BM 3.9 Access Rules
Hi!,
Im having a problem with BM 3.9 access rules. When I create a Rule and
then I try to modify the rule I only have a blank Screen and I couldn't
modify the rules.
and in Logger screen I see Device Choosen is null.
Any Idea.
I have BM 3.9 on Netware 6.5.6 and all teh post support pack required.
I have Imanager 2.6 support pack 4.
Thanks.
Please have a look at the recent thread iManager Java Error in this
newsgroup. Perhaps your issue is related.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
Similar Messages
-
ASA 5505, error in Access Rule
Hello.
Tha ASA 5505 is working, but I try to allow http and https from internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an Object called SERVER with IP 192.168.0.100
The outside Interface is called ICE
I have configured NAT:
I have also configured Access Rules:
But when I test it With the Packet Tracer I get an error:
Whats wrong With the Access Rule?
I do prefer the ASDM :)
Best regards AndreasHello Jeevak.
This is the running config (Vlan 13 (Interface ICE) is the one in use:
domain-name DOMAIN.local
names
name 192.168.0.150 Server1 description SBS 2003 Server
name 192.168.10.10 IP_ICE
name x.x.x.0 outside-network
name x.x.x.7 IP_outside
name 192.168.0.100 SERVER description Hovedserver
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
description Direct Connect
backup interface Vlan13
nameif outside
security-level 0
pppoe client vpdn group PPPoE_DirectConnect
ip address pppoe
interface Vlan3
description Gjestenettet
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
interface Vlan13
description Backupnett ICE
nameif ICE
security-level 0
ip address IP_ICE 255.255.255.0
interface Vlan23
description
nameif USER
security-level 50
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
switchport access vlan 23
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup dmz
dns server-group DefaultDNS
domain-name DOMAIN.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host IP_outside eq https
access-list outside_access_in extended permit tcp any host IP_outside eq www
access-list outside_access_in extended permit icmp any host IP_outside echo-reply
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list DOMAINVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list ICE_access_in extended permit tcp any host IP_ICE eq https
access-list ICE_access_in extended permit tcp any host IP_ICE eq www
access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
access-list ICE_access_in remark For RWW
access-list ICE_access_in remark For RWW
access-list USER_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu ICE 1500
mtu USER 1500
ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface ICE
monitor-interface USER
icmp unreachable rate-limit 1 burst-size 1
icmp permit outside-network 255.255.255.0 outside
icmp permit 192.168.10.0 255.255.255.0 ICE
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ICE) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
nat (USER) 1 10.1.1.0 255.255.255.0
static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
access-group USER_access_in in interface USER
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho x.x.x.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 123 rtr 1 reachability
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 10.0.0.10-10.0.0.39 dmz
dhcpd dns y.y.y.2 z.z.z.z interface dmz
dhcpd lease 6000 interface dmz
dhcpd enable dmz
dhcpd address 10.1.1.100-10.1.1.120 USER
dhcpd dns y.y.y.2 z.z.z.z interface USER
dhcpd lease 6000 interface USER
dhcpd domain USER interface USER
dhcpd enable USER
ntp server 64.0.0.2 source outside
group-policy DOMAIN_VPN internal
group-policy DOMAIN_VPN attributes
dns-server value 192.168.0.150
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
default-domain value DOMAIN.local
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_gnu-http-tunnel_arg
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location Server1 255.255.255.255 inside
asdm location IP_ICE 255.255.255.255 inside
asdm location outside-network 255.255.255.0 inside
asdm location SERVER 255.255.255.255 inside
no asdm history enable
What is wrong? Everything Works well except port forwarding.
Andreas -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
i have trouble setting up nat and access rule for webserver located in inside network.
I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
What am i doing wrong?Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
High memory usage and error creating access rules
Hi guys
I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 8.2.5.33 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error
So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.
Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
RegardsHi,
Can you check what is the amount of ACEs you have on the ACLs in use?
I think if you use the command "show access-list " the first line should give you the total amount of ACEs in the ACL
- Jouni -
Not showing top 10 access rule after upgrade to 9.1(5)
Hi
I have recently upgraded ASA 5505 from 8.2 to 9.1 and the ASDM to 7.3 but I can no longer can view the Top 10 Access Rules on the home tab. Is it a bug or do I have to enable anything?
I hope someone can help.Hi Andre
for security reasons I cannot give you the Access rules page. FYI the logging is enabled
However in the home page , when I click on show rule it says the following
Unable to determine corresponding access rule The configuration in ASDM may be out of sync with the device. Please refreah configuration and try again
I refreshed the screen and no change. Welcome any advise. -
I have a problem with one of the clients on my LAN which is running uTorrent to detriment of everyone else. It saturates the pipe. I have been unable to prod this user into bothering to tweak their settings to throttle bandwidth back and so have resorted to an access rule on the router which kicks that MAC address off during a particular time period during the day. But as irritated as I am about this slacker sense of outrageous entitlement, kicking them off entirely seems a tad heavy handed even for me.
