053f1 c8a017ec 6c8882b1 c024afd1 0858b32c
6f7bc15c 89926f88 fc4bc002 50932f5a 419859b6 e37f8c14 63777d45 3c88505e
a6815200 c8c5fe48 ee1f5dad de440b42 589ce167 5c43b6a0 8598ff16 d41a28be
76e12fe1 84f47eb9 27aa77cb 36b3fec3 fad217f6 e1624ed3 ccccb319 65d34ba8
e8b3d54c eaf64eae cbae3448 1f60cc58 e7e774c9 0135fd6a e0588ad2 16ebece9
3ebbf01d cfb6ff1e 0cb7bb39 e9b7981b c05221eb 3a3d7838 8ca9195f 27a4d07f
3661ab24 7e9ff82d 3f922963 becb10db 0d403602 a0d417a2 8d7f7e7c 99af455a
40cda26b 5cbe0ef3 d387fca1 10caaa33 b7ba4bc0 3da4218c 179ccfd8 bfe657fe
cdebfa30 1ad5fee8 2597a9be 3bea
quit
certificate 0649f9a965553e7df2709c06c4da1b09e17cd9
30820510 308203f8 a0030201 02021306 49f9a965 553e7df2 709c06c4 da1b09e1
7cd9300d 06092a86 4886f70d 01010505 003081ae 310b3009 06035504 06130255
53311130 0f060355 04081308 496c6c69 6e6f6973 3110300e 06035504 07130743
68696361 676f3121 301f0603 55040a13 18547275 73747761 76652048 6f6c6469
6e67732c 20496e63 2e313630 34060355 0403132d 54727573 74776176 65204f72
67616e69 7a617469 6f6e2056 616c6964 6174696f 6e204341 2c204c65 76656c20
32311f30 1d06092a 864886f7 0d010901 16106361 40747275 73747761 76652e63
6f6d301e 170d3134 30363131 30353330 33355a17 0d313530 32323331 31333033
355a3070 311e301c 06035504 030c1576 706e2e70 726f6365 73737765 61766572
2e636f6d 31163014 06035504 0a0c0d50 726f6365 73735765 61766572 31143012
06035504 070c0b53 616e7461 20436c61 72613113 30110603 5504080c 0a43616c
69666f72 6e696131 0b300906 03550406 13025553 30820122 300d0609 2a864886
f70d0101 01050003 82010f00 3082010a 02820101 00cc194c fbdd63f5 0b49141a
9d21063f a13136df e524cef9 c55e9331 e6c5bc67 43361421 cafb7dc1 d244942e
6fd02ee7 198e7f7e 48ca62c2 1c8e1a8e 20431d42 b24103f1 5fad9287 9f9dc2da
5002e0b4 cf14b414 31e0e691 26cfbc0c 1ee09d6d 8176a63d 6ad81c30 b2b69dbe
59ce7092 44c09e62 27f20c58 8bd8e38a a3d75a94 94bbca6f 7ad87b93 3892ddb0
3f00a693 e05b5fe8 7a71d36c 223e1ded 8afb8ee4 1eea579c 53d964df 467694e9
b7ffe4f9 22c6dd5e 33d0ffee 9fd57fed 621c62f1 4dc6f14e 6518de53 c2fd7d5d
b37913b8 69211fe5 e194a6bf f60bc88a 343a93dc 34526931 b41566e3 f38f219f
9a6cefd5 d6d60002 2442b3e5 b4096717 2ffea23d b1020301 0001a382 01623082
015e300b 0603551d 0f040403 0205a030 1d060355 1d250416 30140608 2b060105
05070302 06082b06 01050507 0301301d 0603551d 0e041604 14cd47cf 646a8932
7cecb024 9fd2a31a b54d73dc c0301f06 03551d23 04183016 80145dd9 969a40c7
27cb2c9b a2eccf19 abc8afcc 86483048 0603551d 20044130 3f303d06 0f2b0601
040181ed 18030303 03040403 302a3028 06082b06 01050507 0201161c 68747470
733a2f2f 73736c2e 74727573 74776176 652e636f 6d2f4341 30370603 551d1104
30302e82 1576706e 2e70726f 63657373 77656176 65722e63 6f6d8215 7774732e
70726f63 65737377 65617665 722e636f 6d303506 03551d1f 042e302c 302aa028
a0268624 68747470 3a2f2f63 726c2e74 72757374 77617665 2e636f6d 2f4f5643
415f4c32 2e63726c 30360608 2b060105 05070101 042a3028 30260608 2b060105
05073001 861a6874 74703a2f 2f6f6373 702e7472 75737477 6176652e 636f6d2f
300d0609 2a864886 f70d0101 05050003 82010100 0785070e 045d6201 3ffc49b5
88808587 b6418d0e 87dc7ae8 3204563b 6e51ff93 25e8ad7a 9a11d439 2439a533
768477ca 902fdfbe f0c58a04 e15bf6a5 63829d4b a36c7ccc 0af9532b f39ec31d
21cd6b74 d3adffc2 5f8ee1c4 92c07ac6 ab547346 c740f477 857a82fd 897029d5
1cfa9b55 b1064ab7 1274556c 6a14f7a8 b8705cd4 51d6b7f4 0a024f6d 1818918c
0cb15bc5 cd301684 38c2dcb8 2585b44c 18808e1b 823a6043 28da0194 280fa6c9
80831cbc 1179be24 fc391e54 965761e5 e51031e1 0c76c65f 187922d0 96be80c9
3de9a56e 41d0fd3f 76afaf49 4bc4ff4c 213aa474 60a742ba 2a8fb3bd c9349da3
1ac96b24 7b99cba5 a28c6647 7803cf2c ee70540c
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_PWSSL internal
group-policy GroupPolicy_PWSSL attributes
wins-server none
dns-server value 192.168.0.16
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PW-VPN-Tunnel-ACL
default-domain value processw.local
webvpn
anyconnect keep-installer none
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PW-VPN-Tunnel-ACL
default-domain none
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username e184 password Rpt/S1N6et6Xwi7W encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e201 password Eox2TB.HgdkKLuec encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
address-pool clientpool
default-group-policy pw
tunnel-group pw ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group PWSSL type remote-access
tunnel-group PWSSL general-attributes
address-pool clientpool
authentication-server-group PW LOCAL
default-group-policy GroupPolicy_PWSSL
tunnel-group PWSSL webvpn-attributes
group-alias PWSSL enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:80663f0c45d0a6736344cf989a7af706
: endHi Marius,
Thanks for your suggestion
i have followed the same, but i'm still not able to access the static IP internal LAN. here is the running config out put.
