Configuring port-object in ASA
Hi Everyone,
I need to configure port-object eq 17800 etc. in the ASA.
I tried the command object-group service xyz,
but there is no option for port-object eq ?
Regards
Mahesh
Hi,
I think you have probably configured the "object-group service" without defining the protocol used.
For example
ASA(config)# object-group service TEST
ASA(config-service-object-group)# ?
description Specify description text
group-object Configure an object group as an object
help Help for service object-group configuration commands
no Remove an object or description from object-group
service-object Configure a service object
ASA(config-service-object-group)#
However, if we specify the "object-group service" with either "tcp", "udp" or "tcp-udp" at the end, then you will have the "port-object" command available:
ASA(config)# object-group service TEST tcp-udp
ASA(config-service-object-group)# ?
description Specify description text
group-object Configure an object group as an object
help Help for service object-group configuration commands
no Remove an object or description from object-group
port-object Configure a port object
ASA(config-service-object-group)#
Though even if you used the original "object-group service" configuration, you could still define it as an "object-group" which, for example, contains the allowed destination ports in some ACL.
For example, the following would group TCP/17800 and UDP/17800 in one "object-group" and use them in an ACL:
object-group service TEST
service-object tcp destination eq 17800
service-object udp destination eq 17800
access-list TEST extended permit object-group TEST any any
When we look at how the actual ACL looks, we see the following:
ASA(config)# show access-list TEST
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit object-group TEST any any (hitcnt=0) 0x0abc0954
access-list TEST line 1 extended permit tcp any any eq 17800 (hitcnt=0) 0x25ac5419
access-list TEST line 1 extended permit udp any any eq 17800 (hitcnt=0) 0xc6e32e33
Hope this helps
- Jouni
Similar Messages
-
Problems with SMTP port forwarding on ASA 5505
Cannot telnet to port 25 to test for SMTP traffic. Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule. Can anyone help? Here is my configuration:
ASA Version 8.2(5)
hostname XXXXXXXXXXXXXXXXX
enable pXXXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any eq smtp
access-list INBOUND extended permit tcp any any eq https
access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
Thanks. I made the suggested changes, here are the results of packet-tracer:
ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface outside
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 24392, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
I'm not all that experienced with translating these results, but on the surface it appears to be passing traffic. However, I still cannot telnet to the public IP using port 25. I am using PuTTY as my telnet client and it doesn't generate an error. At no time am I able to interact with the prompt in the PuTTY window. The PuTTY window just closes abruptly after about 10 seconds. Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
Here is the new config:
NUGENT-ASA# show run
: Saved
ASA Version 8.2(5)
hostname NUGENT-ASA
enable password XXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
: end -
HP Officejet Pro 8600 no possibility to configure Port
My OS is Win 8.1 (last release), last Printer Driver version, last Printer Install Wizard used.
My first printer "HP Officejet Pro 8600" was falling down with a screen issue. I did an exchange with the same model; I uninstalled and reinstalled the full package with the wizard, and now I have some trouble getting the printer recognised.
- Sometimes, no communication
- Sometimes, the print comes after a printer communication error.
If I go to "Properties/Port/Configure Port" I receive an error message:
>> An error occurred during port configuration.
>> The filename, directory name, or volume label syntax is incorrect.
Could an old key remain in the Registry (with the old printer link)?
I uninstalled and reinstalled the full wizard without success.
Now the Scan function doesn't run and printing runs after a delay.
Major remark:
I have no problem with Mac, OS 9.x to 10.10.1
Many thanks in advance for your support
Ok,
Let's verify the following:
Right click on Computer, then click on Properties and locate the Computer name.
Ensure it is written in English characters and without any special characters; modify it if required.
From the Control Panel go to Programs and Features, uninstall the HP Officejet 8600 Basic Driver and Software.
Click both the Windows Logo and the R keys of your keyboard to launch the Run dialog.
Type %temp% and click on OK.
Locate and open the HP installation folder, it will start with the 7z characters.
Open the utils folder.
Open the x64 folder for a 64-bit operating system or the x86 folder for a 32-bit OS. If you aren't sure, simply try both folders; if one is not intended for your OS an error will appear.
Launch the RemovePreinstalledDrivers.exe file and allow it to complete.
Once you are done, go back to the 7z folder and launch Setup.exe to reinstall the HP software.
Reboot your PC once you are done and check again.
Shlomi
-
Problem in Configuring the Object Editor User Interface
Hi,
I'm using NetWeaver 7.0.11 and facing a problem in configuring the Object Editor User Interface. In the Configuration Browser, when I click on Object Editor, choose New Configuration and try to select a service, it shows the following error:
com.sap.caf.rt.exception.CAFBaseRuntimeException: Service manager initialization failed Illegal argument exception: Unable to create javax.ejb.EJBObject.
at com.sap.caf.rt.ui.cool.generic.ServiceFacade.init(ServiceFacade.java:121)
at com.sap.caf.rt.ui.cool.generic.ServiceFacade.<init>(ServiceFacade.java:50)
at com.sap.caf.rt.ui.cool.generic.ServiceFacadeFactory.getFacadeInstance(ServiceFacadeFactory.java:51)
at com.sap.caf.ui.utils.cool.CoolUtils.getServiceFacade(CoolUtils.java:123)
at com.sap.caf.ui.ptn.objecteditor.ObjectEditorCC.getServiceFacade(ObjectEditorCC.java:505)
at com.sap.caf.ui.ptn.objecteditor.wdp.InternalObjectEditorCC.getServiceFacade(InternalObjectEditorCC.java:245)
at com.sap.caf.ui.ptn.objecteditor.config.OEconfiguratorLayout.onActionSelectModule(OEconfiguratorLayout.java:322)
at com.sap.caf.ui.ptn.objecteditor.config.wdp.InternalOEconfiguratorLayout.wdInvokeEventHandler(InternalOEconfiguratorLayout.java:300)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:299)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:759)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:712)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:261)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:160)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Can anybody please tell what the problem can be?
regards
Sumit
Hello Sumit
This is most probably the result of metadata corruption on runtime.
A possible workaround for this situation is:
Undeploy all the metadata DCs of all the CAF applications you have deployed (these are the components whose names end in "/metadata", excluding caf/core/metadata and caf/tc/metadata, which are part of CAF itself). Then deploy the CAF applications again.
Regards,
Désiré -
Add user validation in create user form during Configure User Object Classe
Hi friends,
I would like to add user validation code (JavaScript or PL/SQL) to the create user form during Configure User Object Classes.
Is there any way to pick up user information and role assignment for validation on the Portal side,
or a pre-event in OID provisioning before loading LDAP?
We would like to do a role assignment validation, but the portal does not have this function.
TOM, Any suggestion?
Thanks!!
After study, the portal form LOVGroupSearch takes a role search and displays the user name for selecting a role.
Who knows where we can find the system object LOVGroupSearch in the portal or OID?
The source SCR is /oiddas/ui/oracle/ldap/das/search/LOVGroupSearch?title=Role%3Fredirect=/oiddas/ui/oracle/ldap/das/search/LOVGroupSearch%3Ftitle=Role
When we search a role and add it, the selected role appears in the Search and Select form.
When clicking a role name in the Search and Select form, the system will display Group Members and group owner.
Who can find the code behind this form or similar PL/SQL code?
Thanks!! -
"Access denied. Login again" when creating New Configuration in Object Edit
Hi all,
I am trying to complete My First Composite Application (http://help.sap.com/saphelp_nw70/helpdata/en/43/8d77556536267fe10000000a1553f7/content.htm) but got stuck at the step Configuring the Object Editor User Interface (http://help.sap.com/saphelp_nw70/helpdata/en/43/95c95b9fc32293e10000000a1553f6/content.htm). When I try to create a new configuration, I get the error message "Access denied. Login again", but I have no idea what to change to overcome this.
Please advise me, if you have any idea.
Thanks,
Masa
It was due to a missing user role.
-
How to get Configuration (internal object number) during MM01
Hello Masters,
Does anyone know how to get the value of Configuration (internal object number) during MM01, so I can use the function VC_I_GET_CONFIGURATION to get the configurable variant values? I tried to check the MM01 exit EXIT_SAPLCUKO_001 include ZXCUCU02 and it's there, but I need to know how to get it so I can use it, because in other exits it's not included in the local variables.
Thanks,
Alfred
Please share the answer with us. You can copy and paste that answer, so that someone who is having the same issue gets the solution.
Thank you -
Configure port channel between IO Module and FI
Hi,
I have the current setup
UCS chassis (4 uplinks) --> FI --> (Port channel) --> N5K --> (port channel) --> VSS 6500
I configured the port channel between the IO Module and the FI by changing the policy to "Port Channel" and setting the links to 4.
The FI has created a port channel under "Internal" containing all the FI interfaces that are connected to the IO module.
I have installed ESXi on a blade but I was unable to reach it; even the ESX host was unable to ping the gateway.
VLAN tagging is enabled from the ESX server.
I have issued the command "show mac address-table | inc <mac address of the vnic assigned from the service profile>" on both the N5K and the 6500 and the MAC is there.
I have allowed all the VLANs on the vNIC from the service profile.
Am I missing anything?
thanks
Hello,
Can you please check whether your ESXi vmkernel interface IP address is learned on the right VLAN on the FI / upstream switch or not.
connect nxos
show mac-address-table | inc
Padma -
Configuring port mirroring on the MA561x to capture voice packets?
How to configure port mirroring on the MA561x to capture voice packets? Now I use the MA5616. Any help would be appreciated!
I use the MA5616 too, and I bought it from www.huanetwork.com, nice price. For the configuration of this problem, please visit: http://momopp.blogdetik.com/ -
How to configure firewall access for ASA 5510
Hi,
This is my first time using the Cisco ASA 5500 family. I have a request from a user to create an access rule to allow all LAN traffic to destination IP addresses 165.241.29.17 and 165.241.31.254 with destination TCP ports 5060, 5061, 5070 and UDP ports 50000-52399.
I want to do this using ASDM. How do I accomplish this?
Thanks,
Jojo
Hey Jojo, I use the ASDM to manage my ASA... so the below should get you a general access rule to allow what you need.
1. Log into your ASA using ASDM. On the top tabs look for "Configuration".
2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify:
   a. Interface - INSIDE or OUTSIDE
   b. Action - PERMIT or DENY
   c. Source - the subnet that needs to talk to the destination address
   d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
   e. Service - again use the [...] box to create TCP and UDP Service Groups for the specific ports
4. You can then enter a description of the specific access rule and enable logging.
This should be it... let me know how this works out for you!! -
How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR. I'm able to Ping the Actiontec external IP. I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
What do I need to configure on the Actiontec to make this work?
Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface. At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA. However, at home, I cannot go to the Internet while using the VPN client.
Thanks for any help.
Steve
http://www.dslreports.com/faq/verizonfios/3.0_Networking
Those are the best sample configs and resources on how to set up the FiOS network.
Bridging is possible but difficult. That link will give you great info on it.
Are you a FiOS customer that has phone/internet/tv, or no tv? or no phone? You have to be careful with your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, the VOD or the Widgets.
Sorry the port forwarding wasn't enough to resolve your issue. I am not sure that it's an Actiontec config you are looking for; from my understanding of Cisco and FiOS it may be something behind the Cisco that is causing an issue. You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required, and then you can come back and configure those ports too. -
How to set up NAT for two servers using same port with ASDM ASA 5505
Hi there,
We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: on our internal network, we have two servers running FileMaker Server, a relational database server that clients connect to using port 5003. Our goal is to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching access rule in ASDM, which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a translated port number different from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
Outside user enters FQDN:5004 and this translates to Database server # 1 as 192.168.1.40:5003
and
Outside user enters FQDN:5003 and this translates to Database server # 1 as 192.168.1.38:5003
If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
Thanks in advance,
James
I would create two objects and use object NAT:
object network Obj_5004
host 192.168.1.40
object network Obj_5004
nat (inside,outside) static service tcp 5003 5004
object network Obj_5003
host 192.168.1.38
object network Obj_5003
nat (inside,outside) static service tcp 5003 5003
Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen -
NAT configuration on PIX to ASA
Hi,
I have the below configuration on my PIX 8.0 which I want to convert to ASA 9.1:
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
And there is no "NAT (global) 0" command in the PIX for this configuration.
How can I use this in the ASA?
Regards,
Ninad
Hi,
The configuration is going to be bigger, at least. I liked the NAT0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
object network HOST-10.2.1.175
host 10.2.1.175
object network HOST-10.10.49.30
host 10.10.49.30
object network HOST-1.1.1.58
host 1.1.1.58
object network HOST-1.1.1.57
host 1.1.1.57
object network HOST-172.29.83.2
host 172.29.83.2
object network HOST-172.29.83.1
host 172.29.83.1
object network HOST-202.138.123.75
host 202.138.123.75
object network HOST-10.10.11.20
host 10.10.11.20
object network HOST-10.14.1.11
host 10.14.1.11
object network HOST-10.10.50.150
host 10.10.50.150
nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
Notice that I configured the destination interface as "any". With that setting it should determine the destination interface based on your ASA's routing table. I personally tend to define that interface, but can't do that in this case as I can't see your routing configuration or routing table.
If you want to read up on the new NAT configuration format, you can check a document that I wrote in 2013.
Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni -
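As an added example (not code from the thread or from Cisco), the conversion Jouni did by hand, scripted in Python: it reads the pre-8.3 `nat 0 access-list` statement and its ACEs and emits the equivalent 8.3+ network objects and identity twice NAT rules, refusing anything it cannot translate safely. The `HOST-<ip>` naming follows the answer; the `NET-<ip>_<mask>` naming for subnet entries and the extra sample inputs in the tests are assumptions of mine.

```python
import re
from collections import OrderedDict

# Constructed sample input: the PIX 8.0 "nat 0 access-list" exemption quoted in the thread.
PIX_CONFIG = """\
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
"""

# "nat (<real-interface>) 0 access-list <acl>": the pre-8.3 NAT exemption statement.
NAT0_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) 0 access-list (?P<acl>\S+)$")
# Any extended ACE; the ACL it belongs to decides whether it is exemption traffic.
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) extended (?P<body>.+)$")


def parse_address(tokens):
    """Consume one ACE address spec; return (object name, object body line, remaining tokens).

    'host A.B.C.D'     -> HOST-A.B.C.D        (the naming used in the answer)
    'A.B.C.D M.M.M.M'  -> NET-A.B.C.D_M.M.M.M (assumed naming for subnet entries)
    """
    if not tokens:
        raise ValueError("address specification missing")
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("host keyword without an address")
        ip = tokens[1]
        return f"HOST-{ip}", f" host {ip}", tokens[2:]
    if tokens[0] == "any" or len(tokens) < 2:
        # 'any' and object-group references are left to a human: failing loudly beats
        # emitting a NAT rule that matches the wrong traffic.
        raise ValueError(f"unsupported address specification: {' '.join(tokens)}")
    ip, mask = tokens[0], tokens[1]
    return f"NET-{ip}_{mask}", f" subnet {ip} {mask}", tokens[2:]


def convert_nat0(pix_config):
    """Translate pre-8.3 nat 0 exemptions into 8.3+ network objects and twice NAT rules.

    Returns the generated configuration as a list of lines: every network object once
    (deduplicated, in first-use order), followed by one identity twice NAT rule per ACE.
    """
    exemptions = OrderedDict()   # acl name -> real (source) interface
    aces = {}                    # acl name -> ACE bodies, in configured order
    for raw in pix_config.splitlines():
        line = raw.strip()
        m = NAT0_RE.match(line)
        if m:
            exemptions[m.group("acl")] = m.group("iface")
            continue
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group("acl"), []).append(m.group("body").split())

    objects = OrderedDict()      # object name -> body line
    nat_rules = []
    for acl, iface in exemptions.items():
        if acl not in aces:
            raise ValueError(f"nat 0 references ACL {acl}, which has no ACEs in the input")
        for body in aces[acl]:
            if body[:2] != ["permit", "ip"]:
                # Exemption ACLs should be plain 'permit ip'; anything else needs review.
                raise ValueError(f"unsupported ACE in {acl}: {' '.join(body)}")
            src_name, src_body, rest = parse_address(body[2:])
            dst_name, dst_body, rest = parse_address(rest)
            if rest:
                raise ValueError(f"trailing tokens in ACE: {' '.join(rest)}")
            objects.setdefault(src_name, src_body)
            objects.setdefault(dst_name, dst_body)
            # Source and destination are each mapped to themselves, so traffic between the
            # two passes untranslated, which is what nat 0 did. 'any' as the mapped
            # interface lets the routing table pick the egress interface, as the answer notes.
            nat_rules.append(
                f"nat ({iface},any) source static {src_name} {src_name} "
                f"destination static {dst_name} {dst_name}"
            )

    lines = []
    for name, body in objects.items():
        lines.append(f"object network {name}")
        lines.append(body)
    lines.extend(nat_rules)
    return lines


if __name__ == "__main__":
    print("\n".join(convert_nat0(PIX_CONFIG)))
```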
How to configure business objects web services
Hi, can anyone tell me where I can find these web services in the CMC, and how I need to configure these web services in order to talk externally with the Java program.
My scenario is: a Java program will kick off and send the parameters to the web services in Business Objects. The web services need to take those parameters from Java, create a file and drop it locally or anywhere.
Hi
Which version are you on?
If it is XI 3.x then dswsbobje is the web application which is deployed on the default Tomcat. You can get the details of all available web services at: http://BOEHOSTNAME:PORT/dswsbobje/services/listServices
Regards
Ashwini -
Need Help on Port Blocking in ASA
Dear All,
I have configured the firewall to allow only port 443 and deny all TCP ports for the destination, but when I scan from a port scanner it shows several TCP ports are enabled. I need your suggestion and help on how to block these TCP ports.
An early response is required.
Thanks
Hi,
Still don't know the ports that were supposedly open.
Though if that is the ACL you have bound to the "outside" interface on the ASA, then it should be blocking the connections through the ASA for everything other than TCP/443 to a single destination IP address.
Then there are naturally the ASA's own services and the ports on which it is listening.
You can check that with the following command:
show asp table socket
Most likely the ports that are open on the ASA are the ones used for management purposes, perhaps
those set with the following commands:
telnet
ssh
http
You also have the option to create an ACL that blocks all traffic to the ASA "outside" interface IP address. You can then attach it with the "access-group" command:
access-group in interface outside control-plane
This would limit the "To the Box" traffic. Though the above mentioned management commands "telnet", "ssh" and "http" would still override this ACL.
- Jouni