ASA5510 - Verifying NAT is fully disabled between two interfaces

Similar Messages

• NAT between two interfaces

  Good day,
  I would ask if it is possible to do NAT between two Interfaces on the same device?
  The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
  This is my current NAT statement:
  nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
  This is my PacketTracer output:
  Phase: 1Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.3.0     255.255.255.0  mgmt
  Phase: 2Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group inside in interface insideaccess-list inside extended permit ip 172.20.200.0 255.255.255.0 anyAdditional Information:Phase: 3Type: IP-OPTIONSSubtype:Result: ALLOWConfig:Additional Information:Phase: 4Type: NATSubtype:Result: ALLOWConfig:nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectionalAdditional Information:Static translate 172.20.200.1/0 to 192.168.3.222/0Phase: 5Type: USER-STATISTICSSubtype: user-statisticsResult: ALLOWConfig:Additional Information:Phase: 6Type: FLOW-CREATIONSubtype:Result: ALLOWConfig:Additional Information:New flow created with id 244039047, packet dispatched to next moduleResult:input-interface: insideinput-status: upinput-line-status: upoutput-interface: mgmtoutput-status: upoutput-line-status: upAction: allow
  So NAT seems to be working correct. I can reach other devices behind the mgmt network this is no problem. But I cant access the ASA on the mgmt interface 192.168.3.2.
  Clould it be a problem with the traffic flow? Because in the PacketTracer output I see on Phase1 a Route-Lookup and later on Phase4 the NAT statement.
  Is there a way to get this working?
  Many thanks for your feedback.
  Brgds,
  Markus

  Hi,
  To my understanding its not possible to connect to an ASA interface through interface other than the interface where the IP address is located.
  In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface
  I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
  - Jouni

• Load balancing between two interfaces on 2811

  Hi,
  We have a 2811 router with VPN and NAT configured. We have two internet connection from different ISPs. The speed of our original connection is 2MB up and down. The speed of our new connection is 1MB up and down. We want to configure load balancing between the two connections. Our new ISP has provided us with a CISCO 837 router. We want to connect that router into our 2811 on one of the free WIC card and then configure load balancing between the two interfaces on our 2811. The third interface has a local address configured. Please suggest where to start. I tried searching on net for any configuration example but I was unable to find any particular example with commands. I am new on CISCO platform. Any help will be hugely appreciated. Thanks in advance.

  Raju,
  you have two choices as far as I can see. If you want to use static routing over the WAN to your branch, you could duplicate your static routes to the branch and point them to the secondary router. You will have two identical sets of static routes in the primary router, one set pointing to the WAN interface and the other one pointing to the secondary router.
  ip route x.x.x.x "WAN-interface"
  ip route x.x.x.x "secondary router"
  ip route y.y.y.y "WAN-interface"
  ip route y.y.y.y "secondary router"
  etc.
  As a result the primary router will have two routes to the branch and will load-balance. If one next-hop fails (either the WAN interface or the secondary router), only the other will be used. If the next-hop comes back up, load-balancing will resume.
  The other choice would be to use EIGRP over the WAN, and make sure the two routers become EIGRP neighbors. Then you can use the "variance" command to achieve unequal cost load-balancing between the two routers. Let me know if you need more information about this, but i think static routes will be sufficient in your situation.
  HTH, Thomas

• View Mapping Result between two Interface Mappings in ccBPM

  Hello,
  I've got a ccBPM which does two interface mappings. The second one fails. When I redo the steps manually in the Interface Mapping test mode everything works fine. Anyway, I want to get the message from the failed BPM that got out of the first interface mapping, which worked fine in the BPM as well, before entering the second.
  Where can I get that message? In Monitoring I can only find messages that got sent.
  Thanks for you help!
  Regards,
  Dirk

  Hi,
  Please check in Runtime Workbench.
  Go to Adapter Engine --> Component Monitoring
  Now select your Adapter.
  Use Filter and below you will find message ids.
  select one and you can see the audit log..where your appln fails.
  You can also use SXMB_MONI.
  Select the message giving error and in that goto outbound tab..click on link...select view details image button...select the component with error and go to container tab of it....there you will find trace entry....where log of your error will be stored..
  Hope it helps.
  Best Of Luck
  Akhil
  Edited by: Akhil Rastogi on Mar 18, 2008 11:08 AM

