4500 IOS-XE: Crash on ACL configuration

Hi All,
We have recently migrated from standalone to VSS on our C4500 switches with Sup 7-E.
But the switch crashes every time we edit or modify the ACL, with the below error message:
%SYS-3-BADBLOCK: Bad block pointer 
%SYS-6-MTRACE: mallocfree: addr, pc
%SYS-6-BLKINFO: Corrupted next pointer blk
%SYS-6-MEMDUMP: 0x7E043FF8
We noticed that there is a new bug for this issue, i.e.
CSCun33897 Symptom:
A Catalyst 4500 series switch running IOS-XE may unexpectedly reboot when ACL configuration is applied to an interface.
But there is no fix available yet.
Please let me know if anyone has had this kind of issue. Appreciate your suggestions and feedback on this issue.
Currently used image: cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
Thanks in advance.

It seems to closely match the bug you mentioned.
If you upload the crashinfo I can look at it and try to confirm.
Regards
Naveen
***rate if it is helpful***

Similar Messages

  • IMovie on iOS 8 crashes whenever I try to export the video project to iTunes

    I need to transfer several iMovie projects from iPad to iMac to free lots of disk space.
    But whenever I attempt to export an iMovie project to iTunes, the iMovie iOS app crashes.
    Is there any other way how to transfer the project file?

    I'm sorry, but it still doesn't work. I deleted all Apple software off my computer and redownloaded the latest version of iTunes, but when I tried to sign in I still got this error:
    Source: iTunes
    Summary: Stopped working
    Date: 1/11/2012 4:15 PM
    Status: Report sent
    Description
    Faulting Application Path:          C:\Program Files (x86)\iTunes\iTunes.exe
    Problem signature
    Problem Event Name:          BEX
    Application Name:          iTunes.exe
    Application Version:          10.5.2.11
    Application Timestamp:          4ee0844d
    Fault Module Name:          MSVCR80.dll
    Fault Module Version:          8.0.50727.6195
    Fault Module Timestamp:          4dcddbf3
    Exception Offset:          00026b72
    Exception Code:          c000000d
    Exception Data:          00000000
    OS Version:          6.1.7601.2.1.0.768.3
    Locale ID:          1033
    Additional Information 1:          efd8
    Additional Information 2:          efd88cbfd00a9ce0b0d647b39da62ec8
    Additional Information 3:          8aaa
    Additional Information 4:          8aaa4df80c1c69cc54d9f7ecd1699852
    Extra information about the problem
    Bucket ID:          2632024235
    Any suggestions?

  • Is it the new iPad Mini Retina or IOS 7 CRASHES CONSTANTLY

    Is it the new iPad Mini Retina or IOS 7 CRASHES CONSTANTLY
    I hate to, but I feel I am a guinea pig at 700.00 a crack 128gb mini.
    I have 4 of them and THEY ALL DO IT. I have restored, setup as new ipad but nothing works.
    Also, the colors on the new iPad mini seem dull and off. I have a plum colored car and it looks brown on the mini.
    Giving up...

    I bought an iPad Mini Retina earlier this week.
    Came back home, updated to iOS 7.0.4 and it crashed many times, while browsing settings but also some apps.
    I had it exchanged because of a yellow tint on the screen.
    Got a new one, under 7.0.3, also crashed several times, updated to 7.0.4, still crashing.
    Wondering if the new 64-bit processor has something to do with the code used for iOS.

  • Is anybody else having their Adobe AIR iOS app crash within the first second of opening it?

    Is anybody else having their Adobe AIR iOS app crash within the first second of opening it?
    I am using iPhone 6, iOS 8.1.3, with a development certificate.
    With Adobe AIR SDK 16.0.0.283 and now with 17.0.0.93, after compiling the app (whether in release mode or debug mode), before the app getTimer() can ever reach 999 milliseconds the app will crash. No matter what code I have, it is just crashing before the runtime can ever reach the first second.
    Anybody else having this kind of behavior?

    Chris,
    Thanks for your prompt reply. I have found the way to reproduce. It is about interfaces, and when I try to call a method through an interface the app crashes. I think that it is related to having an interface with many parameters. I have logged the bug here:
    Bug#3935199 - iOS App crashes when calling an objects method through interface

  • SLM2024 ACL configuration

    I have a question on how to set up an ACL configuration on the SLM2024. I originally got this switch to just be able to monitor network ups/downs on the ports, and this has worked great in diagnosing the problems I was having originally. Now, however, I have to set up something on here that I have never had to do, and am unsure how to do it.
    I have a computer that sends out a UDP broadcast that is causing our Xerox Phaser network printer to shut down if it sees the broadcast. The Phaser is designed in a way that if it sees something on the network it thinks is harmful it will shut itself off to protect itself, and on startup if it sees something harmful it will not start up; it will go into an infinite restart loop.
    After fully testing everything I can think of I got it down to a piece of software on the computer that sends the UDP broadcast. If this software is not running the printer works fine. Unfortunately the software needs to run 24/7, and we need to print.
    Both the computer and printer have static IP addresses, and basically all I want to do is set up an ACL (at least that's what others have told me) to block communication between those two IP addresses so that the printer won't see the UDP broadcast anymore.
    So my question is, would an ACL block that traffic? And if so, how do I set it up? I looked in the manuals that came with the switch, and I'm not really seeing any information on how to do it. If anyone can give me some insight into what I need to do I would greatly appreciate it.
    Thanks

  • Latest Revel IOS update crashes and won't install

    I have been using Revel v 2.3.1-548 on iPhone 5 and iPad 3 without any issues. An update was released today (29 June) and this won't install and crashes the app on both devices so I have had to go back to the old version. Anyone else having this problem?
    Steve

    Does not work in Norway!
    With kind regards
    Sincerely Yours,
    Knut E. Fagerholm
    [email protected]
    +47 928 86 407
    Sent from my iPad.
    On 1 July 2014 at 19:40, dkbrillhart <[email protected]> wrote:
    Thanks.  That worked to restore the previous version from iTunes backup.

  • IOS 6 Crashes after moving Icons

    Anyone else noticed that after dragging an app icon around various pages that IOS 6 crashes and reboots ?

    The problem is software related and has to do partially with a kernel panic and the way the CPU accesses the data. Some users have found that using reset all settings works, and some users are finding that only restoring their phone works to stop the phone from going into a springboard reboot loop. It is definitely something that Apple is well aware of and is trading out handsets that have these problems, even though it is not a hardware issue or defect that cannot be solved.
    Research I have done into this problem has shown that the problem is partially related to how much data the CPU is going through and how hot the device has become. If you are having any springboard boot related issues, take your phone out of its case and allow the phone to cool down to normal temperature (powering down is highly recommended, but some people cannot live without their phone being on) before you start to mess around with your phone again. The way that iOS 6 uses the Springboard is different than iOS 4 and partially different than 5, in that system messages and notifications were taken out of Springboard control and are part of their own processes. The GPU and CPU both have to render the moving of apps and incoming email, messages and any other notifications. Allowing your iPhone/iPad to cool down will do wonders for all of the Springboard related issues.

  • Application on iOS 6 crashes almost 30%...., Application on iOS 6 crashes. almost 30%....?

    After updating to iOS 6 crashes has increased significantly

    Many apps need to be updated to run well on iOS 6. I get a notice about an available update almost any day.
    But I've not really noticed too many crashes since updating to iOS 6, so I suspect that you are experiencing some unusual behavior.
    First thing to try is a reboot of your device. Press and hold the Home and Sleep buttons simultaneously, ignoring the red slider, until the Apple logo appears. Let go of the buttons and let the device restart. See if that fixes your problem.

  • Acl configuration

    Hello everyone,
    I have a doubt about the ACL configuration in my ASA.
    I have this ACL, which means that 10.10.11.2 can do www to the host 10.10.10.1:
    access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www
    and
    access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)
    which means that the host 10.10.10.1 can make www to the host 10.10.11.2.
    The host 10.10.10.1 can't do www to the host 10.10.11.2, but the host 10.10.11.2 can do, and the second ACL has hits.
    Is it right?
    Thanks.

    If you want to allow hosts 10.10.10.1 to hit 10.10.11.2 on www then you should change the syntax to:
    access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www
    Your original syntax:
    access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2
    By placing the "eq www" after the source IP, you are telling the ASA that the source port is 80/www. Instead, you want the destination port to be "80/www" and as a result, you need to place it after the destination IP.
    Also, you can always use the "packet-tracer" command to see exactly what is blocking your traffic :)
    Thank you for rating helpful posts!
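
The source-port versus destination-port distinction in the reply above, as an added example that is not part of the original posts: a small Python check that parses ASA `access-list ... extended` lines and reports permits that match only on the source port. The function names are illustrative, and the parser assumes the port operators `eq`/`neq`/`lt`/`gt`/`range` and treats an `object-group` that follows the source address as the destination network.

```python
"""Flag Cisco ASA extended ACEs that match on a source port only (added example)."""

# Port operators that may follow an address, with the number of arguments each takes.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}

# The three ACEs quoted in the thread (the second one is the misplaced "eq www").
SAMPLE_ACES = [
    "access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www",
    "access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)",
    "access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www",
]


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return (text, next_index)."""
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i], i + 1
    # "host A", "object N", "object-group N", "interface IF" and "network mask"
    # are all exactly two tokens long.
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i, allow_group=False):
    """Consume an optional port match at tokens[i]; return (match_or_None, next_index)."""
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op in PORT_OPS:
        end = i + 1 + PORT_OPS[op]
        return (op, *tokens[i + 1:end]), end
    # Assumption: a service object-group is only recognised after the destination,
    # because after the source it is ambiguous with a destination network group.
    if allow_group and op == "object-group" and i + 1 < len(tokens):
        return (op, tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one tcp/udp extended ACE into its fields, or return None if it is not one."""
    tokens = line.split()
    try:
        if tokens[0] != "access-list":
            return None
        i = 2                      # skip "access-list <name>"
        if tokens[i] == "line":    # "show access-list" output adds "line <n>"
            i += 2
        if tokens[i] != "extended":
            return None
        action, proto = tokens[i + 1], tokens[i + 2]
        if proto not in ("tcp", "udp"):
            return None            # port operators only apply to tcp/udp
        src, i = _take_address(tokens, i + 3)
        src_port, i = _take_port(tokens, i)
        dst, i = _take_address(tokens, i)
        dst_port, i = _take_port(tokens, i, allow_group=True)
    except IndexError:
        return None                # truncated or malformed line
    # Anything left over (hit counters, rule hashes, "log") is ignored.
    return {"acl": tokens[1], "action": action, "proto": proto,
            "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port}


def source_port_only_rules(lines):
    """Return parsed permits that constrain the source port but leave the
    destination port open, i.e. the pattern discussed in the thread."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace and ace["action"] == "permit" and ace["src_port"] and not ace["dst_port"]:
            findings.append(ace)
    return findings


if __name__ == "__main__":
    for ace in source_port_only_rules(SAMPLE_ACES):
        print(f"ACL {ace['acl']}: {ace['src']} source port {' '.join(ace['src_port'])} "
              f"-> {ace['dst']} (any destination port)")
```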

  • IOS 5.1 or iPhone Configuration Profile 3.5 for Windows has not fixed the issue with apply Proxy Settings

    iOS 5.1 or iPhone Configuration Profile 3.5 for Windows has not fixed the issue with applying Proxy Settings via a Configuration Profile. Has anyone else got the same issue? Have Mac users got this issue?

    This seems to be working for me now, but I will keep monitoring it the next couple of times I use it to make sure it's not a one-time thing.

  • I received a message that iOS had crashed and a number to call for restoration I paid 60$   Was I ripped off

    I received a message that iOS had crashed and a number to call for restoration I paid 60$   Was I ripped off

  • I have a message on my Ipad that my IOS has crashed due to a 3rd party. It gives a number to call for support. It has locked up my Safari. What can I do to get rid of it?

    I have a message on my iPad that states my iOS has crashed due to a 3rd party. It refers to my tablet as a phone (sorry, don't have an iPhone). It gives a number to call for support but I know it's a scam. Is there a solution to get rid of it, as it has locked up my Safari?

    1. Reset the iPad
       Press and hold the Sleep/Wake button on your iPad,
       simultaneously press and hold down the “Home” button until the screen turns off.
       Turn it back on.
    2. Clear information from your device
       iOS 7
       Tap  Settings > Safari > Clear History > Clear Cookies and Data.

  • SVG iOS browser crash

    For those that may be having trouble using large svg files, e.g. iOS browser crashes, it appears that despite the fact that this was believed to have been fixed in the 2014.1 update, Edge Animate may still be importing the files at 10x their original dimensions and then scaling them to 10% so that they appear normal. A 500px wide image for example would be imported at 5000px which is too large for iOS devices to cope with - it may load OK, but changing the orientation or pinch-zooming could cause the browser, or even the whole OS, to reboot.
    There is a simple solution fortunately: change the scale to 100% and change the dimensions to the correct pixel size.

    The crash isn't dependent on internet connection. It happens on either wifi or cellular. The internet connection is fine. The address bar squishes up into the area where the time/batt info is and the browser coughs up a fur ball - everything in the browser freezes, but it does not affect other operations of the phone. So it is browser specific. The issue has occurred when I access a web page that is bookmarked, and if I access a link through email. I haven't added any new apps or altered the phone in any way. Over the course of a year owning the phone, the only variable since the browser freeze has been updating the phone to the latest iOS.

  • ACL - configuration help

    Hello, I have a newly configured 5510 and would appreciate a look over of the configuration; I also have some questions. It's a long post and I appreciate anyone taking time to read through it.
    My goals are the following:
         To make the inside network 10.20.145.0 allow internet access, as long as the connection starts inside
         To allow the neighbor network that comes in through the outside interface, origin 170.20.0.0/16, access to the 10.20.145.0 (bidirectional)
         The tunnel from neighbor LAN to inside LAN happens through a VPN concentrator that has external ip address and 77.76.19.35
         Allow certain devices on the DMZ to access the internet and allow outside to inside connections on certain ports
    Many of the settings I have configured are coming from a Juniper that is currently online but needs to be replaced.
    The network is set up as below for a chart of traffic:
    ISP ---- Internet router ---- switch (3 active connections) 1. firewall  2. internet router   3. vpn concentrator
    There is an internal 3750 that I have configured with IP 10.20.145.15 since it comes up often.
    I'm using public IPs on the machines on the DMZ, though I'm thinking of changing that to an internal VLAN and then NATing it out. Well, here's what I have so far:
    =================================================================================================
    ASA Version 8.3(2)
    hostname ASA
    domain-name a.domain.com
    enable password l4Tu/tqHeN0MdD7t encrypted
    passwd dL9fmCBkHiwx4Iib encrypted
    names
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    interface GigabitEthernet1/0
    description outside-interface-connected-to-internet-switch
    speed 1000
    duplex full
    shutdown
    nameif outside
    security-level 0
    ip address 76.77.19.34 255.255.255.240
    interface GigabitEthernet1/1
    description inside-int-10.20.145-network
    speed 1000
    duplex full
    shutdown
    nameif inside
    security-level 100
    ip address 10.20.145.3 255.255.255.192
    interface GigabitEthernet1/2
    shutdown
    nameif DMZ
    security-level 50
    ip address 76.77.19.49 255.255.255.240
    interface GigabitEthernet1/3
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 76.77.6.11
    name-server 66.72.76.84
    name-server 4.2.2.1
    name-server 8.8.8.8
    domain-name a.domain.com
    object network Inside_lan
    subnet 10.20.145.0 255.255.255.0
    object network NET-neighbor
    subnet 170.20.0.0 255.255.0.0
    description neighbor_LAN 
    object network 76.77.19.44_cake
    host 76.77.19.44
    description cake 
    object network 76.77.19.59
    host 76.77.19.59
    description streaming 
    object network 76.77.19.61
    host 76.77.19.61
    description streaming 
    object network cindy
    host 50.56.249.224
    description cindy 
    object-group network internal-LAN
    network-object object Inside_lan
    object-group service 3306 tcp
    description 3306
    port-object eq 3306
    object-group service 4567 tcp
    description 4567
    port-object eq 4567
    object-group icmp-type ICM
    description ICM_basic
    icmp-object echo
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object traceroute
    icmp-object unreachable
    object-group service Retriever_SVC tcp
    description Retriever
    port-object range 8000 8001
    object-group service Production tcp
    description PM
    port-object range www www
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service Streaming tcp
    description streaming server
    port-object eq 7009
    object-group service UDP123 udp
    description 123
    port-object eq ntp
    object-group service affordable tcp
    description affordable legacy
    port-object eq 85
    object-group service market tcp
    description ports for market  dmz
    port-object eq 2189
    port-object eq 2190
    port-object eq 2192
    port-object eq 2194
    object-group service messenger tcp
    description air messenger
    port-object eq 444
    object-group service traffic-701 tcp
    description 701
    port-object eq 701
    object-group service ntp1 udp
    description ntp-udp-1
    group-object UDP123
    object-group service payroll tcp
    description payroll port
    port-object eq 714
    object-group service snmp-udp udp
    description snmp udp 1
    port-object eq snmp
    object-group service vitrol tcp
    description vitrol custom
    port-object eq 5986
    object-group service webconferrence tcp
    description webconference legacy port
    port-object eq 1417
    port-object eq 407
    object-group service webmail tcp
    description webmail ports
    port-object eq 2095
    object-group service INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq ftp-data
    object-group service INLINE_SERVICE_1
    service-object tcp
    service-object icmp echo-reply
    service-object icmp traceroute
    service-object icmp unreachable
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object udp destination eq echo
    service-object udp destination eq ntp
    service-object udp destination eq radius
    service-object udp destination eq radius-acct
    service-object udp destination eq syslog
    object-group network INLINE_NETWORK_1
    network-object host 76.57.19.53
    network-object host 255.255.255.255
    object-group service INLINE_TCP_2 tcp
    group-object Streaming
    group-object vitrol
    object-group service INLINE_SERVICE_2
    service-object ip
    service-object tcp
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq ssh
    access-list internet extended permit ip object Inside_lan interface outside
    access-list internet extended permit object-group DM_INLINE_SERVICE_1 object Inside_lan any
    access-list syndicaster extended permit tcp object Cindy object Inside_lan object-group INLINE_TCP_1
    access-list streaming extended permit tcp interface DMZ any object-group Streaming
    access-list streaming59 extended permit tcp object 76.77.19.59 interface outside object-group Streaming
    access-list streaming_outside_in extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
    access-list neighbor extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    access-group neighbor in interface outside
    access-group neighbor out interface inside
    route outside 0.0.0.0 0.0.0.0 76.77.19.33 1
    route inside 10.0.0.0 255.255.255.0 10.20.145.4 1
    route inside 10.0.1.0 255.255.255.0 10.20.145.2 1
    route inside 10.20.145.0 255.255.255.0 10.20.145.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 10.20.145.39 255.255.255.255 inside
    telnet timeout 5
    ssh 10.20.145.39 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 76.77.6.11 64.22.16.84
    dhcpd domain a domain
    dhcpd option 6 ip 4.2.2.1
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username joe password m6OO.pH/13qc7ypS encrypted privilege 15
    username bob password N./x1Ut.gM.QGZLa encrypted privilege 15
    username bill password uZjIWeHtovCOweHJ encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:06eb82d8d8a3ae82352512cd707e7f4a
    ========================================================================================================================================================
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list internet; 14 elements; name hash: 0xb30cf7fe
    access-list internet line 1 extended permit ip object Inside_lan interface outside 0xe073f975
      access-list internet line 1 extended permit ip 10.20.1450 255.255.255.0 interface outside (hitcnt=0) 0xe073f975
    access-list internet line 2 extended permit object-group INLINE_SERVICE_1 object Inside_lan any 0x2e33ca08
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any (hitcnt=0) 0xa576d14f
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any echo-reply (hitcnt=0) 0x15cccd5c
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any traceroute (hitcnt=0) 0x8aab2f53
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any unreachable (hitcnt=0) 0xe02606e1
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp (hitcnt=0) 0x6d0043b6
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp-data (hitcnt=0) 0xce904411
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq www (hitcnt=0) 0x1ddebc69
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq https (hitcnt=0) 0x1a3b15bc
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq echo (hitcnt=0) 0xadc66030
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq ntp (hitcnt=0) 0xa67a4406
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius (hitcnt=0) 0x230419e6
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius-acct (hitcnt=0) 0xa8ae0824
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq syslog (hitcnt=0) 0x051c7ef5
    access-list cindy; 2 elements; name hash: 0x807c55e5
    access-list cindy line 1 extended permit tcp object cindy object Inside_lan object-group DM_INLINE_TCP_1 0xe35e702c
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0x64b321cc
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x55109118
    access-list streaming; 1 elements; name hash: 0xfd34cf16
    access-list streaming line 1 extended permit tcp interface DMZ any object-group Streaming_custom 0x8b2e87d1
    access-list streaming line 1 extended permit tcp interface DMZ any eq 7009 (hitcnt=0) 0xb13a2776
    access-list streaming59; 1 elements; name hash: 0x959c1f3b
    access-list streaming59 line 1 extended permit tcp object 76.77.19.59 interface outside object-group Streaming_custom 0xc173840d
    access-list streaming59 line 1 extended permit tcp host 76.77.19.59 interface outside eq 7009 (hitcnt=0) 0x84cd9084
    access-list streaming_outside_in; 4 elements; name hash: 0x3f86c9d4
    access-list streaming_outside_in line 1 extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 7009 (hitcnt=0) 0x06c04720
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 5986 (hitcnt=0) 0x9ae9047e
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 7009 (hitcnt=0) 0x5e3553e8
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 5986 (hitcnt=0) 0x1f5d8fd9
    access-list neighbor; 7 elements; name hash: 0xc99eb2b4
    access-list neighbor line 1 extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan 0xc9688a21
      access-list neighbor line 1 extended permit ip 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0xe1e8b995
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0x462beedc
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0xf238c75e
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x266e675b
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq www (hitcnt=0) 0x8627ec0a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq https (hitcnt=0) 0x3cae424a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ssh (hitcnt=0) 0xcb6666b3

    Hi,
    For the Default Dynamic PAT rule that you are asking for the single "inside" network I would suggest the following
    First remove the current NAT configurations
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    Then reconfigure the NAT in the following way
    object-group network DEFAULT-PAT-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    This will create an "object-group" for the networks or hosts that should be PATed to the "outside" interface IP address when accessing the Internet. If you want more internal networks to get PATed the same way, you simply add the network under the "object-group" among the already existing "inside" network.
    The "after-auto" parameter also makes sure that this NAT rule doesn't override any other future rules. The parameter in question moves the NAT rule to the bottom of the NAT rules, so it's one of the last matched against when traffic arrives on the firewall from behind "inside".
    With regards to the neighbor network of 172.20.0.0/16, is this some network that is going to be behind a L2L VPN or is it simply almost directly behind the "outside" interface?
    In general the NAT format for this kind of NAT is
    object network NEIGHBOR
    subnet 172.20.0.0 255.255.0.0
    object-group network NEIGHBOR-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) source static NEIGHBOR-SOURCE NEIGHBOR-SOURCE destination static NEIGHBOR NEIGHBOR
    I basically use an "object network" to define the remote network and "object-group network" to define the source network for this NAT. I use "object-group" for the source again because it leaves us room to add more networks under it if needed. Notice that "object network" can only hold one subnet/range/host while "object-group network" can hold pretty much as many as you want.
    I think the ACL configurations will have to be looked through also.
    Notice that if you want to control traffic from behind "outside" for example, then you can only use 1 interface bound ACL to control that traffic. So every rule from "outside" to "inside" or to "dmz" has to be in the same ACL. Also this ACL would be attached to the "outside" interface in "in" direction. For example "access-group OUTSIDE-IN in interface outside"
    If we are talking about VPN connections configured directly to the ASA there are some other options compared to the above.
    But as I said it's better that your needs regarding the ACL rules are gone through more in depth to really know how we should configure them, as I am myself not sure what all the above ACLs are supposed to do.
    One final question for you. You have this network directly on the "inside" interface 10.20.145.3 255.255.255.192. But you also talk about it with mask /24. Is the ASA "inside" connected to some internal L3 device which hosts the rest of the segments of this whole /24 network, as currently the "inside" interface holds /26?
    Are ANY users/networks behind the ASA "inside" interface using the ASA directly as their gateway? I noticed that your setup would seem to have (as I mentioned in another thread to you) several devices connected by the same LAN network (Router,VPN,firewall). What I fear will happen is that IF any "inside" users use the ASA as their gateway and have to be routed back through the ASA "inside" interface to some other gateway, this will result in asymmetric routing, and the ASA doesn't really handle that kind of situation that well.
    - Jouni
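
The mask question raised at the end of the reply above (a /24 NAT source on an interface that holds a /26) can be checked mechanically. The following Python is an added example, not part of the original thread: it takes the interface address and NAT objects quoted in the reply, arranged here as a constructed config sample, and reports which part of each NAT source group is not directly connected to "inside" and therefore depends on an internal L3 hop. All function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample assembled from the values quoted in the reply above.
INSIDE_IF = "10.20.145.3 255.255.255.192"
CONFIG = """\
object-group network DEFAULT-PAT-SOURCE
 network-object 10.20.145.0 255.255.255.0
object network NEIGHBOR
 subnet 172.20.0.0 255.255.0.0
object-group network NEIGHBOR-SOURCE
 network-object 10.20.145.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
nat (inside,outside) source static NEIGHBOR-SOURCE NEIGHBOR-SOURCE destination static NEIGHBOR NEIGHBOR
"""

def parse_objects(config):
    """Return {name: [IPv4Network, ...]} for object / object-group network."""
    objects, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object(?:-group)? network (\S+)", line)
        body = re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line)
        if head:
            current = objects.setdefault(head.group(1), [])
        elif body and current is not None:
            current.append(ipaddress.ip_network("/".join(body.groups())))
    return objects

def nat_sources(config, ifname="inside"):
    """Names of the real-source objects in manual NAT rules from `ifname`."""
    rule = rf"nat \({ifname},\S+\) (?:after-auto )?source (?:dynamic|static) (\S+)"
    return re.findall(rule, config)

def coverage(interface, network):
    """Return (status, remainder); remainder is the part of `network` that is
    not directly connected and so needs a route via an internal L3 device."""
    connected = ipaddress.ip_interface(interface.replace(" ", "/")).network
    if network.subnet_of(connected):
        return "connected", []
    if connected.subnet_of(network):
        return "partial", sorted(network.address_exclude(connected))
    return "routed", [network]

def audit(interface, config):
    """Coverage of every network in every NAT source group behind inside."""
    objects = parse_objects(config)
    return {name: [coverage(interface, n) for n in objects.get(name, [])]
            for name in nat_sources(config)}

if __name__ == "__main__":
    for name, results in audit(INSIDE_IF, CONFIG).items():
        for status, rest in results:
            print(name, status, [str(r) for r in rest])
```

A "partial" result means hosts in the listed remainder reach the firewall only through another inside device, which is the situation in which the asymmetric-routing concern from the reply applies.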

  • 4500 series switches crashing when under load

    Dear support community,
    We are a small group of network managers and we recently came across a problem in our planned network upgrade considering the 4500 series switches. Six of these switches are configured as VSS redundancy resulting in 3 VSS units connected over double-link fiberoptic port-channels (1+1) building a ring topology.
    As soon as we put load (3,5Gbit/s) on one of the port-channels between two VSS, one unit (both main and stdby switches) crashes almost immediately and then reboots. This first happened a few weeks ago, yesterday when testing it happened again but on another VSS connected to the first one. I was able to recover the crashinfo files from both units, they are attached to this post as well as the show tech_support output from the one that crashed yesterday.
    Unfortunately we don't have the tools and knowledge for analyzing the files and we would appreciate your help. Thank you in advance.
    Max S.    

    Wow.  You're running a very old IOS.  
    If you need to stay with 3.4.X then go with 3.4.5, which is a maintenance release (fixes a few bugs).  Read the Release Notes for more information.
