DMZ setup

Hi
I've got an Advanced Leopard Server running, providing mail services, iCal services and web services.
I would like to put the server in the DMZ and hence I need to activate the firewall. But I'm a bit unsure as to what ports I should allow traffic to. I would also like to be able to use Apple Remote Desktop from outside the local network and, of course, Open Directory authentication from the "outside".
I have set allow traffic from any to these ports:
TCP Outgoing
TCP established
UDP Fragments
UDP outbound and responses to same port
IGMP
Mail:IMAP
SSH
Mail:SMTP standard
ARD 2.x
HTTPS
DNS - response outbound queries
Remote Directory Access
Serial Number support
LDAP secure
HTTP - web service
Mail Imap SSL
ICMP - echo reply messages
ICMP - echo request
Is this a safe or good configuration, or should I add some ports or remove some ports?
I also plan to use VPN between this server and another server at another location.
Any and all input appreciated.
Thanks

These are basically the defaults that were activated when I started the firewall services. As for UDP and UDP fragments, as far as I know I don't need them. I thought these things were set by default because there was something that needed it. The same goes for ICMP. As for SSH, I have set it so you need to use keys to use SSH, so without the necessary keys you can't access SSH, and of course I have disabled root login for SSH. I haven't touched the Apache config file. What specifically were you thinking of with regards to Apache from a security standpoint?
Thanks

Similar Messages

  • DMZ setup for SBS 2011

    Any suggestions on a low end router capable of providing a decent firewall that would begin to meet the security requirements needed for a DMZ setup? (example: Cisco PIX 506 Firewall)
    And whether it can be done with just a couple of wireless routers, one with an enabled DMZ? My initial thought on this is that the standard consumer wireless routers have an eight character password, which is far from secure enough to do much of anything. (brainstorm details below)
    Thought is to place a web form login page in the DMZ... add a read only file to test the web form access. Nothing fancy and for now, it does nothing except verify that the user can log in or is denied login. Verified login goes nowhere except "Success". Build something later when the first part works (if it works).
    Plan is to exist over two LANs (or IP sets within the domain: one set is 192.168.01.xxx and the other set is 192.168.02.xxx) and set up bypass rules between the two. The LAN 192.168.01.xxx would house the DMZ (with HTTP port 80 access) and the LAN 192.168.02.xxx would house the internal domain (SBS 2011 DC running VPN, SharePoint etc., Hyper-V server with virtuals running SQL and TFS, and laptop access). The 192.168.01.xxx is a guest LAN for non-domain (non-hostile) members.
    So my questions:
    1) Can the HTTP header be forwarded from SBS 2011 router rules on the router firewall to hit the second LAN (HTTP requests from 192.168.02.xxx would be routed over to 192.168.01.xxx)?
    2) Can an inexpensive router like the PIX ($30 used) above solve the "crack the eight character router password" issue? (Maybe I just need a newer router in general where the passwords are more secure?)
    Currently RWW open, SSL open, VPN (1723) open, 25 open... all other ports closed. [Does this create any snafus?]
    Hard to make heads or tails of
    http://forums.untangle.com/networking/25935-setting-up-sbs-2011-secondary-internal-dmz-3.html
    R, J

    While all this is good information, I would clarify one point:
    Port 80 should not be open and port forwarded, as it's the single most commonly attacked port.
    Users should be taught to come in via port 443, using HTTPS.
    Cris Hanna [SBS - MVP] (since 1997)
    Co-Contributor, Windows Small Business Server 2008 Unleashed
    http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
    Owner, CPU Services, Belleville, IL
    A Microsoft Registered Partner
    MVPs do not work for Microsoft
    Please do not submit questions directly to me.
    <Linda Graham> wrote in message
    news:[email protected]...
    Hi,
    I have deployed similar setups for clients. The main thing is the quality of the router/firewall facing the internet. I assume when you talk about open ports, you mean open via NAT (network address translation); otherwise, you are leaving the firewall to do the hard work. I am a fan of Draytek 2830 ADSL routers. They also have cable routers if you connect via cable. These are much more expensive than $30, about £230 in the UK. Cheaper models by other manufacturers are available, but what you should look for is a fully customisable NAT server (also called virtual server on some cheaper models). Have a look at Zyxel and TP-Link professional routers. Passwords with these routers can be as complex as you need.
    I assume you have a static IP address or block of static IP addresses for your public WAN address. Using dynamic DNS will create problems with spam filters if you are using an Exchange/SMTP server on your SBS server to send email and is not recommended.
    SBS needs to be able to access your server via ports 25, 80, 443 and 987. You may also want to use 1726 if you need a VPN connection. Use NAT to map these ports from WAN to LAN. For example, if your WAN address is XXX.XXX.XXX.XXX and your LAN subnet is 192.168.1.0 with your SBS server IP address set to 192.168.1.1 and your router IP is 192.168.1.254, then you would add the following to the NAT address table:
    WAN XXX.XXX.XXX.XXX port 25 to LAN 192.168.1.1 port 25
    WAN XXX.XXX.XXX.XXX port 80 to LAN 192.168.1.1 port 80
    WAN XXX.XXX.XXX.XXX port 443 to LAN 192.168.1.1 port 43
    WAN XXX.XXX.XXX.XXX port 987 to LAN 192.168.1.1 port 987
    This will provide secure access to these ports from WAN to LAN and will enable SBS remote web access, SBS Exchange email and Outlook Web Access. Computers connecting will require either a third party domain certificate (e.g. from Verisign or GoDaddy etc.) or the self-issued certificate (found in the public document folder on the SBS server) to be distributed to machines to enable them to use this remote access.
    For the non-secure subnet, you will need another router connected to a LAN port on your main router. Configure the WAN address of the secondary router to be 192.168.1.253 and the LAN subnet to be anything suitable but different from your primary LAN, e.g. 192.168.2.0. On your main router, set the WAN IP address of your secondary router (192.168.1.253) on the DMZ. This opens the WAN port of the secondary router to the internet but isolates it from your primary LAN subnet.
    This setup is suitable for a secure network with public wifi access via the secondary router. Use the secondary router to restrict bandwidth, download types, adult content etc. to prevent public abuse of your wifi network, while still making it suitable for smartphones to connect.
    I hope this is clear, but if you have any questions, post again.
    regards,
    Linda
    Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL

  • DMZ setup (11g)

    I'm using WebCache in the DMZ for routing to the 11g OHS with mod_wl_ohs set up and linked to our internal server with 11g SOA/B2B.
    Inbound messages seem to be flowing smoothly right now, but the outbound acknowledgements all show 'MSG_WAIT_TRANSMIT'.
    How can I determine if this is a problem with the internal setup or with the DMZ setup?
    Where would the gurus start? :)

    Ok... based on what I'm getting from the log, I've obviously got other issues not related to the DMZ/proxy...
    [2010-05-12T16:32:25.707-05:00] [soa_server1] [NOTIFICATION] [] [oracle.soa.b2b.engine] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57] [userId: <anonymous>] [ecid: 0000IYERgWiFw000jzwkno1Bulqt00000_,0] [APP: soa-infra] Acknowledgment: outgoingAckPostCollab: Ack Message Transmit failed
    [2010-05-12T16:32:25.771-05:00] [soa_server1] [NOTIFICATION] [] [oracle.soa.b2b.engine] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57] [userId: <anonymous>] [ecid: 0000IYERgWiFw000jzwkno1Bulqt00000_,0] [APP: soa-infra] Engine: processIncomingMessageImpl: Exit
    [2010-05-12T16:32:25.813-05:00] [soa_server1] [WARNING] [] [oracle.soa.b2b.repository] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57] [userId: <anonymous>] [ecid: 0000IYERgWiFw000jzwkno1Bulqt00000_,0] 2010.05.12 16:32:25.800--UnitOfWork(112993997)--Thread(Thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57,10,Application Daemon Threads])--
    [2010-05-12T16:32:25.836-05:00] [soa_server1] [WARNING] [] [oracle.soa.b2b.repository] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57] [userId: <anonymous>] [ecid: 0000IYERgWiFw000jzwkno1Bulqt00000_,0] 2010.05.12 16:32:25.836--UnitOfWork(112993997)--Thread(Thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57,10,Application Daemon Threads])--
    [2010-05-12T16:32:25.845-05:00] [soa_server1] [ERROR] [] [oracle.soa.b2b.engine] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@4b785f57] [userId: <anonymous>] [ecid: 0000IYERgWiFw000jzwkno1Bulqt00000_,0] [APP: soa-infra] weblogic.transaction.RollbackException: Unexpected exception in beforeCompletion: sync=oracle.toplink.transaction.JTASynchronizationListener@23d26d07[[
    Internal Exception: java.sql.SQLException: ORA-24816: Expanded non LONG bind data supplied after actual LONG or LOB column
    Error Code: 24816
    Call: UPDATE B2B_EXT_BUSINESS_MESSAGE SET ERROR_LEVEL = ?, ERROR_SEVERITY = ?, ERROR_TEXT_CLOB = ?, ERROR_CODE = ?, PROCESSING_TIME = ?, ERROR_DESCRIPTION = ? WHERE (ID = ?)
    bind => [ERROR_LEVEL_COLLABORATION, INFORMATION, Transport error: [IPT_HttpSendError] HTTP encounters send error :500
    <?xml version="1.0"?>
    <soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
    <soap:Fault>
    <faultcode>soap:Server</faultcode>
    <faultstring>Server Error</faultstring>
    <detail>
    <errors>
    <errorCode>ValueNotRecognized</errorCode>
    <severity>Error</severity>
    <location>/Envelope/Header/MessageHeader/From</location>
    <errorMessage>Cannot find sender profile [ESEBXL.000001.000031] </errorMessage>
    <codeContext></codeContext>
    <softwareDetails>webMethods, Inc.</softwareDetails>
    </errors>
    <errors>
    <errorCode>ValueNotRecognized</errorCode>
    <severity>Error</severity>
    <location>/Envelope/Header/MessageHeader/To</location>
    <errorMessage>Cannot find receiver profile [ESEBXL.000001.000032] </errorMessage>
    <codeContext></codeContext>
    <softwareDetails>webMethods, Inc.</softwareDetails>
    </errors>
    </detail>
    </soap:Fault>
    </soap:Body>
    </soap:Envelope>.
    , B2B-50079, 845, Machine Info: (<server.domain.com>)^M
    Transport error: [IPT_HttpSendError] HTTP encounters send error :500
    <?xml version="1.0"?>
    <soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
    <soap:Fault>
    <faultcode>soap:Server</faultcode>
    <faultstring>Server Error</faultstring>
    <detail>
    <errors>
    <errorCode>ValueNotRecognized</errorCode>
    <severity>Error</severity>
    <location>/Envelope/Header/MessageHeader/From</location>
    <errorMessage>Cannot find sender profile [ESEBXL.000001.000031] </errorMessage>
    <codeContext></codeContext>
    <softwareDetails>webMethods, Inc.</softwareDetails>
    </errors>
    <errors>
    <errorCode>ValueNotRecognized</errorCode>
    <severity>Error</severity>
    <location>/Envelope/Header/MessageHeader/To</location>
    <errorMessage>Cannot find receiver profile [ESEBXL.000001.000032] </errorMessage>
    <codeContext></codeContext>
    <softwareDetails>webMethods, Inc.</softwareDetails>
    </errors>
    </detail>
    </soap:Fault>
    </soap:Body>
    </soap:Envelope>.
    , 7F0000011288E6EC9E4000007706E35C]
    Query: UpdateObjectQuery(oracle.tip.b2b.model.instance.ExtBusinessMessage@3164c66b)
    at weblogic.transaction.internal.TransactionImpl.throwRollbackException(TransactionImpl.java:1848)
    at weblogic.transaction.internal.ServerTransactionImpl.internalCommit(ServerTransactionImpl.java:339)
    at weblogic.transaction.internal.ServerTransactionImpl.commit(ServerTransactionImpl.java:233)
    at weblogic.transaction.internal.TransactionManagerImpl.commit(TransactionManagerImpl.java:286)
    at weblogic.transaction.internal.TransactionManagerImpl.commit(TransactionManagerImpl.java:280)
    at oracle.tip.b2b.system.TransactionManager.end(TransactionManager.java:212)
    at oracle.tip.b2b.engine.ThreadWorkExecutor.processEvent(ThreadWorkExecutor.java:545)
    at oracle.tip.b2b.engine.ThreadWorkExecutor.run(ThreadWorkExecutor.java:200)
    at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:77)
    at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
    at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused by: Exception [TOPLINK-4002] (Oracle TopLink - 11g Release 1 (11.1.1.2.0) (Build 091016)): oracle.toplink.exceptions.DatabaseException

  • Cisco ASA 5505 DMZ Setup

    Hello,
    I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.
    I have managed to create the interface, VLAN and IP address settings etc. But I'm a bit lost with the NAT settings and rules I need to create for it.
    I need to be able to do the following:
    - RDP access from inside network to the DMZ servers
    - Internet access for the DMZ
    I am also setting up Active Directory Federation and require HTTPS traffic for the following:
    - DMZ HTTPS to outside (Office 365 Services)
    - Outside HTTPS to DMZ (ADFS Servers on DMZ only)
    - DMZ HTTPS to inside (ADFS Servers Only)
    - Inside HTTPS to DMZ (ADFS Servers Only)
    Running Config:
    interface Vlan1
    nameif inside
    security-level 100
    ip address ccl-sua-asa 255.255.255.0
    ospf cost 10
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.16.0.1 255.255.255.0
    interface Vlan100
    nameif outside
    security-level 0
    ip address 77.107.90.202 255.255.255.248
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 100
    speed 100
    duplex full
    interface Ethernet0/1
    description Connected to CCL-SUA-SW1 port 16
    interface Ethernet0/2
    switchport access vlan 3
    access-list inbound extended permit icmp any any
    access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
    access-list inbound remark Inbound ACT for Ruth Edmonds Only
    access-list inbound extended permit tcp any interface outside eq www
    access-list inbound extended permit tcp any interface outside eq 5022 inactive
    access-list inbound remark Inbound rules for OWA 30/06/09 MD
    access-list inbound extended permit tcp any host 77.107.90.203 eq https log
    access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
    access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
    access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
    access-list inbound remark change request MET 56030 inbound POP3 for mimecast
    access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
    access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
    access-list inbound extended permit tcp any host 77.107.90.205 eq https
    access-list inbound remark Inbound rule for survey 011012 ML
    access-list inbound extended permit tcp any host 77.107.90.205 eq www
    access-list inbound extended deny ip any any
    access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
    access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
    access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
    access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
    access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
    access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
    access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
    access-list outbound extended permit ip any any
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.40.0 255.255.255.0
    nat (inside) 1 192.168.41.0 255.255.255.0
    nat (dmz) 1 172.16.0.0 255.255.255.0
    static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
    static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
    static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
    static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
    static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
    static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
    access-group outbound in interface inside
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
    route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
    Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.
    Many Thanks
    James

    Hi,
    If you have only an ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE.
    You can confirm the License level with the "show version" command. It should read at the end of the output.
    In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
    no forward interface Vlan1
    which to my understanding is required to get the 3rd interface active when you only have a Base License on the ASA5505.
    OUTSIDE -> DMZ
    INSIDE -> DMZ
    Connection initiating should be possible.
    So it seems to me that you already have one problem that will limit connectivity, and not just the NAT.
    You already seem to have the default PAT configuration for DMZ Internet traffic.
    You don't have the NAT for DMZ <-> INSIDE traffic, but as mentioned above it might already be limited by something else even if your configurations were fine.
    The correct NAT configuration to enable that traffic would be to use
    static (inside,dmz) netmask
    Repeat for all
    EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic, since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic, since the "security-level" loses its meaning after an ACL is attached to the interface.
    - Jouni
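    Putting Jouni's two points into configuration for James's setup, as an added example that is not from either poster: the identity static between inside and dmz, and a dmz ACL that, because attaching it removes the meaning of security-level 50, must also carry the Internet-bound permits explicitly. The inside ADFS address (192.168.40.10) and the ACL name dmz_in are assumed placeholders, and, as Jouni warns, with a Base License the `no forward interface Vlan1` line still blocks DMZ to inside regardless of these rules.

```text
! Added example (not from the thread). Assumed placeholder: the inside ADFS server
! is 192.168.40.10; the thread does not give its address.
name 192.168.40.10 ADFS-INSIDE
!
! 1. Jouni's static: identity NAT between inside and dmz, so the inside ADFS host is
!    reachable from the DMZ under its real address (8.2 syntax, matching the posted config).
static (inside,dmz) ADFS-INSIDE ADFS-INSIDE netmask 255.255.255.255
!
! 2. Once an ACL is bound to the dmz interface, security-level 50 no longer permits
!    anything by itself, so every flow the DMZ may start has to be listed. Order matters:
!    the single narrow permit toward the inside first, then an explicit deny of all
!    private ranges, then the Internet-bound permits, then a logged catch-all deny.
access-list dmz_in extended permit tcp host 172.16.0.7 host ADFS-INSIDE eq https
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in extended deny ip any 172.16.0.0 255.240.0.0
access-list dmz_in extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_in extended permit tcp host 172.16.0.7 any eq https
access-list dmz_in extended permit udp host 172.16.0.7 any eq domain
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! 3. Outside -> DMZ: the static (dmz,outside) 77.107.90.206 172.16.0.7 is already there;
!    only the outside ACL entry is missing, and it must sit above the final deny, so the
!    existing deny is removed and re-added after it (ASA evaluates ACEs top-down).
no access-list inbound extended deny ip any any
access-list inbound extended permit tcp any host 77.107.90.206 eq https
access-list inbound extended deny ip any any
!
! 4. Inside -> DMZ (RDP and HTTPS) already passes the existing "outbound" ACL, because its
!    denies cover only 10/8 and 192.168/16 and not 172.16.0.0/24; narrow it to tcp 3389/443
!    toward host 172.16.0.7 when that list is next rebuilt.
```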

  • WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

    Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
    I don't know if I have DMZ setup incorrectly, or if it's my settings.
    Setup as follows:
    PCX2200 modem connected via ethernet to WRT310N. 
    The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
    In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
    Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest.  For the sake of advice, my speedtests I am running on my PC are (after 5 tests) averagely 8.5 Mbps download, and 1.00 Mbps upload, with a ping of  82ms.
    Here is an image of the results:
    http://www.speedtest.net/result/721106714.png
    Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
    For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
    "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
    MTU: Auto, which stays at 1500 when I check under status.
    Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
    Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
    VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
    Access Restrictions: None.
    Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
    Port Range Triggering: It does not allow me to change anything in this page.
    DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:"  I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.  
    Under QoS: WMM Enabled, No acknowledgement disabled.
    Internet Access Priority: Enabled. Upstream Bandwidth I set to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
    Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
    Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
    Web utility access via Wireless: Enabled. Remote Access: Disabled.
    UPnP: Enabled.
    Allow Users to Configure: Enabled.
    Allow users to Disable Internet Access: Enabled.
    Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
    PING 192.168.1.104 (192.168.1.104): 24 data bytes
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    --- 192.168.1.104 data statistics ---
    5 Packets transmitted, 0 Packets received, 100% Packet loss
    Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
    traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
    1 * * * 192.168.1.1 Request timed out.
    2 * * * 192.168.1.1 Request timed out.
    As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected Setup enabled.
    To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
    Message Edited by CroftBond on 02-18-2010 01:09 PM

    I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
    John

  • Issue with cookies in DMZ multi node envt

    Hi,
    We are facing the following issue at our client site:
    The client has implemented iStore and iSupport on top of the existing Oracle Applications (11.5.10 ).
    For these two modules they have added the DMZ node for their customers to make istore order and to use isupport.
    And for the other internal users who use the other modules they have the internal node. Both the internal and external nodes have different domain name.
    They also have some internal users having access to their istore and isupport as well as other module access. So they access the apps both from the external and internal nodes.
    The issue is that the user logs on to iStore/iSupport through the external node (eccp.company.com domain).
    Once they are in iStore/iSupport pages, without logging off or closing the browser, if the user goes to the internal node URL AppsLocalLogin.jsp (prodapp01.company.com) on the same browser with a different user name, he gets the resp. of the user who had logged in through the external node on the home page with the LAF changes for iStore and iSupport. But it will not allow them to navigate further. So the users won't see their regular home page when they log on to the internal node in this case. This might be because the home page (AppsLocalLogin) doesn't associate the correct cookie when the user logs on through the internal node on the same browser (the browser has both cookies).
    How do we solve this issue? Is there any setup/patch available for this scenario? Any help on this is greatly appreciated.

    I don't see much relevance of this issue with OAF. It is more of your DMZ setup issue. For better response, you can post it in forum "Managing Oracle Applications" http://forums.oracle.com/forums/forum.jspa?forumID=40&start=0
    --Shiv

  • Performance issue in guest access anchored in DMZ

    Hello,
    I've been having performance issues in our wifi guest network anchored in the DMZ.
    I have 3 5508 anchor controllers behind the Checkpoint Gaia firewall and have 24 guest SSIDs in here.
    Right now, only 14 guest SSIDs are enabled and tunnelled out in this anchor DMZ setup; whenever I try to add a few more SSIDs I run into performance issues.
    It seems to me that the problem is not about these additional SSIDs that I add, because the performance issue starts to appear only when the traffic peaks or the number of associated clients reaches a certain number, which in my case is 4000 users.
    The firewall serves as the NAT device and gateway for all these guest SSIDs. The CPU, memory and number of connections have been checked and verified low.
    Has anyone seen a problem like this? or has a setup like mine?
    thanks!

    Presuming you're not exceeding client count maximums on the individual WLCs I can't say I've seen anything in line with this "specific problem", but anything is possible.
    What are the specific "performance issues" the clients are experiencing?  Is it just general poor performance (slow web browsing/etc) or do you see other issues like no internet connectivity at all or something else?
    May I ask, what is the use-case behind having 24 SSIDs on your anchors?

  • Need DMZ set up document?

    Dear
    We have our Oracle ERP R12 running on i550 machines with AIX 5L, 2 LPARs. Our requirement for the iProcurement module is that we need to have a DMZ setup. What should the configuration setup be? IBM pSeries servers are very costly; we are planning to have IBM iSeries servers. Can we have an iSeries server with AIX for the DMZ setup? Need to explore DMZ.

    You can also refer to:
    Note: 380483.1 - Oracle E-Business Suite Release 12 Additional Configuration and Deployment Options
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=380483.1
    Additional Configuration and Deployment Options in Release 12
    http://blogs.oracle.com/stevenChan/2007/02/additional_configuration_and_d.html

  • Port Forward Vs. DMZ

    My company is in the process of implementing a new system that they want internal and external access to.
    I would like to use our DMZ, however there is a concern that we will overrun the throughput of our PIX 525.
    The software vendor just wants us to port forward from the outside across the firewall. What are the ramifications of doing this besides the large security holes from the untrusted to trusted network?
    Thanks

    Thanks for your reply.
    We have a PIX 525 pair in active/standby right now. Each has 256MB of memory and they are not being utilized very heavily today. We have on average 30 concurrent VPN connections, plus the PIX is our firewall for our company's internet access.
    We are worried about the throughput when we bring our new software system online. We will have 200Mb of bandwidth out of our data center to our offices and up to 100Mb of bandwidth outbound to the internet. If we put all our applications on the DMZ, that is very close to the PIX rated throughput of 330. If we put only a few of the systems on the DMZ, then the servers will not be able to communicate with each other at 1Gb speeds because of the PIX limitations.
    As for port forwarding, the application will only need 2 open ports. SSL and another TCP port.
    As for the servers, they will all have public IPs assigned to them (either physically assigned in a port forward setup or through NAT in a DMZ setup).
    My major concern with port forwarding is if one of the servers is compromised, then the entire inside network becomes vulnerable.
    Even if we put them on the DMZ I am still going to need to allow access from the inside to the DMZ for internal users. Is it possible to do this securely?
    Thanks

  • Reverse proxy setup for EBS R12.1.1

    We have an external DMZ server configured for Oracle EBS R12.1.1. The URL is http://testerp.mydomain.com:8003.
    Can you please provide a link that shows a step by step setup of a reverse proxy for the above URL to access the application?
    I already have the Metalink notes about the DMZ setup for Oracle EBS. I actually am looking for a step by step setup for the reverse proxy using Oracle Application Server 10g. Please help. Thanks.

    Roy, I have already gone through that document; it is actually showing how to install and configure WebCache 10g for Oracle EBS R12.
    It also lists the features that Oracle Application Server Web Cache provides, like:
    • Load Balance
    • Reverse Proxy
    • Failover and Surge Protection to minimize downtime
    • Personalize Attributes for Caching
    BUT IT IS NOT MENTIONING HOW TO CONFIGURE THE 'REVERSE PROXY' FOR THE ORACLE EBS EXTERNAL APPLICATION SERVER ON DMZ.

  • DMZ and VLANS

    I have been trying to set up this router for over a week. I cannot get a DMZ set up or get the VLAN tagging to work.
    It will not give a DHCP address to devices on the second VLAN, and when plugged in to my switch it causes spanning tree to shut down the port because of the broadcast storm, because it is not tagging the VLANs.
    I have the latest firmware on the device.

    Code version:
    System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
    I don't have any EtherChannel running from the switch. It is connected to VMware machines which are on the DMZ.
    rgds,
    arman

  • 1841 with DMZ.

    I have got an 1841. By default it has only 2 FE ports, one for WAN and the other for LAN, so we got an HWIC-4ESW.
    Is there any problem in setting up a DMZ on the 1841?

    That is indeed the correct version. Although I could not find a complete configuration example, the link below might provide you with a point to start from:
    http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml
    Regards,
    Leo

  • GSLB probes in redundant CSM setup

    Hi -
    When using leastloaded in a GSLB setup, a probe is needed to get load data from the remote CSM. Is it possible to initiate probes from a specific interface on the CSM?
    Does the secondary unit in an FT setup make its own probes, or is it updated on the load from the primary?
    Right now I have a situation where probes from a CSM are sent with a source IP address belonging to one VLAN out another; there is no bridging between these VLANs.
    Any help would be appreciated.

    Hi Gilles -
    Many thanks for your fast answer.
    Yes, the way to control it is to define routing within the VLAN that I want to source the address from. I came to the same conclusion, and it works. What really bothered me was to discover traffic sourced from one VLAN interface in another VLAN (especially because it is a DMZ setup). My problem was that I had defined the gateway command on several client VLAN interfaces. Is there a way to see the routing table of the CSM?
    Rgds Peter

  • VPN Split-Tunneling not working

    Hello,
    First off, thanks to all who post here. I often browse the forums and search for help on here and it's very useful, so a great pat on the back for everyone who contributes. My first time posting, so here goes.....
    I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. The client can connect and access the remote systems through the VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat, so what I am about to post I know for certain is incorrect, but any help is greatly appreciated.
    Notes
    1.  The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
    2.  The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
    CONFIGURATION:
    ASA Version 8.2(5)
    hostname MYHOST
    enable password mUUvr2NINofYuSh2 encrypted
    passwd UNDrnIuGV0tAPtz2 encrypted
    names
    name x.x.x.x AIME-SD
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
     switchport access vlan 7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.101.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.0.0
    interface Vlan7
     no forward interface Vlan1
     nameif DMZ
     security-level 20
     ip address 137.57.183.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable 64000
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map batus 100 match address 10
    crypto map batus 100 set peer AIME-SD
    crypto map batus 100 set transform-set batus
    crypto map batus interface outside
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment self
     subject-name CN=MYHOST
     keypair ClientX_cert
     crl configure
    crypto ca certificate chain ASDM_TrustPoint1
     certificate 0f817951
        308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
        05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
        1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
        31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
        30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
        86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
        86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
        1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
        4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
        db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
        783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
        f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
        b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
        fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
        7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
        63ebd49d 30dd06f4 e0fa25
      quit
    crypto isakmp enable outside
    crypto isakmp policy 40
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 DMZ
    ssh timeout 10
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint1 outside
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
     svc enable
    group-policy ClientX_access internal
    group-policy ClientX_access attributes
     vpn-tunnel-protocol svc
     split-tunnel-network-list value split-tunneling
     default-domain value access.local
     address-pools value Internal_Range
     ipv6-address-pools none
     webvpn
      svc mtu 1406
      svc rekey time none
      svc rekey method ssl
    username ClientX password ykAxQ227nzontdIh encrypted privilege 15
    username ClientX attributes
     vpn-group-policy ClientX_access
     service-type admin
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *****
    tunnel-group ClientX type remote-access
    tunnel-group ClientX general-attributes
     address-pool Internal_Range
     default-group-policy ClientX_access
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     default-group-policy ClientX_access
    tunnel-group ClientX_access type remote-access
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
    : end
    Thank you for any help!!

    Karsten!
    That fixed my internet access problem.  Yippee!
    Unfortunately it seems to have broken my access to the internal network.  Boo!
    I can no longer access/ping anything on the internal IP range (192.168.101.x). 
    I assume this is a nat issue somewhere along the line.  Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine).  Thank you both for your very prompt replies!!!
    Short Config
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    Show vpn-sessiondb svc
    Session Type: SVC
    Username     : ClientX                 Index        : 9
    Assigned IP  : 192.168.101.125        Public IP    : x.x.x.x
    Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
    License      : SSL VPN
    Encryption   : RC4 AES128             Hashing      : MD5 SHA1
    Bytes Tx     : 11662                  Bytes Rx     : 62930
    Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 22:40:56 MST Mon Jul 1 2013
    Duration     : 0h:11m:08s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
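    The thread above turns on how the AnyConnect address pool, the split-tunnel list and the pre-8.3 `nat (iface) N` / `global` rules interact. The following is an added example (not from the thread, and not Cisco's tooling): a small linter that parses the relevant lines of an ASA 8.2-style running config and reports three things a reviewer would look at first: a `nat` id with no matching `global`, a VPN pool that overlaps an interface subnet, and an interface whose traffic toward the pool is not covered by a `nat (iface) 0` exemption ACL. `SAMPLE_CONFIG` is constructed from the lines posted in the thread (public addresses left as `x.x.x.x`), and the function names (`parse_interfaces`, `parse_pools`, `parse_acls`, `parse_nat`, `lint`) are this example's own.

```python
"""Lint a pre-8.3 Cisco ASA running config for remote-access VPN addressing
and NAT problems.  Added example, not from the thread or from Cisco;
SAMPLE_CONFIG is constructed from the config posted above."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.0.0
interface Vlan7
 nameif DMZ
 security-level 20
 ip address 137.57.183.1 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+(?:\.\d+){3})-(\d+(?:\.\d+){3})")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)(?: access-list (\S+))?")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")


def _net(addr: str, mask: str) -> IPv4Net:
    return IPv4Net(f"{addr}/{mask}", strict=False)


def parse_interfaces(cfg: str) -> Dict[str, IPv4Net]:
    """nameif -> subnet; interfaces whose address is a placeholder are skipped."""
    result: Dict[str, IPv4Net] = {}
    nameif: Optional[str] = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            try:
                result[nameif] = _net(addr, mask)
            except ValueError:
                pass  # "ip address x.x.x.x ..." as posted: not parseable
    return result


def parse_pools(cfg: str) -> Dict[str, Tuple[IPv4Addr, IPv4Addr]]:
    """pool name -> (first, last) address of an 'ip local pool'."""
    pools: Dict[str, Tuple[IPv4Addr, IPv4Addr]] = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (IPv4Addr(m.group(2)), IPv4Addr(m.group(3)))
    return pools


def _addr_spec(tok: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse 'any' | 'host A' | 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Net(tok[i + 1] + "/32"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse_acls(cfg: str) -> Dict[str, List[Tuple[IPv4Net, IPv4Net]]]:
    """name -> [(src, dst)] for 'extended permit ip' entries; placeholders are dropped."""
    acls: Dict[str, List[Tuple[IPv4Net, IPv4Net]]] = {}
    for line in cfg.splitlines():
        tok = line.strip().split()
        if tok[:1] != ["access-list"] or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        acls.setdefault(tok[1], [])
        try:
            src, i = _addr_spec(tok, 5)
            dst, _ = _addr_spec(tok, i)
        except (ValueError, IndexError):
            continue
        acls[tok[1]].append((src, dst))
    return acls


def parse_nat(cfg: str) -> Tuple[List[Tuple[str, int, Optional[str]]], Set[int]]:
    """Return ([(iface, nat id, acl or None)], {global ids})."""
    rules: List[Tuple[str, int, Optional[str]]] = []
    global_ids: Set[int] = set()
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3)))
        m = GLOBAL_RE.match(line.strip())
        if m:
            global_ids.add(int(m.group(2)))
    return rules, global_ids


def lint(cfg: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the three checks described above."""
    findings: List[Tuple[str, str]] = []
    ifaces, pools, acls = parse_interfaces(cfg), parse_pools(cfg), parse_acls(cfg)
    rules, global_ids = parse_nat(cfg)
    for iface, nat_id, _ in rules:
        if nat_id != 0 and nat_id not in global_ids:
            findings.append(("NO_GLOBAL", f"nat ({iface}) {nat_id} has no matching "
                             f"'global (...) {nat_id}': matching flows cannot be translated"))
    for pname, (lo, hi) in pools.items():
        for iname, net in ifaces.items():
            if lo in net or hi in net:
                findings.append(("POOL_OVERLAP", f"pool {pname} {lo}-{hi} overlaps the {iname} "
                                 f"subnet {net}; the ASA must proxy-ARP for clients there, "
                                 f"a dedicated pool subnet avoids that"))
            exempt = [acls.get(acl, []) for i, nid, acl in rules if i == iname and nid == 0 and acl]
            covered = any(net.subnet_of(src) and lo in dst and hi in dst
                          for entries in exempt for src, dst in entries)
            if not covered and any(i == iname for i, _, _ in rules):
                findings.append(("NO_EXEMPTION", f"no 'nat ({iname}) 0' ACL exempts {net} -> pool "
                                 f"{pname}; that return traffic falls through to the dynamic nat rules"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

    Run against the constructed sample it flags `nat (inside) 1`, which has no `global (...) 1`, the pool `Internal_Range` sitting inside the `inside` subnet, and the absence of an exemption entry for inside-to-pool and DMZ-to-pool traffic (the `no_nat` ACL only names `host x.x.x.x`). Appending a `global (outside) 1 interface` line and an `access-list no_nat extended permit ip 192.168.101.0 255.255.255.0 192.168.101.0 255.255.255.0` entry clears the first and the inside-side third finding, which is the kind of before/after comparison worth doing before touching a production unit.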

  • HP laserjet 400 mfp and Laserjet 200 mfp

    I have 2 printers, an HP Laserjet 200 MFP and an HP Laserjet 400 MFP. I tried HP phone support. I checked each printer on 2 different networks to make sure it was not my setup. When I try to set up both printers with Web Services they both say unable to connect to the internet. I did a firmware update on both printers, no help. HP told me that I needed to have a DMZ setup, i.e. port forwarding. I don't think this is right.
    Thanks
    O.D. Smith (HP Retired)

    Hi Smith,
    Welcome to Consumer Support Forum.
    As per your request, you have 2 printers and you want to connect through the network.
    On the 400 MFP printer, please connect the network cable (physical cable)
    and print a configuration report; you will get the IP address of the printer.
    I want you to check whether the IP of the printer and the IP of the computer are in the same range or not. If they are in the same range,
    please try to ping the IP through a command prompt window.
    Once a reply from the printer is confirmed, the printer can be installed easily.
    Please reply if the issue persists.
    Regards
    HP