Result of the command: "show running-config"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool clientpool 192.168.0.20-192.168.0.50 mask 255.255.255.0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.53.82.98 255.255.255.240
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group PW
name-server 202.53.64.202
name-server 202.53.72.13
name-server 192.168.0.16
name-server 192.168.0.8
same-security-traffic permit intra-interface
object network PW-LAN
subnet 192.168.0.0 255.255.255.0
object network USA
subnet 192.168.2.0 255.255.255.0
object network 202.53.82.110
host 202.53.82.110
object network PWHYD
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.151
host 192.168.0.151
object network 192.168.0.154
host 192.168.0.154
object network 192.168.0.156
host 192.168.0.156
object network 192.168.0.158
host 192.168.0.158
object network 192.168.0.159
host 192.168.0.159
object network 192.168.0.149
host 192.168.0.149
object network Rackspace
subnet 10.176.0.0 255.240.0.0
object network NETWORK_OBJ_10.176.0.0_12
subnet 10.176.0.0 255.240.0.0
object network 192.168.0.147_http
host 192.168.0.147
object service http
service tcp source eq www destination eq www
object network 192.168.0.14
host 192.168.0.14
object network 192.168.0.14_iCA
host 192.168.0.14
object network 192.168.0.159_http
host 192.168.0.159
object network 192.168.0.159_50100
host 192.168.0.159
object network 202.53.82.101
host 202.53.82.101
object network 192.168.0.159_8001
host 192.168.0.159
object network 192.168.0.192
host 192.168.0.192
object network 192.168.0.159_any
host 192.168.0.159
object network clientpool
range 192.168.0.20 192.168.0.50
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.192_DEV
host 192.168.0.192
object network 202.53.82.100
host 202.53.82.100
object network 149
host 192.168.0.149
object-group network PW-All-Sites
network-object 192.168.0.0 255.255.255.0
network-object object PWHYD
network-object object USA
network-object object clientpool
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list l2l-list extended permit ip object-group PW-All-Sites 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group PW-All-Sites 192.168.1.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 192.168.2.0 255.255.255.0
access-list PW-VPN-Tunnel-ACL standard permit 10.176.0.0 255.240.0.0
access-list outside_cryptomap_3 extended permit ip object-group PW-All-Sites object Rackspace
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static PW-LAN PW-LAN destination static Rackspace Rackspace
nat (inside,outside) source static PW-LAN PW-LAN destination static PWHYD PWHYD
nat (inside,outside) source static PW-LAN PW-LAN destination static USA USA
nat (inside,outside) source dynamic PW-LAN interface
nat (any,inside) source dynamic clientpool interface
nat (inside,inside) source static PW-LAN PW-LAN destination static 192.168.0.149 202.53.82.100
object network 192.168.0.151
nat (any,any) static 202.53.82.102 service tcp 3200 3200
object network 192.168.0.154
nat (any,any) static 202.53.82.104 service tcp 3201 3201
object network 192.168.0.156
nat (any,any) static 202.53.82.107 service tcp 3201 3201
object network 192.168.0.158
nat (any,any) static 202.53.82.109 service tcp 3222 3222
object network 192.168.0.159
nat (any,any) static 202.53.82.101 service tcp 3201 3201
object network 192.168.0.147_http
nat (any,any) static 202.53.82.110 service tcp www www
object network 192.168.0.14
nat (any,any) static 202.53.82.99 service tcp https https
object network 192.168.0.14_iCA
nat (any,any) static 202.53.82.99 service tcp citrix-ica citrix-ica
object network 192.168.0.159_50100
nat (any,any) static 202.53.82.101 service tcp 50100 50100
object network 192.168.0.159_8001
nat (any,any) static 202.53.82.101 service tcp 8001 8001
object network 192.168.0.192_DEV
nat (any,any) static 202.53.82.106 service tcp 3201 3201
object network 149
nat (any,any) static 202.53.82.100 service tcp www www
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.53.82.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PW protocol radius
aaa-server PW (inside) host 192.168.0.16
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set pwset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set pwsethyd esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RackspaceSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal RackSpaceSecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal pwhydsetsecure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsidemap 1 match address l2l-list
crypto map outsidemap 1 set peer 63.82.1.98
