Access to internal servers using public IP address
I have an ASA5540 on 8.2(5) and I am setting up a Guest Wireless network that is on the same interface as our corporate user network, but is completely segregated and uses Google Public DNS (8.8.8.8). I have this all set up, but the only thing I can't get is that users on this network cannot access our external facing DMZ web servers.
1) I have attempted to use DNS doctoring:
static (dmz,outside) external_ip internal_ip netmask 255.255.255.255 dns
(the rule was already in place, I just checked the dns box)
and when I do an nslookup, it does resolve the internal IP but the page won't load. If I type the internal IP into a browser, the page loads (I set up a rule to allow access from the guest network to the DMZ network).
2) I wrote 1:1 static nat rules going the other way:
static (outside,dmz) internal_ip external_ip netmask 255.255.255.255
and pages still could not load.
From what I have read, either of these solutions should work, but neither of them do. What am I missing from this setup?
I contacted Cisco Support and they helped me with this.
First, I needed to create a static NAT rule on the internal interface to DMZ for the Guest network:
static (internal,dmz) WiFi-Guest WiFi-Guest netmask 255.255.255.0
After that, I could add in another static NAT rule for my DMZ servers on the internal interface in addition to the existing rules on the external, i.e.
static (dmz,internal) external_ip internal_ip netmask 255.255.255.255
Once both of those were complete, the pages could load from the DMZ, but not from the rest of the Internal network
Similar Messages
-
Using one public IP for ssh'ing to different internal servers using port-redirections
Hi, we are having a requirement to use the same public IP to ssh into different internal servers using port re-direction. So let's say from outside, if a user does ssh root@4.4.4.4 2222, it should go to sshsrv1 and then ssh root@4.4.4.4 2223 to sshsrv2
My config is like this:-
object network sshsrv1
host 10.110.100.10
nat (inside,Outside) static 4.4.4.4 service tcp 22 2222
And then i allowed the object "sshsrv1" in my inbound acl from outside.
It doesn't seem to work. Is this doable?
Any suggestions??
Hi,
Would need to see your NAT configurations.
There is a possibility that you have a NAT configuration that might be preventing this from working. Then again you are using an extra public IP address for this so it seems strange.
Could you try the "packet-tracer" command
packet-tracer input outside tcp 12345 2222
This should tell us if there is some problem in the ASA configurations.
- Jouni -
Getting error while accessing a webpage by using link local address of ipv6
Hello,
I want to access my login.jsp by using ipv6 address.
when i am accessing my web page by using loop back or localhost6(like the following) it is working.
http://[::1]:8080/test/login.jsp //for loopback
http://localhost6:8080/test/login.jsp
But when i am accessing my webpage by using link local address as following i am not getting my web page.
http://[fe80::201:6cff:fe0f:d7ae%eth0]:8080/test
or
http://[fe80::201:6cff:fe0f:d7ae]:8080/test
For the above case are there any solutions?
Whatever I have mentioned these are correct. My IPv6 address is also correct. From browser only I am accessing.
Not a Java issue, then. Your problem I'm afraid.
But how do you know they're correct? Given that one of them isn't working, I'd triple check it if I were you. -
BPF Package Manager won't open in remote connection using Public IP address
I have a problem to open BPF package manager.
Im able to open bpf package manager in my server and to all local bpc users but on the remote connection (vpn/web) they couldn't open the bpf.
Our server uses an private Ip address which is 10.1.25.81 (local LAN) but we also access BPC remotely using an
Public IP address (202.129.238.46 or http://servername.example.com/osft ) using a configuration of IP Forwarding in our router.
example:
(LAN)
User 1 on System 1 - does the BPF work?yes
User 1 on System 2 - does the BPF work?yes
User 2 on System 1 - does the BPF work?yes
User 2 on System 2 - does the BPF work?yes
(WAN/VPN)
User 1 on System 1 - does the BPF work?no
User 1 on System 2 - does the BPF work?no
User 2 on System 1 - does the BPF work?no
User 2 on System 2 - does the BPF work?no
When you are performing installation of BPC or after if you are looking into Server Manager - Server Option you will see for application server, web server and reporting services server you have two fields where you can specify an internal and an external name. Example for application server:
Application Server name: FQDN (or IP)
External Application Name: FQDN (or IP)
Normally we recommend using FQDN (Fully qualified DNS name)
because if the DNS entry are set correct then you will be able to connect from internal and also from external without any problem.
The system will provide every time the correct IP.
In my opinion you used IP and the problem it is that internal the external IP is not recognized.
Please verify the configuration and provide more information about the landscape.
Only in this way will we be able to provide you the right suggestions to fix this issue.
Kind Regards
Sorin Radulescu -
Access Remote DB Object using Public DB Link in Application Express -HTMLDB
How to access and list remote database objects in HTMLDB - V2 (Application Express).
I can query using Public DB Link with SQL.
It is not possible. To create reports or forms on remote objects, create local views of the remote objects.
Mike -
Weird "relay access denied" error when using "%" in email address
Hi, I've written a solution that allows emails to be processed and redirected through my mail server. First, we receive mail at user%[email protected]. Then, we do some checks to make sure its legit, alter its content and re-send it to [email protected]. I posted another topic in this forum getting some advice as to how to build it, but it's all built and working well... or so I thought...
I initially had trouble with using the % symbol as the delimiter because of a default postfix behavior (postfix by default treats the % the way my custom application does, which of course can be dangerous). However, I added "allow_percent_hack = no" to main.cf and that seemed to allow postfix to not attempt to process it itself and let my application do the work.
However, if I now send mail now to my server (from another server) destined to user%[email protected], I (and my log) gets:
<user%[email protected]>: Relay access denied (in reply to RCPT TO command)
However, if I send to an address WITHOUT the %, like something [email protected], the whole thing works correctly.
HOWEVER, if I send messages WITH and WITHOUT the % from the command line while ON the server, I don't get these errors.
My main.cf has the following restriction(s):
smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/access,
permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender,
reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client relays.ordb.org,
permit
I'm assuming that permit_mynetworks is allowing this to work from my server's command line, and therefore I'm suspecting reject_unauth_destination is what's killing my ability to use the % symbol. As a test, I removed reject_unauth_destination temporarily and reloaded postfix. The next mail received triggered this error in the log:
Mar 16 12:24:28 server postfix/smtpd[1368]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Of course. I needed one of those directives. I didn't want reject, defer or defer_if_permit, and documentation on check_relay_domains was not available at http://www.postfix.org/postconf.5.html. However, I tried check_relay_domains, and it seemed to work as expected permitting my % emails and rejecting stuff it should, but of course the 'gotcha' was that postfix's log now reflected:
Mar 16 12:33:08 server postfix/smtpd[1579]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Mar 16 12:33:08 server postfix/smtpd[1579]: warning: restriction `reject_non_fqdn_sender' after `check_relay_domains' is ignored
So, can anyone recommend a way I can polish up my restrictions to allow these % addresses without opening myself up for anything dangerous?
Side question: I placed `reject_non_fqdn_sender' after reject_unauth_destination because I didn't want to bother checking the sender unless I confirmed the recipient was at my server. Does that comment that it doesn't work after check_relay_domains, mean that it also doesn't get processed after reject_unauth_destination?
MacBook Mac OS X (10.4.8)
However, I added "allow_percent_hack = no" to main.cf and that seemed to allow postfix to not attempt to process it itself and let my application do the work.
However, if I now send mail now to my server (from another server) destined to user%[email protected], I (and my log) gets:
Hardly ever had a need for this, but if I remember correctly you will need to set:
allow_untrusted_routing = yes
in main.cf
(No need for allow_percent_hack (I think))
or you could create a hash table before reject_unauth_destination to return OK based on your needed patterns.
I think the first method will work though.
Side question: I placed `reject_non_fqdn_sender' after reject_unauth_destination because I didn't want to bother checking the sender unless I confirmed the recipient was at my server. Does that comment that it doesn't work after check_relay_domains, mean that it also doesn't get processed after
check_relay_domains is deprecated
You can place reject_non_fqdn_sender anywhere you like or even omit it, but I don't see why you would have to. -
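The poster's real concern is accepting %-routed recipients without turning the gateway into an open relay. The following is an added example, not the poster's application and not Postfix code, of the application-side check that has to sit behind whichever Postfix restriction lets the address in: parse user%target@gateway, accept exactly one hop, and relay only to domains on an allow-list. The gateway domain, the allow-list and the sample addresses are assumptions constructed for illustration. Note that allow_untrusted_routing, as suggested in the reply, only forwards sender-routed mail to destinations matching relay_domains, so the allow-list below should agree with what Postfix is told to relay for.

```python
"""Application-side handling of user%target@gateway recipients.

Added example, not the poster's application or Postfix code.  The gateway domain and
the relay allow-list are assumptions; the sample addresses are constructed.
"""
import re

GATEWAY_DOMAIN = "example.com"                             # assumption: our own domain
ALLOWED_TARGETS = {"partner.example", "customer.example"}  # assumption: where we relay to

_LABEL = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"  # dotted domain, at least two labels
# Exactly one '%' hop.  '!', '@' and further '%' are excluded from every part, so
# multi-hop source routes such as a%b%c@gw never match.
ROUTED_RE = re.compile(rf"^(?P<user>[A-Za-z0-9._+-]+)%(?P<target>{_LABEL})@(?P<gateway>{_LABEL})$")


def rewrite_routed_address(addr, gateway=GATEWAY_DOMAIN, allowed=ALLOWED_TARGETS):
    """Return (new_recipient, reason).  new_recipient is None when the mail must be rejected.

    The allow-list is what stops the gateway from becoming an open relay once the
    '%' hop is accepted: only addresses routed to domains we agreed to relay for get through.
    """
    m = ROUTED_RE.match(addr.strip())
    if not m:
        return None, "not a single-hop %-routed address"
    if m["gateway"].lower() != gateway.lower():
        return None, "routed through a domain we do not own"
    target = m["target"].lower()
    if target not in {d.lower() for d in allowed}:
        return None, f"target domain {target} is not in the relay allow-list"
    return f"{m['user']}@{target}", "ok"


def triage(addresses):
    """Split a batch of RCPT TO addresses into rewritten deliveries and rejections."""
    accepted, rejected = {}, {}
    for a in addresses:
        new, why = rewrite_routed_address(a)
        (accepted if new else rejected)[a] = new or why
    return accepted, rejected


# Constructed sample input, not from the original post.
SAMPLE = [
    "alice%partner.example@example.com",               # legitimate single hop
    "Bob%Customer.Example@EXAMPLE.COM",                # case differences are fine
    "mallory%evil.example@example.com",                # target not on the allow-list
    "alice%partner.example%evil.example@example.com",  # multi-hop source route
    "alice%partner.example@other.example",             # someone else's gateway
    "carol@example.com",                               # ordinary local recipient
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    for a, new in ok.items():
        print(f"OK      {a} -> {new}")
    for a, why in bad.items():
        print(f"REJECT  {a}: {why}")
```

Ordinary local recipients (no %) are reported as rejected by this function only because it is the routed-address path; in the real application they would simply be handed to normal local delivery.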
International Travel Using Public WiFi and U.S. On...
I just installed Skype to use at public wifi's on a South America trip. I bought Skype credits, plan to use pay as you go, and set up a U.S online number. When I am in Ecuador as an example, I want to make calls to landlines back to the U.S., to other landlines and cells within country (Ecuador), and from Ecuador to landlines or cells in other South American countries.
Will my setup work for this? Will the rates be as if I'm in the U.S, and calling from the U.S. to Ecuador or the other countries?
Solved!
Go to Solution.
It doesn't matter which country you are calling from. The rates are based on the country you are calling to, so for example the rates for calling to the US are the same no matter where in the world you are calling from.
There are currently some promotional rates for our users in US and Canada for making international calls, these rates are available only in US or Canada, but generally it does not matter which country you are located in.
You can check the rates on the following page:
http://www.skype.com/intl/en/prices/payg-rates/
Simply enter the country you want to call to, and the rates will be displayed. -
Managing Bandwidth of Public IP'd servers using 5505's
Hi
Summary: How to limit bandwidth of servers with public IP addresses using 5505s?
Our datacenter is trying to manage its bandwidth using its current infrastructure: Cisco 6509 with L3 Supervisor card, 2950/2960s (L2) and 5505s. We have several contiguous class C IPv4 addresses allocated using different sized VLANs. Servers behind 5505s with private IP addresses have their bandwidth limited using class/policy map and police input / police output commands. We now want to use 5505s to limit the bandwidth of all servers with public IP addresses, i.e., put 5505s between the 6509 and the servers without changing the servers' current IP addresses. There is only an outside interface and a DMZ interface. No inside interface and no NATing. I hope you can help.
Infrastructure:
ISP -- 6509/Sup Card --- 2950/2960S - VLAN's -- 5505
-- VLAN's -- 5505.
6509 default route: set ip route 0.0.0.0/0.0.0.0 yyy.xxx.144.1
Requirements: 2 public ip addresses in the DMZ with bandwidth limited to 10Mb.
First question:
The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
6509 VLAN ip address: 200.200.200.0/24
outside interface ip address: 200.200.200.2/29
dmz interface ip address: 200.200.200.129/29
Second question. How is the default route configured for the DMZ? What is the next hop?
route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy <next hop>
Third question:
If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
200.200.200.0/22 - larger VLAN
200.200.200.0/30 - outside interface
200.200.200.0/28 - dmz
Fourth question:
To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One to one mapping. What would the ACL look like?
Any assistance in pointing me in the right direction is greatly appreciated.
All the best
Hello,
First question:
The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
6509 VLAN ip address: 200.200.200.0/24
outside interface ip address: 200.200.200.2/29
dmz interface ip address: 200.200.200.129/29
Yes, unless running on transparent Mode.
Second question. How is the default route configured for the DMZ? What is the next hop?
route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy
Do you reach the internet via the DMZ, if not why would you point the default route to the DMZ.
Third question:
If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
200.200.200.0/22 - larger VLAN
200.200.200.0/30 - outside interface
200.200.200.0/28 - dmz
No, they cannot overlap.
Fourth question:
To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One to one mapping. What would the ACL look like?
Yes, an ACL is required.
If your dmz host is 10.10.10.1 and you want to access it from any outside user TCP on port 80 (and if you are running 8.3 or higher) then
access-list out-in permit tcp any host 10.10.10.1 eq 80
access-group out-in in interface outside
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com -
Public ip address can't be used locally to access hosted websites
I have snow leopard server and I have successfully set up the server to be accessible via a public static ip address. Im hosting some test websites, and cannot access those sites locally using the public ip address, only using the private ip address. However, externally, I can access the sites using the public ip address.
In other words, while I'm at the office, I can only view the sites using the private ip address and not the public ip address. However, while I'm at home I can see the sites using the public ip address.
Why can't I access the public ip address locally?
I'm new to os x server ... New to any kind of server for that matter, so please keep explanations simple.
I'm at a serviced office, and the router here is not mine and I have no control over it. Some IT company manages it for the site, and they weren't very helpful. The basically told me there's nothing they can do and blamed Mac os x server - since they could just wash their hands of the matter since they don't deal with macs.
I was told by someone else, that this is common issue with some routers and that they could fix the issue on their end, but don't want to do it for what ever reason.
I could simply access the sites using the private ip address, but I'd rather use the public one as this is currently causing issues with some of the software we're using.
Any ideas how to resolve this?
The IT company (shock, horror) apparently doesn't understand IP routing, or didn't understand what you were asking. This case has nothing to do with Mac OS X nor Mac OS X Server, and everything to do with the capabilities of the gateway box.
I'm here going to refer to the firewall / gateway / router / DHCP server / box at the edge of your network as a gateway, because I really don't want to type all that stuff each time I describe this box. Your particular box might or might not be capable of all that.
Why? Likely because your particular gateway device is not capable of detecting and reflecting the connections back toward the target server.
IP routing. In small words.
If an IP address is within a range of IP addresses designated by the subnet mask, the packet goes directly to the target host.
If an IP address is not within that range, the packet is sent to the gateway.
The gateway will then send the packet to the next router on the way to the target. With a typical low cost firewall gateway box, that next router is likely the ISP's routers. With a somewhat higher-end box and with a smarter router within the gateway, the packets can go to other IP routers.
If the gateway is implemented for it, the gateway router's own address(es) will be recognized, and reflected back inwards. That means the address is public IP address on the way out, and is NAT'd when reflected, and sent back at the target host via whatever local processing rules or local port-forwarding rules might be defined and present within the gateway box.
Now what usually happens here (once you get the hang of setting up DNS services: http://labs.hoffmanlabs.com/node/1436) is called split-horizon DNS, and that's where your public DNS domain is also mostly-duplicated as one of the domains on your LAN and thus reachable in your LAN domain, and your local DNS server in your Mac OS X Server is then configured to return a private IP address (and one within the range of addresses defined by your IP subnet mask), and which entirely bypasses your gateway and allows the packet to go directly to the target box. Put another way, with split-horizon DNS, you insinuate your LAN DNS server into the network and configure it to pass out (or spoof) IP name-to-address translations for your public DNS names, and pass out local (direct, LAN, private) IP addresses.
The other option is to see if the IT company can switch the gateway box into what's usually called "bridged" mode, or swap in a box that acts as a bridge and not a router, and to install your own gateway behind it. Not all boxes permit that, but some do. -
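The first thread on this page (DNS doctoring on an ASA, then an extra static facing the internal interface) and this answer (split-horizon DNS) are three different ways of getting the same result: a client inside the network reaches a DMZ server it knows by its public name. The block below is an added example in plain Python that models each of them side by side; it is not ASA code or any DNS server's code. Interface names, the RFC 5737 documentation addresses, the internal networks and the rule layout are assumptions chosen for illustration.

```python
"""Three ways a LAN/guest client can reach a DMZ server it knows by public name.

Added example in plain Python; it models the behaviour discussed in the posts and is
not ASA code or any DNS server's code.  Interface names, addresses (RFC 5737
documentation ranges) and the rule layout are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    real_iface: str    # interface where the real (private) address lives, e.g. "dmz"
    mapped_iface: str  # interface on which the mapped (public) address is presented
    mapped: str        # public / mapped address
    real: str          # private / real address
    dns: bool = False  # rewrite A records in DNS replies that cross this rule


# Assumed rules: the usual (dmz,outside) static with DNS doctoring, plus the extra
# (dmz,internal) static that the first post ended up adding on Cisco's advice.
RULES = [
    StaticNat("dmz", "outside", "203.0.113.10", "10.10.20.10", dns=True),
    StaticNat("dmz", "internal", "203.0.113.10", "10.10.20.10"),
]

# Assumed split-horizon zone: name -> (record for internal clients, record for everyone else)
ZONE = {"www.example.com": ("10.10.20.10", "203.0.113.10")}
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24"),   # corporate LAN (assumed)
                 ipaddress.ip_network("10.10.30.0/24")]   # guest wireless (assumed)


def doctor_dns_answer(answer_ip, reply_ingress_iface, rules=RULES):
    """Option 1, DNS doctoring: a DNS reply arriving on the mapped-side interface whose
    A record equals the mapped address of a 'dns' static is rewritten to the real address.
    The client then connects to the private address, so it still needs an ACL to the DMZ."""
    for r in rules:
        if r.dns and r.mapped_iface == reply_ingress_iface and r.mapped == answer_ip:
            return r.real
    return answer_ip


def translate_destination(dst_ip, packet_ingress_iface, rules=RULES):
    """Option 2, a static facing the LAN: a packet entering on the mapped-side interface
    with the mapped address as destination is untranslated to the real address, so clients
    can use the public address directly without any DNS rewriting."""
    for r in rules:
        if r.mapped_iface == packet_ingress_iface and r.mapped == dst_ip:
            return r.real
    return dst_ip


def split_horizon_answer(name, client_ip, zone=ZONE, internal_nets=INTERNAL_NETS):
    """Option 3, split-horizon DNS: the same name answers with the private record for
    clients inside the listed networks and the public record for everyone else."""
    internal, external = zone[name]
    ip = ipaddress.ip_address(client_ip)
    return internal if any(ip in net for net in internal_nets) else external


if __name__ == "__main__":
    # Guest client resolves via 8.8.8.8; the reply enters on "outside" and is doctored.
    print(doctor_dns_answer("203.0.113.10", "outside"))          # 10.10.20.10
    # A client on "internal" uses the public address as-is; the LAN-facing static untranslates it.
    print(translate_destination("203.0.113.10", "internal"))     # 10.10.20.10
    # No such static on "dmz": the address is left alone.
    print(translate_destination("203.0.113.10", "dmz"))          # 203.0.113.10
    print(split_horizon_answer("www.example.com", "10.10.30.25"))   # 10.10.20.10
    print(split_horizon_answer("www.example.com", "198.51.100.7"))  # 203.0.113.10
```

The practical difference between the three: doctoring and split-horizon both hand the client a private address, so an interface ACL from the client's network to the DMZ is still required; the LAN-facing static leaves DNS alone and instead makes the public address itself routable from inside, which is the "NAT the server towards the LAN also" option mentioned further down this page.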
Configure WRT54G Wireless Router with PUBLIC IP address and use DHCP for internal computers
Hi, I have an Internet online service with 5 public IP addresses. The router and the AP are connected to a switch. I would like to configure a WRT54G wireless router with one of these public IP addresses and use DHCP (with private IP addresses) for the computers that will connect to the AP. As the AP is connected to the switch, is it possible that other wired computers that are connected to the same switch can obtain an IP address from the DHCP?
Thanks in advance
Thanks for your help. Please correct me if I'm wrong. After connecting the equipment the way you suggest:
I set up a static IP address (the public IP) in the WRT54G.
I enable DHCP in the WRT54G with a range from 10.10.0.100 to 10.10.0.200 (as an example).
The gateway is the public IP address, right? How do I route the 10.10.0.x addresses to the public IP address? Thanks again
-
Policy based NAT to share 1 public IP between two internal servers
Hello all,
I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of tcp ports.
I believe the below will address what I need however - can I use the ‘object-group’ command or do I need to specify each tcp port separately?
This?
object-group service A_Bunch_O_Ports tcp
description Telemesis comms to-From Internet
port-object eq https
port-object eq www
port-object eq 8060
port-object eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
Or this?
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
Do you need both inbound and outbound connection for the server, or only outbound connection?
If you only need outbound connection, then you don't even need to specify the port on the access-list. You can just configure the following:
nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255
However if you need both inbound and outbound connection for the server, then you should configure the following:
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255 -
Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)
I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN). I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)? Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
Notes:
- I'm using the ASDM but can use CLI if needed.
- All IP address are fictitious of course.
- I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
- My local LAN subnet is 10.10.10.0/24.
- My DMZ subnet for my servers is 10.10.20.0/24.
- I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
- I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.
Hi,
I am not sure if I understood you correctly.
Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
If so the basic NAT configuration format would be
object network SERVER-1
host 10.10.20.2
nat (DMZ,outside) static 2.2.2.2 dns
object network SERVER-2
host 10.10.20.3
nat (DMZ,outside) static 3.3.3.3 dns
The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
access-list OUTSIDE-IN remark Allow traffic to DMZ servers
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
access-group OUTSIDE-IN in interface outside
The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
Those are just simple examples.
Please let me know if I understood you incorrectly or if I missed something
- Jouni -
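The answer above pairs each object NAT with an ACL entry on the outside interface, and that pairing is exactly what tends to drift apart as a config grows: an ACL permit pointing at an object that has no NAT towards the bound interface (dead entry or missing NAT), or a "permit ip any any" that someone added while troubleshooting. The block below is an added example, not Cisco tooling and not part of the answer: a small checker that parses an ASA 8.3+ object-NAT plus ACL fragment and reports those two conditions. The config text inside it is constructed for illustration (the answer's two servers plus a third without a NAT and an over-broad line); object and interface names are assumptions.

```python
"""Sanity-check an ASA 8.3+ object-NAT plus ACL fragment before applying it.

Added example, not Cisco tooling.  The config text below is constructed for
illustration (it extends the answer's two servers with a third one and an
over-broad line); interface and object names are assumptions.
"""
import re

SAMPLE_CONFIG = """\
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
object network SERVER-2
 host 10.10.20.3
 nat (DMZ,outside) static 3.3.3.3 dns
object network SERVER-3
 host 10.10.20.4
access-list OUTSIDE-IN remark Allow traffic to DMZ servers
access-list OUTSIDE-IN extended permit tcp any object SERVER-1 eq www
access-list OUTSIDE-IN extended permit tcp any object SERVER-2 eq ftp
access-list OUTSIDE-IN extended permit tcp any object SERVER-3 eq 3389
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)( dns)?\s*$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)\s*$")


def parse_objects(text):
    """Map object name -> {'host': real address, 'nats': [{real_iface, mapped_iface, mapped, dns}]}."""
    objs, cur = {}, None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            cur = objs.setdefault(m.group(1), {"host": None, "nats": []})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # an unindented line ends the object block
            continue
        if (m := HOST_RE.match(line)):
            cur["host"] = m.group(1)
        elif (m := NAT_RE.match(line)):
            cur["nats"].append({"real_iface": m.group(1), "mapped_iface": m.group(2),
                                "mapped": m.group(3), "dns": m.group(4) is not None})
    return objs


def _endpoint(tok, i):
    """Consume one source/destination spec starting at tok[i]."""
    if tok[i] in ("any", "any4", "any6"):
        return ("any",), i + 1
    if tok[i] in ("host", "object", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2  # NETWORK MASK form


def _skip_port(tok, i):
    """Skip an optional source-port operator (eq/neq/gt/lt PORT or range LOW HIGH)."""
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        return i + 2
    if i < len(tok) and tok[i] == "range":
        return i + 3
    return i


def parse_acl(text):
    """Parse permit/deny entries; remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tok = rest.split()
        src, i = _endpoint(tok, 0)
        i = _skip_port(tok, i)
        dst, i = _endpoint(tok, i)
        port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
        entries.append({"acl": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": port})
    return entries


def parse_bindings(text):
    """Map ACL name -> interface it is applied to inbound."""
    return {m.group(1): m.group(2) for m in map(GROUP_RE.match, text.splitlines()) if m}


def lint(text):
    """Return human-readable findings for the fragment."""
    objs, bindings, findings = parse_objects(text), parse_bindings(text), []
    for e in parse_acl(text):
        if e["action"] != "permit":
            continue
        iface = bindings.get(e["acl"], "<unbound>")
        if e["src"] == ("any",) and e["dst"] == ("any",):
            findings.append(f"{e['acl']} on {iface}: 'permit {e['proto']} any any' is over-broad; "
                            f"it passes anything the NAT and route tables can deliver")
        if e["dst"][0] == "object":
            name = e["dst"][1]
            obj = objs.get(name)
            if obj is None:
                findings.append(f"{e['acl']}: references undefined object {name}")
            elif not any(n["mapped_iface"] == iface for n in obj["nats"]):
                findings.append(f"{e['acl']}: {name} ({obj['host']}) has no static NAT towards "
                                f"{iface}; either the NAT is missing or this entry is dead")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("-", f)
```

Run it over the output of `show running-config object network`, `show running-config access-list` and `show running-config access-group` pasted together; it only understands the single-host object form used in the answer, so subnet objects and object-groups appear as opaque names rather than being expanded.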
How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.
How To Using Two Different Public IP Address on My DMZ with ASA 5520
Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
Hi everyone out there.
can anyone please help me regarding this situation that I'm looking for a solution to
My old range of public IP addresses is finished, I mean (the 41.x.x.0 range)
So now I still need to have in my DMZ another two servers that will bring some new services.
Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public
IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range of 197.216.1.24/29
So my question is, in the real world (on the equipment) how can I use two different public IP addresses on the same DMZ
on Cisco ASA 5520 v8??
How should my configuration look?
I was told about implementing static NAT with sub-interfaces on both Router and ASA interface
Can someone please help me with a practical config sample? I can as well be reached at [email protected]
attached is my network diagram for a better understanding
I thank every body in advance
Jorge
Hi,
So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
Now you have gotten a new public IP address range from the ISP and want to get it into use.
How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
So you dont really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?
This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall
Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses?
This would require for you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses of course
Of the above ways
The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into problems with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also)
Hopefully the above was helpful. Naturally ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more
I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
- Jouni -
Can't Access Internal Servers From Behind An ASA 5505
Hi all.
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. https://citrixdr.xxx.co.uk) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through.
The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
My running configuration is below, if anyone could have a browse through it it would be much appreciated.
LM-DR-ASA5505# show run
: Saved
ASA Version 8.2(5)
hostname xxx
domain-name xxx.local
enable password 9tc.bMMQOdcEzWlK encrypted
passwd zh5kKKD1zRf47kwr encrypted
names
name 216.82.240.0 MLT1
name 67.219.240.0 MLT2
name 85.158.136.0 MLT3
name 95.131.104.0 MLT4
name 46.226.48.0 MLT5
name 117.120.16.0 MLT6
name 193.109.254.0 MLT7
name 194.106.220.0 MLT8
name 195.245.230.0 MLT9
name 103.3.96.0 MLT10
name xxx.xxx.xxx.xxx citrixdr.xxx.co.uk
name xxx.xxx.xxx.xxx maildr.xxx.co.uk
name xxx.xxx.xxx.xxx webmaildr.xxx.co.uk
name 192.168.4.23 LON-EXCH-03
name 192.168.4.30 Citrix-Access-Gateway
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group network VPN-REMOTE
network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
protocol-object ip
protocol-object icmp
protocol-object pim
protocol-object pcp
protocol-object snp
protocol-object udp
protocol-object igmp
protocol-object ipinip
protocol-object gre
protocol-object esp
protocol-object ah
protocol-object tcp
protocol-object eigrp
protocol-object ospf
protocol-object igrp
protocol-object nos
object-group service DM-INLINE-TCP-1 tcp
port-object eq https
port-object eq smtp
object-group service DM-INLINE-TCP-2 tcp
port-object eq www
port-object eq https
object-group network MESSAGE-LABS-TOWERS
network-object MLT1 255.255.240.0
network-object MLT2 255.255.240.0
network-object MLT3 255.255.248.0
network-object MLT4 255.255.248.0
network-object MLT5 255.255.248.0
network-object MLT6 255.255.248.0
network-object MLT7 255.255.254.0
network-object MLT8 255.255.254.0
network-object MLT9 255.255.254.0
network-object MLT10 255.255.252.0
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
access-list outside-access-in extended permit tcp any host maildr.xxx.co.uk object-group DM-INLINE-TCP-1
access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
access-list outside-access-in extended permit tcp object-group MESSAGE-LABS-TOWERS host LON-EXCH-03 eq smtp
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list testcap extended permit icmp host 192.168.1.11 host 192.168.4.1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
static (inside,outside) tcp webmaildr.xxx.co.uk https LON-EXCH-03 https netmask 255.255.255.255
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxx password LUZB8j2zj03xvSeF encrypted
username xxx password RxEDmrZ7KCRzPu4T encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
class-map inspection_default
policy-map global_policy
class inspection_default
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:61e54b16fb87f1e6fa3b8d520e87ddc0
: end
Hi Jouni, thanks for your response.
Turns out that the Citrix Access Gateway wasn't set up until yesterday evening and by then I had stopped trying for the day. It is now set up and external access is available.
Further to this, my colleague forgot to inform me of the change of I.P. address of the Exchange server. This meant that Webmail requests were pointing to an I.P. address that didn't exist.
I have reconfigured the firewall this morning and external access for Webmail is also working correctly.
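The configuration posted above is a useful thing to audit before trusting the fix: its inside-access-in ACL contains "permit ip any any", which makes the more specific entries around it redundant, and each "static (inside,outside)" line publishes an internal host on the outside interface. The following Python script is an added example, not code from this thread or from Cisco: it parses access-list, static and access-group lines in the 8.2 syntax shown here, flags permit-any-to-any entries, and for each outside-facing static lists the internal host it exposes and whether the inbound outside ACL permits it only through an any-destination entry. The sample configuration embedded in it is a constructed subset of the posted lines; the audit logic assumes pre-8.3 semantics, where the inbound ACL on the mapped interface matches the mapped (global) address.

```python
"""Offline audit of ASA 8.2-style access-list and static NAT lines.

Added example, not part of the thread. It reads configuration text in
the format posted above and reports which access control entries permit
any source to any destination, and which internal hosts the inbound
static NAT statements expose through the outside interface.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines from the posted configuration.
SAMPLE_CONFIG = """\
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
"""

# Port operators that may follow a source address, with the number of operands each takes.
PORT_OPERATORS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    mapped: str   # global address[:port] as seen from mapped_if
    real: str     # internal address[:port]


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any', 'host X', 'object-group G' or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_ace(line: str) -> Optional[Ace]:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    acl, action, i = t[1], t[3], 4
    if t[i] == "object-group":            # protocol or service group
        proto, i = f"object-group {t[i + 1]}", i + 2
    else:
        proto, i = t[i], i + 1
    src, i = _take_addr(t, i)
    if i < len(t) and t[i] in PORT_OPERATORS:   # optional source port qualifier
        i += 1 + PORT_OPERATORS[t[i]]
    if i >= len(t):
        return None
    dst, _ = _take_addr(t, i)
    return Ace(acl, action, proto, src, dst)


def parse_static(line: str) -> Optional[StaticNat]:
    m = re.match(r"static \((\S+),(\S+)\)\s+(.*)", line)
    if not m:
        return None
    real_if, mapped_if, rest = m.groups()
    t = rest.split()
    if t[0] in ("tcp", "udp"):   # port-level static: proto mapped_ip mapped_port real_ip real_port
        mapped, real = f"{t[1]}:{t[2]}", f"{t[3]}:{t[4]}"
    else:                        # one-to-one static: mapped_ip real_ip
        mapped, real = t[0], t[1]
    return StaticNat(real_if, mapped_if, mapped, real)


def audit(config_text: str) -> List[str]:
    aces: List[Ace] = []
    statics: List[StaticNat] = []
    bindings: Dict[str, str] = {}   # interface name -> inbound ACL name
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            ace = parse_ace(line)
            if ace:
                aces.append(ace)
        elif line.startswith("static "):
            st = parse_static(line)
            if st:
                statics.append(st)
        elif line.startswith("access-group "):
            t = line.split()         # access-group NAME in interface IFNAME
            bindings[t[4]] = t[1]

    findings: List[str] = []
    for a in aces:
        if a.action == "permit" and a.src == "any" and a.dst == "any":
            findings.append(f"{a.acl}: permits {a.proto} from any to any")

    # Pre-8.3 ASA: the inbound ACL on the mapped interface matches the
    # mapped (global) address, so compare against st.mapped, not st.real.
    outside_acl = bindings.get("outside")
    for st in statics:
        if st.mapped_if != "outside":
            continue
        mapped_host = st.mapped.split(":")[0]
        hits = [a for a in aces if a.acl == outside_acl and a.action == "permit"
                and a.dst in ("any", f"host {mapped_host}")]
        via_any = bool(hits) and all(a.dst == "any" for a in hits)
        status = ("reachable only via any-destination entry" if via_any
                  else "permitted" if hits else "no matching permit")
        findings.append(f"exposes {st.real} ({st.real_if}) as {st.mapped}: {status}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports the two any-to-any permits and shows that the SMTP static for LON-EXCH-03 is reachable from outside only because of the service-group any/any entry, not because of a deliberate per-host permit; that is the kind of gap worth closing before declaring the exposure intentional.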
-
Can't access webacc on server public ip address
This is new server with a fresh SLES11sp2 OES11sp1 install with GW2012 sp2.
All is working well except even a local workstation cannot access webacc using the server public ip. Server is behind a router. Makes no difference if firewalls are on or off. Same issue from a remote workstation on another network, i.e., cannot connect to webacc using the test server's public ip from a browser. Just one nic in the server and one private ip.
FYI, same issue exists for imanager, i.e., no public ip address access even from a local workstation, so I am thinking it may be a SLES network card configuration issue, but that's just because I seem to remember under Netware 6.5 I had to make some inetcfg configurations to relay through the router. Router is an older Linksys WRT610N as this is just a test system for the time being.
I started an SR and they couldn't suggest any fixes other than to tinker with the router. I have both the to default values and open in the router's port forwarding section.
Ideas? Including switching to a newer router (I'm trying to keep it under $300.00) if you have any suggestions. This server will be for no more than 10 workstations local (mixed wireless and wired) and/or remote workstations for very trusted users.
Help Mr. Wizard!!!
thanks.
johnb
On 10/04/2013 16:26, jbeuhler wrote:
> The sp2 is not a typo. I had a SR with a GW2012 sp1 problem during
> install, encountering a "line173 error" involving a python subdirectory,
> even using the --text switch. The engineer (the SR went up) gave me the
> link to try sp2. It installed okay, still a little glitch but I figured
> out how to get around the line 173 error by installing all of the GW
> products one after another without configuring in between product
> installs and then going back to do the product configurations, instead
> of install, configure, etc for each product. The SR said the line 173
> install error is a known error but not currently under review for a
> fix.
>
> If you would pass this post on the beta reporting or send me that
> direction I would appreciate it.
>
>
> I am assuming from your response that my problem is not a recognized
> problem?
I wouldn't assume that but since you're running software that's not
publicly released I'd go back to your SR/contact with this issue.
HTH.
Simon
Novell Knowledge Partner
Do you work with Novell technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.