Dynamic PAT only?

Hi Everyone,
For below config need to know it will do the dynamic PAT only or it will do the Dynamic NAT + PAT?
object network inside_net
subnet 192.168.3.0 255.255.255.0
object network outhosts
subnet 172.16.5.0 255.255.255.0
nat (inside,outside) source dynamic inside_net interface destination static outhosts outhosts
Regards
Mahesh

Hi,
Since the "outhosts" is set as both real and mapped destination address that essentially means that no NAT will be done for the destination network.
But at the same sime it means that this Dynamic PAT configuration will only apply when the destination network is
"outhosts"
if the destination real and mapped contained different network then it would mean that NAT would also be done for the destination network.
If you had this configuration
nat (inside,outside) source dynamic inside_net interface
Then it would mean that this Dynamic PAT would apply to every destination IP address/network.
- Jouni

Similar Messages

ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
    30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
    0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
    4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
    355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
    4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
    aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
    f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
    0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
    78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
    0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
    0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
    02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
    d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
    e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
    5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
    781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

Hi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan

Dynamic PAT and Static NAT issue ASA 5515

Hi All,
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
- Bhal

Hi,
I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni

Dynamic PAT

I need some help with configuring Dynamic PAT (I think).
Here is my setup:
-Cisco UC520 runing latest software pack.
-Configuration done using CCA
-Block of 5 Public IP addresses
-2 Internal webservers on port 80
-UC500 Internal IP 192.168.10.1
-UC500 External IP 70.91.24.41
-Both internal webserver have their gateway set as 192.168.10.1
I would like to have inbound traffic fowarded internally in this way:
External IP 70.91.24.42 port 80 -----> Internal 192.168.10.6 port 80 (Webserver1)
External IP 70.91.24.43 port 80 -----> Internal 192.168.10.16 port 80 (Webserver2)
I believe this is called Dynamic PAT..? Can this be done? Do I need to to use NAT pools or something? And can it be condfigured using CCA so that I conform to out-of-band configuration?
I'm just confused on how outside clients would be able to successfully NAT if they get directed to the UC500 using IP address 70.91.24.41 but then the NAT translation changes it to 70.91.24.42 and the traffic is sent back to the clients with that IP. Wouldn't that get rejected on the client's end?
Hope I'm making sense here. Thank!
-Brian

But in this scenario, traffic would enter the network using one particular external IP and then leave the network using a different external IP address since all internal hosts are using the same gateway.
Would I need to configure multiple routes for all of the external IP addresses in my block of external IP's?

Dynamic Streaming only can work in localhost.

Could anybody tell me why the dynamic streaming can only work in the host machine but not others?
Is it related to my setting? I install the latest version of apache before the FMS4. After the installation completed,
I copied webroot, applications and other files to the web sites home directory. I also updated the FMS.ini file in the config
folder. Because I am not familiar with FMS, I don't know whether the change is correct or not. Can any expert share his/her
experience to me. Thank you very much.

There is no such restriction that Dynamic Streaming would work only on localhost.
Are you saying after installing FMS4, you installed your own Apache and changed settings to point to this Apache? Also had you installed FMS4 with Apache or without Apache?
I copied webroot, applications and other files to the web sites home directory ??? - What do you mean by this - which applications and what was the reason for copying them to home directory of website - what is this website you are talking - is it same as your new apache installation?

Dynamic LOV only Mondays.

Does anybody know of a way to use dynamic LOV's to build a select list of dates that only lists mondays?

select the_num, to_char(the_date,'Day, Mon DD,YYYY') the_date,the_day
from (/* generate 365 rows */
           select level the_num,
                  sysdate + level the_date,
                  to_number(to_char(sysdate + level,'D')) the_day
             from dual
          connect by level < 366) r
where the_day = 2I beleive there is an NLS setting that determines what day your week starts on, which could throw this off, but you could easily adject for that.
Thanks,
Tyler

Dynamic Parameter only showing 1000 records when Crystal report is run.

I have created a crystal report using ODBC access to a table that has 3000 records. I created a dynamic parameter to pull a list of all the Customer ID's in a customer table and the parameter will only show the 1st 1000 records. In addition I cannot type in the customer ID that I would like. Version of Crystal - Crystal 11.

