ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

Similar Messages

• Associate Session ID with Client ip for improved security

  Hi,
  Id like to know if it's possible to associate session id with some more info like client's ip address and user agent, to ensure that no one can access my app by cookie injection.
  Do anyone knows what's the best/recomended/iWouldDoThisIfIWhereYou approach?
  Thanks!

  I don't think I've seen anything like this with WebLogic Server. I think the right approach in this case is to use SSL with httpOnly (default) and then unless someone has local access to your machine or the remote server (you have bigger problems!) then they can't hijack your session with a man-in-the-middle.
  You can email me at my user id at oracle.com if you have a concrete requirement.

• In iPad how to use webdav nab   with client certificate

  I have created one webdav enable site in apple mac mini server using apache. The webdav site is secured with https as well as client certificate.
  While browsing the website using safari/IE everything is working fine,but with ipad's webdav utility it is not working.Client cert is not picking up by webdav nav tool, although the client ssl cert is installed in ipad.

  Hi Olek
  I Have a working WebDAV setup with tomcat 6.0
  the only problem is this only works on windows XP
  anyway here is the code,
      <servlet>
      <servlet-name>webdav</servlet-name>
      <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
      </init-param>
      <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
      </init-param>
      <!-- Uncomment this to enable read and write access -->
      <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <!-- The mapping for the webdav servlet -->
    <!-- Using /* as the mapping ensures that jasper, welcome files etc are
         over-ridden and all requests are processed by the webdav servlet.
         This also overcomes a number of issues with some webdav clients
         (including MS Webfolders) that do not respond correctly
  to the
         redirects (302) that result from using a mapping of / -->
    <servlet-mapping>
      <servlet-name>webdav</servlet-name>
      <url-pattern>/*</url-pattern>
    </servlet-mapping>put that in your web.xml file
  and here is a basic example of how to use it in a jsp.
  <%
  String networkPath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath() + "/";
  %>
  <body onload="document.getElementById('anchor').click();">
      <a id="anchor" href="<%= networkPath %>Temp/Test/file.doc" folder= "<%= networkPath/Temp/Test/">
             Open in Web Folder View
      </a>
  </body>Hope this helps you

• HTTPS connection with client certificate not working in spartan

  Spartan does not show certificate for the user to select
  when I click the https link.
  The certificates (taken from a smartcard) are indeed present in the user CertStore.
  It works with IE 11 and Chrome.
  Has somebody any suggestions ?
  Thanks.

  in fact you are more using a reverse-proxy than a proxy since it is on the server part..
  You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
  hope it helps !

• Problem with client certificate based authentication

  Hello.
  We are developing an AIR application that uses client
  certificates for authentication. We have written a simple test case
  to show the problem.
  <?xml version="1.0" encoding="utf-8"?>
  <mx:WindowedApplication xmlns:mx="
  http://www.adobe.com/2006/mxml"
  layout="absolute">
  <mx:Script>
  <![CDATA[
  import mx.controls.Alert;
  private function responseHandler(): void {
  Alert.show("Response received");
  ]]>
  </mx:Script>
  <mx:HTTPService id="exampleService"
  url="https://www1.aeat.es/pymes1/pacargoi.html"
  showBusyCursor="true"
  result="responseHandler()">
  </mx:HTTPService>
  <mx:Button label="Send"
  click="exampleService.send()"/>
  </mx:WindowedApplication>
  When we click on the button, it sends the request to the
  protected page and then (if you have CA emitted certificates) the
  dialog appears requesting the client certificate. And it works
  fine.
  But next time we click on the button, the dialog requesting
  the client certificate appears again.
  Is there a way to stop showing the dialog every time?
  Any help would be very appreciated.
  Thanks a lot for your support.
  Paco.

