Duplicate SYN attacks from Outside to Outside

Hi Everyone,
We have an FTP server that sits in our DMZ.  This Server has a DMZ interface and an external interface.  When trying to access the server from the internet on its external address i am getting alot of Duplicate SYN attacks.  They seem to be coming all from the same source and port to the same destination and port.
As part of the testing i first took out any references to the FTP server in my Access rules on the ASA.  I then tried to FTP to the server from an outside internet connection and as expected get the following in the log:
4
Mar 01 2013
10:23:18
194.80.130.xx
46867
78.24.112.XX
21
Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one).  When i then try and FTP to the server i get lots of SYN attacks which says the following:
4
Mar 01 2013
10:27:29
194.80.130.XX
46973
78.24.112.XX
21
Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
I am not sure why I am getting duplicate SYN attacks.  I have similar servers in the DMZ that do the same thing and they seem to be working fine.  I am pretty sure this is not actually a DOS attack.  I also have spoken to the team who manage the server and they have confirmed that the external IP is setup correctly on the server (its not that the external IP does not exist and just loops).
There is also NAT'ing setup on the ASA that NATs the dmz IP to the external IP and vice versa.
I have also noticed that whenever i create a new rule on the outside interface on my ASA it automatically adds the same descripton from another rule on the outside interface.  What does this mean?  Why could it be copying a description from anothe rule?
Your advice would be much appreciated.

Output from packet-tracer to outside address 78.24.112.xx 
It seems as though the NAT to the DMZ address is just not working.  I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
object-group service DM_INLINE_SERVICE_7
service-object tcp destination eq ssh
service-object ip
service-object tcp destination eq ftp
Additional Information:
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26135657, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow

Similar Messages

  • Protected servers under syn attack!!

    The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
    In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
    I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
    Regards

    Hi,
    below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks
                              Average(eps)    Current(eps) Trigger      Total events
      10-min ACL  drop:                  1               0       0               672
      1-hour ACL  drop:                  1               0       0              4654
      10-min SYN attck:                  0               0       0               386
      1-hour SYN attck:                  0               0       0              3428
      10-min  Scanning:                  2               1   55503              1248
      1-hour  Scanning:                  2               2   18455              9177
      10-min Bad  pkts:                  0               0       0               184
      1-hour Bad  pkts:                  0               0       0              1089
      10-min  Firewall:                  1               0       0               862
      1-hour  Firewall:                  1               1       0              5749
      10-min DoS attck:                  0               0       0                 6
      1-hour DoS attck:                  0               0       0                 6
      10-min Interface:                  1               0       0              1034
      1-hour Interface:                  1               1       0              6616
    regards,
    AAMIR

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, info has to be there. Do you have the 'show xlate' when the issue was seen? In such cases, along with xlate table, you can check connection for hosts making unusual number of connections (show connection count/show connection all). Here are few useful commands in such scenarios:
    show local-host connection udp 100-10000          << Gives host with total UDP connections b/w 100-1000
    show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
    Change the range as per need.
    Sourav

  • Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

    ASA 5505 Split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
    When a user was connecting to the old 8.3(1) appliance they could access all of our subnets: 10.60.0.0/16, 10.89.0.0/16, 10.33.0.0/16, 10.1.0.0/16
    but now they cannot and in the logs I can just see
    6          Oct 31 2012          08:17:59          110003          10.60.30.111          1          10.89.30.41          0          Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
    any hints? i have tried almost everything. the running configuration is:
    : Saved
    ASA Version 8.4(3)
    hostname asa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.60.70.1 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 80.90.98.217 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.33.0.0_16
    subnet 10.33.0.0 255.255.0.0
    object network NETWORK_OBJ_10.60.0.0_16
    subnet 10.60.0.0 255.255.0.0
    object network NETWORK_OBJ_10.89.0.0_16
    subnet 10.89.0.0 255.255.0.0
    object network NETWORK_OBJ_10.1.0.0_16
    subnet 10.1.0.0 255.255.0.0
    object network tetPC
    host 10.60.10.1
    description test        
    object network NETWORK_OBJ_10.60.30.0_24
    subnet 10.60.30.0 255.255.255.0
    object network NETWORK_OBJ_10.60.30.64_26
    subnet 10.60.30.64 255.255.255.192
    object network SSH-server
    host 10.60.20.6
    object network SSH_public
    object network ftp_public
    host 80.90.98.218
    object network rdp
    host 10.60.10.4
    object network ftp_server
    host 10.60.20.2
    object network ssh_public
    host 80.90.98.218
    object service FTP
    service tcp destination eq 12
    object network NETWORK_OBJ_10.60.20.3
    host 10.60.20.3
    object network NETWORK_OBJ_10.60.40.192_26
    subnet 10.60.40.192 255.255.255.192
    object network NETWORK_OBJ_10.60.10.10
    host 10.60.10.10
    object network NETWORK_OBJ_10.60.20.2
    host 10.60.20.2
    object network NETWORK_OBJ_10.60.20.21
    host 10.60.20.21
    object network NETWORK_OBJ_10.60.20.4
    host 10.60.20.4
    object network NETWORK_OBJ_10.60.20.5
    host 10.60.20.5
    object network NETWORK_OBJ_10.60.20.6
    host 10.60.20.6
    object network NETWORK_OBJ_10.60.20.7
    host 10.60.20.7
    object network NETWORK_OBJ_10.60.20.29
    host 10.60.20.29
    object service port_tomcat
    service tcp source range 8080 8082
    object network TBSF
    subnet 172.16.252.0 255.255.255.0
    object network MailServer
    host 10.33.10.2
    description Mail Server
    object service HTTPS
    service tcp source eq https
    object network test
    object network access_web_mail
    host 10.60.50.251
    object network downtown_Interface_host
    host 10.60.50.1
    description downtown Interface Host
    object service Oracle_port
    service tcp source eq sqlnet
    object network NETWORK_OBJ_10.60.50.248_29
    subnet 10.60.50.248 255.255.255.248
    object network NETWORK_OBJ_10.60.50.1
    host 10.60.50.1
    object network NETWORK_OBJ_10.60.50.0_28
    subnet 10.60.50.0 255.255.255.240
    object network brisel
    subnet 10.191.191.0 255.255.255.0
    object network NETWORK_OBJ_10.191.191.0_24
    subnet 10.191.191.0 255.255.255.0
    object network NETWORK_OBJ_10.60.60.0_24
    subnet 10.60.60.0 255.255.255.0
    object-group service TCS_Service_Group
    description This Group of available Services is for TCS Clients
    service-object object port_tomcat
    object-group service HTTPS_ACCESS tcp
    port-object eq https
    object-group network DM_INLINE_NETWORK_1
    network-object 10.1.0.0 255.255.0.0
    network-object 10.33.0.0 255.255.0.0
    network-object 10.60.0.0 255.255.0.0
    network-object 10.89.0.0 255.255.0.0
    access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
    access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
    access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list OUTSIDE_IN extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN extended permit icmp any any unreachable
    access-list OUTSIDE_IN extended permit icmp any any echo-reply
    access-list OUTSIDE_IN extended permit icmp any any source-quench
    access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
    access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
    access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
    access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
    access-list OAKDCAcl remark backoffice
    access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
    access-list OAKDCAcl remark maint
    access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
    access-list osgd standard permit host 10.60.20.4
    access-list osgd standard permit host 10.60.20.5
    access-list osgd standard permit host 10.60.20.7
    access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
    access-list snmp extended permit udp any eq snmptrap any
    access-list snmp extended permit udp any any eq snmp
    access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
    access-list webMailACL standard permit host 10.33.10.2
    access-list HBSC standard permit host 10.60.30.107
    access-list HBSC standard deny 10.33.0.0 255.255.0.0
    access-list HBSC standard deny 10.89.0.0 255.255.0.0
    access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
    ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
    ip local pool test 10.60.50.1 mask 255.255.255.255
    ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
    ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
    ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
    ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name ThreatDetection attack action alarm
    ip audit interface inside ThreatDetection
    ip audit interface outside ThreatDetection
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo inside
    icmp permit any echo outside
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