So, In the router I can create a rule per MAC address and specify time. But is it possible to limit this to denying uTorrent ONLY? And if so what port or port ranges would I use.
Alternatively I already use a QoS setting for one of my VoIP TA's. Would I gain anything by degrading the application indirectly by creating a QoS = LOW for that port range? Again, I don't really care about any other application, just uTorrent and just that client. How much degradation is there really in setting QoS to LOW?Well it wont make much difference, when you enable QOS service on your router. Yes it is possible to Deny uTorrent application from your Router. When you are Under "Application and Gaming" Tab, Under "Blocked Application" you will find "Application Name" , "Port Range" and "Protocol" so you need to input under Application Name "uTorrent" and under port range you need to input the port number which uTorrent application use and then under protocol select "Both" and click on ADD. Then again in Application you will find uTorrent , select and click on (>>) right arrow so it will block that application on your Router. By doing this it will block uTorrent from your Router.
-
5520 to 5525 all access rules being ignored.
I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working. Could someone take a look at our config and maybe inlighten me on the problem please. Thanks,
http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
: Saved
: Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
ASA Version 8.6(1)2
hostname ColASA01-HA
domain-name corp.COMPANY.com
names
name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
name 74.XXX.XXX.132 ColVPN- description Colo VPN External
name 172.22.5.138 ww2 description ww2 Internal
name 74.XXX.XXX.138 ww2- description ww2 External
name 172.22.5.139 www1 description www1 Internal
name 74.XXX.XXX.139 www1- description www1 External
name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
name 172.22.5.143 ColSysAid description ColSysAid Internal
name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
name 172.22.5.141 Colww3 description Colww3 Internal
name 74.XXX.XXX.141 Colww3- description Colww3 External
name 10.1.1.100 Facts description Facts Internal
name 74.XXX.XXX.135 Facts- description Facts External
name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
name 172.22.5.146 ColBI01 description ColBI01 Internal
name 74.XXX.XXX.146 ColBI01- description ColBI01 External
name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
name 172.22.5.149 ambutrak description AmbuTRAK Internal
name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
name 172.22.5.136 NSTrax description NSTrax Internal
name 74.XXX.XXX.136 NSTrax- description NSTrax External
name 172.22.5.150 btmu description BTMU Internal
name 74.XXX.XXX.150 btmu- description BTMU External
name 172.22.5.155 w2k-isoft description w2k-isoft Internal
name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
name 172.22.5.142 Colexch01 description Colexch01 Internal
name 172.22.5.151 Coltixdb description Coltxdb Internal
name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
name 172.22.5.156 colexcas description colexcas Internal
name 74.XXX.XXX.156 colexcas- description colexcas External
name 172.22.3.74 colexcas01 description colexcas01 Internal
name 172.22.3.75 colexcas02 description colexcas02 Internal
name 172.22.5.157 ColFTP01 description ColFTP01 Internal
name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
name 172.22.5.153 colas2 description colas2 Internal
name 172.22.5.160 colww5 description colww5 Internal
name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
name 172.22.3.100 ColVPN description Colo VPN Internal
name 172.22.5.134 intra.COMPANY.com description on NewPortal
name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
name 10.1.0.80 asgard description asgard Internal
name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
name 10.1.0.87 dubexcas description Dublin CAS NLB
name 10.1.0.85 dubexcas01 description Dublin CAS Server
name 10.1.0.86 dubexcas02 description Dublin CAS Server
name 74.XXX.XXX.166 collync01- description Lync Edge Server External
name 74.XXX.XXX.167 coltmg01- description TMG Server External
name 172.23.2.166 collync01 description Lync Edge Server DMZ
name 172.23.2.167 coltmg01 description TMG Server DMZ
name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
name 10.1.0.0 DublinData description Dublin Data Network
name 10.2.0.0 SouthavenData description Southaven Data Network
name 10.0.0.0 BrentwoodData description Brentwood Data Network
name 10.8.0.0 GilbertData description Gilbert Data Network
name 10.101.0.0 DublinVoIP description Dublin VoIP Network
name 10.110.0.0 PMI_SonicWALL-VOICSubnet
name 172.24.3.50 ColUT04-PCITrust
name 172.22.3.31 coldc01
name 172.22.3.4 coldc02
name 172.22.3.23 ColWSUS02 description Windows Update Server
