Cisco ASA: Assign same rule sets to multiple interfaces
Hi guys,
We want to connect to physical interfaces from ASA to each Nexus core, so is there any possibility to assign same rule set to both interfaces simultaneously? (a kind of zone aggregation).
Regards.
Jesus
Hi
What is Your ASA Code running on your ASA appliance , From ASA code 8.3 you can have global access rule .
lobal access rules.
8.3(1)
Global access rules were introduced.
The following command was modified: access-group.
Interface access rules are bound to any interface at the time of their creation. Without binding them to an interface, you can not create them. This differs from the Command Line example. With CLI, you first create the access list with the access listcommand, and then bind this access list to an interface with the access-group command. ASDM 6.3 and later, the access list is created and bound to an interface as a single task. This applies to the traffic flowing through that specific interface only.
Global access rules are not bound to any interface. They can be configured through the ACL Manager tab in the ASDM and are applied to the global ingress traffic. They are implemented when there is a match based on the source, the destination, and the protocol type. These rules are not replicated on each interface, so they save memory space.
When both these rules are to be implemented, interface access rules normally takes the precedence over the global access rules.
HTH
Sandy
Similar Messages
-
How can we assign one attribute set to multiple business partners at a time ?
How can we assign one attribute set to multiple business partners at a time ? Is it possible ? Can anyone explain me ?
Hello,
please refer to the following thread:
How can we assign one Attribute Set to multiple Business Partners at a time? Is it possible?
best regards,
Johannes -
Same rule set for two apply processes
Hi!
Can anyone tell me whether it is possible to use the same rule set and all rules in it for two apply processes? It would be easy for me to use such configuration, because sometimes I create LCRs myself, sometimes Oracle captures them. They're exactly the same.
And second question - I tried the above configuration, but the apply process for user created LCRs aborts when it sees first message. Error is: "ORA-00600: internal error code, arguments: [knlcfpactx:any_knlso], [], [], [], [], [], [], []". Oracle MetaLink and Google know nothing about this error. I also don't know if it's somehow connected with these rule sets or is it a problem within my procedure which creates LCRs.
GreetingsI'm answering myself. Yes, it is possible, to use the same rule set for different processes. It is said in the documentation. It is also possible to use one rule in several rule sets according to documentation.
And it seems that it has nothing to do with my ORA-00600 error. -
Cannot assign same MAC address to multiple ephones
Hello,
When i try to add a telephone IP to CME i got this message
MAC address is already assigned with ephone 28.
Cannot assign same MAC address to multiple ephones
i delete the ephone 28 with this command
#ephone 28
#no mac-adress
#exit
no ephone 28
and i try to add my phone i have always the same error message.
and when i tap #show runing config i cant find no ephone with 28
could you help me please.
Thank youAssign a dummy mac address to ephone 28.
-
How can we assign one Attribute Set to multiple Business Partners at a time? Is it possible?
Hi,
Can we assign attribute set to multiple business partners at a time, is it possible in Marketing. I got an interview question please tell me if you know the answer. Thank you in advance.sh
Regards
Kishor Kumar.Hi Kishor ,
We can assign attribute set to multiple business partner at a time using Report " Assignment of an attribute value to allbusiness partners in a target group".
This report can be access from sap guid Marketing->Tools->exter tools.
Regards,
Anju -
Using the same correlation set to multiple instances of the same process
Hi all,
Assuming that I have a Purchase Order with multiple items and I have a BPEL process that is triggered for each item.
When the Purchase Order is cancelled by the customer, I want to cancel all BPEL process that is still running. I'm using SOA Suite 11.1.1.2.
My first attempt was to use an event handler associated to a cancellation operation, but I couldn't do this because when the second BPEL instance was started, a conflictingReceive BPEL Fault is triggered. This occurs because BPEL can't have more than one active receive/on message using the same correlation set.
Another way to do this is using a different correlation set for each instance (somethig like a composite key - Purchase Order ID + Item ID, i.e), but in this way I need to know all composite key in advance and send one message to each instance specifically.
