Customer wants a public IP address for RDP after VPN Tunnel
I have a customer that wants to set up a VPN tunnel with me with a public IP address and a public address for the host. I am completely at a loss as to how to accomplish this. The customer states that it is against his company policy to connect to a remote host that is not in the public address space. I have given him a public peer address to connect to for the establishment of the VPN tunnel. However, he states that he needs the host to be in the public address space as well.
What is my customer asking for? Surely he does not want me to put RDP on a public address?
The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addresses, then we can do it by NATing (static or dynamic). We can allow the NATed IP as interesting traffic over the VPN tunnel. Because if we are putting the local IP into the public pool, then we don't need a VPN tunnel; we can access it directly over the internet too.
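As an added example (not code from the original thread), the check below does what the reply describes in a form you can run against your own crypto ACL: it classifies every endpoint of an ASA-style "interesting traffic" ACL as public or not, flags the sources that need a static NAT before a peer with a "public addresses only" policy will route to them, and rewrites the ACL with the NATed address so the peer never sees the RFC 1918 host. The ACL syntax handled (subnet masks, not IOS wildcard masks), the non-public range table and the sample addresses (RFC 5737 documentation ranges standing in for a real public block) are this example's own assumptions.

```python
"""Audit an IPsec "interesting traffic" ACL for endpoints outside public
address space and rewrite it so the peer only ever sees the NAT'd address.
Added example for this thread, not code from the original posts.  Assumes
ASA/PIX extended-ACL syntax (subnet masks, not IOS wildcard masks); the
range table below is this example's own, not a Cisco feature."""
import ipaddress
from typing import Dict, List, NamedTuple

IPv4Net = ipaddress.IPv4Network

# Space a peer with a "public addresses only" policy will reject.  RFC 1918 is
# the usual case; 100.64.0.0/10 (RFC 6598, carrier-grade NAT) is the range most
# often mistaken for public space.
NON_PUBLIC = {label: [IPv4Net(r) for r in ranges] for label, ranges in {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat-rfc6598": ["100.64.0.0/10"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
    "multicast": ["224.0.0.0/4"],
    "reserved": ["0.0.0.0/8", "240.0.0.0/4"],
}.items()}


class Ace(NamedTuple):
    acl: str
    src: IPv4Net
    dst: IPv4Net


def classify(net: IPv4Net) -> str:
    """'any', a NON_PUBLIC label, 'mixed' (straddles a boundary) or 'public'."""
    if net.prefixlen == 0:
        return "any"
    for label, ranges in NON_PUBLIC.items():
        if any(net.subnet_of(r) for r in ranges):
            return label
        if any(net.overlaps(r) for r in ranges):
            return "mixed"
    return "public"


def _endpoint(tok: List[str], i: int):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Net(tok[i + 1] + "/32"), i + 2
    return IPv4Net(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _fmt(net: IPv4Net) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def parse_acl(text: str) -> List[Ace]:
    """Only 'access-list NAME extended permit ip SRC DST' lines are understood."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(tok, 5)
            dst, _ = _endpoint(tok, i)
            aces.append(Ace(tok[1], src, dst))
    return aces


def audit(text: str) -> List[dict]:
    """One row per ACE; needs_nat is set when the peer would be asked to route
    to a source that is not public."""
    rows = []
    for ace in parse_acl(text):
        s, d = classify(ace.src), classify(ace.dst)
        rows.append({"src": str(ace.src), "src_class": s,
                     "dst": str(ace.dst), "dst_class": d, "needs_nat": s != "public"})
    return rows


def rewrite_with_nat(text: str, mapping: Dict[str, str]) -> List[str]:
    """Replace each private /32 source with its static-NAT public address.
    Fails closed: an unmapped non-public source, or a mapping whose target
    is itself not public, raises instead of emitting a half-fixed ACL."""
    nat = {}
    for real, mapped in mapping.items():
        m = IPv4Net(mapped + "/32")
        if classify(m) != "public":
            raise ValueError(f"{mapped} is {classify(m)}, not public")
        nat[IPv4Net(real + "/32")] = m
    out = []
    for ace in parse_acl(text):
        src = nat.get(ace.src, ace.src)
        if classify(src) != "public":
            raise ValueError(f"{ace.src} has no public mapping")
        out.append(f"access-list {ace.acl} extended permit ip {_fmt(src)} {_fmt(ace.dst)}")
    return out


# Constructed sample.  Line 1 is the ACE quoted in the PIX thread on this page;
# 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges standing in
# for the operator's public block and the peer's LAN (not routable in reality).
SAMPLE_ACL = """\
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip host 10.14.101.25 203.0.113.0 255.255.255.0
access-list vpn_1 extended permit ip host 192.0.2.8 203.0.113.0 255.255.255.0
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_ACL):
        print(row)
    # static NAT: RDP host 10.14.101.25 is presented to the peer as 192.0.2.50
    rdp_lines = "\n".join(SAMPLE_ACL.splitlines()[1:])
    for line in rewrite_with_nat(rdp_lines, {"10.14.101.25": "192.0.2.50"}):
        print(line)
```

The rewrite only turns a private host into a public one on paper; the static NAT that backs it makes that public address reachable from anywhere, which is exactly the reply's point that a host in the public pool no longer needs the tunnel. To keep the customer's policy satisfied without exposing RDP, the mapped address should be permitted only as interesting traffic to the peer and denied in the outside interface ACL for anything that arrives unencrypted.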
Similar Messages
UCCX 9.0 - My customer wants only zip tone in the headset for a new call to the agent, no ringing on the phone.
Can this be done? I can't seem to find a way to do this natively.
Yes, I looked into that option. They don't want that because some agents have been known to walk away from their desk without going Not Ready.
Thanks for the quick response!
Dave -
Getting public ip address for a lan
Hello, is there a way to somehow retrieve the public IP address of a LAN? When I use the standard Java get host method from a PC that's in a LAN, all I get is the private LAN IP address such as 192.x.x.x. This is useless to me if I want to make a connection to this computer from outside the LAN.
I want to be able to get the public IP so that I can transform my instant messenger program (LAN based) to the internet so that its clients can talk to each other from all around the world like MSN Messenger.
Would there be a problem if, say, 5 users from the same LAN were logged into the program and one person from outside the LAN wanted to talk to one of the people from the LAN? Seeing as all 5 LAN users will have the exact same public IP address, is there a way to talk to the correct user?
The current state is that as soon as a user logs into the system, the IP address of the PC that they are using is stored temporarily on a server so that if User A wants to talk to User B, User A queries the server to first find out if the user is online and then gets their IP address and joins User B's listening socket using the IP address retrieved from the server.
    import java.net.URL;
    import java.net.HttpURLConnection;
    import java.io.InputStreamReader;
    import java.io.BufferedReader;
    import java.io.InputStream;

    public class PublicIp {
        // Asks an external service which address our traffic arrives from; that
        // is the NAT's public address, which no local API on the PC can report.
        public static String lookup() {
            String publicIP = null;
            BufferedReader tempBr = null;
            try {
                URL tempURL = new URL("http://www.whatismyip.org/");
                HttpURLConnection tempConn = (HttpURLConnection) tempURL.openConnection();
                InputStream tempInStream = tempConn.getInputStream();
                tempBr = new BufferedReader(new InputStreamReader(tempInStream));
                publicIP = tempBr.readLine(); // service is expected to answer with the address as plain text
            } catch (Exception ex) {
                publicIP = "<Could-Not-Resolve-Public-IP-Address>";
            } finally {
                // closing the reader also closes the underlying stream, even on error
                if (tempBr != null) { try { tempBr.close(); } catch (Exception ignored) { } }
            }
            return publicIP;
        }

        public static void main(String[] args) {
            System.out.println(lookup());
        }
    } -
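The second half of the question above (five users behind one NAT, all with the same public IP) is not solved by looking the public IP up: the server has to key each user on the source endpoint it observes when the registration datagram arrives, because the NAT rewrites both the address and the port and the client cannot know either. The following is an added example, not code from the original post; the REGISTER/LOOKUP wire format, the per-user secret and the expiry window are this example's own assumptions.

```python
"""Presence registry for the LAN-messenger design asked about above: the server
keys each user on the source endpoint it *observes* when the datagram arrives,
never on an address the client reports, so several users behind one NAT share a
public IP but are told apart by (ip, port).  Added example, not code from the
original post; the REGISTER/LOOKUP wire format, the per-user secret and the
expiry window are this example's own assumptions."""
import time
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class PresenceRegistry:
    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        # user -> (observed endpoint, secret, last-seen time)
        self._online: Dict[str, Tuple[Endpoint, str, float]] = {}

    def handle(self, observed: Endpoint, msg: str, now: Optional[float] = None) -> str:
        """Process one datagram.  `observed` is the (ip, port) pair recvfrom()
        reported for it; that is the NAT's public side, which the client itself
        cannot know.  Anything the client writes about its own address in `msg`
        is ignored on purpose."""
        now = time.time() if now is None else now
        parts = msg.split()
        if len(parts) < 2:
            return "ERR syntax"
        cmd, user = parts[0], parts[1]
        entry = self._online.get(user)
        if entry is not None and now - entry[2] > self.ttl:
            # stale mapping: the NAT binding is most likely gone, so drop it
            del self._online[user]
            entry = None
        if cmd == "REGISTER":
            if len(parts) < 3:
                return "ERR secret required"
            secret = parts[2]
            # a live name may only be re-registered (e.g. after a NAT rebinding)
            # by a client that knows the secret chosen at first registration
            if entry is not None and entry[1] != secret:
                return "ERR name in use"
            self._online[user] = (observed, secret, now)
            return f"OK {observed[0]}:{observed[1]}"
        if cmd == "LOOKUP":
            if entry is None:
                return "OFFLINE"
            ip, port = entry[0]
            return f"ONLINE {ip}:{port}"
        return "ERR unknown command"


def demo() -> Dict[str, str]:
    """Constructed traffic: alice and bob sit on one LAN behind a NAT that the
    server sees as 198.51.100.20 (an RFC 5737 documentation address); carol's
    client wrongly appends its private 192.168.1.7 address, which is ignored."""
    reg = PresenceRegistry(ttl_seconds=60)
    t = 1000.0
    return {
        "alice": reg.handle(("198.51.100.20", 40001), "REGISTER alice s1", t),
        "bob": reg.handle(("198.51.100.20", 40002), "REGISTER bob s2", t),
        "carol": reg.handle(("198.51.100.20", 40003), "REGISTER carol s3 192.168.1.7", t),
        "lookup_bob": reg.handle(("203.0.113.9", 5000), "LOOKUP bob", t + 1),
        "squat": reg.handle(("203.0.113.9", 5000), "REGISTER alice guess", t + 2),
        "expired": reg.handle(("203.0.113.9", 5000), "LOOKUP alice", t + 100),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>10}: {v}")
```

Two caveats for anyone building on this: the observed port is only usable while the NAT keeps the UDP mapping alive, so clients have to re-register well inside the TTL, and a NAT that assigns a fresh port per destination (symmetric NAT) will give the server an endpoint that a third party cannot reach directly, in which case the server has to relay. The secret travels in clear over UDP in this sketch; it stops casual name squatting, not an attacker on the path.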
Public IP address for ERP system
Hi,
An SAP BC consultant gives me a small system landscape for ERP 6.0 and its info as follows:
a. 1 Sol Man system, 1 ERP system for DEV, 1 ERP system for PRO.
b. The Sol Man Server is for the ENTIRE SAP TECHNICAL LANDSCAPE in the single company.
c. The entire SAP Landscape needs to be on a different SUBNET on a different Gigabit switch for optimum performance. The broadcast between 2 subnets will be handled via a router.
d. A router with VPN Capabilities and 2-3 static public IP addresses (THIS IS A MUST).
I don't know why I need 2-3 static public IP addresses if I don't publish anything to the Internet. Somebody tell me why?
Thanks,
Toan Do
Hi,
It's most probably for SAProuter / the connection to OSS etc.
Regards -
HI.......
We have a Cisco 2851 router and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have a public IP address available. If I configure the VPN on the firewall, we need to configure the firewall's local IP address to a public IP address. So how do we configure the firewall's local IP to a public IP? Where can we configure it, meaning on the router or on the firewall? Please see my firewall and router configuration ...
Please help .....
The ASA would typically be where you set up your public IP address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).
However, on the config you attached your outside interface has a private (RFC 1918) address:
interface Ethernet0/3
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
Plus, it being a /30 only gives you two addresses - one for the ASA and one for the router's Gi0/0 (per that config, which you also attached). This is a bit of an odd setup but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".
It's really a bit of a mess and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup. -
Hello, I have an Apple-iCloud account and have used one e-Mail address. I would like to add another address for my wife on same account. How do I do it?
Hey there Raul,
It sounds like you have an iCloud account and want to create one for your wife using the same iCloud account. You can do this with an iCloud alias, and this article will help you do that. Keep in mind that any and all purchases made with the alias will not be transferable or merged with another account if she wants to have her own account down the road.
iCloud: Create or change email aliases
http://support.apple.com/kb/PH2622
Thank you for using Apple Support Communities.
All the best,
Sterling -
Public IP Address for DA Teredo Edge Config
Hi,
We are configuring Direct Access for the first time on server 2012 R2. We have setup and tested it fine on the single adapter ‘basic’ configuration but would like to configure it to use Teredo as it’s supposed to be faster.
I have read that this requires two network adapters on the DA server, one configured for the intranet and the other configured for the public internet with two consecutive public IP addresses.
My question is, if I point the public DNS record to the first public IP address (e.g. DirectAccess.mydomain.com), what do I need to do with the second public IP? I'm not clear what the second IP is used for.
I have read the second IP could be something to do with certificates but it wasn't very clear. We will be using DirectAccess with Windows 7 clients so already have an internal PKI installed for the DA single adapter setup.
Also, I have read that even with the IP-HTTPS performance improvements in 2012 Teredo is still considerably faster (assuming the internet connection itself is fast enough). Can anyone advise on speed differences between IP-HTTPS and Teredo?
Thanks
Alex
Hi
Since Windows Server 2012, you are allowed to deploy DirectAccess in multiple scenarios. In your situation, you have a single network interface. In this scenario, your DirectAccess server has a single private IP address. Teredo can only be used in the two network interface scenario. This is the only scenario in which you need two public IPv4 addresses.
IP-HTTPS performance is available since Windows Server 2012 but requires at least Windows 8 to be used.
Best regards.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx -
Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)
Hello,
I have a PIX with a 10 Mb internet connection. This PIX has several L2L VPN tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able to guarantee 5 Mb of the total 10 Mb to a specific VPN tunnel. Is this possible? I have read the following links; however, I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
https://supportforums.cisco.com/docs/DOC-1230
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
The tunnel is being defined by the following commands:
crypto map prdmay 20 match address vpn_1
crypto map prdmay 20 set peer 61.172.142.222
crypto map prdmay 20 set transform-set TS
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
tunnel-group 61.172.142.222 type ipsec-l2l
tunnel-group 61.172.142.222 ipsec-attributes
 pre-shared-key *
Is the following what I need to do in order to accomplish what I want?
priority-queue outside
class-map vpn_5Mb
 match access-list vpn_1
 match tunnel-group 61.172.142.222
policy-map police-priority-policy
 class vpn_5Mb
  police output 5120000
service-policy police-priority-policy interface outside
Thank you for your help.
I don't think the ASA will let you match on ACL and tunnel group at the same time.
Just the ACL will do though. The ACL should match local IP addresses (they are usually no-NATed for the VPN anyway).
Here is a page with QoS examples on the ASA for reference https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK -
What are the public IP addresses for Apple Update servers?
I work for a school district and we would like to create a NAT rule in our firewall to make all traffic going out for Apple updates to use the same public IP (iPhones, iPads, Macs, etc). Does anyone know what Apple IP addresses I would need for that?
This will be used to make all devices in our district go to the same Apple Caching Server.
Thanks in advance.
Hi,
which book and chapter are you referring to?
If possible, can you post the entire question so that we can help you identify the correct address.
Best to use the ip subnet calculator.
http://www.vlsm-calc.net/
http://www.subnet-calculator.com/cidr.php
Regards
Inayath -
Hi,
I have a Cisco 887 behind my ISP modem.
I set up an inbound NAT rule to route port 3389 to a server.
How can I set up the firewall to allow only the IP addresses I've added in the rule?
Below you'll find my configuration:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$Zw/5$a5r6xtBQsVR40v27N1uBP/
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3329446285
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3329446285
 revocation-check none
 rsakeypair TP-self-signed-3329446285
!
!
crypto pki certificate chain TP-self-signed-3329446285
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333239 34343632 3835301E 170D3132 31323035 31303333
  35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33323934
  34363238 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009475 F7B360BF 10A5F0F0 B031341A 5E969804 171E3070 4539CC44 3C43F4B1
  9BC3050A B401D3E1 B72D7061 3EDA7ACE 69C9B97D A8110577 5465AA89 B87932D2
  A35208A5 C53B7967 098E0E60 CF0FFB44 DB4BB355 6A53F872 90421142 8308CE5D
  0D8E33E5 2C56C19B 3FD59DB1 8E816305 1A298873 2EEBB2B1 9E4EFA47 FF304797
  34550203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 6779AC0C
  F43AE5E1 134304F6 5E2A5059 02F1B711 301D0603 551D0E04 16041467 79AC0CF4
  3AE5E113 4304F65E 2A505902 F1B71130 0D06092A 864886F7 0D010104 05000381
  81002A9A 9F20A8FF 81B275E9 92A32D01 FEC789BB 928CCFB1 2741D3AF 17795AD5
  59D56D81 4BC6A4C5 4AFF9207 DC35EA9C D93B53DE 47F315F7 A158ADB3 E6133418
  A678C128 79EA4643 5BA45B44 94DD42CE BC2FC144 A9406783 F9092BF5 9B37C358
  E273DB2F 44FFC382 1EB013A0 A01F6A3D DF7C7FA2 1DC24436 36B7F07E 1EA52843
  FDA8
  quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 195.238.2.21
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
 description WAN_Link
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.254.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Vlan2 overload
ip nat inside source static tcp 192.168.0.10 3389 192.168.254.2 3389 extendable
!
logging trap debugging
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CCCC
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Instead of configuring NAT on the ISP device as suggested by jumora, I would do it differently:
Reconfigure the ISP-modem to be a real modem (at the moment it is configured as a router) so that you have your public IP on the router. Then you can control firewalling and NAT completely on the router.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Multiple address for the same customer code
Hi,
Suppose we have a customer named XYZ LTD whose SAP code is 123.
Now the user wants to maintain multiple addresses for the same customer under the same code, so that during billing he has the option to choose one of the addresses to which he wants to send the invoice.
Is it possible? If yes, then let me know.
Thanks in advance.
Regards,
SATYA
Hi Satya,
you can define several partner functions with different addresses for a vendor/customer. You can create certain partner roles several times.
If you create a purchase order, then you can choose the wanted address and partner role on the header level. In the standard system you can use the partner role 'OA' ordering address and for the finance the 'IP' Invoice presented by.
I hope I was able to help you.
Kind regards,
Zsuzsanna -
Migration Accelerator - Public IP address requirement for Config Server and Process Server
Currently, when installing the Migration Accelerator components, the Config Server's public IP address must be specified in several places. In the released version of Migration Accelerator, could this be changed to allow customers to specify a public DNS domain name instead? Using a public IP address for the Config Server in Azure represents a risk that this public IP may change (unless using the new Reserved VIP capability in Azure), which could require reconfiguration of several MA components. If a DNS name will not be supported in the released version of MA, then the documentation should be updated to step through provisioning a Reserved VIP for the Config Server in Azure.
Similarly, if running the Process Server on Amazon AWS (in an Amazon AWS -> Azure migration scenario), either DNS names should be supported for the Process Server configuration or a reference should be added to the document to step through acquiring an Elastic IP address for the Process Server.
Thanks Keith for your feedback; we will update the document to reflect this. We will look into improving this functionality in the released version.
Thx - Srinath -
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming UDP 500, UDP 4500 and ESP traffic to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2 but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside via the ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
 description LAN-192.168.2
 ip address 192.168.2.2 255.255.255.0
 no ip nat inside
 no ip proxy-arp
 ip virtual-reassembly
ip access-list extended nat-pat
 no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 no permit ip 192.168.2.0 0.0.0.255 any
 deny ip 192.168.2.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB -
How can I assign virtual IP address for Pluggable Database on Exadata?
Hi Guru,
My customer wants the architecture as below, and they want to assign an IP address to each PDB.
Do you have any idea for this? Can I know the steps for assigning an IP?
Hi,
thank you for this interesting idea!
Let me ask you to read this document as I refer to some of the concepts described there: Oracle Single Client Access Name (SCAN)
Please let me go into details about assigning IPs to DBs:
In a cluster configuration, IPs (often called VIPs) belong to a "network"
VIPs can be bound to a host (they will fail over in cases of node failure, but will not serve a listener) or "float" on all available hosts (SCAN VIPs)
A VIP can be used by (one or more) listener [let's assume "exactly one listener" to reduce complexity]
with a SERVICE a service_name registers a database to listeners of a network where preferred or available INSTANCES can be defined
Based on these details you can
create one subnet for "Oracle" and another for "Shin" - your given IP definition will not work, I hope that's not a problem
define SCAN IPs & Listener in each subnet
define VIPs per node/subnet & listeners for each VIP
create a SERVICE "Oracle" for network1 with required instance of Svr #1
create a SERVICE "Shin" for network2 with required instance of Svr #2
This will be quite close to what your customer requests.
but I agree with Salman, before you start that road, please ask for your customers goal.
hth
Martin -
Static NAT and same IP address for two interfaces
We have a Cisco ASA 5520 and, in order to conserve public IP addresses and configuration (possibly), can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
Thanks for any help.
Jeff
Hi Jeff,
Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC