EP Implementation in DMZ

Hi, we currently have a requirement of allowing our business partner to access our EP. We currently have an EP for our internal users. May I know if it is advisable to have our current EP placed in the DMZ so that our business partners can access it too? Or can we put another EP inside the DMZ for our partners to use? Thanks.

You can use the same portal for other groups also.
The only thing required is proper authorization for the user groups.
You need to assign only the relevant roles to the user/group of users.
Raghu

Similar Messages

  • 'Logical' DMZ?

    I have an ASA 5510 and I need to implement a DMZ.  I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch.  So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up.  Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)?  I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct?  If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)?  And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port, like creating SVIs on a L3 switch, correct?  If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging.  I'll try to get a diagram together that addresses this more clearly.
    Regards,
    Scott

    @Jeff
    The problem isn't so much on the server side as much as it is on the ASA side.  If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:
    interface GigabitEthernet0/0
         description Outside
         ip address 192.168.1.1 255.255.255.0
         name Outside
         security-level 0
    interface GigabitEthernet0/1
         description Inside
         ip address 192.168.2.1 255.255.255.0
         name Inside
         security-level 100
    interface GigabitEthernet0/2.10
         description DMZ
         vlan 10
         name DMZ
         security-level 50
    interface GigabitEthernet0/2.??
         description Inside
         vlan ??
         name Inside-Too
         security-level ??
    Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with.  I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1.  I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside.  The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.

  • ASA 5510 DMZ creation

    Hi,
    I need to implement a DMZ in my office. Before talking about the configuration, I would like to know best practices for implementing a DMZ.
    My questions are:
    1) Is traffic from inside to DMZ permitted by default?
    2) What about DMZ to inside traffic?
    3) Is it necessary to do a NAT from inside to DMZ with the same IP as inside?
    4) What is the use of "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"? Is it a no-NAT statement?
    5) Is it necessary to permit traffic from DMZ to inside?
    6) Suppose I have a web server in the DMZ; for an inside host, will it take the path through the ASA or the path through the internet?
    Please share your advices
    Thanks
    Vipin

    Please check the below scenario and configuration and let me know whether it will work or not
    Assume my inside network is 192.168.1.0/24
              outside network is 199.199.7.64/29
              DMZ network is 192.168.2.0/24
       DMZ server IP address --> 192.168.2.2
    please see the below configuration which i am planning to implement
    ===================================
    1) Configure interfaces, IP addresses
    ===================================
    interface Ethernet0/0
    description "Connection to LAN"
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description "Connection to outside"
    nameif outside
    security-level 0
    ip address 199.199.7.66 255.255.255.248
    interface Ethernet0/2
    description "DMZ"
    nameif DMZ
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    =====================================
    2) Configuring PAT for inside and default route
    =====================================
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 199.199.7.65 1
    =====================================
    3) Configure static NAT for DMZ server
    =====================================
    ! 192.168.2.2 lives on the DMZ interface, so the real interface in the pair is DMZ, not inside
    static (DMZ,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255
    =====================================
    4) Rule to permit traffic from outside to DMZ server
    =====================================
    access-list OUTSIDE_INSIDE extended permit ip any host 199.199.7.67
    access-group OUTSIDE_INSIDE in interface outside
    ====================================
    5) Rule to permit traffic from DMZ server to outside
    ====================================
    access-list DMZ_OUTSIDE extended permit ip host 192.168.2.2 any
    access-group DMZ_OUTSIDE in interface DMZ
    ====================================
    6) No NAT from inside to DMZ and DMZ to inside
    ====================================
    static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    ====================================================================================
    I have some questions as well.
    1) Is this configuration right?
    2) Is there anything wrong in title 5 and title 6 (I mean the configuration I mentioned above)?
    3) Is there anything else I need to configure?
    Please advise........
    Thanks
    Vipin
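Added example for the configuration above; this is editor-supplied Python, not the poster's config and not a Cisco tool. It reads the interface blocks and the pre-8.3 style static statements and flags any static whose real (local) address is not on the subnet of the interface named first in the pair. That is the defect most likely to creep into a first DMZ build: 192.168.2.2 sits on the DMZ subnet, so its static must be written as static (DMZ,outside), not static (inside,outside). It also encodes the ASA's default interface policy, which answers questions 1, 2 and 5: with no access-list applied, connections from a higher security level to a lower one (inside to DMZ, DMZ to outside) are permitted and their return traffic follows the stateful connection, while lower to higher (DMZ to inside, outside to DMZ) is denied until an access-list applied inbound on the lower-security interface permits it. The configuration text inside the block is constructed from the subnets and names in the post, with the wrong interface pair left in on purpose so the check has something to find.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, built from the subnets in the post above. The first
# static deliberately names "inside" as the real interface for a host that
# lives on the DMZ subnet, which is the error the linter is meant to catch.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 description "Connection to LAN"
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 description "Connection to outside"
 nameif outside
 security-level 0
 ip address 199.199.7.66 255.255.255.248
interface Ethernet0/2
 description "DMZ"
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
static (inside,outside) 199.199.7.67 192.168.2.2 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)", re.M)


@dataclass
class Iface:
    name: str
    level: int
    network: ipaddress.IPv4Network


def parse_interfaces(cfg):
    """Collect nameif / security-level / ip address from each interface block."""
    ifaces, cur = {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["net"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if all(k in cur for k in ("name", "level", "net")):
            ifaces[cur["name"]] = Iface(cur["name"], cur["level"], cur["net"])
            cur = {}
    return ifaces


def lint_statics(cfg):
    """One finding per static whose real address is not on the real interface."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for m in STATIC_RE.finditer(cfg):
        real_if, mapped_if = m["real_if"], m["mapped_if"]
        if real_if not in ifaces or mapped_if not in ifaces:
            findings.append(f"{m.group(0).strip()}: unknown interface name")
            continue
        real_net = ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=False)
        if real_net.subnet_of(ifaces[real_if].network):
            continue
        owner = next((i.name for i in ifaces.values()
                      if real_net.subnet_of(i.network)), None)
        findings.append(
            f"{m.group(0).strip()}: {m['real']} is not on {real_if} "
            f"({ifaces[real_if].network}); it is on {owner or 'no configured interface'}, "
            f"so the statement should read static ({owner or '?'},{mapped_if}) ...")
    return findings


def default_policy(ifaces, src, dst):
    """What the ASA does with new connections src -> dst when no access-list is applied."""
    a, b = ifaces[src].level, ifaces[dst].level
    if a > b:
        return "permitted by default (higher to lower security level); return traffic rides the stateful connection"
    if a < b:
        return "denied by default (lower to higher); needs an access-list applied inbound on the source interface"
    return "same security level: dropped unless same-security-traffic permit inter-interface is set"


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for finding in lint_statics(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for src, dst in (("inside", "DMZ"), ("DMZ", "inside"), ("outside", "DMZ")):
        print(f"{src} -> {dst}: {default_policy(ifs, src, dst)}")
```

Two caveats a practitioner would add after running this. First, access-list OUTSIDE_INSIDE permits ip any to the server, every protocol and port; narrow it to the service ports the DMZ host actually offers. Second, once DMZ_OUTSIDE is applied inbound on the DMZ interface it governs everything that interface receives, and "permit ip host 192.168.2.2 any" matches 192.168.1.0/24 too, so the DMZ server would be allowed to open connections into the inside network despite its lower security level; put an explicit deny to 192.168.1.0/24 ahead of that permit, which is the whole point of having a DMZ.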

  • Implementing AD LDS to Authenticate for External Users

    Hello,
    I'm able to find documentation on AD LDS but I can't confirm if it's what I want.
    My client is setting up an ecommerce site through Volusion and they want to be able to authenticate using Active Directory for their customers.
    I personally don't like the idea of opening up the network for customers. AD LDS seems to be the right solution on a tight budget but I can't confirm if it will work.
    The Environment:
    Server 2012 1: DC; AD; Hyper-V
    VM Server 2012 2: File Server (Hosted on Server 1)
    VM Server 2012 3: DirSync (Hosted on Server 1)
    MS documentation suggests AD LDS not be set up on a DC, as well as placing the server in a DMZ. Unfortunately I can't implement a DMZ at the moment. I would like to put AD LDS on the File Server. There is a web developer working on the ecommerce side; I just have to provide the authentication. I'm going to try a trial version of OneLogin, but for a couple thousand users, it could get expensive.
    Questions:
    What resources are recommended for AD LDS? (RAM, HDD Space, etc.) I only need AD LDS right now for 5-10 users but if I decide to go with it, it would need to handle a couple thousand accounts.
    Is there special process of creating a SSL Certificate for authentication? Or should one be purchased?
    How secure is AD LDS?
    Does anyone know of any good how-to guides for linking AD LDS to an external PHP site?
    Thanks in advance!
    -Jake

    Hi Jake,
    Based on my research, AD LDS provides flexible support for directory-enabled applications without the dependencies that are required for Active Directory Domain Services, which doesn't mean that it is more secure than AD DS on an external network.
    AD FS is more secure and provides a Single Sign-On function. If you don't have web applications on the external network which require SSO, here is another suggestion for you: deploy an RODC.
    Deploying an RODC is a simple solution; you can select users which need to authenticate from the external network and store their credentials on the RODC. In addition, due to its read-only feature, it can be placed in locations where physical security cannot be guaranteed.
    Here are some references for you:
    Active Directory Lightweight Directory Services Overview
    http://technet.microsoft.com/en-us/library/6a3bedf7-9c5b-4ada-9a51-6b794adc9ab8.aspx
    Federation scenarios
    http://technet.microsoft.com/en-us/library/cc757344(v=WS.10).aspx
    AD DS: Read-Only Domain Controllers
    http://technet.microsoft.com/en-us/library/cc732801(v=WS.10).aspx
    Best Regards,
    Amy

  • SocialMiner Integration with LinkedIn and WhatsApp

    Hi Everybody,
    One of my customers wants to integrate Cisco SocialMiner with LinkedIn and WhatsApp, but I did not find integration information in the product guides. One of my team members told me that we can achieve LinkedIn integration through REST APIs, but I am still doubtful because it was not mentioned anywhere in the documents. So please guide me on how we can achieve it. Thanks in advance.
    Cheers :)
    Regards
    Qamar Khan

    I had the client implement a DMZ and have part of the public IP block assigned to it. We then placed the SocialMiner server in the DMZ and only opened the necessary ports from the OUTSIDE to the DMZ and from the DMZ to the INSIDE. PDI said that doing NAT to the SocialMiner server is not currently supported. Also, we are doing this without setting up the optional proxy server.

  • IChat behind NAT can't video chat with AOL IM

    I've been trying to get iChat to video chat with AOL IM for a month, with intermittent success. iChat to the apple test accounts works perfectly, but with AOL IM it always says I didn't respond. I finally used a packet sniffer to debug the protocol communication, and found the problem.
    My problem is my mac is behind a NAT firewall. iChat doesn't properly detect my public IP address. When it negotiates the video chat with AOL IM, it gives the local, private IP address only useful behind the NAT, not the public IP the NAT uses. I can see it right there in the video chat request packet.
    Apparently, when talking iChat to iChat, the programs ignore the IP address given in the negotiation, using the source IP address of the packet instead, which avoids the NAT problem. AOL IM on the other hand, ignores the source IP of the packet, and believes the (incorrect) address in the request. So AOL's attempt to set up a video channel goes off into the weeds. Opening ports is irrelevant.
    The reason it works for me part of the time is, my NAT happens to implement the "DMZ" functionality by giving the computer inside the same IP address as the public IP address. So it works for me if and only if I put my mac in the DMZ. In that state, iChat gets the right IP, the one addressable from the outside world.
    The NAT firewall that works (provided I put the mac in the DMZ) is a 2wire homeportal 1800. I've also tried with a DLink DI-524. It doesn't do the IP address trick, so no luck at all with it.
    It would be great if iChat would use a trick like http://checkip.dyndns.org/ to get the real, external, public address of my computer, and use THAT to negotiate the video chat with AOL IM.
    MacBook Pro   Mac OS X (10.4.5)  

    Hi Jim,
    On devices that do not have UPnP then yes it is either Port Forwarding with all 29 ports if doing Jabber, Bonjour and AIM or Port Triggering with fewer entries if you have that.
    If you have either UPnP or Port Triggering then you can effectively keep DHCP as they allow multiple computers and the entries or turning it on in the case of UPnP do not point to a specific computer.
    Static addresses are best with Port Forwarding as there is a possibility that the IP address will change with DHCP.
    The pics on this site show only Port Forwarding.
    There are however several versions of this router and also variations as to numbers in different countries so in fact you may have UPnP. Firmware updates from Netgear may also give you UPnP.
    10:12 PM Sunday; April 30, 2006

  • Static NAT or NAT exemption?

    So my situation is kind of unique. I'm currently configuring an ASA 5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IPs..... yes, it's weird. We are currently working on eliminating the public VLAN in our office. Currently half the company is using these public IPs for their computers and half are on a private VLAN. We also have several servers on the public VLAN. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public VLAN and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public VLAN.
    We were looking at 2 solutions.
    1. NAT the server IPs to themselves, i.e. if the server has an IP of 80.80.80.2 then the NAT statement would look something like:
    nat (inside,outside) 80.80.80.2 80.80.80.2
    This is what we think would work best.
    2. We create a nat exemption rule for that entire public vlan.
    Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

    The only difference between these options is that static identity NAT creates an xlate entry on the firewall, whereas NAT exemption does not create the xlate on the firewall.

  • Implementing a Reverse Proxy Alone in a DMZ Configuration....???

    Hi All,
    Has anybody implemented this configuration?
    Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 [ID 726953.1]
    We are planning to implement this configuration; please guide me if anybody has implemented it and is working with this configuration.
    Thanks
    RB

    Hi,
    1) In that document they have used 10g Web Cache as the reverse proxy, but in my case mod_proxy is already in place. Can I use this mod_proxy in place of 10g Web Cache?
    A number of options exist for choosing a reverse proxy -- see (Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]), Appendix D: Reverse Proxy Configuration.
    It is also explained in this article.
    In-Depth: Demilitarized Zones and the E-Business Suite
    http://blogs.oracle.com/stevenChan/2006/05/indepth_demilitarized_zones_an.html
    2) I have 2 web nodes load balancing through the reverse proxy. Do I need to configure the external web node on both the web nodes, according to the above doc?
    You do not need to have a dedicated reverse proxy for each web tier node (see the second diagram in this doc).
    Advanced Deployment Architectures for Oracle E-Business Suite (OpenWorld 2008 Recap)
    http://blogs.oracle.com/stevenChan/2008/11/advanced_deployment_architectures_for_oracle_ebs.html
    Thanks,
    Hussein

  • Log Out Page is Not working in R12.1.3 DMZ

    Hi Everyone ,
    Good Evening.
    Apps Version : 12.1.3
    DB Version 11.2.0.3
    PLatform : AIX 6.1
    Arch : LBR ---> Reverse Proxy ----> EXternal Middle Tier (DMZ) --- DB
    I am able to log in to the external middle tier using the URL https://LBR.Domain/OA_HTML/AppsLocalLogin.jsp. I am able to navigate the links like Preferences, Diagnostics, Home. But as soon as I click on the Log Out link, I get an HTTP 500 error.
    One thing which I have observed is that the logout URL is changing to the host name of the server instead of the LBR name, as in
    (https://hostname.domain/OA_HTML/AppsLocalLogin.jsp?cancelUrl=/OA_HTML/AppsLocalLogin.jsp&_logoutRedirect=y&langCode=US)
    I have already followed the docs on Metalink but no luck. I have tried running AutoConfig and bouncing the application but no luck. I enabled debug for OC4J but couldn't get anything.
    Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i [ID 217368.1]
    Oracle E-Business Suite R12 Configuration in a DMZ (Doc ID 380490.1)
    MOS Doc 380489.1 (Using Load-Balancers with Oracle E-Business Suite Release 12)
    Tips and Queries for Troubleshooting Advanced Topologies (Doc ID 364439.1)
    Enabling SSL in Oracle E-Business Suite Release 12 (Doc ID 376700.1)
    Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 (Doc ID 726953.1)
    Regards
    Sourabh Gupta

    Access Log
    192.25.91.72 - - [12/Jan/2013:03:19:51 -0800] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 302 654
    192.25.91.72 - - [12/Jan/2013:03:20:09 -0800] "GET /OA_HTML/RF.jsp?function_id=33375&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&params=Qs-5KmFWI7wTvCh5zUbV0Q&oas=kukIe_oeKd3-mIFqpYDc-g.. HTTP/1.1" 200 36832
    192.25.91.72 - - [12/Jan/2013:03:20:12 -0800] "GET /OA_MEDIA/nlsgb.gif HTTP/1.1" 404 224
    192.25.91.72 - - [12/Jan/2013:03:20:13 -0800] "GET /favicon.ico HTTP/1.1" 404 217
    192.25.91.72 - - [12/Jan/2013:03:20:43 -0800] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG&_ri=0&_ti=1178971693&language_code=US&requestUrl=&oapc=2&oas=yYEcdVDqcyn1J76kQdGvIg.. HTTP/1.1" 302 297
    192.25.91.72 - - [12/Jan/2013:03:20:49 -0800] "GET /OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE HTTP/1.1" 200 23961
    192.25.91.72 - - [12/Jan/2013:03:20:51 -0800] "GET /favicon.ico HTTP/1.1" 404 217
    192.25.91.72 - - [12/Jan/2013:03:20:51 -0800] "POST /OA_HTML/RF.jsp?function_id=MAINMENUREST&security_group_id=0 HTTP/1.1" 200 527
    192.25.91.72 - - [12/Jan/2013:03:20:58 -0800] "GET /OA_HTML/OALogout.jsp?menu=Y HTTP/1.1" 302 255
    192.25.91.72 - - [12/Jan/2013:03:20:59 -0800] "GET /OA_HTML/AppsLogout HTTP/1.1" 302 474
    192.25.91.72 - - [12/Jan/2013:03:21:21 -0800] "GET /OA_HTML/xxatatgibeCAcdLogin.jsp HTTP/1.1" 200 4955
    192.25.91.72 - - [12/Jan/2013:03:21:22 -0800] "GET /favicon.ico HTTP/1.1" 404 217
    Error Log
    [Sat Jan 12 05:27:42 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997262:192.25.89.136:17825804:0:16,0] mod_oc4j: Response header 3, Key: Location, Value: https://LBR:443/OA_HTML/AppsLogout
    [Sat Jan 12 05:27:42 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1748): [client 192.25.91.72] [ecid: 1357997262:192.25.89.136:17825804:0:16,0] mod_oc4j: sending response chunk to client: 243 bytes
    [Sat Jan 12 05:27:42 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_main.c(554): [client 192.25.91.72] [ecid: 1357997262:192.25.89.136:17825804:0:16,0] mod_oc4j: Successfully serviced the request by worker: home.
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(845): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Sending request to: hostname.cos.domain.com:21530
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(900): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: num request headers: 13
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 0, Key: Accept, Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 1, Key: Accept-Charset, Value: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 2, Key: Accept-Encoding, Value: gzip,deflate,sdch
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 3, Key: Accept-Language, Value: en-US,en;q=0.8
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 4, Key: Connection, Value: Keep-Alive
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 5, Key: Cookie, Value: OTST_pses=ZGF3942C49577C19434B20BB2BFC38217F24B83798344666F7EBDA8A2CE821953ED87BB7860DF6137DC51AB7F3AB1DD1D7; JSESSIONID=1d74eb5633089116f24c2c69ae565cbadc116765f9bbba7ef053c2d31f9f18a2.e38QahiPbxuObi0LbxeKaN0Kch0Re0; rvprod=; AGRL=thcgn_ivteb36%40lnubb.pb.va%7C%3A%3Bbde49ffdb22662e94721e6e73d7c20f4%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3B57f4c9dc1bf265e6378a7ea00a65338f%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3B4ed5d2eaed1a1fadcc41ad1d58ed603e%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3Bdb486e4cdf8b2048591e59f683319c4c%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3B459d9fca17e3a950deae755d13578292%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3Bed89387bcd11937a7a92a99a2cbfb5d7%3A%3Dox20hZArLI714LpPDtK%2Fhw%3D%3D%3A%3Bef21925fada6dfb684b5d8ec72114bb1%3A%3DATXmBagSN%2B8f817OiRKOyg%3D%3D%3A%3Bf7a42fe7211f98ac7a60a285ac3a9e87%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3B851f5ac9941d720844d143ed9cfcf60a%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3B9ed39e2ea931586b6a985a6942ef573e%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D%3A%3Becfdd0a8fcb7dac5ef0e651b7a6bb24c%3A%3DUmaluUp4qT5fgOwL8NFUGg%3D%3D; AGWL=; s_vi=[CS]v1|2834C339851633B7-600001A68017C480[CE]; treemenu1=none open; OTST=t3ThpFHMpGPbJV3neU811CUwTg; oracle.uix=0^^GMT+5:30^p
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 6, Key: Host, Value: hostname.cos.domain.com:4493
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 7, Key: Referer, Value: https://LBR/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 8, Key: User-Agent, Value: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 9, Key: X-Forwarded-For, Value: 192.25.91.88
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 10, Key: X-Forwarded-Host, Value: LBR
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 11, Key: X-Forwarded-Server, Value: LBR
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(914): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Request header 12, Key: Oracle-ECID, Value: 1357997264:192.25.89.136:12451862:0:52,0
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(980): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: jvm_route: e38QahiPbxuObi0LbxeKaN0Kch0Re0
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1117): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: uri4oc4j: /OA_HTML/AppsLogout
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1668): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] Number of response headers: 8
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 0, Key: Date, Value: Sat, 12 Jan 2013 13:27:43 G
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 1, Key: Content-Type, Value: text/html
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 2, Key: Set-Cookie, Value: JSESSIONID=1d74eb5633089116f24c2c69ae565cbadc116765f9bbba7ef053c2d31f9f18a2.e38QahiPbxuObi0LbxeKaN0Kch0Re0; path=/OA_HTML; secure
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 3, Key: Set-Cookie, Value: OTST=-1; Domain=.domain.com; Path=/; Secure
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 4, Key: Cache-Control, Value: no-cache
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 5, Key: Pragma, Value: no-cache
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 6, Key: Expires, Value: Thu, 01 Jan 1970 00:00:00 GMT
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1700): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Response header 7, Key: Location, Value: https://hostname.cos.domain.com/OA_HTML/AppsLocalLogin.jsp?cancelUrl=/OA_HTML/AppsLocalLogin.jsp&_logoutRedirect=y&langCode=US
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_ajp13_worker.c(1748): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: sending response chunk to client: 462 bytes
    [Sat Jan 12 05:27:44 2013] [debug] /ade/plebld_ascore_467553/oracle/asg_apache/oc4j/src/oc4j_main.c(554): [client 192.25.91.72] [ecid: 1357997264:192.25.89.136:12451862:0:52,0] mod_oc4j: Successfully serviced the request by worker: home.
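Added example, not code from Oracle or from the thread. The debug log above shows the mechanism behind the symptom: the request reaches the middle tier with Host: hostname.cos.domain.com:4493, the load balancer's name survives only in X-Forwarded-Host: LBR, and the AppsLogout response carries a Location built from the internal host name, so the browser is sent to a host it cannot reach through the DMZ. The Python below is the response-side rewrite a reverse proxy performs for exactly this case (Apache's ProxyPassReverse directive applies the same rule): an absolute Location that points at a backend host is rewritten to the public scheme and host recorded by the front proxy, and everything else is left alone. In EBS the supported fix is to make the external tier generate the public URL itself through the web entry point values AutoConfig writes into the context file, so this filter is a way to see the mechanism and a stopgap in front of the app, not a replacement for that. The header values are constructed from the log; the backend host set and the three function names are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Host names of the OC4J/Apache middle tier behind the load balancer (from the
# debug log above). Only the host part of a Location is compared, so the port
# the backend listens on does not matter here.
BACKEND_HOSTS = {"hostname.cos.domain.com"}

# Constructed from the request and response headers in the debug log above.
REQUEST_HEADERS = {
    "Host": "hostname.cos.domain.com:4493",
    "X-Forwarded-Host": "LBR",
    "X-Forwarded-Server": "LBR",
    "X-Forwarded-For": "192.25.91.88",
}
BACKEND_LOCATION = ("https://hostname.cos.domain.com/OA_HTML/AppsLocalLogin.jsp"
                    "?cancelUrl=/OA_HTML/AppsLocalLogin.jsp&_logoutRedirect=y&langCode=US")


def public_origin(request_headers, default_proto="https"):
    """Scheme and host the browser actually used, as recorded by the front proxy.

    X-Forwarded-* must only be trusted when your own load balancer or reverse
    proxy sets it and strips any client-supplied copy; otherwise an attacker's
    X-Forwarded-Host turns this rewrite into an open redirect to their host.
    """
    host = request_headers.get("X-Forwarded-Host") or request_headers.get("Host", "")
    host = host.split(",")[0].strip()          # first hop if several proxies appended
    proto = request_headers.get("X-Forwarded-Proto", default_proto)
    return proto, host


def rewrite_location(location, request_headers, backend_hosts=BACKEND_HOSTS):
    """Rewrite an absolute Location that names a backend host to the public origin.

    Relative Locations and absolute ones pointing elsewhere are returned unchanged.
    """
    parts = urlsplit(location)
    if parts.hostname is None or parts.hostname not in {h.lower() for h in backend_hosts}:
        return location
    proto, host = public_origin(request_headers)
    return urlunsplit((proto, host, parts.path, parts.query, parts.fragment))


def filter_response_headers(response_headers, request_headers, backend_hosts=BACKEND_HOSTS):
    """Apply rewrite_location to every Location header of a proxied response."""
    return [(k, rewrite_location(v, request_headers, backend_hosts) if k.lower() == "location" else v)
            for k, v in response_headers]


if __name__ == "__main__":
    fixed = filter_response_headers(
        [("Content-Type", "text/html"), ("Location", BACKEND_LOCATION)], REQUEST_HEADERS)
    for key, value in fixed:
        print(f"{key}: {value}")
```

The redirect the user saw becomes https://LBR/OA_HTML/AppsLocalLogin.jsp?cancelUrl=... with the query string intact. Note that the same log shows a Set-Cookie with Domain=.domain.com; cookie scope is a separate rewrite (ProxyPassReverseCookieDomain in Apache) and is not handled by this filter.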

  • How can I use two different public IP addresses on my DMZ with an ASA firewall?

    How to use two different public IP addresses on my DMZ with an ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation for which I'm looking for a solution?
    My old range of public IP addresses is exhausted, I mean the 41.x.x.0 range.
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is exhausted and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP address ranges on the same DMZ on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with sub-interfaces on both the router and the ASA interface.
    Can someone please give me some help with a practical config sample?
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture, you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have got a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (as it seems to be for the current servers)?
    To get the routing working, naturally the only thing needed between your router and firewall would be a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your router and the ISP core could be handled either with static routing or dynamic routing.
    So you don't really need to change the interface configuration between the router and the ASA at all. You just need a static route pointing the new public IP range towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/your router - your firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range, AND then configure the LAN devices correspondingly to the chosen method on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would require you only to start configuring static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration, other than for the different IP addresses of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case, though, you might run into the problem with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at the earliest.
    - Jouni
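Both options from the reply above, written out as an added configuration example (not the poster's config and not taken from Cisco documentation); the router address, ASA interface name, VLAN id, security level and all host addresses are assumptions using documentation ranges, and the ASA syntax is the 8.3+ object NAT form.

```cisco
! Router (assumed to sit between the ISP and the ASA): send the new public range
! 203.0.113.0/24 to the ASA OUTSIDE address, assumed here to be 198.51.100.2.
ip route 203.0.113.0 255.255.255.0 198.51.100.2

! ASA, option 1: public addresses directly on the hosts via a new subinterface.
! Parent interface, VLAN id and security level are assumptions.
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz-public
 security-level 50
 ip address 203.0.113.1 255.255.255.0
! ASA 8.3+ passes traffic with its real address when no NAT rule matches,
! so only an inbound policy is needed; expose just the service that is required.
object network DMZ-PUBLIC-WEB
 host 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object DMZ-PUBLIC-WEB eq 443

! ASA, option 2: keep a private address on the server and translate it on OUTSIDE.
! The "dns" keyword makes the ASA rewrite A-record answers that traverse it, so
! LAN users resolving the public name receive the private address; this is the
! DNS problem described in the reply above. Addresses are assumptions.
object network DMZ-WEB
 host 10.10.10.20
 nat (dmz,outside) static 203.0.113.11 dns
! On 8.3+ the outside ACL references the real (untranslated) address via the object.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443

! Apply the inbound policy once; anything not explicitly permitted stays denied.
access-group OUTSIDE_IN in interface outside
```

The DNS rewrite only applies to DNS replies that actually pass through the ASA with DNS inspection enabled; LAN hosts using an internal resolver that answers with the private address do not need it.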

  • Issue with cookies in DMZ multi node envt

    Hi ,
    We are facing the following issue at our client site:
    The client has implemented iStore and iSupport on top of the existing Oracle Applications (11.5.10).
    For these two modules they have added a DMZ node for their customers to place iStore orders and to use iSupport.
    For the other internal users who use the other modules they have the internal node. The internal and external nodes have different domain names.
    They also have some internal users having access to iStore and iSupport as well as the other modules. So they access the apps from both the external and internal nodes.
    The issue is as follows: the user logs on to iStore/iSupport through the external node (eccp.company.com domain).
    Once they are in the iStore/iSupport pages, without logging off or closing the browser, if the user goes to the internal node URL AppsLocalLogin.jsp (prodapp01.company.com) in the same browser with a different user name, he gets the responsibility of the user who had logged in through the external node on the home page, with the LAF changes for iStore and iSupport. But it will not allow them to navigate further. So the users won't see their regular home page when they log on to the internal node in this case. This might be because the home page (AppsLocalLogin) doesn't associate the correct cookie when the user logs on through the internal node in the same browser (the browser has both cookies).
    How do we solve this issue? Is there any set-up/patch available for this scenario? Any help on this is greatly appreciated.

    I don't see much relevance of this issue with OAF. It is more of your DMZ setup issue. For better response, you can post it in forum "Managing Oracle Applications" http://forums.oracle.com/forums/forum.jspa?forumID=40&start=0
    --Shiv

  • Domain Controller going down after IDM implemented

    Hi,
    We have implemented IDM 7.1 and are using the PSS (Password Self Service) and Password Synchronization functionality for 2 AD and 6 ABAP systems. This PSS is implemented to support our company ESS, which is on the internet, so that users can reset their own password. Hence, to support it we have an architecture with one AD in the DMZ and another internal.
    Both AD repositories have been configured pointing to a particular DC (Domain Controller). All the DCs have Phook installed on them.
    Since go-live we have not had any issue with the DC in the DMZ, but the internal DC keeps going down once in a while and it doesn't follow a pattern. We tried switching to different DCs also, which didn't work. Right now we are keeping a close watch on the DC and we carry out a restart whenever it happens.
    Did anyone come across such an issue? If so, please let me know.
    Thanks.

    Hi Ahmed,
    Thank you for your quick response!  Our secondary domain controller IP settings were set properly according to the recommendation, but the primary (the one having the issues) was not. I went ahead and changed the settings, did an ipconfig /registerdns and restarted the netlogon service. Nothing changed after that. I ran a dcdiag and the only one that failed was this:
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=*hidden*,DC=*hidden*
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=*hidden*,DC=*hidden*
             ......................... *hidden PDC Name* failed test NCSecDesc
    I'm going to restart the server tonight after those IP changes and let you know my outcome.
    Thanks again!

  • Create Shopping Page gives Javascript Error - Sun JVM in a DMZ?

    Hi SDN
    We are running on SRM 5.0, with server at 5.5, and we have just implemented SP 11. Since then, our users running IE with the Sun JVM 1.4.2_10 are getting a JavaScript error every time an applet loads on their page (in this case, it is the applet within the Document & Attachments section). Moreover, our portal is being hosted on an SSL secured server within our DMZ, in conjunction with a Provencia IDS System, Blue Coat hardware, RadWare, etc.
    The only way we can make that page work is by disabling the Sun JVM and using the MS version of the JVM. At that point, there is no issue with the applet on our SSL secured Portal. Even funnier is that when I call the Portal Server directly (without the SSL proxy), even if I run the Sun JVM, I'm not getting the error. Since we have over 1000 users, it would be impossible to have all of them make that change... We need to make that work.
    Have you ever experienced something like that? If yes, what have you done to fix it? Any suggestions, OSS notes?
    Thanks in advance
    Eric L.

    I am having almost the same issue.  This is what my java console throws "load: class com.sapportals.portal.epcf.EPCMfactory not found."

  • After configuring DMZ unable Supplier login to Sourcing modules

    After configuring DMZ unable Supplier login to Sourcing modules
    You have encountered an unexpected error. Please contact the System Administrator for assistance.
    Regards,
    Amit Chowrasia

    mikey.askdbaonline wrote:
    Did anybody face this issue earlier? We are also getting this error:
    [Wed Jan 16 07:28:08 2013] [error] mod_ossl: Unknown error
    [Wed Jan 16 07:28:08 2013] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server test.com:4443, client 192.168.1.22)
    [Wed Jan 16 07:28:08 2013] [error] mod_ossl: Unknown error
    [Wed Jan 16 07:28:08 2013] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server test.com:4443, client 192.168.1.22)
    [Wed Jan 16 07:28:08 2013] [error] mod_ossl: Unknown error
    Regards,
    Amit Chowrasia
    What is your application release? What version of JRE are you running?
    Is SSL enabled?
    Is the issue with one module only?
    What document did you follow to implement DMZ?
    Can you find any errors in access_log file (assuming the above from error_log file)?
    Can you find any errors in the application.log file and/or in the database log file?
    Thanks,
    Hussein

  • DMZ Ports to Communicate with SCCM Primary Server

    Hello,
    I have searched and came to know that on the firewall, the following ports should be open for the DMZ to communicate with the SCCM primary server:
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135, TCP 445
    We are planning to implement software on a DMZ server which should communicate with the SCCM primary server.
    Do the above ports work for communication from the DMZ to the Primary, or are there more ports required for it?
    Is it possible to achieve this without the SCCM client installed on the DMZ server? I would like the software to communicate via its own methods, but the required ports should be open.

    Could you please provide the WMI and SQL ports that would be required?
    Generically speaking, are the ports below enough for a DMZ server to communicate with the primary site server?
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135, TCP 445
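One way to open exactly the ports listed in this thread while keeping them scoped to the single DMZ host, plus a check that can be run from the DMZ side without the SCCM client, as an added example (not from the thread or from Microsoft's documentation); the site server name, the DMZ address and the rule-name prefix are assumed placeholder values.

```powershell
# Added example, not from the thread. The port numbers are the ones listed above;
# $DmzServer, $SiteServer and the "DMZ-" rule prefix are assumed placeholder values.
$DmzServer  = '10.200.0.15'                 # assumed DMZ server address
$SiteServer = 'sccm-primary.corp.example'   # assumed primary site server FQDN
$Ports = [ordered]@{
    'HTTP'     = 80
    'HTTPS'    = 443
    'WSUS'     = 8530    # software update point (WSUS default port)
    'CcmNotif' = 10123   # client notification
    'RPC-EPM'  = 135     # RPC endpoint mapper (WMI starts here)
    'SMB'      = 445
}

# Run on the primary site server: one inbound rule per port, limited to the DMZ host.
# -RemoteAddress is the least-privilege part; without it the rule admits any source.
function Add-DmzScopedRules {
    foreach ($name in $Ports.Keys) {
        New-NetFirewallRule -DisplayName "DMZ-$name" `
            -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $Ports[$name] -RemoteAddress $DmzServer `
            -Profile Domain -Enabled True | Out-Null
    }
}

# Run on the DMZ server: report which of the listed ports actually reach the site
# server, so the firewall change can be verified before the software is deployed.
function Test-DmzToPrimary {
    foreach ($name in $Ports.Keys) {
        $r = Test-NetConnection -ComputerName $SiteServer -Port $Ports[$name] `
             -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Port    = $Ports[$name]
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}

Test-DmzToPrimary | Format-Table -AutoSize
```

WMI over RPC also uses the dynamic RPC port range after the endpoint mapper on 135, so a WMI-based check will still fail if only 135 is open.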
