ASA 5505 getting DHCP from the outside interface
Hi, I have this configuration on the ASA client:
: Saved
: Written by enable_15 at 13:39:22.779 UTC Thu Aug 15 2013
ASA Version 8.2(5)
hostname Lakewood
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.100.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.100.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.100.2.50-172.100.2.125 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
This ASA client is getting DHCP from another ASA at another location; the ASA on the other side cannot ping devices on the client side.
This is the server ASA:
ASA Version 8.2(1)
name 50.66.169.176 OutsideWorld
name 172.100.2.0 Lakewood
interface Vlan1
nameif inside
security-level 100
ip address 172.100.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.66.202 255.255.255.248
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
What type of configuration is this?
How can I get both sides to ping each other and allow all the traffic?
Thanks in advance.
Do you have a diagram of your setup and a more detailed description of what you want to do?
The public interface of your main ASA looks like you are connecting to the internet. In that case, the IP address for the client has to come from the ISP and not from your main ASA.
Similar Messages
-
Relay settings to get mail from the outside world
Hello. First, let me say - I'm a mail newbie, so be gentle.
I've just recently set up my mail server, and I am having an issue where I can receive mail from some people and not from others. Those who cannot send me mail get an error about the relay not accepting it. In server admin, I have checked accept SMTP relays only from these hosts and networks, and I have put in 127.0.0.1/32 and my server's ip/32 (at the advice of apple tech support when I was configuring mail). Is something missing here that would allow me to receive mail from anyone? Thanks in advance for any help.
Here you go. Thank you.
Admin$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname,localhost.$mydomain,localhost,brainart.biz,www.artsmiths.biz,artsmiths.biz,www.brainart.biz,mail.artsmiths.biz,smtp.artsmiths.biz,mail.brainart.biz,smtp.brainart.biz
mydomain = artsmiths.biz
mydomain_fallback = localhost
myhostname = artsmiths.biz
mynetworks = 127.0.0.1/32,70.90.83.165/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_pw_server_security_options = none
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = no
smtpd_tls_key_file =
smtpd_use_pw_server = no
unknown_local_recipient_reject_code = 550
-
How do I block pings from the outside to the ASA 5505 outside interface?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection”.
You are allowing echo-reply, thus it will reply to a ping.
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric
-
Hello Again!
I am a very new user of LabView, and last week I got the order to implement a communication with a CAN interface.
I am trying to get information from a CAN interface that works as a "slave", as it is said in the very short handbook. This means it only responds when it is asked to.
As I want to get the 20 different data items periodically, it would be fine to do this in a kind of loop. This means:
-tell the interface to send data 1
-read data 1
-tell the interface to send data 2
Are there any examples or ideas how to create similar loops?
As I am absolutely no expert in computing, it would be nice if you answer with very few technical terms...
Thanks RT
Hi RT,
Try the attached example, which writes a remote frame to your slave and reads the response. It is doing this 20 times in a for loop and a specified timing.
Hope that helps.
DirkW
Attachments:
CAN Receive Periodic using Remote.vi 97 KB
-
Get certificate from the browser
Hi friends!,
I am working with an application to get files from the client machine, to sign those files with the client's certificate and send those sign to the server.
The application gets the client's certificate from a key store, but I want the applet to get the certificate from the browser.
Is that possible?
Thanks and sorry for my little English. Greetings from Venezuela.
If all you're looking for is Client SSL Authentication, then you don't need to access the digital certificates through an applet; just enable ClientAuth on your web-server and let the browser handle it for you. While I haven't tried this with Chrome, Safari or Opera, I know for a fact that this works on Firefox and IE.
If you're trying to access the digital certificates/keys in the browser-keystore for digitally signing some content that the applet creates, you're going to have far more difficulty. About 10-12 years ago, Netscape provided an API that allowed you to digitally sign text-content through JavaScript. That died a quiet death, I think, since I don't know of anyone who used that capability (outside of test environments).
Years later, Mozilla added the ability to digitally sign XML content using XForms; there is even an add-on for Thunderbird (which uses the same libraries as Firefox for PKCS work): https://addons.mozilla.org/en-US/thunderbird/addon/4522/.
However, to the best of my knowledge, the only way you can get an applet to access the browser's keystore today is to have the security policy on the client-machine modified to provide access to the local file-system, and the applet then pretty much deals with the keystore and its objects through JCE.
But, if I'm reading your post correctly, I think all you're looking for is SSL ClientAuth, for which you don't need to do anything other than enable it on your web-server that hosts the applets, and let the browser do the heavy lifting.
Arshad Noor
StrongAuth, Inc.
-
Do I need to get authorization from the software owner?
I am using Captivate to do a software simulation. Do I have to get authorization from the software owner to sell my simulation of his software? Are the screen captures copyrighted?
Thank you.
I'm actually trying to find out about using screenshots of Adobe software. I've done some Premiere Pro tutorials and I'd like to monetize them on YouTube but their conditions state "You can monetize videos showing software user interface only if you have a contract with the publisher or you have paid a licensing fee".
I'm hoping that Adobe's Permissions and trademark guidelines (http://www.adobe.com/misc/permissions.html) would be enough but there's a problem there too. Adobe's conditions state "Your use must contain the entire screenshot. You may not use portions of the screenshots". That's hopelessly restrictive - obviously I want to be able to zoom in and show closeups of the interface. There's a form to apply for special permission (http://www.adobe.com/misc/pdfs/PermissionRequestForm.pdf) but it's not practical (e.g. every single usage must be renewed annually). I can't believe that all those tutorial producers on YouTube are jumping through these hoops to get the right permissions.
So what is everyone doing? Just ignoring the whole permission thing and hoping for the best?
-
Best Practices for configuring ICMP from the outside
Question,
Are there any best practices or best recommendations on how ICMP should be configured from the outside? I have been cleaning up the rules on our ASA as a lot were simply ported over years ago when we retired our PIX. I noticed that there is a rule to allow ICMP any any and began to wonder how this works when the rules above are specific IP addresses and specific ports. This in turn started me looking to see if there was any documentation or anything to help me determine a best practice. Anyone know of anything?
As a second part, how does this flow on a firewall if all the addresses are natted? Is the ICMP traffic simply passed through the NAT and the destination simply responds?
Brent
Here you go, bro!
http://checkthenetwork.com/networksecurity%20Cisco%20ASA%20Firewall%20Best%20Practices%20for%20Firewall%20Deployment%201.asp#_Toc218778855
access-list inside permit icmp any any echo
access-list inside permit icmp any any echo-reply
access-list inside permit icmp any any unreachable
access-list inside permit icmp any any time-exceeded
access-list inside permit icmp any any packets-too-big
access-list inside permit udp any any eq 33434 33464
access-list inside deny icmp any any log
P/S: if you think this comment is useful, please do rate them nicely :-)
-
Blocking unsolicited echo-reply from the outside of firewall
What is the easiest way to stop unsolicited icmp echo-reply packets coming from the outside of an Cisco ASA 5500 firewall?
Hi,
The firewall should not allow any ICMP Echo replies through the firewall if it hasn't seen an Echo for that same reply.
Instead of allowing inbound ICMP from the WAN with an ACL, you should configure ICMP Inspection.
In a very default ASA configuration they would be added in the following way:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Hope this helps
- Jouni
-
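To make the difference between the two approaches in this thread and in the "Block / Deny ICMP Echo" thread above concrete, here is an added Python model (not from either thread, not Cisco's code) of through-the-box ICMP handling: a stateful inspector in the spirit of `inspect icmp`, which only admits an echo-reply that matches an echo it saw leave, beside an outside ACL in the spirit of `permit icmp any any echo-reply`, which admits every inbound echo-reply. The packet trace is constructed, the inside address is taken from the DHCP pool in the first post, and NAT and to-the-box `icmp deny` handling are ignored.

```python
"""Model of why stateful ICMP inspection drops unsolicited echo-replies while an
inbound ACL permitting echo-reply lets them all through. Added illustration with
a constructed trace; it ignores NAT and treats only through-the-box traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: str       # "echo" or "echo-reply"
    ident: int      # ICMP identifier
    seq: int        # ICMP sequence number
    direction: str  # "out" (inside -> outside) or "in" (outside -> inside)


class IcmpInspector:
    """Remembers outbound echo requests and admits only the matching reply."""

    def __init__(self):
        self.pending = set()  # (inside_host, outside_host, ident, seq)

    def decide(self, pkt):
        if pkt.direction == "out" and pkt.type == "echo":
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "permit"
        if pkt.direction == "in" and pkt.type == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)  # one request, one reply
                return "permit"
            return "drop: unsolicited echo-reply"
        if pkt.direction == "in" and pkt.type == "echo":
            return "drop: inbound echo not permitted"
        return "permit"  # other outbound ICMP is allowed by the higher security level


def acl_permit_echo_reply(pkt):
    """Outside ACL `permit icmp any any echo-reply`: no state, so every inbound
    echo-reply is allowed whether or not anyone on the inside asked for it."""
    if pkt.direction == "in":
        return "permit" if pkt.type == "echo-reply" else "drop: implicit deny"
    return "permit"


# Constructed trace: one legitimate ping exchange followed by three inbound
# packets that nothing on the inside solicited. Outside hosts use TEST-NET space.
TRACE = [
    Icmp("172.100.2.50", "198.51.100.7", "echo", 0x1234, 1, "out"),
    Icmp("198.51.100.7", "172.100.2.50", "echo-reply", 0x1234, 1, "in"),  # legit reply
    Icmp("198.51.100.7", "172.100.2.50", "echo-reply", 0x1234, 1, "in"),  # replayed reply
    Icmp("203.0.113.9", "172.100.2.50", "echo-reply", 0x0001, 1, "in"),   # unsolicited reply
    Icmp("203.0.113.9", "172.100.2.50", "echo", 0x0002, 1, "in"),         # inbound ping
]


def run(trace, policy):
    return [policy(pkt) for pkt in trace]


def compare(trace=TRACE):
    """Verdicts for the same trace under both policies, in trace order."""
    inspector = IcmpInspector()
    return {
        "inspect icmp": run(trace, inspector.decide),
        "acl echo-reply": run(trace, acl_permit_echo_reply),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for pkt, verdict in zip(TRACE, verdicts):
            print(f"  {pkt.direction:>3} {pkt.type:<10} {pkt.src:>13} -> {pkt.dst:<13} {verdict}")
```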
Receiving accordion event from the "outside"
Hi,
I am using the accordion and need to keep track of events; specifically, the only thing I need right now is to know the new currentPanelIndex of the accordion after someone clicked a panel. What is the best way to do this?
I already tried hacking the spry.js (hacked into the openPanel function); it worked, but I do not want to touch the JS file (so I don't have to do this on every upgrade). I also tried doing it from the "outside" but I could not get it to work (after creating the accordion, I took the panels from the accordion, looped and got the tab from each panel and used addEventListener(tab,'click',myfunc,false), but in the first iteration after the call to addEventListener the loop did not continue).
Any help is appreciated.
Thanks,
You can extend it from the outside by defining a function that overrides openPanel() with a function that calls the original openPanel() and then executes whatever code you want. The function would look something like this:
function ExtendOpenPanel(acc) {
  var realFunc = acc.openPanel;          // keep the widget's original method
  acc.openPanel = function(panel) {
    var result = realFunc.call(acc, panel); // run the real openPanel first
    /* Add your code or function call here, e.g. read acc.currentPanel */
    return result;                          // preserve the original return value
  };
}
Then call the function after you create the widget:
var acc1 = new Spry.Widget.Accordion("acc1");
ExtendOpenPanel(acc1);
--== Kin ==--
-
Is there another way of getting apps from the App Store without putting your credit card number in? I've heard about the iTunes gift card thing; can anybody give me more info about that and how I can buy free things from the App Store? Please help, as I'm only a teenager and have no credit card, and my parents don't trust me with theirs, and they don't care about the fact that you can set up a password. PLEASE SOMEONE HELP, I WILL BE SO GRATEFUL... And I would really like to get the iPhone 4, but if there is no way of getting apps without your credit card number then I would have to get a Samsung Galaxy S3 maybe...
You can set up an Apple ID without a credit card.
Create iTunes Store account without credit card - Support - Apple - http://support.apple.com/kb/ht2534
-
Powerpivot Error on Refresh -- "We couldn't get data from the data model..."
I'm using Excel 2013 and Windows 8.1. I have a spreadsheet I've been using for over a year, and I've just started getting this error message when I try to refresh the data.
"We couldn't get data from the Data Model. Here's the error message we got:
The 'attributeRelationship' with 'AttributeID' - 'PuttDistCat9' doesn't exist in the collection"
Any idea how I can fix this problem? I haven't changed anything related to that particular attribute. All the data is contained in separate sheets in the workbook, so there are no external sources of data.
Thanks.
Jean
Thanks for all the suggestions.
I found a slightly older version of the spreadsheet that still refreshes properly, so I don't think I have any issues with the version of Excel or Power Query. (I've had this same error before, and I believe I applied the hotfix at that time.)
I think this problem started after I updated a number of the date filters in the pivot tables. I haven't made any changes to the data model, and the only updates I've made were to add data (which I do all the time), and to change the date filters on the pivot tables.
As suggested, I added a new pivot table querying one table (the table with the attribute that shows up in the error message), and it worked fine. I can also refresh this pivot table.
Then I tried adding a pivot table which went against several tables in the data model (including the table in question). The pivot table seemed to return that data properly. However, when I tried to refresh it, I got the same error message ("we couldn't get data from the data model...").
Dany also suggested running the queries one at a time to see which one is in error. Without checking all the pivot tables, it appears that any which use the table "HolePlayedStrokes" generate the error (this is the table with the attribute mentioned in the error message). Pivot Tables without that particular table seem to refresh OK. Unfortunately, that is the main table in my data model, so most of the pivot tables use it.
Any other suggestions? I'd be happy to send a copy of the spreadsheet.
Thanks for all the help.
Jean
-
My iPhone won't let me get apps from the store and it says my country is not valid. I have changed it and it says my postcode is wrong.
Also see the link below.
http://support.apple.com/kb/HT5018?viewlocale=en_US
-
Could you please tell me why, as a Brit resident in Japan and therefore having a Japanese billing address, I am forced to only get service from the Japanese online store? Is there not some way of allowing me to select movies and music to buy and download from other stores? Why am I forced to try to read Japanese when I have selected English as my language? The price for downloads is no different, and even if it was I am happy to pay. This also applies to movie rental, which is crazy and extremely restrictive. In a supposed GLOBAL community, why does Apple do this?
You can buy ONLY from the itunes store of your country of residence (As proven by valid billing address of credit card) and ONLY while inside the borders of that country.
These are the terms of the itunes store.
-
I'd like to get sound from the tv for my keynote presentations. Is there a way to do this via the hdmi connection? Or do I need to connect an 'audio-out? Thanks in advance for your help
The HDMI should transfer both sound and picture.
http://store.apple.com/us/product/HFQL2VC/A/moshi-mini-displayport-to-hdmi-adapter-4k?fnode=a8e08a2bb3c16bf3cd606aecff68b12c10fe327cd7b063c9bbc492e57158bbfa0778d5b941eb2a8c1c5f2e25e51cf7b82e193c9a722651b3fc2694996f7b5281b8bf4338c46284247b76ccce6907fa6caee062d974158ee4d0336fca558384426e7a6c6cbf3ee58c8f53f8db53c9ef91
Supports multi-channel digital audio output on compatible devices
Make sure your iPad is not muted.
Make sure your volume is not all the way down.
Make sure audio plays out of the iPad when not connected to the HDMI adapter.
If you did and it doesn't work, then it's likely an issue with the connector or the TV or its settings.
-
Open script cannot get connection from the browser helper after 15 seconds.
Error:
===
Open script cannot get connection from the browser helper after 15 seconds. Do you want to continue waiting for the browser to load?
Please Note:
========
1. I have tried this only on IE
2. I am running OATS on a Remote desktop
Situation:
======
Trying to stop the recording
Try to get xpath of an object using Inspect Path
Setup details
========
Windows XP 5.1 Service Pack 3, x86
OpenScript 12.1.0.1.383
Internet Explorer 8.0.6001.18702
FireFox 13.0.1
Mitigation steps done till now:
==================
1. Disabled windows firewall
2. Disable XSS filter setting
3. Restarted the ATS services (3 of them)
4. Run the Open Script Diagnosis Tool (PS: There are 3 errors even after running it. The 3 errors are listed in the workspace_log log file snippet below...)
Error in workspace_log:
=============
To Change setting:
Go to Tools > Internet Options and Choose Security Tab
Select the Zone to modify and Press Custom level
Find Enable XSS filter Setting - Select Disable and click Ok
!ENTRY oracle.oats.scripting.diagnosisTool.api.DiagnosisExecutor 4 0 2012-07-09 17:08:52.594
!MESSAGE Failure found when diagnosing Oracle EBS/Forms Load Testing Forms LT Diagnoser
!ENTRY oracle.oats.scripting.diagnosisTool.api.DiagnosisExecutor 4 0 2012-07-09 17:08:52.594
!MESSAGE Did not auto-fix the problem.
!ENTRY oracle.oats.scripting.diagnosisTool.api.DiagnosisExecutor 4 0 2012-07-09 17:08:52.594
!MESSAGE Suggestion for fixing: Please change your Java proxy setting to Use Browser Settings
Appreciate help on this.
To resolve this, you need to reconfigure the "Oracle Application Testing Suite Helper Service" (OATSHelperSvr) to start as a user who has privileges to run open script tests rather than the default SYSTEM user.
Reconfiguring the OATSHelperSvr Service:
1. Open the services panel (Start > Run > services.msc)
2. Find the Oracle Application Testing Suite Helper Service
3. Right Click > Properties then select the Log On Tab
4. Specify an interactive user that has rights to run OpenScript (test by logging in as that user and running tests):
5. Click OK
6. Restart the service after dialogs are closed by Right Click > Restart
7. You should now repeat this process for the "Oracle Application Testing Suite Agent Service" (eLoadAgentMon) Service (Two services in total)
You should now retry running the test in Oracle Test Manager