Configure our own Public IP pool on Cisco ASA firewall

Similar Messages

• Own Public IP Pool in another country

  I have two Public ip blocks and public AS purchased from HK service provider at HK.
  I would like to use one of the pool in another country. e.g. Singapore.
  The ISP at Singapore is OK to use my own public IP pool and advertise the block of my choice.
  Question is 
  when i advertise the public ip pool at sing pore via singapore local provider
  how would this ip details appear when someone looks up in the internet e.g.: whois lookup.
  Will it show singapore ISP or HK ISP details
  How do i deal with this ? APNIC ?
  Just wanted to know the possible challenges and proper procedure to correct it

  You have the basics. but I do have a couple comments / questions
  1. What ASA are you running? If you do not have a free interface and plan to create subinterfaces, you will need to remove the configuration of one of the interfaces, then create subinterfaces and then re-apply the configuration you removed to one of the subinterfaces there...So, why not just overwrite the existing external interface?  Also, keep in mind that the ASA does not support two default routes.  (though I have heard some rumours that this might be added to the 9.3 release, but I have not had this confirmed)
  4. You don't really say what you are going to use this new setup for, but if you are using it for internet then adding just a static NAT will not be enough, you will also need a dynamic NAT.
  Please remember to select a correct answer and rate helpful posts

• How to configure QOS on certain IP in the Cisco ASA 5510

  Hi,
  I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
  Can this done on a ASA 5510 series? if yes can you help me how ?
  Regards,
  Venkat

  Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
  Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
  I hope it helps.
  PK

• I Want Buy Cisco ASA Firewall Supporting SIP

  Hello Guys I want to buy cisco ASA Firewall , that support SIP and Session Border Controller  (SBC) So please can any one tell me the most power full that support this protocols ,, Than you guys

  Hi Vijay,
  If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
  HTH,

• Hi, I am getting the following error while booting up cisco asa firewall .

  Hi,
  I'm getting the following error form console when booting up Cisco ASA firewall...
  How do we determine the issue if its hardware or software related?
  ERROR: Type:2; Severity:80; Class:1; Subclass:3; Operation: 3

  Dear Ravi,
  You are getting the message of time out because you must be loading huge volume of data and BW runs for a specific peroid of time and then it gives a dump with message as processing is overdue.what you can do is first you should drop the indexes of the cube and then you should manually load the data-packets.I think you can again load the failed data package.select the failed data package in the monitor screen.then go to edit(on upper left next to monitor).In Edit select Init update then select "settings for further update" now select that process should be run in the background.Now right click on the failed datapacket and select Manual update.
  Hope this works for you.
  With Regards,
  Prafulla

• Problem Packet Flow through Cisco ASA Firewall

  I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
  packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
  show
  Phase: 1
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found flow with id 1374599592, using existing flow
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  if you change the source or destination port, the packet is successfully
  clear conn did not help
  please tell me how to solve the problem?

  Hi,
  I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
  It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
  I don't know however why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasnt dropped.
  - Jouni

• Difficulty of moving from Meraki MX to Cisco ASA firewall / IDS

  Maybe a region thing. I have had excellent support from my Fortigate re-seller here in the UK. I used Cisco TAC once and have vowed to never use them again. It took them a month to sort out a single CME issue that when I showed it to a colleague took 10 mins to figure out the solution and pretty much showed the TAC solution was just about the worst way to go!
  Fortigate also come out ahead of Cisco in the Gartner analysis, so they can't be all bad.
  Horses for courses I guess...

  I'm running a Meraki MX60 and find it underwhelming. It's expensive for what it is, performance isn't great, and I want an SSL VPN.
  Would like to move to Cisco ASA, maybe something like a 5512-X. 
  How difficult is this going to be? I'm technical and know more than nothing about networking, but I'm not a Cisco person. Not afraid to read/learn and use a CLI though.
  This topic first appeared in the Spiceworks Community

• LDAP Authentcation on Cisco ASA 8.2(1)