Anyone have any suggestion of how to cancel more then one instance of the same BPEL process using Event or a generic way that does not need to send one message for each instance?
Events work very well to start more then one BPEL process but does not work well to receive an intermediate message during process execution because in this case we need correlation set to associate the event with the correct instance and BPEL does not support more then one instance of the same BPEL process waiting for the same correlation set.
Any suggestion will be very welcome.
Thanks in advance,
RafaelNever mind. I got it.
I put the iisforward.dll and .ini is a seperate folder, and edited the iisproxy.ini's to include the portnumber like this. And I changed the hostheaders in IIS to Site1, Site2 etc
vhost1=Site1:80
Site1:80=C:\Sites\Site1\iisproxy.ini
vhost2=Site2:80
Site2:80=C:\Sites\Site2\iisproxy.ini
vhost3=Site3:80
Site3:80=C:\Sites\Site3\iisproxy.ini -
Cisco ASA 8.2 55xx connect 2 inside interfaces together
Hi all,
I have some problem with my Cisco ASA 8.2 5510. I have to know how shoud i connect 2 inside interfaces together. I am writing what i have.
I have 5 network connection on Cisco ASA.
1. Interface Ethernet 0/0 - outside 200.200.200.200 255.255.255.240
2. Interface Ethernet 0/1 - 1_firm 10.0.1.1 255.255.255.0
3. Interface Ethernet 0/2 - 2_firm 192.168.1.1 255.255.255.0
4. Interface Ethernet 0/3 - DMZ-Server 10.10.10.1 255.255.255.0 (Just one Server)
5. Management - no need
I have to connect 2 Interfaces, (1_firm) with Interface (2_firm). I've tried
"route 1_firm 192.168.1.0 255.255.255.0 10.0.1.1" ,
but i resiving following error "Cannot add route,connected route exists".
But i have no route configuration. What i have cheking? Or maked i some wrong?
Thank you for your helpHi Jennifer,
Thanks for your answer.
Sec. Level 90 .
Can you write me correct NAT and exeption configuration? That is my conf.
This is my test Firewall system
ciscoasa(config)# sh run
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outisde
security-level 0
ip address 200.100.100.200 255.255.255.240
interface Ethernet0/1
nameif vpm
security-level 90
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
nameif wundplan
security-level 90
ip address 10.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list wundplan_access_in extended permit ip 10.0.1.0 255.255.255.0 any
access-list vpm_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outisde_access_in extended permit ip any 200.100.100.192 255.255.255.240
access-list wundplan_nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outisde 1500
mtu vpm 1500
mtu wundplan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outisde) 101 interface
global (wundplan) 1 10.0.1.0 netmask 255.255.0.0
access-group outisde_access_in in interface outisde
access-group vpm_access_in in interface vpm
access-group wundplan_access_in in interface wundplan
route outisde 0.0.0.0 0.0.0.0 200.100.100.199 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 wundplan
http 192.168.1.0 255.255.255.0 vpm
http 10.0.0.0 255.255.255.0 wundplan
http 192.168.0.0 255.255.255.0 vpm
http redirect wundplan 80
http redirect vpm 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cd35a1417360a176153562a9c67e266
: end
Thynk you very mach. -
Cisco ASA won't send Syslog out management interface
I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?
Hi Mark,
Talking of packet tracer, it would give you correct output for a through the box traffic, not for to the box or from the box traffic.
So firstly we have two questions:
1) Is this a through the box traffic, then you need to permit the traffic through ACL(if from lower sec level to higher) and add a NAT statement(depending on the ASA IOS Version you are using anything above 8.2.5 wont require a NAT).