name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
name 172.22.3.150 ColPRTG01 description PRTG Monitor
dns-guard
interface GigabitEthernet0/0
description Connected to Internet via COLRTR01
speed 100
duplex full
shutdown
nameif outside
security-level 0
ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
ospf cost 10
interface GigabitEthernet0/1
description Connected to Colo LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
ospf cost 10
authentication key eigrp 10 Fiyalt1 key-id 1
authentication mode eigrp 10 md5
interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
ospf cost 10
interface GigabitEthernet0/3
description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
nameif Colo_PCI_Trust
security-level 100
ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
ospf cost 10
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
ospf cost 10
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.COMPANY.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.22.255.0
subnet 172.22.255.0 255.255.255.0
object network PMI_SonicWALL-Subnet
subnet 10.10.0.0 255.255.0.0
object network obj-172.24.3.0
subnet 172.24.3.0 255.255.255.0
object network ColWSUS02
host 172.22.3.23
object network ambutrak
host 172.22.5.149
object network ambutrak-
host 74.XXX.XXX.149
object network btmu
host 172.22.5.150
object network btmu-
host 74.XXX.XXX.150
object network ColBarracuda
host 172.22.5.133
object network ColBarracuda-
host 74.XXX.XXX.133
object network ColBI01
host 172.22.5.146
object network ColBI01-
host 74.XXX.XXX.146
object network colexcas
host 172.22.5.156
object network colexcas-
host 74.XXX.XXX.156
object network ColMOSS01
host 172.22.5.147
object network ColMOSS01-
host 74.XXX.XXX.147
object network COMPANY.com
host 172.22.5.154
object network COMPANY.com-
host 74.XXX.XXX.154
object network Coltixdb
host 172.22.5.151
object network Coltixdb-
host 74.XXX.XXX.151
object network Colww3
host 172.22.5.141
object network Colww3-
host 74.XXX.XXX.141
object network ColSysAid
host 172.22.5.143
object network ColSysAid-
host 74.XXX.XXX.143
object network ColVPN
host 172.22.3.100
object network ColVPN-
host 74.XXX.XXX.132
object network colas2
host 172.22.5.153
object network as2.COMPANY.com-
host 74.XXX.XXX.153
object network Dubmss01
host 10.101.0.24
object network Dubmss01-
host 74.XXX.XXX.145
object network Facts
host 10.1.1.100
object network Facts-
host 74.XXX.XXX.135
object network ftp.COMPANY.co.uk
host 172.22.5.144
object network ftp.boundree.co.uk-
host 74.XXX.XXX.144
object network NSTrax
host 172.22.5.136
object network NSTrax-
host 74.XXX.XXX.136
object network w2k-isoft
host 172.22.5.155
object network w2k-isoft-
host 74.XXX.XXX.155
object network www1
host 172.22.5.139
object network www1-
host 74.XXX.XXX.139
object network ww2
host 172.22.5.138
object network ww2-
host 74.XXX.XXX.138
object network ColFTP01
host 172.22.5.157
object network ColFTP01-
host 74.XXX.XXX.157
object network www.COMPANY.com
host 172.22.5.158
object network www.COMPANY.com-
host 74.XXX.XXX.158
object network act.COMPANY.com
host 172.22.5.159
object network act.COMPANY.com-
host 74.XXX.XXX.159
object network colww5
host 172.22.5.160
object network Rewards.COMPANY.com-
host 74.XXX.XXX.160
object network ColdevAS2
host 172.22.5.161
object network as2test.COMPANY.com-
host 74.XXX.XXX.161
object network intra.COMPANY.com
host 172.22.5.134
object network intra.COMPANY.com-
host 74.XXX.XXX.134
object network asgard
host 10.1.0.80
object network www.COMPANY.net-
host 74.XXX.XXX.163
object network crmws.COMPANY.com
host 172.22.5.165
object network crmws.COMPANY.com-
host 74.XXX.XXX.165
object network dubngwt
host 10.1.5.137
object network dubngwt-
host 74.XXX.XXX.137
object network COMPANYfed.com
host 172.22.5.168
object network COMPANYfed.com-
host 74.XXX.XXX.168
object network www1.COMPANYfed.com
host 172.22.3.63
object network www1.COMPANYfed.com-
host 74.XXX.XXX.171
object network www2.COMPANYfed.com
host 172.22.3.64
object network www2.COMPANYfed.com-
host 74.XXX.XXX.172
object network www1.COMPANY.com
host 172.22.3.60
object network www1.COMPANY.com-
host 74.XXX.XXX.169
object network www2.COMPANY.com
host 172.22.3.61
object network www2.COMPANY.com-
host 74.XXX.XXX.170
object network ColPRTG01
host 172.22.3.150
object network monitor.COMPANY.com-
host 74.XXX.XXX.175
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network collync01
host 172.23.2.166
object network collync01-
host 74.XXX.XXX.166
object network coltmg01
host 172.23.2.167
object network coltmg01-
host 74.XXX.XXX.167
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service Barracuda tcp
port-object eq 8000
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq ssh
group-object Barracuda
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service mySQL tcp
description mySQL Database