  Dear Security Experts,
  i am facing an issue while trying to configure LDAP integration on Cisco ASA firewall. The requirement is allow the remote access VPN to specific group defined on AD. When i checked the debug logs " debug ldap 255" , it shows that the authenication is sucessfull with the LDAP server , but the ldap attribute is not getting mapped and because of this reason , the tunnel-group default group policy of "NOACCESS" is getting applied ( vpn simultanous set to zero) that results zero connection.
  I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN is getting connected
  The name of user account is testvendor that belongs to the group of Test-vendor.
  Could you kindly advice me what i am missing in this configuration.Highy appreciated the help on this .
  The configuration and debug output is shown below.
  SHOW RUN
  ldap attribute-map ABC-VENDOR
    map-name  memberOf Group-Policy
    map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  aaa-server ldapvend protocol ldap
  aaa-server ldapvend (INSIDE) host 10.1.141.7
  ldap-base-dn DC=abc,DC=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
  server-type microsoft
  ldap attribute-map ABC-VENDOR
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
  group-policy Allow-Vendor internal
  group-policy Allow-Vendor attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol IPSec
  dns-server value 10.1.141.7
  default-domain value abc.org
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_acl
  tunnel-group ABC-AD-VENDOR type remote-access
  tunnel-group ABC-AD-VENDOR general-attributes
  address-pool vendor_pool
  authentication-server-group ldapvend
  default-group-policy NOACCESS
  tunnel-group ABC-AD-VENDOR ipsec-attributes
  pre-shared-key *
  Note : I tried the below map-value under the ldap attribute ABC-VENDOR as part of troubleshooting
  map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  DEBUG LDAP 255
  [454095] Session Start
  [454095] New request Session, context 0xb1f296b0, reqType = Authentication
  [454095] Fiber started
  [454095] Creating LDAP context with uri=ldap://10.1.141.7:389
  [454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
  [454095] supportedLDAPVersion: value = 3
  [454095] supportedLDAPVersion: value = 2
  [454095] Binding as ldapvpn
  [454095] Performing Simple authentication for ldapvpn to 10.1.141.7
  [454095] LDAP Search:
          Base DN = [DC=abc,DC=local]
          Filter  = [sAMAccountName=testvendor]
          Scope   = [SUBTREE]
  [454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
  [454095] Talking to Active Directory server 10.1.141.7
  [454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
  [454095] Read bad password count 0
  [454095] Binding as testvendor
  [454095] Performing Simple authentication for testvendor to 10.1.141.7
  [454095] Processing LDAP response for user testvendor
  [454095] Message (testvendor):
  [454095] Checking password policy
  [454095] Authentication successful for testvendor to 10.1.141.7
  [454095] Retrieved User Attributes:
  [454095]        objectClass: value = top
  [454095]        objectClass: value = person
  [454095]        objectClass: value = organizationalPerson
  [454095]        objectClass: value = user
  [454095]        cn: value = testvendor
  [454095]        givenName: value = testvendor
  [454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
  [454095]        instanceType: value = 4
  [454095]        whenCreated: value = 20111019133739.0Z
  [454095]        whenChanged: value = 20111030135415.0Z
  [454095]        displayName: value = testvendor
  [454095]        uSNCreated: value = 20258545
  [454095]        uSNChanged: value = 20899179
  [454095]        name: value = testvendor
  [454095]        objectGUID: value = ).u>.v.H.6>..u.Z
  [454095]        userAccountControl: value = 66048
  [454095]        badPwdCount: value = 0
  [454095]        codePage: value = 0
  [454095]        countryCode: value = 0
  [454095]        badPasswordTime: value = 129644550477428806
  [454095]        lastLogoff: value = 0
  [454095]        lastLogon: value = 129644551251183846
  [454095]        pwdLastSet: value = 129635050595360564
  [454095]        primaryGroupID: value = 513
  [454095]        userParameters: value = m:                    d.                       
  [454095]        objectSid: value = ...............n."J.h.0.....
  [454095]        accountExpires: value = 9223372036854775807
  [454095]        logonCount: value = 0
  [454095]        sAMAccountName: value = testvendor
  [454095]        sAMAccountType: value = 805306368
  [454095]        userPrincipalName: value = [email protected]
  [454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095]        msNPAllowDialin: value = TRUE
  [454095]        dSCorePropagationData: value = 20111026081253.0Z
  [454095]        dSCorePropagationData: value = 20111026080938.0Z
  [454095]        dSCorePropagationData: value = 16010101000417.0Z
  [454095]        lastLogonTimestamp: value = 129638228546025674
  [454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
  [454095] Session End

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Cisco ASA - Web Server Publishing

  My requirement is I need to publish 2 Web Servers to internet behind Cisco ASA.
  The users will be using secure https acccess to the Web Server.
  I have only 1 Public IP Address assigned to access both the Web Servers.
  Wanted to know what are the things required in the Cisco ASA firewall.
  1. What type of licenses ?
  2. What type of certificates ?
  3. How can i use a single Public IP to access to both the Web servers. Does the Cisco ASA supports this.
  I dont want any client software on the end users PC.....

  ThanksI do have 2 Public IP address for my 2 servers.That is clear.
  I thought you said you just have 1 Public IP in your first post. Anyways, if you do have 2 Public IPs for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
  Prior 8.3:
  static (inside,outside) public_ip1 web_server1 
  static (inside,outside) public_ip2 web_server2
  8.3 or later:
  object network web_server1_real
  host web_server1
  nat (inside,outside) static public_ip1
  object network web_server2_real
  host web_server2
  nat (inside,outside) static public_ip2
  Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
  About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA infront of Application2, using NAT and using ACLs, this will achieve Access Control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You also can consider IPsec remote access vpn for the App2 server. It all depends on what security flavor do you like.
  Regards,
  AM

• Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

  I am having the hardest time getting a definitive answer to this;  basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate  users and assign them a group policy based on certain AD group memberships.
  The problem I think I have is that due to how our AD forest is structured, I have spaces in the DN string, as shown below...  I have tried enclosing the entire string in quotes, etc.  - nothing seems to work.  Basically, the string is not matched, and the users are assigned a non-matching default policy.  Cisco TAC thinks it is due to the spaces (highlighted) but I am not sure sure.
  Can some one please advise?
  CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

  We can troubleshoot this issue. Please provide me the following outputs:
  show run aaa-server
  show run ldap
  Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Cisco ASA 5505 Site to Site VPN Problem

  Hi All,
  We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
  We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
  When I dial into the modem which is connected to the firewall I see the following messages in the logs:
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
  I have checked both firewalls for any mis-matched parameters and do not see any.
  Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
  Thanks!

  Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
  hostname
  domain-name
  enable passwordpasswd names
  interface Vlan701
  nameif inside
  security-level 100
  ip address 10.65.0.69 255.255.255.252
  interface Vlan999
  nameif outside
  security-level 0
  ip address ******  255.255.255.248
  interface Ethernet0/0
  description Link to Internet
  switchport access vlan 999
  interface Ethernet0/1
  description
  switchport access vlan 701
  interface range Ethernet0/2 - 0/7
  switchport access vlan 2
  shutdown
  ftp mode passive
  dns server-group DefaultDNS
  domain-name******
  access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
  pager lines 24
  logging enable
  logging timestamp
  logging buffered warnings
  logging trap warnings
  logging asdm informational
  logging host outside *****
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list nonat
  route inside ******
  route outside 0.0.0.0 0.0.0.0 ********
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  snmp-server location **:
  snmp-server contact **
  snmp-server community shortkey
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  snmp-server enable traps syslog
  crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
  crypto map CASGMAP 50 match address 101
  crypto map CASGMAP 50 set pfs group1
  crypto map CASGMAP 50 set peer ********
  crypto map CASGMAP 50 set transform-set 3desmd5
  crypto map CASGMAP 50 set security-association lifetime seconds 3600
  crypto map CASGMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet **** inside
  telnet timeout 5
  ssh **** inside
  ssh **** outside
  ssh timeout 5
  console timeout 30
  management-access inside
  dhcpd ping_timeout 750
  priority-queue outside
  ntp server **
  username ***
  tunnel-group ******** type ipsec-l2l
  tunnel-group ******** ipsec-attributes
  pre-shared-key ***
  class-map VoIP
  match dscp ef
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map General-purpose
  class VoIP
  priority
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
  service-policy General-purpose interface outside
  prompt hostname context

• Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                     Dear Experts,
  Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

  Hi,
  Check out this document for the information
  http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
  Its lists the following for software level 9.0(1)
  Multiple   Context Mode Features
  Dynamic routing in Security   Contexts
  EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
  Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
  I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
  Hope this helps
  - Jouni

• Cisco ASA 5510 Specs

  In Cisco ASA Firewall 5510 does the feature content filter come built in?
  Posted by WebUser Allyson Buscemi from Cisco Support Community App

  Here is a number of Cisco Press book for ASA:
  http://www.ciscopress.com/search/index.asp?query=ASA
  Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition
  Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition

• Creating our own Thread Pool

  We have an application running on WLS6.1 with WLI2.1. We're using WLI2.1 to define
  workflows; we interface to the workflow definitions with custom EJB/JSP code.
  Without getting too detailed, we would like to spawn a thread when a user submits
  some of our forms. From the point of submittal onwards, there is nothing in the
  execution of the workflow that requires user intervention.
  We initially tackled this problem with the use of internal JMS messages in the
  workflow. However, the way our workflow is structured we would really like to
  manually spawn threads instead of embedding JMS messages in the flow. (For instance,
  we may want to obtain multiple workflow instances and execute them all at once
  with the same action).
  Is there any downside to us developing our own ThreadPool? Is there a pre-canned
  Thread Pool service that is available as part of the WLS package?
  I've already got a ThreadPool implementation working and it seems to be doing
  the right thing. There's just some concern in our company that we should be using
  a WLS service instead of rolling our own.
  Details of our threadpool:
  - it's a long-lived Singleton that is instantated at application startup.
  - A predefined number of Worker threads are created, and they can be set with
  a Runnable object to execute.
  - I have synchronized LinkedList containers for idleThreads, busyThreads, and
  tasksToRun (Runnables that have not yet been assigned to a thread).
  Thanks!
  Ron

  Hi,
  You have to configure these things.
  Goto System Admin>System Configuration>Universal Worklist & Workflow-->WorkFlow, it shows subareas like
  Engine
  Mail
  Scheduler
  User Interface
  Workflow Notification Settings
  To follow this link
  http://help.sap.com/saphelp_nw04/helpdata/en/57/5b781705184211a4ba344387a992e5/frameset.htm
  Regards,
  Senthil K.

• How to Configure Cisco ASA 5512 for multiple public IP interfaces

  Hi
  I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
  Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
  I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
  Outside Networks (I've changed the IPs for security purposes)
  Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
  Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
  Inside1 : E 0/1 192.168.255.1 255.255.248.0
  Inside2 : E 0/3 172.16.255.1 255.255.248.0
  My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
  I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
  I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
  Thanks in advance for the suggestions/help

  I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
  I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
  To the original poster
  It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
  HTH
  Rick