  I have just sent a Feature Request/Bug Report with the
  following text:
  "We are experiencing a problem using AIR with a server that
  requires authentication via client certificate.
  The dialog for selecting the client certificate appears every
  time that the AIR application interacts with the server (not only
  the first time).
  Steps to reproduce bug:
  1. Install Apache HTTP Server with SSL and require client
  certificate in order to authenticate.
  2. Develop an AIR Application that connects to this server
  (HTTPService or RemoteObject have been tested with the same
  result).
  3. Every time that the AIR application connect to the
  server, the dialog appears in order the user to select the client
  certificate.
  Results: This makes the AIR application unusable.
  Expected results: The dialog requesting the client
  certificate should appear the first time only."
  Thanks,
  Paco.

• Proxy https connection with client certificate credentials

  Hello, we are building a application like netvibes/iGoogle which allows users to have portlets with rss feeds in them. The portlets are all loaded using ajax and therefore, the RSS feeds must exist on the same domain as the portal. If they don't, you run into problems with cross-domain security issues with ajax. Usually to get around this you just proxy the connection on the server which is very simple with rss feeds that are exposed via http. We however have many feeds that are exposed via https. These feeds likely require a client certificate to authenticate them. Therefore, just doing a basic proxy (take the distant url and open a new connection on the server) won't work because it will build the new connection with the servers credentials and not the users.
  Is there a way to build the connection on the server using the users credentials?? How can we proxy this connection over https?
  If anyone has ideas, please let me know.
  Thanks!

  in fact you are more using a reverse-proxy than a proxy since it is on the server part..
  You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
  hope it helps !

• Lowest cost SSL accelerator for HTTPS client certificate auth testing

  Hi,
  I need to test some some https connections that use client certificate authentication and need a low cost ebay-purchasable cisco ssl box (I think).
  My understanding is that some Cisco products can terminate https connections (once client cert auth is successful) and then pass on the http connection with a cookie value set with the Subject DN information from the client certificate - correct me if I'm wrong :).
  So any suitable kit for this?
  Thanks,
  Marc.

  Hi Oliver,
  Have a look at this http://forum.java.sun.com/thread.jsp?forum=2&thread=258908
  You may find the answer to your question there.
  Majid.

• Project Server 2010 Web services access with Client Certificate Authentication

  We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
  web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
  Please let us know if it is possible to authenticate with AD FS 2.0 and then call
  Project Server web services. Any help or coding examples would be greatly appreciated.

  what is the error occurred when the custom PSI app connects?
  can you upload the ULS logs here for research?
  What is the user account format you specified in the code for authentication?
  For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
  'I:0#.w|mybusinessdomain\ewmccarty').
  It requires you to manually call the UpnLogon method of
  “Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)  
  {  var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;  }  
  if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
  var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
  Than you need to extract UPN-Claim from the identity.
  Upload the verbose log if possible.
  Did you see this?
  http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
  Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

• Mobile safari no longer able to authenticate with client certificate in ios 5...

  was working in 4.3.5 on iPad, but no more. Imported the cert with ipcu but Safari  seems to not recognize that there is a cert installed. All certs are using sha1

  Some additional info - the imported certificate works fine for Activesync, VPN, and WiFi, so I know it is installed correctly.  When connecting to a web server that requires the certificate, the following is logged in the IPCU console:
  MobileSafari[368] <Warning>: no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x2eeea0>
  So to me, it looks like the Web server is requesting the client certificate, but mobilesafari does not see the identity certificate I imported.

• Troubles with client certificates in Windows Phone 8.1 WebViews

  Hi,
  I'm having difficulties using a client certificate in Windows Phone 8.1 WebViews.
  My code works fine in my Windows 8.1 App but i get a WebErrorStatus=[CertificateIsInvalid] in WebView.NavigationCompleted in WP.
  I'm using this code to import my certificate :
  await CertificateEnrollmentManager.ImportPfxDataAsync(certificateBase64, certificatePassword, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, "MyClientCertificate");
  I have no problem using this cert in HttpClient with either Windows 8.1 or Windows Phone 8.1.
  I don't understand why it doesn't work with the WebView control only on Windows Phone.

