Access to internal servers using public IP address

I have an ASA5540 on 8.2(5) and I am setting up a Guest Wireless network that is on the same interface as our corporate user network, but is completely segregated and uses Google Public DNS (8.8.8.8). I have this all set up, but the one thing I can't get working is that users on this network cannot access our external-facing DMZ web servers.
1) I have attempted to use DNS doctoring:
static (dmz,outside) external_ip internal_ip netmask 255.255.255.255 dns
(the rule was already in place, I just checked the dns box)
and when I do an nslookup, it does resolve the internal IP, but the page won't load. If I type the internal IP into a browser, the page loads (I set up a rule to allow access from the guest network to the DMZ network).
2) I wrote 1:1 static nat rules going the other way:
static (outside,dmz) internal_ip external_ip netmask 255.255.255.255
and pages still could not load.
From what I have read, either of these solutions should work, but neither of them do. What am I missing from this setup?

I contacted Cisco Support and they helped me with this.
First, I needed to create a static NAT rule on the internal interface to DMZ for the Guest network:
static (internal,dmz) WiFi-Guest WiFi-Guest netmask 255.255.255.0
After that, I could add another static NAT rule for my DMZ servers on the internal interface, in addition to the existing rules on the external, i.e.
static (dmz,internal) external_ip internal_ip netmask 255.255.255.255
Once both of those were complete, the pages could load from the DMZ, but not from the rest of the internal network.

Similar Messages

  • Using one public IP for ssh'ing to different internal servers using port redirection

    Hi, we have a requirement to use the same public IP to SSH into different internal servers using port redirection. So let's say from outside, if a user does ssh @ root 4.4.4.4 2222, it should go to sshsrv1, and then ssh @ root 4.4.4.4 2223 to sshsrv2
    My config is like this:-
    object network sshsrv1
    host 10.110.100.10
    nat (inside,Outside) static 4.4.4.4 service tcp 22 2222
    And then I allowed the object "sshsrv1" in my inbound ACL from outside.
    It doesn't seem to work. Is this doable?
    Any suggestions?

    Hi,
    Would need to see your NAT configurations.
    There is a possibility that you have a NAT configuration that might be preventing this from working. Then again you are using an extra public IP address for this so it seems strange.
    Could you try the "packet-tracer" command
    packet-tracer input outside tcp 12345 2222
    This should tell us if there is some problem in the ASA configurations.
    - Jouni

  • Getting error while accessing a webpage by using link local address of ipv6

    Hello,
    I want to access my login.jsp by using an IPv6 address.
    When I am accessing my web page by using loopback or localhost6 (like the following) it is working.
    http://[::1]:8080/test/login.jsp //for loopback
    http://localhost6:8080/test/login.jsp
    But when I am accessing my webpage by using the link-local address as follows, I am not getting my web page.
    http://[fe80::201:6cff:fe0f:d7ae%eth0]:8080/test
    or
    http://[fe80::201:6cff:fe0f:d7ae]:8080/test
    For the above case, is there any solution?

    Whatever I have mentioned, these are correct. My IPv6 address is also correct. I am accessing from the browser only.
    Not a Java issue, then. Your problem I'm afraid.
    But how do you know they're correct? Given that one of them isn't working, I'd triple check it if I were you.

  • BPF Package Manager won't open in remote connection using Public IP address

    I have a problem opening BPF Package Manager.
    I'm able to open BPF Package Manager on my server and for all local BPC users, but over the remote connection (VPN/web) they couldn't open BPF.
    Our server uses a private IP address, 10.1.25.81 (local LAN), but we also access BPC remotely using a public IP address (202.129.238.46 or http://servername.example.com/osft) using IP forwarding configured in our router.
    example:
    (LAN)
    User 1 on System 1 - does the BPF work?yes
    User 1 on System 2 - does the BPF work?yes
    User 2 on System 1 - does the BPF work?yes
    User 2 on System 2 - does the BPF work?yes
    (WAN/VPN)
    User 1 on System 1 - does the BPF work?no
    User 1 on System 2 - does the BPF work?no
    User 2 on System 1 - does the BPF work?no
    User 2 on System 2 - does the BPF work?no

    When you are performing the installation of BPC, or afterwards if you look into Server Manager - Server Option, you will see that for the application server, web server and reporting services server you have two fields where you can specify a name for internal and a name for external access. Example for application server:
    Application  Server name: FQDN (or IP)
    External Application Name: FQDN (or IP)
    Normally we recommend using an FQDN (fully qualified DNS name),
    because if the DNS entries are set correctly then you will be able to connect from internal and also from external without any problem.
    The system will provide the correct IP every time.
    In my opinion you used IPs, and the problem is that internally the external IP is not recognized.
    Please verify the configuration and provide more information about the landscape.
    Only in this way will we be able to provide you the right suggestions to fix this issue.
    Kind Regards
    Sorin Radulescu

  • Access Remote DB Object using Public DB Link in Application Express -HTMLDB

    How to access and list remote database objects in HTMLDB - V2 (Application Express).
    I can query using Public DB Link with SQL.

    It is not possible. To create reports or forms on remote objects, create local views of the remote objects.
    Mike

  • Weird "relay access denied" error when using "%" in email address

    Hi, I've written a solution that allows emails to be processed and redirected through my mail server. First, we receive mail at user%[email protected]. Then, we do some checks to make sure it's legit, alter its content and re-send it to [email protected]. I posted another topic in this forum getting some advice as to how to build it, but it's all built and working well... or so I thought...
    I initially had trouble with using the % symbol as the delimiter because of a default Postfix behavior (Postfix by default treats the % as my custom application does, which of course can be dangerous). However, I added "allow_percent_hack = no" to main.cf and that seemed to allow Postfix to not attempt to process it itself and let my application do the work.
    However, if I now send mail to my server (from another server) destined to user%[email protected], I (and my log) get:
    <user%[email protected]>: Relay access denied (in reply to RCPT TO command)
    However, if I send to an address WITHOUT the %, like something [email protected], the whole thing works correctly.
    HOWEVER, if I send messages WITH and WITHOUT the % from the command line while ON the server, I don't get these errors.
    My main.cf has the following restriction(s):
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/access,
    permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender,
    reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client relays.ordb.org,
    permit
    I'm assuming that permit_mynetworks is allowing this to work from my server's command line, and therefore I'm suspecting reject_unauth_destination is what's killing my ability to use the % symbol. As a test, I removed reject_unauth_destination temporarily and reloaded Postfix. The next mail received triggered this error in the log:
    Mar 16 12:24:28 server postfix/smtpd[1368]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
    Of course. I needed one of those directives. I didn't want reject, defer or defer_if_permit, and documentation on check_relay_domains was not available at http://www.postfix.org/postconf.5.html. However, I tried check_relay_domains, and it seemed to work as expected, permitting my % emails and rejecting stuff it should, but of course the 'gotcha' was that Postfix's log now reflected:
    Mar 16 12:33:08 server postfix/smtpd[1579]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
    Mar 16 12:33:08 server postfix/smtpd[1579]: warning: restriction `reject_non_fqdn_sender' after `check_relay_domains' is ignored
    So, can anyone recommend a way I can polish up my restrictions to allow these % addresses without opening myself up to anything dangerous?
    Side question: I placed `reject_non_fqdn_sender' after reject_unauth_destination because I didn't want to bother checking the sender unless I confirmed the recipient was at my server. Does that comment that it doesn't work after check_relay_domains mean that it also doesn't get processed after reject_unauth_destination?
    MacBook   Mac OS X (10.4.8)  

    However, I added "allow_percent_hack = no" to main.cf and that seemed to allow Postfix to not attempt to process it itself and let my application do the work.
    However, if I now send mail to my server (from another server) destined to user%[email protected], I (and my log) get:
    Hardly ever had a need for this, but if I remember correctly you will need to set:
    allow_untrusted_routing = yes
    in main.cf
    (No need for allow_percent_hack (I think))
    or you could create a hash table before reject_unauth_destination to return OK based on your needed patterns.
    I think the first method will work though.
    Side question: I placed `reject_non_fqdn_sender' after reject_unauth_destination because I didn't want to bother checking the sender unless I confirmed the recipient was at my server. Does that comment that it doesn't work after check_relay_domains, mean that it also doesn't get processed after
    check_relay_domains is deprecated
    You can place reject_non_fqdn_sender anywhere you like or even omit it, but I don't see why you would have to.
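The restriction-ordering point above, as an added example (my code, not from the thread or from Postfix): a simplified Python model of how smtpd_recipient_restrictions is walked. It reproduces the fatal error and the two warnings quoted in the question and shows that reject_non_fqdn_sender is still reached after reject_unauth_destination but never after check_relay_domains. The domains, client addresses and mynetworks value are constructed; table and DNSBL lookups are not modeled.

```python
"""Simplified model of how Postfix walks smtpd_recipient_restrictions.

Added example; not from the thread and not Postfix source. Restrictions are
tried left to right, each answering PERMIT, REJECT or DUNNO (no opinion); the
first PERMIT or REJECT decides and an exhausted list permits.
reject_unauth_destination says DUNNO for mail addressed to this server, so
later restrictions still run; the deprecated check_relay_domains always
decides, which is why Postfix warns that the entry after it is ignored.
Access maps, DNSBL and HELO lookups answer DUNNO here, subdomain matching is
ignored, and %-routing is out of scope. All domains/addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Relay-control restrictions named in the fatal error quoted in the thread;
# without one of them Postfix refuses to start smtpd.
ANTI_RELAY = {"check_relay_domains", "reject_unauth_destination",
              "reject", "defer", "defer_if_permit"}


@dataclass
class Session:
    client_ip: str
    sender: str     # MAIL FROM
    recipient: str  # RCPT TO


@dataclass
class Config:
    restrictions: list  # main.cf list, one entry per string
    mynetworks: list    # CIDR strings trusted by permit_mynetworks
    mydestination: set  # domains delivered locally
    relay_domains: set  # domains forwarded for


def lint(cfg):
    """Reproduce the startup fatal and the two check_relay_domains warnings."""
    names = [r.split()[0] for r in cfg.restrictions]
    if not ANTI_RELAY & set(names):
        raise ValueError(
            'fatal: parameter "smtpd_recipient_restrictions": specify at '
            'least one working instance of: ' + ", ".join(sorted(ANTI_RELAY)))
    warnings = []
    if "check_relay_domains" in names:
        warnings.append('warning: support for restriction "check_relay_domains" '
                        'will be removed from Postfix; use '
                        '"reject_unauth_destination" instead')
        idx = names.index("check_relay_domains")
        if idx + 1 < len(names):  # Postfix logs this when the entry is reached
            warnings.append("warning: restriction `%s' after "
                            "`check_relay_domains' is ignored" % names[idx + 1])
    return warnings


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _trusted(cfg, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
               for n in cfg.mynetworks)


def evaluate(cfg, s):
    """Return (decision, name of the restriction that decided)."""
    for entry in cfg.restrictions:
        name = entry.split()[0]
        status = DUNNO
        if name == "permit_mynetworks":
            status = PERMIT if _trusted(cfg, s.client_ip) else DUNNO
        elif name in ("reject_unauth_destination", "check_relay_domains"):
            ours = _domain(s.recipient) in (cfg.mydestination | cfg.relay_domains)
            if name == "reject_unauth_destination":
                status = DUNNO if ours else REJECT   # no opinion on our own mail
            else:
                status = PERMIT if ours else REJECT  # always decides
        elif name == "reject_non_fqdn_sender":
            status = REJECT if s.sender and "." not in _domain(s.sender) else DUNNO
        elif name == "reject_non_fqdn_recipient":
            status = REJECT if "." not in _domain(s.recipient) else DUNNO
        elif name == "permit":
            status = PERMIT
        # anything else (check_*_access, reject_rbl_client, HELO checks): the
        # lookup is not modeled and is treated as DUNNO
        if status != DUNNO:
            return status, name
    return PERMIT, "end of list"


# The poster's list as quoted in the thread (underscores restored).
OP_RESTRICTIONS = [
    "reject_non_fqdn_recipient", "check_recipient_access hash:/etc/postfix/access",
    "permit_mynetworks", "reject_unauth_destination", "reject_non_fqdn_sender",
    "reject_non_fqdn_hostname", "reject_invalid_hostname",
    "check_helo_access hash:/etc/postfix/helo_access",
    "reject_rbl_client zen.spamhaus.org", "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client relays.ordb.org", "permit",
]
CFG = Config(OP_RESTRICTIONS, ["127.0.0.0/8"], {"example.com"}, set())

# The poster's experiment: check_relay_domains in place of
# reject_unauth_destination, which produced the two warnings quoted above.
LEGACY_CFG = Config(
    [r if r != "reject_unauth_destination" else "check_relay_domains"
     for r in OP_RESTRICTIONS], ["127.0.0.0/8"], {"example.com"}, set())
```

A submission from 127.0.0.1 is permitted by permit_mynetworks before the destination is ever examined, which matches the poster's observation that sending from the server's own command line never hit the error.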

  • International Travel Using Public WiFi and U.S. On...

    I just installed Skype to use at public wifi's on a South America trip.  I bought Skype credits, plan to use pay as you go, and set up a U.S online number.  When I am in Ecuador as an example, I want to make calls to landlines back to the U.S., to other landlines and cells within country (Ecuador), and from Ecuador to landlines or cells in other South American countries.
    Will my setup work for this?  Will the rates be as if I'm in the U.S, and calling from the U.S. to Ecuador or the other countries?

    It doesn't matter which country you are calling from. The rates are based on the country you are calling to, so for example the rates for calling to the US are the same no matter where in the world you are calling from.
    There are currently some promotional rates for our users in US and Canada for making international calls, these rates are available only in US or Canada, but generally it does not matter which country you are located in.
    You can check the rates on the following page:
    http://www.skype.com/intl/en/prices/payg-rates/
    Simply enter the country you want to call to, and the rates will be displayed.

  • Managing Bandwidth of Public IP'd servers using 5505's

    Hi
    Summary: How to limit the bandwidth of servers with public IP addresses using 5505's?
    Our datacenter is trying to manage its bandwidth using its current infrastructure: Cisco 6509 with L3 Supervisor card, 2950/2960s (L2) and 5505's. We have several contiguous class C IPv4 addresses allocated using different sized VLANs. Servers behind 5505's with private IP addresses have their bandwidth limited using class/policy maps and police input / police output commands. We now want to use 5505's to limit the bandwidth of all servers with public IP addresses, i.e., put 5505's between the 6509 and the servers without changing the servers' current IP addresses. There is only an outside interface and a DMZ interface. No inside interface and no NATing. I hope you can help.
    Infrastructure:
    ISP  --  6509/Sup Card --- 2950/2960S -  VLAN's  -- 5505
                                       -- VLAN's -- 5505.
    6509 default route: set ip route 0.0.0.0/0.0.0.0         yyy.xxx.144.1
    Requirements: 2 public ip addresses in the DMZ with bandwidth limited to 10Mb.
    First question:
    The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
    6509 VLAN ip address:       200.200.200.0/24
    outside interface ip address: 200.200.200.2/29
    dmz interface ip address:    200.200.200.129/29
    Second question. How is the default route configured for the DMZ? What is the next hop?
    route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy <next hop>
    Third question:
    If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
    200.200.200.0/22 - larger VLAN
    200.200.200.0/30 - outside interface
    200.200.200.0/28 - dmz
    Fourth question:
    To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One-to-one mapping. What would the ACL look like?
    Any assistance in pointing me in the right direction is greatly appreciated.
    All the best

    Hello,
    First question:
    The outside and dmz interfaces have to be different subnets (VLAN's), correct? For example:
    6509 VLAN ip address:       200.200.200.0/24
    outside interface ip address: 200.200.200.2/29
    dmz interface ip address:    200.200.200.129/29
    Yes, unless running on transparent Mode.
    Second question. How is the default route configured for the DMZ? What is the next hop?
    route DMZ xxx.xxx.xxx.xxxx yyy.yyy.yyy.yyy
    Do you reach the internet via the DMZ, if not why would you point the default route to the DMZ.
    Third question:
    If two different subnets (vlan's) are required, can they be subnets of a larger VLAN?
    200.200.200.0/22 - larger VLAN
    200.200.200.0/30 - outside interface
    200.200.200.0/28 - dmz
    No, they cannot overlap.
    Fourth question:
    To access a higher security level from a lower security level you need ACLs. Which means that the outside interface will need two IP addresses mapped to two addresses in the DMZ. One-to-one mapping. What would the ACL look like?
    Yes, an ACL is required.
    IF your dmz host is 10.10.10.1 and you want to access it from any outside user TCP on port 80 ( and if you are running 8.3 or higher) then
    access-list out-in permit tcp any host 10.10.10.1 eq 80
    access-group out-in in interface outside
    Rate all of the helpful posts!!!
    Regards,
    Jcarvaja
    Follow me on http://laguiadelnetworking.com

  • Public ip address can't be used locally to access hosted websites

    I have Snow Leopard Server and I have successfully set up the server to be accessible via a public static IP address. I'm hosting some test websites, and cannot access those sites locally using the public IP address, only using the private IP address. However, externally, I can access the sites using the public IP address.
    In other words, while I'm at the office, I can only view the sites using the private IP address and not the public IP address. However, while I'm at home I can see the sites using the public IP address.
    Why can't I access the public IP address locally?
    I'm new to OS X Server... new to any kind of server for that matter, so please keep explanations simple.
    I'm at a serviced office, and the router here is not mine and I have no control over it. Some IT company manages it for the site, and they weren't very helpful. They basically told me there's nothing they can do and blamed Mac OS X Server, since they could just wash their hands of the matter as they don't deal with Macs.
    I was told by someone else that this is a common issue with some routers and that they could fix the issue on their end, but don't want to do it for whatever reason.
    I could simply access the sites using the private IP address, but I'd rather use the public one as this is currently causing issues with some of the software we're using.
    Any ideas how to resolve this?

    The IT company (shock, horror) apparently doesn't understand IP routing, or didn't understand what you were asking. This case has nothing to do with Mac OS X nor Mac OS X Server, and everything to do with the capabilities of the gateway box.
    I'm here going to refer to the firewall / gateway / router / DHCP server / box at the edge of your network as a gateway, because I really don't want to type all that stuff each time I describe this box. Your particular box might or might not be capable of all that.
    Why? Likely because your particular gateway device is not capable of detecting and reflecting the connections back toward the target server.
    IP routing. In small words.
    If an IP address is within a range of IP addresses designated by the subnet mask, the packet goes directly to the target host.
    If an IP address is not within that range, the packet is sent to the gateway.
    The gateway will then send the packet to the next router on the way to the target. With a typical low cost firewall gateway box, that next router is likely the ISP's routers. With a somewhat higher-end box and with a smarter router within the gateway, the packets can go to other IP routers.
    If the gateway is implemented for it, the gateway router's own address(es) will be recognized, and reflected back inwards. That means the address is a public IP address on the way out, and is NAT'd when reflected, and sent back at the target host via whatever local processing rules or local port-forwarding rules might be defined and present within the gateway box.
    Now what usually happens here (once you get the hang of setting up DNS services: http://labs.hoffmanlabs.com/node/1436) is called split-horizon DNS, and that's where your public DNS domain is also mostly-duplicated as one of the domains on your LAN and thus reachable in your LAN domain, and your local DNS server in your Mac OS X Server is then configured to return a private IP address (and one within the range of addresses defined by your IP subnet mask), which entirely bypasses your gateway and allows the packet to go directly to the target box. Put another way, with split-horizon DNS, you insinuate your LAN DNS server into the network and configure it to pass out (or spoof) IP name-to-address translations for your public DNS names, and pass out local (direct, LAN, private) IP addresses.
    The other option is to see if the IT company can switch the gateway box into what's usually called "bridged" mode, or swap in a box that acts as a bridge and not a router, and to install your own gateway behind it. Not all boxes permit that, but some do.
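The routing and split-horizon reasoning in the reply above, as an added example (my code, not the poster's or Apple's): a small Python model in which an office client and a home client resolve the site's name, and the gateway's ability to reflect its own public address back inside is a parameter. The subnet, the server's two addresses and the hostname are constructed.

```python
"""Model of the 'public IP not reachable from the office' failure.

Added example, not from the original post. It follows the reply's reasoning:
a client resolves the site's name, delivers directly if the answer lies in
its own subnet, and otherwise hands the packet to the gateway, which may or
may not reflect (hairpin) its own public address back to the port-forward
target. Addresses are constructed from the RFC 5737 / RFC 1918 ranges.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")              # office subnet
SERVER_PRIVATE_IP = ipaddress.ip_address("192.168.10.50")  # the Mac OS X Server
SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")    # gateway's public side
SITE = "www.example.com"

# Split-horizon zone data: one name, two answers. The external view is what
# the public DNS hands out; the internal view is what the LAN's own DNS
# server returns, and only to clients whose source address is inside LAN.
ZONE = {SITE: {"internal": SERVER_PRIVATE_IP, "external": SERVER_PUBLIC_IP}}


def resolve(name, client_ip, split_horizon):
    """A record the client receives. Without split horizon everyone,
    inside or outside, gets the public address."""
    views = ZONE[name]
    if split_horizon and ipaddress.ip_address(client_ip) in LAN:
        return views["internal"]
    return views["external"]


def next_hop(src_ip, dst_ip):
    """Routing 'in small words': a destination inside the source's own
    subnet is delivered directly, anything else goes to the gateway."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return "direct" if (src in LAN and dst in LAN) else "gateway"


def connect(client_ip, split_horizon, gateway_reflects):
    """Trace one connection to SITE and report how (or whether) it arrives."""
    dst = resolve(SITE, client_ip, split_horizon)
    if next_hop(client_ip, dst) == "direct":
        return "ok: delivered directly on the LAN to %s" % dst
    if ipaddress.ip_address(client_ip) not in LAN:
        # From home the packet reaches the public address through the ISP
        # and the gateway's inbound port-forward, which the post says works.
        return "ok: reached %s via ISP and port-forward" % dst
    if gateway_reflects:
        # A gateway that recognises its own public address arriving from
        # the inside NATs the packet back to the forwarded host.
        return "ok: gateway hairpinned %s back to %s" % (dst, SERVER_PRIVATE_IP)
    # The post's case: the low-end gateway forwards the packet upstream and
    # the browser eventually times out.
    return "fail: gateway sent %s upstream; no reflection" % dst


if __name__ == "__main__":
    office, home = "192.168.10.77", "198.51.100.5"
    print("office, public DNS, no hairpin:", connect(office, False, False))
    print("office, public DNS, hairpin   :", connect(office, False, True))
    print("office, split-horizon DNS     :", connect(office, True, False))
    print("home, public DNS              :", connect(home, False, False))
```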

  • Configure WRT54G Wireless Router with PUBLIC IP address and use DHCP for internal computers

    Hi, I have an Internet online service with 5 public IP addresses. The router and the AP are connected to a switch. I would like to configure a WRT54G wireless router with one of these public IP addresses and use DHCP (with private IP addresses) for the computers that will connect to the AP. As the AP is connected to the switch, is it possible that other wired computers connected to the same switch can obtain an IP address from the DHCP?
    Thanks in advance

    Thanks for your help. Please correct me if I'm wrong. After connecting the equipment the way you suggest, I set up a static IP address (the public IP) in the WRT54G. I enable DHCP in the WRT54G with a range from 10.10.0.100 to 10.10.0.200 (as an example). The gateway is the public IP address, right? How do I route the 10.10.0.x addresses to the public IP address? Thanks again

  • Policy based NAT to share one public IP between two internal servers

    Hello all,
    I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of tcp ports.
    I believe the below will address what I need however - can I use the ‘object-group’ command or do I need to specify each tcp port separately?
    This?
    object-group service A_Bunch_O_Ports tcp
    description Telemesis comms to-From Internet
    port-object eq https
    port-object eq www
    port-object eq 8060
    port-object eq 8070
    access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
    access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
    nat (inside) 3 access-list policyNAT-share
    global (outside) 3 1.2.3.4 netmask 255.255.255.255
    Or this?
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
    access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
    nat (inside) 3 access-list policyNAT-share
    global (outside) 3 1.2.3.4 netmask 255.255.255.255

    Do you need both inbound and outbound connection for the server, or only outbound connection?
    If you only need outbound connection, then you don't even need to specify the port on the access-list. You can just configure the following:
    nat (inside) 3 172.20.40.100 255.255.255.255
    nat (inside) 3 172.20.40.200 255.255.255.255
    global (outside) 3 1.2.3.4 netmask 255.255.255.255
    However if you need both inbound and outbound connection for the server, then you should configure the following:
    static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP addresses are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something.
    - Jouni

  • How Can I Use Two Different Public IP Addresses on my DMZ with ASA Firewall.

    How To Using Two Different Public IP Address on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation that I'm looking for a solution for?
    My old range of public IP addresses is finished, I mean (the 41.x.x.0 range)
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with sub-interfaces on both the router and the ASA interface.
    Can someone please give me a hand with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance
    Jorge

    Hi,
    So looking at your picture, you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (as seems to be the case for the current server)?
    To get the routing working, naturally the only thing needed between your Router and Firewall would be a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could be handled with either static routing or dynamic routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range, AND then configure the LAN devices correspondingly to the method chosen on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would only require you to start configuring static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration, other than for the different IP addresses of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into the DNS problem I referred to above, as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at the earliest.
    - Jouni

  • Can't Access Internal Servers From Behind An ASA 5505

    Hi all.
    I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. https://citrixdr.xxx.co.uk) I do not arrive at the splash page, I just get a message in the web browser saying that the server took too long to respond. I'm wondering whether I have missed something in the configuration or the firewall itself is not letting my requests through.
    The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
    My running configuration is below, if anyone could have a browse through it it would be much appreciated.
    LM-DR-ASA5505# show run
    : Saved
    ASA Version 8.2(5)
    hostname xxx
    domain-name xxx.local
    enable password 9tc.bMMQOdcEzWlK encrypted
    passwd zh5kKKD1zRf47kwr encrypted
    names
    name 216.82.240.0 MLT1
    name 67.219.240.0 MLT2
    name 85.158.136.0 MLT3
    name 95.131.104.0 MLT4
    name 46.226.48.0 MLT5
    name 117.120.16.0 MLT6
    name 193.109.254.0 MLT7
    name 194.106.220.0 MLT8
    name 195.245.230.0 MLT9
    name 103.3.96.0 MLT10
    name xxx.xxx.xxx.xxx citrixdr.xxx.co.uk
    name xxx.xxx.xxx.xxx maildr.xxx.co.uk
    name xxx.xxx.xxx.xxx webmaildr.xxx.co.uk
    name 192.168.4.23 LON-EXCH-03
    name 192.168.4.30 Citrix-Access-Gateway
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.4.254 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address xxx.xxx.xxx.xxx 255.255.255.248
    ftp mode passive
    dns server-group DefaultDNS
     domain-name xxx.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM-INLINE-SERVICE
     service-object icmp
     service-object tcp eq www
     service-object tcp eq https
    object-group network VPN-REMOTE
     network-object 192.168.1.0 255.255.255.0
    object-group protocol PROTOCOL-LIST
     protocol-object ip
     protocol-object icmp
     protocol-object pim
     protocol-object pcp
     protocol-object snp
     protocol-object udp
     protocol-object igmp
     protocol-object ipinip
     protocol-object gre
     protocol-object esp
     protocol-object ah
     protocol-object tcp
     protocol-object eigrp
     protocol-object ospf
     protocol-object igrp
     protocol-object nos
    object-group service DM-INLINE-TCP-1 tcp
     port-object eq https
     port-object eq smtp
    object-group service DM-INLINE-TCP-2 tcp
     port-object eq www
     port-object eq https
    object-group network MESSAGE-LABS-TOWERS
     network-object MLT1 255.255.240.0
     network-object MLT2 255.255.240.0
     network-object MLT3 255.255.248.0
     network-object MLT4 255.255.248.0
     network-object MLT5 255.255.248.0
     network-object MLT6 255.255.248.0
     network-object MLT7 255.255.254.0
     network-object MLT8 255.255.254.0
     network-object MLT9 255.255.254.0
     network-object MLT10 255.255.252.0
    access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside-access-in extended permit ip any any
    access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
    access-list inside-access-in extended permit icmp any any
    access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
    access-list outside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside-access-in extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
    access-list outside-access-in extended permit tcp any host maildr.xxx.co.uk object-group DM-INLINE-TCP-1
    access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
    access-list outside-access-in extended permit tcp object-group MESSAGE-LABS-TOWERS host LON-EXCH-03 eq smtp
    access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
    access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list testcap extended permit icmp host 192.168.1.11 host 192.168.4.1
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside-nat0-outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
    static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
    static (inside,outside) tcp webmaildr.xxx.co.uk https LON-EXCH-03 https netmask 255.255.255.255
    access-group inside-access-in in interface inside
    access-group outside-access-in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http xxx.xxx.xxx.xxx 255.255.255.255 outside
    http 192.168.4.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside-map 1 match address outside-1-cryptomap
    crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
    crypto map outside-map 1 set transform-set ESP-3DES-SHA
    crypto map outside-map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.4.0 255.255.255.0 inside
    telnet 0.0.0.0 0.0.0.0 inside
    telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.4.0 255.255.255.0 inside
    ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
    ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
    ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username xxx password LUZB8j2zj03xvSeF encrypted
    username xxx password RxEDmrZ7KCRzPu4T encrypted
    tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
    tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
     pre-shared-key *****
    class-map inspection_default
    policy-map global_policy
     class inspection_default
      inspect icmp
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:61e54b16fb87f1e6fa3b8d520e87ddc0
    : end

    Hi Jouni, thanks for your response.
    Turns out that the Citrix Access Gateway wasn't set up until yesterday evening and by then I had stopped trying for the day. It is now set up and external access is available.
    Further to this, my colleague forgot to inform me of the change of I.P. address of the Exchange server. This meant that Webmail requests were pointing to an I.P. address that didn't exist.
    I have reconfigured the firewall this morning and external access for Webmail is also working correctly.
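    The running configuration posted above is pre-8.3 syntax. Two properties of that syntax decide whether a port redirection like the citrixdr/maildr/webmaildr statics is actually reachable: the ACL applied inbound on the outside interface is evaluated against the mapped (public) address of a static, not the inside address, and a "permit ... any any" entry near the top of that ACL makes every narrower entry after it unreachable, so services stay open only as long as that broad line survives. The following is an added example, not code from the original post and not a Cisco tool: a small Python linter for the subset of ASA 8.2 syntax the posted config uses (name, object-group members, extended ACLs, access-group, and "static (inside,outside) tcp" port redirections). For the ACL bound to outside it reports any-to-any permits, ACEs whose destination is the inside side of a static, and a first-match verdict for each port redirection from an arbitrary source. SAMPLE is a constructed config with documentation addresses, shaped like the posted one but with the webmail static (203.0.113.12) deliberately left without an ACE of its own; PORTS covers only the service names the sample uses.

```python
import ipaddress
PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}   # service names the sample uses
port_num = lambda p: PORTS.get(p, int(p) if p.isdigit() else None)   # noqa: E731

def addr(t, i):
    """Consume one address spec at t[i]: any | host X | object-group G | X MASK."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "object-group"):
        return ("host" if t[i] == "host" else "og", t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2

def ports(t, i, groups):
    """Consume an optional port spec at t[i]: eq/gt/lt/neq N | object-group <service group>."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], port_num(t[i + 1])), i + 2
    if i + 1 < len(t) and t[i] == "object-group" and groups.get(t[i + 1], {}).get("kind") == "service":
        return ("og", t[i + 1]), i + 2
    return None, i

def ace(t, groups):
    """Tokens after permit/deny -> protocol, source, destination, destination port (source port is skipped)."""
    proto, i = (("og", t[1]), 2) if t[0] == "object-group" else ((t[0],), 1)
    src, i = addr(t, i)
    dst, i = addr(t, ports(t, i, groups)[1])
    return {"proto": proto, "src": src, "dst": dst, "dport": ports(t, i, groups)[0]}

def parse(text):
    cfg, group = {"names": {}, "groups": {}, "acl": {}, "bind": {}, "statics": []}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "name":                                   # name <ip> <label>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "object-group":                         # object-group <kind> <name> [tcp|udp]
            group = cfg["groups"][t[2]] = {"kind": t[1], "members": []}
        elif t[0] in ("network-object", "port-object", "service-object", "protocol-object"):
            group["members"].append(t[1:])
        elif t[0] == "access-list" and t[2] == "extended":   # access-list <acl> extended permit|deny ...
            cfg["acl"].setdefault(t[1], []).append((t[3], ace(t[4:], cfg["groups"])))
        elif t[0] == "access-group":                         # access-group <acl> in interface <iface>
            cfg["bind"][t[4]] = t[1]
        elif t[0] == "static" and t[2] == "tcp":             # static (real,mapped) tcp <pub> <port> <priv> <port> ...
            cfg["statics"].append((t[1], t[3], port_num(t[4]), t[5], port_num(t[6])))
    return cfg

def addr_hits(a, ip, cfg):
    """Does address spec a cover ip?  Labels defined with 'name' are resolved on both sides."""
    n, ip = cfg["names"], cfg["names"].get(ip, ip)
    if a[0] == "any":
        return True
    if a[0] == "host":
        return n.get(a[1], a[1]) == ip
    if a[0] == "og":
        return any(addr_hits(addr(m, 0)[0], ip, cfg) for m in cfg["groups"][a[1]]["members"])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{n.get(a[1], a[1])}/{a[2]}", strict=False)

def port_hits(p, port, cfg):
    """Does port spec p (None = all ports) cover tcp port number `port`?"""
    if p is not None and p[0] == "og":
        return any(port_hits(ports(m, 0, cfg["groups"])[0], port, cfg) for m in cfg["groups"][p[1]]["members"])
    return p is None or (p[1] is not None and {"eq": port == p[1], "gt": port > p[1], "lt": port < p[1], "neq": port != p[1]}[p[0]])

def ace_reaches(a, ip, port, cfg):
    """Does ACE a cover tcp from an arbitrary source to ip:port?  Protocol/service groups are expanded."""
    if a["src"][0] != "any" or not (addr_hits(a["dst"], ip, cfg) and port_hits(a["dport"], port, cfg)):
        return False
    if a["proto"][0] == "og":                                # members look like ['tcp', 'eq', 'www'] or ['ip']
        return any(m[0] in ("ip", "tcp") and port_hits(ports(m, 1, cfg["groups"])[0], port, cfg) for m in cfg["groups"][a["proto"][1]]["members"])
    return a["proto"][0] in ("ip", "tcp")

def audit(text):
    """Findings for the ACL bound inbound on 'outside', plus a first-match verdict for each tcp static."""
    cfg, out = parse(text), []
    n, acl = cfg["names"], cfg["acl"].get(cfg["bind"].get("outside"), [])
    private = {n.get(p, p) for _, _, _, p, _ in cfg["statics"]}      # real (inside) side of each static
    for action, a in acl:
        if action == "permit" and a["src"][0] == "any" and a["dst"][0] == "any":
            out.append(f"BROAD: permit {a['proto'][-1]} any -> any shadows every narrower ACE after it")
        if a["dst"][0] == "host" and n.get(a["dst"][1], a["dst"][1]) in private:
            out.append(f"REAL-ADDR: ACE to host {a['dst'][1]} names the inside address; on 8.2 the outside ACL sees the mapped address, so it never matches")
    for ifs, pub, pport, priv, lport in cfg["statics"]:              # first match wins, implicit deny at the end
        verdict = next((act for act, a in acl if ace_reaches(a, pub, pport, cfg)), "deny")
        out.append(f"STATIC {verdict}: {ifs} {pub}:{pport} -> {priv}:{lport}")
    return out

# Constructed sample with documentation addresses (not the poster's config); webmail (203.0.113.12) has no ACE of its own.
SAMPLE = """\
name 203.0.113.11 maildr.example.co.uk
name 192.168.4.23 LON-EXCH-03
object-group service DM-INLINE-SERVICE
service-object tcp eq www
service-object tcp eq https
object-group service DM-INLINE-TCP-1 tcp
port-object eq smtp
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit tcp any host maildr.example.co.uk object-group DM-INLINE-TCP-1
access-list outside-access-in extended permit tcp 216.82.240.0 255.255.240.0 host LON-EXCH-03 eq smtp
static (inside,outside) tcp maildr.example.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 https LON-EXCH-03 https netmask 255.255.255.255
access-group outside-access-in in interface outside
"""
```

    Calling audit(SAMPLE) reports the webmail static as permitted, but only because of the any-to-any line; remove that line and the same static flips to deny, which is the silent dependency a broad ACE hides. The REAL-ADDR finding corresponds to the posted entry permitting smtp from MESSAGE-LABS-TOWERS to host LON-EXCH-03: on 8.2 that entry would need the public address maildr.xxx.co.uk as its destination to ever match. To run the linter over the posted config itself, the redacted xxx.xxx.xxx.xxx addresses have to be replaced with real ones first; and independent of any linter, the "telnet 0.0.0.0 0.0.0.0 inside" line in that config is worth removing.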

  • Can't access webacc on server public ip address

    This is new server with a fresh SLES11sp2 OES11sp1 install with GW2012 sp2.
    All is working well except even a local workstation cannot access webacc using the server public ip. Server is behind a router. Makes no difference if firewalls are on or off. Same issue from a remote workstation on another network, i.e., cannot connect to webacc using the test server's public ip from a browser. Just one nic in the server and one private ip.
    FYI, same issue exists for imanager, i.e., no public ip address access even from a local workstation, so I am thinking it may be a SLES network card configuration issue, but that's just because I seem to remember under Netware 6.5 I had to make some inetcfg configurations to relay through the router. Router is an older Linksys WRT610N as this is just a test system for the time being.
    I started an SR and they couldn't suggest any fixes other than to tinker with the router. I have both the to default values and open in the router's port forwarding section.
    Ideas? Including switching to a newer router (I'm trying to keep it under $300.00) if you have any suggestions. This server will be for no more than 10 workstations local (mixed wireless and wired) and/or remote workstations for very trusted users.
    Help Mr. Wizard!!!
    thanks.
    johnb

    On 10/04/2013 16:26, jbeuhler wrote:
    > The sp2 is not a typo. I had a SR with a GW2012 sp1 problem during
    > install, encountering a "line173 error" involving a python subdirectory,
    > even using the --text switch. The engineer (the SR went up) gave me the
    > link to try sp2. It installed okay, still a little glitch but I figured
    > out how to get around the line 173 error by installing all of the GW
    > products one after another without configuring in between product
    > installs and then going back to do the product configurations, instead
    > of install, configure, etc for each product. The SR said the line 173
    > install error is a known error but not currently under review for a
    > fix.
    >
    > If you would pass this post on the beta reporting or send me that
    > direction I would appreciate it.
    >
    >
    > I am assuming from your response that my problem is not a recognized
    > problem?
    I wouldn't assume that but since you're running software that's not
    publicly released I'd go back to your SR/contact with this issue.
    HTH.
    Simon
    Novell Knowledge Partner
    Do you work with Novell technologies at a university, college or school?
    If so, your campus could benefit from joining the Technology Transfer
    Partner (TTP) program. See novell.com/ttp for more details.
