ASA5515 v8.6(1)2 NAT dmz public server

Could I get a validation that this config is correct in that it allows inbound access to the web server
and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
Example from 115904 doc.
object network WebServerPublic
host 24.25.26.80
object network WebServerPrivate
host 192.168.1.80
nat (dmz,outside) static WebServerPublic service tcp www www ---> this does not code
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
And I cannot browse in from the outside to it either.
I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
ASA Version 8.6(1)2
hostname A5515
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.25.26.254 255.255.255.240
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.252 255.255.240.0
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
object network N_OBJ_10.1.0.0_20
subnet 10.1.0.0 255.255.240.0
object network N_OBJ_10.24.0.0_18
subnet 10.24.0.0 255.255.192.0
object network DNSServer
host 10.24.0.86
object network WebServerPrivate
host 192.168.1.80
object network WebServerPublic
host 24.25.26.246
object network N_OBJ_DMZ_24
subnet 192.168.1.0 255.255.255.0
object-group network CampusNetworks
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
access-list dmz_access_in extended permit udp any object DNSServer eq domain
access-list dmz_access_in extended deny ip any object-group CampusNetworks
access-list dmz_access_in extended permit ip any any
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic
nat (inside,dmz) source static CampusNetworks CampusNetworks
nat (inside,outside) after-auto source dynamic CampusNetworks interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
Thanks

Hi,
You have some conflicting NAT configurations.
For example you have this:
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
This overrides your Static PAT configuration that you are trying to achieve.
Also one note regarding one of your NAT configurations:
nat (inside,dmz) source static CampusNetworks CampusNetworks
You don't need NAT between local interfaces. No NAT is done by default. So the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
- Jouni
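The rule precedence behind the answer above, as an added example (Python written for this page, not Cisco code and not from the thread): a small model of ASA 8.3+ NAT evaluation order, section 1 manual NAT in configured order, then section 2 object NAT, then section 3 after-auto, run over the NAT lines from the question and from the answer. Interface addresses, objects and networks are the ones in the question; the campus host 10.1.0.5 and the server's source port 51000 are constructed sample values, and the rule strings are labels only. It goes one step beyond the thread by also showing the two (dmz,outside) manual lines in swapped order.

```python
# Constructed model of ASA 8.3+ NAT precedence (added example, not Cisco code).
# Rules are tried in this order: section 1 (manual NAT) in configured order,
# section 2 (object NAT: static before dynamic, fewer real addresses first),
# section 3 (manual NAT "after-auto") in configured order.  First match wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str                   # the config line this rule stands for (label only)
    section: int                # 1, 2 or 3 as described above
    real_if: str                # nameif of the real host, or "any"
    mapped_if: str              # nameif the mapped address is used on, or "any"
    real_src: Tuple[str, ...]   # real source networks, CIDR (a group may hold several)
    mapped_src: str             # CIDR host, "interface", or "identity" (real == mapped)
    kind: str                   # "static" or "dynamic"
    proto: Optional[str] = None       # static PAT only: the single protocol/port covered
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass
class Asa:
    interfaces: dict            # nameif -> interface IP
    rules: List[NatRule]        # in the order they appear in the running config

    def ordered(self) -> List[NatRule]:
        def key(item):
            idx, r = item
            if r.section == 2:
                size = sum(ip_network(n).num_addresses for n in r.real_src)
                return (2, 0 if r.kind == "static" else 1, size, r.name, idx)
            return (r.section, 0, 0, "", idx)
        return [r for _, r in sorted(enumerate(self.rules), key=key)]

    def translate(self, ingress, egress, src_ip, proto, src_port):
        """Source translation for a new connection from src_ip entering on `ingress`
        and leaving on `egress`: (rule name, mapped IP, mapped port), or None."""
        for r in self.ordered():
            if r.real_if not in ("any", ingress) or r.mapped_if not in ("any", egress):
                continue
            if not any(ip_address(src_ip) in ip_network(n) for n in r.real_src):
                continue
            if r.proto is not None and (proto, src_port) != (r.proto, r.real_port):
                continue
            if r.mapped_src == "interface":
                mapped_ip = self.interfaces[egress]
            elif r.mapped_src == "identity":
                mapped_ip = src_ip
            else:   # host-to-host static; net-to-net offset mapping is not modelled
                mapped_ip = str(ip_network(r.mapped_src).network_address)
            if r.kind == "dynamic":
                return r.name, mapped_ip, None   # PAT port is picked per connection
            port = r.mapped_port if r.mapped_port is not None else src_port
            return r.name, mapped_ip, port
        return None   # no rule matched: the packet leaves untranslated


IFACES = {"outside": "24.25.26.254", "inside": "10.1.0.252", "dmz": "192.168.1.254"}
CAMPUS = ("10.1.0.0/20", "10.24.0.0/18")          # object-group CampusNetworks

# The NAT lines from the question, in the order they appear there.
ORIGINAL = Asa(IFACES, [
    NatRule("nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface",
            1, "dmz", "outside", ("192.168.1.0/24",), "interface", "dynamic"),
    NatRule("nat (dmz,outside) source static WebServerPrivate WebServerPublic",
            1, "dmz", "outside", ("192.168.1.80/32",), "24.25.26.246/32", "static"),
    NatRule("nat (inside,dmz) source static CampusNetworks CampusNetworks",
            1, "inside", "dmz", CAMPUS, "identity", "static"),
    NatRule("nat (inside,outside) after-auto source dynamic CampusNetworks interface",
            3, "inside", "outside", CAMPUS, "interface", "dynamic"),
])

# Same rules with the two (dmz,outside) manual lines in the opposite order.
SWAPPED = Asa(IFACES, [ORIGINAL.rules[1], ORIGINAL.rules[0]] + ORIGINAL.rules[2:])

# The replacement from the answer: object NAT static PAT plus one after-auto default PAT.
PROPOSED = Asa(IFACES, [
    NatRule("nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface",
            3, "any", "outside", CAMPUS + ("192.168.1.0/24",), "interface", "dynamic"),
    NatRule("object WEB-SERVER: nat (dmz,outside) static interface service tcp 80 80",
            2, "dmz", "outside", ("192.168.1.80/32",), "interface", "static", "tcp", 80, 80),
])


def web_server_egress(asa):
    """Rule that owns 192.168.1.80 tcp/80 towards the outside (the web service itself)."""
    return asa.translate("dmz", "outside", "192.168.1.80", "tcp", 80)


def server_other_egress(asa):
    """Rule that owns any other connection the server opens towards the outside."""
    return asa.translate("dmz", "outside", "192.168.1.80", "tcp", 51000)


def inside_to_dmz(asa):
    """Rule (if any) applied to campus host 10.1.0.5 (constructed) reaching the DMZ."""
    return asa.translate("inside", "dmz", "10.1.0.5", "icmp", 0)


if __name__ == "__main__":
    for label, asa in (("original", ORIGINAL), ("swapped", SWAPPED), ("proposed", PROPOSED)):
        print(label, web_server_egress(asa), server_other_egress(asa), inside_to_dmz(asa))
```

The on-box equivalent of each call is `packet-tracer input dmz tcp 192.168.1.80 80 <outside host> <port>`, whose NAT phase names the rule that actually matched.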

Similar Messages

  • Static NAT Question - Public to Inside ASA 9.1x

    Hi All.. I'm having  hard time wrapping my head around the post 8.2 nat statements, please help.
    I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server).  It also need to be able to push the stream to a specific IP address as well.  I can do identity nat, and it'll go out and I see it's using IP, but obviously traffic doesn't get in... I can use sample web server nat's I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
    Remote Public IP's: 77.88.99.11
    Local Public IP: 12.12.12.1
    Ports required:
    object-group service srvgp-stream-remote
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destination eq 8088
     service-object tcp destination eq 1935
     service-object udp destination range 6970 9999
     service-object udp destination range 30000 65000
     service-object udp destination eq 554
    I can get this to work:
    object network server-external-ip
     host 12.12.12.1
    object network webserver
     host 192.168.1.100
     nat (dmz,outside) static server-external-ip service tcp 8088 8088
    access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
    But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax.  Additionally, would this  provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a separate identity nat to do this to the same public ip addresses?
    Any help is greatly appreciated.

    With that many ports, you should use the public IP exclusively for the Webserver:
    object network webserver
    host 192.168.1.100
    nat (dmz,outside) static server-external-ip
    If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
    nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

  • Configuring a5505 setup public server + DMZ

    Please bear with me, as I am utterly new to the a5505 and Cisco products in general.
    Setup:
    LAN (192.168.1.X, with .3 as gateway)
    DMZ (192.168.2.X with .1 as gateway)
    WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)
    I want to set it up so that X.146 is where all my outbound traffic appears to originate.
    I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.
    Also, HTTP traffic to X.148, X.149 and X.150 should go to DMZ and 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time)
    I've got contact with the outside world when I've configured it using the ASDM's "Public Server" interface, but it refuses to properly establish the connection, I get a "SYN timeout".
    I'm sure it is a simple mistake I've made someplace, but some of this stuff is Greek to me so far, I must admit..
    My config:
    : Saved
    ASA Version 8.2(5)
    hostname kcisco
    enable password X encrypted
    passwd X encrypted
    names
    name X.X.X.144 outside-network
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 5
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.3 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.146 255.255.255.248
    interface Vlan5
    description DMZ interface
    no forward interface Vlan1
    nameif DMZ
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    ftp mode passive
    clock timezone GMT 0
    object-group service DM_INLINE_SERVICE_0
    service-object gre
    service-object tcp eq pptp
    service-object udp eq isakmp
    service-object udp eq 1701
    service-object udp eq 1723
    service-object udp eq 4500
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq https
    port-object eq smtp
    access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255
    access-group outside_access in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
    : end
    no asdm history enable

    Thanks, fixed that at least.
    But still no further in getting the connection to be established.
    I see this in my logs:
    6 Oct 09 2012 15:29:22  Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)
    6 Oct 09 2012 15:29:52  Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
    (Z.Z.Z.Z is the outside host I am testing from)
    (I've connected the mailserver to the firewall and configured it to use the FW gateway (192.168.1.3)

  • Nat (DMZ,outside) source dynamic any interface

    Hi Everyone,
    Need to confirm NAT  statement below
    nat (DMZ,outside) source dynamic any interface   in version 9.1.
    So above line means NAT from  DMZ  to outside.
    Need to know  that source here means that we are NATing IP from DMZ?
    any interface means NAT IP will be of outside interface IP?
    Regards
    Mahesh

    Hi Mahesh,
    The below NAT configuration
    nat (DMZ,outside) source dynamic any interface
    Means the following
    The NAT configuration is for connection between "DMZ" and "outside".  Basically for connection FROM "DMZ" to "outside"
    The translation is a "dynamic" translation
    It accepts "any" source address from behind the "DMZ" interface
    It uses the "outside" "interface" IP address as the PAT address
    So it's a basic Dynamic PAT translation for the hosts behind "DMZ" interface and accepts any source address/network you might have behind "DMZ"
    - Jouni

  • NAT for Exchange Server

    Am I correct that I need to NAT a public address to the private address of
    my Windows server in order to have a fully functional Exchange server
    in-house?
    My ISP tells me I can give them the required information and they will
    switch from them providing email to us handling it in-house but I have never
    done this before.
    TIA for any pointers.
    -S-

    Steve,
    > Am I correct that I need to NAT a public address to the private address of
    > my Windows server in order to have a fully functional Exchange server
    > in-house?
    in general, yes.
    > My ISP tells me I can give them the required information and they will
    > switch from them providing email to us handling it in-house but I have never
    > done this before.
    I tend to be very skeptical about ISP's skills, therefore I'd be careful
    about what they say and recommend. It's up to you (since you're the one
    who has been dealing with them before) to decide if they're experienced
    and trustworthy enough :-)
    Said that, there is a configuration that allows you to retrieve your
    messages from the ISP regularly, without having your server being
    directly accessible through a public IP address (think about a PO box
    instead of your standard mailbox in front of your house).
    Essentially the ISP stores the incoming messages for you, and your
    server will "get them" at regular intervals. Since the connection is
    initiated by your server, you don't need to have a public IP address.
    (you don't need a public IP address to SEND e-mails, so that's not an
    issue).
    I've never run a mail server in this configuration, since it's usually
    more typical for very small businesses, but it's possible.
    Cat
    NSC Volunteer Sysop

  • Cisco ASA 9.1(1) Cannot Ping Public Server

    Cisco ASA 9.1(1) I have defined a public server.  Ping from outside fails.  Packet Tracer shows the following:

    Thank you for responding, Vibhor:  Here are the pertinent NAT statements in my running configuration:
    object network Grede-Test-Server
    host xx.xx.xx.xx (Public IP Address)
    description Grede Test Server Menocon
    object network Grede-Test-Server-Private
    host 10.1.104.21
    description Grede-Test Server
    nat (Inside-Test,Outside) source static Grede-Test-Server-Private Grede-Test-Server
    Cheers,
    M.

  • Client Installation on DMZ workgroup server

    Hi,
    Please let me know how the DMZ workgroup client communicates with the SCCM 2012 server which is in the domain.
    Also what client installation properties we need to mention while manually installing the client on the DMZ workgroup server.
    Whether a PKI certificate will be required for authentication?
    I think only HTTP port 80 will be required for communication, please correct me if I am wrong.
    Please suggest.
    Regards
    Parag

    A client in a workgroup and / or dmz has the same port requirements as any other client. For a complete list see:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    For some guidance on installing a client on a workgroup server see:
    http://technet.microsoft.com/en-us/library/gg712298.aspx
    It's not a ConfigMgr requirement that a client in a workgroup requires a PKI certificate.
    The key is that the clients in the dmz can communicate and resolve the management point.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Connect clients to public server!

    Hi everybody!
    I want to connect clients to one public server. I read SAP material and they constraint that SAP Business One does not support Microsoft Windows XP operating system in a server
    configuration either as the SAP Business One Server or as a standalone system. I don't understand.
    Could you explain for me!

    Hello,
    you are right. The XP can't be used as server, means that you use it as server standalone and there is no client. You must use server that its OS is W2K3 standard or enterprise edition.
    Actually SBO server standalone means that you install SQL server 2005 developer edition, SBO server and license server. if you use another XP and install SBO client there, you will fail to connect to server standalone. This server standalone also means that it will not publish in the LAN or WAN system
    Rgds,

  • New BM3.9 Install - Site 2 Site via PAT/NAT/DMZ?

    We are setting up 2 new BM3.9 VMs (initially for Site 2 Site VPN) for a client but their ADSL Routers at each site only have Single Static IPs which are bound to the Router's Public address. I believe the Routers are also providing 'Dynamic NAT' for outbound traffic.
    Would it be possible to set-up a Site 2 Site VPN and perhaps get the Routers to pass all VPN traffic (either using PAT or an all traffic DMZ LAN scenario) to the BM Servers. I am presuming within the Site 2 Site config of VPN Server - Site A you would point it at the Public address of Router - Site B (instead of the BM Server Public).....and vice versa.
    Any comments would be greatly appreciated.
    Cheers,
    Richard.

    In article <[email protected]>, Rsargeant wrote:
    > Would it be possible to set-up a Site 2 Site VPN and perhaps get the
    > Routers to pass all VPN traffic (either using PAT or an all traffic DMZ
    > LAN scenario) to the BM Servers. I am presuming within the Site 2 Site
    > config of VPN Server - Site A you would point it at the Public address
    > of Router - Site B (instead of the BM Server Public).....and vice
    > versa.
    >
    Yes, it should work. While I've only configured one end of this (example
    in my book of one BM server behind a Linksys port-forwarding router), it
    should be ok to do on both ends. As long as you forward the proper ports
    (or ALL traffic) to the BM, it will get the VPN traffic. The VPN
    responses from the server tell the other side what public IP address to
    use, which as you have surmised should be the public address of the
    router in this case.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • NAT, DMZ single interface two firewalls... Create Edge topology

    Hello,
    I have a two firewall DMZ so I'm struggling to understand why the topology builder is asking me for the "Internal" IP of the edge server...  the edge server is not internal (by design) it's in the perimeter network (DMZ) it does not
    have an internal interface nor am I interested in giving it one (that's why I have firewalls).... Its NAT'd..
    Is this explained somewhere ? How do I setup the topology wizard to understand my  firewall configuration.. I see the NAT'd external IP.. obviously that's on the public side...
    Thanks for help,
    Steve Lithgow

    Anthony's two posts win the PRIZE !  Ben gets runner-up !
    It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation).   The internal network can have persistent routes to the
    DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ.  A host with two interfaces that becomes compromised is no more secure than one with a single interface.  Our firewall rules 
    are not based on "networks" to from DMZ.. they are based on source/destination IP's.
    So basically..  my point is MS should not ASSume a particular firewall configuration and force this via the Topology builder... just my .02  
    Can anyone tell me if MS is doing some memory level protection in the Edge server to that masks the external facing process from internal ones or something really special?  My guess is that the edge server is NOT ISA/TMG so......
    To someone else's point..   that stated "You don't want the edge server to be your firewall"  my response is you dang right ! But... in essence that is what you are doing by placing an internal interface on the edge server , firewall rules/routes
    or not.  That is what you are doing is  creating a firewall leg on the edge server. 
    Thanks for all the FAST help !  Though I'm still shaking my head a bit....
    Steve Lithgow

  • Need help setting up static NAT to internal server

    One of my internal servers requires it to be available to the internet. I am having a hard time allowing it to be NATed through my Cisco 2801 router. It seems as though I'm missing something small. From what I can gather it seems as though it's an issue with the ACL, but I'm not sure. I have run the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL
    via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
    Here is a copy of my config. Please advise. Thanks.
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Cisco 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 102 permit tcp any host public ip eq 8443
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end

    If you are planning to use the fa0/1 interface IP itself then the configuration would be:
    ip nat inside source static tcp 172.19.3.133 8443 interface fa0/1 8443 extendable
    Assuming that you would like to port forward TCP/8443.
    Then the ACL should be written:
    ip access-list extended 102
      2 permit tcp any host eq 8443

  • Public Server on 2 external interfaces

    I suspect this is relatively simple, but I'm brand new to the Cisco line (and to the forums), so my apologies if I'm unclear or in violation of forum etiquette.
    I have an ASA5515 which will be using 2 external interfaces, and I need to make a single internal server available to the outside world on both interfaces.  I can accomplish this easily for the main external interface (the faster circuit), but I'm running into issues getting connections through on the backup circuit.  Here's the interface configuration:
    interface GigabitEthernet0/0
    description ISP-2
    nameif backup
    security-level 0
    ip address 10.177.188.22 255.255.255.248
    interface GigabitEthernet0/1
    description ISP-1
    nameif outside
    security-level 0
    ip address 10.131.225.158 255.255.255.240
    interface GigabitEthernet0/2
    description LAN
    nameif inside
    security-level 100
    ip address 192.168.2.250 255.255.255.0
    I'd like outside (internet) users to be able to make an HTTP request on port 80 to 10.131.225.146, which comes in GigabitEthernet 0/1, gets translated to the internal web server at 192.168.2.1:80, and then any response traffic leaves GigabitEthernet 0/1, looking to the user like it originated from 10.131.225.146.
    Additionally, I'd like the same user to be able to make an HTTP request on port 80 to 10.177.188.18, which comes in GigabitEthernet0/0, goes through the above translation, and then response packets exit via GigabitEthernet0/0.
    I've been able to get most of the above working, but when working on the NAT rule for the backup side, packet-tracer tells me that my NAT is fine (it NATs the packet from 192.168.2.1:80 to 10.177.188.18:80), but it wants to then route that packet through the outside interface (GigabitEthernet0/1).
    While I've been able to find many references to this on-line (such as this blog post), they all appear to be outdated, using pre-8.3 syntax.
    I suspect I'm close on this, but I can't seem to get that last piece to make everything 'click'.  Any help would be greatly appreciated.

    Basically you need three elements in your config:
    An ACL-Entry on both interfaces allowing the needed traffic.
    Two NAT-statements, one for each external interface.
    A route to the Backup-NH with a higher AD.
    object network SERVER-VIA-OUTSIDE
    host 192.168.2.1
    nat (inside,outside) static 10.131.225.146 service tcp 80 80
    object network SERVER-VIA-BACKUP
    host 192.168.2.1
    nat (inside,backup) static 10.177.188.18 service tcp 80 80
    access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
    access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
    access-group OUTSIDE-IN in interface outside
    access-group BACKUP-IN in interface backup
    route outside 0.0.0.0 0.0.0.0 NH-ON-OUTSIDE 1
    route backup 0.0.0.0 0.0.0.0 NH-ON-BACKUP 100
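    As an added config-review check (not part of the answer above), the script below parses an ASA 8.3+ style snippet shaped like the one in the answer and flags two mistakes that are easy to make with two external interfaces: an inbound ACL bound to one interface while the object it permits is NAT-mapped on the other, and two inbound access-groups on the same interface, where the later one silently replaces the earlier. The embedded config is constructed for the example and deliberately binds BACKUP-IN to "outside".

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the answer above; the last line is wrong on purpose.
SAMPLE_CONFIG = """
object network SERVER-VIA-OUTSIDE
 host 192.168.2.1
 nat (inside,outside) static 10.131.225.146 service tcp 80 80
object network SERVER-VIA-BACKUP
 host 192.168.2.1
 nat (inside,backup) static 10.177.188.18 service tcp 80 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface outside
"""

def check_asa_nat_bindings(config: str) -> list:
    """Return findings: ACLs that permit an object whose static NAT is mapped on a
    different interface than the ACL is bound to, and interfaces carrying more
    than one inbound access-group (on the ASA only the last one stays applied)."""
    nat_iface = {}                  # object name -> mapped (second) interface of its NAT
    acl_objects = defaultdict(set)  # ACL name -> network objects it references
    bindings = defaultdict(list)    # interface -> ACLs bound inbound, in config order
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"nat \(([^,]+),([^)]+)\) static", line):
            if current:
                nat_iface[current] = m.group(2)
        elif m := re.match(r"access-list (\S+) .*\bobject (\S+)", line):
            acl_objects[m.group(1)].add(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bindings[m.group(2)].append(m.group(1))
    findings = []
    for iface, acls in bindings.items():
        if len(acls) > 1:
            findings.append(f"interface {iface}: multiple inbound ACLs {acls}; only the last applies")
        for acl in acls:
            for obj in acl_objects.get(acl, ()):
                mapped = nat_iface.get(obj)
                if mapped and mapped != iface:
                    findings.append(f"ACL {acl} on {iface} permits object {obj}, but its NAT is mapped on {mapped}")
    return findings

if __name__ == "__main__":
    for finding in check_asa_nat_bindings(SAMPLE_CONFIG):
        print(finding)
```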

  • Fails to connect to the Oracle yum public server

    Hello,
    I would like to connect to the Oracle public yum server so I can install packages from Oracle Linux via a yum client for my RHEL 5.4.
    I am trying to download and copy the appropriate yum configuration file in place, by running the following commands as root:
    Oracle Linux 5
    # cd /etc/yum.repos.d
    # wget http://public-yum.oracle.com/public-yum-el5.repo
    --2011-10-29 15:53:41-- http://public-yum.oracle.com/public-yum-el5.repo
    Resolving public-yum.oracle.com... 141.146.44.34
    Connecting to public-yum.oracle.com|141.146.44.34|:80... failed: Connection timed out.
    Retrying.
    I disabled the Linux firewall with /etc/init.d/iptables stop but it still doesn't help.
    Thank you.

    feverlove wrote:
    --2011-10-29 15:53:41-- http://public-yum.oracle.com/public-yum-el5.repo
    Resolving public-yum.oracle.com... 141.146.44.34
    Connecting to public-yum.oracle.com|141.146.44.34|:80... failed: Connection timed out.

    This has nothing to do with the firewall (which by default only blocks incoming traffic, not outgoing traffic) and all to do with your routing. You have DNS properly configured, but you need to double-check your default gateway and other settings to make sure you can connect to a server on the internet directly. If you need to use a proxy server to make connections, you will have to configure that as well.

  • DMZ - DNS Server, Mail Server, Web Server, FTP Server

    Hi,
    I am looking at a router to support around 20-30 people. I have a DNS Server, Mail Server, Web Server, FTP Server (all on one box (PC)). I was wondering how everyone's experiences with DMZ and port forwarding have been with these protocols with Airport and supporting a group of this size? Do you foresee issues? Will the new Airport handle these requirements better?
    Thanks

    A record for mail.mydomain.com going for ip 199.99.99.999
    MX record for mail.mydomain.com with destination as mail.mydomain.com
    That doesn't quite make sense. There must be an A record for "server.mydomain.com" or you wouldn't be able to reach it at all. You want the MX record to point to that.

  • Public, Server Permissions, and Endpoints

    I am seeking a good discussion of how to handle the impact of revoking connect to endpoint permissions for the public role. Up to this point, I've encountered several resources, including the Microsoft documentation, that recommend removing all server
    permissions from public. I find this amusing due to the fact that all other logins inherit their permissions on the various endpoints from public. Of course, if I revoke connect for the endpoints from public, only system administrators can connect.
    None of the sources that I've found address handling this issue. This reminds me a bit of the old South Park episode with the Underpants Gnomes and their business plan: Step 1 - Underpants, Step 2 - ?, Step 3 - Profit! In this case, it is
    Step 1 - Revoke rights from public, Step 2 - ?, Step 3 - Security!
    There is a comment on the SQL Server 2008 on-line documentation that recommends granting connect to endpoint to specific logins, but it does not supply any detail. I understand that Step 2 is highly dependent on factors that vary from location to location,
    and application to application.
    My question is whether there is a resource that details the considerations for granting connect to endpoint for the various endpoints and logins? I am looking for answers to questions like:
    Is there a case in which one would have a login that was not granted connect to any endpoint?
    Do logins like ##MS_PolicyTsqlExecutionLogin## need these rights, and if so, to which endpoints specifically?
    I have a number of others, but I was hoping someone could provide me with a resource from which I could draw this information without having to chase all over the documentation. Thanks in advance!

    Rick,
    First, thanks so much for the helpful reply! It validates what I was thinking.
    For versions 2008, 2008 R2, and 2012, if you follow Administer Servers by Using Policy-Based Management -> Monitor and Enforce Best Practices by Using Policy-Based Management -> Server public Permissions, it advises, "Do not grant server permissions
    to the server public role." The links below are for the 2012 version of this page:
    http://technet.microsoft.com/en-us/library/cc645930.aspx
    http://msdn.microsoft.com/en-us/library/cc645930(v=sql.110).aspx
    You and "Quantum John" are listed as authors of a comment on the 2008 version of this page (http://technet.microsoft.com/en-us/library/cc645930(v=sql.100).aspx) that acknowledges
    this problem. The last part of that comment is:
    However, as mentioned in Harry Zheng's post on Dosql (http://dosql.com/cms/index.php?option=com_content&view=article&id=96:sql-server-best-practice-policy-public-not-granted-server-permissions&catid=40:microsoft-sql-server&Itemid=41),
    executing the following command:
    REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public
    while best practice, is nevertheless liable to get you in deep trouble on a production server unless you also execute:
    GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [loginname]
    for each of your logins, because without this, no-one except sysadmins will have permission to connect to your instance via TCP.
    It refers to performing the revoke connect on endpoint as best practice, which we agree is arguable. Unfortunately, Harry Zheng's post is a dead link. None of the later editions of this page are commented on in any way.
    Further, the policy referenced by this documentation, "Public Not Granted Server Permissions," is distributed with SQL Server and evaluates @PublicServerRoleIsGranted. It flags this policy as failed if any connect to endpoint is granted to public.
    Fortunately, I'm one of those that insists on testing before moving forward with any change. I also cannot leave gaps in my knowledge unfilled, which is why I posted. Again, thanks for the assistance!