port-object eq 3306
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service as2 tcp
description as2
port-object eq 4080
port-object eq 5080
port-object eq https
port-object eq 6080
object-group network DM_INLINE_NETWORK_2
network-object host ColBarracuda
network-object host ww2
network-object host www1
network-object host colexcas01
network-object host colexcas02
network-object host colexcas
network-object host test.COMPANY.com
network-object host colexcas01NLB
network-object host colexcas02NLB
network-object host dubexcas01
network-object host dubexcas02
network-object host dubexcas
object-group service SQLServer tcp
description Microsoft SQL Server
port-object eq 1433
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_14 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host as2.COMPANY.com-
network-object host as2test.COMPANY.com-
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service LyncEdge tcp-udp
description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
port-object eq 3478
port-object eq 443
port-object eq 444
port-object range 50000 59999
port-object eq 5061
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_22 tcp
port-object eq www
port-object eq https
object-group network PMIVPNNetworks
description VPN Networks to PMI
network-object BrentwoodData 255.255.0.0
network-object DublinData 255.255.0.0
network-object SouthavenData 255.255.0.0
network-object GilbertData 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object DublinVoIP 255.255.0.0
object-group network PMI_SonicWALL-Subnets
network-object PMI_SonicWALL-Subnet 255.255.0.0
network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
object-group network COLDCs
network-object host coldc01
network-object host coldc02
access-list inside_access_in remark Allow SMTP from certain servers.
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in remark No SMTP except from allowed servers
access-list inside_access_in extended deny tcp any any eq smtp log errors
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark For debugging (can enable logging)
access-list inside_access_in extended deny ip any any
access-list outside_access_in remark Allow Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow VPN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
access-list outside_access_in remark Allow SMTP, SSH, and Web
access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
access-list outside_access_in remark Allow SSH to Facts
access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
access-list outside_access_in remark Allow mySQL to NSTrax for IQ
access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
access-list outside_access_in remark Allow IMAP to the Voice Mail Server
access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
access-list outside_access_in extended permit tcp any object btmu- eq ftp
access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
access-list outside_access_in remark Allow AS2 to w2k-isoft
access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
access-list outside_access_in remark Allow FTP to ColFTP01
access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
access-list outside_access_in remark allow http/https access in intra.COMPANY.com
access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow http and https to asgard
access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow Lync Edgel traffic to collync01
access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
access-list outside_access_in remark For debugging (can enable logging)
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
access-list Colo_PCI_Trust_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
logging mail critical
logging from-address [email protected]
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Colo_PCI_Trust 1500
mtu management 1500
ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/7
failover key Fiyalt!
failover link HA GigabitEthernet0/7
failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
no monitor-interface DMZ
no monitor-interface Colo_PCI_Trust
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
asdm image disk0:/asdm-66114.bin
asdm location ColVPN- 255.255.255.255 inside
asdm location ColBarracuda- 255.255.255.255 inside
asdm location ColBarracuda 255.255.255.255 inside
asdm location ww2- 255.255.255.255 inside
asdm location www1- 255.255.255.255 inside
asdm location ww2 255.255.255.255 inside
asdm location www1 255.255.255.255 inside
asdm location Colww3- 255.255.255.255 inside
asdm location Colww3 255.255.255.255 inside
asdm location ColSysAid- 255.255.255.255 inside
asdm location ColSysAid 255.255.255.255 inside
asdm location Facts 255.255.255.255 inside
asdm location Facts- 255.255.255.255 inside
asdm location NSTrax- 255.255.255.255 inside
asdm location ftp.boundree.co.uk- 255.255.255.255 inside
asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
asdm location Dubmss01 255.255.255.255 inside
asdm location Dubmss01- 255.255.255.255 inside
asdm location ColBI01- 255.255.255.255 inside
asdm location ColBI01 255.255.255.255 inside
asdm location ColMOSS01 255.255.255.255 inside
asdm location ColMOSS01- 255.255.255.255 inside
asdm location ambutrak- 255.255.255.255 inside
asdm location ambutrak 255.255.255.255 inside
asdm location NSTrax 255.255.255.255 inside
asdm location btmu- 255.255.255.255 inside
asdm location btmu 255.255.255.255 inside
asdm location COMPANY.com- 255.255.255.255 inside
asdm location COMPANY.com 255.255.255.255 inside
asdm location as2.COMPANY.com- 255.255.255.255 inside
asdm location colas2 255.255.255.255 inside
asdm location w2k-isoft- 255.255.255.255 inside
asdm location w2k-isoft 255.255.255.255 inside
asdm location Coltixdb- 255.255.255.255 inside
asdm location Coltixdb 255.255.255.255 inside
asdm location colexcas- 255.255.255.255 inside
asdm location colexcas01 255.255.255.255 inside
asdm location colexcas02 255.255.255.255 inside
asdm location colexcas 255.255.255.255 inside
asdm location ColFTP01- 255.255.255.255 inside
asdm location ColFTP01 255.255.255.255 inside
asdm location www.COMPANY.com- 255.255.255.255 inside
asdm location www.COMPANY.com 255.255.255.255 inside
asdm location act.COMPANY.com- 255.255.255.255 inside
asdm location act.COMPANY.com 255.255.255.255 inside
asdm location Rewards.COMPANY.com- 255.255.255.255 inside
asdm location colww5 255.255.255.255 inside
asdm location as2test.COMPANY.com- 255.255.255.255 inside
asdm location ColdevAS2 255.255.255.255 inside
asdm location test.COMPANY.com 255.255.255.255 inside
asdm location colexcas01NLB 255.255.255.255 inside
asdm location colexcas02NLB 255.255.255.255 inside
asdm location ColVPN 255.255.255.255 inside
asdm location intra.COMPANY.com- 255.255.255.255 inside
asdm location intra.COMPANY.com 255.255.255.255 inside
asdm location asgard 255.255.255.255 inside
asdm location www.COMPANY.net- 255.255.255.255 inside
asdm location crmws.COMPANY.com- 255.255.255.255 inside
asdm location crmws.COMPANY.com 255.255.255.255 inside
asdm location dubngwt- 255.255.255.255 inside
asdm location dubngwt 255.255.255.255 inside
asdm location dubexcas01 255.255.255.255 inside
asdm location dubexcas02 255.255.255.255 inside
asdm location dubexcas 255.255.255.255 inside
asdm location collync01- 255.255.255.255 inside
asdm location coltmg01- 255.255.255.255 inside
asdm location collync01 255.255.255.255 inside
asdm location coltmg01 255.255.255.255 inside
asdm location COMPANYfed.com- 255.255.255.255 inside
asdm location COMPANYfed.com 255.255.255.255 inside
asdm location www1.COMPANY.com- 255.255.255.255 inside
asdm location www2.COMPANY.com- 255.255.255.255 inside
asdm location www1.COMPANYfed.com- 255.255.255.255 inside
asdm location www2.COMPANYfed.com- 255.255.255.255 inside
asdm location www1.COMPANY.com 255.255.255.255 inside
asdm location www2.COMPANY.com 255.255.255.255 inside
asdm location www1.COMPANYfed.com 255.255.255.255 inside
asdm location www2.COMPANYfed.com 255.255.255.255 inside
asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
asdm location PMISonicWALL 255.255.255.255 inside
asdm location BrentwoodData 255.255.0.0 inside
asdm location GilbertData 255.255.0.0 inside
asdm location coldc01 255.255.255.255 inside
asdm location coldc02 255.255.255.255 inside
asdm location ColWSUS02 255.255.255.255 inside
asdm location monitor.COMPANY.com- 255.255.255.255 inside
asdm location ColPRTG01 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
object network ambutrak
nat (inside,outside) static ambutrak-
object network btmu
nat (inside,outside) static btmu-
object network ColBarracuda
nat (inside,outside) static ColBarracuda-
object network ColBI01
nat (inside,outside) static ColBI01-
object network colexcas
nat (inside,outside) static colexcas-
object network ColMOSS01
nat (inside,outside) static ColMOSS01-
object network COMPANY.com
nat (inside,outside) static COMPANY.com-
object network Coltixdb
nat (inside,outside) static Coltixdb-
object network Colww3
nat (inside,outside) static Colww3-
object network ColSysAid
nat (inside,outside) static ColSysAid-
object network ColVPN
nat (inside,outside) static ColVPN-
object network colas2
nat (inside,outside) static as2.COMPANY.com-
object network Dubmss01
nat (inside,outside) static Dubmss01-
object network Facts
nat (inside,outside) static Facts-
object network ftp.COMPANY.co.uk
nat (inside,outside) static ftp.COMPANY.co.uk-
object network NSTrax
nat (inside,outside) static NSTrax-
object network w2k-isoft
nat (inside,outside) static w2k-isoft-
object network www1
nat (inside,outside) static www1-
object network ww2
nat (inside,outside) static ww2-
object network ColFTP01
nat (inside,outside) static ColFTP01-
