ASA rpf-check DROP, ASA checking NAT in the incorrect interface

Hi
My current architecture is:
Internet <--> FW <--> ASA <--> LAN
                      FW <--> ASA
We have two links between the ASA and the FW; the corresponding ASA interfaces are "outside" and "vpn".
The "outside" interface is used for browsing the Internet, and also for making some services accessible to our partners by NATing to our servers.
The "vpn" interface is used to grant access to our LANs from remote offices.
Let's say that the firewall rules are OK and the remote offices have access to the whole LAN on port 80.
Below is the current configuration:
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0
interface GigabitEthernet0/2
 nameif vpn
 security-level 0
 ip address 192.168.12.2 255.255.255.0
object-group network Inside_LANs
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
global (outside) 1 interface
global (outside) 2 192.168.11.60 netmask 255.255.255.255
nat (inside) 1 access-list Inside-to-outside
nat (inside) 2 192.168.6.0 255.255.255.0
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
Our problem is that packets from the remote office to the LAN are dropped; we are getting the rpf-check drop in packet-tracer.
example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.13
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list Inside-to-outside
  match udp inside any inside host TimeServer eq 123
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.10
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
  match ip inside host 192.168.2.10 outside any
    static translation to 192.168.11.10
    translate_hits = 76643, untranslate_hits = 188597
Additional Information:
example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.4.40
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list Inside-to-outside
  match ip inside 192.168.4.0 255.255.255.0 vpn any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.6.30
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 192.168.6.0 255.255.255.0
  match ip inside 192.168.6.0 255.255.255.0 vpn any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 117, untranslate_hits = 0
Additional Information:
Our questions:
1) Why doesn't the ASA check the reverse-path route before checking the NAT?
 If it did, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA would not have to check NAT on another interface; currently it is checking the NAT on the "outside" interface even though that is not the route back to the office.
2) Why is it working for the static NAT servers and not working for the dynamic NAT ones?
When the ASA checks a server with static NAT it finds a match on the outside interface, but even so it discards it and the connection works (example 2).
When the ASA checks a server/host with dynamic NAT (ACL or network) it finds a match on the outside interface but drops the connection.
3) We know that this behaviour can be solved by adding a NAT exemption for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
Why is the ASA checking the global NAT even if it's not the correct interface?
Why is it working for static NAT and not for the dynamic one?
Thanks a lot

Hi,
It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
But to me the situation in its current form looks like the following.
Example 1
To me it seems this is working as it should. The connection is coming from "vpn" to "inside". There are no "static" configurations between "vpn" and "inside" and there is no "nat" command for the "vpn" interface, so the traffic should pass normally without any NAT-related conflicts/problems, as the traffic does not match any NAT configuration.
Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT phase sections there is a line saying "Additional Information:". If there is no text after it, that means this NAT has not been applied. I am not sure why the ASA lists NAT configurations in the output that are not related. I have seen this on many occasions and do not know the reason, and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
Example 2
This seems to be working as expected also.
According to the configuration provided there are no existing NAT configurations related to either the source or destination IP address on the ASA between the "vpn" and "inside" interfaces, so the traffic passes through the ASA without facing any conflicts with NAT configurations.
Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists nothing, so the NAT listed is not applied.
Examples 3 and 4
These tests fail as expected, since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration, while the reverse direction from internal to remote matches the Dynamic Policy PAT, and therefore the connection attempt is dropped. The connection must match the same NAT configuration in both directions.
In this situation you would have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT, all of which would prevent the connection from matching the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions, as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0, though you naturally have the option to use a NAT address if there is any overlap.
Hope this helps :)
- Jouni
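As an added example (it is not part of either post above), here is the NAT exemption the original poster refers to in question 3, written against the configuration in the question using the pre-8.3 NAT syntax that configuration uses. The ACL name Inside-NAT-Exceptions is taken from the question; the remote-office subnet 192.168.20.0/24 is the one behind the vpn route. The packet-tracer lines at the end are what I would run to confirm that the phase-5 "NAT / rpf-check" result changes from DROP to ALLOW for the two failing cases; the source port is an arbitrary value. The packet-tracer output in examples 3 and 4 shows "nat (inside) 1" and "nat (inside) 2" being matched for the inside -> vpn reverse path with "No matching global", which is the condition this exemption removes.

```cisco
! Added example, pre-8.3 syntax. Only the subnets that fail in examples 3 and 4
! are exempted; the remote-office subnet comes from the existing vpn route.
access-list Inside-NAT-Exceptions extended permit ip object-group Inside_LANs 192.168.20.0 255.255.255.0
access-list Inside-NAT-Exceptions extended permit ip 192.168.6.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! "nat 0 access-list" (NAT exemption) is evaluated before static and dynamic NAT
! and matches in both directions, so the reverse-path lookup for
! 192.168.4.40 -> 192.168.20.55 no longer falls through to "nat (inside) 1".
! It is not tied to one egress interface, so it applies to the "vpn" path.
nat (inside) 0 access-list Inside-NAT-Exceptions
!
! Pre-8.3 NAT changes do not rewrite translations that already exist.
clear xlate
!
! Verification. Syntax: packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>
! Before the change, phase "NAT / rpf-check" reports DROP for both of these.
packet-tracer input vpn tcp 192.168.20.55 40000 192.168.4.40 80
packet-tracer input vpn tcp 192.168.20.55 40000 192.168.6.30 80
```

The exemption is deliberately scoped to destination 192.168.20.0/24 only, so the existing dynamic PAT toward "outside" and the static translations for 192.168.2.10-12 are untouched: NAT exemption has higher priority than static NAT, so a broader ACL (for example "permit ip object-group Inside_LANs any") would also bypass the translations that partners rely on.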

Similar Messages

  • NATting using the same interface ?

    Hi there,
    I was wondering, is it possible to set up NAT/PAT for packets arriving on and leaving (after being routed) the same interface, i.e. not going "through" the router?
    I think that this is not possible but I need to be sure... Any help?
    Thanks,
    Alex

    That is called NAT on a stick.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
    Once you understand how to do this, NAT will never confuse you again.
    There may be a newer method with the new NAI interfaces in the latest IOS, but I have not had time to test this and have not seen any documentation on using these new NAT features for this purpose.

  • ASA 5510 NAT with IOS 9.1

    Hi All,
    Hoping someone can clear this up for me.
    I am trying to set up an ASA 5510 with IOS 9.1 and am having NAT issues.
    The ASA is connected inside the LAN to separate a second LAN.
    Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0--> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0/24)
    I keep getting "Asymmetric NAT rules matched for forward and reverse path flows" when going from Internal to the ASA Inside LAN.
    I fear it is my lack of understanding: with a router you can go between different LANs/subnets, but with the ASA does it always NAT whatever happens?
    If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address, and if I add what I believe to be an exemption rule to keep the translated packet the same, it works as long as I specify something like Internal LAN to a specific ASA Inside device, but not if I do Internal LAN to the ASA Inside LAN.
    Hope that makes sense and someone can give me a clue as to where I am going wrong with the setup / understanding.
    If there are any good docs that might explain it, that would be appreciated, as everything I have read so far has not given me any clarity.
    Many thanks

    Hi,
    Just to clarify, are we talking about a situation where the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA, or is there some separate firewall sitting at the edge of your network handling the external connectivity?
    If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT on the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network, as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has an internal ASA separating a certain section of the LAN network and they don't have any NAT configurations.
    The problems you mention in the post are probably due to a Dynamic PAT configuration, which means that your LAN can access the other parts of the internal network but no connection is possible from the internal network to this separate LAN behind the ASA. The reason is that the connection from the Internal LAN to the separate LAN won't match any NAT configuration, but the return traffic (the reverse check that the ASA does) will match the Dynamic PAT, and that is why the traffic is dropped.
    Static NAT done to the hosts behind the ASA will naturally help, since there won't be any problems with the translation in that case in either direction.
    You could take a look at a NAT document I wrote back in 2013. Though it won't really answer your specific questions here, perhaps it might be of help at some point:
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
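    As an added example (not from either post in this thread), this is the identity NAT for the 8.3-and-later syntax the question is about, so that the whole Internal LAN can reach the whole LAN behind the ASA rather than only a single statically NATed host. The subnets are the ones in the question (10.0.0.0/24 Internal, 192.168.1.0/24 behind the ASA inside interface); the object names and the hosts in the packet-tracer line are assumptions.

```cisco
! Added example, 8.3+ NAT syntax. Object names are assumptions.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network INTERNAL-LAN
 subnet 10.0.0.0 255.255.255.0
!
! Manual (twice) NAT in section 1 is evaluated before object NAT in section 2,
! so this rule wins over a dynamic PAT configured under the INSIDE-LAN object.
! Source and destination are both mapped to themselves, and the same rule is
! consulted for the reverse flow, which removes the asymmetric-NAT
! reverse-path drop. "route-lookup" makes the egress interface come from the
! routing table rather than the NAT rule; "no-proxy-arp" stops the ASA
! answering ARP for 192.168.1.0/24 on the outside segment.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static INTERNAL-LAN INTERNAL-LAN no-proxy-arp route-lookup
!
! If the dynamic PAT is itself a manual NAT rule, the identity rule must
! sit above it; a line number forces the position, for example:
!   nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static INTERNAL-LAN INTERNAL-LAN no-proxy-arp route-lookup
!
! Verification (hosts and source port are arbitrary):
packet-tracer input outside tcp 10.0.0.50 40000 192.168.1.20 443
show nat detail
```

    "show nat detail" lists the rules in evaluation order with their translate/untranslate hit counters, which is the quickest way to confirm that the identity rule, and not the PAT rule, is the one being matched in both directions.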

  • Rpf-check failure

    Hi!
    What does the above statement mean?
    I am trying to NAT some traffic, but packet-tracer shows that packets get dropped at the NAT rpf-check step.
    /Lajja

    Hello Lajja1234,
    It means that on the way back (the returning traffic) there is no valid NAT for that traffic.
    You can post the traffic that you want to allow and the packet-tracer output, and I will then provide you what you need.
    Regards

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you do the following packet-tracers to see the features the ICMP packet is hitting when the request is sent?
    I will need the output of the following commands:
    1- packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2- packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!

  • Cisco ASA 5510 Natting 2 internal ip to 1 public ip

    Hi Guys,
    I have a question about how to NAT 2 internal IP addresses to 1 public IP for FTP use.
    As far as I know, a Cisco ASA cannot NAT 2 internal IPs to 1 public IP, as the ASA cannot read the host header. Is there any way to control it by using an ACL or a network object group?
    My current configuration for NATing 1 internal IP to 1 public IP:
    static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255  dns
    Thank you for your help.
    Cheers
    Tommy

    Yes, it is possible. See if this helps. I'm not in front of my ASA right now, but I think this is the old and new way. If you are actually using the interface address, you might need to use the "interface" keyword.
    Pre 8.3
    static (inside,outside) tcp 1.1.1.1 80 192.168.1.100 8080 netmask  255.255.255.255
    static (inside,outside) tcp 1.1.1.1 8080 192.168.1.101 8080 netmask  255.255.255.255
    static (inside,outside) tcp 1.1.1.1 25 192.168.1.102 25 netmask  255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static 1.1.1.1 service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static 1.1.1.1 service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static 1.1.1.1 service tcp 25 25
    If you are using the interface address--
    static (inside,outside) tcp interface 80 192.168.1.100 8080 netmask  255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.1.101 8080 netmask  255.255.255.255
    static (inside,outside) tcp interface 25 192.168.1.102 25 netmask  255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static interface service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static interface service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static interface service tcp 25 25

  • ASA 5520 NAT 8.4

    Hello All,
    I'm having an issue setting up access through our firewall for external usage. I'm not sure if it's even possible.
    So....
    We have 1 external IP, say 80.80.80.80.
    We have 3 internal servers (10.0.0.1, 10.0.0.2, 10.0.0.3), 2 running web apps on port 443 and one on 445.
    We have 2 external locations (source IPs): London (50.50.50.50), Reading (60.60.60.60).
    I want to be able to match the source address, either London or Reading, and direct to the correct internal server, so 10.0.0.1 is for London and 10.0.0.2 is for Reading, both using the same IP and ports.
    Is this possible? Can the NAT rules match on source IP?
    Cheers
    Craig

    Hi,
    Below are some configurations I tested when a similar question was asked on these forums.
    In the below configurations I attempted to test a situation where the source address from the public network would define which NAT would be used, and therefore to which LAN host the connection would be forwarded. Also, the situation was limited to using only the single IP address configured on the ASA "outside/WAN" interface.
    To my understanding this solution is hardly ideal when considering the firewall operation. I think the firewall actually warns about the overlaps and actually shows overlapping translations on the firewall.
    Still, I was able to test this from 2 different external hosts at the same time on my home network and it was working. I haven't tested this in active use, so I can't say for certain what kind of problems you might run into, or if there are perhaps problems with the operation when multiple hosts are connecting and attempting all the different connections the NAT configurations are used for.
    So below are the example configurations and later the clarifications on what they are supposed to do. This should be easy to apply to your specific setup.
    EDIT: The naming and parameters referring to destination and source might be a bit confusing. Naturally you can use the object names that make the most sense to you.
    object network SOURCE1
    host 1.2.3.4
    object network SOURCE2
    host 5.6.7.8
    object network SERVER1
    host 10.10.10.10
    object network SERVER2
    host 10.10.10.20
    object service VNC
    service tcp source eq 5900
    nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
    nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
    access-list WAN-IN extended permit tcp object SOURCE1 object SERVER1 eq 5900
    access-list WAN-IN extended permit tcp object SOURCE2 object SERVER2 eq 5900
    access-group WAN-IN in interface WAN
    Where
    SOURCE1 / SOURCE2  = contains the users public source IP address
    SERVER1 / SERVER2 = contains the servers local IP address to which SOURCE1/SOURCE2 is connecting to
    VNC = contains the service that is to be forwarded
    LAN = is my "inside" interface
    WAN = is my "outside" interface
    WAN-IN = is my "outside" inbound ACL
    The above NAT commands basically state that:
    Translation will happen between the LAN and WAN interfaces.
    SERVER1 / SERVER2 will be translated to the WAN interface IP address ("interface" parameter) when the other end of the connection is SOURCE1 / SOURCE2 and the service used is TCP/5900 (both mapped and real service is TCP/5900).
    Hopefully the information has been helpful
    - Jouni

  • ASA supports NAT in bridge mode??

    Does anyone know if an ASA supports NAT in bridge mode? Especially the 5580 series X?

    Hi Hans,
    Yes it does, from version 8.0 and higher.
    Unsupported Features
    These features are not supported in transparent mode:
    NAT /PAT
    NAT is performed on the upstream router.
    Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
    Here is the document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
    Mike

  • Public Pool, 2 ASAs, Static NAT ...

    I am looking for help on a mixture of routing and switching and firewalling ...
    So I have a router connected to the ISP ... the router is also connected to a switch. Into that switch I have plugged two ASAs: a 5505 and a 5520.
    I was given a /27 (255.255.255.224), 30-address block from the ISP. Let's say the last octet of the router is .1, ASA #1 is .2, and ASA #2 is .3.
    Now I want to use the rest of the addresses for static NAT (the IP addresses are publicly registered to their own domain names).
    Can I use any of the rest of the addresses, .4 through .30, on either ASA in static NAT (1-to-1 translation)? Possibly even move them back and forth between ASAs?
    How does the router know which ASA it needs to forward the packet to if it is destined for .12, for example? Does the ASA send out an ARP message for each of the static addresses it is using? The packets aren't broadcast to the subnet, are they?
    Or is this a Layer 3 problem? Do I have to segment my /27 into two /28s on my router (requiring an additional interface and use of another IP address)?
    I was trying to decide if I could possibly model this in GNS3.
    PS: the reason for doing this is for disaster recovery, moving servers between racks without changing the IP address scheme (the private addressing scheme behind each ASA is identical), etc.
    Thanks so much for the help,
    Matt
    CCNP, CCDP, CCIP, ASA Specialist               

    Can I use any of the rest of the addresses .4 through .30, on either ASA in static NAT (1-to-1 translation)? Possibly even move them back and forth between ASAs?
    --> YES you can
    How does the router know which ASA it needs to forward the packet to if it is destined for .12, for example? Does the ASA send out an ARP message for each of the static addresses it is using? The packets aren't broadcast to the subnet, are they?
    --> YES, the ASA will send out an ARP to tell the router that it has that particular static address
    Or is this a Layer 3 problem? Do I have to segment my /27 into two /28s on my router (requiring an additional interface and use of another IP address)?
    --> NO, you don't have to segment the /27 into /28s

  • ASA NAT when not on interface network

    We are trying to restructure our edge network. The ASA with the NATs is currently on a natural /24, as is its upstream router. We are trying to change the ASA and router to reside on a /28 that is part of the existing /24. In doing so we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:
    Router IP:   10.10.10.226/28, HSRP IP 10.10.10.225
    ASA IP:       10.10.10.228/28 stby 10.10.10.229
    ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)
    ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)
    ASA NATs:  10.10.10.11-.135
    From the ASA configured this way, we can ping the router IP fine.
    One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
    Should either of these methods work?
    Thanks - Paul

    Paul
    One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
    Not sure I understand the above statement, but in terms of what you originally tried, it should work, as the ASA often handles IPs that are not assigned to an interface in terms of NAT.
    Difficult to say why it didn't work. It is always a good idea to clear existing xlates and ARP caches etc., but you may have done that anyway.
    What exactly didn't work ?
    Jon

  • Connecting ASA from inside of the network

    The LAN has the 10.10.10.0/24 IP pool and the ASA has the 10.10.11.0/24 pool. When I connect to the ASA from inside the network, I can't get to any node in the network, but I can when I am outside the network. I need to connect to all nodes even when I am inside the network connecting to the ASA. Please advise.

    John,
    Understood now. Hmmm... indeed strange. This is what we could do to try to isolate the problem and try to confirm some local connectivity.
    Since 10.10.10.0/24 is routed through the ASA firewall 10.10.10.254 as all hosts' default gateway, load your ASDM real-time log and note the traffic while trying to ping from the user laptop to any other host on the same 10.10.10.0/24 segment. I am sure you have probably checked, but from the user's laptop have you verified that the machine is getting a proper 10.10.10.x address with the correct mask and DG given by the ASA DHCP? If the ASA is your inside DHCP server, go to the ASA command line and issue:
    asa#show dhcpd binding - to confirm the host's IP assignment is there
    Try pinging from the ASA itself towards that particular user's 10.10.10.X address to confirm local connectivity from the ASA to the laptop.
    Also, from the laptop take note of the complete output of ipconfig and note all its current adapter bindings:
    c:\ipconfig /all
    It seems this could be more of a settings issue on the machines, but confirm the above.
    Also, what ASA code version? show ver
    And what version of the VPN client?
    Rgds
    Jorge

  • ASA 5505 getting dchp from the outside interface

    Hi, I have this configuration on the ASA client
    : Savedz
    : Written by enable_15 at 13:39:22.779 UTC Thu Aug 15 2013
    ASA Version 8.2(5)
    hostname Lakewood
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.100.2.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    ftp mode passive
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.100.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.100.2.50-172.100.2.125 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    This ASA client is getting DHCP from another ASA at another location; the ASA on the other side cannot ping devices on the client side.
    This is the server ASA:
    ASA Version 8.2(1)
    name 50.66.169.176 OutsideWorld
    name 172.100.2.0 Lakewood
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.100.1.254 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 50.66.202 255.255.255.248
    interface Vlan3
     shutdown
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    What type of configuration is this?
    How can I get both sides to ping each other and allow all the traffic?
    Thanks in advance.
    Hi,  i have this configuration on on the Asa client 
    : Savedz
    : Written by enable_15 at 13:39:22.779 UTC Thu Aug 15 2013
    ASA Version 8.2(5)
    hostname Lakewood
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.100.2.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    ftp mode passive
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.100.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.100.2.50-172.100.2.125 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    this asa client is getting dhcp from another asa on another location, the asa on the other side cannot ping devices on the client side
    this is the server asa
    ASA Version 8.2(1)
    name 50.66.169.176 OutsideWorld
    name 172.100.2.0 Lakewood
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.100.1.254 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 50.66.202 255.255.255.248
    interface Vlan3
     shutdown
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    What type of configuration is this?
    How can I get both sides to ping each other and allow all the traffic?
    Thanks in advance.

    Do you have a diagram of your setup and a more detailed description of what you want to do?
    The public interface of your main ASA looks like you are connecting to the internet. In that case, the IP address for the client has to come from the ISP and not from your main ASA.

  • How can I have the form fill in a check box if the user has entered text in a textbox?

    I have a form that is submitting an xml data file that is picked up by MS Word and used to populate a document. However, there's a 'Miscellaneous' field where the user can type in additional information that would not drop easily into the Word document (exceptions, items not on the drop down lists, etc.). I'd like to test to see if that Miscellaneous field has information in it and if it does, to set an invisible checkbox to "1" so that I can insert a text message in the Word document that there's additional information in the .pdf form that will have to be addressed manually in the Word document.
    I've tried
    if(Misc.rawValue !== "")
    otherinfo.rawValue = 1;
    but while it doesn't generate a Javascript error, it doesn't set the value either, and I haven't found any function that checks for whether a field is empty. I'm sure there's got to be a way to do this, but I'm stumped. Any help greatly appreciated!
    Bill

    It appears you are using LiveCycle Designer, so you will have to use the syntax of FormCalc or LiveCycle Designer JavaScript.
    For FormCalc:
    if(HasValue(Misc)) then
    otherinfo = 1
    else
    otherinfo = 0
    endif
    For JavaScript
    // HasValue() exists only in FormCalc, not in XFA JavaScript. An empty
    // field has a null rawValue (not ""), so test for both null and "".
    if (Misc.rawValue != null && Misc.rawValue != "")
        otherinfo.rawValue = 1;
    else
        otherinfo.rawValue = 0;
    I added code to clear the check box if the user clears the field.

  • In the iDVD window, there is a box in the lower left corner.  When I scroll over it, I get the message to hide or show the intro movie.  Checking or unchecking the box seems to do nothing.  Can anyone explain?

    Working with iDVD on a project, there is a box in the lower left corner and sometimes another in the lower right corner.  Scrolling over the one in the lower left corner, I get a message indicating that this box hides or shows the intro movie.  I have checked and unchecked the box, but see nothing different in the project.  Nor can I figure out what is meant by "intro movie."  Can anyone explain?

    Go to iDVD Help and type in Intro Movie, and you will get the full version of this:
    Many iDVD themes have “motion menus” that include animations or video that loop, or play repeatedly, until the viewer clicks a menu button. Themes with motion menus have a motion icon in the lower-right corner.
    In addition to background video, iDVD motion menus may also feature an intro, or short animation, that plays once before the part that loops. Other motion menus also include an “outro” that plays after the viewer clicks a button, serving as a transition between the menu and the selected content.
    An example of an iDVD 6.0 theme with an intro and an outro is Reflection White Main. In this theme, the first drop zones appear in the intro, and the buttons and title appear just before the looping part of the background video. In the outro, everything flies offscreen after the viewer clicks a button.
    iDVD provides tools for viewing these motion menus without going into preview mode, which is especially helpful when you are filling drop zones, and for turning the intro or outro off.
    Here are ways to view and edit the background movie:
    ◼ Drag the diamond-shaped motion playhead along the scrubber bar (shown below), to view the background movie, stopping wherever you like.
      (If you don’t see the motion playhead in iDVD, choose View > Show Motion Playhead.)
    ◼ Deselect the checkboxes at the left and right end of the scrubber bar if you don’t want to use the intro or outro, respectively, in your DVD menu.
    The scrubber bar shows the intro and outro as shaded areas at the beginning and end.
    You can also control the intro and outro from the Menu Info window. With your pointer over the menu (and with no buttons or text objects selected), press Command-I to open that window. Select or deselect the Intro and Outro checkboxes in the Background section of the window.
    NOTE: If you drag your own movie to a motion menu background, the outro is automatically removed. To customize the background and keep the outro, use a still image in the menu background instead of a movie.

  • How to change the check box with a push button in iterator table rows

    Hi all,
    I want to change the check box of the iterator table rows to a push button or something better, so as to give
    the table view a better look and make it more user friendly.
    Has anyone tried any other option in the table view in place of a check box?
    Thanks
    Bhagat

    There are various objects which you can create via iterators. Please see the application SBSPEXT_TABLE for more details.
    DATA: lo_text    TYPE REF TO cl_htmlb_textview,
          lo_ddlb    TYPE REF TO cl_htmlb_dropdownlistbox,
          lo_input   TYPE REF TO cl_htmlb_inputfield,
          lo_button  TYPE REF TO cl_htmlb_button,
          lo_chk_bx  TYPE REF TO cl_htmlb_checkbox.
      " row_ref is a class attribute holding the current row; the helper
      " get_column_value( ) (not shown here) reads the column values from it.
      row_ref = p_row_data_ref.
      CASE p_column_key.
        WHEN 'EFF_DATE'. " Input field with date help
          CREATE OBJECT lo_input.
          lo_input->id       = p_cell_id.
          lo_input->type     = 'DATE'.
          lo_input->showhelp = 'TRUE'.
          lo_input->width    = '60'.
          lo_input->invalid  = 'true'.
          p_class            = `ao`.
          lo_input->value    = get_column_value( p_column_key ).
          p_replacement_bee  = lo_input.
        WHEN 'NEW_LOC'. " Drop down list box
          CREATE OBJECT lo_ddlb.
          GET REFERENCE OF gt_persa INTO lo_ddlb->table.
          lo_ddlb->id                = p_cell_id.
          lo_ddlb->nameofkeycolumn   = 'NAME'.
          lo_ddlb->nameofvaluecolumn = 'VALUE'.
          " Preselect the current cell value. (The original code assigned
          " 'DUMMY' right after this line, which silently overwrote the
          " selection; that dead assignment has been removed.)
          lo_ddlb->selection         = get_column_value( p_column_key ).
          p_replacement_bee          = lo_ddlb.
        WHEN 'MON'. " Check box
          CREATE OBJECT lo_chk_bx.
          lo_chk_bx->id      = p_cell_id.
          lo_chk_bx->checked = get_column_value( p_column_key ).
          p_replacement_bee  = lo_chk_bx.
        WHEN 'NEW_MGR_SRCH'. " Button
          CREATE OBJECT lo_button.
          lo_button->id            = p_cell_id.
          lo_button->text          = 'Search Mgr'.
          lo_button->onclientclick = 'script'. " name of the client-side handler
          p_replacement_bee        = lo_button.
        WHEN OTHERS. " Plain text
          CREATE OBJECT lo_text.
          lo_text->id        = p_cell_id.
          lo_text->wrapping  = 'FALSE'.
          lo_text->text      = get_column_value( p_column_key ).
          lo_text->design    = 'STANDARD'.
          lo_text->textcolor = 'POSITIVE'.
          p_replacement_bee  = lo_text.
      ENDCASE.
    Thanks
    A
