ZBFW - dmz-zone to in-zone access

Hi IOSers,
I have a Cisco 2901 which terminates a Class C address pool.
I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
in-zone - is an SMTP mail server which is behind a VPN Gateway/NAT, TomCat (Application Server) and a PostgreSQL Server
private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTPS server to redirect to the in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from the dmz-zone server to the in-zone server.
However, I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...
Can anyone please advise...
Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
I think I am making a basically incorrect assumption somewhere ...
NOTE: I have routing rules for each of the various sub-nets, and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works OK, so it appears the problem is with the ZBFW, not the routing table.
Thanks for any expertise you can bring to help resolve this.
Regards,
Zebity.

Hi Karthikeyan,
Thank you for offering to look at this. I do all my configuration using CCP, which is a lot easier than poring over IOS commands.
I have dumped out the config, but as it is hard to pull out the particular part of the config, please find the following screen snap & config:
The areas where I think there are problems are the "self" zone items (can I get rid of the self zone case completely, with the exception of blocking any external (DSL) access to self?) and the dmz-zone to in-zone and in-zone to dmz-zone configs.
Building configuration...
Current configuration : 32292 bytes
! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname big
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 168.192.200.1 168.192.200.99
ip dhcp excluded-address 168.192.200.126 168.192.200.254
ip dhcp excluded-address 200.200.200.1 200.200.200.79
ip dhcp excluded-address 200.200.200.91 200.200.200.126
ip dhcp pool PRIVATE-POOL-1
   import all
   network 168.192.200.0 255.255.255.0
   domain-name in.froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 168.192.200.1
ip dhcp pool FROGHOP-POOL-2
   import all
   network 200.200.200.0 255.255.255.128
   domain-name froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 200.200.200.1
no ip bootp server
ip domain name froghop.com
ip name-server 200.200.200.4
ip name-server 200.200.200.20
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
appfw policy-name CCP_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2085601892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2085601892
revocation-check none
crypto pki certificate chain TP-self-signed-2085601892
certificate self-signed 01
  XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
  4F5E79FE 8C76B0EC BC5DD668 69BE1A
            quit
license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
hw-module pvdm 0/0
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-any OPEN-TRAFFIC-OUT-190
match access-group name OPEN-TRAFFIC-OUT-190
class-map type inspect match-any SMTPS-TRAFFIC-IN
match access-group name SMTPS-IN
class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol tcp
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol udp
class-map type inspect match-all SELF-DNS-OUT
match access-group name SELF-DNS-OUT
match protocol dns
class-map type inspect match-any SMTP-PROTOCOL
match protocol smtp
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
match class-map SMTP-PROTOCOL
match access-group name DMZ-MAIL-OUT
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SIP-PROTOCOLS
match protocol sip
match protocol sip-tls
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
match class-map SIP-PROTOCOLS
match access-group name DMS-SIP-TRAFFIC
class-map type inspect match-any OPEN-TRAFFIC-OUT-140
match access-group name OPEN-TRAFFIC-OUT-140
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect match-any OPENDIR-PROTOCOLS
match protocol kerberos
match protocol ldap
match protocol ldaps
match protocol ldap-admin
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
match  service text-chat
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect match-any SYSLOG-PROTOCOL
match protocol syslog
class-map type inspect match-any ICMP-PROTOCOLS
match protocol icmp
class-map type inspect match-all SELF-ICMP
match access-group name SELF-ICMP-TRAFFIC
match class-map ICMP-PROTOCOLS
class-map type inspect match-any DMZ-DNS
match protocol dns
class-map type inspect match-all OPENDIR-OUT
match class-map OPENDIR-PROTOCOLS
match access-group name OPENDIR-TRAFFIC
class-map type inspect match-all SMTPS-TRAFFIC
match class-map SMTPS-TRAFFIC-IN
match protocol tcp
class-map type inspect match-any TRUSTED-HOSTS
match access-group name TRUSTED-HOSTS
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-any TRANSPORT-PROTOCOLS
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type inspect match-any WEB-PROTOCOLS
match protocol http
match protocol https
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map type inspect match-any SELF-DNS-IN
match access-group name SELF-DNS-IN
match protocol dns
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any OPEN-TRAFFIC-IN-140
match access-group name OPEN-TRAFFIC-IN-140
class-map type inspect match-all SYSLOG-IN-DMZ
match access-group name SYSLOG-TRAFFIC
match class-map SYSLOG-PROTOCOL
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
match  service any
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map SMTP-PROTOCOL
match access-group name SMTP-TRAFFIC
class-map type inspect match-any DNS-PROTOCOL
match protocol dns
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map ICMP-PROTOCOLS
match access-group name IN-ZONE-ICMP
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ACCESS-PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
match class-map ACCESS-PROTOCOLS
match access-group name DMZ-ZONE-TRAFFIC
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all PUSH-NOTIFICATIONS
match access-group name PUSH-NOTIFICATIONS
match protocol tcp
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect match-all DEST-DNS
match access-group name DEST-DNS
match class-map DNS-PROTOCOL
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SYSLOG-PROTOCOL
match access-group name DMZ-SYSLOG
class-map type inspect match-any FTP-PROTOCOL
match protocol ftp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map ICMP-PROTOCOLS
match access-group name DMZ-ICMP
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
match class-map WEB-PROTOCOLS
match access-group name DMZ-WEB
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
match class-map SIP-PROTOCOLS
match access-group name DMZ-SIP
class-map type inspect match-any TIME-PROTOCOLS
match protocol ntp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
match class-map DMZ-DNS
match access-group name DMZ-DNS-TRAFFIC
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
match class-map ACCESS-PROTOCOLS
match access-group name IN-ZONE-TRAFFIC
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect POLICY-PRIVATE-TRANSIT
class type inspect ACCESS-PROTOCOLS
  pass log
class class-default
  drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect POLICY-IN-SELF
class type inspect ICMP-PROTOCOLS
  inspect
class class-default
  drop log
policy-map type inspect POLICY-SELF-IN
class type inspect OPEN-TRAFFIC-OUT-190
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  drop
policy-map type inspect POLICY-DMZ-OUT
class type inspect TIME-PROTOCOLS
  inspect
class type inspect WEB-PROTOCOLS
  inspect
class type inspect FTP-PROTOCOL
  inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-2
  inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-1
  inspect
class type inspect PUSH-NOTIFICATIONS
  inspect
class type inspect DEST-DNS
  inspect
class class-default
  drop log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  allow
class type inspect http ccp-app-httpmethods
  log
  allow
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ICMP-PROTOCOLS
  inspect
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop log
policy-map type inspect POLICY-PRIVATE-IN-DMZ
class type inspect TRANSPORT-PROTOCOLS
  inspect
class type inspect ICMP-PROTOCOLS
  inspect
class class-default
  drop log
policy-map type inspect POLICY-IN-OUT
class type inspect OPEN-TRAFFIC-OUT-140
  pass log
class type inspect WEB-PROTOCOLS
  inspect
class type inspect OPENDIR-OUT
  inspect
class type inspect DEST-DNS
  inspect
class type inspect PUSH-NOTIFICATIONS
  inspect
class class-default
  drop log
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect POLICY-DMZ-SELF
class type inspect ICMP-PROTOCOLS
  inspect
class type inspect TRANSPORT-PROTOCOLS
  inspect
class class-default
  drop log
policy-map type inspect POLICY-SELF-OUT
class type inspect SELF-DNS-OUT
  pass
class type inspect TIME-PROTOCOLS
  pass
class type inspect NAT-POOL-UDP-TRAFFIC-OUT
  inspect
class type inspect NAT-POOL-TCP-TRAFFIC-OUT
  inspect
class class-default
  drop log
policy-map type inspect POLICY-OUT-SELF
class type inspect SELF-DNS-IN
  pass
class type inspect TIME-PROTOCOLS
  pass
class type inspect SELF-ICMP
  inspect
class class-default
  drop log
policy-map type inspect POLICY-IN-DMZ
class type inspect SYSLOG-IN-DMZ
  pass
class type inspect ICMP-PROTOCOLS
  inspect
class class-default
  drop log
policy-map type inspect POLICY-DMZ-IN
class type inspect TRANSPORT-PROTOCOLS
  inspect
class type inspect ICMP-PROTOCOLS
  inspect
class class-default
  drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-4
  inspect
class type inspect ccp-cls-ccp-permit-dmzservice-1
  pass
class type inspect ccp-cls-ccp-permit-dmzservice-3
  inspect
class type inspect ccp-cls-ccp-permit-dmzservice-5
  inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
  inspect
class class-default
  drop log
policy-map type inspect ccp-pol-outToIn
class type inspect OPEN-TRAFFIC-IN-140
  pass
class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
class type inspect ccp-cls-ccp-pol-outToIn-2
  inspect
class type inspect SMTPS-TRAFFIC
  inspect
class type inspect SMTPS-TRAFFIC-IN
  pass log
class class-default
  drop log
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-ZONE
zone security PRIVATE-IN
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect POLICY-IN-OUT
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
service-policy type inspect POLICY-DMZ-IN
zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
service-policy type inspect POLICY-DMZ-OUT
zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
service-policy type inspect POLICY-IN-DMZ
zone-pair security ZP-OUT-SELF source out-zone destination self
service-policy type inspect POLICY-OUT-SELF
zone-pair security ZP-SELF-OUT source self destination out-zone
service-policy type inspect POLICY-SELF-OUT
zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-IN-SELF source in-zone destination self
service-policy type inspect POLICY-IN-SELF
zone-pair security ZP-SELF-IN source self destination in-zone
service-policy type inspect POLICY-SELF-IN
zone-pair security ZP-DMZ-SELF source dmz-zone destination self
service-policy type inspect POLICY-DMZ-SELF
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
interface Loopback0
ip address 200.200.200.190 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 200.200.200.130 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 168.192.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.160 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/3/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface Virtual-Template1 type serial
description $FW_INSIDE$
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan1
description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
ip address 200.200.200.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
description $FW_OUTSIDE$
ip address 210.210.210.154 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output sdmappfwp2p_CCP_MEDIUM
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 500
ip dns server
ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
ip route 0.0.0.0 0.0.0.0 210.210.210.1
ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
ip access-list extended DEST-DNS
remark CCP_ACL Category=1
permit udp any any eq domain
ip access-list extended DMS-SIP-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.30 any
permit ip host 200.200.200.40 any
ip access-list extended DMZ-DNS-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
ip access-list extended DMZ-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DMZ-MAIL-OUT
remark CCP_ACL Category=128
permit ip any host 230.211.70.60
permit ip any host 230.250.90.137
ip access-list extended DMZ-SIP
remark CCP_ACL Category=128
permit ip any host 200.200.200.40
permit ip any host 200.200.200.30
ip access-list extended DMZ-SYSLOG
remark CCP_ACL Category=128
permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
ip access-list extended DMZ-WEB
remark CCP_ACL Category=128
permit ip any host 200.200.200.35
permit ip any host 200.200.200.20
ip access-list extended DMZ-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip 200.200.200.0 0.0.0.128 any
ip access-list extended ESP-TRAFFIC
remark CCP_ACL Category=1
permit esp any any
ip access-list extended IN-ZONE-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended IN-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.140 any
ip access-list extended NAT-POOL-TRAFFIC-IN
remark CCP_ACL Category=128
permit ip any 0.0.0.0 255.255.255.224
ip access-list extended NAT-POOL-TRAFFIC-OUT
remark CCP_ACL Category=128
permit ip 0.0.0.30 255.255.255.224 any
ip access-list extended OPEN-TRAFFIC-IN-140
remark CCP_ACL Category=1
permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
permit esp host 230.211.70.60 host 200.200.200.140
permit ip host 230.211.70.10 host 200.200.200.140
permit tcp host 230.211.70.35 host 200.200.200.140
deny   ip host 230.211.70.60 host 200.200.200.140
ip access-list extended OPEN-TRAFFIC-OUT-140
remark CCP_ACL Category=1
permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
permit esp host 200.200.200.140 host 230.211.70.60
permit ip host 200.200.200.140 host 230.211.70.10
permit tcp host 200.200.200.140 host 230.211.70.35
deny   ip host 200.200.200.140 host 230.211.70.60
ip access-list extended OPENDIR-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 230.211.70.10
ip access-list extended PUSH-NOTIFICATIONS
remark CCP_ACL Category=1
permit tcp any any eq 5223
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SELF-DNS-IN
remark CCP_ACL Category=1
permit udp any eq domain any
ip access-list extended SELF-DNS-OUT
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
permit ip any host 200.200.200.4
ip access-list extended SELF-ICMP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.190
ip access-list extended SMTP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.140
ip access-list extended SMTPS-IN
remark CCP_ACL Category=1
permit tcp any any eq 465
permit tcp any any eq 587
ip access-list extended SMTPS-OUT
remark CCP_ACL Category=1
permit tcp any eq 465 any
permit tcp any eq 587 any
ip access-list extended SYSLOG-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.32
ip access-list extended TRUSTED-HOSTS
remark CCP_ACL Category=128
permit ip host 230.211.70.35 any
permit ip host 230.211.70.60 any
logging 200.200.200.32
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 168.192.200.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 210.210.210.0 0.0.0.255 any
access-list 100 permit ip 200.200.200.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 168.192.200.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
control-plane
banner login ^CThis device is property of FROGHOP and all activity is logged.^C
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.17
ntp server 192.189.54.33
ntp server 203.161.12.165
ntp server 130.102.2.123
end
Thanks in advance for any tips.
Regards,
John.
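The ACLs above are ordinary IOS named and numbered lists, and the ZBFW class-maps that reference them are only as good as the first ACE a flow hits: an entry such as `permit udp any eq domain any` matches traffic whose *source* port is 53 (DNS replies), not queries, and anything that falls off the end of a list meets the implicit deny. When a zone-pair does not behave as expected, it helps to evaluate the lists offline before re-reading the policy-maps. The following is an added example, not part of John's configuration or of any Cisco tool: a small Python evaluator with IOS first-match semantics. SAMPLE_CONFIG is copied from the lists posted above; the flows it is tested against, and the named-port table, are constructed for illustration. Access-list 100, judging by its entries (limited broadcast, 127/8 and the site's own prefixes), appears to be the usual anti-spoofing list, so a "permit" from it means "this source should never arrive from outside".

```python
"""Offline first-match evaluator for the IOS ACLs shown above (added example).

SAMPLE_CONFIG is copied from the posted configuration; every flow it is tested
against is constructed for illustration and is not from the thread.
"""
import ipaddress
import re

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "ssh": 22}  # assumed subset of IOS keywords
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre"}
ANY = (0, 0xFFFFFFFF)            # (network as int, wildcard mask as int)

SAMPLE_CONFIG = """
ip access-list extended PUSH-NOTIFICATIONS
remark CCP_ACL Category=1
permit tcp any any eq 5223
ip access-list extended SELF-DNS-IN
remark CCP_ACL Category=1
permit udp any eq domain any
ip access-list extended TRUSTED-HOSTS
remark CCP_ACL Category=128
permit ip host 230.211.70.35 any
permit ip host 230.211.70.60 any
access-list 1 permit 168.192.200.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 210.210.210.0 0.0.0.255 any
access-list 100 permit ip 200.200.200.0 0.0.0.255 any
"""

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _take_addr(toks, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _take_port(toks, i):
    """Consume an optional 'eq <port|name>' qualifier."""
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i

def _parse_ace(action, toks):
    if toks[0] in PROTOCOLS:          # extended: proto src [eq p] dst [eq p]
        proto, i = toks[0], 1
    else:                             # standard: source only
        proto, i = "ip", 0
    src, i = _take_addr(toks, i)
    sport, i = _take_port(toks, i)
    if i < len(toks) and toks[i] != "log":
        dst, i = _take_addr(toks, i)
        dport, i = _take_port(toks, i)
    else:
        dst, dport = ANY, None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def parse_acls(config_text):
    """Return {acl name or number: [ace, ...]} in configured order."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("remark"):
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(_parse_ace(m.group(2), m.group(3).split()))
            continue
        m = re.match(r"(permit|deny) (.+)$", line)
        if m and current is not None:
            current.append(_parse_ace(m.group(1), m.group(2).split()))
        else:
            current = None            # any other line ends the named ACL block
    return acls

def _addr_match(spec, ip):
    net, wild = spec                  # wildcard bit set = "don't care"
    return (_ip(ip) ^ net) & (~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching ACE wins; no match is the implicit deny at the end.
    Returns (action, 1-based ACE index) or ('deny', None)."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for name, proto, src, dst, sp, dp in [      # constructed flows
        ("SELF-DNS-IN", "udp", "8.8.8.8", "200.200.200.190", 53, 40000),
        ("SELF-DNS-IN", "udp", "8.8.8.8", "200.200.200.190", 40000, 53),
        ("TRUSTED-HOSTS", "tcp", "230.211.70.61", "200.200.200.1", 51000, 22),
        ("100", "tcp", "200.200.200.5", "1.2.3.4", 51000, 80),
    ]:
        print(name, proto, src, "->", dst, evaluate(acls[name], proto, src, dst, sp, dp))
```

The second SELF-DNS-IN flow (a query, destination port 53) falls to the implicit deny, which is the kind of mismatch that shows up as "unmatched traffic DROP/LOG" in a zone-pair; `evaluate` returns the ACE index so the offending entry can be found in the running config directly.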

Similar Messages

  • Load Balance guest Internet access via two different DMZ zones at two sites

    Hi Sir,
    My customer has the following unified wireless guest access requirement:
    - There are 2 internet links and dmz zones at two different locations, Site A and Site B
    - Data centre is at Site A
    - WiSM is proposed to be installed at the Cat 6500 in Site A
    - Lightweight AP are distributed across Site A, Site B and other branches
    - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
    My customer would like to load balance the guests via the two Internet links at Site A and Site B but with the same SSID across all locations. Can it be done since there is only one anchor at Site A? How about putting another anchor WLC at the Site B DMZ zone? But how can I establish two EoIP tunnels to two different anchor WLCs from a single WiSM?
    Thanks for your help
    Delon

    You can... but you can't control where the traffic will flow. The WLC will determine which DMZ WLC it will use. The WLC will load balance, but traffic in site A might go to site B. I currently have deployed that scenario in multiple client installations....

  • Accessing a oracle DB from web AS in a DMZ zone

    Hi all,
    I am using a Web Dynpro application where the backend is an Oracle system. This system is different from the server.
    Say the Web AS server is SYS1
    and the server which has Oracle is SYS2.
    I have created a DB in the Oracle DB of SYS2 and created a SID, user etc.
    When I connect to this DB from inside the network there is no problem in connecting. But I have a requirement where the Web AS server (SYS1) is placed outside the local network we are in, i.e. it is placed in a DMZ zone. Now when I run the application the data from the Oracle DB is not accessible. Are there any settings in Visual Admin which I should enable? (I have opened ports 1521 and 1527 also!)
    And one more point: I am not using a datasource. I am using EJB where I am directly using the DriverManager class with the system IP to connect to the Oracle system.
    How do I solve the problem?
    Regards
    Bharathwaj
    Message was edited by: Bharathwaj R

    Hi,
    Are you able to ping from SYS1 to SYS2?
    If yes then you will be able to access SYS2; otherwise seek help from the network administrator to do the settings at his end so that you can ping from SYS1 to SYS2, or make that machine Internet-enabled so that you can access it directly over the Internet.
    Alok Sahu

  • OSB doesn't work with DMZ zone

    Hello all,
    I have configured a DMZ zone at our network infra. But after that, our web service doesn't work.
    We have two IP addresses, which are public (x.x.x.x) and osb (y.y.y.y).
    This is my hosts config:
    127.0.0.1 localhost.localdomain localhost
    y.y.y.y     osb-domain    osb-domain.mn
    Our web service endpoint URL is:
    <WL5G3N0:service name="demoSOAPQSService">
    <WL5G3N0:port binding="WL5G3N1:demoSOAP" name="demoSOAPQSPort">
    <WL5G3N2:address location="http://osb-domain:7001/OSB_Project/demo/ProxyService/demo"/>
    </WL5G3N0:port>
    </WL5G3N0:service>
    I'm getting the following error:
    Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection refused: connect
         at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:138)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
         at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
         at com.sun.xml.ws.client.Stub.process(Stub.java:272)
         at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
         at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
         at $Proxy29.hello(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
         at $Proxy30.hello(Unknown Source)
         at a.RegisterUsersWSPortClient.main(RegisterUsersWSPortClient.java:13)
    Caused by: java.net.ConnectException: Connection refused: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
         at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
         at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
         at java.net.Socket.connect(Socket.java:529)
         at java.net.Socket.connect(Socket.java:478)
         at sun.net.NetworkClient.doConnect(NetworkClient.java:163)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
         at sun.net.www.http.HttpClient.<init>(HttpClient.java:233)
         at sun.net.www.http.HttpClient.New(HttpClient.java:306)
         at sun.net.www.http.HttpClient.New(HttpClient.java:323)
         at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
         at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
         at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:126)
         ... 20 more
    It works with the web service test of the OSB Console. But it's not working from the client application (x.x.x.x IP).
    It was working before DMZ configuration.
    Are there any other configurations required?
    BR,
    Eba

    Hi Eba,
    It's not clear from where you are trying to access OSB. I believe from outside the DMZ.
    First step, make sure that WebLogic is listening on your y.y.y.y address, and not only 127.0.0.1
    1) Run netstat -na | grep 7001
    You should see which IP addresses WebLogic bound on port 7001
    Hopefully you will see y.y.y.y
    Try to connect using telnet from the OSB server itself: telnet y.y.y.y 7001
    If that doesn't work, make sure that in the WebLogic server config, the listen address is either empty, or it has y.y.y.y (better to leave it empty).
    2) If you can connect from the local server to port 7001 using y.y.y.y address, then try to connect from your remote server
    If it fails, probably is config issue in the router/firewall
    Regards,
    Fabio
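    Fabio's checklist hinges on what the client actually saw: the stack trace ends in "Connection refused", which means a RST came back from the host, so routing to it worked and something on that host (or a firewall configured to reject rather than drop) declined the SYN. A silent drop by a firewall would normally surface as a timeout instead. The snippet below is an added illustration, not part of the thread and not touching osb-domain or port 7001: a Python probe that classifies a TCP connect attempt into open / refused / filtered / unreachable, demonstrated against a throwaway loopback listener whose address and port are constructed for the demo.

```python
"""Classify the outcome of a TCP connect (added example, not from the thread).

The thread's stack trace ends in "Connection refused"; that outcome is worth
telling apart from a timeout before blaming a firewall. This demo runs a
throwaway loopback listener and never touches osb-domain or port 7001.
"""
import errno
import socket

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port.

    refused   -> a RST came back: the host was reached, but nothing accepts on
                 that address:port (service down, bound only to another address
                 such as 127.0.0.1, or a firewall that rejects instead of drops)
    filtered  -> nothing came back before the timeout: usually a drop rule
                 somewhere on the path
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def start_listener(bind_addr="127.0.0.1", port=0):
    """Bind and listen on bind_addr (port 0 = pick a free one). No accept loop
    is needed: the kernel completes the handshake into the backlog.
    Returns (listening socket, port actually bound)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def demo():
    """Same host, same port: listener up gives 'open', listener gone gives
    'refused'. Constructed scenario; returns the pair of classifications."""
    srv, port = start_listener()
    up = probe("127.0.0.1", port)
    srv.close()
    down = probe("127.0.0.1", port)
    return up, down

if __name__ == "__main__":
    print(demo())          # expected: ('open', 'refused')
```

    The same `probe()` run from the client at x.x.x.x against y.y.y.y:7001 tells you which of Fabio's steps to pursue: "refused" points at the listen address or the service itself, "filtered" points at the router/firewall between the two.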

  • Moving SharePoint Form to another DMZ zone

    Hi,
    We have a SharePoint application deployed in a DMZ zone, so the entire farm (WFE, APP & DB server) is under the DMZ zone. However, for some reason the client is looking to move the entire farm to another DMZ zone. I would like to know what aspects we need to consider for this activity.
    Best Regards,
    Safder

    A few things come to mind:
    Active Directory location & firewall access
    Network Routing
    Reverse Proxies (if applicable)
    Network Load Balancers
    Server name / DNS / IP changes
    URL changes (if needed)
    Dimitri Ayrapetov (MCSE: SharePoint)

  • WLC sitting in a DMZ zone on an ASA

    I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID (customer's request). It's a layer 3 network and they suggested creating a DMZ zone off their ASA and connecting the WLC there; that way it's outside their network and can go straight to the Internet.
    I have never done this before... so does anyone know if this would work? Any config guides or explanations would be great.
    Thanks

    Oftentimes, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network and a guest WLAN tunnels to the external (DMZ) controller (which doesn't actually have any APs on it).
    If you have only one controller, then doing either the trunked VLAN, or port 2 straight to the DMZ, will work.
    I often see the guest in VLAN 10 (for example), and instead of VLAN 10 having a routed interface on the network, it is only layer 2, with a port in access VLAN 10 that connects to the DMZ of the firewall.

  • Setting multiple R12 iModules on same external tier which is in DMZ Zone

    Experts,
    Could someone guide me on how to set up more than one iModule on the same external tier which is in the DMZ zone.
    We have already set up iStore and it's working fine.
    Now we would like to extend it to other modules like iPayables, iReceivables and iRecruitment.
    Our current setup is:
    Whenever external users try to access iStore at https://iStore.domain.com, it reaches the F5 Load Balancer using SSL port 443.
    The LB has a redirection rule set up to http://hostname.internal.domain.com:8000; with the help of port 8000 the request reaches the External Web Tier in the DMZ zone and gets served.
    If we need to deploy/enable other iModules, how does the setup need to be done?
    We referred to Metalink Note 380490.1 for the iStore setup.
    Please advise as I am new to this external web tier setup.
    Regards,
    RR.

    > Yes, we have un-commented and written the rule as below for iStore as per the Metalink note.
    > RewriteRule ^/$ https://iStore.domain.com/OA_HTML/ibeCZzpHome.jsp [R,L]
    > However I am worried more about defining the routing rules in the reverse proxy:
    > as of now the F5 mapping has -- https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8000
    > Would it be fine if we write the mapping as https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8002
    > Apologies if my understanding is wrong; as mentioned, I am new to this external tier setup.
    > Regards,
    > RR.
    Hi,
    From your reverse proxy server setting it looks like you are planning on using the module name in the URL (i.e. https://iStore.domain.com:443). In my case what I did was use a more generic URL (e.g. https://sswa.domain.com, sswa meaning self service web apps); that way my URL was not dependent upon a particular module from the reverse proxy server. Since you mentioned a change of port from 8000 (port pool zero) to 8002 (port pool two): were you using port 8000 and are now planning on changing your port on the system where you were already running iStore, or is this for a non-production/test system?
    Hope this helps :-)
    Regards,

  • WAS or Dialog instance in DMZ zone

    Hello All,
    Please clarify for me by answering the following question.
    I have a plan to use the E-Recruiting functionality without a Portal system and have plans to use this functionality outside the intranet. (Note: not planned to move the back end system to the DMZ zone)
    So kindly advise me with your valuable points.
    The options which we have are:
    1. Installing a WAS 7.00 engine in the DMZ zone and using this ICM in the E-Recruiting system (back end) by changing the ICM host parameter
    2. Installing a Dialog Instance, and all E-Recruiting requests will be sent to the dialog instance, which will be placed in the DMZ zone.
    Will the above 2 options work out for my case? Looking for your suggestions
    Vijay

    hi,
    to install an application server in the DMZ, confirm that you will get port 445 open.
    TCP port 445 is required to access the sapmnt directory, which contains “SAP profiles”.
    or,
    alternatively you place an application server in the LAN which will communicate with the CI and a reverse proxy server (in the DMZ)
    request flow:
    Internet -> reverse proxy -> application server -> Database server.
    -gokul

  • DMZ Zone

    Hi ,
    I am using a Cisco ASA 5510 firewall in my network with inside and outside interfaces.
    There is a requirement for a DMZ zone for servers having public IP addresses. All the users sitting on the inside interface will access the servers, and from the Internet as well.
    Please advise the command. Enclosed is the ASA config.
    Regards,
    Saroj

    I'd use the ASDM, create a new IF with security level 50, after that create the objects and firewall rules (incl. NAT), that's all.

  • Dmz zone for pix525 not working

    Dear Guys
    I have a PIX 525 with inside, outside and dmz; from inside I can't access or ping the dmz zone. Please help me.
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 212.x.x.131 255.255.255.240 standby 212.x.x.132
    interface Ethernet1
    nameif dmz
    security-level 70
    ip address 10.80.64.254 255.255.252.0 standby 10.80.64.253
    interface GigabitEthernet0
    nameif inside
    security-level x
    ip address 10.80.56.254 255.255.252.0 standby 10.80.56.253

    You need to setup a translation between the interfaces. Does this help?
    static (inside,dmz) 10.80.56.0 10.80.56.0 netmask 255.255.252.0

  • ASA DMZ zone and Unix proxy server

    Hi.
    I have a router where all NAT translation is done. I have an ASA and a core switch.
    192.168.193.0/24 subnet: my users and some servers are located in this subnet. This subnet is created at the core switch.
    int vlan 393
    ip address 192.168.193.1 255.255.255.0
    The core switch is connected to the ASA inside interface. The ASA inside interface IP is 172.30.30.1 and on the core switch side this port is access vlan 8, which is
    int vlan 8
    ip address 172.30.30.2
    At the core switch I have a default route to the ASA.
    ip route 0.0.0.0 0.0.0.0 172.30.30.1
    and on the ASA side
    route inside 192.168.193.0 255.255.255.0 172.30.30.2
    All of them are OK.
    I think that is OK.
    At the ASA I have a DMZ zone with IP address:
    interface Ethernet0/1
    description connect to CoreSW
    nameif inside
    security-level 100
    ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
    interface Ethernet0/2
    description DMZ zone connect mail server
    nameif DMZ
    security-level 50
    ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
    My proxy server's inside interface is connected to the ASA DMZ zone with IP address 172.16.10.254, and its outside interface is connected to the ASA outside side, which means it is in the same subnet as the ASA outside interface, which is 10.0.0.254; and then for 10.0.0.254 I do static NAT at the router. I have no problem with NAT translation.
    I want my 192.168.193.0 subnet to pass through the proxy when this subnet wants to connect to the Internet.
    I wrote
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    and access-list
    access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
    access-group from_dmz_to_in in interface DMZ
    At this time what is up?
    The users cannot access the Internet, and what did I do? I wrote the proxy server inside IP and the default port 3128 in the users' Internet Explorer properties.
    Internet Explorer - Tools - Properties - Connection - LAN settings, and there I set 172.16.10.254 and port 3128.
    At this time my users can connect to the Internet when I write this. When I remove this they cannot connect to the Internet.
    But I do not want to write anything on my users' machines. How do I solve this?
    After that, one problem occurred.
    When my server does an nslookup it does not work.
    I think that is true because we have only one port, 3128, open and my server needs UDP 53, so it cannot work.
    How do I solve this issue?
    As you see my access-list is all open and I do
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    Is this a wrong proxy connection???
    Must I change the proxy server inside interface to another device or another ASA interface?
    Thanks.

    There are 2 ways the proxy server can work, i.e. either transparent or explicit proxy.
    From your explanation, explicit proxy works just fine when you configure the proxy settings on your browser.
    The reason why transparent proxy does not work is because:
    1) When the user browser connects to the Internet, the ASA default gateway is via the outside interface; that is why the Internet traffic is not being routed transparently towards your proxy server, which is connected to the DMZ interface.
    The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the Internet traffic towards the proxy server on the DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. The ASA does not support Policy Based Routing, nor does it support WCCP when the user and the proxy server are on different interfaces.
    2) Also need to find out if the proxy server itself supports transparent proxy.
    Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy?

  • Needing to create a DMZ zone/vlan on a small ASA.

    Hopefully an easy question as this is not my forte.
    I have a small ASA 5505 running 8.2(2).
    I have 2 vlans
    inside 192.168.58.0/24 – security level 25
    outside 25.65.25.134/30 – security level 0
    I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me.
    How do I set up a DMZ zone to account for this block when I am connecting over a /30 network?

    Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
    So you can then either allocate the public IPs to the actual machines in which case you need one IP for the DMZ interface on the ASA or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
    Up to you, but you don't need to assign any IP from the new block to an actual interface if you don't want to.
    Jon

  • Urgent: What ports should be required in DMZ zone?

    Hi,
    I am thinking the ports question might need to posted here. Please have a look on my posting in the following link:
    Urgent: What ports should be required in DMZ zone?
    Thanks and Regards,

    Thanks, Ravi.
    The environment I am working in now won't allow me to guess and test. We are on the project and submitting a change request would take very long. So I need to submit all necessary ports correctly at one time.
    Could anybody give me any suggestion? I read the TCP/IP Ports for SAP documentation, but I don't think it can answer my questions above.

  • Exchange servers in DMZ zone

    Is it right practice to put all Exchange 2010 role servers in the DMZ zone??
    Or do we need to place only the CAS server in the DMZ zone??

    Hello,
    It is required to place at least one writable Domain Controller with Global Catalog in every AD site where Exchange servers are going to be deployed.
    Hope it helps,
    Adam
    www.codetwo.com

  • XI in DMZ Zone

    Hi,
    Can we put the XI server in DMZ Zone? Thank you.
    Rgds,
    Hapizorr

    Hi Hapizorr,
    Proxies and application gateways are placed in the outer DMZ, providing access control between the Internet and internal networks. In an inner DMZ, an Integration Server is placed. It exchanges documents with external partners and the business system in the server LAN.
    Refer to the recommendations given in the SAP WAS Security Guide in the Web Infrastructure Concepts for SAP WAS for the protection of the Integration Server and the business systems.
    I hope this helps.
    Regards.
    Praveen
