ASA 5510 context base configuration in HA Mode with two different subnet
Hi
Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
interface Ethernet0/1
no nameif
security-level 0
no ip address
interface Ethernet0/1.101
description INSIDE1
vlan 101
nameif INSIDE1
security-level 90
ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
interface Ethernet0/1.102
description INSIDE2
vlan 102
nameif INSIDE2
security-level 80
ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
interface Ethernet0/3
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
Hi Sanjeev,
If it is a context based configuration that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Thanks,
Varun Rao
Security Team,
Cisco TAC
Similar Messages
-
Configuring one LDAP domain with two OU (one RO, another RW)
Hi Team,
My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
We're using MS-ADS LDAP as an UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OU (NOT domains) such that:
1. One OU has read only access
2. Second OU has read/write access
Following is an illustration of the LDAP tree structure:
CORP_DOM
-- INT_USERS (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
-- INT_GROUPS (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
-- EXT_USERS (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
-- EXT_GROUPS (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
|-- SAccounts
|--
|--
Note the single LDAP domain, multiple user and group paths with different access privileges.
Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
Kindly let me know if anyone has come across or done such a configuration.
Thanks.Hi GLM,
You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
The issue I have is not about granting permissions - its more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OU (NOT domains). I'd need to access the directory with two different service users having differen access privileges.
I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
Thanks. -
Can I configure a 79xx Phone with two busy trigger using UCCE 8.5?
Hi, my name is Eric and I've some doubts to configure my Phones. First of all, I will explain my environment below:
- UCCE 8.5
- CM 8.5
- CVP 8.0
I would like to know if it's supported if I configure a 79xx Phone with 2 busy triggers configuration, because the customer would like to the agent's phone receive two calls per line.
Thank you very much.Eric,
No, this is not supported and stated as such in cisco docs.
Customer will need to designate separate DN for ACD calls and separate DN for DID/personal calls.
HTH,
Chris -
Read Only/ Plan Mode Changes for a layout with two different queries
Hi,
I have a situvation where a layout opens in a read only mode and when
the users click on button plan, it changes to plan mode. The catch here however is the queries
for read mode and plan mode are slightly different, in the read only mode the query has subtotals
and other calculations that are not a part of the plan mode ( where they input forecasts).
I know if the read and plan query are the same, we can achieve this through the command
SET_DATA_ENTRY_MODE. In case they are different, as above, how can i achieve this.
Thanks
Rashmi.Say you are using two different queries as DP1 & DP2 for Display and Plan mode respectively. You also have one Analysis grid item in Web template which initially points to DP1.
On PLAN button call command SET_ITEM_PARAMETER to set the data provider of analysis item to DP2.
OR
You have only one dataprovider in your web template as DP1 initially pointing to Query 1 which you want to show in Display mode. Then on PLAN button call a command SET_DATA_PROVIDER_PARAMETERS to point the DP1 to 2nd query instead of 1st query. You can find this command under Commands for data Provider --> Basic data provider commands.
Edited by: Deepti Maru on Nov 27, 2009 9:52 PM -
Configuring an Airport network with two separate nets...
Hi,
I need to configure my Airport Network to have two different local net: the first using 192.168.1.x, and the second using 192.168.2.x with the same gateway address in order that one net could not see the other one but both can use the same internet connection, connected to the main Airport Extreme through the wan port.
Normally to make it I work I configure the subnet of the router in 255.255.0.0.
But I can't find anything about the possibility to set up these LAN parameters (also the LAN IP of an Airport...!!!) on Airport Extreme.
Is there a way I can't find? I hope it can be possible to set these basic parameters like in every 30$ cheapest router...
Or maybe someone could help me to set up my network?
Thanx in advance for any reply,
GabI have DSL service from AT&T in San Francisco that includes five static WAN IP addresses behind a single Internet connection with gross speeds of 6Mbps down and 768Kbps up. This kind of service may not be available to you in Italia.
A fairly common use of this service is to provide a "public" Internet connection service for clients and guests while providing another "private" service restricted to employees and associates. Using up to five routers, you can set up to five different subnets that are independent of each other. All subnets share the same Internet pipeline, however.
In my case, I use separate subnets for various testing purposes. For example, I might use a separate subnet to test various functions of a new router without fear of causing problems with my primary network.
