Converting to ASA rules base
I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. I was wondering if anyone has a rule base conversion tool that would be able to do a lot of the basic work? And some of the NAT conversions?
Hello Glenn
To be honest with you I do not think there is a conversion tool from that firewall to our ASA.
I would recommend reading and analyzing the configuration guides for the ASA, or if you have any questions related to the ASA setup let us know.
We will be more than glad to help!!
Regards,
Do rate all the helpful posts
Julio
Similar Messages
Hello to everyone
I am having this kind of config, and in my network it was working flawlessly, but in the site where it is installed it is giving me trouble.
First, my connection to the site is working so I can access the ASA from the internet, but I can't do inter-VLAN routing in the ASA.
I have activated those commands and nothing; I cannot ping my vlan2 interface from my inside. I do not have a router doing the L3 routing, only the ASA, but it should let me pass traffic because the ASA is a L3 device. Also this licence has no trunk.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Well, I have done many things and nothing,
policy-map global_policy
class inspection_default
inspect icmp
no results, waiting for your comments.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Botnet Traffic Filter : Disabled
ASA Version 8.2(5)
hostname ASA5505
enable password XXXXXXXXXXXXXX encrypted
passwd XXXX.XXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.174 255.255.255.248
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password XXXXXXXXX encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0c8a226f7c4a8d5a03e6fcd821893898
: end
Cisco ASA 5505 Base License - not inter-vlan-routing no internet access from inside interface
here the output from my pings
ping
Interface: inside
Target IP address: 10.0.0.1
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5505# ping
Interface: outside
Target IP address: 66.XX.XX.174
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5505# ping
Interface: inside
Target IP address: 66.XX.XX.174
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:
Success rate is 0 percent (0/5)
ASA5505# ping
Interface: outside
Target IP address: 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
So inter-VLAN routing is not working. After that I had to use the following commands to see if there was any change, but no results:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
policy-map global_policy
class inspection_default
inspect icmp
exit
exit
service-policy global_policy global
After all the things I've done in the CLI, I logged into the ASDM and in the NAT section I saw that the NAT had no destination.
global (outside) 10 interface
nat (inside) 10 10.0.0.0 255.255.255.0
so I decide to apply in this way
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
and voila, everything is working; I was able to ping 4.2.2.2 on the outside. I think that the problem is with the public IP directly assigned to the ASA by the ISP and not a private IP, because in my test environment it was working perfectly and I was using 192.168.0.0 and 172.18.0.0 networks as the outside interface IP and everything was fine.
But thanks to all that helped; now I have to start to apply security and ACL configs.
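As an added defender-side check (not from the thread or from Cisco), the script below parses an ASA 8.2-style config like the one posted and flags two things visible in it: management services (http/ssh/telnet) allowed from 0.0.0.0/0 on the security-level 0 interface, and nat/global ids with no partner statement. The config excerpt is constructed from the posted one with documentation addresses and an extra unmatched nat id to exercise the check.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted 5505 config (documentation
# addresses; "nat (inside) 1" deliberately has no matching global).
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.174 255.255.255.248
global (outside) 10 interface
nat (inside) 10 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 access-list inside_nat_outbound
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s")


def parse_config(text):
    """Collect interface security levels, management access lines and nat/global ids."""
    sec_level = {}                  # nameif -> security-level
    mgmt = []                       # (service, source, mask, interface)
    nat_ids = defaultdict(list)     # nat id -> [source interfaces]
    global_ids = defaultdict(list)  # nat id -> [global interfaces]
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            sec_level[current] = int(line.split()[1])
        elif (m := MGMT_RE.match(line)):
            mgmt.append(m.groups())
        elif (m := NAT_RE.match(line)):
            nat_ids[int(m.group(2))].append(m.group(1))
        elif (m := GLOBAL_RE.match(line)):
            global_ids[int(m.group(2))].append(m.group(1))
    return sec_level, mgmt, nat_ids, global_ids


def audit(text):
    """Return human-readable findings for the two checks, in config order."""
    sec_level, mgmt, nat_ids, global_ids = parse_config(text)
    findings = []
    for service, source, mask, ifname in mgmt:
        # "0.0.0.0 0.0.0.0" means any source; on a security-level 0
        # interface that is the whole Internet.
        if source == "0.0.0.0" and mask == "0.0.0.0" and sec_level.get(ifname) == 0:
            findings.append(f"{service} open to any source on {ifname} (security-level 0)")
    for nid, sources in nat_ids.items():
        # nat id 0 is identity/exempt NAT and needs no global statement.
        if nid != 0 and nid not in global_ids:
            findings.append(f"nat id {nid} on {', '.join(sources)} has no matching global")
    for nid, outs in global_ids.items():
        if nid not in nat_ids:
            findings.append(f"global id {nid} on {', '.join(outs)} has no matching nat")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```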
Hi Everybody,
I have a problem with SQL queries with /*+ RULE */ base hints being posted to an Oracle database. I have reason to believe that these queries are generated by the Oracle ODBC Driver itself. Although I don't have a performance problem per se, I need to reduce these hints to a minimum so we can fine-tune the database as a whole.
* The views that are hit are always the same: All_Objects, All_Arguments, All_Synonyms,
* We are using Oracle ODBC driver 10.02.00.04 for Windows, the database server is a RS6000 with AIX and Oracle 10g,
* Aside Oracle Development tools, there are no applications, reports or similar gadgets that query the tables described above.
I would really appreciate any help about this issue.
Here is an example of the type of queries that I'm writing about:
SELECT /*+ RULE */ '', b.owner, decode (b.object_type, 'PACKAGE', CONCAT( CONCAT (b.object_name, '.'), a.object_name), b.object_name), NULL, NULL, NULL, NULL, decode (b.object_type, 'PACKAGE', decode(a.position, 0, 2, 1, 1, 0), decode(b.object_type, 'PROCEDURE', 1, 'FUNCTION', 2, 0))
FROM ALL_ARGUMENTS a, ALL_OBJECTS b
WHERE ( b.object_type = 'PROCEDURE' OR b.object_type = 'FUNCTION' ) AND b.object_id = a.object_id AND (a.sequence=1 OR a.sequence=0) AND b.OBJECT_NAME = 'MYTABLE' AND b.OWNER = 'MYSCHEMA' UNION
SELECT /*+ RULE */ '', b.owner,b.object_name,NULL, NULL, NULL, NULL,decode(b.object_type, 'PROCEDURE', 1, 'FUNCTION', 2, 0)
FROM ALL_OBJECTS b
WHERE (b.object_type = 'PROCEDURE' OR b.object_type = 'FUNCTION') AND b.OBJECT_NAME = 'MYTABLE' AND b.OWNER = 'MYSCHEMA' UNION
SELECT /*+ RULE */ distinct '', a.owner,CONCAT(CONCAT (a.package_name, '.'), a.object_name),NULL, NULL, NULL, NULL,decode(a.position, 0, 2, 1, 1, 0)
FROM ALL_ARGUMENTS a
WHERE (a.sequence=1 OR a.sequence=0) AND a.OBJECT_NAME = 'MYTABLE' AND a.OWNER = 'MYSCHEMA' ORDER BY 2,3
Best Regards,
Manuel
Edited by: user10165637 on Jul 28, 2009 1:29 PM
Hi Greg,
Thank you for your answer. One of the things that we did when we migrated to Oracle 10g was to ensure that the "Disable Rule Base Hints" flag, located in the "Work-arounds" tab in the ODBC DSN window is checked. We previously refreshed all Microsoft's Access databases to use this new DSN connection. Still, the hints are there.
However... we may have been able to link these calls to these Oracle System Catalog views, with a custom application that launches Crystal Reports.
Although we all know that Crystal Reports also caches ODBC DSN configuration settings, I must say that these same Crystal Reports do not generate hints when called from their InfoView server.
We will proceed to modify the custom application, overriding the disable rule-base hint work-around with the string "DRH=T" on the connection string. Next week we will know if this works.
Best Regards,
Manuel
Partitioning on Oracle 8.0.6 (rule base vs. cost base)
At my current engagement, we are using Oracle Financials 11.0.3 on Oracle 8.0.5, which uses the rule-based optimizer. However, it has been planned to upgrade the database from Oracle 8.0.5 to Oracle 8.0.6 as well as implement Oracle partitioning. With this in mind, we are concerned about possible performance issues that the implementation of partitioning may cause since the RBO does not recognize it.
We agree that the RBO will see a non-partitioned table the same as a partitioned. In this scenario where you gain the most is with backup/recoverability and general maintenance of the partitioned table.
Nevertheless, we have a few questions:
When implementing partitions, will the optimizer choose to go with Cost base vs. Rule base for these partitioned tables?
Is it possible that the optimizer might get confused with this?
If this change from RBO to CBO does occur, the application could potentially perform poorly because of the way it has been written.
Please provide any feedback.
thanks in advance.
If the CBO is invoked when accessing these tables, you may run into problems.
- You'll have to analyze your tables & ensure that the statistics are kept up to date.
- It's possible that any SQL statements which invoke the CBO rather than the RBO will have different performance characteristics. The SYSTEM data dictionary tables, for example, must use the RBO or their performance suffers dramatically. Most of the time, the CBO beats the RBO, but applications which have been heavily tuned with the RBO may have problems with the CBO.
- Check your init.ora to see what optimizer mode you're in. If you're set to CHOOSE, the CBO will be invoked whenever statistics are available on the table(s) involved. If you choose RULE, you'll only invoke the CBO when the RBO encounters situations it doesn't have rules for.
Justin
Can we access two different Siebel BO in Same OPA Rule Base
Hi all,
can we access two different BO's from same rule base.
what i means is,can we pass siebel data to OPA Rule Base from two different BO's .
Thank you for your help in advance.
There are two approaches to do this and they both involve making some small changes on the Siebel side.
You can create an Integration Object which contains all the business components that you want to send to OPA if you are using an Integration Object mapping.
If you would prefer to use a Business Object mapping then you will have to create a new Business Object which combines the BCs of all the Business Objects that you want to send to OPA.
As you can see, although one approach involves Integration Objects and one involves Business Objects they both work by creating a single object which is an amalgamation of the information that you want to send to OPA.
Cheers
Frank
How to convert Alternative unit to base unit?
Hello All.
Can anyone tell me how to convert an alternative unit to the base unit? Is there any function module for this?
I am updating MM02 using bapi_material_savedata. In that i have to update sales unit.
Thanks in advance.
Hi
Try the fun modules
UNIT_CONVERSION_SIMPLE
or
MD_CONVERT_MATERIAL_UNIT
Reward points if useful
Regards
Anji
Folks,
In an enterprise system, the rules are variable in a year and they may change. The rules and data are somehow dynamic. The dynamic data exists in an RDBMS, but for the rules I want to put them in a Rule Base Engine. If they are hard coded, the system is not flexible against changes. One solution is to put the rules behind an interface and after any changes, we can implement the related interface to get the goal. But I have a question! Is there any other way to abstract the rules in an engine or something like that?
Any comment is welcome,
Amin Emami
You can implement a rules engine using the Interpreter Pattern in Java from scratch in a few days.
Check out the GOF Design Patterns book for the pure pattern, or Applied Java Patterns for a more practical example.
You can use this pattern to interpret your rules file from a free-form text document, but then you need to implement a tokeniser and parser, which takes time. So a good alternative is to use XML.
You can use your project's existing DAO to access the database.
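The interpreter-pattern engine the reply describes, as an added example in Python rather than Java (not from the thread): the rules live in an XML document and are compiled into an expression tree that is evaluated against a dict of facts loaded from the database. The rule vocabulary (all/any/compare), the sample rules and the facts are constructed.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed rule file: the rules that change during the year live here, not in compiled code.
RULES_XML = """\
<rules>
  <rule name="senior-member-discount" set="discount" value="20">
    <all>
      <compare field="age" op="ge" value="65"/>
      <compare field="member" op="eq" value="true"/>
    </all>
  </rule>
  <rule name="new-customer-discount" set="discount" value="5">
    <any>
      <compare field="orders" op="eq" value="0"/>
      <compare field="member" op="eq" value="false"/>
    </any>
  </rule>
</rules>
"""

OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "le": operator.le, "gt": operator.gt, "ge": operator.ge}


def coerce(sample, text):
    # Turn the XML attribute text into the type of the fact it is compared with.
    if isinstance(sample, bool):
        return text.lower() == "true"
    return type(sample)(text)


class Compare:  # terminal expression: one fact against a literal
    def __init__(self, field, op, value):
        self.field, self.op, self.value = field, OPS[op], value

    def evaluate(self, facts):
        actual = facts.get(self.field)
        if actual is None:  # a missing fact never satisfies a rule
            return False
        return self.op(actual, coerce(actual, self.value))


class All:  # non-terminal: every child must hold
    def __init__(self, children): self.children = children
    def evaluate(self, facts): return all(c.evaluate(facts) for c in self.children)


class Any:  # non-terminal: at least one child must hold
    def __init__(self, children): self.children = children
    def evaluate(self, facts): return any(c.evaluate(facts) for c in self.children)


def build(node):
    """Interpreter pattern: map each XML element to an expression object."""
    if node.tag == "compare":
        return Compare(node.get("field"), node.get("op"), node.get("value"))
    if node.tag == "all":
        return All([build(c) for c in node])
    if node.tag == "any":
        return Any([build(c) for c in node])
    raise ValueError(f"unknown rule element <{node.tag}>")


def load_rules(xml_text):
    """Each rule: (name, condition tree, attribute to set, value to set)."""
    root = ET.fromstring(xml_text)
    return [(r.get("name"), build(r[0]), r.get("set"), r.get("value"))
            for r in root.findall("rule")]


def run(rules, facts):
    """Evaluate every rule against the facts; later rules override earlier ones."""
    fired, derived = [], {}
    for name, cond, key, value in rules:
        if cond.evaluate(facts):
            fired.append(name)
            derived[key] = value
    return fired, derived
```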
Hi there,
I've been building a rule base and when I test the following rules and select "Aggregate Format" as the preferred family of format, it concludes that the product does not meet the preference requirements for Standard, Horizontal, or Linear formats since the preferred family of format is Aggregate. Clearly, it should meet the preference requirements but there must be an issue with my rules. Any ideas on how to solve this issue? what tests to run?
the product meets the preference requirements for Standard, Horizontal, or Linear formats if
(1) the product’s first choice is the Standard, Horizontal, and Linear formats or
(2) the manufacturer's product = “able to use multiple format styles” and
(2) the preferred family of format = “Standard, Horizontal or Linear”
(1) the product’s first choice is the Aggregate Format – Different Kinds of Foods and does not meet the requirements
(2) the manufacturer's product = “able to use multiple format styles” and
(2) the preferred family of format = “Aggregate Format” and
(2)the most suitable NFT format figure is not Figure 10.1 and
(2)the most suitable NFT format figure is not Figure 10.2 and
(2)the most suitable NFT format figure is not Figure 10.3 and
(2)the most suitable NFT format figure is not Figure 10.4 and
(2)the most suitable NFT format figure is not Figure 10.5 and
(2)the most suitable NFT format figure is not Figure 10.6 and
(2)the most suitable NFT format figure is not Figure 11.1 and
(2)the most suitable NFT format figure is not Figure 11.2 and
(2)the most suitable NFT format figure is not Figure 11.3 and
(2)the most suitable NFT format figure is not Figure 11.4 and
(2)the most suitable NFT format figure is not Figure 11.5 and
(2)the most suitable NFT format figure is not Figure 11.6
Since the rule contains both AND and OR clauses, OPA needs to know how they are combined.
By default, there are the grouping operators ALL (or BOTH) to group premises joined by AND, and ANY (or EITHER), to group premises joined by OR.
However, it is also possible to replace the grouping attributes with new attributes. This seems to be what has been misleading you.
When applying grouping operators to your rule, you would get:
the product meets the preference requirements for Standard, Horizontal, or Linear formats if
(1) the product’s first choice is the Standard, Horizontal, and Linear formats or
all
(2) the manufacturer's product = “able to use multiple format styles” and
(2) the preferred family of format = “Standard, Horizontal or Linear”
(1) the product’s first choice is the Aggregate Format – Different Kinds of Foods and does not meet the requirements
all
(2)the manufacturer's product = “able to use multiple format styles” and
(2)the preferred family of format = “Aggregate Format” and
(2)the most suitable NFT format figure is not Figure 10.1 and
(2)the most suitable NFT format figure is not Figure 10.2 and
(2)the most suitable NFT format figure is not Figure 10.3 and
(2)the most suitable NFT format figure is not Figure 10.4 and
(2)the most suitable NFT format figure is not Figure 10.5 and
(2)the most suitable NFT format figure is not Figure 10.6 and
(2)the most suitable NFT format figure is not Figure 11.1 and
(2)the most suitable NFT format figure is not Figure 11.2 and
(2)the most suitable NFT format figure is not Figure 11.3 and
(2)the most suitable NFT format figure is not Figure 11.4 and
(2)the most suitable NFT format figure is not Figure 11.5 and
(2)the most suitable NFT format figure is not Figure 11.6
but since you have omitted the grouping operators, OPA would have interpreted the level (1) clauses as intermediate attributes. This could be misleading.
Try to split the rule in multiple rules. This is likely to help you debug this rule.
Error compiling Rule base in 10.4.4
Hi ,
I am facing an error while compiling (using Build and Debug option) OPA rule base in OPM 10.4.4 version.
The rule base was originally built in 10.4.2 and it gets successfully compiled in the 10.4.2 version.
Error code: OPA - E00088 ( Unknown attribute)
Could you please help me with this.
Let me know if you need additional details.
Thank you
Chetan Jain
Where are you seeing "Error code: OPA - E00088 ( Unknown attribute)"? Is it the 'Error List' in OPM? Often the errors there are clickable and will take you to what's causing the error, e.g. when there's an interview screen causing an error, clicking the error in the Error List usually opens the problem interview screen (in your case it sounds like an attribute not a screen though).
The other thing I'd try is narrowing down the cause of the problem. For example, is there a particular rule document which won't compile?
Cheers,
Jasmine
DTP Request Error: "Overflow converting from ''" (Executing rule)
Hi,
I have an error for every dataset in my dtp:
Anyone an idea?
Error Records Display says:
Runtime error while executing rule
Longtext:
Diagnosis
An error occurred while executing a transformati
The exact error message is:
Overflow converting from ''
The error was triggered at the following point i
GPD5DB2R35UPL1XXBS1ICKUVG8O 2313
System Response
Processing the data record has been terminated.
Procedure
The following additional information is included in the hig
node of the monitor:
o Transformation ID
o Data record number of the source record
o Number and name of the rule which produced the error
Hi,
It seems that there is an error in the transformation routine. Are you filling any internal table or converting any data type in the routine? Go to ST22; it will show you the dump and give you the line at which the error is coming, OR if you click on the message in the DTP monitor it will divert you to the erroneous line.
Regards,
Viren
Converting PIX/ASA logs into CSV
I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our Syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration to other products. Has anyone had success with this, or have a perl / shell script(awk grep, etc) written for this task? I would like to capture as much data as possible.
What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
-KS
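An added example (not from the thread, and not a Cisco or Kiwi tool) of the parser the question asks for: it reads syslog-forwarded PIX/ASA lines, splits out the %ASA-severity-id header, pulls the 5-tuple out of TCP/UDP connection build/teardown messages (302013 to 302016) and ACL deny messages (106023), keeps the raw text for everything else, and writes CSV. The sample lines are constructed with documentation addresses.

```python
import csv
import io
import re

# Constructed sample lines in the forwarded form "<date> <host> %ASA-<sev>-<id>: <text>"
# (addresses from documentation ranges; the last line is deliberately not a firewall message).
SAMPLE = """\
Mar 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/51515 (203.0.113.5/51515) to inside:10.0.0.20/443 (192.0.2.174/443)
Mar 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.20/445 by access-group "outside_access_in" [0x0, 0x0]
Mar 10 12:00:06 fw01 %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/51515 to inside:10.0.0.20/443 duration 0:00:05 bytes 3120 TCP FINs
Mar 10 12:00:07 fw01 %PIX-5-111008: User 'enable_15' executed the 'show running-config' command.
this line is not a firewall message
"""

HEADER_RE = re.compile(r"%(ASA|PIX)-(\d)-(\d{6}):\s*(.*)$")
CONN_RE = re.compile(
    r"(Built|Teardown) (?:inbound |outbound )?(TCP|UDP) connection \d+ for "
    r"(\w+):([\d.]+)/(\d+).*? to (\w+):([\d.]+)/(\d+)")
DENY_RE = re.compile(
    r"Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) by access-group \"([^\"]+)\"")
FIELDS = ["timestamp", "host", "platform", "severity", "msgid", "action", "proto",
          "src_if", "src_ip", "src_port", "dst_if", "dst_ip", "dst_port", "acl", "text"]


def parse_line(line):
    """Return one CSV row (dict) for a PIX/ASA syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    platform, severity, msgid, text = m.groups()
    prefix = line[:m.start()].split()  # e.g. ['Mar', '10', '12:00:01', 'fw01']
    row = dict.fromkeys(FIELDS, "")
    row.update(timestamp=" ".join(prefix[:3]), host=prefix[3] if len(prefix) > 3 else "",
               platform=platform, severity=severity, msgid=msgid, text=text)
    if msgid in ("302013", "302014", "302015", "302016"):  # TCP/UDP build and teardown
        c = CONN_RE.search(text)
        if c:
            row.update(zip(["action", "proto", "src_if", "src_ip", "src_port",
                            "dst_if", "dst_ip", "dst_port"], c.groups()))
    elif msgid == "106023":  # denied by an interface ACL
        d = DENY_RE.search(text)
        if d:
            row.update(action="Deny")
            row.update(zip(["proto", "src_if", "src_ip", "src_port",
                            "dst_if", "dst_ip", "dst_port", "acl"], d.groups()))
    return row


def parse_lines(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def to_csv(lines):
    """Render parsed rows as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(parse_lines(lines))
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE.splitlines()))
```

Other message ids fall through with only the header fields and raw text filled, so nothing is dropped; add a regex per id as the integration needs more fields.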
How find all un-used/in-active ASA rules
Hello,
I am tasked to identify all un-used, in-active, and idle rules in Cisco ASA firewalls.
I have access to CSM. But in CSM, I do not know how create such a report. I would be grateful if someone can help to create such a report.
If CSM does not support such a report, I will be grateful if someone can help to use CLI to figure out such rules.
thanks in advance
Bo
Hi,
Do you mean the ACL rules which are inactive/idle for a long time?
If it is ACL rules then sh access-list | in (hitcnt=0) and check. But this may not conclude that it is invalid, because the end users use that flow in rare cases also. Be sure on this one.
for interface ACL's you can check sh access-group and check how many ACL's configured and used on interfaces.
If it is used for VPN or NAT then you need to check NAT configurations and VPN configurations with the rule name.
Or the best way: you can take the sh run and find which ACL name is used or not used. If it is a valid ACL then, apart from the ACL lines, it should be mapped somewhere, either in access-group/NAT/VPN configs.
By
Karthik
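Karthik's two checks scripted, as an added example (not from the thread or a Cisco tool): zero-hit ACEs from `show access-list`, and ACL names in `show running-config` that no access-group, nat, crypto map, class-map match or split-tunnel list references. Both inputs are constructed excerpts with documentation addresses.

```python
import re

# Constructed 'show access-list' output (hash values made up).
SHOW_ACCESS_LIST = """\
access-list outside_access_in; 2 elements; name hash: 0x1a2b3c4d
access-list outside_access_in line 1 extended permit tcp any host 192.0.2.174 eq https (hitcnt=1532) 0x11111111
access-list outside_access_in line 2 extended permit tcp any host 192.0.2.174 eq ssh (hitcnt=0) 0x22222222
access-list inside_nat_outbound; 1 elements; name hash: 0x5e6f7a8b
access-list inside_nat_outbound line 1 extended permit ip 10.0.0.0 255.255.255.0 any (hitcnt=8841) 0x33333333
access-list old_vpn_acl; 1 elements; name hash: 0x9c0d1e2f
access-list old_vpn_acl line 1 extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.0.0 (hitcnt=0) 0x44444444
"""

# Constructed 'show running-config' excerpt: old_vpn_acl is defined but bound nowhere.
SHOW_RUN = """\
access-list outside_access_in extended permit tcp any host 192.0.2.174 eq https
access-list outside_access_in extended permit tcp any host 192.0.2.174 eq ssh
access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 any
access-list old_vpn_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?) \(hitcnt=(\d+)\)")
# Places an ACL name can be consumed: interface binding, NAT, crypto map,
# class-map match and split-tunnel lists.
REF_RES = [
    re.compile(r"^access-group (\S+)"),
    re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    re.compile(r"^\s*match access-list (\S+)"),
    re.compile(r"^\s*split-tunnel-network-list value (\S+)"),
]


def zero_hit_aces(show_access_list):
    """ACEs with hitcnt=0 as (acl name, line number, rule text)."""
    out = []
    for line in show_access_list.splitlines():
        m = ACE_RE.match(line)
        if m and int(m.group(4)) == 0:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def unreferenced_acls(show_run):
    """ACL names defined in the running config that nothing binds or uses."""
    defined, referenced = set(), set()
    for line in show_run.splitlines():
        if line.startswith("access-list "):
            defined.add(line.split()[1])
            continue
        for rx in REF_RES:
            m = rx.match(line)
            if m:
                referenced.add(m.group(1))
    return defined - referenced


if __name__ == "__main__":
    # hitcnt counts since the last 'clear access-list counters' or reload,
    # so a zero is a candidate to review, not proof that the rule is dead.
    for acl, n, text in zero_hit_aces(SHOW_ACCESS_LIST):
        print(f"zero hits: {acl} line {n}: {text}")
    for acl in sorted(unreferenced_acls(SHOW_RUN)):
        print(f"unreferenced ACL: {acl}")
```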
Rule base optimizer in 9i and 10g
Hi
All,
I just upgraded databases from Oracle 9.2.0.6 to 10.2.0.3.
I think, as I know, Oracle 10g no longer supports the rule based optimizer (correct me if I am wrong),
but some of the scripts have the rule optimizer hint in there. If I keep it as it is, will it give me an error or do I need to change something?
Thanks,
Vishal
What should I do? Should I keep it as it is?
RBO is obsolete in 10g, but the hint RULE still works, i.e. it will not error out.
Check execution plan with and without hint , if execution plan look better without hint,
go for it. Keeping it as it is will not harm, but if data increases/changes drastically in the underlying table of the query, in that case the CBO might give you a better execution plan than with the rule hint.
Rule Based Check and CTP Settings
Dear Experts,
I want to run Rule based ATP and CTP together in the system. As far as I know the setup of each of these is typical and I am not able to run both together. Please guide me on any settings to be maintained to run the same.
Thanks
Prashant,
First, make sure RBA works, and CTP works, independently. I won't go into setup for each of these, which are pretty extensive all on their own.
I don't know what you are using for rules, so I will give you some general ideas. You will have to decide how you want it to work. For RBA & CTP, it usually makes most sense to run RBA immediately, and when none of the RBA proposals give a solution, then you execute production (CTP). If you were to invoke production first, you will typically find a solution immediately and never get to the RBA step. The trick is to have RBA call production on the last step of the last rule.
So, in IMG>APO>GATP>General Settings>Maintain Check instructions do product check first (well, unless you are doing allocation, but that is another story). Tick Activate RBA, start immediately. This gets RBA running first. It will do all the product checks you have configured in your RBA. Set the Production part as 'Availability check only, no production'. A bit counter-intuitive sounding, thanks SAP!
Logically, the final rule you determine (after failure of all previous rules) will be a location determination rule, where the system decides where you are going to manufacture the parts. (you should already have determined product and version). On the final location determination rule, you assign a location determination activity (which you defined in /SAPAPO/RBA04>Profiles and Parameters>Location determination activities). Within the Location determination activity, you invoke production. Within the activity, you define Start Production as 'Availability check first, then production', on the assumption that you haven't checked this location yet for standard product check.
This is one way to use both RBA and CTP. There are probably others, but I have used this successfully.
Rgds,
DB49
Hello,
Do you guys have any idea about this issue.
I am wondering!....In our new server (10g on AIX) the Rule Based optimizer mode shows the cost.
Is it possible..? Today only I found that one... few days back its not shown the cost.
Actually... it is not supposed to show the cost when you use the Rule based optimizer. Am I correct?
Hi,
>>the Rule Based optimizer mode shows the cost.
Where did you get this information from? I think that it wouldn't happen ... unless you actually have been using the cost-based optimization mode (CBO)
SQL> alter session set optimizer_mode=RULE;
Session altered.
SQL> explain plan for select 1 from dual;
Explained.
SQL> set linesize 130
SQL> set pagesize 0
SQL> select * from table(dbms_xplan.display);
Plan hash value: 1550022268
| Id | Operation | Name | Rows | Bytes | Cost |
| 0 | SELECT STATEMENT | | | | |
| 1 | FAST DUAL | | | | |
Note
- rule based optimizer used (consider using cbo)
12 rows selected.
SQL> alter session set optimizer_mode=ALL_ROWS;
Session altered.
SQL> explain plan for select 1 from dual;
Explained.
SQL> select * from table(dbms_xplan.display);
Plan hash value: 1550022268
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
| 0 | SELECT STATEMENT | | 1 | | 2 (0)| 00:00:01 |
| 1 | FAST DUAL | | 1 | | 2 (0)| 00:00:01 |
8 rows selected.
Cheers
Legatti