• 'Only' NAT'd Traffic Allowed Between ASA Interfaces

  I've just setup (2) ASAs. In doing so, I've run into the same problem on each one (i.e., I must configure NAT on each interface for the traffic to flow between them)
  Accordingly to my literature and videos I've been through, I should not have to perform NAT for the traffic to move between the different interfaces.
  Questions:
  What have I done wrong?
  What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.
  Notes about my configurations:
  Same security level traffic is permitted
  All interfaces have their security levels set to 100
  I've reset the ACLs to allow all traffic as well (*this is a lab)
  All tcp-udp traffic is inspected by default on ASAs
  Many thanks.
  Fred

  NAT-Control: NA, deprecated.
  Without Nat-Control: As I mentioned previously, I must use NAT, or the traffic will not flow between interfaces. This is my problem. It doesn't make sense that I should need to use NAT for traffic to flow between the different interfaces.
  Notes about my configurations:
  Same security level traffic is permitted
  All interfaces have their security levels set to 100
  I've reset the ACLs to allow all traffic as well (*this is a lab)
  All tcp-udp traffic is inspected by default on ASAs
  Questions:
  What have I done wrong?
  What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.

• CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES

  Hi All!
    I'm looking for some way to make a transparent bridge between two interfaces of a Cisco router ASR901 , is there any possibility? I ask this because I have a scenario where I would use the ASR901 to the following question :
  POP01 (                       ) ASR901  g0 / 6 -------- > ISG_7206
  POP02 ( MPLS CLOUD )               g0 / 7 -------- > ISG_7206
  POP03 (                       )
  The ASR901 will focus EoMPLS with other points in the network and pass on to ISG routers , ie , VLANs would have to be two ports with XConnect to a remote router , the configuration would be something like this :
  interface GigabitEthernet0/6
  Core description : MPLS CONC PPPOE02
  no ip address
  negotiation auto
  hold- queue 1024 in
  hold- queue 1024 in October
  service instance 4095 ethernet
    encapsulation dot1q 4094
    rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/7
  Core description : 7206_PPPOE_01
  no ip address
  negotiation auto
  service instance 4095 ethernet
    encapsulation dot1q 4094
    rewrite ingress tag pop 1 symmetric
  end
  L2VPN XConnect context TEST
  ethernet interworking
  member 201.55.127.202 1212 encapsulation mpls group TEST
  member GigabitEthernet0 / 7 service -instance TEST 4095 group priority 1
  member GigabitEthernet0 / 6 service -instance 4095
  redundancy group delay 1 3 TEST
  But without an interface that was redundant of other , what I need is the 2 interfaces in " bridge " making a XConnect to a remote router , and these 2 interfaces connected ISGs in 2 to make a balance .

  Hi,
  This discussion is for IOS-XR related questions. You should post your question under Service Provider > MPLS.
  thanks,
  rivalino

• CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES WITH XCONNECT

  Hi All!
    I'm looking for some way to make a transparent bridge between two interfaces of a Cisco router ASR901 , is there any possibility? I ask this because I have a scenario where I would use the ASR901 to the following question :
  POP01 (                            )  ASR901  g0 / 6 -------- > ISG_7206
  POP02 ( MPLS CLOUD )                   g0 / 7 -------- > ISG_7206
  POP03 (                            )
  The ASR901 will focus EoMPLS with other points in the network and pass on to ISG routers , ie , VLANs would have to be two ports with XConnect to a remote router , the configuration would be something like this :
  interface GigabitEthernet0/6
  Core description : MPLS CONC PPPOE02
  no ip address
  negotiation auto
  hold- queue 1024 in
  hold- queue 1024 in October
  service instance 4095 ethernet
    encapsulation dot1q 4094
    rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/7
  Core description : 7206_PPPOE_01
  no ip address
  negotiation auto
  service instance 4095 ethernet
    encapsulation dot1q 4094
    rewrite ingress tag pop 1 symmetric
  end
  L2VPN XConnect context TEST
  ethernet interworking
  member 201.55.127.202 1212 encapsulation mpls group TEST
  member GigabitEthernet0 / 7 service -instance TEST 4095 group priority 1
  member GigabitEthernet0 / 6 service -instance 4095
  redundancy group delay 1 3 TEST
  But without an interface that was redundant of other , what I need is the 2 interfaces in " bridge " making a XConnect to a remote router , and these 2 interfaces connected ISGs in 2 to make a balance .

