ASA 5510 context base configuration in HA Mode with two different subnet

Hi
Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
interface Ethernet0/1
no nameif
security-level 0
no ip address
interface Ethernet0/1.101
description INSIDE1
vlan 101
nameif INSIDE1
security-level 90
ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
interface Ethernet0/1.102
description INSIDE2
vlan 102
nameif INSIDE2
security-level 80
ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
interface Ethernet0/3
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

Hi Sanjeev,
If it is a context-based configuration that you are doing, then you would need to configure contexts on the ASA first. You can refer to this document for it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Thanks,
Varun Rao
Security Team,
Cisco TAC

Similar Messages

  • Configuring one LDAP domain with two OU (one RO, another RW)

    Hi Team,
    My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
    We're using MS-ADS LDAP as an UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OU (NOT domains) such that:
        1. One OU has read only access
        2. Second OU has read/write access
    Following is an illustration of the LDAP tree structure:
    CORP_DOM
    -- INT_USERS    (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- INT_GROUPS  (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- EXT_USERS    (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
    -- EXT_GROUPS  (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
       |-- SAccounts
       |--
       |--
    Note the single LDAP domain, multiple user and group paths with different access privileges.
    Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
    I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
    Kindly let me know if anyone has come across or done such a configuration.
    Thanks.

    Hi GLM,
    You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
    The issue I have is not about granting permissions - it's more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OU (NOT domains). I'd need to access the directory with two different service users having different access privileges.
    I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
    Thanks.

  • Can I configure a 79xx Phone with two busy trigger using UCCE 8.5?

    Hi, my name is Eric and I've some doubts to configure my Phones. First of all, I will explain my environment below:
    - UCCE 8.5
    - CM 8.5
    - CVP 8.0
    I would like to know if it's supported to configure a 79xx Phone with 2 busy triggers, because the customer would like the agent's phone to receive two calls per line.
    Thank you very much.

    Eric,
    No, this is not supported and stated as such in cisco docs.
    Customer will need to designate separate DN for ACD calls and separate DN for DID/personal calls.
    HTH,
    Chris

  • Read Only/ Plan Mode Changes for a layout with two different queries

    Hi,
    I have a situation where a layout opens in a read only mode and when
    the users click on button plan, it changes to plan mode. The catch here however is the queries
    for read mode and plan mode are slightly different, in the read only mode the query has subtotals
    and other calculations that are not a part of the plan mode ( where they input forecasts).
    I know if the read and plan query are the same, we can achieve this through the command
    SET_DATA_ENTRY_MODE. In case they are different, as above, how can I achieve this?
    Thanks
    Rashmi.

    Say you are using two different queries as DP1 & DP2 for Display and Plan mode respectively. You also have one Analysis grid item in Web template which initially points to DP1.
    On PLAN button call command SET_ITEM_PARAMETER to set the data provider of analysis item to DP2.
    OR
    You have only one dataprovider in your web template as DP1 initially pointing to Query 1 which you want to show in Display mode. Then on PLAN button call a command SET_DATA_PROVIDER_PARAMETERS to point the DP1 to 2nd query instead of 1st query.  You can find this command under Commands for data Provider --> Basic data provider commands.
    Edited by: Deepti Maru on Nov 27, 2009 9:52 PM

  • Configuring an Airport network with two separate nets...

    Hi,
    I need to configure my Airport Network to have two different local net: the first using 192.168.1.x, and the second using 192.168.2.x with the same gateway address in order that one net could not see the other one but both can use the same internet connection, connected to the main Airport Extreme through the wan port.
    Normally, to make it work, I configure the subnet of the router as 255.255.0.0.
    But I can't find anything about the possibility to set up these LAN parameters (also the LAN IP of an Airport...!!!) on Airport Extreme.
    Is there a way I can't find? I hope it can be possible to set these basic parameters like in every 30$ cheapest router...
    Or maybe someone could help me to set up my network?
    Thanx in advance for any reply,
    Gab

    I have DSL service from AT&T in San Francisco that includes five static WAN IP addresses behind a single Internet connection with gross speeds of 6Mbps down and 768Kbps up. This kind of service may not be available to you in Italia.
    A fairly common use of this service is to provide a "public" Internet connection service for clients and guests while providing another "private" service restricted to employees and associates. Using up to five routers, you can set up to five different subnets that are independent of each other. All subnets share the same Internet pipeline, however.
    In my case, I use separate subnets for various testing purposes. For example, I might use a separate subnet to test various functions of a new router without fear of causing problems with my primary network.

  • Cisco ASA 5510 Backup Interface configuration

    Hi Experts,
    I am a newbie with Cisco Firewalls, pls help.
    We have a BSNL Leased Line of 2MBPS with a few Static IP's, of which 2 IP's are configured in Firewall 1 for the Outside Interface and one for publishing the DMZ server. Most of the time, for some reason or other, the BSNL line is going down. So now I need to configure another TATA Broadband 1MBPS Dialup Line as a Backup for the BSNL Line so as to provide uninterrupted Internet to our users.
    Pls guide me the Steps
    Thanks in Advance.
    Anish N

    Hi Anish,
    Check the below mentioned link for configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • Configuring dedicated/shared mode with DBCA wizard

    Hello,
    I've tried to configure several instances with DBCA wizard, both in dedicated and shared mode :
    - when dedicated mode is selected, dispatchers parameter is set like this : "dispatchers=(PROTOCOL=TCP) (SERVICE=sidXDB)", and all connections at the instance will be in by default dedicated mode, even if the "shared_servers" parameters is greater than 0
    - when shared mode is selected, dispatchers parameter is set like this : "dispatchers=(PROTOCOL=TCP)"
    I thought that the instance would run automatically in shared mode if the "shared_servers" parameters is greater than 0, but that's untrue
    Besides, I don't understand the link between the "(SERVICE=sidXDB)" option, which seems to be related to the XML database, and the connection mode to the instance.
    This is quite confusing to me, there is obviously something I don't know or I don't understand
    Can anyone make it clear to an Oracle beginner ?
    Thank you for help !
    regards,
    Antoine

    SHARED_SERVERS alone is not enough, it needs a corresponding dispatchers setting, something like 'dispatchers=(PROTOCOL=TCP)'. By default during a 10g database creation a XML DB is configured and 'dispatchers=(PROTOCOL=TCP) (SERVICE=sidXDB)' is dedicated to this XML DB, this dispatcher cannot serve any other database service. That means normal database connections are created as dedicated ones.
    Werner

  • Full screen mode with two displays ?

    I use a second Apple Display with my iMac. When you enter into "full screen" with an app with Lion does it only become full screen on one of your displays leaving the other screen unaffected?  Or, does it black out the other screen?
    When you are in full screen mode can you place windows from the full screen app on the other display that is not in full screen mode?
    Thanks.
    Eli

    @captfred.
    I'm still running 10.6. 
    I find it strange that iPhoto 8.1 has the ability to enter full screen without disabling or affecting the other display. You can even take a separate iPhoto window, the effects window for example, and drag it to the other display. All while in full screen mode.  Does this functionality disappear in Lion?
    Is this behavior app specific?
    eli

  • Need help configuring: 2 wireless routers with 2 different SSID's on one network

    Hello everyone: 
    I've been reading around on the forum trying to find the answer to this question, but have not found any clear cut answer that satisfies all my requirements.  A more in-depth explanation:
    I have 1 IP address coming in via cable modem.  I want to configure two wireless routers (one secured with WPA-TKIP, and one unsecured--a "guest network" if you will) each with different SSID's.  The secured network would be for my server, home PC's, IP webcams, DynDNS updating; while having an unsecured wireless router that friends and family can access.  Ideally, I do not want anyone who accesses the unsecured wireless router to be able to get access into my secured network.
    Can someone please tell me if this is possible.  I think it is based on some posts I have already seen, but specific details about how to do it would be appreciated.  Additionally, my DynDNS has to still be able to update with my ISP's IP so that I can access my server and home webcams.
    EQUIPMENT
    2 - WRT54G
    1 - EZXS55W
    1 - WVC200
    1 - WVC54GC
    (all of my stuff --webcam, server, dyndns, etc -- is working currently on my secured network. I just need to add the unsecured network)
    I know this is a lot, but I would appreciate any help.  THANKS.

    You must have the main WRT54G router connected to the modem. Set up the secured wireless network on the main router. Connect all your wireless computers or devices to the main secured wireless network.
    Let's consider the IP address of the main router is 192.168.1.1.
    Now connect only one computer to the Port 1 on second wireless router.
    Open the setup page of the second wireless router. Change the wireless settings, SSID, unsecured.
    Change the IP address of the second router to 192.168.2.1. Save the settings.
    Connect the cable from the Ethernet port on the main router to the Internet port on second wireless router.
    Power cycle the second wireless router.
    Now the guest computers connected to the second, unsecured wireless network will be able to access the Internet only. They will not be able to see the computers or devices connected to the first wireless router.

  • Configuration EWA in clien with  two solution manager

    Hello
    I have a question. I am activating EWA on Solman, but I have two Solman systems for the same company: the first is for managing the R3 system and the second is for managing the xRPM, BW and portal systems.
    The EWA is running in the first Solman, and the saprouter, I think, is there too. So I want to activate the EWA in the second Solman. In the guide I have this note 33135, and it talks about the connection with SAP.
    Is it possible to have the EWA in two Solman systems for the same client?
    Additionally, should the rscctool report run in the satellite systems too?
    Thanks
    DS

    Hello Danny,
    There should be no conflicts providing you keep a few things in mind.
    On the Satellite, in SDCCN > Setting> Task>Specific> RFC Destination
    Please make sure that you define one Solution Manager system as the Master. This will be the Solution Manager system that will schedule an SDCCN EarlyWatch Alert task automatically on the Satellite, through the Maintenance Package, so it needs to be the one specified in the Maintenance Package task. In other words, you set up the recommended EWA Activation as documented at http://service.sap.com/ewa for one Solution Manager system.
    Then for additional Solution Manager systems you would create an SDCCN Task in the same way you would generate an ad hoc EWA report, only you would choose the RFC Destination for the second (and/or subsequent) Solution Manager systems, and you would specify it as a periodic task so it would reschedule itself each week, so as to effect automation of the sending of the SDCCN session data to the other Solution Manager Systems.
    This way you will not have conflicts between the solution manager systems.
    Regards,
    Paul

  • How do I configure my email page for two different email addresses?

    I would like to have mail sent to two different email addresses, on my email page using Thunderbird.
    How do I do that?

    There is no "New-existing Mail Account"

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported for the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
    "policy-map type loadbalance"
    Could you check the two parts of the configs and advise me if the ACE config is
    properly converted from CSM and will work in the same way (especially for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • Cisco 2960S Configured in Transparent mode

    I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, and the ports show up, but on the printer it says offline. Any idea what could be causing this?

    If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
    I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
    What do you get when you do a "sh mac-address interface <PRINTER port>"?

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!
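
The syslog line in the reply above names traffic from `outside` to `phones`. In the pre-8.3 syntax this ASA runs, a dynamic `nat (src) N` rule only translates toward an interface that has a `global (dst) N` with the same ID. The following is an added example, not part of the original thread: it pairs the `nat` and `global` IDs per interface and lists the gaps. The `CONFIG` lines are copied from the posted configuration; the function names are hypothetical.

```python
import re
from collections import defaultdict

# NAT-related lines copied from the ASA 8.2(5) configuration posted in the thread.
CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan3
 no nameif
interface Vlan13
 nameif phones
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
"""

RULE = re.compile(r"^\s*(nat|global) \((\S+)\) (\d+)\s+\S")
NAMEIF = re.compile(r"^\s*nameif (\S+)\s*$")


def parse(config):
    """Return (named interfaces, dynamic nat IDs per iface, global IDs per iface)."""
    interfaces = []
    nats = defaultdict(set)
    globals_ = defaultdict(set)
    for line in config.splitlines():
        m = NAMEIF.match(line)          # "no nameif" does not match
        if m:
            interfaces.append(m.group(1))
            continue
        m = RULE.match(line)
        if not m:
            continue
        kind, iface, nat_id = m.group(1), m.group(2), int(m.group(3))
        if kind == "global":
            globals_[iface].add(nat_id)
        elif nat_id != 0:               # ID 0 is NAT exemption, needs no global
            nats[iface].add(nat_id)
    return interfaces, nats, globals_


def unpaired_ids(config, src, dst):
    """Dynamic nat IDs on src that have no same-ID global on dst."""
    _, nats, globals_ = parse(config)
    return sorted(nats[src] - globals_[dst])


def report(config):
    """All (src, dst, ids) where a dynamic nat on src lacks a global on dst."""
    interfaces, _, _ = parse(config)
    findings = []
    for src in interfaces:
        for dst in interfaces:
            if src == dst:
                continue
            ids = unpaired_ids(config, src, dst)
            if ids:
                findings.append((src, dst, ids))
    return findings


if __name__ == "__main__":
    for src, dst, ids in report(CONFIG):
        print(f"{src} -> {dst}: nat id(s) {ids} have no matching global on {dst}")
```

For the posted configuration the `outside` to `phones` pair is reported for ID 10, because `phones` only carries `global (phones) 20`, while `outside` to `inside` is paired through `global (inside) 10`.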

  • BPEL with TWO data base polling adapters????

    Hi,
    Can someone tell me, is it possible to have two database polling adapters in one BPEL process??
    What I am trying to do is simultaneously poll two independent database tables in one BPEL with two receive activities, but it did not work as BPEL should have only one start activity.
    Please post your ideas, if we can achieve this.
    Thanks,
    Kumar

    So, are you trying to detect the fact that two different rows in two different tables were both inserted? If so are they related somehow? Are they parent child? Is one guaranteed to appear before the other?
    I'm thinking two processes with database adapters that in turn call a third process which has two receives which are connected via a correlation set.
    Another solution would be database triggers that look for the existence of both rows before inserting into a third table -- this third table would drive the database adapter.