2) If this is a syslog from the firewall scenario, then you need to make sure to get the following logging configuration on ASA
-enable logging
-logging host management X.X.X.X --------(X.X.X.X is the ip of the syslog server)
-logging trap debugging ----------(debugging is the level, you could use any other too, but to check would sugest this one)
-Further if you have already sorted out till here, get us the following outputs:
-show run
-show logging
-show logging queue
Hope it helps
Cheers,
Naveen
Please Rate Helpful posts. -
Include multiple sub-interfaces in Cisco ASA for VPN tunnel
I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site. -
Cisco ASA, skipping real source port number with PAT.
Hi Experts,
Cisco ASA configuration guide says:
"PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "
Is it possible to skip this ? I do not want to use real source port number. The issue is, when I have a PAT entry with real source port (port 5060), - SIP session doesn't work. With all the other ports numbers,- everything works.Hi,
Notice that the configuration you try does not modify the real source port at all.
Since you are using the same "object" for the real/mapped service then the configuration above matches traffic where the connections destination is "any" and the destination is "udp 6000 65535" and only when the source is "udp sip" and in that event it keeps the exact same "udp sip" source port as you are using the same "object".
I am not sure if its a software or configuration related issue but I have not gotten this to work reliably on my ASA. I might have to try some other software level.
I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port?. With that in mind I was thinking something like this
object service UDP-SIP
service udp source eq sip
object service UDP-SIP-MAPPED
service udp source range 30000 31000
nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED
Though it seems the above configuration seems to be bypassed by the ASA completely and it seems to use the identical source port as the mapped port even though it matches the configuration.
If I were to change the above configuration from "dynamic" to "static" then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports also instead of the current single source port "sip".
nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional
Example from my own ASA.
DYNAMIC
- Matches the configuration but doesnt map the port at all
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
Additional Information:
Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060
STATIC
- Matches the configuration and maps the source port but only uses the first mapped port from the range
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
Additional Information:
Static translate 10.0.0.123/5060 to <my pat ip>/30000
I am not really sure if this configuration is reliable at all but its the only thing I can think of at the moment.
Hope this helps :)
- Jouni -
Rule set - Fundamentals - 46C ECC6 Upgrade impact
Hi,
Am on CC 4.0 FF3.0, SP 12
1.Am I right to say that the rule set contains objects /tcds ?
2. During the upgrde from 46C to ECC6.0 many objects are present, how much is the impact if I use the same rule set as 46C on ECC6 ?
3. Do I really need to change the rule set now or can i defer it - to a date when i get to the GRC 53?
ThanksHi George,
Please find my response below:
1.Am I right to say that the rule set contains objects /tcds ? Yes. Rule set contains all the rules which in turn contains combinations of objects and tcodes which poses risks.
2. During the upgrde from 46C to ECC6.0 many objects are present, how much is the impact if I use the same rule set as 46C on ECC6 ? The same rule set will work but it won't have all the new tcodes or objects.
3. Do I really need to change the rule set now or can i defer it - to a date when i get to the GRC 53? *As long as you don't use new tcodes/objects from ECC, it should be fine. If you have to follow SOX then your auditors might not agree with thi
Regards,
Alpesh -
Hi Friends,
Can we assign same ISO code to multiple UOM's???. If so, what will be the efeect??
Thanks in advance,
Steve.Hi,
Assignment of same ISO code to multiple UoM can be done, but the primary code checkbox must be ticked only for one, else would cause conflict for EDI.
The SAP help reads as below:
An ISO code can be assigned to several internal measurement units.
Use
The ISO code is important for EDI. It is used to convert the internal SAP
measurement units into standard measurement units. Data exchange
via EDI requires internal measurement units to be converted into standard
measurement units.
Hope the above answers your query.
Regards,
Vivek -
Link State Tracking in Cisco ASA
Dear ASA Guru,
Is there any feature like Link State Tracking in Catalyst for Cisco ASA. I want to shutdown another interface if one interface is down in Cisco ASA.
Best Regards,
Rizal FerdiyanAFAIK - this is not an available feature.