crypto map outsidemap 1 set ikev1 transform-set pwset
crypto map outsidemap 1 set ikev2 ipsec-proposal secure
crypto map outsidemap 2 match address outside_cryptomap
crypto map outsidemap 2 set pfs
crypto map outsidemap 2 set peer 115.119.186.194
crypto map outsidemap 2 set ikev1 transform-set pwsethyd
crypto map outsidemap 3 match address outside_cryptomap_3
crypto map outsidemap 3 set peer 67.192.250.53
crypto map outsidemap 3 set ikev1 transform-set RackspaceSet
crypto map outsidemap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsidemap interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn vpn.processweaver.com
subject-name CN=vpn.processweaver.com,OU=PWIT,O="ProcessWeaver,Inc",C=US,St=California,L=Fremont
keypair ciscovpn.key
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 47869fe5
3082046a 30820352 a0030201 02020447 869fe530 0d06092a 864886f7 0d010105
05003048 310b3009 06035504 06130255 53312030 1e060355 040a1317 53656375
72655472 75737420 436f7270 6f726174 696f6e31 17301506 03550403 130e5365
63757265 54727573 74204341 301e170d 30383132 32323233 34373339 5a170d32
38313232 32323334 3733395a 3081ae31 0b300906 03550406 13025553 3111300f
06035504 08130849 6c6c696e 6f697331 10300e06 03550407 13074368 69636167
6f312130 1f060355 040a1318 54727573 74776176 6520486f 6c64696e 67732c20
496e632e 31363034 06035504 03132d54 72757374 77617665 204f7267 616e697a
6174696f 6e205661 6c696461 74696f6e 2043412c 204c6576 656c2032 311f301d
06092a86 4886f70d 01090116 10636140 74727573 74776176 652e636f 6d308201
22300d06 092a8648 86f70d01 01010500 0382010f 00308201 0a028201 0100e814
eea0da97 bd89bd0c cc8ddf08 fb060983 a823515b 013f34da 1f1f6ec1 e35865cb
0af9f387 c8c8faa1 ccf574e2 b8ae2d06 8480286f 5ac1225c 929442cd 1902125c
10627ea2 44fb165e 9c72b1ac ea04e615 aa99e85a f858b987 24e875cd 2588e258
925e8683 7f8a2353 ae8ae8a3 217e83af 40091849 afe1d05a b04f6fe2 31adf4f1
371fc92a e18bd68c 1231d427 1adfea6b 9e7853ed 9a19b0ce 45445b1b ef645921
fac7b7d1 d30c1ecb 88dafd23 3ff4ac2b a04d61d3 becade19 616124f1 f69cb496
bd9deb17 9f243978 e92350d3 015077d8 52642f3e 194f75b9 17b1da8d e0d0eddb
3713dc2f e05f8068 d7f487ba c11f1278 d0082717 7a98a69f d221ba4e 87bf0203
010001a3 81f43081 f1300f06 03551d13 0101ff04 05300301 01ff301d 0603551d
0e041604 145dd996 9a40c727 cb2c9ba2 eccf19ab c8afcc86 48301f06 03551d23
04183016 80144232 b616fa04 fdfe5d4b 7ac3fdf7 4c401d5a 43af300b 0603551d
0f040403 02010630 34060355 1d1f042d 302b3029 a027a025 86236874 74703a2f
2f63726c 2e736563 75726574 72757374 2e636f6d 2f535443 412e6372 6c305b06
03551d20 04543052 300c060a 2b060104 0181ed18 03003042 060f2b06 01040181
ed180303 03030404 03302f30 2d06082b 06010505 07020116 21687474 703a2f2f
7777772e 73656375 72657472 7573742e 636f6d2f 6c656761 6c2f300d 06092a86
4886f70d 01010505 00038201 010053f1 c8a017ec 6c8882b1 c024afd1 0858b32c
6f7bc15c 89926f88 fc4bc002 50932f5a 419859b6 e37f8c14 63777d45 3c88505e
a6815200 c8c5fe48 ee1f5dad de440b42 589ce167 5c43b6a0 8598ff16 d41a28be
76e12fe1 84f47eb9 27aa77cb 36b3fec3 fad217f6 e1624ed3 ccccb319 65d34ba8
e8b3d54c eaf64eae cbae3448 1f60cc58 e7e774c9 0135fd6a e0588ad2 16ebece9
3ebbf01d cfb6ff1e 0cb7bb39 e9b7981b c05221eb 3a3d7838 8ca9195f 27a4d07f
3661ab24 7e9ff82d 3f922963 becb10db 0d403602 a0d417a2 8d7f7e7c 99af455a
40cda26b 5cbe0ef3 d387fca1 10caaa33 b7ba4bc0 3da4218c 179ccfd8 bfe657fe
cdebfa30 1ad5fee8 2597a9be 3bea
quit
certificate 0649f9a965553e7df2709c06c4da1b09e17cd9
30820510 308203f8 a0030201 02021306 49f9a965 553e7df2 709c06c4 da1b09e1
7cd9300d 06092a86 4886f70d 01010505 003081ae 310b3009 06035504 06130255
53311130 0f060355 04081308 496c6c69 6e6f6973 3110300e 06035504 07130743
68696361 676f3121 301f0603 55040a13 18547275 73747761 76652048 6f6c6469
6e67732c 20496e63 2e313630 34060355 0403132d 54727573 74776176 65204f72
67616e69 7a617469 6f6e2056 616c6964 6174696f 6e204341 2c204c65 76656c20
32311f30 1d06092a 864886f7 0d010901 16106361 40747275 73747761 76652e63
6f6d301e 170d3134 30363131 30353330 33355a17 0d313530 32323331 31333033
355a3070 311e301c 06035504 030c1576 706e2e70 726f6365 73737765 61766572
2e636f6d 31163014 06035504 0a0c0d50 726f6365 73735765 61766572 31143012
06035504 070c0b53 616e7461 20436c61 72613113 30110603 5504080c 0a43616c
69666f72 6e696131 0b300906 03550406 13025553 30820122 300d0609 2a864886
f70d0101 01050003 82010f00 3082010a 02820101 00cc194c fbdd63f5 0b49141a
9d21063f a13136df e524cef9 c55e9331 e6c5bc67 43361421 cafb7dc1 d244942e
6fd02ee7 198e7f7e 48ca62c2 1c8e1a8e 20431d42 b24103f1 5fad9287 9f9dc2da
5002e0b4 cf14b414 31e0e691 26cfbc0c 1ee09d6d 8176a63d 6ad81c30 b2b69dbe
