Applying Extended ACL close to Destination

Hi Everyone,
I need to share something here. Mostly we use extended ACLs close to the source.
In this scenario I needed to use the extended ACL close to the destination to fix the issue.
Here is the info:
Server 1 is connected to interface X of ASA1, which has a WAN connection to ASA2; ASA2 has a connection to ASA3.
Now ASA3 is learning the source server IP via its Y interface.
In order to reach the destination server, ASA3 has to go through its interface Z.
There was an ACL on ASA3 which denied traffic from the source server IP to the destination IP on interface Y.
I applied the ACL on ASA3 to allow the traffic and it worked.
Has someone else also seen this behaviour?
Regards
Mahesh

Hi,
The thing depends on whether I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allows that traffic. Even if the first ASA1 allows these connections in its ACL rules, it might still be that ASA2 or ASA3 has a configuration that doesn't allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesn't mean that it would reach its destination, as there are different firewalls on the way.
Just as an example I could mention one real-life setup that I manage.
The setup always contains 4 firewalls (at minimum):
  • One is the customer firewall/VPN device
  • One is our VPN device
  • One is our firewall device
  • One is our partner firewall device
This means essentially that for the Customer to reach the Partner site's servers, the traffic has to go through at least 4 firewalls. Because of the policy chosen we only have to make sure that the Customer and the Partner firewalls allow the traffic, as our firewalls don't do any access control (they just provide the connectivity between sites).
- Jouni

Similar Messages

  • Standard and Extended ACLs?

    I just want to know: if extended IP access lists can do all tasks (I mean, extended access lists have a lot of controlling parameters), then why do people use standard access lists instead of extended access lists?
    I just want to know in which scenario we should use STD ACLs instead of EXTD ACLs, and what special advantage there is in using STD over EXTD ACLs.
    Please reply.

    To summarize what the other posters have already noted, the two principal reasons why one might use a standard ACL (which could also be functionally accomplished by an extended ACL) are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
    Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.
    Logically the standard ACL ACE:
    access-list 10 permit host 1.1.1.1
    should be the same as this extended ACL ACE:
    permit ip host 1.1.1.1 any
    But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP.  Should this happen?  No, but such might happen because of different generations of code and/or different teams working on ACL processing.
    BTW, if there is a significant performance difference, it's just as possible extended works better.
    Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering.  (Also, if this is "discovered", it's very likely to be very device and IOS version specific.  Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)

  • WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

    I've come across a number of implementations where the ACLs associated with services 61 & 62 are using extended access-lists. I am writing with specific reference to WCCP configured in promiscuous mode.
    Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP, is there really a need for extended ACLs for redirection? Furthermore, in a simple implementation you do not need separate ACLs linked to 61 & 62; I don't think so.
    Standard ACLs parse the filtration process more quickly than extended.
    thanks
    Ajaz

    The extended access-lists are used because some TCP traffic does not need to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that, standard access-lists can be used.

  • Extended ACL TCP port control

    Hi all,
    I have configured an ACL to control traffic going in/out of an interface via TCP ports. However, after applying the ACL to the interface, I find that even though ports are allowed, traffic is blocked by the ACL.
    I suspected that it could be that the initial TCP handshake (SYN, SYN-ACK, ACK etc.) is not being allowed (due to the implicit deny). When I included that in the ACL, it worked. Is this a necessary step in an ACL that controls by TCP port?
    Reason is, some of the acl configured with tcp port control has not been configured to allow SYN, ACK etc but it works when some of these ACLs are applied to other interface.

    Hi,
    Thanks for the response. As far as the config of the ACL, it's quite straight forward with the thing i'm trying to achieve. 1.1.1.190 & 1.1.1.192 are Mail servers. The objective is to control both .190 & .192. The config is as below:
    interface Vlan2
    description For Mail
    ip address 1.1.1.129 255.255.255.0
    ip access-group 2002 in
    end
    C6500#sh access-li 2002
    Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
    When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
    Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

  • Extended ACL permit ip and allowed ports

    Hi everyone,
    I need to confirm: if we have an extended ACL with the object groups below
    access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
    will the above ACL allow all the ports on the destination object group?
    Thanks
    mahesh

    And to illustrate the situation above
    Situation 1 - Only allow rule exists on the ACL
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    Allow ALL TCP/UDP source and destination ports
    Allow those from the source networks of SOURCE to the destination networks of DESTINATION
    Situation 2 - Deny rules exist before the allowing rule
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
    access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
    It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
    It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
    The key thing to notice of course would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
    So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port, since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
    In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group".
    - Jouni
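
The two points Jouni makes on this page (every firewall on the path must permit the flow, and within one ACL the first matching line decides) can be checked with a small model. This is an added example, not code from the thread: the `Ace`, `evaluate` and `trace` names are hypothetical, the ASA1/ASA2 permit-all policies are constructed, and placing the "Situation 2" ACL on ASA3 is an assumption made only to join the two cases.

```python
"""Added example: first-match ACL evaluation along a multi-firewall path."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, else "tcp"/"udp"
    src: tuple                    # source networks (an object-group is several)
    dst: tuple                    # destination networks
    dport: Optional[int] = None   # None means any destination port


def nets(*cidrs):
    """Build a tuple of networks; a single host is written as a /32."""
    return tuple(ip_network(c) for c in cidrs)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, line). The first matching line wins; if nothing
    matches, the implicit deny applies and line is None."""
    s, d = ip_address(src), ip_address(dst)
    for line, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if any(s in n for n in ace.src) and any(d in n for n in ace.dst):
            return ace.action, line
    return "deny", None


def trace(path, proto, src, dst, dport):
    """Walk the firewalls in path order. Return (device, line) for the first
    device that drops the flow, or ("delivered", None) if all permit it."""
    for device, acl in path:
        action, line = evaluate(acl, proto, src, dst, dport)
        if action == "deny":
            return device, line
    return "delivered", None


# Object groups and ACL taken from "Situation 2" on this page.
SOURCE = nets("10.10.10.0/24", "10.10.20.0/24")
DESTINATION = nets("10.10.100.0/24", "10.10.200.0/24")
SOURCE_IN = [
    Ace("deny", "ip", nets("10.10.10.10/32"), nets("10.10.100.100/32")),
    Ace("deny", "tcp", nets("10.10.10.10/32"), nets("10.10.200.200/32"), 80),
    Ace("permit", "ip", SOURCE, DESTINATION),
]

# Constructed for illustration: ASA1 and ASA2 permit everything, ASA3
# carries the ACL above on the interface where it learns the source.
ANY = nets("0.0.0.0/0")
PERMIT_ALL = [Ace("permit", "ip", ANY, ANY)]
PATH = [("ASA1", PERMIT_ALL), ("ASA2", PERMIT_ALL), ("ASA3", SOURCE_IN)]

if __name__ == "__main__":
    flows = [
        ("tcp", "10.10.10.10", "10.10.100.100", 443),
        ("tcp", "10.10.10.10", "10.10.200.200", 80),
        ("tcp", "10.10.10.10", "10.10.200.200", 443),
        ("tcp", "10.10.20.5", "10.10.100.100", 443),
        ("tcp", "10.10.30.1", "10.10.100.1", 22),
    ]
    for flow in flows:
        print(flow, "->", trace(PATH, *flow))
```

The device and line number returned by `trace` are what you would confirm on the real firewall with its ACL hit counters before changing any rule.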

  • Extended ACL Issue

    I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
    I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
    ip access-list extended ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
    permit tcp any any established
    Is there a better way to do this? Does this extended ACL work for my purpose?

    What direction did you apply this? I'm assuming in the inbound direction?
    Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
    Try the following:
    ip access-list ext ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
    Apply to your loopback:
    ip access-group ACL_TCP in
    Next question:
    Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
    HTH,
    John

  • Use extended ACL with NAT

    Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW, an ASA, there are these NAT rules configured.
    I just couldn't figure out why they use an extended ACL for the sources. Isn't the standard one good enough?
    Thanks in advance,
    Han
    access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
    global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
    global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
    nat (inside) 0 access-list inside_nat0_outbound_5
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 2 0.0.0.0 0.0.0.0

    Hi Han,
    If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
    standard ACL:
    access-list 10 standard permit ip 172.16.0.0
    Extended ACL:
    access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
    This is how it differs. In your scenario the destination is specific while the source is any. So the extended ACL comes into the picture for that. Hope this clears it up for you.
    Please do rate if the given information helps.
    By
    Karthik

  • Dynamically adding to PDF after applying Extended Reader Rights

    All,
         I've created a PDF with a digital signature in Acrobat X Pro and applied the extended Reader rights. What I am trying (and failing) to do now is add new pages to the PDF via a Java library (BFO) on a server. When a user eventually brings up the PDF in Reader, they receive a warning about how the extended rights have been revoked since the PDF has been modified. Is there any way to maintain the rights while building the PDFs? Or is the only way to dynamically build a PDF with a digital signature that can be user-signed in Reader through the LiveCycle/ADEP services?

    You have to prepare the PDF BEFORE you add the extended Rights.  Once it's been rights enabled, you can't modify it w/o breaking the rights.

  • Catalyst 3560 Extended ACLs

    I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
    I am looking for confirmation of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
    Below is the ACL / Policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
    I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source address, all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
    access-list 101 remark Voice Bearer Signalling
    access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
    access-list 102 remark Call Control Signalling (udp 5440-5445)
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
    class-map match-any IngressCallControlSignalling
    match access-group 102
    class-map match-any IngressVoiceBearer
    description All Inbound Voice Bearer traffic on UDP 5004
    match access-group 101
    policy-map IngressVoIP
    class IngressVoiceBearer
    set dscp ef
    class IngressCallControlSignalling
    set dscp af31
    class class-default
    set dscp default
    Switch Output:
    switch#sh mls qos int g0/1 statistics
    GigabitEthernet0/1
    dscp: outgoing
    0 - 4 : 12359302 0 0 0 0
    5 - 9 : 0 0 0 0 0
    10 - 14 : 0 0 0 0 0
    15 - 19 : 0 0 0 0 0
    20 - 24 : 0 0 0 0 0
    25 - 29 : 0 0 0 0 0
    30 - 34 : 0 0 0 0 0
    35 - 39 : 0 0 0 0 0
    40 - 44 : 0 0 0 0 0
    45 - 49 : 0 1837749 0 9716 0
    50 - 54 : 0 0 0 0 0
    55 - 59 : 0 0 0 0 0
    60 - 64 : 0 0 0 0

    Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
    ip access-list extended VOICE-CONTROL
    permit tcp any any range 2000 2002
    permit tcp any range 2000 2002 any
    permit tcp any any range 11000 11999
    permit tcp any any range 1718 1720
    permit udp any any range 1718 1719
    permit udp any any range 2427 2428
    permit tcp any any range 2443 2445
    permit tcp any any range 5555 5599
    But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
    Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
    -Mark

  • Displaying  "Your Session is going to time out , Extend or Close" dialog ?

    Hi!
    We have a requirement to display a warning message to users just (1 minute) before the session is going to time out, and ask the user if he wants to extend the session or close the session (in which case we close the browser window). We have come up with a probable solution but would like to know what other people are doing/will do in similar scenarios.
    Here is what we came up with:
    1. On every page load we set/update a cookie which is meant to track the session timeout. And we have a JavaScript timer that counts down the user's inactivity. If any PPR occurs on the page, then we plan to add a hook to the PPR JavaScript calls so that we can update the timeout cookie not only on page load/refresh but also on every PPR call made to the server.
    We have a worry that we are doing everything on the client side, solely depending on JavaScript. Is our approach in the right direction? Is there any better way to achieve the same? Are there any pitfalls/security issues involved in our design?
    2. I have read in some articles/forum threads that we can poll the server at a regular interval to find out the time remaining for the session to expire, and once we get to the last minute we can display a JavaScript popup to the user. But I have a doubt: wouldn't polling itself refresh the user activity on the server and reset the session timeout to normal on every poll? In that case wouldn't we always get the same time-remaining info for every poll? Have I misunderstood something here? Can someone explain how to implement the session timeout based on polling the server?
    3. Any new ideas are welcome!
    Thanks and Regards,
    Samba

    Hi,
    Well, if you use the af:poll command then the session will never expire because, from a server point of view, the user frequently sends a request. So if you prefer this option then you will have to expire the session programmatically by calling invalidate() on the session.
    JavaScript is the only option I can imagine that works without polling.
    Frank

  • Extended acl - multiple ports on same acl line

    hello
    i'm working on a (long) acl and have started looking at putting multiple ports on the same line
    e.g.
    instead of:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80
    permit tcp any host 10.10.10.1 eq 443
    i'd use:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80 443
    it's shortening the acl considerably but the question is:
    does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
    what is the maximum number of ports that can be included on the same line - is it platform/ios dependent?
    thanks
    andy

    Hello
    No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
    Cisco3750#show platform tcam utilization
    CAM Utilization for ASIC# 0                      Max            Used
                                                             Masks/Values    Masks/values
    IPv4 security aces:                          1024/1024         33/33
    Note: Allocation of TCAM entries per feature uses
    a complex algorithm. The above information is meant
    to provide an abstract view of the current TCAM utilization
    As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
    thanks
    Andy

  • Sign tools disabled after applying extended features to document.

    I have a form where I need to be able to save data typed into the fillable fields, and I also need to sign this document. I need to sign the document using the Sign tools panel, so that I can apply an ink signature and use the "Signed. Proceed to Send" feature. This way I can save a flattened copy of the form after it has been filled in and signed. If I do not enable extended features I am able to use the Sign tools panel, but I am not able to save a copy. If I enable extended features, I cannot use the Sign tools panel and can only sign from the Extended tools. The problem is this takes away the ability to use the "Signed. Proceed to Send" feature. When I click on the Sign tool button I get a warning telling me "The security setting on this document prevents adding and/or placing a signature on it from Adobe Reader."
    I don't need to use the digital signature feature; I need to be able to have three people apply an ink signature to a form, and then be able to flatten the form.

    I use the forms to document training for 8 people on a weekly basis, which is why I need to be able to save a copy of the form. The document then needs to be signed by the student, the supervisor, and myself. From there the document gets e-filed, but it needs to be stored in a flattened state. So the Save a copy after the "Signed. Proceed to Send" allows me to save a flattened copy. On the computer I use to have the form signed I do not have Acrobat Pro installed, so I do not have the option of flattening the document by choosing the save to PDF from the print screen.

  • Extended ACL and FTP

    We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
    permit tcp any any established

    Maybe this link should help.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
    Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
    So instead you use
    access-list 100 permit tcp any host 192.168.1.100 gt 1023
    You should use
    access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
    But, in my opinion, from the server's view, active FTP is more secure than passive.
    Hope this helps
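
An added example (not from the thread or the linked Cisco document) modelling why swapping `gt 1023` for `established` on an ACL applied outbound toward the local network breaks active FTP but not passive FTP: `established` only matches TCP segments with ACK or RST set. The sessions, port numbers and function names are constructed for illustration, and the source-port-20 rule is an assumption about one possible addition, not something the posters proposed.

```python
"""Added example: `established` versus `gt 1023` for FTP toward local clients."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    note: str
    to_local: bool      # True: leaves the router toward the local network,
                        # so the outbound ACL on that interface applies
    sport: int
    dport: int
    flags: frozenset    # TCP flags set on the segment


def seg(note, to_local, sport, dport, *flags):
    return Seg(note, to_local, sport, dport, frozenset(flags))


def established(s):
    """The `established` keyword: true when ACK or RST is set."""
    return bool(s.flags & {"ACK", "RST"})


def acl_gt_1023(s):
    """Old rule: permit tcp any any gt 1023 (destination port above 1023)."""
    return s.dport > 1023


def acl_established(s):
    """New rule: permit tcp any any established."""
    return established(s)


def acl_established_plus_ftp_data(s):
    """Assumed variant: established, plus segments sourced from port 20
    (ftp-data) to a high port. The source port is chosen by the sender, so
    this is weaker than having clients use passive mode."""
    return established(s) or (s.sport == 20 and s.dport > 1023)


def first_drop(acl, session):
    """Return the note of the first segment toward the local network that
    the ACL denies (implicit deny), or None if the whole session passes."""
    for s in session:
        if s.to_local and not acl(s):
            return s.note
    return None


# Constructed sessions: local client, FTP server on the far side.
CONTROL = [
    seg("control SYN", False, 50000, 21, "SYN"),
    seg("control SYN-ACK", True, 21, 50000, "SYN", "ACK"),
    seg("control ACK and commands", False, 50000, 21, "ACK", "PSH"),
    seg("control replies", True, 21, 50000, "ACK", "PSH"),
]
ACTIVE_FTP = CONTROL + [
    # Active mode: the server opens the data connection from port 20.
    seg("data SYN from server", True, 20, 50001, "SYN"),
    seg("data SYN-ACK from client", False, 50001, 20, "SYN", "ACK"),
    seg("data payload", True, 20, 50001, "ACK", "PSH"),
]
PASSIVE_FTP = CONTROL + [
    # Passive mode: the client opens the data connection; 6000 is inside
    # the 6000-6100 passive range mentioned in the reply above.
    seg("data SYN from client", False, 50002, 6000, "SYN"),
    seg("data SYN-ACK from server", True, 6000, 50002, "SYN", "ACK"),
    seg("data payload", True, 6000, 50002, "ACK", "PSH"),
]
UNSOLICITED = [seg("unsolicited SYN to local high port", True, 40000, 3389, "SYN")]

if __name__ == "__main__":
    rules = [acl_gt_1023, acl_established, acl_established_plus_ftp_data]
    sessions = [("active", ACTIVE_FTP), ("passive", PASSIVE_FTP),
                ("unsolicited", UNSOLICITED)]
    for acl in rules:
        for name, session in sessions:
            print(f"{acl.__name__:32} {name:12} first drop: {first_drop(acl, session)}")
```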

  • Extended ACL for DHCP

    Hi,
    I'm having a problem creating an ACL to allow DHCP.
    I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
    Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
    I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:
    permit udp any host 172.16.30.4 log
    permit tcp any host 172.16.30.4 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
    deny ip any any (28 matches)
    172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified them whilst debugging this problem - my initial config was for ports 67 and 68.
    I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
    The IP helper address is configured on the interface and is 172.16.30.4.
    Can someone let me know what I'm missing?
    Cheers,
    Steve

    Hi,
    Thanks for the response - I'll try the ACL for DHCP shortly.
    With regard to the ACL:
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    you are correct, that is for DNS.
    However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
    Cheers,
    Steve

  • How to configure appli specific Queue & Topics in destinations-service.xml

    Hello All,
    I am trying to configure JBoss Messaging 1.4.5GA in JBoss-4.3.0 (Enterprise Edition).
    I am configuring my application-specific Queues and Topics in destinations-service.xml, but the Queue is not getting registered in JBoss.
    I am getting following error in jboss :
    [ServiceConfigurator] Problem configuring service jboss.messaging.destination:service=Queue,name=jms/servers/logmon/MonitorInQueue
    org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@1e32382 on mbean jboss.messaging.destination:service=Queue,name=jms/servers/logmon/MonitorInQueue; - nested throwable: (javax.management.AttributeNotFoundException: not found: DestinationManager)
    at org.jboss.system.ServiceConfigurator.setAttribute(ServiceConfigurator.java:698)
    at org.jboss.system.ServiceConfigurator.configure(ServiceConfigurator.java:380)
    at org.jboss.system.ServiceConfigurator.internalInstall(ServiceConfigurator.java:460)
    at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:171)
    at org.jboss.system.ServiceController.install(ServiceController.java:226)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    My destinations-service.xml is under "jboss-4.3.0\server\MySiteServer\deploy\jboss-messaging.sar", not in the deploy directory of JBoss.
    Is it the right place to configure destination queues and topics?
    My destinations-service.xml is like given below :
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
    <mbean code="org.jboss.jms.server.destination.QueueService"
    name="jboss.messaging.destination:service=Queue,name=jms/servers/logmon/MonitorInQueue"
    xmbean-dd="xmdesc/Queue-xmbean.xml"> ( what is this line for ??)
    <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
    <depends>jboss.messaging:service=PostOffice</depends>
    <depends optional-attribute-name="DestinationManager">jboss.messaging:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.messaging:service=SecurityManager</depends>
    <attribute name="SecurityConf">
    <security>
    <role name="guest" read="true" write="true"/>
    <role name="publisher" read="true" write="true" create="false"/>
    <role name="noacc" read="false" write="false" create="false"/>
    </security>
    </attribute>
    </mbean>
    </server>
    Please help me in configuring DestinationManager and SecurityManager also !!!
    You can view attached destinations-service.xml.
    Thanks in advance for your efforts to resolve my problem, Thanks !!!
    Regards,
    Rahul Aahir
    Edited by: Rahul_Aahir9885 on Sep 16, 2010 9:31 AM

    Unless there happen to be any JBoss experts reading this, you may have more success asking your question in a JBoss-specific forum.