HTH> -
Cisco ASA 5505 VPN Anyconnect no address assignment
I have a problem with ip assigment via anyconnect. I always get the message no assigned address via anyconnect. I assigned to my profile for vpn a address pool, but it's still not working. Here is my config:
hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description Private Interface
nameif inside
security-level 100
ip address 192.168.178.10 255.255.255.0
ospf cost 10
interface Vlan2
description Public Interface
nameif outside
security-level 0
ip address 192.168.177.2 255.255.255.0
ospf cost 10
interface Vlan3
description DMZ-Interface
nameif dmz
security-level 0
ip address 10.10.10.2 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.178.3
name-server 192.168.177.1
domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
subnet 192.168.178.0 255.255.255.192
object service teamviewer
service tcp source eq 5938
object service smtp_tls
service tcp source eq 587
object service all_tcp
service tcp source range 1 65535
object service udp_all
service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
object-group user DM_INLINE_USER_1
user LOCAL\admin
user LOCAL\lukas
user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service 192.168.178.network tcp
port-object eq 5000
port-object eq 5001
object-group service DM_INLINE_SERVICE_1
service-object object smtp_tls
service-object tcp destination eq imap4
service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
service-object object all_tcp
service-object object udp_all
object-group service DM_INLINE_SERVICE_3
service-object object all_tcp
service-object object smtp_tls
service-object object teamviewer
service-object object udp_all
service-object tcp destination eq imap4
object-group service vpn udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group service openvpn udp
port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside in terface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object -group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object -group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.1 78.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.1 78.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE in terface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo -reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 an y host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq si p
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0. 251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Nam e Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0. 252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbi os-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ i nterface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10 .10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any objec t-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any objec t-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16 8.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.1 78.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16 8.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0 .0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
object network 192.168.178.x
nat (inside,outside) dynamic interface
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-A ES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A ES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES2 56 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=firewall
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn l1u.dyndns.org
email [email protected]
subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA= [email protected]
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a871953
308201cf 30820138 a0030201 0202046a 87195330 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130866 69726577 616c6c31 17301506 092a8648
86f70d01 09021608 66697265 77616c6c 301e170d 31343033 30373039 31303034
5a170d32 34303330 34303931 3030345a 302c3111 300f0603 55040313 08666972
6577616c 6c311730 1506092a 864886f7 0d010902 16086669 72657761 6c6c3081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c0 8f17fa6c
2f227dd9 9d2856e1 b1f8193b 13c61cfe 2d6cbf94 62373535 71db9ac7 5f4ad79f