  Hello,
  I do not believe that the ASR901 will do this without help from an upstream device. If I understand correctly, you want to build a bridge-domain with 3 EFPs: 2 physical ports, and one pseudowire. As of the last IOS revision that I have configured on this platform, the 901 doesn't support the pseudowire on a bridge-domain, only a service instance.
  It seems to me that you would need an upstream box involved to support this.
  Either:
  Build 2 pseudowires to an upstream box that supports this configuration (like an ME 3600x, ME3800x, or 9k).
  or
  Associate both service instances to a common bridge domain that is extended to an upstream box that is initiating the pseudowire. More platforms would support this, since it does not require supporting the pseudowire on a bridge domain.
  ...Unless you are looking to build an LACP channel-group on the interfaces connected to the ISGs to load-balance. The 901 supports LACP, and it also supports building an EFP (service instance) on the channel-group interface. This technically makes the 2 physical interfaces one EFP. The part of this that I have not tried is building a pseudowire on an EFP on a channel-group.
  Hope this helps.
  Jason

• Problems getting static NAT to work between two internal lans

  Hi, I'm trying the old problem of routing between two internal LANs. This on cli 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic betrween office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static nats are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the nat policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
  Manual NAT Policies (Section 1)
  1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
      translate_hits = 0, untranslate_hits = 3
  2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
      translate_hits = 0, untranslate_hits = 0
  interface GigabitEthernet0/0
  nameif inside-ld5
  security-level 100
  ip address 10.20.15.2 255.255.255.0
  interface GigabitEthernet0/6
  nameif office
  security-level 100
  ip address 10.20.11.9 255.255.255.0
  object network inside-ld5
  subnet 10.20.15.0 255.255.255.0
  object network inside-office
  subnet 10.20.11.0 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
  nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

  Hi Kevin,
  because your interfaces inside and office are in same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between this interfaces. So i think you don't need NAT between this two subnets if there is not other reason to do so.
  Then you just configure ACL which will permit traffic you want between this LANs. In this case both netwroks are directly conneted so routing should work(instead of NAT).
  Best Regards,
  Jan

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• Etherchannel between two 2950 switches

  I have a etherchannel defined between 2 L2 switches using LACP as shown below. The etherchannel works fine, however when I hard code speed/duplex on both ends the etherchannel fails. What is causing this behaviour?
  SW02:
  interface Port-channel5
  interface GigabitEthernet1/0/1
  switchport mode trunk
  channel-group 5 mode active
  interface GigabitEthernet1/0/2
  switchport mode trunk
  channel-group 5 mode active
  SW02:
  interface Port-channel5
  interface GigabitEthernet1/0/1
  switchport mode trunk
  channel-group 5 mode active
  interface GigabitEthernet1/0/2
  switchport mode trunk
  channel-group 5 mode active

  Thank you for the rating.
  Regarding your replacement scenario, I'll give the standard engineering answer ("it depends"), but actually follow up with something I hope is more helpful.    I'm sincerely interested to see other's viewpoint on this as well, as it has changed over the years.
  Many years ago (let's say a decade) I ran into problems with some devices not being able to auto-negotiate properly.  There was a tendancy for devices to fail or negotiate to half-duplex mode when a full-duplex connection was warranted.  At the time, the problems we experienced were mainly with traffic shaping devices and some other gear.  There were others using fixed settings as a standard practice, and we did the same since we had verifiable issues.
  Fast forward to now.  I personally have not experienced auto-negotiation problems in a long time and am reading more from others in the field that auto-negotiation is the way to go (such as from the link provided).  Indeed, I've now run into the opposite scenario: I had a particular situation where a link between two devices defaulted to half-duplex EVEN THOUGH they were both set to 100/Full.  It turned out to be a race condition between a device and a Cisco router...the other device booted faster, didn't see anything on the link, and "helpfully" dropped down to half-duplex.  I confirmed the issue with the device vendor, who recommended setting ports to auto-negotiate as the fix (their software would not be updated for a bit of time).
  I would recommend auto-negotiate as a standard practice, with the exception of areas where you have encountered specific problems.  Those latter cases should be caught through your pre-deployment testing, and discussed with the respective vendors so that you fully understand why the devices are behaving the way they are so that the proper mitigation measures can be put in place (i.e. - It is going to act the same way every time, and you can work with that).
  Good luck!  -Ed

• Help !!! Static route between two router WRT160NL

  Hi all,
  I have my internet connection connect to my main Linksys router WRT160NL  (192.168.1.1) with 192.168.1.x.
  My 2nd Linksys router connect to the first one as Gateway as well.
  The 2nd router has its WAN ip of 192.168.1.100 and it's local subnet as 192.168.2.x.
  My machines at 192.168.2.x can get to the internet and connect to all machines in the 192.168.1.x network.
  However, the 1.x network can't access the machines on the 2's network. And because of that, i can not sharing or printing between two network.
  I try to add static routes on my main router (192.168.1.1) with the route: 192.168.2.0 mask 255.255.255.0 and defaute gateway 192.168.1.100
  However, the route not work still.
  anyway to make sure that the 1.x network able to access the 2.x network and from 2.x   access 1.x for sharing files and printing.
  thanks for your help!
  Solved!
  Go to Solution.

