DMZ - Help
Hi,
Recently we purchased an ASA 5510 and need your help to understand why from inside I am not able to see the DMZ server and outside. Physical connectivity is OK, reachability from the ASA to the DMZ is OK.
Traffic is going to the internet from the ASA.
Is the ACL correct as per my need?
Outside to DMZ needs ports 1080, 1081, 6588, 80, 3128.
DMZ to outside needs ports SMTP, 5512, DNS (UDP and TCP).
Inside to DMZ: local server 192.168.1.55 should only communicate with the DMZ server.
Can I get help?
I have plugged in the configuration.
I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want to allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.
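As an added example (not the poster's configuration and not the replier's), here is how the three requirements in the question map onto an ASA 8.3+ configuration, with each ACL applied inbound on the interface where that traffic enters the firewall, which is the reply's main point. Only the ports and host 192.168.1.55 come from the question; the DMZ server address 192.168.2.10, the spare public address 203.0.113.10, the inside subnet 192.168.1.0/24, the interface names and every object and ACL name are assumptions.

```cisco
! Added example, not the poster's config. Assumes ASA 8.3+ NAT syntax and
! interfaces named outside / inside / dmz. Addresses other than 192.168.1.55
! are placeholders.
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.2.0 255.255.255.0
object network dmz-server
 host 192.168.2.10
object-group service dmz-published-tcp tcp
 description Services the DMZ server publishes to the internet
 port-object eq 80
 port-object eq 1080
 port-object eq 1081
 port-object eq 3128
 port-object eq 6588
!
! NAT (8.3+ object NAT). Inside and DMZ hosts share the outside interface
! address when they go out; the DMZ server gets a one-to-one static to its
! own public address. No NAT rule is needed between inside and dmz.
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network dmz-server
 nat (dmz,outside) static 203.0.113.10
!
! Outside -> DMZ: applied "in" on OUTSIDE, because that is where the traffic
! enters the ASA. On 8.3+ the ACL matches the real (pre-NAT) address.
access-list outside2dmz extended permit tcp any object dmz-server object-group dmz-published-tcp
access-list outside2dmz extended deny ip any any log
access-group outside2dmz in interface outside
!
! DMZ -> outside: only SMTP, TCP/5512 and DNS. The first line keeps the DMZ
! from initiating anything toward inside, since "any" would otherwise include
! the inside subnet too; the final deny logs everything else.
access-list dmz2outside extended deny ip any object inside-subnet log
access-list dmz2outside extended permit tcp object dmz-server any eq smtp
access-list dmz2outside extended permit tcp object dmz-server any eq 5512
access-list dmz2outside extended permit udp object dmz-server any eq domain
access-list dmz2outside extended permit tcp object dmz-server any eq domain
access-list dmz2outside extended deny ip any any log
access-group dmz2outside in interface dmz
!
! Inside -> DMZ: only 192.168.1.55 may reach the DMZ server; other inside
! hosts are blocked from the DMZ but keep their internet access.
access-list inside2dmz extended permit ip host 192.168.1.55 object dmz-server
access-list inside2dmz extended deny ip any object dmz-subnet log
access-list inside2dmz extended permit ip object inside-subnet any
access-group inside2dmz in interface inside
```

The explicit deny-with-log lines at the end of each ACL do the same job as the implicit deny but make dropped traffic visible in the logs, which is the quickest way to see which of the three paths is still being blocked while troubleshooting.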
Similar Messages
-
SA 520w-k9 (DMZ help)
Hi!
I'm trying to set up a DMZ so we can have a web server running in that zone. I have followed the instructions from the installation guide. We use the optional port and set it in DMZ mode, using the IP numbers from the guide (172.16.2.1), and have set up a temporary computer to test this. We don't get any contact with the router from the test computer. With this config we have set up a rule in the firewall to allow all traffic from the DMZ zone to WAN, and the DMZ has an external IP.
We use FW 1.0.15. Don't know if upgrading is going to help; I need some advice first.
I know there is a lot of experts out there that can give me some advice...
Tom
Hi Tom,
In the router you need to have a reverse route for the DMZ subnet towards the firewall, and in the firewall just drop a default route towards the router interface.
As you have opened an any-to-any rule in the firewall for both interfaces, routing needs to be done; just configure the above route and see whether you are able to reach the DMZ subnet or not.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
Thank you for your answers! I will try the above. Sorry about my poor understanding of English; is there any way you can explain the above in an easier way? I have downloaded the latest FW and will upgrade the router soon, but that was not that easy when all the settings vanish and you must manually re-enter them.
best regards Tom -
Can anyone tell me how to port forward and setup an XBOX 360 using my Time Capsule??
Xbox 360
When playing the game online, the minimum speed of your network should be 128kbps. The ideal network speed for playing the game online is 768kbps. If you are having problems with lag, check the following:
Network Troubleshooting:
Disable any firewall or security features on your router.
Set port forwarding on your router to the IP address of your Xbox 360. This game uses port 3074 (UDP/TCP). Additionally Xbox LIVE requires ports 80, 53 TCP and 88, 53 UDP.
Place your Xbox 360 into the DMZ of your router.
Disconnect your router and try the game. If it works regularly at this point something about your router may not be completely compatible with the specific needs of this game. Check with your router manufacturer and Microsoft's Xbox Live Connection Issues page for additional steps that may need to be done to resolve the issue you are having. You can also verify that you have an Xbox Live compatible router.
If you are having issues connecting while multiple Xbox 360 consoles are connected on the same network, try forwarding port 3074 (UDP/TCP) for one Xbox 360 and setting the other as DMZ. There is a chance that this may not resolve your issue; if it doesn't, then you may want to consider getting an additional public IP address by contacting your Internet Service Provider and assigning it to one of these two consoles.
NOTE: If setting port forwarding or DMZ helps your connection issue, you may want to assign your Xbox 360 a static IP address within your home network. This can help to ensure that the configurations you made do not need to be done again. You can visit PortForward's Static IP Guide for a detailed guide on how to do this.
NOTE: Many broadband internet modems are coming with routing capabilities built in. Please contact your internet service provider to determine if your internet modem has an integrated router. If it does, they should be able to assist you with the steps above for setting up your router.
Once you have verified that your network setup is not the cause of the issue, try the following:
Try connecting to a different server. Some servers may have other players connected to them that you do not have an optimal connection with. In most games this is accomplished by backing out to the main menu and then selecting multiplayer again. From there you can try connecting to another online game.
Run the Xbox Network Self Test to see how strong your NAT is currently set to. Once the test is completed you will be notified if there is an issue with your connection. If you select "More Info" you will be given information about your NAT type and some steps to resolve any issues with your connection.
Moderate and Strict NAT types may have issues connecting to online matches. You may get the error "Notice - The game session is no longer available." If you do then enabling UPnP, forwarding port 3074, or placing your Xbox in your router's DMZ may resolve this issue. Please consult your router documentation for instructions on how to do this.
ouman88 wrote:
Whoa....this just went way over my head.... I already have 6.1 installed for my Airport Utility.
Read again what I wrote.. 6.1 is the problem.. or part of it.
You need to install the earlier 5.6 version which I have given you explicit instructions to do.
I have done something now and can not connect the XBOX at all now....unless you can provide me step by step directions I may have to call Apple Support.
This will happen over and over.. just press reset and start again.. you need to learn how to do the setup and using 5.6 utility will help you.. as will using ethernet from the computer to the TC.. trying to fix things over wireless is like sitting on a tree branch you are sawing off. As soon as you update you will fall to the ground.
I am not that sure that Apple Support will have any idea.
Do a google search .. you will find most people struggle with this.. Microsoft made the xbox to use upnp with vista specs.. if you use a router without upnp, ie any apple router.. you will have issues.
Have a go at bypassing the problem.. I have no idea if this will work.. I do not use a TC as the main router because much of my network including xbox and ps3 is just a pain.. I use a modem router with upnp. And bridge the TC.. that is the setup I would recommend.
Try this.. once you have installed 5.6 utility.
Get the IP of the XBox and click enable default host.. and put the IP address in there.. this is called DMZ.. all unassigned packets are forwarded to this ip address.. it is like a port forwarding for all ports.
See if it helps.. If it does you will need to lock the xbox address so it doesn't change.. we can get to that.
Tell me what kind of broadband you have and what modem router first.. none of this will work if you have double NAT. -
Manually set DNS servers in BT Homehub 2.0 with BT...
Rather than having to set my DNS manually in network connections, I was wondering if there was a setting on the homehub for changing DNS servers, as I would like to use OpenDNS so I can test their web filtering capabilities.
I have browsed the hub settings but there doesn't appear to be any setting to set DNS servers statically; it seems to automatically use BT's DNS servers when the connection is live.
Hi hippomango, your solution to override the DNS settings in the BT Homehub sounds interesting - except that I cannot get them to work!?
I have a BT Homehub 3.0 (yes, you still can't override the default DNS settings), but I can't see that making much of a difference. I can't get any of the computers (wired or wireless) to use the OpenDNS settings in the 2nd router, they always find the BT DNS.
Wondering if you can explain some more detail about your set up if possible?
- Presumably your BT Hub is still your default gateway?
- Your 2nd router (Netgear) has the BT Hub as the default gateway?
- All computers are DHCP? Or do you have some static? (At least 1 of my machines needs a static local IP, but DHCP for the majority)
TBH, I don't know how the DMZ helps in this case? (But that may be because I don't quite understand what's going on!) Doesn't the DMZ influence incoming traffic? Don't we want to direct outbound traffic?
Thanks for any info. -
Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
I don't know if I have DMZ setup incorrectly, or if it's my settings.
Setup as follows:
PCX2200 modem connected via ethernet to WRT310N.
The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G.
In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest. For the sake of advice, the speedtests I am running on my PC are (after 5 tests) on average 8.5 Mbps download and 1.00 Mbps upload, with a ping of 82ms.
Here is an image of the results:
http://www.speedtest.net/result/721106714.png
Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
"Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
MTU: Auto, which stays at 1500 when I check under status.
Advanced Routing: NAT routing enabled, Dynamic Routing disabled.
Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
Access Restrictions: None.
Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
Port Range Triggering: It does not allow me to change anything in this page.
DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:" I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.
Under QoS: WMM Enabled, No acknowledgement disabled.
Internet Access Priority: Enabled. Upstream Bandwidth I set to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
Web utility access via Wireless: Enabled. Remote Access: Disabled.
UPnp: Enabled.
Allow Users to Configure: Enabled.
Allow users to Disable Internet Access: Enabled.
Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
PING 192.168.1.104 (192.168.1.104): 24 data bytes
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
--- 192.168.1.104 data statistics ---
5 Packets transmitted, 0 Packets received, 100% Packet loss
Also, when I do Traceroute Test for my Xbox's IP, I just keep getting:
traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
1 * * * 192.168.1.1 Request timed out.
2 * * * 192.168.1.1 Request timed out.
As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated.
Message Edited by CroftBond on 02-18-2010 01:09 PM
I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year. In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall. Rebooting helps for a few minutes, but the problem returns. All of the other fixes recommended on these forums did not help. I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings. If you have SPI Firewall disabled, you will never be able to ping your IP from an external address. Turn your SPI Firewall back on and test your Ping.
John -
Need help with ASA 5512 and SQL port between DMZ and inside
Hello everyone,
Inside is on gigabitEthernet0/1 ip 192.9.200.254
I have a dmz on gigabitEthernet2 ip 192.168.100.254
I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
I believe this will work for port 443:
object network dmz
subnet 192.168.100.0 255.255.255.0
object network webserver
host 192.168.100.80
object network webserver
nat (dmz,outside) static interface service tcp 443 443
access-list Outside_access_in extended permit tcp any object webserver eq 443
access-group Outside_access_in in interface Outside
However...How would I open only port 1433 from dmz to inside?
At the bottom of this message is my config if it helps.
Thanks,
John Clausen
Config:
: Saved
ASA Version 9.1(2)
hostname ciscoasa-gcs
domain-name router.local
enable password f4yhsdf.4sadf977 encrypted
passwd f4yhsdf.4sadf977 encrypted
names
ip local pool vpnpool 192.168.201.10-192.168.201.50
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.222.222.212 255.255.255.224
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.254 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name router.local
object network inside-subnet
subnet 192.9.200.0 255.255.255.0
object network netmotion
host 192.9.200.6
object network inside-network
subnet 192.9.200.0 255.255.255.0
object network vpnpool
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.168.201.0_26
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 log disable
access-list Outside_access_in extended permit udp any object netmotion eq 5020
access-list split standard permit 192.9.200.0 255.255.255.0
access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
object network netmotion
nat (inside,outside) static interface service udp 5020 5020
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value router.local
group-policy VPNT internal
group-policy VPNT attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNT_splitTunnelAcl
default-domain value router.local
username grimesvpn password 7.wersfhyt encrypted
username grimesvpn attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpnpool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group VPNT type remote-access
tunnel-group VPNT general-attributes
address-pool vpnpool
default-group-policy VPNT
tunnel-group VPNT ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
: end
Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
And therefore traffic could be controlled between DMZ and inside networks.
As per the security level on the DMZ interface ....... that command is correct. :-)
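As an added example for the ASA 5512 question (not the poster's or the replier's configuration), this is the DMZ-to-inside part done with the objects the posted 9.1(2) config already defines ("dmz", "webserver", "inside-subnet"); the ACL name dmz_access_in and the security level 50 are assumptions. Two things in the posted config are worth checking first: both inside and dmz sit at security-level 100, and two same-level interfaces pass no traffic at all unless "same-security-traffic permit inter-interface" is configured, which it is not; and ACL names on the ASA are case-sensitive, so the ICMP line in "outside_access_in" belongs to a different list from the applied "Outside_access_in".

```cisco
! Added example, not the poster's config; reuses objects from the posted
! 9.1(2) configuration. The ACL name and security level are assumptions.
!
! 1. Put the DMZ below inside. Inside -> dmz is then allowed by default and
!    dmz -> inside is denied unless an ACL applied on dmz permits it.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.254 255.255.255.0
!
! 2. Outbound PAT for the DMZ subnet (the posted config only PATs inside).
object network dmz
 nat (dmz,outside) dynamic interface
!
! 3. From the DMZ only the web server may open TCP/1433 to the inside network.
!    Anything else toward inside is dropped and logged; internet-bound traffic
!    from the DMZ stays permitted here (tighten it if the server does not need
!    it). No NAT rule is needed between dmz and inside on 8.3+ code.
access-list dmz_access_in extended permit tcp object webserver object inside-subnet eq 1433
access-list dmz_access_in extended deny ip any object inside-subnet log
access-list dmz_access_in extended permit ip object dmz any
access-group dmz_access_in in interface dmz
```

Because the last permit uses "any", it also covers the VPN pool 192.168.201.0/26 from the posted config; add a deny toward the "vpnpool" object before it if remote-access clients should not be reachable from the DMZ.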
-
Every time I try to set up my DMZ I keep breaking the internet, can someone help
Hi,
I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config all hosts on the network lose internet access. After 2 nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATing to free up a public IP from the NAT pool? (Sanitized config below)
: Saved
ASA Version 7.0(7)
hostname ASA
domain-name aaa.com
enable password Iliketurtles encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.20.10 255.255.254.0
interface Ethernet0/2
description Test DMZ for web4
shutdown
nameif dmz
security-level 25
ip address 10.1.35.1 255.255.255.0
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service camera tcp-udp
description https2000
port-object range 443 443
port-object range 2000 2005
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit esp host Virginia host 2.2.2.2
access-list outside_acl extended permit ah host Virginia host 2.2.2.2
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging asdm warnings
logging facility 22
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp permit any inside
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.1.20.0 255.255.254.0
nat (inside) 1 10.1.24.0 255.255.254.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 10.1.35.0 255.255.255.0
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password blahblahblah encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 outside
http 172.16.31.0 255.255.255.0 outside
http 100.100.100.0 255.255.255.0 outside
http 10.1.24.0 255.255.254.0 inside
http 10.1.20.0 255.255.254.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 100 match address ltl_irvine_to_va
crypto map outside 100 set peer Virginia
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group Virginia type ipsec-l2l
tunnel-group Virginia ipsec-attributes
pre-shared-key *
telnet 10.1.24.93 255.255.255.255 inside
telnet timeout 5
ssh 100.100.100.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
: end
Please add this ACL entry on the "outside_acl"
access-list outside_acl extended permit ip any host 2.2.2.14
let me know, if this helps.
thanks
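As an added example for the 7.0(7) thread (not the poster's or the replier's configuration), here is the same publication of the camera written in the pre-8.3 syntax the posted config uses, but limited to the camera's own ports instead of "permit ip any host 2.2.2.14". The static, the object-group "camera" and the addresses are taken from the posted config. Note that in that config interface Ethernet0/2 (dmz) is administratively down ("shutdown"), so nothing reaches 10.1.35.5 until it is brought up, whatever the NAT and ACL say.

```cisco
! Added example, not the poster's config. Pre-8.3 syntax as in the posted
! 7.0(7) configuration; the outside ACL matches the translated (public)
! address, so the destination is 2.2.2.14, not 10.1.35.5.
!
! The posted config has the dmz interface shut down.
interface Ethernet0/2
 no shutdown
!
! One-to-one static for the camera (this line is already in the posted config).
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
!
! Open only the camera's ports (443 and 2000-2005 from object-group camera),
! not every IP protocol to the host.
access-list outside_acl extended permit tcp any host 2.2.2.14 object-group camera
access-group outside_acl in interface outside
!
! Verify: the translation exists and the new line sees hits.
! show xlate | include 10.1.35.5
! show access-list outside_acl | include 2.2.2.14
```

The posted dmz_in list also permits all TCP and all UDP from 10.1.35.0/24 to the whole 10.1.20.0/23 inside range (the two unrestricted lines), which gives a compromised camera free access to the inside network; a camera DMZ normally needs nothing toward inside at all.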
-
DMZ configuration WRT610N for 2 IP addresses Help needed
How can I set up DMZ for 2 IP addresses in WRT610N. Please help. Thanks
How would I solve this problem then? I have two servers on the network. One is Linux and the other one is Windows. I'm buying a block of 5 IP addresses from the provider. One is assigned to the .250 internal address and the other one to .240. I would like to assign public addresses to them. At my work we have a Netopia box and have about 4 servers behind it with internal IP addresses. In the Netopia box there is a table populated with internal and external addresses. Please help. Thanks
-
Help with dmz or port forwarding on Verizon Jetpack 4G LTE Mobile Hotspot 890L
I really need help with this. I want to play GTA V but I have a strict NAT type on PS4, and every time I go to the DMZ page on the IP website it shows the IP and the other side shows "add" and a dot. I click on my IP and click apply, but it tells me to delete this IP, and it also won't even let me delete the IP.
You may wish to ask this question over at the Verizon Wireless forums: https://www.verizonwireless.com/community . This community is for DSL and FiOS support, not LTE hotspot support.
Be aware, Verizon Wireless uses Carrier-grade NAT, and your Hotspot also performs NAT. Game consoles do not like being behind Double NAT. Depending on how your hotspot is set up on the back end, you may only be able to achieve Moderate NAT / NAT 2 on the hotspot. If your hotspot has a public Internet IP, you should be able to hit Open NAT.
========
The first to bring me 1Gbps Fiber for $30/m wins! -
Uverse, TC, DMZ, BTMM ????? HELP!!!
I'm trying to set up BTMM (back to my Mac) so I can screen share my mother's computer across the state.
I have a Uverse 2Wire modem with WIFI turned off, and a TC (Time Capsule) etherneted to it set to bridge mode that I use as my wireless point. I have 3 ethernet cables running out of the 2Wire to various switches because of the easier placement and runs. With BTMM I get the message to set the router to NAT port mapping. I understand I have to do this on the TC and have read the posts about DMZ settings on the 2Wire. I just need some clarification.
What exactly does setting the DMZ plus setting to the TC do? Will the Ethernet cables plugged into the 2Wire still work and have firewall protection? Is there a way to have both routers running and getting along without the DMZ change? Any other things I should take into account or other ways of doing this?
Thanks very much for the help.
G.W.
I don't use BTMM, so any comments might be taken with suitably large grains of salt. I do and can remote access my TC, but I have a static public IP so it is trivial.
BTMM requires a router that is PMP-NAT or upnp compatible, so it can open the required ports. AFAIK if you are not trying to remote access the TC, there is absolutely no need for it to be in DMZ etc.
With BTMM I get the message to set the router to NAT port mapping. I understand I have to do this on the TC and have read the posts about DMZ settings on the 2Wire. I just need some clarification.
What exactly does setting the DMZ plus setting to the TC do? Will the Ethernet cables plugged into the 2Wire still work and have firewall protection? Is there a way to have both routers running and getting along without the DMZ change? Any other things I should take into account or other ways of doing this?
Thanks very much for the help.
G.W.
If the TC is bridged in the network, i.e. not a router, then I see no reason for port mapping it. There is no NAT on the bridged device, so absolutely no need for this.
DMZ is to open a device fully to the internet but protect devices on the LAN side, i.e. if the DMZ device is compromised the rest of the network is protected. This is used for router-to-router setups where the double NAT issue exists, to alleviate the problem of double port forwarding, which is prone to failure in 99% of cases.
If you set up BTMM the TC in bridge can be ignored, and opening ports on the 2Wire to the Mac should not be necessary as long as upnp is working properly. -
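The replies above turn on one mechanism: Back to My Mac needs a router that speaks NAT-PMP or UPnP so the Mac can ask for its own ports to be opened, which is also why a bridged Time Capsule needs no mapping of its own. The following is an added example, not code from this thread or from Apple, that walks through a NAT-PMP exchange end to end using the wire format from RFC 6886: `encode_request` builds what the Mac sends to the gateway on UDP/5351, `Gateway` is a constructed stand-in for the router (its mapping table, port-allocation rule and the addresses 203.0.113.10 and 192.168.1.x are assumptions for the example, not anything from the thread), and `parse_response` decodes the router's answer. Nothing touches the network.

```python
"""Added example (not from the thread): a NAT-PMP (RFC 6886) exchange with both sides
implemented in-process.  Gateway is a constructed stand-in for a NAT-PMP capable router."""
import struct

NATPMP_PORT = 5351                                   # UDP port the gateway listens on
OP_EXTERNAL, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT = {0: "success", 1: "unsupported version", 2: "not authorized", 3: "network failure",
          4: "out of resources", 5: "unsupported opcode"}

def encode_request(opcode, internal_port=0, external_port=0, lifetime=0):
    """Client -> gateway.  Opcode 0 is two bytes (version, opcode); mapping requests add
    reserved(2), internal port(2), suggested external port(2), requested lifetime(4)."""
    if opcode == OP_EXTERNAL:
        return struct.pack("!BB", 0, OP_EXTERNAL)
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)

def parse_response(data):
    """Gateway -> client.  Header: version, opcode|128, result(2), seconds since start of
    epoch(4); body is the external IPv4 (op 0) or internal port, mapped port, lifetime."""
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    out = {"opcode": opcode - 128, "result": RESULT.get(result, result), "epoch": epoch}
    if result != 0:
        return out
    if opcode - 128 == OP_EXTERNAL:
        out["external_ip"] = ".".join(str(b) for b in data[8:12])
    else:
        out["internal_port"], out["external_port"], out["lifetime"] = struct.unpack("!HHI", data[8:16])
    return out

class Gateway:
    """Constructed router stand-in.  table maps (proto, external port) -> (client, internal
    port).  Lifetime 0 deletes a mapping; a port already held by another client gets the
    next free port, as RFC 6886 requires.  Note: no authentication at all, by design."""
    def __init__(self, external_ip, epoch=0):
        self.external_ip, self.epoch, self.table = external_ip, epoch, {}

    def handle(self, client, data):
        version, opcode = data[0], data[1]
        if version != 0:
            return struct.pack("!BBHI", 0, 128 | opcode, 1, self.epoch)
        if opcode == OP_EXTERNAL:
            return struct.pack("!BBHI", 0, 128, 0, self.epoch) + bytes(int(o) for o in self.external_ip.split("."))
        if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
            return struct.pack("!BBHI", 0, 128 | opcode, 5, self.epoch)
        _, _, _, iport, eport, lifetime = struct.unpack("!BBHHHI", data[:12])
        if lifetime == 0:                                 # delete this client's mapping for iport
            for key in [k for k, v in self.table.items() if k[0] == opcode and v == (client, iport)]:
                del self.table[key]
            return struct.pack("!BBHIHHI", 0, 128 | opcode, 0, self.epoch, iport, 0, 0)
        eport = eport or iport
        while self.table.get((opcode, eport), (client, iport)) != (client, iport):
            eport += 1                                    # held by someone else: try the next port
        self.table[(opcode, eport)] = (client, iport)
        return struct.pack("!BBHIHHI", 0, 128 | opcode, 0, self.epoch, iport, eport, lifetime)

def open_port(gw, client, proto, internal_port, lifetime=3600):
    """Full exchange: the Mac asks for a port, the router replies with the port it granted."""
    return parse_response(gw.handle(client, encode_request(proto, internal_port, internal_port, lifetime)))

if __name__ == "__main__":
    gw = Gateway("203.0.113.10")
    print(parse_response(gw.handle("192.168.1.20", encode_request(OP_EXTERNAL))))
    print(open_port(gw, "192.168.1.20", OP_MAP_TCP, 5900))   # screen sharing
    print(open_port(gw, "192.168.1.31", OP_MAP_TCP, 5900))   # second host asks for the same port
```

The part worth noticing for the DMZ discussion is in `Gateway.handle`: any host on the LAN can request a mapping and the router grants it with no authentication. That is what lets a Mac or a game console behind a NAT-PMP/UPnP router reach "open" NAT without being placed in the DMZ, and it is equally what lets a compromised LAN host expose itself; a router that implements the protocol should be treated as having a self-service port-forwarding table.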
Design Help - Firewall/DMZ
Hi,
I am about to purchase two 5515-X next generation firewalls and I need to decide what to do as far as the design goes, so I need some help from the experts. These appliances seem to come with 6 1Gbps ports, which is enough. In our LAN we have two 6500s running in VSS mode and we are also going to get our second ISP. The obvious thing is to cross-connect each firewall with the two 6500s and possibly with the internet routers. Is there anything else you recommend?
Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
Using two ISPs, how do I deal with the Public-Internal NAT?
Any help is greatly appreciated. Thanks.
Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
Well, you could use the 6500s if you have enough free interfaces on it. Create the DMZ VLAN on the 6500s as well as on the new DMZ switch. On the 6500 and the DMZ switch configure the ports as trunk but only allow the single VLAN on that trunk. Create a subinterface on the ASA and place that subinterface in the new DMZ VLAN and give it an IP.
I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
What the company wants isn't always the best solution and they should be told that, from time to time. However, it is possible to configure the ASAs in an Active/Active setup. This will require that the ASAs are configured in multiple context mode. On one ASA context 1 is active while context 1 on the second ASA is in standby mode; then on the second ASA context 2 is the active context and on the first ASA context 2 is in standby mode. This setup will allow the use of both ISP connections and be able to maintain VPN connections. Keep in mind that the VPN connections will not be active on both ASAs. They will only be active on the active context, but will fail over to the standby context if a failure occurs.
Using two ISPs, how do I deal with the Public-Internal NAT?
The ASA does not support two active default gateways, and therefore two ISPs are not supported in single context mode. So if you have a requirement to use both ISP connections simultaneously then you need to have multiple contexts. Each context is a virtual firewall and completely separate from the others.
So, back to the active contexts. Context 1 on ASA1 is the active context and is connected to ISP1. Context 2 on ASA2 is the active context and is connected to ISP2. You would perform NAT in the exact same way as you would in a single context ASA, no hocus pocus. The only difference is that the traffic that goes towards each context, and subsequently each ISP, is not from the same subnet. It needs to be separated and then divided between the two contexts.
So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.
here is a link on how to configure active/active failover.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513
Please remember to rate and select a correct answer -
Need help with ASA config to set up proxy on DMZ
Hello guys,
I have a problem, I'm trying to configure an ASA as shown in the attached scenario.
I need all inside users to go to the proxy server on the DMZ and from there out to the internet.
Right now I have:
INSIDE INTERFACE
access-list inside permit ip 10.1.1.0 255.255.255.0 host 11.1.1.6
DMZ INTERFACE
access-list dmz permit ip host 11.1.1.6 any
OUTSIDE INTERFACE
access-list outside permit ip any host <proxy server public ip>
REGARDING NAT I HAVE THE FOLLOWING:
static (dmz,outside) <proxy server public> 11.1.1.6 netmask 255.255.255.255
My question would be: will it work with this configuration? Do I need to apply NAT on my inside hosts? When my inside hosts reach the ASA, will they be sent to the proxy, and then will the proxy send them back to the ASA and then to the internet?
Thanks,
Tony
Hello Jennifer,
Thanks for your response. So basically I will need to add a static to allow traffic from inside to dmz without being NATted. I don't know what proxy server it will be; the server would be managed by another party, but on my inside hosts I will need to set all the parameters to point to the proxy. Once this is done, traffic will go out through the proxy server to the dmz interface of the ASA and then to the outside world, is that correct?
Do you think this configuration would work???
Outside = security 0
Inside = security 100
DMZ = security 50
static (dmz,outside) <proxy server public ip> 11.1.1.6 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list inside permit tcp 10.1.1.0 255.255.255.0 any
access-list dmz permit ip host 11.1.1.6 any
access-group inside in interface inside
access-group dmz in interface dmz
Basically with this configuration my web request will go to the proxy on the DMZ and then from there it will go out to the internet??
Thanks -
How to let SAP user use SSO to access Application in DMZ?
Hi All,
Our J2EE application is running on a system in DMZ which can not be connected with LDAP. So I am wondering if it's possible to let SAP user use SSO to access our application.
After talking with my colleague I think the only way is to import SSO public key to our WebAS and create user in UME and then assign user to the corresponding public key, but anybody know where to download SSP verification file or is it allowed to download and import into another system at all?
Regards,
Bin
Hi,
Take a look at this example, it uses property nodes to select the
active plot and then changes the color of that plot.
If you want to make the number of plots dynamic you could use a for
loop and an array of color boxes.
I hope this helps.
Regards,
Juan Carlos
N.I.
Attachments:
Changing_plot_color.vi 38 KB -
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP site are up. On two of our main websites we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configuration on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server settings and was able to successfully send an email out to both my Gmail and workplace accounts. Currently we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think it is because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. Our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please, someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.com
Amit,
I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up. -
Need help on which router to buy for my BB 8320
Now i know 8320 is dated but at this point i am not planning to change anytime soon .
So I have a router which is kinda old, it didnt really occur to me since it worked. When i got my bb 8320 i was in a hotel and i could connect through their wireless without any hassle. I could surf, use youtube, name it.
When I got home I couldn't do anything. I spent countless nights trying to figure out what was wrong, then I realized it's my router. If only BB said something about it not supporting old routers, then I would've saved myself hours of self-loathing.
Anyways, I have also gone to my friend's house, and I could connect to her Linksys router without any hassle. I was the one who set her router up and we bought it this year. I didn't do anything special, configuration-wise or w/e.
So NOW i am just going to buy a new router. I really need help!!!!
I was wondering if this one is good:
W311R Wireless-N Broadband Router
W311R integrates the wireless AP, router, four-port switch and firewall in one, and increases over 4 times transmission range of ordinary 802.11g products. Compatible with IEEE802.11n (Draft 2.0) and IEEE802.11g/b standards, it can provide up to 150Mbps stable transmission rate. It is dedicated to SOHOs and students’ dormitory. In addition, URL and MAC address filtering can take it easy for parents and network administrator to manage network life, and QoS bandwidth control over specific computer’s downloading speed is supported as well. Moreover, UPnP and WMM support can smooth your MSN voice better, and the included Setup Wizard on CD-ROM will be easy and fast for non-savvy users to install the device and access to the Internet.
Overview:
* Includes router, wireless access point, four-port switch and firewall in one
* Provides up to 150Mbps uploading and downloading speed
* Supports two WPS (Wi-Fi Protected Setup) encryption methods: PBC and PIN
* Compliant to IEEE802.11n, IEEE802.11g, IEEE802.11b, IEEE802.3 and IEEE802.3u standards
* Supports far-distance transmission, 100 meters indoor, 400 meters outdoor (depends on the environments around)
* Supports 64/128-bit WEP encryption, WPA and the latest WPA2 encryption security authentication
* Supports RTS/CTS protocol and data partitioning function
* Provides one 10/100Mbps Auto-Negotiation Ethernet WAN ports for WAN connection
* Provides four 10/100Mbps Auto-Negotiation Ethernet LAN ports for LAN connections
* Supports xDSL/Cable MODEM, static and dynamic IP in community networking
* Supports remote/local Web management
* Supports WMM to better smooth your voice and video
* Supports SSID stealth mode and access control based over MAC address (up to 30 entries)
* Supports Auto MDI/MDIX
* Supports wireless Roaming technology and ensures high-efficient wireless connections
* Supports auto negotiation/manual mode for 802.11b/802.11g/802.11n
* Supports UPnP and DDNS
* Supports Firefox 1.0, IE5.5 or above
* Supports SNTP
* Supports virtual server, DMZ host
* Built-in firewall for hacker’s attack prevention
* Supports DHCP server/client
* Supports auto wireless channel selection
* Supports the control over LAN access to Internet
* Provides syslog to record the status of the router
* Supports WDS wireless network extension
* Supports QoS function
Input Voltage Range: AC 110~240V
Output Voltage Range: 9V ~ 1000mA
Consumption: 20 dBm
Operating Temperature: 0 °C ~ 40 °C
Storage Temperature: -40 °C ~ 70 °C
Operating Humidity: 10% ~ 90% RH non-condensing
Storage Humidity: 5% ~ 90% RH non-condensing
Antenna: One non-detachable external antenna (5dBi)
Frequency Range: 2.4GHz-2.5GHz
EVM: -30dB
Sensitivity: 54M: -74dBm@10% PER; 11M: -85dBm@8% PER; 6M: -88dBm@10% PER; 1M: -90dBm@8% PER
Outdoor: 400m
Indoor: 100m
WLAN to LAN: 93Mbps
WLAN to WLAN: 93Mbps
Frequency Range: 2.4GHz
Gain: 5dBi
Nominal Impedance: 50 Ω
Polarization: Linear; Vertical
Maximum Power: 1W
* Vertical Beamwidth 360º
Flip UltraHD.
Shoots mp4 H264 format files. Fits in a shirt pocket and records 2 hrs worth of material to an internal card. Charges from your USB port as you download. If you are just trimming clips, you can use QT Pro without conversion. If you need to edit, convert to ProRes 720p30. Works like a dream.
Just make sure you have it solidly placed when you pull the trigger as there is no image stabilization.
Oh, and it is only $199 US.
x