7594cfef 1360d88d ad3c69c1 6e617071 c6629bfa 3c77c2d2 a59b1ce1 39ae7a44
3f8c852d f51d03c1 d9924f7c 24747bbb bf79af9a 68365ed8 7f56e58c a37c7036
4db983e0 414d1b5e a8a2226f 7c76f50d d14ca714 252f7fbb d4a23d02 03010001
300d0609 2a864886 f70d0101 05050003 81810019 0d0bbce4 31d9342c 3965eb56
4dde42e0 5ea57cbb a79b3542 4897521a 8a6859c6 daf5e356 9526346d f13fb344
260f3fc8 fca6143e 25b08f3d d6780448 3e0fdf6a c1fe5379 1b9227b1 cee01a20
aa252698 6b29954e ea8bb250 4310ff96 f6c6f0dc 6c7c6021 3c72c756 f7b2e6a1
1416d222 0e11ca4a 0f0b840a 49489303 b76632
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 580c1e53
308202ff 30820268 a0030201 02020458 0c1e5330 0d06092a 864886f7 0d010105
05003081 c3312230 2006092a 864886f7 0d010901 16136d61 696c406c 31752e64
796e646e 732e6f72 67310d30 0b060355 04071304 504c4247 310c300a 06035504
0813034e 5257310b 30090603 55040613 02444531 10300e06 0355040a 13074954
54524950 50311530 13060355 040b130c 56504e20 53657276 69636573 31173015
06035504 03130e6c 31752e64 796e646e 732e6f72 67313130 12060355 0405130b
4a4d5831 3533345a 30575430 1b06092a 864886f7 0d010902 160e6c31 752e6479
6e646e73 2e6f7267 301e170d 31343033 31353036 35303535 5a170d32 34303331
32303635 3035355a 3081c331 22302006 092a8648 86f70d01 09011613 6d61696c
406c3175 2e64796e 646e732e 6f726731 0d300b06 03550407 1304504c 4247310c
300a0603 55040813 034e5257 310b3009 06035504 06130244 45311030 0e060355
040a1307 49545452 49505031 15301306 0355040b 130c5650 4e205365 72766963
65733117 30150603 55040313 0e6c3175 2e64796e 646e732e 6f726731 31301206
03550405 130b4a4d 58313533 345a3057 54301b06 092a8648 86f70d01 0902160e
6c31752e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100c0 8f17fa6c 2f227dd9 9d2856e1 b1f8193b 13c61cfe
2d6cbf94 62373535 71db9ac7 5f4ad79f 7594cfef 1360d88d ad3c69c1 6e617071
c6629bfa 3c77c2d2 a59b1ce1 39ae7a44 3f8c852d f51d03c1 d9924f7c 24747bbb
bf79af9a 68365ed8 7f56e58c a37c7036 4db983e0 414d1b5e a8a2226f 7c76f50d
d14ca714 252f7fbb d4a23d02 03010001 300d0609 2a864886 f70d0101 05050003
81810087 8aca9c2b 40c9a326 4951c666 44c311b6 5f3914d5 69fcbe0a 13985b51
336e3c1b ae29c922 c6c1c29d 161fd855 984b6148 c6cbd50f ff3dde66 a71473c4
ea949f87 b4aca243 8151acd8 a4a426d1 7a434fbd 1a14bd90 0abe5736 4cd0f21b
d194b3d6 9ae45fab 2436ccbf d59d6ba9 509580a0 ad8f4131 39e6ccf1 1b7a125d
d50e4e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd update dns both
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag e-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
enable dmz
file-encoding 192.168.178.105 big5
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profil e.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DfltGrpPolicy attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
dhcp-network-scope 192.168.178.0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value ITTRIPP.local
split-dns value ITTRIPP.local
webvpn
anyconnect firewall-rule client-interface public value outside-in
anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value ITTRIPP.local
webvpn
anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 trust-point ASDM_TrustPoint0
ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
service-policy global_policy global
mount FTP type ftp
server 192.168.178.105
path /volume1/data/install/microsoft/Cisco
username lukas
password ********
mode passive
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
Any idea why it's not working?You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the local pool.
By the way, DHCP on the outside interface looks very counter-intutive, as does enabling VPN on all interfaces over every protocol. -
Cisco ASA 5505 site to site Multiple subnet.
Hi. I need some help configuring my cisco asa 5505.
I've set up a VPN tunnel between two ASA 5505
Site 1:
Subnet 192.168.77.0
Site 2:
Have multiple vlans and now the tunnel goes to vlan400 - 192.168.1.0
What I need help with:
From site 1 i need to be able to reach another vlan on site 2. vlan480 - 192.168.20.0
And from site 1 I need to reach 192.168.77.0 subnet from vlan480 - 192.168.20.0
Vlan480 is used for phones. In vlan480 we have a PABX central.
Is this possible to do?
Any help would be greatfully appreciated!