    nat (inside,outside) source static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 destination static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 service any port_tomcat
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
    nat (inside,outside) source static MailServer MailServer destination static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.60.10.10 255.255.255.255 inside
    http 10.33.30.33 255.255.255.255 inside
    http 10.60.30.33 255.255.255.255 inside
    snmp-server host inside 10.33.30.108 community ***** version 2c
    snmp-server host inside 10.89.70.30 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 84.51.31.173
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer 98.85.125.2
    crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set peer 220.79.236.146
    crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 4 match address outside_4_cryptomap
    crypto map outside_map 4 set pfs
    crypto map outside_map 4 set peer 159.146.232.122
    crypto map outside_map 4 set ikev1 transform-set lux_trans_set
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 50
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 86400
    crypto ikev1 policy 70
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    telnet 10.60.10.10 255.255.255.255 inside
    telnet 10.60.10.1 255.255.255.255 inside
    telnet 10.60.10.5 255.255.255.255 inside
    telnet 10.60.30.33 255.255.255.255 inside
    telnet 10.33.30.33 255.255.255.255 inside
    telnet timeout 30
    ssh 10.60.10.5 255.255.255.255 inside
    ssh 10.60.10.10 255.255.255.255 inside
    ssh 10.60.10.3 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd dns 155.2.10.20 155.2.10.50 interface inside
    dhcpd auto_config outside interface inside
    threat-detection basic-threat
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    tftp-server inside 10.60.10.10 configs/config1
    webvpn
    group-policy testTG internal
    group-policy testTG attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol ikev1
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol l2tp-ipsec
    group-policy TcsTG internal
    group-policy TcsTG attributes
    vpn-idle-timeout 20
    vpn-session-timeout 120
    vpn-tunnel-protocol ikev1
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value testOAK_splitTunnelAcl
    address-pools value TCS_pool
    group-policy downtown_interfaceTG internal
    group-policy downtown_interfaceTG attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value downtown_splitTunnelAcl
    group-policy HBSCTG internal
    group-policy HBSCTG attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value HBSC
    group-policy OSGD internal
    group-policy OSGD attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-session-timeout none
    vpn-tunnel-protocol ikev1
    group-lock value OSGD
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value testOAK_splitTunnelAcl
    group-policy OAKDC internal
    group-policy OAKDC attributes
    vpn-tunnel-protocol ikev1
    group-lock value OAKDC
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value OAKDCAcl
    intercept-dhcp 255.255.0.0 disable
    address-pools value OAKPRD_pool
    group-policy mailTG internal
    group-policy mailTG attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value webMailACL
    group-policy OAK-remote internal
    group-policy OAK-remote attributes
    dns-server value 155.2.10.20 155.2.10.50
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value OAK-remote_splitTunnelAcl
    vpn-group-policy OAKDC
    service-type nas-prompt
    tunnel-group DefaultRAGroup general-attributes
    address-pool OAKPRD_pool
    address-pool ipad
    default-group-policy DefaultRAGroup_1
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.51.31.173 type ipsec-l2l
    tunnel-group 84.51.31.173 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 98.85.125.2 type ipsec-l2l
    tunnel-group 98.85.125.2 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 220.79.236.146 type ipsec-l2l
    tunnel-group 220.79.236.146 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group OAKDC type remote-access
    tunnel-group OAKDC general-attributes
    address-pool OAKPRD_pool
    default-group-policy OAKDC
    tunnel-group OAKDC ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group TcsTG type remote-access
    tunnel-group TcsTG general-attributes
    address-pool TCS_pool
    default-group-policy TcsTG
    tunnel-group TcsTG ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group downtown_interfaceTG type remote-access
    tunnel-group downtown_interfaceTG general-attributes
    address-pool test
    default-group-policy downtown_interfaceTG
    tunnel-group downtown_interfaceTG ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group mailTG type remote-access
    tunnel-group mailTG general-attributes
    address-pool mail_sddress_pool
    default-group-policy mailTG
    tunnel-group mailTG ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testTG type remote-access
    tunnel-group testTG general-attributes
    address-pool mail_sddress_pool
    default-group-policy testTG
    tunnel-group testTG ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group OSGD type remote-access
    tunnel-group OSGD general-attributes
    address-pool OSGD_POOL
    default-group-policy OSGD
    tunnel-group OSGD ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group HBSCTG type remote-access
    tunnel-group HBSCTG general-attributes
    address-pool OSGD_POOL
    default-group-policy HBSCTG
    tunnel-group HBSCTG ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 159.146.232.122 type ipsec-l2l
    tunnel-group 159.146.232.122 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group OAK-remote type remote-access
    tunnel-group OAK-remote general-attributes
    address-pool OAK_pool
    default-group-policy OAK-remote
    tunnel-group OAK-remote ipsec-attributes
    ikev1 pre-shared-key *****
    policy-map global_policy
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    : end
    asdm history enable

