Help with configuring security policy

Hi guys,
I've got two questions, in the same vein, around SCEP and SCCM policies (2012 R2). After looking a bit within the console and some searching around, I don't see anything glaringly obvious to address the following questions, though it's possible I've overlooked it.
1) Is it possible to create a policy to prevent anyone NOT in the DomainAdmins group the ability to override a detected virus?
2) Is there a way to initiate a shutdown if the SCEP service fails or is stopped at any time?
Thanks in advance for any suggestions.
--Gabe

Hi,
1. What is "override a detected virus"?
2. You could take a look at System Center Orchestrator.
http://technet.microsoft.com/en-us/library/hh206052.aspx
Best Regards,
Joyce

Similar Messages

  • Locally configured security policy in domain environment

    Hello.
    I have run into a problem when configuring security policy for servers in my domain. Due to the large size of my environment and the many different local administrators on servers, quite a few of those administrators have configured local security policies on their servers instead of asking for our central IT-dep to create domain-based GPOs for those settings.
    It's quite often settings that give an account the right to log on as a batch job and so on. This creates the problem for us who work centrally that we can't configure a central GPO, since we will overwrite the locally configured ones and that will quite often cause an application to stop working.
    So my question is whether there's any way to make an inventory to find out which servers have a locally configured policy so that I can change that to a central one.
    /Lee

    You can use secedit to get the local security policy. You can use psexec to get it remotely and store the content in a share. Once done, you can fetch the data using PowerShell and get what you need.
    Ahmed MALEK
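
An added example, not part of the original posts, of the PowerShell step the answer describes: it parses secedit exports and reports the user-rights assignments a server has beyond a baseline export taken from a reference server. The function names, the sample INF content, the account values and the share path are assumptions made for illustration.

```powershell
# Added example; all sample data below is constructed.
# Collection step assumed to have been run on each server (for instance through
# psexec, as the answer suggests), writing one file per server to a share:
#   secedit /export /cfg <share>\<server>.inf /areas USER_RIGHTS

function ConvertFrom-SeceditInf {
    # Returns a hashtable: user-right name -> array of SIDs / account names.
    param([string[]]$Lines)
    $rights  = @{}
    $section = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Privilege Rights') { continue }
        if ($text -match '^(Se\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            # SIDs are written with a leading '*'; plain account names can also appear.
            $rights[$name] = @(
                $value -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ }
            )
        }
    }
    return $rights
}

function Compare-UserRights {
    # Emits one object per right that holds entries missing from the baseline.
    param([string]$ServerName, [hashtable]$Server, [hashtable]$Baseline)
    foreach ($right in ($Server.Keys | Sort-Object)) {
        $expected = @(if ($Baseline.ContainsKey($right)) { $Baseline[$right] })
        $extra    = @($Server[$right] | Where-Object { $_ -notin $expected })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Server    = $ServerName
                Right     = $right
                LocalOnly = $extra -join ', '
            }
        }
    }
}

# Constructed baseline export (reference server with only the central settings).
$baselineInf = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559',
    'SeServiceLogonRight = *S-1-5-80-0',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1'
)

# Constructed export from a hypothetical server APP01 where a local administrator
# granted two extra accounts (constructed SID and account name).
$app01Inf = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*S-1-5-21-1111111111-2222222222-3333333333-1105',
    'SeServiceLogonRight = *S-1-5-80-0,svc_app',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1'
)

$baseline = ConvertFrom-SeceditInf -Lines $baselineInf
Compare-UserRights -ServerName 'APP01' -Baseline $baseline `
    -Server (ConvertFrom-SeceditInf -Lines $app01Inf) |
    Format-Table -AutoSize

# Against real exports (hypothetical share path), one file per server:
# Get-ChildItem '\\fileserver\secpol\*.inf' | ForEach-Object {
#     Compare-UserRights -ServerName $_.BaseName -Baseline $baseline `
#         -Server (ConvertFrom-SeceditInf -Lines (Get-Content $_.FullName))
# }
```

Servers that produce no rows carry nothing beyond the baseline for these rights; the rows that do appear are the settings to move into a central GPO before it overwrites them.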

  • Welcome. At the outset, I'm sorry for my English :) Please help with configuring the Photoshop CS6 appearance. How to disable the background of the program so you can see the desktop. (same menus and tools) I would like it to be the same effect as CS5.

    Welcome.
    At the outset, I'm sorry for my English
    Please help with configuring the Photoshop CS6 appearance.
    How to disable the background of the program so you can see the desktop. (same menus and tools)
    I want it to be the same effect as CS5.

    Please try turning off
    Window > Application Frame

  • Trouble with Content Security Policy (CSP)

    In the latest Firefox 33 there seems to be an issue with Content Security Policy (CSP) and how it handles URLs that are URL-encoded.
    For instance when some CSP directive is set to like https://mywebsite.com/application/do;jsessiond=1234 - it will get URL encoded so the ; gets replaced by %3B.
    In Firefox 32 and earlier this worked, but not in this new solution.

    It may be that it needs a header application/x-www-form-urlencoded. Is this included in your URL request, as well as charset UTF-8?
    If you select a different encoding via web dev [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI]
    This sounds like what it did before? [http://www.justarrangingbits.org/firefox-magic-decoding-address-bar/index.html]

  • HT5787 How do you get help with your security questions if you forget your answers?

    How do you get help with your security questions if you forget your answers?

    You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.

  • HT5699 The country I am living in is not on the Apple Contact Support list and I need help with my security questions.

    I am currently living in Tunisia but it's not on the Apple Contact Support list. I need help with my security questions which I cannot remember the answers. There is no link to send a reset email. What do I do?

    Click here and ask the iTunes Store staff for assistance.

  • HT5312 I need help with the security questions. Is there some way to get you to remind me what they were by e-mail or otherwise?

    I need help with the security questions. Is there some way to get you to remember them by e-mail or otherwise?

    Read the HT5312 page that you posted from, it has instructions for how to reset them i.e. if you have a rescue email address set up on your account then steps 1 to 5 half-way down that page should give you a reset link.
    If you don't have a rescue email address then you will need to contact iTunes Support / Apple in your country to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699
    When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 page that you posted from to add a rescue email address for potential future use

  • Please help with Configuring Database Security Store

    Here's the error i get....
    Any ideas?
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Info: Data source is: opss-DBDS
    WLS ManagedService is not up running. Fall back to use system properties for con
    figuration.
    Info: DB JDBC driver: oracle.jdbc.OracleDriver
    Info: DB JDBC URL: jdbc:oracle:thin:@localhost:1521/idgov
    Connected:oracle.jdbc.driver.T4CConnection@21bce8d
    Disconnect:oracle.jdbc.driver.T4CConnection@21bce8d
    INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvide
    r". OpenJPA will not be used.
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkSe
    rviceSetup - done
    Aug 13, 2013 8:47:47 PM oracle.security.jps.internal.config.ldap.LdapCredStoreSe
    rviceConfigurator schemaCompatibleHandler
    INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.
    6.0 is compatible to the seed schema version 11.1.1.4.0
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkSe
    rviceSchema - Store schema has been seeded completely
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateS
    erviceConfiguration - done
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  seedSch
    emaAndCreateDIT - failed JPS-10000: There was an internal error in the policy st
    ore.
    Exception in thread "Main Thread" java.lang.RuntimeException: JPS-10000: There w
    as an internal error in the policy store.
    oracle.security.jps.internal.api.common.JpsCredentialStoreLdapNodeCreationExcept
    ion: JPS-10000: There was an internal error in the policy store.
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:303)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:114)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:448)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:233)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:171)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.main(LdapServiceEnabler.java:129)
    Caused by: oracle.security.jps.service.policystore.PolicyStoreConnectivityExcept
    ion: JPS-10000: There was an internal error in the policy store.
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.handl
    eRollbackException(JpsDBDataManager.java:1345)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1508)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1475)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:296)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:113)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:447)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:232)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:170)
            ... 1 more
    Caused by: javax.persistence.RollbackException: Exception [EclipseLink-4002] (Ec
    lipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.ex
    ceptions.DatabaseException
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001
    : unique constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
    Error Code: 1
    Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
            bind => [3 parameters bound]
    Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=
    jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
    dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribu
    te RowId = 45349
    objectclass = top, EntryId = 11437:Attribute RowId = 45350
    objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
    cn = CredentialStore]})
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commitInternal(EntityTransactionImpl.java:102)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commit(EntityTransactionImpl.java:63)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run
    (JpsDBDataManager.java:1488)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1492)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1476)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:297)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:114)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:448)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:233)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:171)
            ... 1 more
    Caused by: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v2
    0111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001
    : unique constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
    Error Code: 1
    Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
            bind => [3 parameters bound]
    Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=
    jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
    dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribu
    te RowId = 45349
    objectclass = top, EntryId = 11437:Attribute RowId = 45350
    objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
    cn = CredentialStore]})
            at org.eclipse.persistence.exceptions.DatabaseException.sqlException(Dat
    abaseException.java:324)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteDirectNoSelect(DatabaseAccessor.java:840)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteNoSelect(DatabaseAccessor.java:906)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.basi
    cExecuteCall(DatabaseAccessor.java:592)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteCall(DatabaseAccessor.java:535)
            at org.eclipse.persistence.internal.sessions.AbstractSession.basicExecut
    eCall(AbstractSession.java:1717)
            at org.eclipse.persistence.sessions.server.ClientSession.executeCall(Cli
    entSession.java:253)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .executeCall(DatasourceCallQueryMechanism.java:207)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .executeCall(DatasourceCallQueryMechanism.java:193)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .insertObject(DatasourceCallQueryMechanism.java:342)
            at org.eclipse.persistence.internal.queries.StatementQueryMechanism.inse
    rtObject(StatementQueryMechanism.java:162)
            at org.eclipse.persistence.internal.queries.StatementQueryMechanism.inse
    rtObject(StatementQueryMechanism.java:177)
            at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.inser
    tObjectForWrite(DatabaseQueryMechanism.java:472)
            at org.eclipse.persistence.queries.InsertObjectQuery.executeCommit(Inser
    tObjectQuery.java:80)
            at org.eclipse.persistence.queries.InsertObjectQuery.executeCommitWithCh
    angeSet(InsertObjectQuery.java:90)
            at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.execu
    teWriteWithChangeSet(DatabaseQueryMechanism.java:287)
            at org.eclipse.persistence.queries.WriteObjectQuery.executeDatabaseQuery
    (WriteObjectQuery.java:58)
            at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.j
    ava:844)
            at org.eclipse.persistence.queries.DatabaseQuery.executeInUnitOfWork(Dat
    abaseQuery.java:743)
            at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitO
    fWorkObjectLevelModifyQuery(ObjectLevelModifyQuery.java:108)
            at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitO
    fWork(ObjectLevelModifyQuery.java:85)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExec
    uteQuery(UnitOfWorkImpl.java:2871)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1516)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1498)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1449)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitNewObje
    ctsForClassWithChangeSet(CommitManager.java:224)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObje
    ctsForClassWithChangeSet(CommitManager.java:191)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObje
    ctsWithChangeSet(CommitManager.java:136)
            at org.eclipse.persistence.internal.sessions.AbstractSession.writeAllObj
    ectsWithChangeSet(AbstractSession.java:3799)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToData
    base(UnitOfWorkImpl.java:1415)
            at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.c
    ommitToDatabase(RepeatableWriteUnitOfWork.java:636)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToData
    baseWithChangeSet(UnitOfWorkImpl.java:1505)
            at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.c
    ommitRootUnitOfWork(RepeatableWriteUnitOfWork.java:267)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitAndRes
    ume(UnitOfWorkImpl.java:1143)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commitInternal(EntityTransactionImpl.java:84)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commit(EntityTransactionImpl.java:63)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run
    (JpsDBDataManager.java:1487)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1492)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1475)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:296)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:113)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:447)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:232)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:170)
            ... 1 more
    Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique
    constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
            at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
            at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
            at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
            at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
            at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
            at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
            at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.
    java:207)
            at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedSta
    tement.java:1044)
            at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStateme
    nt.java:1329)
            at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePrep
    aredStatement.java:3593)
            at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePrepar
    edStatement.java:3674)
            at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(Oracl
    ePreparedStatementWrapper.java:1354)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteDirectNoSelect(DatabaseAccessor.java:831)
            ... 45 more
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.throwExceptionWithStackTrace(LdapServiceEnabler.java:145)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.main(LdapServiceEnabler.java:137)
    Error: Failed to initialize security store.
    Error: Create operation has failed.
    C:\Oracle\IDGMiddleware\oracle_common\common\bin>

    Try to configure the policy store with a different ID (highlighted in the command below):
    ./wlst.sh <Oracle_IDM1_Home>/common/tools/configureSecurityStore.py -d <WLS_Domain>/OAM_domain -c IAM -p <Password> -m create
    OR
    Reinstall the RCU and try to configure the policy store.

  • ISM with NAT44 - Need help with configuration

    Hello everyone,
    I'm trying to set up NAT44 in the scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see, the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations, all in the same VRF. Can you guys give me a hand? The traffic comes from network 10.0.0.0/8 and enters interface bundle-ether 2 (now it needs to be translated); once it is translated, it needs to reach the destination known via the GRE tunnel.
    Configurations
    vrf NAT_IN
    address-family ipv4 unicast
    vrf BLUE
    address-family ipv4 unicast
    hw-module service cgn location 0/3/CPU0
    interface Bundle-Ether2
    description UPLINK TO METRO ETHERNET
    interface Bundle-Ether2.2 l2transport
    encapsulation dot1q 2
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet200/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface GigabitEthernet300/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface BVI2
    description METRO
    vrf BLUE
    ipv4 address 100.0.0.10/24
    interface tunnel-ip 101
    description GRE_TUNNEL
    vrf BLUE
    ipv4 address 1.1.1.1/32
    tunnel mode gre ipv4
    tunnel source interface bvi 2
    tunnel destination 200.0.0.1
    interface BVI 100
    vrf BLUE
    ipv4 address [GATEWAY_100] [MASK_100]
    interface BVI 200
    vrf BLUE
    ipv4 address [GATEWAY_200] [MASK_200]
    interface BVI 300
    vrf BLUE
    ipv4 address [GATEWAY_300] [MASK_300]
    interface ServiceApp1
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    vrf BLUE
    ipv4 address 10.0.2.2 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    router static
    address-family ipv4 unicast
    vrf NAT_IN
    address-family ipv4 unicast
    0.0.0.0/0 ServiceApp1
    10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>
    vrf BLUE
    address-family ipv4 unicast
    172.16.0.0/24 ServiceApp2
    router ospf METRO
    vrf BLUE
    router-id [ROUTER_ID]
    redistribute bgp 65500 metric 100
    area 0
    interface bvi 2
    router ospf BLUE
    vrf BLUE
    router-id [ROUTER ID]
    redistribute bgp 65500 metric 100
    area 10
    interface BVI100
    interface BVI200
    interface BVI200
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf BLUE
    rd 65500:2
    address-family ipv4 unicast
    redistribute static
    redistribute ospf BLUE
    neighbor 1.1.1.2
    remote-as 64512
    ebgp-multihop 5
    address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
    portlimit 20000
    inside-vrf NAT_IN
    map outside-vrf BLUE address-pool 172.16.0.0/24
    Thanks in advance,
    Renato

    Hi Somnath,
    Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc, I just want to use ASR9000v module and have this AS9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.
    1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?
    2) Can I use the same outside VRF?
    Here is the configurations.
    !! IOS XR Configuration 4.3.1
    vrf NAT_IN
    address-family ipv4 unicast
      import route-target
       65500:2
       65500:3
      export route-target
       65500:3
    vrf RED
    address-family ipv4 unicast
      import route-target
       65500:1
      export route-target
       65500:1
    vrf NAT_OUT
    address-family ipv4 unicast
      import route-target
       65500:4
      export route-target
       65500:4
    vrf SATELLITE
    vrf BLUE
    address-family ipv4 unicast
      import route-target
       65500:2
      export route-target
       65500:2
    hw-module service cgn location 0/3/CPU0
    ipv4 access-list ABF
    5 permit ospf any any
    10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2
    20 permit icmp any any
    interface Bundle-Ether3
    description Uplink (BE3 - VRF NAT_IN) - VLAN 20
    vrf NAT_IN
    ipv4 address 1.1.1.1 255.255.255.0
    ipv4 access-group ABF ingress
    interface Bundle-Ether22
    description LOOPBACK CABLE NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.1.1 255.255.255.0
    interface Bundle-Ether23
    description LOOPBACK CABLE BLUE
    vrf BLUE
    ipv4 address 10.0.1.2 255.255.255.0
    interface 6
    description Uplink  (BE6 - Global) - VLAN 20,51,80-82
    interface 6.2
    ipv4 address 1.1.1.2 255.255.255.0
    encapsulation dot1q 2
    interface 6.51 l2transport
    description EFP - BE6 - VLAN 51
    encapsulation dot1q 51
    rewrite ingress tag pop 1 symmetric
    interface 6.80 l2transport
    description EFP - BE6 - VLAN 80
    encapsulation dot1q 80
    rewrite ingress tag pop 1 symmetric
    interface 6.81 l2transport
    description EFP - BE6 - VLAN 81
    encapsulation dot1q 81
    rewrite ingress tag pop 1 symmetric
    interface 6.82 l2transport
    description EFP - BE6 - VLAN 82
    encapsulation dot1q 82
    rewrite ingress tag pop 1 symmetric
    interface Bundle-Ether100
    description Bundle to Satellite 100
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 100
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether200
    description Bundle to Satellite 200
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 200
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether300
    description Bundle to Satellite 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/0-35
    interface Loopback0
    description MGMT SATELLITE
    vrf SATELLITE
    ipv4 address 10.0.0.254 255.255.255.0
    interface tunnel-ip31101
    description BLUE-TUNNEL01
    vrf BLUE
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31102
    description BLUE-TUNNEL02
    vrf BLUE
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface tunnel-ip31103
    description RED-TUNNEL03
    vrf RED
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31104
    description RED-TUNNEL04
    vrf RED
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface TenGigE0/0/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/4
    description LINK TO SATELLITE 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/36-43
    interface TenGigE0/0/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/0/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/1/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/0/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/1/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/0/0/22
    description LOOPBACK CABLE TE0/1/0/22
    bundle id 22 mode on
    interface TenGigE0/0/0/23
    description LOOPBACK CABLE TE0/1/0/23
    bundle id 22 mode on
    interface TenGigE0/1/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/4
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/22
    description LOOPBACK CABLE TE0/0/0/22
    bundle id 23 mode on
    interface TenGigE0/1/0/23
    description LOOPBACK CABLE TE0/0/0/23
    bundle id 23 mode on
    interface BVI30
    vrf RED
    ipv4 address 10.200.25.193 255.255.255.192
    interface BVI31
    vrf BLUE
    ipv4 address 10.200.1.1 255.255.255.248
    interface BVI32
    vrf BLUE
    ipv4 address 10.200.25.129 255.255.255.224
    interface BVI33
    vrf BLUE
    ipv4 address 10.200.25.1 255.255.255.128
    interface BVI36
    vrf BLUE
    ipv4 address 10.200.237.145 255.255.255.240
    interface BVI51
    vrf RED
    ipv4 address 192.168.7.12 255.255.255.0
    interface BVI80
    vrf RED
    ipv4 address 10.200.26.169 255.255.255.224
    interface BVI81
    vrf BLUE
    ipv4 address 10.200.25.164 255.255.255.240
    interface BVI82
    vrf BLUE
    ipv4 address 10.200.25.180 255.255.255.240
    interface ServiceApp1
    description NAT_IN
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    description NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.2.5 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    description ISM
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    prefix-set PS_ROUTES
      10.200.0.8,
      10.200.5.40/29,
      10.200.1.0/29,
      10.200.5.32/29,
      10.200.0.144/28,
      10.200.106.0/28,
      10.200.106.16/28
    end-set
    prefix-set PS_BGP_BLUE_OUT
      10.200.24.192/26,
      10.200.5.40/29,
      10.200.240.0/25,
      10.200.1.0/29,
      10.200.25.128/27,
      10.200.25.0/25,
      10.200.5.32/29,
      10.200.26.0/25,
      10.200.0.144/28,
      10.200.27.128/27,
      10.200.27.0/25,
      10.200.106.0/28,
      10.200.106.128/25,
      10.200.106.16/28,
      10.200.107.128/25
    end-set
    route-policy RP_DENY_ALL
      drop
    end-policy
    route-policy RP_PASS_ALL
      pass
    end-policy
    route-policy RP_BGP_BLUE_OUT
      if destination in PS_BGP_BLUE_OUT then
        pass
      endif
    end-policy
    route-policy RP_PASS_ROUTES
      if destination in PS_ROUTES then
        pass
      endif
    end-policy
    router static
    address-family ipv4 unicast
      0.0.0.0/0 1.1.1.20
    vrf NAT_IN
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
    vrf RED
    vrf NAT_OUT
      address-family ipv4 unicast
       0.0.0.0/0 10.0.1.2
       10.200.24.192/26 ServiceApp2
    vrf BLUE
      address-family ipv4 unicast
       10.200.24.192/26 10.0.1.1
    router ospf
    log adjacency changes
    vrf NAT_IN
      router-id 1.1.1.1
      disable-dn-bit-check
      redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES
      area 7
       interface Bundle-Ether3
    router ospf RED
    log adjacency changes
    vrf RED
      router-id 10.200.26.169
      disable-dn-bit-check
      redistribute bgp 65500 metric 10 metric-type 2
      area 11
       interface BVI30
       interface BVI80
    router ospf BLUE
    log adjacency changes
    vrf BLUE
      router-id 10.200.25.164
      disable-dn-bit-check
      redistribute static
      redistribute bgp 65500 metric 10 metric-type 2
      area 0
       interface BVI81
       interface BVI82
      area 2
       interface BVI31
       interface BVI32
       interface BVI33
       interface BVI36
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf NAT_IN
      rd 65500:3
      bgp router-id 1.1.1.1
      address-family ipv4 unicast
       route-target download
    vrf RED
      rd 65500:1
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.25.192/26
       network 10.200.26.128/27
       network 10.200.26.192/27
       network 10.200.27.192/26
       network 10.200.104.128/27
       network 10.200.104.160/27
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31103
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31104
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
    vrf BLUE
      rd 65500:2
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.0.144/28
       network 10.200.1.0/29
       network 10.200.5.32/29
       network 10.200.5.40/29
       network 10.200.24.192/26
       network 10.200.25.0/25
       network 10.200.25.128/27
       network 10.200.26.0/25
       network 10.200.27.0/25
       network 10.200.27.128/27
       network 10.200.106.0/28
       network 10.200.106.16/28
       network 10.200.106.128/25
       network 10.200.107.128/25
       network 10.200.240.0/25
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31101
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31102
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
    l2vpn
    load-balancing flow src-dst-ip
    bridge group VLAN30
      bridge-domain VLAN30
       routed interface BVI30
    bridge group VLAN31
      bridge-domain VLAN31
       routed interface BVI31
    bridge group VLAN32
      bridge-domain VLAN32
       routed interface BVI32
    bridge group VLAN33
      bridge-domain VLAN33
       routed interface BVI33
    bridge group VLAN36
      bridge-domain VLAN36
       routed interface BVI36
    bridge group VLAN51
      bridge-domain VLAN51
       routed interface BVI51
    bridge group VLAN80
      bridge-domain VLAN80
       interface 6.80
       routed interface BVI80
    bridge group VLAN81
      bridge-domain VLAN81
       interface 6.81
       routed interface BVI81
    bridge group VLAN82
      bridge-domain VLAN82
       interface 6.82
       routed interface BVI82
    nv
    satellite 100
      type asr9000v
      ipv4 address 10.0.0.1
    satellite 200
      type asr9000v
      ipv4 address 10.0.0.2
    satellite 300
      type asr9000v
      ipv4 address 10.0.0.3
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
      portlimit 20000
      inside-vrf NAT_IN
       map outside-vrf NAT_OUT address-pool 10.200.24.192/26
    Thanks in advance,
    Renato

  • I need help with my security questions/answer?

    I forgot my security questions answer

    The Three Best Alternatives for Security Questions and Rescue Mail
        1. Use Apple's Express Lane.
              Go to https://expresslane.apple.com ; click 'See all products and services' at the
              bottom of the page. In the next page click 'More Products and Services', then
              'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
              ID security questions' and click 'Continue'. Please be patient waiting for the return
              phone call. It will come in time depending on how heavily the servers are being hit.
         2.  Call Apple Support in your country: Customer Service: Contacting Apple for support or
              Apple ID- Contacting Apple for help with Apple ID account security. Ask to speak to
              Account Security.
         3.  Rescue email address and how to reset Apple ID security questions.
    How to Manage your Apple ID: Manage My Apple ID

  • What is wrong with AS (Security policy)

    In my opinion there are several huge flaws in AS2.0.
    Currently the security policy (which is FUBAR) is causing me a lot
    of grief.
    I'm trying to do a simple login over https with the swf
    running from within a projector, but it seems totally impossible,
    despite all promises with cross-domain files and everything.
    Is there anybody around here that has successfully been able
    to login over https from another domain (not on a http page)?
    Any solution, the uglier the better will be greatly
    appreciated.

    On this page:
    http://livedocs.adobe.com/flash/mx2004/main_7_2/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Flash_MX_2004&file=00001097.html
    there is a short snippet:
    "If the SWF file you are downloading comes from a HTTPS
    server, but the SWF file loading it is on an HTTP server, you need
    to add the secure="false" attribute to the
    <allow-access-from> tag, as shown in the following code:
    <allow-access-from domain="www.foo.com" secure="false" />"
    This made me really happy, until I tested it out. As with a
    lot of things from Macromedia, the documentation does not match the provided
    functionality.
    Given that the documentation is correct, the following
    code should work.
    System.security.loadPolicyFile("http://somedomain.com/secure/crossdomain.xml");
    this.createEmptyMovieClip("tester_mc", 1);
    tester_mc.loadMovie("https://somedomain.com/secure/test.swf");
    Given that the crossdomain file looks like this:
    <cross-domain-policy>
    <allow-access-from domain="*" secure="false"/>
    </cross-domain-policy>
    I'm so puzzled I'm seriously considering jumping out of the
    window...

  • Help with Configuring an HWIC AP with a 7920

    I am trying to configure an HWIC-AP on a 2811 router. I keep getting the error “No service-IP config failed” on the 7920. The 7920 is registering with the router but I’m not able to receive a number. I’m using CCME on the router. I’m only interested in the bare minimum at this point before I add any security features. Below is the config I am using.
    interface Dot11Radio0/3/0
    no ip address
    ssid ldk
    vlan 1
    authentication open
    guest-mode
    infrastructure-ssid optional
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0/3/0.1
    encapsulation dot1Q 1 native
    no snmp trap link-status
    I am also using switchports and int Vlan1 is 192.168.2.1 /24.
    This is the first time I have configured the HWIC-AP. Any help would be greatly appreciated.
    Thanks,
    Lawny

    It required that I assign a static IP address to the dot11 subinterface and I had to use two dhcp pools. One for the IP phones that were plugging into the switchports and another for the wireless IP phones.
    Below is the entire config for the phones.

  • Help with configuring AP-1240AG as local authenticator for EAP-FAST client

    Hi,
    I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
    dot11 lab_test
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       infrastructure-ssid
    radius-server local
      eapfast authority id 0102030405060708090A0B0C0D0E0F10
      eapfast authority info lab
      eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
      user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
    Here is the Windows XP client configuration:
    Authentication: Open
    Encryption: WEP
    Disable Cisco ccxV4 improvements
    username: georges
    password: georges
    Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
    *Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
    *Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
    *Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
    *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
    *Mar  4 01:16:56.701: RADIUS:    [lab_test]
    *Mar  4 01:16:56.701: RADIUS:   65                                               [e]
    *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
    *Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
    *Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
    *Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
    *Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
    *Mar  4 01:16:56.702: RADIUS(00001F5C): sending
    *Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
    *Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
    It seems that the RADIUS packet that the AP receives is not what is expected. I do not know if the problem is with the client or with the AP configuration. I tried many things but am running out of ideas. Any suggestions would be welcome.
    Thanks

    Hi Stephen,
    I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
    Thanks for your help
    Stephane
    Here is the complete configuration:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Lab
    ip subnet-zero
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 lab_test
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       infrastructure-ssid
    power inline negotiation prestandard source
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid lab_test
    traffic-metrics aggregate-report
    speed basic-54.0
    no power client local
    channel 2462
    station-role root
    antenna receive right
    antenna transmit right
    no dot11 extension aironet
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    dfs band 3 block
      speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    channel dfs
    station-role root
    no dot11 extension aironet
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface BVI1
    ip address 10.5.104.22 255.255.255.0
    ip default-gateway 10.5.104.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      eapfast authority id 000102030405060708090A0B0C0D0E0F
      eapfast authority info LAB
      eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
      user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

  • Need help with configuration

    I'm new to Cisco and we just took over a client with an ASA 5505. I need to do 2 things. First,
    I need to know how to open or forward ports to an internal IP address. They want me to open ports 3389 and 1433 to an internal address 192.168.192.52
    but only from
          207.235.73.64 and 255.255.255.192
          40.143.46.64 and 255.255.255.192
    and
          66.192.91.128 and 255.255.255.192
          40.143.28.64 and 255.255.255.192
    And second, I'd like to get the ASDM downloaded and working, as I've used that before in other offices and it helps me out as a non-Cisco expert. I try going to the device IP in a browser, 192.168.192.1/admin, and just get a prompt for username and password, but it doesn't take the one I have. Here is the config on the device right now. Any help you guys can point me to I'd appreciate. 4 hours of Google research has gotten me nowhere.
    sho run
    : Saved
    ASA Version 7.2(3)
    hostname vmine
    domain-name mine
    enable password CyQcVKTj6CW8.Vsj encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.192.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    interface Vlan3
    mac-address 001f.6ce3.bd99
    no forward interface Vlan1
    nameif guest
    security-level 10
    ip address 205.10.2.1 255.255.255.0
    interface Ethernet0/0
    description Internet-Connection
    switchport access vlan 2
    interface Ethernet0/1
    description Connection to Inside Network
    speed 100
    duplex full
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    switchport access vlan 2
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    description Connection to Public Network
    switchport access vlan 3
    speed 100
    duplex full
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    passwd CyQcVKTj6CW8.Vsj encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain
    access-list guest extended permit icmp any any
    access-list guest extended permit ip any any
    access-list inside extended permit icmp any any
    access-list inside extended permit ip any any
    access-list outside extended permit icmp any any echo-reply
    access-list outside extended permit tcp any any eq 8440
    access-list nonat extended permit ip 192.168.192.0 255.255.255.0 192.168.252.0 255.255.255.0
    access-list outside-in extended permit tcp any any eq https
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    pager lines 24
    logging enable
    logging buffer-size 16384
    logging buffered informational
    mtu inside 1500
    mtu outside 1500
    mtu guest 1500
    ip local pool vpn-ip 192.168.252.1-192.168.252.10
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.x
    global (outside) 2 x.x.x.x
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.192.0 255.255.255.0
    nat (guest) 2 205.10.2.0 255.255.255.0
    static (inside,outside) tcp interface www 192.168.192.170 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.192.170 https netmask 255.255.255.255
    static (inside,outside) x.x.x.x 192.168.192.52 netmask 255.255.255.255
    access-group inside in interface inside
    access-group outside-in in interface outside
    access-group guest in interface guest
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.192.0 255.255.255.0 inside
    snmp-server host inside 192.168.192.10 poll community ciscosnmp
    snmp-server location PIX
    no snmp-server contact
    snmp-server community ciscosnmp
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map dynvpn 10 set transform-set DES-MD5
    crypto map vpn 65535 ipsec-isakmp dynamic dynvpn
    crypto map vpn interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp nat-traversal  20
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcpd dns 209.253.113.10 209.253.113.18
    dhcpd address 205.10.2.10-205.10.2.99 guest
    dhcpd dns 209.253.113.10 209.253.113.18 interface guest
    dhcpd enable guest
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ipsec-pass-thru
    service-policy global_policy global
    group-policy RA-VPN internal
    group-policy RA-VPN attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value nonat
    username VMRemote password .RSNgq92vZTSELWV encrypted
    username VMRemote attributes
    vpn-group-policy RA-VPN
    username VMVPN password jSqp8CjjxHhRa6jk encrypted
    username kernels password jDS98nJtthzlEvw5 encrypted
    tunnel-group VMVPN type ipsec-ra
    tunnel-group VMVPN general-attributes
    address-pool vpn-ip
    tunnel-group VMVPN ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:52c3d65fc1111c561b1598cc341dc6d5
    : end

    Hi,
    As per your 1st query, I think the Static NAT should work fine.
    To restrict the access from the outside only for certain IPs, you can use a Source Based ACL:
    access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 1433
    If you would like to use the LOCAL username and password on the ASA:
    aaa authentication http console LOCAL
    Thanks and Regards,
    Vibhor
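
The source-restricted rules from the reply above can be checked offline before they are pasted into the firewall. This is an added example, not code from the thread: it regenerates those ACL lines and evaluates packets against them with first-match, implicit-deny semantics. `203.0.113.10` is a constructed placeholder for the masked `x.x.x.x` address, and all function names are hypothetical.

```python
"""First-match evaluation of ASA 'access-list ... extended' lines (added example)."""
import ipaddress

# Constructed placeholder for the masked public address "x.x.x.x" in the thread.
MAPPED_IP = "203.0.113.10"

ALLOWED_SOURCES = [  # source networks and masks exactly as listed in the question
    ("207.235.73.64", "255.255.255.192"),
    ("40.143.46.64", "255.255.255.192"),
    ("66.192.91.128", "255.255.255.192"),
    ("40.143.28.64", "255.255.255.192"),
]
PORTS = (3389, 1433)
NAMED_PORTS = {"www": 80, "https": 443}


def build_acl(name="outside-in"):
    """Generate the source-restricted permit lines in the form given in the reply."""
    return [
        f"access-list {name} extended permit tcp {net} {mask} host {MAPPED_IP} eq {port}"
        for port in PORTS
        for net, mask in ALLOWED_SOURCES
    ]


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the token list; return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # strict=True raises ValueError if the address has host bits set for its mask
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=True)


def parse_ace(line):
    """Parse one extended ACE: action, protocol, source, destination, optional 'eq PORT'."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    rest = tokens[5:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"acl": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "dst": dst, "port": port}


def evaluate(lines, acl, proto, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny': the first matching ACE wins, and no match means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, lines):
        if ace["acl"] != acl or ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["port"] in (None, dst_port):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    rules = build_acl()
    print("\n".join(rules))
    for source in ("207.235.73.100", "207.235.73.130"):
        print(source, "->", evaluate(rules, "outside-in", "tcp", source, MAPPED_IP, 3389))
```

The strict network parsing also catches a source entry whose address does not sit on its mask boundary, which is an easy typo to make when copying a list of /26 ranges.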

  • I need help with the Security Update 2006-002!

    Security update has really screwed up the two systems I've installed it on:
    1) My G4 PowerBook refused to reboot after the update, getting only as far as the initial Apple screen. Rebooting with a 10.4 install disk and using Disk Utilities to try to repair the disk either results in an "Unable to unmount disk" error, or if Repair does proceed, it is unable to repair the disk. I get an "Invalid node structure" error message, then a "Rebuilding B-Tree" message, then a "The volume Macintosh HD could not be repaired" message, and Repair quits with an "Error: the underlying task reported failure on exit" message.
    2) On my Dual 2 GHz G5 desktop, Safari appears to be unable to load more than six URLs in 6 tabs; I read about 20 webcomics all organized in a bookmarks folder, and my usual practice is to select "Open in tabs" to open them all at once. Heretofore Safari has opened all the tabs and all the URLs without a hitch. After the update it will open all the tabs but only about the first six sites load - all the rest just sit there spinning their wheels.
    Also it has hosed iChat on my desktop. iChat will open, but will not send or receive chats, and will not open the buddy window.
    Also Also, the system frequently hangs, seizing up anywhere from 30 seconds to a few minutes, then resuming normally. Safari seems to be the culprit, but I can't really tell.
    I need an update to recover from the effects of the last update.

    I'm not very knowledgeable on Macs yet, being a new user (switcher). However, there appear to have been too many problems for too many people and too many systems associated with this update for it to be coincidental. Take a look through the topics since the update appeared. My computer is brand new. The update did something that screwed something in the startup file (or whatever). The nice man in India helped me get the computer going by removing all sorts of wondrous things, this after his colleague in Cork had sent me all sorts of stuff to my work address to try out when I got home, like PRAM and NVRAM (which only made things worse) and other things. Now my computer's fixed. Except that there's now no printer, it won't find the drivers off the install discs and any driver I load from Canon isn't recognised or a script isn't recognised. I bought this thing to get away from problems like this on PCs!!!!
    iMac Intel 20"   Mac OS X (10.4.4)  