  Tried it with no success.
  But I just found this : https://blogs.msdn.com/b/wsdevsol/archive/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app.aspx?Redirected=true
  With the note at the bottom: 
  Note: For Windows Phone 8.1, you need to attach the Client Certificate programmatically. For Windows, once you install the Client Certificate to the app container
  store and do not attach the client certificate with the HttpClient request, the HttpClient class will automatically detect that there is a single certificate installed in the app container store and forward it to the server. However in the case of Windows
  Phone 8.1, there is no such “automatic” selection of the certificate and one MUST provide the certificate programmatically.
  Since there seems to be nothing to attach a custom HttpBaseProtocolFilter to a WebView, it doesn't seem possible atm.

• IOS 4.3 upgrade breaking ActiveSync profiles with client certificates

  After upgrading iOS iPhones from 4.2 to 4.3 they are unable to authenticate to ActiveSync. The ActiveSync profiles on the phones have a client certificate associated with them and the ActiveSync server requires client certs for authentication. I am also unable to remove the profiles from the iphone that include the client cert/activesync profile.
  Anyone else experiencing this problem. I am 3 for 3 so far, all three have the same issue. I have only been able to get around the issue by restoring a 4.2 backup which enabled me to remove the profiles and install new ones.

  Hi all,
  Apple have come back to us about the case we opened.
  In our profile we have two payloads configured, the activesync payload (with a user certificate) and the credentials payload which has a user certificate and our enterprise root certs.
  The Apple engineers are saying the issue is the user cert in the Credentials payload. Apparently in 4.3 they have made some changes here.
  (when I say User cert I mean a certificate with a usage of client auth, and also in our case we have the users UPN in the subject line (or you can enter it as a SAN), so every user has a cert)
  Apple say 4.3 upgrade should be Ok without this cert in the payload.
  It will be tomorrow before I can test this.
  But the thing is, we need that cert in there because we have extra security (cert auth) on some of our public mobile focused websites, i.e. the sites challenge for a certificate (and then challenge for credentials).
  So we may have a work around (that requires new profiles loaded) but going forward we still need to see some sort of fix, i.e. no need to reload profiles (4.3.x ?).
  I'll post here when I get more info ... and thanks to Jeremy at Apple for calling me yesterday and going through it, much appreciated.
  Cheers,
  Aengus

• IOPS with client certificate

  hi,
  i have a servlet that calls a corba service via IOPS using weblogic's internal
  ORB. doing SSL without client certificate works fine - but when the server requests
  a client certificate in the SSL handshake, the call fails. on the server i see,
  that no certificate has been sent.
  in the debug output of the client there is the following exception:
  <May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: CertificateRequest>
  <May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <........... Eating Exception
  java.lang.ArrayIndexOutOfBoundsException: 1 >= 1
  at java.util.Vector.elementAt(Vector.java:427)
  at com.certicom.tls.interfaceimpl.CertificateSupport.getAuthChain(Unknown Source)
  is this a known issue? or do i just have to fix my config somehow... i'm using
  weblogic 8.1sp2
  thanks

  "yves" <[email protected]> writes:
  java.lang.ArrayIndexOutOfBoundsException: 1 >= 1
  at java.util.Vector.elementAt(Vector.java:427)
  at com.certicom.tls.interfaceimpl.CertificateSupport.getAuthChain(Unknown Source)
  is this a known issue? or do i just have to fix my config somehow... i'm using
  weblogic 8.1sp2Its not an issue that I know about but it looks like an SSL
  problem. You should probably contact support.
  Thanks
  andy

• ACE 4710 VIP not pingable even with "always" selected.

  Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here.) Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the vip for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (Active, Primary, or Always.) What am I doing wrong here? The other sites I use stickys with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
  probe http HTML-Site-Up_200
    description This probe is to verify HTTP operation via site-up.html check
    port 80
    interval 5
    faildetect 2
    passdetect interval 10
    request method get url /site-up.html
    expect status 200 200
    open 2
  probe icmp ICMP-Ping
    interval 5
    faildetect 2
    passdetect interval 10
  probe tcp RAW-TCP-81
    port 81
    interval 10
    faildetect 2
    passdetect interval 20
    connection term forced
    open 1
  rserver host psc-us-EQUIPprd1
    description EQUIP Prod, server 1
    ip address 10.1.1.84
    inservice
  rserver host psc-us-EQUIPprd2
    description EQUIP Prod, server 2
    ip address 10.1.1.85
    inservice
  serverfarm host EQUIPPROD
    description EQUIP Prod Server Pool
    predictor leastconns
    probe HTML-Site-Up_200
    probe ICMP-Ping
    probe RAW-TCP-81
    rserver psc-us-EQUIPprd1
      probe ICMP-Ping
      probe HTML-Site-Up_200
      probe RAW-TCP-81
      inservice
    rserver psc-us-EQUIPprd2
      probe ICMP-Ping
      probe HTML-Site-Up_200
      probe RAW-TCP-81
      inservice
  serverfarm host EQUIPPROD-CUSTOMER-81
    description EQUIP Customer Site Server Pool, port 81
    predictor leastconns
    probe RAW-TCP-81
    rserver psc-us-EQUIPprd1 81
      probe RAW-TCP-81
      inservice
    rserver psc-us-EQUIPprd2 81
      probe RAW-TCP-81
      inservice
  sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
    timeout 180
    replicate sticky
    serverfarm EQUIPPROD
  class-map type http loadbalance match-all EQUIP_81_Redirect
    2 match http header Host header-value ".*equiponline.com"
  class-map type http loadbalance match-all EQUIP_81_Redirect_Full
    2 match http header Host header-value ".*www.equiponline.com"
  class-map match-all VIP-EQUIPPROD
    2 match virtual-address 10.1.1.97 any
  policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
    class EQUIP_81_Redirect
      serverfarm EQUIPPROD-CUSTOMER-81
    class EQUIP_81_Redirect_Full
      serverfarm EQUIPPROD-CUSTOMER-81
    class class-default
      sticky-serverfarm Sticky_EQUIPPROD
  policy-map multi-match global
    class VIP-EQUIPPROD
      loadbalance vip inservice
      loadbalance policy VIP-EQUIPPROD-l7slb
      loadbalance vip icmp-reply
      nat dynamic 13 vlan 1000
  interface vlan 1000
    nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 pat

  Output from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
      class: VIP-EQUIPPROD
        nat:
          nat dynamic 13 vlan 1000
          curr conns       : 361       , hit count        : 116690    
          dropped conns    : 5         
          client pkt count : 4815293   , client byte count: 739114009           
          server pkt count : 7281612   , server byte count: 8753101386          
          conn-rate-limit      : 0         , drop-count : 0         
          bandwidth-rate-limit : 0         , drop-count : 0         
       VIP Address:    Protocol:  Port:
       10.1.1.97    any
        loadbalance:
          L7 loadbalance policy: VIP-EQUIPPROD-l7slb
          Regex dnld status    : SUCCESSFUL
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 392       , hit count        : 134300    
          dropped conns    : 431       
          client pkt count : 4869950   , client byte count: 741545220           
          server pkt count : 7281612   , server byte count: 8753101386          
          conn-rate-limit      : 0         , drop-count : 0         
          bandwidth-rate-limit : 0         , drop-count : 0         
          L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
            class/match : EQUIP_81_Redirect
              LB action :
                 primary serverfarm: EQUIPPROD-CUSTOMER-81
                      state: UP
                  backup serverfarm : -
              hit count        : 12602     
              dropped conns    : 0         
              compression      : off
            class/match : EQUIP_81_Redirect_Full
              LB action :
                 primary serverfarm: EQUIPPROD-CUSTOMER-81
                      state: UP
                  backup serverfarm : -
              hit count        : 0         
              dropped conns    : 0         
              compression      : off
            class/match : class-default
              LB action: :
                 sticky group: Sticky_EQUIPPROD
                    primary serverfarm: EQUIPPROD
                      state:UP
                    backup serverfarm : -
              hit count        : 107831    
              dropped conns    : 5         
              compression      : off
        compression:
          bytes_in  : 0                          bytes_out : 0                   
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0         
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0         
          Content size: 0               Content type       : 0         
          Not HTTP 1.1: 0               HTTP response error: 0         
          Others      : 0         
  pscaceinside01/Prod# ping 10.1.1.97
   Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
  No response received from 10.1.1.97 within last 2 sec
  No response received from 10.1.1.97 within last 2 sec
  No response received from 10.1.1.97 within last 2 sec
  No response received from 10.1.1.97 within last 2 sec
  No response received from 10.1.1.97 within last 2 sec
  5 packet sent, 0 responses received, 100% packet loss
  For what it's worth, none of my VIP's are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet. With the exception of this VIP.