    Dear Darko,
    The problem here is the overlapp issue with the Internal network.
    Since the VPN pool is:
    ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
    And the local network is:
    interface Vlan1
         nameif inside
         security-level 100
         ip address 10.60.70.1 255.255.0.0
    So since you have some NAT rules telling the FW that 10.60.0.0/16 is connected to the inside, we need to change that and force it to know that 10.60.30.0/24 is actually reachable to the outside.
    On the other hand, yes you could point to outside interface, but is not a good practice.
    Thanks.
    Portu.
    In case you do not have any further questions, please mark this post as answered.

  • How do i connect my time capsule from outside my home? i dont have static ip

    sorry about my english...
    its been 4 months now and still I am not able to connect my time capsule via internet from outside . i have read enough forums and discussion but i am confused because every discussion has different answer. please anyone can explain me the simplest way to configure my time capsule so i can connect it from other computers. i am using windows 7 64bit os.i am not advance user of networking so please explain me in detail.
    some questions.
    1. is it possible to use time capsule as nas using dynamic ip address?
    2. if yes how and where can i get exact detail about this.
    3. how to connect my time capsule form my iphone,ipad or other computers . connect through ip address or something else?
    4. is it any simple installation way to do this? i heard about bonjour and icloud but dont know how to connect through this.
    please help me
    thank you
    sachin

    i am using windows 7 64bit os.i am not advance user of networking so please explain me in detail.
    Here is your primary issue.. you cannot connect with win7 ..
    Windows only offers SMB protocol which just about every ISP.. all responsible ones ...block..
    Time Capule offers AFP to internet and only AFP.
    You need to use a Mac to connect.. then use BTMM and iCloud as there is no dyndns in the TC anyway. (Actually there is a dyndns but only for apple btmm use...  you cannot access.
    If you want to or have to use windows.. then get a proper vpn router that offers vpn endpoints to windows and has dyndns.. setup the TC in bridge behind the vpn router and access via vpn .. this is the only safe way of connecting using SMB.

  • Blocking access to file sharing (AFP/SMB) from outside of network

    Hello all,
    Is there a way to block access to file shares from outside of our LAN? I have a machine that has some sharing turned on (it is also my email server) and I can reach it across the internet and mount shares as if I was in the office.
    How can I block this access? Both SMB and AFP?
    Thank you,
    -John

    Justin, thank you for your reply. The machine is on a public ip address and is not behind a NAT router. I've turned on the software firewall and that is working now. However, I imagine it would be better to use a hardware firewall. Any suggestions on a good one? Thank you.