Oh, darn. So sorry. Looks like I hyperlinked the wrong URL (You'd think I got that down by now...). Anyhow here is the correct link:
1218588 - How to increase the number of values in a dynamic parameter list in Crystal Reports?
And in case the link does not work, or I goofed again, here is a copy of the resolution:
Resolution
CAUTION
The following resolution involves editing the registry. Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall the Microsoft Windows operating system. Use the Registry Editor at your own risk. For information on how to edit the registry key, view the 'Changing Keys and Values' online Help topic in the Registry Editor (Regedit.exe). It is strongly recommended that you make a backup copy of the registry files before you edit the registry.
To increase the maximum number of values available in a dynamic parameter list of values, set the registry key: MaxRowsetRecords, to a value greater than 1,000.
Open the Microsoft Registry Editor, and navigate to the path corresponding to the version of Crystal Reports used:
Crystal Reports XI:
- HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.0\Crystal Reports\DatabaseOptions\LOV
Crystal Reports XI R2:
- HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Crystal Reports\DatabaseOptions\LOV
Crystal Reports 2008:
- HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\Crystal Reports\DatabaseOptions\LOV
Crystal Reports 2011:
- HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\DatabaseOptions\LOV
Crystal Reports 2013:
- HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\DatabaseOptions\LOV
Crystal Reports for Visual Studio 2010:
- HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Crystal Reports\DatabaseOptions\LOV
NOTES:
- Add the key: LOV, if it is not present.
- For 64 bit version of Microsoft Windows, the registry path will be slightly different, it will start with:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\...
But the rest of the registry path is the same.
Add the String value: MaxRowsetRecords
Set the value of: MaxRowsetRecords to the maximum number of values to display in the List of Values.
For example, a value of 2000 will return up to 2000 values in the lowest level of a dynamic cascading parameter.
IMPRTANT NOTES:
- The higher the number of values is, the longer it will take the see the dynamic parameter prompt screen. In brief, it impact the performance.
- The value 0 (Unlimited) will not work with BusinessObjects Enterprise XI or Crystal Reports Server XI, you must specify another value.
After making changes to the registry, close and reopen Crystal Reports, or restart the Crystal Reports services for the BusinessObjects platforms.
- Ludek

How to make the fields dynamic read only in live cycle designer

hi folks
I have created a form in Adove livecycle es. Some fields should be read only from the start. So i have set the property .access 'open'. In versions of Adobe 8 this works, but in the latest version it won't so i think it should be done via another solution. Does anybody know how?
kind regards,
Anton Pierhagen

May be the below code may help.. It loops thru all the pages in the PDF form and make them protected. So the user can not change any value in the form.
for (var i = 0; i < xfa.host.numPages; i++)
var oFields = xfa.layout.pageContent(i, "field");
var nodesLength = oFields.length;
//set the access type to be protected for all fields
for (var j = 0; j < nodesLength; j++)
var oItem = oFields.item(j);
oItem.access = "protected";
Thanks
Srini

HTML Article put together dynamically, scroll only possible after orientation change

Hi guys,
i have encountered the following problem today:
im having a HTML page put together dynamically from a JSON source file, handling the JSON information with jQuery. i am uploading said HTML page (html page is empty until the page is in the DPS stack, then it builds itself) as an HTML article with "Smooth Scrolling: Vertical". So far, so good.
When i open the page inside the Adobe Viewer App on my iPad, i can see the "first" part of the page (the first 1024px in portrait-orientation) but i am not able to scroll further down the page.
however, when i do a orientation change of the device (turn it landscape and then back), i can scroll perfectly fine and am able to see everything on the page (so im quite sure the conversion from json to jquery to html does work). even stranger, when i let the page tell me its height ( via $("body").height() and $(document).height() ) it shows me, that the height of the page is indeed (e.g.) 10.000px, but i am not able to scroll down until i do the orientation change.
am i missing something? im pretty sure that my code is correct, because once i change the orientation of my device, everything does work flawless.
i hope my problem is understandable, any help is much appreciated.
thanks
Max

Nevermind... since the HTML is empty, when the magazin gets opened, i suspect the HTML tells DPS "hey, my height is 0px, dont bother scrolling!". but once i am on the page itself and the process of bulding the page starts (HTML elements are added on the fly), it doesnt tell DPS "hey, my height changed, check if i need to be scrollable please" since im not able to scroll. when im changing orientation, it forces DPS to rerender the page and thus getting the correct height of the page.
my workaround: setting the body height to (e.g.) 20.000px and then, later on, reduce it to the actual height needed by the HTML elements.
but still: can someone explain me the process of loading / rendering pages inside DPS? when do DPS render pages, does it render pages the first time i open the app and then again when im on the page itself (or rather a page before the actual page?) is there a command to force DPS to rerender the page?