59ce7092 44c09e62 27f20c58 8bd8e38a a3d75a94 94bbca6f 7ad87b93 3892ddb0
3f00a693 e05b5fe8 7a71d36c 223e1ded 8afb8ee4 1eea579c 53d964df 467694e9
b7ffe4f9 22c6dd5e 33d0ffee 9fd57fed 621c62f1 4dc6f14e 6518de53 c2fd7d5d
b37913b8 69211fe5 e194a6bf f60bc88a 343a93dc 34526931 b41566e3 f38f219f
9a6cefd5 d6d60002 2442b3e5 b4096717 2ffea23d b1020301 0001a382 01623082
015e300b 0603551d 0f040403 0205a030 1d060355 1d250416 30140608 2b060105
05070302 06082b06 01050507 0301301d 0603551d 0e041604 14cd47cf 646a8932
7cecb024 9fd2a31a b54d73dc c0301f06 03551d23 04183016 80145dd9 969a40c7
27cb2c9b a2eccf19 abc8afcc 86483048 0603551d 20044130 3f303d06 0f2b0601
040181ed 18030303 03040403 302a3028 06082b06 01050507 0201161c 68747470
733a2f2f 73736c2e 74727573 74776176 652e636f 6d2f4341 30370603 551d1104
30302e82 1576706e 2e70726f 63657373 77656176 65722e63 6f6d8215 7774732e
70726f63 65737377 65617665 722e636f 6d303506 03551d1f 042e302c 302aa028
a0268624 68747470 3a2f2f63 726c2e74 72757374 77617665 2e636f6d 2f4f5643
415f4c32 2e63726c 30360608 2b060105 05070101 042a3028 30260608 2b060105
05073001 861a6874 74703a2f 2f6f6373 702e7472 75737477 6176652e 636f6d2f
300d0609 2a864886 f70d0101 05050003 82010100 0785070e 045d6201 3ffc49b5
88808587 b6418d0e 87dc7ae8 3204563b 6e51ff93 25e8ad7a 9a11d439 2439a533
768477ca 902fdfbe f0c58a04 e15bf6a5 63829d4b a36c7ccc 0af9532b f39ec31d
21cd6b74 d3adffc2 5f8ee1c4 92c07ac6 ab547346 c740f477 857a82fd 897029d5
1cfa9b55 b1064ab7 1274556c 6a14f7a8 b8705cd4 51d6b7f4 0a024f6d 1818918c
0cb15bc5 cd301684 38c2dcb8 2585b44c 18808e1b 823a6043 28da0194 280fa6c9
80831cbc 1179be24 fc391e54 965761e5 e51031e1 0c76c65f 187922d0 96be80c9
3de9a56e 41d0fd3f 76afaf49 4bc4ff4c 213aa474 60a742ba 2a8fb3bd c9349da3
1ac96b24 7b99cba5 a28c6647 7803cf2c ee70540c
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_PWSSL internal
group-policy GroupPolicy_PWSSL attributes
wins-server none
dns-server value 192.168.0.16
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PW-VPN-Tunnel-ACL
default-domain value processw.local
webvpn
anyconnect keep-installer none
group-policy GroupPolicy_115.119.186.194 internal
group-policy GroupPolicy_115.119.186.194 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_67.192.250.53 internal
group-policy GroupPolicy_67.192.250.53 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy pw internal
group-policy pw attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PW-VPN-Tunnel-ACL
default-domain none
username rajuvaradha password 6biM7HbMtaadT82k encrypted
username e172 password E1abOIw/eu.DKO/y encrypted
username e150 password dJMsBQfrQRISuR8n encrypted
username e134 password bLBixKKCoH5Udlk9 encrypted
username e182 password mirFopEi/OG0LT4d encrypted
username e192 password u2P6WXLa1k8.kA1w encrypted
username e184 password Rpt/S1N6et6Xwi7W encrypted
username u033 password pS5QN8QLvYFHJfoK encrypted
username u011 password HGFsDnR5XiFAzrcE encrypted
username u010 password 5R8mktMpyUYPCpTO encrypted
username u032 password rst8O1b/yrXsKVmu encrypted
username u002 password .u2izEtqOIC5D2fT encrypted
username admin password eY/fQXw7Ure8Qrz7 encrypted
username u012 password JClYI3r7x0T/ed26 encrypted
username u015 password 6tNvtB4hPcUNDyhE encrypted
username u014 password Wy6x8dPcSnMcAT1v encrypted
username u017 password xahCXrBaZWzW8aEp encrypted
username u006 password BCEOAmlRL6CbQfTV encrypted
username e006 password DG96SZQ2gBqIXEYv encrypted
username e034 password 1sG72DUjsY7nt81V encrypted
username u007 password vtcK6xerueHvqZJZ encrypted
username u016 password pZgySMnraNBlTTnL encrypted
username u025 password ulAXIX1u2.UD/KvT encrypted
username u008 password G4vmDF.mv3rXWa7h encrypted
username u019 password NxlycJwroZrzCSJ3 encrypted
username e019 password E9NaUPs18c0.PBnd encrypted
username u018 password 33CghGQSMjbWDfdb encrypted
username u009 password uaaSLEu55XXbD5Sr encrypted
username u028 password UMFMzXMs6He7.zR8 encrypted
username e097 password .UawdlGNiYnRHnzF encrypted
username e314 password ye2/LpVufAXvAUJ6 encrypted
username e327 password 6mKef3HGlnyb6hnu encrypted
username e343 password 0g33Wbvzi.NL1PjH encrypted
username e222 password e0.SFEwm1RqC6lLj encrypted
username e289 password /YrO2mEvMUr9zxq3 encrypted
username e201 password Eox2TB.HgdkKLuec encrypted
username e265 password fTk7Vxw0Z06AAbHi encrypted
username e251 password 6y7YjKQO1rP3nAQG encrypted
username e219 password p049Lf7jFLisN6UJ encrypted
username e269 password v7oFefIpmPGd307D encrypted
tunnel-group 63.82.1.98 type ipsec-l2l
tunnel-group 63.82.1.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group pw type remote-access