  • Why i cant access asa 8.4 thruogh asdm from outside interface ???

    hi all ,
    plz help e why i cant access asa asdm from outside interface
    my puclic ip on outisde is :
    x.x.55.34
    i changed  portf of asdm to 65000 because i have portforward  ,
    i tried to connect to my ip thriuogh asdm bu :
    x.x.55.34
    x.x.55.34:65000
    but no luck ,
    it succed if i try to connect locally
    here is my sh run command :
    ====================================================
    ASA5505#
    ASA5505# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASA5505
    enable password qsddsEGCCSH encrypted
    passwd 2KFsdsdbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif ins
    security-level 100
    ip address 10.66.12.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 50
    ip address x.x.55.34 255.255.255.248
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network localsubnet
    subnet 10.66.12.0 255.255.255.0
    description localsubnet
    object network HTTP-Host
    host 10.66.12.249
    description web server
    object network HTTPS-HOST
    host 10.66.12.249
    description Https
    object network RDP-Host
    host 10.66.12.122
    description RDP host
    object network citrix-host
    host 10.66.12.249
    description citrix
    object service rdp
    service tcp destination eq 3389
    object service https
    service tcp destination eq https
    object service citrix
    service tcp destination eq 2598
    object service http
    service tcp destination eq www
    object network RDP1
    host 10.66.12.249
    object network HTTPS-Host
    host 10.66.12.249
    object network CITRIX-Host
    host 10.66.12.249
    object-group network RDP-REDIRECT
    object-group network HTTP-REDIRECT
    object-group network HTTPS-REDIRECT
    object-group network CITRIX-ICA-HDX-REDIRECTION
    object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
    object-group service CITRIX-ICA-HDX
    object-group service CITRIX-SR
    object-group service RDP
    object-group network MY-insideNET
    network-object 10.66.12.0 255.255.255.0
    access-list outside_in extended permit tcp any host 10.66.12.249 eq www
    access-list outside_in extended permit tcp any host 10.66.12.249 eq https
    access-list outside_in extended permit tcp any host 10.66.12.249 eq 2598
    access-list outside_in extended permit tcp any host 10.66.12.122 eq 3389
    access-list outside_in extended permit tcp any host 10.66.12.249 eq citrix-ica
    access-list outside_in extended permit tcp any host x.x.55.34 eq 65000
    access-list outside_in extended permit tcp any host x.x.55.34 eq https
    access-list outside_in extended permit ip any any
    pager lines 24
    mtu ins 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    object network localsubnet
    nat (ins,outside) dynamic interface
    object network HTTP-Host
    nat (ins,outside) static interface service tcp www www
    object network RDP-Host
    nat (ins,outside) static interface service tcp 3389 3389
    object network HTTPS-Host
    nat (ins,outside) static interface service tcp https https
    object network CITRIX-Host
    nat (ins,outside) static interface service tcp citrix-ica citrix-ica
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 62.109.55.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 65000
    http 10.66.12.0 255.255.255.0 ins
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access outside
    dhcpd address 10.66.12.160-10.66.12.180 ins
    dhcpd dns 212.112.166.22 212.112.166.18 interface ins
    dhcpd enable ins
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username test password P4ttSdddd3SV8TYp encrypted privilege 15
    username ADMIN password 5dddd3ThngqY encrypted privilege 15
    username drvirus password p03BtCddddryePSDf encrypted privilege 15
    username cisco password edssdsdOAQcNEL encrypted privilege 15
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DD
    CEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    For access over VPN you need:
    management-access inside
    and don't forget:
    ssh inside
    http inside
    I'm guessing you forgot to grant ASDM (http/https) access to the IP addresses used by the VPN?  Can you SSH?  If not, that is your problem to solve first.

  • How to allow some fixed extension go in from outside to inside but not allow go from inside to outside

    how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
    for example, allow JPEG, MOV, AVI data flow from outside to inside
    but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
    how to configure?

    Hi,
    The ZBF link sent earlier show how we can inspect URI in http request
    parameter-map type regex uri_regex_cm
       pattern “.*cmd.exe”
    class-map type inspect http uri_check_cm
       match request uri regex uri_regex_cm
    ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.
    Thanks

  • How can i call a plugin from outside of Acrobat Pro.?

    Hello All,
    Is it possible to call acrobat pro plugins from outside of Acrobat Pro.? I believe it is definitely possible.
    I am not able to get any pointers on this. Can someone suggest any pointers on this.
    Thanks.