Dynamic Actions - only PA40 ?

Can we use dynamic actions in PA30... or is it juust dedicated to PA40/Actions ?
Thanks in advance

If you want the spro path
Personnel management -
> PA -
>customising procedures --->dynamic actions
For recruitment
Personnel management -
> Recruitment -
> dialog controls -
> create
dynamic actions for recruitment.
All of them get stored in T588Z.
Kindly reward in case useful.
Regards & Thanks,
Darshan Mulmule

Dynamic display-only checkbox

How can I make a checkbox display only depending on the value of another item on the page?
I imagine I need to add a process based on htmldb_item.checkbox but I cannot figure out how
Thanks
Mac

Hi,
1-If you have a checkbox item , you can use Condition Type =
Value of item in expression 1 = expression 2
2-Otherwise with APEX_ITEM.CHECKBOX :
APEX_ITEM.CHECKBOX(1,PK,
decode(your_item ,NULL,NULL,your_item )
3- with javascript, if you need it :
APEX_ITEM.CHECKBOX(1,PK,
decode(your_expression ,
your_search,
'checked onClick="your_function1" ',
'null onClick="your_function2" '
Regards,
Gregory

Give out dynamic IP only within certain range ...

I currently have the airport express' IP to be 10.0.1.1
Is there a way to tell it to only give out IP addresses in the 10.0.1.100+ range.
I have static IPs set for 10.0.1.2-10 and every time a DHCP client logs in, it kicks off one of these IPs.
any help would be great.

I have static IPs set for 10.0.1.2-10 and every time a DHCP client logs in, it kicks off one of these IPs.
Why not change them to 10.0.1.202-210 ?

Dynamic Image ONLY appearing in Safari

I am trying to create a page that uses a URL variable to get
a value from a database and use it to display an image on a page.
When I preview the page in Safari, the image appears. When I
preview the page in Firefox or IE, the
alt text appears instead of the image. The HTML code on the
page seems pretty clear, but as I said, this is my first time
trying it.
I am using DW8 on a Mac powerbook.
I have included the page source code here. The photo
'tiger.tif' is supposed to be displayed.

On 26 Jan 2007 in macromedia.dreamweaver.appdev, Bearchild
wrote:
> I am trying to create a page that uses a URL variable to
get a value
> from a database and use it to display an image on a
page. When I
> preview the page in Safari, the image appears. When I
preview the
> page in Firefox or IE, the
alt text appears instead of the
> image. The HTML code on the page seems pretty clear, but
as I said,
> this is my first time trying it.
>
> I am using DW8 on a Mac powerbook.
>
> I have included the page source code here. The photo
'tiger.tif' is
> supposed to be displayed.
I just checked - FF2 and IE6, both on Win2K, won't display
TIFFs. JPEGs,
GIFs and PNGs should all be OK.
Joe Makowiec
http://makowiec.net/
Email:
http://makowiec.net/email.php

IP which only allowed for PAT

Hello,
I am looking for example which allow some of the IP's belongs to INSIDE which can allow to using PAT method to access Internet.
With reference to URL
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1455942
It is talking about the whole 192.168.2.0/24 subnet.
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
I would like to check how should config if only allow parts of IP belongs to 192.168.2.0/24 can be PAT to internet and others will deny. Should be need create additional ACL?
Thanks!

Hi,
You might be better of limitin the mentioned hosts from connecting to the Internet in the interface ACL rather than making a special NAT configuration that determines if a host can connect to the Internet.
If you want to control which host gets NATed then you could use the Manual NAT / Twice NAT configuration instead of the above Auto NAT / Network Object NAT
Example could look something like this
object-group network PAT-SOURCE-HOSTS
network-object host <host1 ip>
network-object host <host2 ip>
network-object host <host3 ip>
nat (inside,outside) after-auto source dynamic PAT-SOURCE-HOSTS interface
You can then add the addresses directly under the "object-group" or remove them when needed.
You could naturally use small subnets instead of the host addresses in the above example if all the users are from a certain range of the subnet you mentioned. You will also have to make sure that there is no other NAT configuration on your ASA that would apply to the users.
The above Manual NAT / Twice NAT is at the lowest Section 3 (priority of NAT configuration) because it has "after-auto" as a part of the "nat" command.
Hope this helps :)
- Jouni

ASA 5505 -Can I use outside dynamic IP for webserver DMZ?