tunnel-group pw general-attributes
address-pool clientpool
default-group-policy pw
tunnel-group pw ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 115.119.186.194 type ipsec-l2l
tunnel-group 115.119.186.194 general-attributes
default-group-policy GroupPolicy_115.119.186.194
tunnel-group 115.119.186.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 67.192.250.53 type ipsec-l2l
tunnel-group 67.192.250.53 general-attributes
default-group-policy GroupPolicy_67.192.250.53
tunnel-group 67.192.250.53 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group PWSSL type remote-access
tunnel-group PWSSL general-attributes
address-pool clientpool
authentication-server-group PW LOCAL
default-group-policy GroupPolicy_PWSSL
tunnel-group PWSSL webvpn-attributes
group-alias PWSSL enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:3b6339b71a4cf924c7b30056a3e6fc31
: end -
Hello everyone,
I have the following scenario:
We're using "Oracle SOA Suite 11g 11.1.1.7.0" (Patched w/ 17893896) mainly for a BPM/Human workflow composite. Former, we were having the error bellow:
<Mar 16, 2015 1:13:03 PM BRT> <Error> <oracle.soa.services.workflow.query> <BEA-000000> <<.> Verification Service cannot resolve user identity. User weblogic cannot be found in the identity repository. Workflow Context token cannot be null in request.
ORABPEL-30511
When that error ocurred, no one was able to use the system (BPM/Human Workflow).
I opened an SR, and after some analysis from the support, it recommended me to set up "virtualize=true" in EM, and restarting the domain. Then it started logging the following:
connection to ldap://[10.200.10.57]:7001 as cn=Admin.
javax.naming.NamingException: No LDAP connection available to process request for DN: cn=Admin.
Looking up on support KB, I found this note Doc ID 1545680.1 and increased from Max size of Connection Pool 10 to 200. That did work successfully! Problem now is that the <SERVER>_diagnostic.log is being filled up with the following error:
[2015-03-31T16:03:46.421-03:00] [soa_server2] [ERROR] [] [oracle.soa.services.workflow.verification] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: e0194e38aa6c9a2f:39fc1ff9:14c5def5247:-8000-00000000000a5653,0] [APP: soa-infra] <.> validateContextToken: workflow session was not found for given context. Create a new workflow session with token=51490173-e3d0-41dd-ae99-983915aa8454;;G;;Z+P7Oe9ABnoTUQD9ECryEW2l0/8yRcqPDyZsOWBCuzMmRgA3Qsj601TxmWQ87z2MjuwW5AH+KzgjIwkPmhJFdpc1FrE6Y/MrN1bxIDHJWu2/zP3iSNwKD07hRrh/U37Ea0TvaQyuaHJIog9y3Ptmzw==
One important point is that we're using only the embedded WLS ldap. So I am not 100% sure if we should be using the virtualize flag=true, once all docs I read point out that this should be done when using multi-ldap providers.
Also, I only got this error in the "diagnostic.log".
Although, no user has complained about using the system, I really want to work it out. Anyone has any suggestions?
Thanks in advance!I have moved your thread from Certification to SOA Suite to get proper assistance.
Thanks,
Lisa -
How To Create ABAP Code For HR Context Sensitive Structural Authorization
Hello,
We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
Thank you in advance for all your assistance,
Ken BowersHello Ken
You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
Regards
Ranganath -
Issue with Adobe flex data.xml file not reachable from bsp behind firewall
Hi Gurus,
I have a problem with the <mx:HTTPService> tag the following is the actual tag,
<mx:HTTPService
id="Srv"
url="data.xml"
useProxy="false"
method="POST" result="resultHandler(event)"/>
When accessed locally I can see the data in the flex as the data.xml can be reached. when the same is accessed from internet behind firewall, the url is entirely different and the .swf file in the BSP page cannot access the data.xml. I cannot give the absolute url in the tag as the BSP page application is accessed differently in different servers. any help on this would be greatly appreciated
Thanks
AkbarSorry somehow I missed this question, an even easier way to do this is to allow your Flash movie to "script" ( this is the default behavior for a Flex application ) and then call some javascript to obtain exactly what the page URL is and then go from there to get your data:
import flash.external.ExternalInterface;
import mx.utils.URLUtil;
var
if(ExternalInterface.available){
pageURL = ExternalInterface.call("window.location.href.toString");
// Do whatever you need with the URL here.
var serverName:String = URLUtil.getServerNameWithPort(pageURL);
-d -
Hi
Using SDDM 3.3.