    The plugins that come with Acrobat or custom ones that you write yourself?
    Custome ones. 
    Call them in what way?
    Through an executable. I mean from inside an exceutable.
    On what OS platform?
    Windows
    For what purpose?
    Just for fun Actually learning
    Thanks for the reply.

  • Access to Time Capsule in Bridge Mode from outside of the network

    I have a Time Capsule with an external hard drive set up in bridge mode on my home network. The main router and DHCP server is an Actiontec MI424, and is specific to my ISP (Verizon, required for TV Guide info from Fios) so the Time Capsule's AirPort can't be used as the primary. I need to access the external hard drive from outside my network (I.E. the internet), but I'm having trouble figuring out which ports are required for Sharepoint to work.
    So far I've forwarded 548, but I get an error "-36" when I try to connect from the outside. It works fine on the inside. Any suggestions?
    Thanks, JSD

    The Express units can extend wireless on the TC or each other.. but they cannot extend wireless on the Asus anyway..
    So the setup is Asus--TC (that has to be ethernet) The TC in bridge mode.
    Then TC -- express can be done by ethernet in roaming mode as bob listed above or extend wireless.
    I am guessing.. what model are the express units.. they are older Gen1 N model ??
    IMHO the TC is simply no longer viable.. replace it with one express as the AP and extend it with the other Express.. see if that works better.
    But I would be trying to use the wireless just from the AC66U.
    I would also force the Asus back to 20mhz on the 2.4ghz band.. so you can provide adequate channel separation.. 40mhz wireless on 2.4ghz works poorly anyway because you have too much wifi .. there is very limited number of non-overlapping channels.. ie 3. 11, 6 and 1.

  • Can't Open File Explorer -- How can I reset the Quick Access Toolbar from outside of File Explorer?

    First of all, this is not a virus. This is my a bug within windows explorer itself.
    So, I added the properties button to the QAT, and it displayed it as an expandable menu, like this: ";" but with small arrows like this: ">". didn't want this, I wanted to click on it and immediately display the properties of the file
    to me. So, I hovered over it, right-clicked on "Properties" in this menu and added it to the QAT. Of course, this crashes File Explorer. Now whenever I try and open it, it crashes, so I have to assume that the corrupted button has been saved.
    So, my question is: How do I reset the QAT from OUTSIDE of file explorer? Regedit magic? Any ideas?
    Thanks for stopping by,
    Trolleyman.
    Edit: Just so you know, I can navigate through my systems files using the 7-zip file manager. Phew.

    Thanks from me  too, Niki. This first happened with Windows 8.0 File Manager a week ago,, and despite much research I couldn't  discover the cause so eventually I resorted to restoring  the system drive from backup (luckily I make daily backups, 
    so didn't lose   much  work).
    Without  knowing the cause  a  few days later I again tried to alter  the Quick Access  Toolbar  and the problem reappeared.  Should  I again resort to restoring the entire system drive, the thought horrified me. But
    luckily while doing a bit more research prior to resorting to the same drastic recovery, I cane  across this post  of yours and it worked!
    It doesn't  seem  to be  happening with Office 2007's   or  Wordpad's  Quick Access Toolbar,  so presumably it's a File Explorer bug  (a.k.a. Windows Explorer in Windows 7, of course). Have Microsoft recorded this as
    a  bug -- if not,  why not  -- and when  are they coming up with a fix?