object network www.COMPANY.com
nat (inside,outside) static www.COMPANY.com-
object network act.COMPANY.com
nat (inside,outside) static act.COMPANY.com-
object network colww5
nat (inside,outside) static Rewards.COMPANY.com-
object network ColdevAS2
nat (inside,outside) static as2test.COMPANY.com-
object network intra.COMPANY.com
nat (inside,outside) static intra.COMPANY.com-
object network asgard
nat (inside,outside) static www.COMPANY.net-
object network crmws.COMPANY.com
nat (inside,outside) static crmws.COMPANY.com-
object network dubngwt
nat (inside,outside) static dubngwt-
object network COMPANYfed.com
nat (inside,outside) static COMPANYfed.com-
object network www1.COMPANYfed.com
nat (inside,outside) static www1.COMPANYfed.com-
object network www2.COMPANYfed.com
nat (inside,outside) static www2.COMPANYfed.com-
object network www1.COMPANY.com
nat (inside,outside) static www1.COMPANY.com-
object network www2.COMPANY.com
nat (inside,outside) static www2.COMPANY.com-
object network ColPRTG01
nat (inside,outside) static monitor.COMPANY.com-
object network obj_any
nat (inside,outside) dynamic 74.XXX.XXX.131
object network collync01
nat (DMZ,outside) static collync01-
object network coltmg01
nat (DMZ,outside) static coltmg01-
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
router eigrp 10
no auto-summary
eigrp router-id 172.22.1.8
network 172.22.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Colo protocol radius
aaa-server Colo (inside) host coldc02
timeout 5
key Bound/\Tree
radius-common-pw Bound/\Tree
aaa-server Colo (inside) host coldc01
timeout 5
key Bound/\Tree
user-identity default-domain LOCAL
http server enable
http 172.22.0.0 255.255.0.0 inside
http DublinData 255.255.0.0 inside
http DublinData 255.255.0.0 management
snmp-server host inside 10.1.0.59 community public
snmp-server host inside ColPRTG01 community public
snmp-server location Columbus, OH - Colo
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer PMISonicWALL
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet BrentwoodData 255.0.0.0 inside
telnet coldc02 255.255.255.255 inside
telnet DublinData 255.255.0.0 management
telnet timeout 5
ssh 172.22.0.0 255.255.0.0 inside
ssh DublinData 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 74.14.179.211 source outside prefer
ntp server 69.64.72.238 source outside prefer
ntp server coldc02 source inside
ntp server 74.120.8.2 source outside prefer
ntp server 108.61.56.35 source outside prefer
ntp server coldc01 source inside
webvpn
group-policy GroupPolicy_74.XXX.XXX.130 internal
group-policy GroupPolicy_74.XXX.XXX.130 attributes
vpn-tunnel-protocol ikev1
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 172.22.3.4 172.22.3.31
vpn-tunnel-protocol ikev1
default-domain value corp.COMPANY.com
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
authentication-server-group Colo
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
ikev1 pre-shared-key *
tunnel-group 184.XXX.XXX.226 type ipsec-l2l
tunnel-group 184.XXX.XXX.226 ipsec-attributes
ikev1 pre-shared-key *
peer-id-validate nocheck
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect http
inspect icmp
inspect pptp
inspect icmp error
inspect ip-options
class class-default
service-policy global_policy global
smtp-server 172.22.5.156
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65e78911eefb94bd98892700b143f716
: endHi,
Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
So I am kind of wondering what the situation has actually been.
But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
- Jouni -
GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis
Hello Gurus,
We have done configuration of GRC AC 10, and uploaded files via
SoD rules -->Upload Rules
After that we generated SoD rules for Risk Id : B001 and B002
Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
The report shows (for Group Rule level : Action)
Number of Active rules : 0
Number of Disabled Rules : 0
Number of Functions : 151
Where as for Group Rule level : Action Risk
The report shows
Number of Active Risk : 42
Disabled risk : 161
Nmr. of functions : 151 .
When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
Note: All the background jobs have run successfully.
Also the SoD files also have been uploaded successfully.
Will you please guide how can i activate the "rules" for the uploaded risk ??
regards,
VictorHello Victor/ Inder,
For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
BUSINESS Business Roles SAP
SAP_BAS_LG SAP Basis SAP
SAP_CRM_LG SAP CRM SAP
SAP_ECC_LG SAP ECCS SAP
SAP_HR_LG SAP HR SAP
SAP_NHR_LG SAP R3 - NON HR Basis Logical Group SAP
SAP_R3_LG SAP R3 SAP
SAP_SRM_LG SAP SRM SAP
(If not present then manually you can create the same)
Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
Post this activity re generate SOD for B001 and then check for user level and role level analysis.