How does one get to synchronise changes/differences in 'contexts' (defined in physical model - Oracle DB)?
I have tried to synchronize both ways, i.e. model to db and db to model, but never does it show the DDL necessary to create the missing context.
Yes, Context is selected/ticked under preferences for Oracle DB synchronization preferences.
Thank you & RegardsHi Philip
If I use the "generate DDL" option from the toolbar, it does generate DDL for the context I have in the physical model. I can select/deselect them in the DDL Generation Options window.
Why then would it not generate DDL when comparing the model with the database, i.e. using the "synchronise data dictionary to model" option? It successfully generates a 'patch'/change script for tables, views, packages, etc.?
Thank you & Regards
PS. I am asking for a way to get it to generate me a complete 'patch'/change script. -
Non static method cannot be referenced from a non static context
Dear all
I am getting the above error message in my program.
public void testing(Vector XY){
RecStore.checkUnits(XY);
}method checkUnits is non static and cannont be called from a non static context. I don't see the word static anywhere...
I have done a wider search throughout the main class and I'm haven't got any static their either.
Any ideas?
Thanks
DanYup
I had pared down my code, infact it is being called from within a large if statement.Irrelevant.
But the same thing still holds that there is no static keyword used.Read my previous post. Calling checkUnits using the class name:
RecStore.checkUnits(XY);implies a static context--in order for that call to work, checkUnits must be static. That's what your error message is saying--you are trying to call the non-static method "checkUnits" from the static context of using the class name "RecStore." -
Upgrading license for more context cisco asa 5580
Hi guys:
This is the situation I got to firewalls with failover and I need to upgrade the license so I can get more context (right now I have 5 context and I need 10) so I was looking at the procedure and I'm not sure If I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required)
Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
•1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.
•2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.
•3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
•4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
•5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
•6. Click Apply. This completes the procedure.
link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml#norelasdm
But then I checked on the cisco web page that there are some license that need to reload I see this:
All models
Downgrading any license (for example, going from 10 contexts to 2 contexts).
Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
link: https://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html
So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
RegardsNo reload is required when you are upgrading from 5 to 10 security context license.
Reload is only required on the following feature:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1361750
Hope this helps. -
ClassNotFoundException for initial-context-factory using foreign JMS p.
Hi,
I am currently working on migrating an application from weblogic 9 to weblogic 10 and I bumped into this issue while MDB connecting to JMS.
[Loaded cz.jaksky.riskscenario.beans.RiskScenarioServiceLocalHome from file:/C:/SVN/app-WLS10-FRESH/app-deploy/servers/myserver/tmp/_WL_user/performance/nyubkw/point-interfaces.jar]
<17-Sep-2012 11:01:27 o'clock CEST> <Warning> <EJB> <BEA-010061> <The Message-Driven EJB: PerformanceAsyncRequestBean is unable to connect to the JMS destination: wls.AsyncQueue. The Error was:
javax.naming.NoInitialContextException: Cannot instantiate class: cz.jaksky.common.jms.JMSInitialContextFactory [Root exception is java.lang.ClassNotFoundException: cz.jaksky.common.jms.JMSInitialContextFactory]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at weblogic.deployment.jms.ForeignOpaqueReference.getReferent(ForeignOpaqueReference.java:182)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:96)
at weblogic.jndi.internal.ServerNamingNode.resolveObject(ServerNamingNode.java:377)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:856)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:209)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:214)
at weblogic.jndi.internal.WLEventContextImpl.lookup(WLEventContextImpl.java:254)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:411)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at weblogic.jms.common.CDS$2.run(CDS.java:486)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.jms.common.CrossDomainSecurityManager.runAs(CrossDomainSecurityManager.java:131)
at weblogic.jms.common.CDS.lookupDestination(CDS.java:480)
at weblogic.jms.common.CDS.lookupDDAndCalloutListener(CDS.java:345)
at weblogic.jms.common.CDS.access$100(CDS.java:41)
at weblogic.jms.common.CDS$DDListenerRegistrationTimerListener.timerExpired(CDS.java:193)
at weblogic.timers.internal.TimerImpl.run(TimerImpl.java:273)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
Caused by: java.lang.ClassNotFoundException: cz.jaksky.common.jms.JMSInitialContextFactory
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:46)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:654)
... 23 more
I am using foreign JMS provider with provided mapping. Config follows:
ejb-jar.xml:
<enterprise-beans>
<message-driven>
<ejb-name>PortfolioRetrieverAsyncRequestBean</ejb-name>
<ejb-class>cz.jaksky.common.async.AsynchronousRequestMessageBean</ejb-class>
<transaction-type>Bean</transaction-type>
<acknowledge-mode>Auto-acknowledge</acknowledge-mode>
<message-driven-destination>
<destination-type>javax.jms.Queue</destination-type>
<subscription-durability>Durable</subscription-durability>
</message-driven-destination>
<message-selector>
<![CDATA[ Service IN ('PortfolioRetriever')
AND MessageType = 'request'