<Edited by Moderator> -
Cisco ASA 5510 Backup Interface configuration
Hi Experts,
I am a newbie with Cisco Firewalls, pls help.
We have a BSNL Leased Line of 2MBPS with few Static IP's of Which 2 IP's are configured in Firewall 1 For the Outside Interface and one for publishing the DMZ server. Most of the times due to some reasons or the other the BSNL line is going down. so now I need to configure one another TATA Broadband 1MBPS Dialup Line as a Backup for the BSNL Line so as to provide a uninterupted Internet to our users.
Pls guide me the Steps
Thank in Advance.
Anish NHi Anish,
Check the below mentioned link for configuration.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml -
Configuring dedicated/shared mode with DBCA wizard
Hello,
I've tried to configure several instances with DBCA wizard, both in dedicated and shared mode :
- when dedicated mode is selected, dispatchers parameter is set like this : "dispatchers=(PROTOCOL=TCP) (SERVICE=sidXDB)", and all connections at the instance will be in by default dedicated mode, even if the "shared_servers" parameters is greater than 0
- when shared mode is selected, dispatchers parameter is set like this : "dispatchers=(PROTOCOL=TCP)"
I thought that the instance would run automatically in shared mode if the "shared_servers" parameters is greater than 0, but that's untrue
Besides, I don't understand the link between the "(SERVICE=sidXDB)" option, which seems to be related to the XML database, and the connection mode to the instance.
This is quiet confusing to me, there is obviously something I don't know or I don't understand
Can anyone make it clear to a Oracle beginner ?
Thank you for help !
regards,
AntoineSHARED_SERVERS alone is not enough, it needs a corresponding dispatchers setting, something like 'dispatchers=(PROTOCOL=TCP)'. By default during a 10g database creation a XML DB is configured and 'dispatchers=(PROTOCOL=TCP) (SERVICE=sidXDB)' is dedicated to this XML DB, this dispatcher cannot serve any other database service. That means normal database connections are created as dedicated ones.
Werner -
Full screen mode with two displays ?
I use a second Apple Display with my iMac. When you enter into "full screen" with an app with Lion does it only become full screen on one of your displays leaving the other screen un-effected? Or, does it black out the other screen?
When you are in full screen mode can you place windows from the full screen app on the other display that is not in full screen mode?
Thanks.
Eli@captfred.
I'm still running 10.6.
I find it strange that iPhoto 8.1 has the ability to enter full screen without disabling or effecting the other display. You can even take a separate iphoto window, the effects window for example, and drag it to the other display. All while in full screen mode. Does this functionality disappear in Lion?
Is this behavior app specific?
eli -
Need help configuring: 2 wireless routers with 2 different SSID's on one network
Hello everyone:
I've been reading around on the forum trying to find the answer to this question, but have not found any clear cut answer that satisfies all my requirements. A more in-depth explanatiion.
I have 1 IP address coming in via cable modem. I want to configure two wireless routers (one secured with WPA-TKIP, and one unsecured--a "guest network" if you will) each with different SSID's. The secured network would be for my server, home PC's, IP webcams, DynDNS updating; while having an unsecured wireless router that friends and family can access. Ideally, I do not want anyone who accesses the unsecured wireless router to be able to get access into my secured network.
Can someone please tell me if this is possible. I think it is based on some posts I have already seen, but specific details about how to do it would be appreciated. Additionally, my DynDNS has to still be able to update with my ISP's IP so that I can access my server and home webcams.
EQUIPMENT
2 - WRT54G
1 - EZXS55W
1 - WVC200
1 - WVC54GC
(all of my stuff --webcam, server, dyndns, etc -- is working currently on my secured network. I just need to add the unsecured network)
I know this is a lot, but I would appreciate any help. THANKS.
Solved!
Go to Solution.You must have the main WRT54G router connected to the modem. Set up the secured wireless network on the main router. Connect all your wireless computers or devices to the main secured wireless network.
Let's consider the IP address of the main router is 192.168.1.1.
Now connect only one computer to the Port 1 on second wireless router.
Open the setup page of the second wireless router. Change the wireless settings, SSID, unsecured.
Change the IP address of the second router to 192.168.2.1. Save the settings.
Connect the cable from the Ethernet port on the main router to the Internet port on second wireless router.
Power cycle the second wireless router.