Hope it will resolve your issue.
Regards,
Sudesh -
RV180W - Access Rules Don't Work
Hi,
We have a RV180W and the Access Rules will not work. I'm trying to block HTTP and HTTPS services for a specific workstation on our LAN, but the access rules don't seem to be working. I've also tried blocking different services as well as ANY service, but it's not working. I've tried rebooting the router after adjusting settings; I've tried adjusting services from the Port Forwarding menu first; and a couple weeks ago, I upgraded the firmware to version 1.0.2.6 and repeated all the previous steps. Nothing seems to be working. So far the only solution I could come up with is to block the workstation's MAC address altogether, but I don't want that because I still need it to hit the internet for other services.
Thank you,
RyanThese are the Access Rules I've tried (firmware v1.0.2.6):
Outbound:
Inbound along with the auto added Port Forwarding setting: -
BM 3.9 Access Rules Work Only Once
What I want:
Access Rule that blocks ALL attempts to download in a browser any file that ends with a specific extension (.exe for example).
What I have:
Access Rule:
Type: Port
Source DNS Hostname: Any
Destination DNS Hostname: *.exe
Origin Server Port: 1-65535
Action: Deny Access
What is happening:
I apply the rule and test and I am denied the first attempt.
When another attempt is made, the action is allowed.
Monitor shows the following error message when rules changes are applied:
Unable to read configuration from NDS (error - -672)
Note: I just removed ALL rules listed in iManager, saved and I am still able to access web pages. I though that by default access is denied?In article <[email protected]>, Johnefleming
wrote:
> I apply the rule and test and I am denied the first attempt.
> When another attempt is made, the action is allowed.
>
> Monitor shows the following error message when rules changes are
> applied:
>
> Unable to read configuration from NDS (error - -672)
>
Do you have a replica on the server?
A 672 error sounds like something fundamentally wrong is going on with
NDS on that server. You should have a replica on it that holds the
server objects at least.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Applying new access rules fails.
Netware 6.5 SP6 BM 3.9
Ok, new problem. I am trying to add some new access rules to the list in a particular container. When I have defined the rule and click apply I get the following message - Unknown system error. This doesnt happen on the other container which already has rules defined in it. Are the rules from the higher level container being propogated down the tree as I assumed they would be ?
---treename 2 explicit deny rules for the whole company
------it This container to be exempt. cant add rule to allow all.
------helpdesk
------etc
Another aside seems to be that even though "Enforce Access Rules" is always on sometimes the rules do not work and sometimes they do.
Any help much appreciated.JeffSheehan,
It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com/ to search the knowledgebase and check the other support options available on that page under "Self Support" and "Support Programs".
- You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Good Day To All,
We recently purchased a RV082 Firewall Router and I am having the headache of a lifetime with the access rules and port forwarding. I have read EVERY post possible and still cannot come to a conclusion of what I am doing wrong...
First Question is the MAIL SERVER.. I could not get our email server to talk when setting this device to DMZ so for the time being I put it on LAN2 and attempted to set up an access rule Port 25 to the IP of the mail server. NO GO.. I had to port forward or it would not work.
Now I want to deny access on port 25 over WAN1 201.X.X.108 but allow access over port 25 on WAN2 201.X.X.109 and this is where it's a NO GO. It doesnt matter what order I put the rules in, its still a no go. Furthermore if I take out the port forward 25 and put in the rules to allow ANY source to reach 25 on the mail server it ALSO does not work...
This is what I have now and I can still access the email server on EITHER WAN address. I have tried to specifically DENY WAN1 but still no luck.
FORWARD:
PORT 25 to 192.168.0.221 is ENABLED
ACCESS RULES: (in this order)
ACTION: ALLOW
SERVICE: SMTP:25
SOURCE INTERFACE: WAN2
SOURCE: ANY
DESTINATION: 192.168.0.221
TIME: ALWAYS
ACTION: ALLOW
SERVICE: SMTP:25
SOURCE INTERFACE: LAN
SOURCE: 192.168.0.221
DESTINATION: ANY
TIME: ALWAYS
ACTION: DENY
SERVICE: SMTP:25
SOURCE INTERFACE: ANY
SOURCE: ANY
DESTINATION: ANY
TIME: ALWAYS
Now Second Question is pretty much the same but with SSH on port 22. I did this as a test and enabled SSH to the mail server.