• SJSWS 7 u4 reverse proxy setup with client ip forwarding

  Hi,
  I am trying to set up a reverse proxy to glassfish enterprise 2.1 so that it will pass on the client ip address.
  I have added this line to my obj.conf file:
  ObjectType fn="forward-ip" hdr="Client-ip"
  Entire obj.conf below:
  <Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="/usr/webserver7/lib/icons" name="es-internal"
  NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  ObjectType fn="forward-ip" hdr="Client-ip"
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>And have added this property to the both of the glassfish http-listeners:
  authPassthroughEnabled=true
  However the when I use this piece of code:
  System.out.println(FacesContext.getCurrentInstance().getExternalContext().getRequest().getRemoteAddr())I see this in my glassfish logs
  [#|2009-03-26T17:32:47.457+1300|WARNING|sun-appserver2.1|org.apache.coyote.tomcat5.CoyoteRequest|_ThreadID=21;_ThreadName
  =httpSSLWorkerThread-8181-2;_RequestID=11ab6ecf-254c-4255-98d3-48856ab99b61;|PWC4013: Unable to determine client remote a
  ddress from proxy (returns null)|#]
  [#|2009-03-26T17:32:47.457+1300|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=21;_ThreadName=httpSSL
  WorkerThread-8181-2;|
  127.0.1.1 ip address|#]
  There are no messages in the webserver logs
  Can anybody see something that I am doing wrong?
  Thanks in advance for your help,
  Gareth

  If Admin server shows its enabled, then it is enabled.
  You can add forward-ip line in obj.conf manually and restart the server just to be sure.
  Look at [http://forums.sun.com/thread.jspa?threadID=5344683|http://forums.sun.com/thread.jspa?threadID=5344683]. It says (in glassfish)
  "Add this property to all <http-listener> elements in your domain.xml:
  {code}<property name="authPassthroughEnabled" value="true"/>"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• ACE 4710 A3 outbound static NAT with Port redirection

  Hi
  I have asked this question before, but as I have not get far with it I am going to try to be more specific this time.
  I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
  When I try to configure this:
  ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
  I get the error: Error: Invalid real port configured for NAT static
  Any ideas what it means anyone?

  Right. Forget about the previous question. I have an update.
  I get this output on show nat policies at the moment:
  NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
  ID:64 Static port translation
  Real addr:172.21.7.11 Real port:26 Real interface:18
  Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
  Netmask:255.255.255.255
  where x.x.x.x - is the Public, external IP address on the ACE.
  I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
  Something is telling me I am looking at it from a wrong direction altogether.
  This is the config I have at the moment:
  access-list 130 line 20 extended permit ip any any
  access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
  class-map match-any Class_Port26
  2 match access-list Source_NAT
  policy-map multi-match Policy_Port26_Static
  class Class_Port26
  nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
  interface vlan 107
  ip address 172.21.7.2 255.255.255.240
  peer ip address 172.21.7.1 255.255.255.240
  access-group input 130
  service-policy input Policy_Port26_Static
  no shutdown
  No server farms, no load balancing. Just that.
  Any ideas?