Configuring port-object in ASA

Hi Everyone,
I need to configure port-object eq 17800 etc. in ASA.
I tried the command object-group service xyz
but there is no option for port-object eq ?
Regards
Mahesh

Hi,
I think you have probably configured the "object-group service " without defining the protocol used
For example
ASA(config)# object-group service TEST
ASA(config-service-object-group)# ?
  description          Specify description text
  group-object        Configure an object group as an object
  help                    Help for service object-group configuration commands
  no                       Remove an object or description from object-group
  service-object       Configure a service object
ASA(config-service-object-group)#
However if we specify the "object-group service " with either "tcp" or "udp" or "tcp-udp" at the end then you will have the option of "port-object" command
ASA(config)# object-group service TEST tcp-udp
ASA(config-service-object-group)# ?
  description    Specify description text
  group-object  Configure an object group as an object
  help              Help for service object-group configuration commands
  no                 Remove an object or description from object-group
  port-object     Configure a port object
ASA(config-service-object-group)#
Though even if you used the original "object-group service " configuration you could still define it as an "object-group" which for example contains the allowed destination ports in some ACL.
For example the following would group TCP/17800 and UDP/17800 in one "object-group" and use them in an ACL
object-group service TEST
 service-object tcp destination eq 17800
 service-object udp destination eq 17800
access-list TEST extended permit object-group TEST any any
When we look at what the actual ACL looks like, we see the following
ASA(config)# show access-list TEST
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit object-group TEST any any (hitcnt=0) 0x0abc0954
  access-list TEST line 1 extended permit tcp any any eq 17800 (hitcnt=0) 0x25ac5419
  access-list TEST line 1 extended permit udp any any eq 17800 (hitcnt=0) 0xc6e32e33
Hope this helps
- Jouni
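
The two object-group forms from the answer above, as an added Python example that is not part of the original thread: it parses the service groups, rejects port-object in an untyped group (the situation in the question), and expands ACL lines the way show access-list does. The group TEST-PORTS, the ACL TEST2, the address 192.0.2.10 and the function names are assumptions made for the illustration; source-port matching is not handled.

```python
import re

# Constructed sample config covering both forms discussed in the thread.
SAMPLE_CONFIG = """\
object-group service TEST
 service-object tcp destination eq 17800
 service-object udp destination eq 17800
object-group service TEST-PORTS tcp
 port-object eq 17800
 port-object range 17801 17810
access-list TEST extended permit object-group TEST any any
access-list TEST2 extended permit tcp any host 192.0.2.10 object-group TEST-PORTS
"""

GROUP_RE = re.compile(r"object-group service (\S+)(?: (tcp-udp|tcp|udp))?$")
SERVICE_OBJ_RE = re.compile(r"service-object (tcp|udp) destination ((?:eq|range) .+)$")
PORT_OBJ_RE = re.compile(r"port-object ((?:eq|range) .+)$")


def parse_service_groups(config):
    """Return {name: {"typed": proto or None, "entries": [(proto or None, port_spec)]}}."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            cur = groups.setdefault(m.group(1), {"typed": m.group(2), "entries": []})
            continue
        if cur is None:
            continue
        so, po = SERVICE_OBJ_RE.match(line), PORT_OBJ_RE.match(line)
        if so:
            # service-object carries its own protocol, so the group must be untyped.
            if cur["typed"]:
                raise ValueError("service-object is not offered in a tcp/udp/tcp-udp group")
            cur["entries"].append((so.group(1), so.group(2)))
        elif po:
            # port-object has no protocol of its own: the group header must supply one.
            if not cur["typed"]:
                raise ValueError("port-object needs 'object-group service NAME tcp|udp|tcp-udp'")
            cur["entries"].append((None, po.group(1)))
        elif not line.startswith("description"):
            cur = None  # any other command ends the group sub-mode
    return groups


def _take_address(tokens):
    """Pop one address spec (any | host X | object-group X | ip mask) from tokens."""
    if not tokens:
        raise ValueError("access-list line ends before the address")
    n = 1 if tokens[0] in ("any", "any4", "any6") else 2
    spec = " ".join(tokens[:n])
    del tokens[:n]
    return spec


def expand_acl(config):
    """Flatten extended ACL lines that reference service object-groups."""
    groups = parse_service_groups(config)
    out = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue
        head, rest = t[:4], t[4:]  # access-list NAME extended permit|deny
        if rest[0] == "object-group":
            # Untyped service group in the protocol position.
            group = groups.get(rest[1])
            if group is None or group["typed"]:
                out.append(" ".join(t))  # not a group this example can expand
                continue
            rest = rest[2:]
            src, dst = _take_address(rest), _take_address(rest)
            for proto, port in group["entries"]:
                out.append(" ".join(head + [proto, src, dst, port]))
        else:
            proto = rest.pop(0)
            src, dst = _take_address(rest), _take_address(rest)
            group = groups.get(rest[1]) if rest[:1] == ["object-group"] and len(rest) > 1 else None
            if group and group["typed"]:
                # Typed port group in the destination-port position.
                for _, port in group["entries"]:
                    out.append(" ".join(head + [proto, src, dst, port]))
            else:
                out.append(" ".join(head + [proto, src, dst] + rest))
    return out


if __name__ == "__main__":
    for ace in expand_acl(SAMPLE_CONFIG):
        print(ace)
```

The expanded lines are what actually gets matched against traffic, so reviewing them shows how broad an "any any" rule built on a group really is.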

Similar Messages

  • Problems with SMTP port forwarding on ASA 5505

    Cannot telnet to port 25 to test for SMTP traffic.  Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule.  Can anyone help?  Here is my configuration:
    ASA Version 8.2(5)
    hostname XXXXXXXXXXXXXXXXX
    enable pXXXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any any eq smtp
    access-list INBOUND extended permit tcp any any eq https
    access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

    Thanks.  I made the suggested changes, here are the results of packet-tracer:
    ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    NAT divert to egress interface inside
    Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INBOUND in interface outside
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: INSPECT
    Subtype: inspect-smtp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect esmtp _default_esmtp_map
    service-policy global_policy global
    Additional Information:
    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 24392, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic.  However, I still cannot telnet to the public IP using port 25.  I am using Putty as my telnet client and it doesn't generate an error.  At no time am I able to interact with the prompt in the putty window. The putty window just closes abruptly after about 10 seconds.  Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
    Here is the new config:
    NUGENT-ASA# show run
    : Saved
    ASA Version 8.2(5)
    hostname NUGENT-ASA
    enable password XXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 4.2.2.2
    dhcpd address 192.168.1.100-192.168.1.131 inside
    dhcpd dns 8.8.8.8 4.2.2.2 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

  • HP Officejet Pro 8600 no possibility to configure Port

    My OS is Win 8.1 (last release), last Printer Driver version, last Printer Install Wizard used.
    My first printer, an "HP Officejet Pro 8600", broke down due to a screen issue. I exchanged it for the same model and uninstalled and reinstalled everything with the wizard; now I have some trouble getting the printer recognised.
    - Sometimes there is no communication.
    - Sometimes the print comes after a printer communication error.
    If I go to "Properties/Port/Configure Port" I receive an error message:
    >> An error occured during port configuration.
    >> The filename, directory name, or volume label syntax is incorrect.
    It could be that an old key remains in the registry (with the old printer link).
    I uninstalled and reinstalled with the full wizard without success.
    Now the scan function doesn't run and printing starts after a delay.
    Major remark:
    I have no problem with MAC, OS 9.x to 10.10.1
    Many thanks in advance for your support

    Ok,
    Let's verify the following:
    Right click on Computer, then click on Properties and locate the Computer name.
    Ensure it is written in English characters and without any special characters. Modify it if required.
    From the Control Panel go to Programs and Features, uninstall the HP Officejet 8600 Basic Driver and Software.
    Click both the Windows Logo and the R keys of your keyboard to launch the Run dialog.
    Type %temp% and click on OK.
    Locate and open the HP installation folder, it will start with the 7z characters.
    Open the utils folder.
    Open the x64 folder for a 64-bit operating system or the x86 folder for a 32-bit OS. If you aren't sure, simply try both of the folders; if it is not intended for your OS an error will appear.
    Launch the RemovePreinstalledDrivers.exe file and allow it to complete.
    Once you are done, go back to the 7z folder and launch Setup.exe to reinstall the HP software.
    Reboot your PC once you are done and check again.
    Shlomi
    Say thanks by clicking the Kudos thumb up in the post.
    If my post resolves your problem please mark it as an Accepted Solution

  • Problem in Configuring the Object Editor User Interface

    Hi,
         I'm using NetWeaver 7.0.11 and facing a problem in configuring the Object Editor User Interface. In the Configuration Browser, when I click on Object Editor, choose New Configuration and try to select a service, it shows the following error:
    com.sap.caf.rt.exception.CAFBaseRuntimeException: Service manager initialization failed Illegal argument exception: Unable to create javax.ejb.EJBObject.
         at com.sap.caf.rt.ui.cool.generic.ServiceFacade.init(ServiceFacade.java:121)
         at com.sap.caf.rt.ui.cool.generic.ServiceFacade.<init>(ServiceFacade.java:50)
         at com.sap.caf.rt.ui.cool.generic.ServiceFacadeFactory.getFacadeInstance(ServiceFacadeFactory.java:51)
         at com.sap.caf.ui.utils.cool.CoolUtils.getServiceFacade(CoolUtils.java:123)
         at com.sap.caf.ui.ptn.objecteditor.ObjectEditorCC.getServiceFacade(ObjectEditorCC.java:505)
         at com.sap.caf.ui.ptn.objecteditor.wdp.InternalObjectEditorCC.getServiceFacade(InternalObjectEditorCC.java:245)
         at com.sap.caf.ui.ptn.objecteditor.config.OEconfiguratorLayout.onActionSelectModule(OEconfiguratorLayout.java:322)
         at com.sap.caf.ui.ptn.objecteditor.config.wdp.InternalOEconfiguratorLayout.wdInvokeEventHandler(InternalOEconfiguratorLayout.java:300)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
         at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:299)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:759)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:712)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:261)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:160)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Can anybody please tell,what can be the problem?
    regards
    Sumit

    Hello Sumit
    This is most probably the result of metadata corruption on runtime.
    A possible workaround for this situation is:
    Undeploy all the metadata DCs of all the CAF applications you have
    deployed (these are the components which names end on "/metadata", excl.
    caf/core/metadata and caf/tc/metadata (which are part of CAF itself)).
    And then deploy the CAF applications again.
    Regards,
    Désiré

  • Add user validation in create user form during Configure User Object Classe

    Hi friends,
    I would like to add user validation code (JavaScript or PL/SQL) into the create user form during Configure User Object Classes.
    Is there any way to pick up user information and role assignment for validation on the Portal side?
    Or a pre-event in OID provisioning before loading LDAP?
    We would like to do a role assignment validation, but Portal does not have this function.
    TOM, any suggestion?
    Thanks!!

    After some study: the portal form LOVGroupSearch takes a role search and displays user names for the selected role.
    Who knows where we can find the system object LOVGroupSearch in Portal or OID?
    The source (src) is /oiddas/ui/oracle/ldap/das/search/LOVGroupSearch?title=Role%3Fredirect=/oiddas/ui/oracle/ldap/das/search/LOVGroupSearch%3Ftitle=Role
    When we search for a role and add it, the selected role appears in the form Search and Select:.
    When the role name is clicked in the Search and Select form, the system displays Group Members and group owner.
    Who can find the code behind this form or similar PL/SQL code?
    Thanks!!

  • "Access denied. Login again" when creating New Configuration in Object Edit

    Hi all,
    I am trying to complete My First Composite Application (http://help.sap.com/saphelp_nw70/helpdata/en/43/8d77556536267fe10000000a1553f7/content.htm) but got stuck at the step Configuring the Object Editor User Interface (http://help.sap.com/saphelp_nw70/helpdata/en/43/95c95b9fc32293e10000000a1553f6/content.htm). When I try to create a new configuration, I get the error message "Access denied. Login again", but I have no idea where to change to overcome this.
    Please advise me, if you have any idea.
    Thanks,
    Masa

    It was due to missing user role.

  • How to get Configuration (internal object number) during MM01

    Hello Masters,
    Does anyone know how to get the value of Configuration (internal object number) during MM01 so I can use the function VC_I_GET_CONFIGURATION to get the configurable variant values? I tried to check the MM01 exit EXIT_SAPLCUKO_001 include ZXCUCU02 and it's there, but I need to know how to get it so I can use it, because in other exits it's not included in the local variable.
    Thanks,
    Alfred

    Please share the answer with us. You can copy and paste that answer, so that someone who is having the same issue gets the solution.
    Thank you

  • Configure port channel between IO Module and FI

    Hi,
    I have the current setup
    UCS chassis (4 uplinks) --> FI --> (Port channel) --> N5K --> (port channel) --> VSS 6500
    I configured a port channel between the IO Module and the FI by changing the policy to "Port Channel" and setting the link to 4.
    The FI has created a port channel under "Internal" containing all the FI interfaces that are connected to the IO module.
    I have installed ESXi on a blade but I was unable to reach it; even the ESX was unable to ping the gateway.
    VLAN tagging is enabled from the ESX server.
    I have issued the command "show mac address-table | inc <mac address of the vnic assigned from the service profile>" on both the N5K and the 6500 and the MAC is there.
    I have allowed all the VLANs on the vNIC from the service profile.
    Am I missing anything?
    thanks

    Hello,
    Can you please check whether your ESXi vmkernel interface IP address is learned on the right VLAN on the FI / upstream switch or not.
    connect nxos
    show mac-address-table | inc 
    Padma

  • Configuring port mirroring on the MA561x to capture voice packets?

    How to configure port mirroring on the MA561x to capture voice packets? Now I use the MA5616. Any help would be appreciated!

    I use the MA5616, too, and I bought it from www.huanetwork.com, nice price. For the configuration of this problem, please visit: http://momopp.blogdetik.com/

  • How to configure firewall access for ASA 5510

    Hi,
    This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
    I want to do this using ASDM, How do I accomplish this?
    Thanks,
    Jojo

    Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
    1. Log into your ASA using ASDM.. on the top tabs look for "Configuration"
    2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall".  Make sure you’re in the "Firewall" menu and at the top you should be viewing "Access Rules".  You should see a list of access rules applied to your ASA.
    3. At the top you should see a green "+Add" to add a new access rule to your ASA.  Once clicked you should identify…
       a. Interface -  INSIDE or OUTSIDE
       b. Action - PERMIT or DENY
       c. Source - Subnet that needs to talk to destination address
       d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254 use /32 mask for specific ip address and not a range
       e. Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
    4. You can then enter a description of the specific access rule and enable logging.
    This should be it... let me know how this works out for you!! 

  • How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

    I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
    What do I need to configure on the Actiontec to make this work?
    Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.
    Thanks for any help.
    Steve

    http://www.dslreports.com/faq/verizonfios/3.0_Networking
    Those are the best sample configs and resources on how to set up the FiOS network.
    Bridging is possible but difficult.  That link will give you great info on it.
    Are you a FiOS customer that has phone/internet/TV, or no TV, or no phone? You have to be careful with your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.
    Sorry the port forwarding wasn't enough to resolve your issue. I am not sure that it's an Actiontec config you are looking for; from my understanding of Ciscos and FiOS it may be something behind the Cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required, and then you can come back and configure those ports too.

  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
    Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
    and
    Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
    If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT
    ! "interface" (the ASA's outside interface IP) is an assumed mapped address; use the public IP instead if it differs
    object network Obj_5004
     host 192.168.1.40
    object network Obj_5004
     nat (inside,outside) static interface service tcp 5003 5004
    object network Obj_5003
     host 192.168.1.38
    object network Obj_5003
     nat (inside,outside) static interface service tcp 5003 5003
    Of course you will need to open your outside interface for TCP ports 5003 and 5004 to make this happen

  • NAT configuration on PIX to ASA

    Hi,
    I have the below configuration on my PIX 8.0 which I want to convert into ASA 9.1:
    nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
    access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
    access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
    access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
    And, there is no "NAT (global) 0 " command in PIX for this configuration.
    How can I use this in ASA..?
    Regards,
    Ninad

    Hi,
    The configuration is going to be bigger at least. I did like the NAT0 more in the old software when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
    There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that wouldn't be expected to use the firewall to communicate? Though I will assume those configurations are needed.
    You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
    object network HOST-10.2.1.175
     host 10.2.1.175
    object network HOST-10.10.49.30
     host 10.10.49.30
    object network HOST-1.1.1.58
     host 1.1.1.58
    object network HOST-1.1.1.57
     host 1.1.1.57
    object network HOST-172.29.83.2
     host 172.29.83.2
    object network HOST-172.29.83.1
     host 172.29.83.1
    object network HOST-202.138.123.75
     host 202.138.123.75
    object network HOST-10.10.11.20
     host 10.10.11.20
    object network HOST-10.14.1.11
     host 10.14.1.11
    object network HOST-10.10.50.150
     host 10.10.50.150
    nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
    nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
    nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
    nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
    nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
    Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASA's routing table. I personally tend to define that interface but can't do that in this case as I can't see your routing configuration or routing table.
    If you want to read up some on the new NAT configuration format you can check a document that I wrote in 2013.
    Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
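
The conversion described in the reply above, as an added Python example (not code from the thread or from Cisco): it turns the ACEs of a PIX `nat 0 access-list` into ASA 8.3+ network objects and identity twice-NAT rules in the same shape as the reply's configuration. The `NET-` object naming and the handling of subnet ACEs are assumptions that go beyond the host-only ACL in the thread; ACEs it cannot translate are returned for manual review.

```python
import ipaddress
import re

# One address term in a PIX ACE: "host A.B.C.D" or "A.B.C.D MASK".
TERM = r"(host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+" + TERM + r"\s+" + TERM + r"$")

# The first two ACEs are from the thread; the last two are constructed edge cases.
SAMPLE = """\
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
access-list Cust-DMZ_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip any host 10.10.49.30
"""


def term_to_object(term):
    """Return (object_name, definition_line) for one ACE address term."""
    parts = term.split()
    if parts[0] == "host":
        addr = ipaddress.IPv4Address(parts[1])  # raises ValueError if malformed
        return f"HOST-{addr}", f" host {addr}"
    net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")  # strict: rejects host bits
    return f"NET-{net.network_address}_{net.prefixlen}", f" subnet {net.network_address} {net.netmask}"


def convert_nat0(config, acl_name, real_ifc, mapped_ifc="any"):
    """Translate a NAT0 ACL into objects plus identity twice-NAT rules."""
    objects, rules, skipped = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        m = ACE.match(line)
        if not m:
            skipped.append(line)  # "any", object-groups, deny: review by hand
            continue
        names = []
        for term in m.groups():
            name, definition = term_to_object(term)
            objects.setdefault(name, definition)  # define each object once
            names.append(name)
        src, dst = names
        rules.append(f"nat ({real_ifc},{mapped_ifc}) source static {src} {src} "
                     f"destination static {dst} {dst}")
    lines = []
    for name, definition in objects.items():
        lines += [f"object network {name}", definition]
    return lines + rules, skipped
```

Calling `convert_nat0(SAMPLE, "Cust-DMZ_nat0_outbound", "Cust-DMZ")` returns the generated configuration lines and the list of ACEs that were skipped.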

  • How to configure business objects web services

    Hi, can anyone tell me where I can find these web services in CMC, and how I need to configure these web services in order to talk externally with the Java program?
    My scenario is: the Java program will kick off to send the parameters to the web services in Business Objects. The web services need to take those parameters from Java and create a file and drop it locally or anywhere.

    Hi
      Which version are you on?
    If it is XI 3.x, then dswsbobje is the web application which is deployed on the default Tomcat. You can get the details of all available web services at: http://BOEHOSTNAME:PORT/dswsbobje/services/listServices
    Regards
    Ashwini

  • Need Help on Port Blocking in ASA

    Dear All,
    I have configured the firewall to allow only port 443 and deny all TCP ports for the destination, but when I scan from a port scanner it shows several TCP ports are enabled. I need your suggestions and help on how to block these TCP ports.
    Early response is required..
    Thanks

    Hi,
    Still don't know the ports that were supposedly open.
    Though if that is the ACL you have bound to the "outside" interface on the ASA then it should be blocking the connections through the ASA for everything else other than the TCP/443 for a single destination IP address.
    Then there are naturally the ASA's own services and the ports on which it's listening.
    You can check that with the following command
    show asp table socket
    Most likely the ports that are open on the ASA are the ones used for management purposes, perhaps
    those set with the following commands
    telnet
    ssh
    http
    You also have the option to create an ACL that blocks all traffic to the ASA "outside" interface IP address. You can then attach it with the "access-group" command
    ! ACL-NAME is a placeholder for the name of the ACL you created
    access-group ACL-NAME in interface outside control-plane
    This would limit the "To the Box" traffic. Though the above mentioned management commands "telnet", "ssh" and "http" would still override this ACL.
    - Jouni