Config site 2:
: Saved
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
interface Vlan1
nameif Vlan1
security-level 100
ip address 192.168.200.100 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 79.x.x.226 255.255.255.224
ospf cost 10
interface Vlan400
nameif vlan400
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan450
nameif Vlan450
security-level 100
ip address 192.168.210.1 255.255.255.0
ospf cost 10
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
ip address 192.168.3.1 255.255.255.0
ospf cost 10
interface Vlan462
nameif Vlan462-Suldalsposten
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
ip address 192.168.202.1 255.255.255.0
ospf cost 10
interface Vlan480
nameif vlan480-Telefoni
security-level 100
ip address 192.168.20.1 255.255.255.0
ospf cost 10
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
ip address 192.168.30.1 255.255.255.0
ospf cost 10
interface Vlan510
nameif Vlan510-IsTak
security-level 100
ip address 192.168.40.1 255.255.255.0
ospf cost 10
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
ip address 192.168.50.1 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
interface Ethernet0/3
switchport access vlan 490
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
description Frim Notes og ut til alle
port-object eq domain
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq pop3
port-object eq pptp
port-object eq smtp
object-group service Lotus_Notes_inn tcp
description From alle og inn til Notes
port-object eq www
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
object-group service Reisebyraa tcp-udp
port-object range 3702 3702
port-object range 5500 5500
port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
description Tilgang til Remote Desktop
port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
description Program tilgang til Sand Servicenter AS
port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
description Frå oss til alle
port-object range 5900 5900
object-group service Printer_Accept tcp-udp
port-object range 9100 9100
port-object eq echo
object-group icmp-type Echo_Ping
icmp-object echo
icmp-object echo-reply
object-group service Print tcp
port-object range 9100 9100
object-group service FTP_NADA tcp
description Suldalsposten NADA tilgang
port-object eq ftp
port-object eq ftp-data
object-group service Telefonsentral tcp
description Hoftun
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq telnet
object-group service Printer_inn_800 tcp
description Fra 800 nettet og inn til 400 port 7777
port-object range 7777 7777
object-group service Suldalsposten tcp
description Sending av mail vha Mac Mail programmet - åpner smtp
port-object eq pop3
port-object eq smtp
object-group service http2 tcp
port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
port-object range 443 443
object-group service DMZ_HTTP tcp-udp
port-object range 8080 8080
object-group service DNS_Query tcp
port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
description For kobling mellom andre nett og duett server
port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:x
: end
Config site 1:
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.77.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Telenor
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 15
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.77.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 79.160.252.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.77.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telenor request dialout pppoe
vpdn group Telenor localname x
vpdn group Telenor ppp authentication chap
vpdn username x password x store-local
dhcpd auto_config outside
dhcpd address 192.168.77.100-192.168.77.130 inside
dhcpd dns 192.168.77.1 interface inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
dhcpd enable inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside
tunnel-group 79.160.252.226 type ipsec-l2l
tunnel-group 79.160.252.226 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:x
: endHi,
The addition of a new network to the existing L2L VPN should be a pretty simple process.
Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.
Looking at your above configurations it would seem that you will need the following configurations
SITE 1
We add the new network to both the crypto ACL and the NAT0 ACL
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
SITE 2
We add the new network to the crypto ACL
We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration
access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list VLAN480-NAT0 remark NAT0 for VPN
access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
These configurations should pretty much do the trick.
Let me know if it worked
- Jouni
Maybe you are looking for
-
I have a power book g4 can i upgrade my current os 10.4.11 to 10.6
I would like to up grade my power book g4 from its current os 10.4.11 to 10.6.8. Is this possible
-
Inserting a pdf file in Acrobat X?
Hi there, I've been using Acrobat 6.0 Standard for a few years and recently went to X Standard. When I try inserting a pdf into one I'm working with, it does not work the first time. When I do the same actions the second time it works as it should.
-
How to remove iCloud on iPad2, iOS 8, No Password, User left Company?
How do I remove iCloud on iPad2, iOS 8? I don't have the password because the user left our company. No password means I can't turn off "Find My iPad". I do have a company AppleID if that is needed.
-
Copy-Pasting images to change icons of files/folders.
I have changed a few folders to images I have found online, rather than the default blue folder, however there is always a background (usually black). Is there some site that has lots of icons with no backgrounds (for example most applications have n
-
Can I make wrapped pictures move relative to text?
I really like the controls Pages gives about how images are treated in the document text (text wrapped around, text above/below, etc.) But, I run into a problem when I add text above the image, and it moves the text that was related to the embedded i