AND BigBox = FALSE
]]>
</message-selector>
</message-driven>
</enterprise-beans>
weblogic-ejb-jar.xml:
<weblogic-enterprise-bean>
<ejb-name>PortfolioRetrieverAsyncRequestBean</ejb-name>
<message-driven-descriptor>
<pool>
<max-beans-in-free-pool>64</max-beans-in-free-pool>
<initial-beans-in-free-pool>1</initial-beans-in-free-pool>
</pool>
<destination-jndi-name>wls.AsyncQueue</destination-jndi-name>
<initial-context-factory>weblogic.jndi.WLInitialContextFactory</initial-context-factory>
<connection-factory-jndi-name>ServiceLocatorAsyncQueueFactory</connection-factory-jndi-name>
</message-driven-descriptor>
<dispatch-policy>PortfolioAsyncQueueWorkManager</dispatch-policy>
</weblogic-enterprise-bean>
jmsconfig-jms.xml
<foreign-server name="TibjmsAsyncServer">
<default-targeting-enabled>true</default-targeting-enabled>
<foreign-destination name="AsyncQueue.LOCAL.prgdwm355410.7001">
<local-jndi-name>wls.AsyncQueue</local-jndi-name>
<remote-jndi-name>AsyncQueue.LOCAL.prgdwm355410.7001</remote-jndi-name>
</foreign-destination>
<foreign-connection-factory name="FTQueueConnectionFactory">
<local-jndi-name>ServiceLocatorAsyncQueueFactory</local-jndi-name>
<remote-jndi-name>FTQueueConnectionFactory</remote-jndi-name>
</foreign-connection-factory>
<initial-context-factory>cz.jaksky.common.jms.JMSInitialContextFactory</initial-context-factory>
<connection-url>tcp://JUSD-FTPOIA.jaksky.com:22542,tcp://JUSD-FTPOB.jaksky.com:22543</connection-url>
</foreign-server>
Module containing this MDB is packed as an ear file with following structure:
APP-INF/lib/modules.jar - contains AsynchronousRequestMessageBean class
APP-INF/lib/interface.jar - contains JMSInitialContextFactory (class used for initial-context-factory)
portfolio-async.jar
META-INF/ejb-jar.xml content pasted above
META-INF/webogic-ejb-jar.xml content pasted above
Weblogic system classpath doesn't contain any application sepcific libraries.
This set up was working for weblogic 9 without any problem. I am just wondering what the problem is whether I am faceing class loading issue or JMS configuration issue and how to resolve it.
Edited by: user13047709 on 18-Sep-2012 07:15
Edited by: user13047709 on 18-Sep-2012 07:16Hi,
When working with a non-WebLogic JNDI provider (or a non-WebLogic JMS provider), the non-WebLogic client classes must be made available to the classloader of the calling application in WebLogic Server. This is usually accomplished by adding them to the system classpath.
In your case, WebLogic is looking for a proprietary/foreign JNDI Context Factory class named "cz.jaksky.common.jms.JMSInitialContextFactory", which means you need to make sure that a jar/dir that contains the non-WebLogic class "JMSInitialContextFactory.class" is in the classpath.
The configuration for this should be similar in WL9 and WL10. It could be that your classpath is already setup to reference the foreign class, but it refers to a directory/jar that you haven't setup yet on your WL10 host.
HTH,
Tom -
Title field appears to be limited in acceptable symbols, so, the proper title would be `sudo mount` from Apache's (mod_php) context is successful, but not applied to whole system.
Apache is run as http:http, http is added to sudoers as http ALL=(ALL) NOPASSWD: ALL.
Now, drop the "insecurity" bucket, I know how insecure it is. This is for a different kind of environment - a NAS (as in Network Attached Storage), that has a web-based OS on top of it, written in PHP for the sake of simplicty and team scalability. The Web OS and NAS together make up for Mobotix IP camera storage and configuration.
I've already asked 2 questions on Stack Exchange network - http://stackoverflow.com/questions/1959 … h-nopasswd and here http://unix.stackexchange.com/questions … le-by-root, where I've explained the situation in great detail (at least I think I have).
Now, assuming that more experienced users do not camp Stack Exchange, I'm giving a hot here. Arch is the distro under the NAS, so...
Basically, the problems description can be narrowed down to:
Performing a `sudo mount /dev/sdb1 /mnt/firstdrive` in a web-request by PHP's exec mounts the filesystem successfully.
Though, it appears that the mount is made private for the running user.
Private as in... Logging in @ TTY0 with root and running lsblk or cat /proc/mounts does not show the mountpoint.
That breaks down some of the subsequent functionality required for some of the NAS'es processes.
What could be the reason for `mount`/`umount` not executed system-wide?
How come commands like `parted`, `dd`, `mdadm`, `mkdir` execute as expected?
How do I overcome the issue?
P.S. Excuse the quirky environment, but, it actually works flawlessly (we've shipped about 30 units now, with no complaints, am refactoring/majorly upgrading now, hence the problem) and is very pleasant for quick extensions/modifications.
Thanks in advance!
Last edited by psycketom (2013-10-30 12:27:51)Okay, now I'm really amazed.
I thought that there are problems with EUID's and what not, so, I compiled Apache with `-DBIG_SECURITY_HOLE` to make it run as root.
Same problem remains, it mounts, but somewhere "behind the scenes".
Why doesn't mount work system-wide in Apache's context?
Update:
I've find out what's happening in "technical" terms. Apache appears to be running in it's own mount namespace.
Querying cat /proc/<apaches-main-or-child-pid>/mounts display the mount.
Now, how'd I make the namespaced mount to reflect whole system?
Last edited by psycketom (2013-10-30 11:01:23) -
Can not get application bc4j for adding context root file
Hi all,
Can someone help me on this,
i got this this error while trying to run my web based reporting:
06/08/21 18:01:04 [SEVERE]: Error instantiating application at file:/C:/Documents and Settings/Bryan1/Desktop/Pattern Maching JSP 2006Feb/jdevstudio1013/jdev/system/oracle.j2ee.10.1.3.34.12/embedded-oc4j/applications/bc4j.ear: Unable to get ApplicationConfig for bc4j : Error creating deployment directory: IO Error: The system cannot find the path specified.