  In gateway the router does NAT which makes the LAN side inaccessible from the WAN side unless you configure port forwarding or similar. If it wouldn't do so your 192.168.1 LAN would be accessible from the internet. Static routing won't change this.
  You have to disable NAT (aka switch to router mode) on the second router. You have to set up a static route on the main router then. However, most likely your network 192.168.2.* won't have internet anymore because the main router will only do NAT for 192.168.1.* and not for 192.168.2.*.
  Thus, if possible set up the second router as access point only and run a single LAN.

• Sharing iPhoto Library between Two User Accounts

  Is there any way to fully share a single iPhoto library between two user accounts on one machine (iMac 2.0GHz dual core Intel, 10.5.1, iPhoto '08), without using an external drive (because I don't have one)? By share, I mean each user has full rights and priveledges to the entire library, regardless of who uploaded the pics. Holding down the option key on iPhoto startup does not work because my wife can't access the pics I loaded even though she's pointing to the shared library in a shared folder.

  If you want the other user to have the same access to the library as you: to be able to add, edit, organise, keyword etc. then:
  Quit iPhoto in both accounts
  Move the iPhoto Library Folder to an external HD set to ignore permissions. *You could also use a dmg*.
  (Some people have had success putting the library in the Users/ Shared folder. If you do this make sure the file permissions are set to allow read/write access to everyone. But that's unlikely to work on 10.5 because of the way that the permissions have changed with the new OS.)
  In each account in turn: Hold down the option (or alt) key and launch iPhoto. From the resulting dialogue, select 'Choose Library' and navigate to the new library location. From that point on, this will be the default library location. Both accounts will have full access to the library, in fact, both accounts will 'own' it.
  However, there is a catch with this system and it is a significant one. iPhoto is not a multi-user app., it does not have the code to negotiate two users simultaneously writing to the database, and trying will cause db corruption. So only one user at a time, and back up, back up back up.
  Regards
  TD

• Communication between Two WebLogic instances on the same machine

  Hi,
  We're having a problem with communication between two copies of Weblogic on
  the same machine. They are configured with seperate ports (regular and SSL).
  Independantly, they run fine. I can access EJBs running on either of them.
  The problem is that a bean in one of them has code which attempts to access
  an EJB on the other one. The procude fails when trying to obtain the initial
  context. This same code works if compilied independantly of WebLogic on the
  same machine.
  Are there any known issues regards communication between two running
  instances of Weblogic on the same machine?
  Thanks in advance,
  Randy Yarger
  marchFIRST
  [email protected]

  Thanks for the prompt reply.
  There is one IP address (internal address 10.227.1.34) one the machine. WLS1
  is set up at ports 7001 and 5133. WLS2 is setup at ports 7004 and 7005.
  When WLS1 attempts to obtain a context to WLS2 with the URL
  t3://10.227.1.34:7004/ it pauses for a long period of time. Running truss
  on the both WLS processes shows communication occuring between the two
  followed by long periods of silence. Finally WLS2 spits out the error
  ConnectionException[7001,7001,5133,5133,7001,7001] (paraphrased, I can get
  the entire error if it would help).
  After another long pause, WLS1 quits trying with the error 'Server
  10.227.1.34:7004 not found' (again paraphrased).
  Among the things we've tried:
  * Changing the URL from the IP to 127.0.0.1
  * Enabling/disabling SSL on either or both WLSs.
  * Changing the server name in WLS2's copy of weblogic.properties from
  'myserver' to 'myserver2' (previously they were both 'myserver')
  * Upgrading WLS2 to 5.1.0sp5 (Tried upgrading WLS1, but was getting class
  not found errors and quit because that WLS is being used by other people)
  This is a Solaris server. WLS1 is running 5.1.0 and WLS2 is running 5.1.0sp5
  Any suggestions would be appreciated.
  Best,
  Randy Yarger
  marchFIRST
  [email protected]
  "Michael Girdley" <[email protected]> wrote in message
  news:[email protected]...
  >
  >
  There should not be. What is your network configuration? Are they on
  separate IP addresses?
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Randy Jay Yarger" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  We're having a problem with communication between two copies of Weblogicon
  the same machine. They are configured with seperate ports (regular andSSL).
  Independantly, they run fine. I can access EJBs running on either of
  them.
  The problem is that a bean in one of them has code which attempts toaccess
  an EJB on the other one. The procude fails when trying to obtain theinitial
  context. This same code works if compilied independantly of WebLogic onthe
  same machine.
  Are there any known issues regards communication between two running
  instances of Weblogic on the same machine?
  Thanks in advance,
  Randy Yarger
  marchFIRST
  [email protected]