  • Open Directory access from outside of network / internet

    Hello all,
    Got a question I'd love to get some help on, I have some users who are outside of my network and I'd like them to connect into the open directory on our leopard server so they can use the Shared iCal calendars, addresses, etc.
    So my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
    B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
    Hope that makes sense, I can't seem to find the answers I need in the manuals, if I knew how this was meant to work I could probably have a fair go at figuring out how to actually do it (firewall changes etc)
    Thanks in advance for the help
    Martin

    So my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
    If your OD server is visible from the internet -- i.e., it has a public address -- then you can do this without the VPN. However, it's not advisable to have a server exposed in that fashion.
    You would be better off doing this through the VPN:
    - Remote user connects to internet at hotel, for example.
    - Remote user initiates VPN connection.
    - Remote user now has access to iCal server and directory information.
    Explain to the users that this information is private to the company, and private company resources are only available through the VPN. Allowing access without the VPN would be similar to the company posting its Employee roster and meeting calendars on the face of the building where any person (or competitor) could see them.
    B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
    It's just one extra step: Connect to VPN. You're still the same local user on the computer.
    If you're talking about laptop users needing directory access to authenticate when logging into their computers, well...That sounds like a whole other situation.
    Hopefully this helps.
    Bryan Vines

  • Pages (or Numbers) Template Cannot Be Opened From Outside the Application

    Ever since the upgrade to Mavericks, I cannot open a Pages (or Numbers) template without being asked.....
    Do you want to add this custom template to the Template Chooser?  Then my only options are Cancel or Add to Template Chooser.
    If I cancel, it won't open anything.
    But this template is already in my Template Chooser.
    So the only way to open a template in Pages (or Numbers) is to open the application first, and then click "New", and choose the template.
    I can't figure out a way to open the template from outside the application, which is very very handy, rather than having to open the application every time that I want to access a template.
    How can I open a template simply by clicking on it?

    Yes, the problem is that opening the template from outside of the application will not open the application, showing the document.  I only get this....
    Do you want to add this custom template to the Template Chooser?  Then my only options are Cancel or Add to Template Chooser.
    If I cancel, it won't open anything. 
    But this template is already in my Template Chooser.
    Put your Pages or Numbers document on your desktop and open it by double-clicking it, and you'll understand.  You can't do it, even if the template is in your template chooser.
    The only way to do this now is to open the application, select "New", and the select the template.  So you cannot open a template from outside the application....only from within.

  • How do I set up a static IP on Airport Express so I can activate the Connet my Mac App from outside my network?

    How do I set up a static IP on Airport Express so I can activate and use the Connect My Mac app from outside my home network?

    You will need to enable file sharing in System Preferences
    as well as setting up sharing and permissions for the
    directories that you want shared.  You may also want to
    setup a non-administrative user or allow limited guest
    access.  The user would require entering a user name and
    password to make the connection, but would allow remotes
    to change files, if set up tat way.
    As for serving iTunes media, better to post in the iTunes forum.

  • How can I use an American credit card to pay for a membership from outside the US?

    How can I use an American credit card to pay for a membership from outside the US? My payment page is set up for Japanese credit cards. I can't change to the US store, because the "Select a Store" page just jumps to the "Products" page.
    Has anyone else had this problem? Any help would be much appreciated!

    Hi Batt5721,
    Welcome to Adobe Forums.
    The address and the country on the Credit Card should match the billing address then only payment would be possible.
    Thanks
    Garima

Maybe you are looking for

  • Vertical black line running down imac screen

    This morning i noticed for the first time (wasn't there yesterday) a thin black vertical line running down my 21' imac screen. Any suggestions?

  • CONNECTING IPAD TO DENON VIA HDMI

    Can I use my ipad to connect to denon HDMI port so that I can use it as a display device to view the onscreen menu of the denon. As you know onscreen menu or GUI of denon is displayed only via HDMI port, so I want to connect my ipad to this HDMI out

  • How can i connect iphone 4 with other mobile through bluetooth

    how can i connect iphone 4 with other mobile through bluetooth

  • Macbook Pro Retina Display back to "out of box" setting

    I put some things on my new computer, but want to get it back to the "out of the box" state, so that I can start it up with a fresh backup install from my time machine.  I don't have backup disks "no optical drive", so how do I do it?

  • Cross Dimension vs FIX

    We are trying to improve calc times by using FIX statements instead of Cross Dimensional statements.We have had success with converting calcs like:"New Prod Dev" = "Total Manufacturing Expense->D904"intoFIX(D904)"New Prod Dev" = "Total Manufacturing