FORWARD:
NOTHING SET
ACTION: ALLOW
SERVICE: SSH:22
SOURCE INTERFACE: ANY
SOURCE: ANY
DESTINATION: 192.168.0.221
TIME: ALWAYS
Why would this not work? The ONLY was I can get an SSH:22 to work is if I port forward it and then the access rule when set to DENY ALL it still allows it on both WAN1 and WAN2...
CONFUSED!
HELP!
PLEASE!
The Screen shot was my last attempt at making SSH work...Esentially what I am trying to accomplish is to NOT have the port forward set. But in every case so far it seems as if the access rules DO NOT WORK at all.
Even if I set SSH:22 to port forward and set a firewall rule to DENY ANY ANY ANY to ANY I can still SSH to the box -
My Router Access Rule is getting deleted
Hello,
I set up an xbox360 with a static IP address on my home network. My firewall is set to maximum and I need to set up some access rules for xbox live. This was not difficult but what I've found is that after a few days the access rule is suddenly absent from the list (but the port forwarding rule remains). why is this occurring? This is an Actiontec router from Verizon.
ThanksMake sure to change the control password of the router, if you have not already.
Look in the router in Advanced, for that setting.
If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button. -
Using domain names in access rules
In an access-rule, is there a way to define a host by using its FQDN, without the IOS resolving the name to an IP address? My problem is that I'm trying to give my home PC secure access to my router's SDM, but my ISP changes my IP address every few days. I have DDNS service from no-ip.com, so I have a valid FQDN that never changes. Is this possible? I have a Cisco 2811 with IOS version 12.4(3g). Any help or advise will be appreciated.
Agreed, you have to have some semblence of an IP address segment. In my part of the world we pay the extra $9.99 to get a static IP Address from a local ISP. When it comes to having reliable remote access to the network we have to administer and maintain, it's worth it.
-
Source IP Address Access Rule Not Working
I'm trying to create and access rule that denies certain source IP addresses
from making SMTP connections to my email server. I create the access rule
and put it at the top of the list but the connections are still happening.
It's a deny rule to block Port, Service: SMTP, Origin Server Port 25, TCP &
UDP, Specified 'ip addresses', Destination 'any'. Granted I have my email
NATed through a secondary IP address to the email server. Any ideas why this
isn't working? Thanks.It's a GWIA.
>>> On 11/22/2006 at 11:27 AM, in message
<bw19h.1043$[email protected]>, Jim
Michael<[email protected]> wrote:
> Adrian van Ravesteyn wrote:
>> OK, that makes sense. Is there a way I can limit access for certain ip
>> addresses on this NATed interface?
>
> Giving access to "all but a few" is a problem, but limiting access to
> "all but a few" is relatively easy (you just create the exceptions you
> need, with the allowed source IPs). You're better off blocking specific
> IPs at your SMTP server. Is your mail server a GroupWise GWIA, or
> something else? -
Internal error: Unable to find the access rule.
I have a Cisco ASA 5550 and using ASDM 6.2.
Opening the ASDM, in Firewall Dashboard, in Top 10 Access Rules, show the second rule with more hit: "interface X | source: any | Dest: any | Service: ip | Action: Permit.
During the day, the hits increase and decrease.
Well, the problem: That rule there isn't.
When I click with the right mouse button and click on show rule, a message is displayed:
"Internal error: Unable to find the access rule."
I can't find the rule in Configuration Mode and in Console Mode.
Well, the rule there isn't.
What can I do for this rule disappears from the Top 10 Dashboard?I suggest opening a case with Cisco TAC. This could be an issue with the device itself.
Please remember to select a correct answer and rate helpful posts
Maybe you are looking for
-
Having followed the instructions for "if you have never synced your device to itunes" and my computer displayed the message that the device has been restored, my phone is still saying its disabled and I should connect to itunes. What do I do now??
-
Reccomendations needed for NVIDIA GeForce 7300 GT replacement.
I just had my third NVIDIA GeForce 7300 GT graphics card fail (got them replaced through Apple Care which has now expired). I need to get a replacement graphics card but do not want another one of these! Specs on my '07 Mac Pro: Model Name: Mac
-
Firefox Sync alerts "Incorrect password or username" every time it starts.
Every time I start Firefox, I get the following error message from Sync: "Sync encountered an error while connecting:Incorrect account name or password. Please try again. [Preferences]" In my about:log-sync, these lines appear: <pre>Sync.Service DEBU
-
Monitor event id rule vs monitor
Hi! Should I use a unit monitor or a rule to monitor event ID? I know I can do it with both, but what is best practice?
-
Website not displaying in IE 9
My website suddenly stopped displaying in IE 9 (it works in mozilla and chrome). I get a blank screen displaying only the background. A clue might be that 'live view' gives me a blank. It worked prior to changes I made, but I did not keep a backup