Now the guest computers connected to the second wireless unsecured wireless network will be able to access the Internet only. They will not able to see the computers or devices connected to the first wireless router. -
Configuration EWA in clien with two solution manager
Hello
I have a question I am activating EWA ¡on SOlman but I have two solman fo the same company, el first is for management r3 system and second is for management xrpm,bw,portal system.
The EWA is running in the first solman, and the saprouter I think is here too. So I want to activate the EWA in the second solman in the guide I have this note 33135 an this talks about connetion with SAP.
Is possible that the EWA in two solman for the same client.
Addionaly the Should the rscctool report run in the satellites systems too?
Thanks
DSHello Danny,
There should be no conflicts providing you keep a few things in mind.
On the Satellite, in SDCCN > Setting> Task>Specific> RFC Destination
Please make sure that you define one Solution Manager system as the Master. This will be the Solution Manger system that will schedule an SDCCN EarlyWatch Allert task automatically on the Satellite, throught the Maintenance Package, so it needs tol be the one specificed in the Mainatence Package task. In other words you set up the recommended EWA Activation as documented at http://service.sap.com/ewa for one Solution Manager system.
Then for additional Solutioin Manager systems you would create an SDCCN Task in the same way you would generate an ad hoc EWA report, only you would choose the RFC Destination for the second ( and/or subsequent) Solution Manager systems, and you would specify it as a periodic task so it would reschedule itself each week, so to affect automation of the sending of the SDNNC session data to the other Solution Manager Systems.
This way you will not have conflicts between the solution manager systems.
Regards,
Paul -
How do I configure my email page for two different email addresses?
I would like to have mail sent to two different email addresses, on my email page using Thunderbird.
How do I do that?There is no "New-existing Mail Account"
-
Ace module in bridged mode with client nat
Could someone confirm whatever a NAT is supported for ACE-20 module, please?
Let me to explain technical details.
I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
if the configuration below is correct. ACE module should be configured in bridge mode with two
vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
"policy-map type loadbalance"
Could you check two parts of configs and advise me if the ACE config is
properly converted from CSM and will be working in the same way (especialy for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdownHello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
Cisco 2960S Configured in Transparent mode
I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?
If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue.
I'd be keen to know if you have a firewall blocking anything from the IP address of the printer? Maybe the IP subnet mask or default gateway of the printer is not working?
What do you get when you do a "sh mac-address interface <PRINTER port>"? -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymousHi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per you recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
BPEL with TWO data base polling adapters????
Hi,
Can some one tell, Is it possible to have two data base polling adapters in one BPEl process??
What I am trying to do is , simultaneoulsy polling two independent data base tables in one bpel with two receive activities, but it did not work as BPEl should have only one start activity.
Please post your ideas , if we can achive this.
Thanks,
KumarSo, are you trying to detect the fact that two different rows in two different tables were both inserted? If so are they related some how? Are they parent child? Is one guaranteed to appear before the other?
I'm thinking two processes with database adapters that in turn call a third process which has two receives which are connected via a correlation set.
Another solution would be database triggers that look for the existence of both rows before inserting into a third table -- this third table would drive the database adapter.
Maybe you are looking for
-
My address bar has disappeared in Safari 5.1. When I click "Customize Toolbar" to fix it, the Home and arrow buttons become unusable--they just click but nothing happens.See image below. I have to close the window and open a new one to get the butto
-
Remote desktop (and VNC) show black screen
I am using Remote Desktop (or VNC) on a 10.6 laptop to access my 10.6 Mac Pro at work. The desktop Mac is up and awake because I can connect to it by SFTP and pull down files. But when I make a Remote Desktop connection, all I see is a black screen a
-
Ipod Touch 2nd gen. Backlight and App Problem
I bought an iPod touch 2nd gen. from a friend and it worked completely fine. But today, my iPod's backlight just randomly shut off. I can see the apps and everything works perfectly fine, the screen is just very dim. The iPod is jailbroken. Does anyo
-
Hi all, Please can you help? No matter what settings I use in my print options in InDesign CC 2014 (v.10), ALL transparent images with a drop shadow are printing with a white box behind the image. If I remove the drop shadow, all prints fine. I know
-
Hi, I'm running LR 3.4 64bit on a PC. My external drive starting generating error messages so I went out a purchased a 2nd external drive (3TB Seagate) to migrate my image Catalog over. Within LR's Import dialog screen I selected the Source drive (