Additional problems with NAT
We are still having problems with a workstation sending out a virus through
our NAT. If I enable filtering and use the default filters along with
denying all traffic with the default exceptions, would that be the next
logical step in resolving this?
mike berg wrote:
> We are still having problems with a workstation sending out a virus through
> our NAT. If I enable filtering and use the default filters along with
> denying all traffic with the default exceptions, would that be the next
> logical step in resolving this?
Is this an SMTP mailer virus? If so, you need to block the ability for
workstations to get to public servers on port 25. The default filters
and exceptions do *not* allow this traffic, so either your filtering is
not even working, or you have an exception allowing such traffic.
Jim
NSC Sysop
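What Jim's advice looks like when written down, as an added example that is not part of the thread: an egress rule that lets only the mail relay reach public port 25, and a detection over connection logs that picks out the workstation fanning out to many SMTP servers. The log lines are constructed, the RFC 1918 ranges are assumed to be "internal", and the single relay 192.168.1.2 is an assumption; BorderManager's own filter syntax is not shown here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound connection attempts, as a firewall or NetFlow
# export might log them: "src dst dport". Nothing here is from the thread.
SAMPLE_LOG = """\
192.168.1.10 198.51.100.5 25
192.168.1.10 203.0.113.7 25
192.168.1.10 203.0.113.9 25
192.168.1.10 198.51.100.22 25
192.168.1.10 192.0.2.40 25
192.168.1.10 192.0.2.41 25
192.168.1.10 192.168.1.2 25
192.168.1.11 192.168.1.2 25
192.168.1.11 192.168.1.2 25
192.168.1.12 203.0.113.80 80
192.168.1.12 203.0.113.80 443
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAYS = {"192.168.1.2"}  # assumed: the site's only legitimate outbound SMTP relay


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smtp_egress_allowed(src: str, dst: str, dport: int, relays=MAIL_RELAYS) -> bool:
    """The policy the reply describes: only the mail relay may talk to public
    SMTP servers; workstations may only reach the relay (or other internal
    hosts) on port 25."""
    if dport != 25:
        return True
    if src in relays:
        return True  # the relay itself delivers mail outward
    return dst in relays or is_internal(dst)


def smtp_fanout(log_text: str, relays=MAIL_RELAYS) -> dict:
    """Map each source to the set of distinct public hosts it tried on TCP/25,
    ignoring traffic to the relay or to other internal hosts."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if dport == "25" and dst not in relays and not is_internal(dst):
            fanout[src].add(dst)
    return dict(fanout)


def suspected_mailers(log_text: str, threshold: int = 5) -> list:
    """Hosts that fanned out to at least `threshold` distinct public SMTP
    servers: a mass-mailer signature, since ordinary clients talk to one relay."""
    return sorted(src for src, dsts in smtp_fanout(log_text).items() if len(dsts) >= threshold)


def policy_violations(log_text: str) -> list:
    """Every logged connection the egress policy would have blocked."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if not smtp_egress_allowed(src, dst, int(dport)):
            out.append((src, dst))
    return out
```

Run `suspected_mailers(SAMPLE_LOG)` on the sample and only 192.168.1.10 comes back; `policy_violations` lists the same six connections the egress rule would have stopped, which is the quickest way to confirm a filter set actually matches the traffic before trusting the defaults.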
Similar Messages
-
hi Everyone,
I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
when I receive traffic through those ports, I see the following in
show ip nat translations | include 14000
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1041 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1042 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1043 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1044 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:14000 192.168.100.26:14000 --- ---
How can I make this NAT static so that every host originates from port 14000 rather than a dynamic one that is being assigned now?
Any help is greatly appreciated.
Aleks

Perhaps I wasn't clear enough in what I needed it to do, here's a show ip nat translations for another (working) NAT(d) port on the same router:
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50183 xxx.xxx.xxx.xxx:50183
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50891 xxx.xxx.xxx.xxx:50891
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:60443 xxx.xxx.xxx.xxx:60443
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:2897 xxx.xxx.xxx.xxx:2897
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:51890 xxx.xxx.xxx.xxx:51890
Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) across all of the connections that have connected. Now this NAT rule behaves as it should, same syntax used as for the one I originally posted
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
the only difference is that this one gets properly assigned to the requested port, whereas these rules
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
Basically how do I get the three rules to behave the same way as the one on top does...
Thank you,
Aleks -
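A check over the two things Aleks pasted, as an added example that is not from his post or a reply: it parses the static rules and the `show ip nat translations` output, and reports every active translation for a statically mapped inside socket whose inside-global port is not the one the rule assigns. It also reports static rules that name the same inside socket with different outside ports, which two of the posted UDP rules do (14001 to both 14001 and 14002); whether that is connected to the symptom is not something the thread settles. The sample rows are modelled on the post, with the IRC client's peer replaced by a documentation address.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the rules and translation table in the post.
STATIC_RULES = """\
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
"""

TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 64.7.136.227:1038  192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039  192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:14000 192.168.100.26:14000 --- ---
tcp 64.7.136.227:6667  192.168.100.199:6667 198.51.100.9:54375 198.51.100.9:54375
"""

RULE_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)", re.M)


def parse_rules(text):
    """{(proto, inside_ip, inside_port): {outside_port, ...}} for static port rules."""
    rules = defaultdict(set)
    for proto, ip, lport, gport in RULE_RE.findall(text):
        rules[(proto, ip, int(lport))].add(int(gport))
    return rules


def conflicting_rules(text):
    """Inside sockets that two static rules map to different outside ports."""
    return sorted(k for k, v in parse_rules(text).items() if len(v) > 1)


def _sock(token):
    """'ip:port' -> (ip, port); '---' (no outside pair, i.e. the static entry) -> None."""
    if token == "---":
        return None
    ip, port = token.rsplit(":", 1)
    return ip, int(port)


def parse_translations(text):
    """Rows of (proto, inside_global, inside_local, outside_local, outside_global).
    The header line and anything that is not a tcp/udp row are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp"):
            rows.append((parts[0],) + tuple(_sock(p) for p in parts[1:]))
    return rows


def port_not_preserved(rules_text, xlate_text):
    """Active translations for a statically mapped inside socket whose
    inside-global port is not one the static rule assigns."""
    rules = parse_rules(rules_text)
    bad = []
    for proto, ig, il, ol, og in parse_translations(xlate_text):
        if ol is None:
            continue  # the static entry itself, nothing to compare against
        key = (proto, il[0], il[1])
        if key in rules and ig[1] not in rules[key]:
            bad.append((proto, f"{il[0]}:{il[1]}", ig[1]))
    return bad
```

On the sample, `port_not_preserved` returns the two UDP rows translated to 1038 and 1039 and nothing for the TCP 6667 row, which is exactly the difference Aleks describes; `conflicting_rules` returns the 14001 socket.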
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
I have trouble setting up a NAT and access rule for a webserver located in the inside network.
I have an ASA 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213.
The webserver has IP 192.168.123.11 and it needs to be accessed from outside, IP x.x.x.213.
I have created a static NAT rule with PAT (as an appendix) and access rules from the outside network to the inside interface IP 192.168.123.11 (tcp 80) but no luck.
What am I doing wrong?

Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
When running on 8.4 I had a working config with the following scenario.
I have 2 interfaces configured as the outside interface.
One is connected to my internet connection.
The other one is connected to a host that has a public IP.
The public host can access the internet and also a PAT port on an internal host.
But after the upgrade the internal hosts can't access the external host, only everything else on the internet.
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
If i add 1 to the destination ip:
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 98586, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Nat rules:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic any interface
The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
I can ping the EXTERNAL host from the ASA but not from the internal network.
Any ideas would be appreciated.

Hmmm, by adding the following I got it working:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
nat (inside,outside) source dynamic any interface
It is a bit complicated though, since the EXTERNAL host gets its address via DHCP and so does the ASA. -
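Both ASA posts above hinge on reading `packet-tracer` output correctly: the 7.2 post is dropped in the ACCESS-LIST phase by the implicit rule, the 8.4 post is dropped with `nat-no-xlate-to-pat-pool` and no phase of its own. The parser below is an added example, not from either post or its replies; it turns the output into phases plus the final verdict so the failing stage and drop code can be read off programmatically. The two samples are abridged copies of the posted outputs (interface-status lines trimmed). One caveat the first post's command deserves: on pre-8.3 code an inbound test from outside should use a real external host as source and the mapped public address (x.x.x.213) as destination, not the firewall's own outside address and the private address, because the outside ACL and the static are both written in terms of the mapped address.

```python
import re

# Abridged copies of the two packet-tracer outputs quoted above.
ACL_DROP = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PAT_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""

DROP_RE = re.compile(r"\((\S+)\)\s*(.*)")


def parse_packet_tracer(text):
    """Return {'phases': [...], 'action': 'allow'|'drop', 'drop_code', 'drop_text'}.
    Each phase keeps its type, subtype, verdict and the free-text lines that
    follow 'Config:' and 'Additional Information:'."""
    phases, cur, bucket = [], None, None
    result = {"action": None, "drop_code": None, "drop_text": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur = {"phase": int(val), "type": None, "subtype": "", "result": None,
                   "config": [], "info": []}
            phases.append(cur)
            bucket = None
        elif key == "Result" and val == "":  # the final summary block begins
            cur, bucket = None, None
        elif cur is not None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
            bucket = None
        elif cur is not None and key == "Config":
            bucket = cur["config"]
        elif cur is not None and key == "Additional Information":
            bucket = cur["info"]
        elif cur is None and key == "Action":
            result["action"] = val
        elif cur is None and key == "Drop-reason":
            m = DROP_RE.match(val)
            result["drop_code"], result["drop_text"] = (m.group(1), m.group(2)) if m else (None, val)
        elif bucket is not None:
            bucket.append(line)  # continuation line of Config / Additional Information
    result["phases"] = phases
    return result


def failing_phase(parsed):
    """First phase with a DROP verdict, or None when the drop is reported only
    in the summary (as nat-no-xlate-to-pat-pool is)."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def summarize(text):
    parsed = parse_packet_tracer(text)
    if parsed["action"] != "drop":
        return "allow"
    p = failing_phase(parsed)
    where = (f"{p['type']} phase {p['phase']} ({' '.join(p['config']) or 'no config'})"
             if p else "summary only")
    return f"drop [{parsed['drop_code']}] at {where}"
```

`summarize(ACL_DROP)` gives "drop [acl-drop] at ACCESS-LIST phase 3 (Implicit Rule)", which says the outside ACL never matched; `summarize(PAT_DROP)` gives "drop [nat-no-xlate-to-pat-pool] at summary only", the case where every listed phase passed and the answer lies in the NAT rules, as the poster's added rule for EXTERNAL confirmed.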
Problem with nat-ing on asa 5505
I have the ASA 5505 with ASA 8.4.2 and ASDM 6.4.5. I use this ASA 5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. The WAN port of the ASA 5505 is on network 10.13.74.0/24, the LAN port is on 192.168.0.0/24. This configuration worked OK until my ISP changed the router at address 10.13.74.1. I NATed on the ASA 5505, I put an access policy in place and I had access to network 10.15.100.0/24, but now I can't. Users from the network can access devices at addresses 192.168.0.20 and 192.168.0.22 but I can't access network 10.15.100.0/24. My ASA 5505 configuration is:
Result of the command: "show runn"
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.13.74.33 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server
 host 192.168.0.20
object network sharepointdri
 host 192.168.0.22
object network paragraflex
 host 192.168.0.20
object network dri.local
 subnet 192.168.0.0 255.255.255.0
object service ParagrafLex1
 service tcp source eq 6190
 description Odlazni
object service paragraf
 service tcp destination eq 6190
 description dolazni
object network nonat
 host 192.168.0.20
object network lokalnamreza
 range 192.168.0.1 192.168.0.254
object network natnetwork
 subnet 192.168.0.0 255.255.255.0
object network natmreze
 subnet 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp echo-reply
 service-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo-reply
 service-object tcp
 service-object ip
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
 service-object object ParagrafLex1
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object tcp
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
object-group service DM_INLINE_SERVICE_4
 service-object tcp
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object icmp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.13.74.0 255.255.255.0
 network-object 10.15.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_9
 service-object tcp-udp
 service-object tcp destination eq https
 service-object tcp destination eq domain
object-group service DM_INLINE_SERVICE_10
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list outside_access_in_1 extended permit object paragraf any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside 10.13.74.1 000d.bd64.a8e2
arp timeout 14400
!
object network server
 nat (inside,outside) static 10.13.74.34 dns
object network sharepointdri
 nat (any,any) static 10.13.74.39
object network nonat
 nat (inside,outside) static 192.168.0.20
object network natmreze
 nat (any,any) static 10.13.74.42 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route outside 10.15.100.0 255.255.255.0 10.13.74.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ftp paragraf
 parameters
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context state priority domain
no call-home reporting anonymous
Cryptochecksum:61572938ed01b1c7447e43fcb2df4bc8
: end
What do I do? Please help me.
Thanks

Please do this, and let me know how it goes:
no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
no object network nonat
no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside
no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1 -
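A few checks run over a constructed excerpt of the posted config, as an added example that is not from the thread or the reply. Two of them flag exactly what the reply removes (the identity static on `nonat` and the two outbound access-groups); the others are what a reviewer would raise on their own: `nat (any,any)` statics, several objects defined for one address, the static `arp` entry that pins the MAC of the default gateway 10.13.74.1 (a pinned entry does not follow a replacement router; that it matters here is an assumption, not a diagnosis the thread gives), and the two well-known default ASA password hashes that appear in the paste. Assumed: the excerpt is indented the way the ASA prints `show run`.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the posted 'show run' (same object, NAT,
# ARP, route and credential lines; everything else omitted).
SAMPLE_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan2
 nameif outside
 ip address 10.13.74.33 255.255.255.0
object network server
 host 192.168.0.20
object network paragraflex
 host 192.168.0.20
object network nonat
 host 192.168.0.20
object network natmreze
 subnet 192.168.0.0 255.255.255.0
arp outside 10.13.74.1 000d.bd64.a8e2
object network server
 nat (inside,outside) static 10.13.74.34 dns
object network nonat
 nat (inside,outside) static 192.168.0.20
object network natmreze
 nat (any,any) static 10.13.74.42 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
"""

# Hashes the ASA writes for an empty enable password and for passwd 'cisco'.
DEFAULT_HASHES = {"8Ry2YjIyt7RRXU24": "empty enable password",
                  "2KFQnbNIdI.2KYOU": "passwd 'cisco'"}


def parse_objects(cfg):
    """Collect the address and nat lines of each 'object network'. The ASA
    prints the object header twice (definition, then NAT section), so both
    occurrences merge into one record."""
    objs = defaultdict(lambda: {"addr": None, "nat": []})
    cur = None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith(" ") and cur:
            parts = line.split()
            if parts[0] == "host":
                objs[cur]["addr"] = parts[1]
            elif parts[0] == "subnet":
                objs[cur]["addr"] = f"{parts[1]}/{parts[2]}"
            elif parts[0] == "nat":
                objs[cur]["nat"].append(line.strip())
        else:
            cur = None
    return objs


def lint(cfg):
    findings = []
    objs = parse_objects(cfg)
    for name, o in objs.items():
        for n in o["nat"]:
            m = re.match(r"nat \((\w+),(\w+)\) static (\S+)", n)
            if not m:
                continue
            if m.group(3) == o["addr"]:          # maps the address to itself
                findings.append(f"identity-static: object {name} maps {o['addr']} to itself")
            if (m.group(1), m.group(2)) == ("any", "any"):
                findings.append(f"nat-any-any: object {name}")
    by_addr = defaultdict(list)
    for name, o in objs.items():
        if o["addr"]:
            by_addr[o["addr"]].append(name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"duplicate-object: {addr} defined as {', '.join(sorted(names))}")
    for m in re.finditer(r"^access-group (\S+) out interface (\S+)", cfg, re.M):
        findings.append(f"outbound-acl: {m.group(1)} on {m.group(2)}")
    next_hops = set(re.findall(r"^route \S+ \S+ \S+ (\S+)", cfg, re.M))
    for m in re.finditer(r"^arp (\S+) (\S+) (\S+)", cfg, re.M):
        if m.group(2) in next_hops:              # static ARP for a gateway we route via
            findings.append(f"pinned-gateway-mac: {m.group(2)} on {m.group(1)} fixed to {m.group(3)}")
    for m in re.finditer(r"^(?:enable password|passwd) (\S+) encrypted", cfg, re.M):
        if m.group(1) in DEFAULT_HASHES:
            findings.append(f"default-credential: {DEFAULT_HASHES[m.group(1)]}")
    return sorted(findings)
```

The `pinned-gateway-mac` finding is the one to check first after an ISP swaps its router: `show arp` will still show the old MAC for 10.13.74.1 until the static entry is removed.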
Problem with NAT? can get to web server internally but not externally
We are trying to setup our helpdesk software website so external users
can access it. However, we have been unsuccessful. We don't have any
issues accessing it internally from our 10.1.1.X LAN
We have had our ISP setup a public DNS "A" record of
customerservice.amerinet-gpo.com which resolves to 198.88.234.40 and that
appears to be working.
Next we added a NAT to our Firewall to take 198.88.234.40 traffic and put
it to the local IP of 10.1.1.23 which is our local address for the
webserver running the helpdesk software.
We also made sure that BM filters are allowing traffic on ports 80 and
443 to the local IP as well.
We have 4 other webservers (on separate servers from our helpdesk
software website) that are exposed to the outside in this same manner and
all work fine.
The helpdesk website is on Windows 2003 server SP1 running IIS 6.0. Our
firewall server is NetWare 6 SP5 and BM 3.7 SP3.
I have tried to just telnet to the public IP of 198.88.234.40 on port 80
and it times out. I can't understand why, and have checked my entries on
BM and even deleted and re did them 3 times to make sure I didn't make a
mistake. I even have another web server on that block NAT'd the same way
and it works (198.88.234.36), if you telnet to it on port 80 it goes
right away.
What else can I try? Any insight would be greatly appreciated!
Thanks,
SCOTT

> > OK, the easiest way to calculate valid addresses is to use an IP subnet
> > calculator. The one I like the most is the free utility by Wildpackets
> > http://www.wildpackets.com/products/...tcalc/overview
> >
> > Anyway, with a 255.255.255.248 network mask the valid IP addresses
> > associated to the primary address of your BM server are in the range:
> > 198.88.234.33-198.88.234.38
> > therefore .40 isn't included. Actually .40 is the subnet identifier of a
> > separate subnet. The addresses from .33 to .38 are the ones you can use.
> >
> > --
> > Cat
> > NSC Volunteer Sysop
>
> I was mistaken, the subnet for that block is 255.255.255.240 so I was
> told by our ISP that our range is 198.88.234.32 to 198.88.234.47 or
> 14 usable IPs since first and last are unusable.
>
> We have 3 different IP blocks from our ISP, the above 198.88.234.32 one
> with the 255.255.255.240 subnet, then a 199.217.136.184 with
> 255.255.255.248 subnet and finally a 198.88.233.1 with a 255.255.255.248
> subnet.
>
> So I think we should be able to use the 198.88.234.40 address.
>
> SCOTT
>
>
I was really hoping that we had the wrong subnet in BM for the
198.88.234.32 block! When I read your post last night, I thought that's
gotta be it... sadly I checked and it does have it as 255.255.255.240 when
I look in inetcfg under bindings. I even checked our Cisco router as
well to make sure it had the subnet correct since this is the first time
I've tried to use an IP above 198.88.234.36. The router looked fine as
well. Is there anyplace else that this could be wrong, maybe a config
file on BM or something?
Thx,
SCOTT V. -
I am not an IT manager, but I am trying to set up an additional route through our router for RDP using NAT. I have successfully set up two other workstations doing this, but the third is not working. I set the first two up by forwarding the public IP address on a port to the internal IP address on the RDP port 3389. The two other workstations are set up this way and work great. The third is set up the same way, but I cannot get in from outside. I can RDP to the workstation from inside the local network. Our network has no IT manager.

Hello,
from what I can see in your non-working configuration, you are using the same address space on two different interfaces:
interface FastEthernet0/0
ip address 63.245.89.83 255.255.255.248
interface FastEthernet1/0
description connected to metrored
ip address 63.245.89.82 255.255.255.248
The router should actually generate an error message telling you that there is an overlapping address space once you try and 'no shut' the FastEthernet1/0 interface.
Regards,
GP -
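The BorderManager thread and the router reply just above come down to the same arithmetic: whether 198.88.234.40 is a usable host depends on whether the block is a /29 or a /28, and whether two interfaces can both sit in 63.245.89.80/29. As an added example that is not from either thread, the functions below do that arithmetic with Python's `ipaddress` module; the addresses and interface names are the ones quoted, nothing else is assumed.

```python
import ipaddress


def block_info(addr_with_mask):
    """Network, first and last usable host for an interface address written
    with a dotted mask, e.g. '198.88.234.33/255.255.255.248'."""
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1])


def is_usable_host(candidate, addr_with_mask):
    """True when `candidate` lies inside the block and is neither the network
    nor the broadcast address."""
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    ip = ipaddress.ip_address(candidate)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def overlapping_interfaces(interfaces):
    """interfaces: {name: 'addr/mask'}. Returns the interface pairs whose
    subnets overlap, which is what the router reply spotted on Fa0/0 and Fa1/0."""
    nets = {name: ipaddress.ip_network(a, strict=False) for name, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
```

With the /29 Cat assumed, `is_usable_host("198.88.234.40", "198.88.234.33/255.255.255.248")` is False because .40 is the next block's network address; with the /28 the ISP actually assigned it is True and the usable range runs .33 to .46. Checking the mask on every device in the path (BM bindings, the router, the ISP side) is the same question asked three times.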
Problems with NAT and xbox live
I could once connect to Xbox Live using my Westell 6100G, which I received as an upgrade from the regular 6100 about 5 days ago. It worked fine yesterday and today it decided to change my NAT from "Open" to "Moderate".
How can I access my NAT so I can fix this frustrating problem? Or how can I fix this? I tried Microsoft's solutions including port forwarding but nothing works. My guess is my only option is to change the NAT, but the interface of the Westell 6100's page is barely user friendly, and I'm a tech savvy guy. Any help?

Your other thread
http://www.dslreports.com/forum/remark,24291307
-
Additional Problem with Smartform Chinese Character Output
Hi all!
This is a follow-up to my earlier question about output of Chinese Characters in Smartforms.
As a recap, my problem is to correctly output Chinese characters in my Smartform using English logon. Using the OSS Note: 776507 that Anji sent, I managed to output in my Smartform preview the Chinese characters. However, when I print a hardcopy, I still get the # characters.
I tried uploading the font that outputs the chinese characters on MS Office, specifically Arial Unicode MS. It was automatically assigned to the printer driver (I think).
Is there anything I am doing or did wrong?
Thanks in advance for the help. Points for any useful answer.

Hi Pat,
I have installed the latest version of Adobe Reader (10.0.1) and Adobe Reader Font Pack (Asian Font Pack) and the results are as below:
tested that the file (.pdf) cannot be displayed correctly
I would appreciate it if you have any idea about the issue. Thanks.
Just to let you know that the simplified Chinese characters may have been inserted by the software (Free PDF Reader and Writer - Nitro Reader 3.1.1.3). -
Ai CS6 continues to not work- additional problem with plug-ins.
These messages came up while trying to open these two files. They open after clicking OK, but the application bar is completely blank and with no tools showing.
Watch Illustrator as it boots to see if "initializing plug-ins" is showing, or if it acts as if Shift is being held down and boots really quickly (most of your key commands would not work then).
Applications >> Utilities >> Disk Utility >> Repair Permissions.
Reset your prefs: immediately after booting Illustrator, hold down 3 keys: Shift, Command, Option.
Go to Applications >> Illustrator 6 >> Plug-ins >> Illustrator Filters (is Offset Path there?). If not, you may have something wrong with your install and many of your plug-ins may be missing. The plug-ins mentioned are mostly in 3 of the folders.
Check that your plug-ins don't say something like size is 0K. Here is the info for my plug-in. -
Problem with no nat after upgrade version
Hello Guys...
I'm having problems with NAT after the upgrade.
source = 10.11.7.14
destination = 10.0.32.10
The next hop for 10.0.32.0/24 is 10.0.5.1, via the inside interface. My firewall pings 10.0.5.1. When I change the routing so it doesn't pass through the firewall, the connection from source to destination works!
In the log I'm receiving this message:
6 | Nov 23 2012 | 15:24:54 | 302303 | spbwts02_0303 | 55517 | 10.0.32.10 | 80 | Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10/80)
6 | Nov 23 2012 | 15:27:29 | 302304 | spbwts02_0303 | 51123 | 10.0.32.10 | 80 | Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout
In 8.2 I had this NAT:
DMZ interface:
Exempt 10.0.32.0/24 10.11.7.0/24 (outbound)
I have a bypass for those networks and services. I guess I don't need the bypass because the packet comes from the DMZ and goes to inside, right? Anyway, I removed the bypass and nothing happened!
And now, in 8.4(5), I have:
DMZ Inside obj-10.11.7.0/24 obj-10.0.32.0/24 any original original
What can my problem be?

Route, look:
Before:
route inside 10.0.32.0 255.255.255.0 10.11.5.1 1
Now and working:
route inside 10.0.32.0 255.255.255.0 10.11.2.3 1
I don't have an interface in the 10.11.5.0 network. I guess when someone configured the route, they put 10.11.5.1 as the gateway, but I don't know how it was working.
Now I changed it to 10.11.2.3 and it's OK. My firewall has an interface in the 10.11.2.0 network.
But the bypass is still a mystery to me! -
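The two log entries in the post are the %ASA-6-302303 / 302304 build and teardown messages, and the teardown carries the whole diagnosis: a connection that lived 1:00:10 (the default `timeout conn 1:00:00` plus a little) with `bytes 0` and reason `Connection timeout` is a SYN the firewall forwarded and never saw answered, which is what a wrong next hop looks like from the firewall. As an added example that is not from the post, the detector below pulls those out of a syslog feed and counts them per destination; the log lines are constructed in the same form as the post's, with a healthy teardown added as a control.

```python
import re
from collections import Counter

# Constructed lines in the form of the 302303/302304 entries quoted above
# (ids and ports from the post; the third teardown is invented as a control).
SAMPLE_SYSLOG = """\
%ASA-6-302303: Built TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 (spbwts02_0303/55517) to inside:10.0.32.10/80 (10.0.32.10/80)
%ASA-6-302304: Teardown TCP state-bypass connection 249015 from dmz:spbwts02_0303/55517 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout
%ASA-6-302304: Teardown TCP state-bypass connection 242785 from dmz:spbwts02_0303/51123 to inside:10.0.32.10/80 duration 1:00:10 bytes 0 Connection timeout
%ASA-6-302304: Teardown TCP connection 242790 from dmz:spbwts02_0303/51200 to inside:10.0.32.10/80 duration 0:00:12 bytes 5120 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"302304: Teardown TCP (?P<bypass>state-bypass )?connection (?P<id>\d+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) duration (?P<dur>\d+:\d\d:\d\d) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


def duration_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def teardowns(log_text):
    """One dict per 302304 line: id, src, dst, bypass flag, seconds, bytes, reason."""
    out = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            out.append({"id": m["id"], "src": m["src"], "dst": m["dst"],
                        "bypass": bool(m["bypass"]),
                        "seconds": duration_seconds(m["dur"]),
                        "bytes": int(m["bytes"]), "reason": m["reason"]})
    return out


def dead_connections(log_text):
    """Flows that lived until the idle timeout without carrying a byte: the
    SYN was forwarded but no reply ever came back through the firewall."""
    return [t for t in teardowns(log_text)
            if t["bytes"] == 0 and t["reason"] == "Connection timeout"]


def dead_by_destination(log_text, min_count=2):
    """Destinations with at least `min_count` dead flows; those are the ones
    whose route and reverse path deserve a look."""
    counts = Counter(t["dst"] for t in dead_connections(log_text))
    return {dst: n for dst, n in counts.items() if n >= min_count}
```

The `bypass` flag is kept because a state-bypass flow skips the TCP state checks, so a zero-byte timeout there cannot be blamed on the normalizer dropping an out-of-state segment; only the path remains as a suspect, which matches the route fix the poster found.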
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x from 172.22.20.x IPs.
It seems that the phase 2 for this subnet is missing until we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly except on sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After the tunnel re-opens (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
After a ping from 172.27.99.x to any IP in 172.22.20.x:
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.
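An added example, not from this thread, of the static crypto map Abaji describes. The IKEv2 policy (AES256, SHA512, PRF SHA512, DH group 5, 86400 s), the IPsec proposal (AES256/SHA1, tunnel mode, 28800 s / 4608000 KB) and the four crypto ACL lines are taken from the sessiondb output above; the peer address 203.0.113.2, the names OUTSIDE-MAP and L2L-SITE2, the object names and the interface names are placeholders, and the real pre-shared key goes where <key> is.

```text
! IKEv2 policy matching what "sh vpn-sessiondb detail l2l" reports for the IKEv2 SA
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal and lifetimes matching the child SAs in the output
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! Crypto ACL ("interesting traffic"). Each line becomes one child SA, i.e. one
! "IPsec: Tunnel ID 3058.x" entry, so the peer's ACL must mirror this list
! exactly with local and remote swapped.
access-list L2L-SITE2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list L2L-SITE2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list L2L-SITE2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list L2L-SITE2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0

! Static crypto map entry. "set peer" must be the address IKE actually arrives
! from, i.e. the peer's post-NAT public address when it sits behind static NAT.
crypto map OUTSIDE-MAP 10 match address L2L-SITE2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA1
crypto map OUTSIDE-MAP interface outside

! Identity NAT so site-to-site traffic is not translated before it hits the crypto map
object network LOCAL-172-22
 subnet 172.22.0.0 255.255.0.0
object network REMOTE-172-27-97
 subnet 172.27.97.0 255.255.255.0
nat (inside,outside) source static LOCAL-172-22 LOCAL-172-22 destination static REMOTE-172-27-97 REMOTE-172-27-97 no-proxy-arp route-lookup

! The tunnel-group name must be the same address as "set peer"
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <key>
 ikev2 local-authentication pre-shared-key <key>
```

After applying it, `show crypto ikev2 sa` should show the IKEv2 SA with the peer, and `show crypto ipsec sa peer 203.0.113.2` one child SA per ACL line with matching encaps/decaps counters on both ends; a child SA that exists on one ASA but not the other, as in the outputs above where Site 1 lists 3058.5 (172.22.0.0/16 to 172.27.99.0/24) and Site 2 does not, is the usual sign of crypto ACLs that do not mirror each other. When the peer is behind dynamic NAT its address is not known in advance, so a static entry cannot match it; the linked Cisco document covers that case with a dynamic crypto map and the DefaultL2LGroup tunnel-group instead.
-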
Restart problem with cd in drive
So it all started when trying to close a program and the system wouldn't allow it. I tried to restart it but it wouldn't do it. So I shut it down by holding the power button. When restarting it sent me to a blue screen with the spinner, then eventually to a screen with the arrow...but nothing else loaded. An additional problem with this, is the cd in the disc drive, so I can't use reboot discs. I tried holding shift to send me to safe mode, but it didn't work. Then I tried to eject the disc using the mouse button. After I did this, when restarting, it sends me to a system needs to restart screen! So now I have the restart screen, and a cd in the drive! How can this be fixed!?
Hi there,
try booting to Open Firmware by holding Apple-Option-O-F and then type in the following commands:
eject cd (hit return)
reboot (hit return)
Then I suggest you try the steps outlined in this article for the blue screen: http://docs.info.apple.com/article.html?artnum=106464. If nothing else works, you will have to archive and install the operating system; here is an article which outlines that procedure: http://docs.info.apple.com/article.html?artnum=107120. You will have to reinstall third-party software and run Software Update afterwards, but it will in almost every instance resolve the blue screen issue. Good luck to you. [ 8 ) ]
-
PI Demo Examples problems with executing CTC template for client setup
Dear SAP community,
I use PI 7.30 SP 4 and get the following exception if I use the CTC template to set up the PI demo examples in client 105
and 106
Web Services Configuration
Description
Exception in step "SRT_TECHNICAL_SETUP"
Exception details : java.lang.Exception: BAPIRET2 SRT_ADMIN 050 Could not create service destination
State
Step was skipped
In client 107, the template works after I delete the SAP_WSRT user. In clients 105 and 106, this leads to the exception above.
If the SAP_WSRT user exists, I get the exception that this user already exists when I run the template.
What should I do to fix this problem and properly implement the template on all clients?
PS: I use admin users with SAP_ALL rights. Maybe I use the wrong master password, because I use the one of my SAP_ALL user. This works at least for using the template within client107.
Andreas
Hi Mark,
in my case the workaround of deleting the service user works only in Client 107.
The additional problem with a missing service destination occurs already after deleting the service user in Clients 105 and 106. Will this additional problem also be treated in the new note?
Joerg-Joachim Klossika has already added the workaround I proposed to him for the existing service user to this note.
I still cannot resolve the problem with the missing service destination.
regards
Andreas
-
A problem with drawing small circles...
I can't draw small circles and dots. Don't advise me to use the zoom. Is it a normal issue for Samsung Note 10.1 or Photoshop Touch?
I have the same problem on my samsung galaxy note 10.1 and PS touch v 1.2.0 (can't upgrade it without new official firmware).
And I really don't know how to post a screenshot of items that cannot be painted with your software.
On this device drawing is done with a stylus (if you don't know). The stylus provides great precision and allows you to paint small details.
The problem is that the brush does not start drawing immediately after the stylus touches the screen. Instead it waits until the user has moved the stylus away from the start point by 3 millimetres, and only after that does Photoshop draw the first segment of the line. If you try to draw a small circle with a diameter of 3 mm, Photoshop will draw just the start point, because the stylus never leaves the 3 mm area around the touch point. This also means that you can't draw lines shorter than 3 mm, and that every line starts with a 3 mm straight segment. So you can't draw small details.
This small thing (and also the bugs with the smudge and blur tools, the opacity problems with the brush and the awful color picking tool) makes painting with Photoshop really tricky.
Maybe you made this 3 mm margin to make your color picker work (which picks a color only after touching the screen and then pressing the side button). But it is unobvious to users (as you can see from the questions on your forums) and brings some additional problems with painting (as you can see in this post).
And what is really terrible is that I can't just delete your useless software without root rights, because it was preinstalled by Samsung.
Best regards.