SETUP
ASA 5505
ASA Version 9.1(2)
ASDM Version 7.1(3)
I have basic license, using only three vlans (outside, inside, DMZ).
QUESTION:
I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ? I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).
So far, every setup option I have tried does not make it past the implicit deny acl's (on the outside interface) to the web-server (DMZ).
I understand that the VLAN1 (inside) had to be disabled. I understand that objects now replace some of the older NAT'd components.
CONFIG:
object network webserver-external-ip
host <X.X.X.X>
! I had set this to match my ISP DHCP address
object network webserver
host 172.16.0.2
nat (DMZ,outside) static webserver-external-ip service tcp www www
nat (DMZ,outside) static webserver-external-ip service tcp 443 443
nat (DMZ,outside) static webserver-external-ip service tcp 4125 4125
access-list outside_acl extended permit tcp any object webserver eq www
access-list outside_acl_https extended permit tcp any object webserver eq 443
access-list outside_acl_rww extended permit tcp any object webserver eq 4125
access-group outside_acl in interface outside
access-group outside_acl_https in interface outside
access-group outside_acl_rww in interface outside
! added the dns statements below because the cisco doc (below) says it's required or dmz traffic can't get out despite default rule allowing it to do so.
! (ctrl-F) ... "all traffic would be blocked from the dmz to hosts on the internet"
! http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml
object network dns-server
host 8.8.8.8
exit
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended permit ip any any
access-group dmz_acl in interface DMZ
SUMMARY:
I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).
I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ?
Other:
As an interim alternative, I have been able to setup & connect to the ASA using clientless vpn (web-ssl), and from there getting over to my WHS2011 server...-but the problem is, I have no way of knowing, or updating my DDNS once that IP changes since the ASA keeps blocking the return traffic to theh outside interface. My only assumption is that becasue I am using a single dynamic IP (outside interface) that it has nothing to re-direct the traffic to....???
Thank You for any help you can provide!!
k/r

Hi,
I cant really help with the DDNS portion but I would imagine you already have that sorted out.
The ASA configurations however seem a bit off to me.
Here is what you should configure
STATIC PAT TO HOST SERVICES
There are some changes that need to be done to both ACL and NAT configurations. First of the NAT configurations for each port require their own "object network" to be configured.
Also since you are using a DHCP address from the ISP to act as the NAT address then you can use the keyword/parameter "interface" in the actual "nat" command. This basically tells the ASA that it should use whatever IP address is currently on the "outside" interface of the ASA. So you wont have to configure any separate "object network" for the public IP address every time it changes.
Also, with regards to the ACL configurations. You should only configure one ACL per interface in the "in" direction. So all the rules you need to configure for traffic inbound from the Internet need to be in the same ACL that you then attach to the "outside" interface with the command "access-group"
object network WEBSERVER-TCP80
host 172.16.0.2
nat (DMZ,outside) static interface service tcp www www
object network WEBSERVER-TCP443
host 172.16.0.2
nat (DMZ,outside) static interface service tcp 443 443
object network WEBSERVER-TCP4125
host 172.16.0.2
nat (DMZ,outside) static interface service tcp 4125 4125
access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www
access-list outside_acl extended permit tcp any object WEBSERVER-TCP443 eq https
access-list outside_acl extended permit tcp any object WEBSERVER-TCP4125 eq 4125
access-group outside_acl in interface outside
DYNAMIC PAT FOR LANs and DMZs
The above NAT configurations only handles the NAT for situations where the remote hosts on the Internet contact your DMZ server.
If you want to configure Dynamic PAT for all your LAN and DMZ users which basically enable them to use the "outside" interface public IP address for Internet traffic, then you could configure this single "nat" configuration
nat (any,outside) after-auto source dynamic any interface
This would enable Dynamic PAT for all users behind the ASA
I am not sure if you will run into problems since you are using a single public IP address and trying to forward TCP/443. This port is both used for SSL VPN and ASDM management of the ASA.
If you want to change the default port of the ASDM management you can use this command
http server enable
If you want to change the default port of SSL VPN you can use these commands
webvpn
port
Naturally before doing either of the above changes, make sure that you are not relying to them for management purposes if something was to go wrong. If you have SSH management access to the ASA then it should naturally be ok.
I am not sure if all of the above are enough to get your setup working but it should be the basics. Naturally if there is still problems after the above suggestions it might be helpfull to see the current ASA configurations. For example NAT might not work if the ordering of NAT rules is wrong even though the actual configurations are otherwise valid.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni

Dynamic PAT only?

Similar Messages

Maybe you are looking for