06/08/21 18:01:04 [SEVERE]: Error instantiating application at file:/C:/Documents and Settings/Bryan1/Desktop/Pattern Maching JSP May2006/jdevstudio1013/jdev/system/oracle.j2ee.10.1.3.34.12/embedded-oc4j/applications/ITS.ear: Unable to get ApplicationConfig for ITS : Error creating deployment directory: IO Error: The system cannot find the path specified.
2006-08-21 18:01:07.265 WARNING J2EE_OJR0007 Can not get application bc4j for adding context root file:/C:/Pattern Maching JSP May2006/jdevstudio1013/jdev/system/oracle.j2ee.10.1.3.34.12/embedded-oc4j/config/default-web-site.xml
Ready message received from Oc4jNotifier.
Embedded OC4J startup time: 5282 ms.
Target URL -- http://192.168.2.55:8988/Trans-Reporting-context-root/login.jsp
06/08/21 18:01:07 Oracle Containers for J2EE 10g (10.1.3.0.0) - Developer Preview initializedIF i run http://192.168.2.55:8080/Reporting/login.jsp from web browser then is ok, but cannot straight run from JDeveloper? How to set the path?
rgds,
bryanDear Frank,
Thanks for ur reply but i still failed to access to my login.jsp
I already select RUN from menu then clean <XXXX.jpr>, then rebuild the project and Run the project but still have the same problem.
rgds,
bryan -
ICMP Best Practices for Firewall
Hello,
Is there a such Cisco documentation for ICMP best practices for firewall?
ThanksHello Joe,
I havent look for such a document but what I can tell you is the following?
ICMP is a protocol that let us troubleshoot or test whether IP routing is good on our network or if a host is live on our network so I can tell you that from that perspective this is definetly something good (Not to mention some of the other good usage that we can provide to this protocol such for PATH MTU Discovery, etc).
But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network.. Even to perform DoS attacks (Smurf attack, etc).
So what's the whole point of this post:
Well at least on my opinion I would allow ICMP on my network but I would definetly permit only the right ICMP code messages and I would protect my network against any known vulnerability regarding DoS attacks with ICMP, In this case I will still take advantage of the really useful protocol while protecting my enviroment,
Hope that I could help
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura -
Question in regard to management VLAN for each Context in ACE module
Dear Pros,
I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
2) If it does require that, what IP address should I used for default route in each context.
I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
Any suggestions or if you can point me to location as always will be greatly apprecaited.
Thanks and best regards.
Raman AzizianHi,
you have several options to choose from.
1. Use Admin context for management
You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
+ Easy and straightforward
- snmp and syslog are using the ip from each individual context and not the management IP
2. Use a Large subnet and assign an IP address in each context for management.
You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own managment address
- static routes need to be added
3. Use your client-side ip address (or BVI) as management address.
You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
+ no static routes needed
- inline management
Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
HTH,
Dario -
Hi All
I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.
We have a router with an inside interface eg A.A.A.A connected to a L2 switch then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.
The firewall is running in routed context mode already with just 1 context in place (besides admin).
The existing context has a number of logical interfaces assigned to it with incoming traffic to the firewall using a certain vlan on a sub interface 1.182. Sub interface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.
There is a route in place on the router forwarding all traffic to an IP address on the firewall within context 1 – eg A.A.A.254 on logical interface 1.182
The problem is that we would now like to create another context on the firewall (context 2).
I’d like to know the best way to complete this task – whether I can re-use the existing incoming logical interface 1.182 that is used in Context1 or whether to create another sub interface eg 1.183 or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.
If I can use the same logical interface used in Context 1, from what I have already read then I would need to make sure that the MAC address on the new context interface is different to the MAC in context 1 ?
Can I assign a different IP address to this shared logical interface within my new context2 ? and does it need to be in the same subnet as already used between the router and the firewall ie A.A.A.A.x – I would suspect so.
Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?
Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context1 and how it currently receives its traffic.
thanksIf you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. Reference.
It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk. -
Ports from isp for the VPN less (Expreeway C&E ) cisco jabber.
Hi Team
What ports need to open from isp for configuring the VPN less (Expreeway C&E ) cisco jabber?
Regards,Hi Waqas,
Please check the following
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment_Guide-X8-1.pdf
HTH
Manish
Maybe you are looking for
-
My iPhone 4s is turning off although it has 30% charge
my iPhone 4s is turning off although it has 30% charge
-
UNCAUGHT_EXCEPTION during Transaction SPROXY
Hi , while exectuing sproxy transaction its giving a short dump. please see the dump below. Runtime Errors UNCAUGHT_EXCEPTION Except. CX_SRAPI_PRECONDITION_VIOLAT
-
Two work items are generating in approver inbox ?
Hi Experts, iam working on PR Workflow. I used the user decision to the Approver for approving. when i relased in me54n. it will go to the approver. but every time two work items are generated in Approver inbox. I used the Responsible agent and poss
-
MultiDPIBitmapSource with states
Hi All, What's the proper way to use the MultiDPIBitmapSource class with state changes: I'm making a simple button skin that just uses an image and changes the image source based on state. The following code doesn't capture state. The image will stay
-
Why do I get this message when trying to post?
I am logged in and trying to post a question about an error message and I am getting: "You are not allowed to create or update this content" What am I doing incorrectly?