DMZ - Help

Hi,
Recently we purchased an ASA 5510 and need your help to understand why from inside I am not able to see the DMZ server or the outside. Physical connectivity is OK; reachability from the ASA to the DMZ is OK.
Traffic is going to the internet from the ASA.
Is the ACL correct as per my need?
Outside to DMZ needs ports 1080, 1081, 6588, 80, 3128.
DMZ to outside needs ports SMTP, 5512, DNS UDP and TCP.
Inside to DMZ: the local server 192.168.1.55 should only communicate with the DMZ server.
Can I get help?
I have attached the configuration.

I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want to allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.

Similar Messages

  • SA 520w-k9 (DMZ help)

    Hi!
    I'm trying to set up a DMZ so we can have a web server running in that zone. I have followed the instructions from the installation guide. We use the optional port, set it to DMZ mode using the IP numbers from the guide (172.16.2.1), and have set up a temporary computer to test this. We don't get any contact with the router from the test computer. With this config we have set up a rule in the firewall to allow all traffic from the DMZ zone to the WAN, and the DMZ has an external IP.
    We use firmware 1.0.15. Don't know if upgrading is going to help; I need some advice first.
    I know there are a lot of experts out there who can give me some advice...
    Tom

    Hi Tom,
    In the router you need to have a reverse route for the DMZ subnet towards the firewall, and in the firewall just drop a default route towards the router interface.
    As you have opened an any-to-any rule in the firewall for both interfaces, routing needs to be done; just configure the above route and see whether you are able to reach the DMZ subnet or not.
    Hope this helps!!
    Ganesh.H
    Remember to rate the helpful post
    Thank you for your answers! I will try the above. Sorry about my poor understanding of English; is there any way you can explain the above in an easier way? I have downloaded the latest firmware and will upgrade the router soon, but that was not that easy when all the settings vanish and you must manually re-enter them.
    Best regards, Tom

  • Can anyone tell me how to port forward and setup an XBOX 360 using my Time Capsule??

    Xbox 360
    When playing the game online, the minimum speed of your network should be 128 kbps. The ideal network speed for playing the game online is 768 kbps. If you are having problems with lag, check the following:
    Network Troubleshooting:
    Disable any firewall or security features on your router.
    Set port forwarding on your router to the IP address of your Xbox 360. This game uses port 3074 (UDP/TCP). Additionally, Xbox LIVE requires ports 80 and 53 TCP and 88 and 53 UDP.
    Place your Xbox 360 into the DMZ of your router.
    Disconnect your router and try the game. If it works regularly at this point something about your router may not be completely compatible with the specific needs of this game. Check with your router manufacturer and Microsoft's Xbox Live Connection Issues page for additional steps that may need to be done to resolve the issue you are having. You can also verify that you have an Xbox Live compatible router.
    If you are having issues connecting while multiple Xbox 360 consoles are connected on the same network, try forwarding port 3074 (UDP/TCP) for one Xbox 360 and setting the other as DMZ. There is a chance that this may not resolve your issue; if it doesn't, then you may want to consider getting an additional public IP address by contacting your Internet Service Provider and assigning it to one of these two consoles.
    NOTE: If setting port forwarding or DMZ helps your connection issue, you may want to assign your Xbox 360 a static IP address within your home network. This can help to ensure that the configurations you made do not need to be done again. You can visit PortForward's Static IP Guide for a detailed guide on how to do this.
    NOTE: Many broadband internet modems are coming with routing capabilities built in. Please contact your internet service provider to determine if your internet modem has an integrated router. If it does, they should be able to assist you with the steps above for setting up your router.
    Once you have verified that your network setup is not the cause of the issue, try the following:
    Try connecting to a different server. Some servers may have other players connected to them that you do not have an optimal connection with. In most games this is accomplished by backing out to the main menu and then selecting multiplayer again. From there you can try connecting to another online game.
    Run the Xbox Network Self Test to see how strong your NAT is currently set to. Once the test is completed you will be notified if there is an issue with your connection. If you select "More Info" you will be given information about your NAT type and some steps to resolve any issues with your connection.
    Moderate and Strict NAT types may have issues connecting to online matches. You may get the error "Notice - The game session is no longer available." If you do then enabling UPnP, forwarding port 3074, or placing your Xbox in your router's DMZ may resolve this issue. Please consult your router documentation for instructions on how to do this.

    ouman88 wrote:
    Whoa....this just went way over my head.... I already have 6.1 installed for my Airport Utility.
    Read again what I wrote.. 6.1 is the problem.. or part of it.
    You need to install the earlier 5.6 version which I have given you explicit instructions to do.
    I have done something now and can not connect the XBOX at all now....unless you can provide me step by step directions I may have to call Apple Support.
    This will happen over and over.. just press reset and start again.. you need to learn how to do the setup and using 5.6 utility will help you.. as will using ethernet from the computer to the TC.. trying to fix things over wireless is like sitting on a tree branch you are sawing off. As soon as you update you will fall to the ground.
    I am not that sure that Apple Support will have any idea.
    Do a google search .. you will find most people struggle with this.. Microsoft made the xbox to use upnp with vista specs.. if you use a router without upnp, ie any apple router.. you will have issues.
    Have a go at bypassing the problem.. I have no idea if this will work.. I do not use a TC as the main router because much of my network including xbox and ps3 is just a pain.. I use a modem router with upnp. And bridge the TC.. that is the setup I would recommend.
    Try this.. once you have installed 5.6 utility.
    Get the IP of the XBox and click enable default host.. and put the IP address in there.. this is called DMZ.. all unassigned packets are forwarded to this ip address.. it is like a port forwarding for all ports.
    See if it helps.. If it does you will need to lock the xbox address so it doesn't change.. we can get to that.
    Tell me what kind of broadband you have and what modem router first.. none of this will work if you have double NAT.

  • Manually set DNS servers in BT Homehub 2.0 with BT...

    Rather than having to set my DNS manually in network connections, I was wondering if there was a setting on the Home Hub for changing DNS servers, as I would like to use OpenDNS so I can test their web filtering capabilities.
    I have browsed the hub settings but there doesn't appear to be any setting to set DNS servers statically; it seems to automatically use BT's DNS servers when the connection is live.

    Hi hippomango, your solution to override the DNS settings in the BT Homehub sounds interesting - except that I cannot get them to work!?
    I have a BT Homehub 3.0 (yes, you still can't override the default DNS settings), but I can't see that making much of a difference. I can't get any of the computers (wired or wireless) to use the OpenDNS settings in the 2nd router, they always find the BT DNS.
    Wondering if you can explain some more detail about your set up if possible?
    - Presumably your BT Hub is still your default gateway?
    - Your 2nd router (Netgear) has the BT Hub as the default gateway?
    - All computers are DHCP? Or do you have some static? (At least 1 of my machines needs a static local IP, but DHCP for the majority)
    TBH, I don't know how the DMZ helps in this case? (But that may be because I don't quite understand what's going on!) Doesn't the DMZ influence incoming traffic? Don't we want to direct outbound traffic?
    Thanks for any info.

  • WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

    Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
    I don't know if I have DMZ setup incorrectly, or if it's my settings.
    Setup as follows:
    PCX2200 modem connected via ethernet to WRT310N. 
    The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
    In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
    Now, I first figured I just have so many connections tied to the router and that is the reason for it being so slow. However, when I unplug all the other Ethernet cords and nothing is connected wirelessly, except for my Xbox connected to Ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speed test. For the sake of advice, the speed tests I am running on my PC average (after 5 tests) 8.5 Mbps download and 1.00 Mbps upload, with a ping of 82 ms.
    Here is an image of the results:
    http://www.speedtest.net/result/721106714.png
    Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
    For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
    "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
    MTU: Auto, which stays at 1500 when I check under status.
    Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
    Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
    VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
    Access Restrictions: None.
    Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
    Port Range Triggering: It does not allow me to change anything in this page.
    DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:"  I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.  
    Under QoS: WMM Enabled, No acknowledgement disabled.
    Internet Access Priority: Enabled. Upstream Bandwidth I set to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
    Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
    Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
    Web utility access via Wireless: Enabled. Remote Access: Disabled.
    UPnP: Enabled.
    Allow Users to Configure: Enabled.
    Allow users to Disable Internet Access: Enabled.
    Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
    PING 192.168.1.104 (192.168.1.104): 24 data bytes
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    --- 192.168.1.104 data statistics ---
    5 Packets transmitted, 0 Packets received, 100% Packet loss
    Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
    traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
    1 * * * 192.168.1.1 Request timed out.
    2 * * * 192.168.1.1 Request timed out.
     As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
    To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
    Message Edited by CroftBond on 02-18-2010 01:09 PM

    I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
    John

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on GigabitEthernet0/1, IP 192.9.200.254.
    I have a DMZ on GigabitEthernet0/2, IP 192.168.100.254.
    I need to pass port 443 from outside to DMZ IP 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However...How would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood.  What I meant to say was that the security level of the dmz interface should probably be less than 100. 
    And therefore traffic could be controlled between DMZ and inside networks. 
    As per the security level on the DMZ interface... that command is correct. :-)

  • Everytime I try to setup my DMZ I keep breaking the internet, can someone help

    Hi,
    I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config, all hosts on the network lose internet access. After two nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATting to free up a public IP from the NAT pool? (Sanitized config below)
    : Saved
    ASA Version 7.0(7)
    hostname ASA
    domain-name aaa.com
    enable password Iliketurtles encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.240
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.1.20.10 255.255.254.0
    interface Ethernet0/2
    description Test DMZ for web4
    shutdown
    nameif dmz
    security-level 25
    ip address 10.1.35.1 255.255.255.0
    interface Management0/0
    no nameif
    no security-level
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd xxx encrypted
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    object-group service camera tcp-udp
    description https2000
    port-object range 443 443
    port-object range 2000 2005
    access-list outside_acl extended permit icmp any any echo-reply
    access-list outside_acl extended permit icmp any any time-exceeded
    access-list outside_acl extended permit icmp any any unreachable          
    access-list outside_acl extended permit esp host Virginia host 2.2.2.2
    access-list outside_acl extended permit ah host Virginia host 2.2.2.2
    access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
    access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
    access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
    access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
    access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
    access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
    access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
    access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0            
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
    access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging asdm warnings
    logging facility 22
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    icmp permit any inside            
    asdm image disk0:/asdm-509.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 10.1.20.0 255.255.254.0
    nat (inside) 1 10.1.24.0 255.255.254.0
    nat (dmz) 0 access-list no_nat
    nat (dmz) 1 10.1.35.0 255.255.255.0
    static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
    static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
    static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
    static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
    static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
    access-group outside_acl in interface outside
    access-group inside_acl in interface inside
    access-group dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
    route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute            
    username admin password blahblahblah encrypted privilege 15
    http server enable
    http 10.1.4.0 255.255.255.0 outside
    http 10.1.5.0 255.255.255.0 outside
    http 172.16.31.0 255.255.255.0 outside
    http 100.100.100.0 255.255.255.0 outside
    http 10.1.24.0 255.255.254.0 inside
    http 10.1.20.0 255.255.254.0 inside
    http 10.1.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside 100 match address ltl_irvine_to_va
    crypto map outside 100 set peer Virginia
    crypto map outside 100 set transform-set ESP-3DES-SHA
    crypto map outside interface outside
    isakmp enable outside
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash sha          
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group Virginia type ipsec-l2l
    tunnel-group Virginia ipsec-attributes
    pre-shared-key *
    telnet 10.1.24.93 255.255.255.255 inside
    telnet timeout 5
    ssh 100.100.100.0 255.255.255.0 outside
    ssh timeout 60
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy      
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
    : end

    Please add this ACL entry to the "outside_acl":
    access-list outside_acl extended permit ip any host 2.2.2.14
    Let me know if this helps.
    thanks

  • DMZ configuration WRT610N for 2 IP addresses Help needed

    How can I set up DMZ for 2 IP addresses in WRT610N. Please help. Thanks

    How would I solve this problem then? I have two servers on the network. One is Linux and the other one is Windows. I'm buying a block of 5 IP addresses from the provider. One is assigned to the .250 internal address and the other one to .240. I would like to assign public addresses to them. At my work we have a Netopia box and have about 4 servers behind it with internal IP addresses. The Netopia box has a table populated with internal and external addresses. Please help. Thanks

  • Help with dmz or port forwarding on Verizon Jetpack 4G LTE Mobile Hotspot 890L

    I really need help with this. I want to play GTA V but I have strict NAT type on PS4, and every time I go to the DMZ on the IP website it shows the IP and the other side shows "add" and a dot. I click on my IP and click apply, but it tells me to delete this IP, and it also won't even let me delete the IP.

    You may wish to ask this question over at the Verizon Wireless forums: https://www.verizonwireless.com/community . This community is for DSL and FiOS support, not LTE hotspot support.
    Be aware, Verizon Wireless uses Carrier-grade NAT, and your Hotspot also performs NAT. Game consoles do not like being behind Double NAT. Depending on how your hotspot is set up on the back end, you may only be able to achieve Moderate NAT / NAT 2 on the hotspot. If your hotspot has a public Internet IP, you should be able to hit Open NAT.

  • Uverse, TC, DMZ, BTMM ????? HELP!!!

    I'm trying to set up BTMM (back to my Mac) so I can screen share my mother's computer across the state.
    I have a Uverse 2Wire modem with WIFI turned off, and a TC (time capsule) etherneted to it set to bridge mode that I use as my wireless point. I have 3 ethernet cables running out of the 2Wire to various switches because of the easier placement and runs. With BTMM I get the message to set the router to NAT port mapping. I understand I have to do this on the TC and have read the posts about DMZ settings on the 2Wire. I just need some clarification.
    What exactly does setting the DMZ plus setting to the TC do? Will the Ethernet cables plugged into the 2Wire still work and have firewall protection? Is there a way to have both routers running and getting along without the DMZ change? Any other things I should take into account, or other ways of doing this?
    Thanks very much for the help.
    G.W.

    I don't use BTMM, so any comments might be taken with suitably large grains of salt.. I do and can remote access my TC.. but I have a static public IP so it is trivial.
    BTMM requires a router that is PMP-NAT or upnp compatible.. so it can open the required ports.. AFAIK if you are not trying to remote access the TC, there is absolutely no need for it to be in DMZ etc.
    With BTMM I get the message to set the router to NAT port mapping. I understand I have to do this on the TC and have read the posts about DMZ settings on the 2Wire. I just need some clarification.
    What exactly does setting the DMZ plus setting to the TC do? Will the Ethernet cables plugged into the 2Wire still work and have firewall protection? Is there a way to have both routers running and getting along without the DMZ change? Any other things I should take into account, or other ways of doing this?
    Thanks very much for the help.
    G.W.
    If the TC is bridged in the network, ie not a router, then I see no reason for port mapping it.. there is no NAT.. on the bridged device.. so absolutely no need for this.
    DMZ is to open a device fully to the internet.. but protect devices on the LAN side. ie if the DMZ device is compromised the rest of the network is protected.. this is used for Router to Router setup.. where the double NAT issue exists to alleviate the problem of double port forwarding which is prone to failure in 99% of cases.
    If you set up BTMM the TC in bridge can be ignored.. and opening ports on the 2wire to the Mac should not be necessary as long as upnp is working properly.

  • Design Help - Firewall/DMZ

    Hi,
    I am about to purchase two 5515-X next generation firewalls and I need to decide what to do as far as the design goes, so I need some help from the experts. These appliances seem to come with six 1Gbps ports, which is enough. In our LAN we have two 6500s running in VSS mode, and we are also going to get our second ISP. The obvious thing is to cross-connect each firewall with the two 6500s and possibly with the internet routers. Is there something else you recommend?
    Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    Using two ISPs, how do I deal with the Public-Internal NAT?
    Any help is greatly appreciated. Thanks.

    Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    Well, you could use the 6500s if you have enough free interfaces on them. Create the DMZ VLAN on the 6500s as well as on the new DMZ switch. On the 6500 and the DMZ switch configure the ports as trunk but only allow the single VLAN on that trunk. Create a subinterface on the ASA and place that subinterface in the new DMZ VLAN and give it an IP.
    I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    What the company wants isn't always the best solution, and they should be told that from time to time. However, it is possible to configure the ASAs in an Active/Active setup. This will require that the ASAs are configured in multiple context mode. On one ASA context 1 is active while context 1 on the second ASA is in standby mode; then on the second ASA context 2 is the active context and on the first ASA context 2 is in standby mode. This setup will allow the use of both ISP connections and be able to maintain VPN connections. Keep in mind that the VPN connections will not be active on both ASAs. They will only be active on the active context, but will fail over to the standby context if a failure occurs.
    Using two ISPs, how do I deal with the Public-Internal NAT?
    The ASA does not support two active default gateways, and therefore two ISPs are not supported in single context mode. So if you have a requirement to use both ISP connections simultaneously then you need to have multiple contexts. Each context is a virtual firewall and completely separate from the others.
    So, back to the active contexts. Context 1 on ASA1 is the active context and is connected to ISP1. Context 2 on ASA2 is the active context and is connected to ISP2. You would perform NAT in the exact same way as you would in a single context ASA, no hocus pocus. The only difference is that the traffic that goes towards each context, and subsequently each ISP, is not from the same subnet. It needs to be separated and then divided between the two contexts.
    So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.
    Here is a link on how to configure active/active failover.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513

  • Need help with ASA config to set up proxy on DMZ

    Hello guys,
    I have a problem: I'm trying to configure an ASA as shown in the attached scenario.
    I need all inside users to go to the proxy server on the DMZ and from there go out to the internet.
    Right now i have:
    INSIDE INTERFACE
    access-list inside permit ip 10.1.1.0 255.255.255.0 host 11.1.1.6
    DMZ INTERFACE
    access-list dmz permit ip host 11.1.1.6 any
    OUTSIDE INTERFACE
    access-list outside permit ip any host <proxy server public ip>
    REGARDING NAT I HAVE THE FOLLOWING:
    static (dmz,outside) <proxy server public> 11.1.1.6 netmask 255.255.255.255
    My question would be: would it work with this configuration? Do I need to apply NAT on my inside hosts? Would all my inside hosts, when they reach the ASA, be sent to the proxy, and then through the proxy be sent back to the ASA and then to the internet?
    Thanks,
    Tony

    Hello Jennifer,
    Thanks for your response. So basically I will need to add a static to allow traffic from inside to dmz without being NATted. I don't know what proxy server it will be; the server would be managed by another party, but on my inside hosts I will need to set all the parameters to point to the proxy. Once this is done, traffic will go out through the proxy server to the dmz interface of the ASA and then to the outside world. Is that correct?
    Do you think this configuration would work?
    Outside = security 0
    Inside = security 100
    DMZ = security 50
    static (dmz,outside) <proxy server public ip> 11.1.1.6 netmask 255.255.255.255
    static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
    access-list inside permit tcp 10.1.1.0 255.255.255.0 any
    access-list dmz permit ip host 11.1.1.6 any
    access-group inside in interface inside
    access-group dmz in interface dmz
    Basically, with this configuration my web requests will go to the proxy on the DMZ and from there out to the internet?
    Thanks

  • How to let SAP user use SSO to access Application in DMZ?

    Hi All,
    Our J2EE application is running on a system in the DMZ which cannot be connected to LDAP. So I am wondering if it's possible to let SAP users use SSO to access our application.
    After talking with my colleague I think the only way is to import the SSO public key into our WebAS, create the user in UME and then assign the user to the corresponding public key, but does anybody know where to download the SSP verification file, or whether it is allowed to download it and import it into another system at all?
    Regards,
    Bin

    Hi,
    Take a look at this example; it uses property nodes to select the
    active plot and then changes the color of that plot.
    If you want to make the number of plots dynamic you could use a for
    loop and an array of color boxes.
    I hope this helps.
    Regards,
    Juan Carlos
    N.I.
    Attachments:
    Changing_plot_color.vi 38 KB

  • Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

    Hello,
    I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server's settings, and was able to successfully send an email out to both my Gmail and work place accounts. Currently, we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think it is because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. Our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please, someone help.
    Thanks,
    Jeff Mateo
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password GFO9OSBnaXE.n8af encrypted
    passwd GFO9OSBnaXE.n8af encrypted
    hostname morrow-pix-ct
    domain-name morrowco.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 12.42.47.27 LI-PIX
    name 172.20.0.0 CT-NET
    name 172.23.0.0 LI-NET
    name 172.22.0.0 TX-NET
    name 172.25.0.0 NY-NET
    name 192.168.10.0 CT-DMZ-NET
    name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
    name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
    name 199.191.128.105 web-dns-1
    name 12.127.16.69 web-dns-2
    name 12.3.125.178 NY-PIX
    name 64.208.123.130 TX-PIX
    name 24.38.31.80 CT-PIX
    object-group network morrow-net
    network-object 12.42.47.24 255.255.255.248
    network-object NY-PIX 255.255.255.255
    network-object 64.208.123.128 255.255.255.224
    network-object 24.38.31.64 255.255.255.224
    network-object 24.38.35.192 255.255.255.248
    object-group service morrow-mgmt tcp
    port-object eq 3389
    port-object eq telnet
    port-object eq ssh
    object-group network web-dns
    network-object web-dns-1 255.255.255.255
    network-object web-dns-2 255.255.255.255
    access-list out1 permit icmp any any echo-reply
    access-list out1 permit icmp object-group morrow-net any
    access-list out1 permit tcp any host 12.193.192.132 eq ssh
    access-list out1 permit tcp any host CT-PIX eq ssh
    access-list out1 permit tcp any host 24.38.31.72 eq smtp
    access-list out1 permit tcp any host 24.38.31.72 eq https
    access-list out1 permit tcp any host 24.38.31.72 eq www
    access-list out1 permit tcp any host 24.38.31.70 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq https
    access-list out1 permit tcp any host 24.38.31.93 eq smtp
    access-list out1 permit tcp any host 24.38.31.93 eq ftp
    access-list out1 permit tcp any host 24.38.31.93 eq domain
    access-list out1 permit tcp any host 24.38.31.94 eq www
    access-list out1 permit tcp any host 24.38.31.94 eq https
    access-list out1 permit tcp any host 24.38.31.71 eq www
    access-list out1 permit tcp any host 24.38.31.71 eq 8080
    access-list out1 permit tcp any host 24.38.31.71 eq 8081
    access-list out1 permit tcp any host 24.38.31.71 eq 8090
    access-list out1 permit tcp any host 24.38.31.69 eq ssh
    access-list out1 permit tcp any host 24.38.31.94 eq ftp
    access-list out1 permit tcp any host 24.38.31.92 eq 8080
    access-list out1 permit tcp any host 24.38.31.92 eq www
    access-list out1 permit tcp any host 24.38.31.92 eq 8081
    access-list out1 permit tcp any host 24.38.31.92 eq 8090
    access-list out1 permit tcp any host 24.38.31.93 eq 3389
    access-list out1 permit tcp any host 24.38.31.92 eq https
    access-list out1 permit tcp any host 24.38.31.70 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq www
    access-list out1 permit tcp any host 24.38.31.74 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq smtp
    access-list out1 permit tcp any host 24.38.31.75 eq https
    access-list out1 permit tcp any host 24.38.31.75 eq www
    access-list out1 permit tcp any host 24.38.31.75 eq smtp
    access-list out1 permit tcp any host 24.38.31.70 eq smtp
    access-list out1 permit tcp any host 24.38.31.94 eq smtp
    access-list dmz1 permit icmp any any echo-reply
    access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
    access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
    access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
    access-list dmz1 permit ip any any
    access-list dmz1 deny ip any any
    access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
    access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
    access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
    access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
    access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
    access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
    access-list in1 permit tcp host 172.20.1.21 any eq smtp
    access-list in1 permit tcp host 172.20.1.20 any eq smtp
    access-list in1 deny tcp any any eq smtp
    access-list in1 permit ip any any
    access-list in1 permit tcp any any eq smtp
    access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
    access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
    access-list in2 deny ip host 172.20.1.82 any
    access-list in2 deny ip host 172.20.1.83 any
    access-list in2 permit ip any any
    pager lines 43
    logging on
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging device-id hostname
    logging host inside 172.20.1.22
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside CT-PIX 255.255.255.224
    ip address inside 172.20.8.1 255.255.255.0
    ip address DMZ 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ctpool 192.168.220.100-192.168.220.200
    ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
    pdm history enable
    arp timeout 14400
    global (outside) 1 24.38.31.81
    nat (inside) 0 access-list nat0
    nat (inside) 1 CT-NET 255.255.0.0 2000 10
    nat (DMZ) 0 access-list nat0-dmz
    static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
    static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
    static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
    static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
    static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
    access-group out1 in interface outside
    access-group dmz1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
    route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
    route inside CT-NET 255.255.248.0 172.20.8.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ct-rad protocol radius
    aaa-server ct-rad max-failed-attempts 2
    aaa-server ct-rad deadtime 10
    aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 173.220.252.56 255.255.255.248 outside
    http 65.51.181.80 255.255.255.248 outside
    http 208.65.108.176 255.255.255.240 outside
    http CT-NET 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community m0rroW(0
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
    crypto dynamic-map dyn_map 20 match address vpn-dyn-match
    crypto dynamic-map dyn_map 20 set transform-set 3des-sha
    crypto map ct-crypto 10 ipsec-isakmp
    crypto map ct-crypto 10 match address vpn-ct-li-gre
    crypto map ct-crypto 10 set peer LI-PIX
    crypto map ct-crypto 10 set transform-set 3des-sha
    crypto map ct-crypto 15 ipsec-isakmp
    crypto map ct-crypto 15 match address vpn-ct-li
    crypto map ct-crypto 15 set peer LI-PIX
    crypto map ct-crypto 15 set transform-set 3des-sha
    crypto map ct-crypto 20 ipsec-isakmp
    crypto map ct-crypto 20 match address vpn-ct-ny
    crypto map ct-crypto 20 set peer NY-PIX
    crypto map ct-crypto 20 set transform-set 3des-sha
    crypto map ct-crypto 30 ipsec-isakmp
    crypto map ct-crypto 30 match address vpn-ct-tx
    crypto map ct-crypto 30 set peer TX-PIX
    crypto map ct-crypto 30 set transform-set 3des-sha
    crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
    crypto map ct-crypto client authentication ct-rad
    crypto map ct-crypto interface outside
    isakmp enable outside
    isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    vpngroup remotectusers address-pool ctpool
    vpngroup remotectusers dns-server 172.20.1.5
    vpngroup remotectusers wins-server 172.20.1.5
    vpngroup remotectusers default-domain morrowny.com
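    As an added example (not code from the original post or from Cisco), the script below evaluates a single flow against PIX/ASA extended ACL lines with first-match semantics and the implicit deny at the end, and also flags any later entry that an earlier entry fully covers. The ACL lines embedded in it are copied from the dmz1 and in1 lists in the configuration above; the flows it tests and the external address 198.51.100.25 are constructed. Run against this config it shows that dmz1 does not block TCP/25 from the DMZ web servers to a non-RFC1918 destination (the `permit ip any any` line matches before the final `deny ip any any`, which is unreachable), that dmz1 does deny the DMZ hosts reaching 172.16.0.0/12, and that in1 carries an unreachable `permit tcp any any eq smtp` behind the `deny tcp any any eq smtp` above it; note also that no access-group line in the posted config binds in1 to an interface. The same check applies to the short inside and dmz lists in the proxy-on-DMZ thread above. An ACL verdict is only part of the picture: whether a DMZ host's connection completes also depends on a NAT translation existing for it (the static lines in this config), which the script does not model.

```python
"""First-match evaluation and shadow-rule check for PIX/ASA extended ACL lines.

Added example for this thread, not code from the original post or from Cisco.
It parses the subset of ACL syntax used in the config above:
    access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
where SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names PIX prints in place of numbers (only the ones needed here).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22, "ftp": 21,
              "domain": 53, "telnet": 23}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    text: str                     # original line, kept for reporting


def _net(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX prints a dotted netmask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _net(t, i + 2)
    dst, i = _net(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line.strip())


def _matches(ace: Ace, proto: str, src, dst, dport: Optional[int]) -> bool:
    """Whether one ACE matches a flow (protocol, source, destination, dest port)."""
    return ((ace.proto == "ip" or ace.proto == proto)
            and src in ace.src and dst in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if _matches(ace, proto, s, d, dport):
            return ace.action, ace.text
    return "deny", None


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """(later_index, earlier_index) pairs where the earlier ACE fully covers the later one.

    A covered ACE can never match; when its action differs from the covering
    entry it is almost certainly a configuration mistake.
    """
    hits = []
    for j, later in enumerate(acl):
        for i in range(j):
            e = acl[i]
            if ((e.proto == "ip" or e.proto == later.proto)
                    and e.src.supernet_of(later.src)
                    and e.dst.supernet_of(later.dst)
                    and (e.dport is None or e.dport == later.dport)):
                hits.append((j, i))
                break
    return hits


# ACL lines copied from the dmz1 and in1 lists in the PIX config above.
DMZ1 = [parse_ace(l) for l in """
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
""".strip().splitlines()]

IN1 = [parse_ace(l) for l in """
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
""".strip().splitlines()]

if __name__ == "__main__":
    # 198.51.100.25 is a constructed (documentation-range) external mail server.
    print(evaluate(DMZ1, "tcp", "192.168.10.140", "198.51.100.25", 25))
    print(evaluate(DMZ1, "tcp", "192.168.10.140", "172.20.1.20", 25))
    for name, acl in (("dmz1", DMZ1), ("in1", IN1)):
        for later, earlier in shadowed(acl):
            print(f"{name}: unreachable '{acl[later].text}' "
                  f"(covered by '{acl[earlier].text}')")
```

    The evaluator deliberately ignores the source port and ICMP type, which is enough for the lines in this config; extending `_matches` is the place to add them if a real config needs it.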

    Amit,
    I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database: it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
    I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
    Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

  • Need help on which router to buy for my BB 8320

    Now I know the 8320 is dated, but at this point I am not planning to change anytime soon.
    So I have a router which is kinda old; it didn't really occur to me since it worked. When I got my BB 8320 I was in a hotel and I could connect through their wireless without any hassle. I could surf, use YouTube, you name it.
    When I got home I couldn't do anything. I spent countless nights trying to figure out what was wrong, then I realized it's my router. If only BB said something about it not supporting old routers, then I would've saved myself hours of self-loathing.
    Anyway, I have also gone to my friend's house, and I could connect to her Linksys router without any hassle. I was the one who set her router up and we bought it this year. I didn't do anything special, configuration-wise or whatever.
    So NOW I am just going to buy a new router. I really need help!
    I was wondering if this one is good:
    W311R Wireless-N Broadband Router
    W311R integrates the wireless AP, router, four-port switch and firewall in one, and increases over 4 times transmission range of ordinary 802.11g products. Compatible with IEEE802.11n (Draft 2.0) and IEEE802.11g/b standards, it can provide up to 150Mbps stable transmission rate. It is dedicated to SOHOs and students’ dormitory. In addition, URL and MAC address filtering can take it easy for parents and network administrator to manage network life, and QoS bandwidth control over specific computer’s downloading speed is supported as well. Moreover, UPnP and WMM support can smooth your MSN voice better, and the included Setup Wizard on CD-ROM will be easy and fast for non-savvy users to install the device and access to the Internet.
    Overview:
    * Includes router, wireless access point, four-port switch and firewall in one
    * Provides up to 150Mbps uploading and downloading speed
    * Supports two WPS (Wi-Fi Protected Setup) encryption methods: PBC and PIN
    * Compliant to IEEE802.11n, IEEE802.11g, IEEE802.11b, IEEE802.3 and IEEE802.3u standards
    * Supports far-distance transmission, 100 meters indoor, 400 meters outdoor (depends on the environments around)
    * Supports 64/128-bit WEP encryption, WPA and the latest WPA2 encryption security authentication
    * Supports RTS/CTS protocol and data partitioning function
    * Provides one 10/100Mbps Auto-Negotiation Ethernet WAN port for WAN connection
    * Provides four 10/100Mbps Auto-Negotiation Ethernet LAN ports for LAN connections
    * Supports xDSL/Cable MODEM, static and dynamic IP in community networking
    * Supports remote/local Web management
    * Supports WMM to better smooth your voice and video
    * Supports SSID stealth mode and access control based over MAC address (up to 30 entries)
    * Supports Auto MDI/MDIX
    * Supports wireless Roaming technology and ensures high-efficient wireless connections
    * Supports auto negotiation/manual mode for 802.11b/802.11g/802.11n
    * Supports UPnP and DDNS
    * Supports Firefox 1.0, IE5.5 or above
    * Supports SNTP
    * Supports virtual server, DMZ host
    * Built-in firewall for hacker’s attack prevention
    * Supports DHCP server/client
    * Supports auto wireless channel selection
    * Supports the control over LAN access to Internet
    * Provides syslog to record the status of the router
    * Supports WDS wireless network extension
    * Supports QoS function
    Input Voltage Range: AC 110~240V
    Output Voltage Range: 9V~1000mA
    Consumption: 20dBm
    Operating Temperature: 0°C ~ 40°C
    Storage Temperature: -40°C ~ 70°C
    Operating Humidity: 10% ~ 90% RH non-condensing
    Storage Humidity: 5% ~ 90% RH non-condensing
    Antenna: One non-detachable external antenna (5dBi)
    Frequency Range: 2.4GHz-2.5GHz
    EVM: -30dB
    Sensitivity: 54M:-74dBm@10% PER; 11M:-85dBm@8% PER; 6M:-88dBm@10% PER; 1M:-90dBm@8% PER
    Outdoor: 400m
    Indoor: 100m
    WLAN→LAN: 93Mbps
    WLAN→WLAN: 93Mbps
    Frequency Range: 2.4GHz
    Gain: 5dBi
    Nominal Impedance: 50
    Polarization: Linear; Vertical
    Maximum Power: 1W
    Vertical Beamwidth: 360°

    Flip UltraHD.
    Shoots mp4 H264 format files. Fits in a shirt pocket and records 2 hrs worth of material to an internal card. Charges from your USB port as you download. If you are just trimming clips, you can use QT Pro without conversion. If you need to edit, convert to ProRes 720p30. Works like a dream.
    Just make sure you have it solidly placed when you pull the trigger as there is no image stabilization.
    Oh, and it is only $199 US.
    x