• OBIEE 11G - Issue passing parameters between two reports

  Hi folks,
  I am struggling to pass parameters between two reports in OBIEE 11G.
  My first report contains the following columns: Rolling Year Type (VCHAR), Year(VCHAR), Month(VCHAR), Cost(Double).
  My second report contains the following columns: Rolling Year Type(VCHAR), Year(VCHAR), Month(VCHAR), Category(VCHAR), Cost(Double).
  My requirement is to pass the Rolling Year Type, Year and Month values from report 1 to report 2.
  On the Month column properties of report 1, I have created an Action Link called 'Drill to Category'. I have clicked on 'Navigate to BI Content' and selected Report 2.
  Then on Report 2, I have included three filters: Rolling Year Type is prompted, Year is prompted, Month is promted.
  When I run the report I always get the following error:
  The specified criteria didn't result in any data. This is often caused by applying filters and/or selections that are too restrictive or that contain incorrect values. Please check your Analysis Filters and try again. The filters currently being applied are shown below.
  When I check the cursor cache, the filter values are correct. Does anybody have any idea why Report 2 does not display?
  When I remove the Month filter, the report works correctly.
  I have since changed the third filter to be Month No and although Report 2 does display, it does not pick up the filter on the Month No.
  I initially thought this may have been a caching issue and so I have disabled BI Server Cache but this does not fix my problem.
  This was never an issue on OBIEE 10G as I found it very easy to navigate between two requests.
  Has anyone else experienced problems with passing parameters between two request in 11G?
  Any help appreciated.
  Thanks
  Gavin

  Hi,
  I once tried this kind of requirement(with dashboard prompts though) and hit at similar issue. I later found out that the problem is with the space in the parameter values. Can you please let me know, if the same is the case with you?
  Suppose the parameter passed is "Jan 2010", but the report on the destination takes the value as "Jan" & "2010". Yes, it kind of split the parameter value to two based on space. I think we can notice the filters the destination report got, by enabling filter view.
  In this case, since you pass only value at a time, could you try placing the parameter value anyway in double quotes? I think the Server then will understand it as one value.
  Thank you,
  Dhar

• Cannot get Telnet to work between two servers on same subnet

  I need to test if communication is open on port 8444 between two servers.
  I installed telnet client on a Server 2008 R2 server and telnet server on a Server 2008 SP2 server.  I also manually started the Telnet service that was set to disabled on the SP2 server.  I disabled the Windows firewall on both servers.  They
  are both on the same subnet so they don't need to go through any routers and I can ping successfully.
  When I try to telnet to the remote server by typing telnet "ip address" 8444, I get an error that says "Could not open connection to host, on port 8444:  Connection failed.
  I tried other ports like port 80 and got the same error.
  What else is needed to get this to work?

  VMs have nothing to do with it, as long as there's network communication between the servers.
  As I said, there must be a service or application listening on that port for it to respond. For example, try this:
  C:\> telnet
  When the telnet prompt opens, type in:
  open mail.messaging.microsoft.com 25
  If it works, you should see this:
  220 CH1EHSMHS035.bigfish.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2013 00:57:33 +0000
  That means that Microsoft's mail servers are LISTENING on port 25 and it responded. And note, telnetting to port 25 is a non-default telnet port, because port 23 is the default telnet port. When you type in a space and then a port number, you're telling
  the telnet client to use that port.
  That is the SAME THING if some sort of application or service is listening on port 8444 on that other server you're trying to telnet to. If there is no app or service listening, it will just time out.
  And no, installing the TELNET service on that sercver will NOT answer to any port other than 23. The telnet service by default, uses TCP 23, unless you specify otherwise.
  So once again, what service or app on that server is supposed to be listening on 8444?
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.