How do I NAT based on destination port while source port can be ANY

Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes across the IPSEC Tunnel - I also want remaining Internet Traffic to route normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snapshot of the config:
object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
 nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x  - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based
A static policy NAT with an access list will not work as you must specify a single source port - since there is no way to predict the source port this won't work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.
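For comparison, here is the 8.2-style form of the same policy that is worth testing in a lab. This is an added example, not configuration from the original post; it assumes the inside network is 10.1.1.0/24 and that the tunnel's crypto ACL selects the same flows (both hypothetical). The point of the form is that NAT exemption (nat 0 access-list) ignores ports, and static policy PAT needs a port on the static command itself, but static policy NAT with an identity mapping takes its ports from the access list, so the source port stays any and only the destination port is fixed. In 8.2 the NAT order is NAT exemption, then static NAT/PAT (regular and policy), then policy dynamic NAT, then regular dynamic NAT, so the static below is matched before the interface PAT.

```text
! Added example, not from the original post. Hypothetical addressing:
! inside network 10.1.1.0/24; Internet-bound web traffic is carried to the proxy
! by the existing IPsec tunnel.
!
! 1. Match only the flows that must keep their private source address:
!    any source port, destination port 80 or 443, any Internet destination.
access-list PROXY_IDENTITY extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list PROXY_IDENTITY extended permit tcp 10.1.1.0 255.255.255.0 any eq https
!
! 2. Static policy NAT with real and mapped networks identical (identity NAT).
!    The ports come from the ACL; the static command carries no port, so this is
!    the policy NAT form rather than the policy PAT form.
static (inside,outside) 10.1.1.0 access-list PROXY_IDENTITY
!
! 3. Everything that does not match above still PATs to the outside interface.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 4. The crypto ACL used as "match address" in the tunnel's crypto map must select
!    the same untranslated flows, otherwise they are PATed and routed normally.
access-list PROXY_TUNNEL extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list PROXY_TUNNEL extended permit tcp 10.1.1.0 255.255.255.0 any eq https
!
! Verify: a random high source port to port 80 should show an identity translation
! (and hit the crypto ACL), while the same host to port 22 should use the interface PAT.
packet-tracer input inside tcp 10.1.1.50 40123 198.51.100.20 80
packet-tracer input inside tcp 10.1.1.50 40123 198.51.100.20 22
show xlate
```

Run the two packet-tracer lines before trusting the config: the NAT phase of the first should report the static rule and the untranslated source, and the second should report the dynamic PAT. If the first instead hits the PAT, the 8.2 image in question is treating the ACL ports differently and the approach needs to be re-checked against that release.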

Karen-
Results: Did not work. The web based shortcuts did not appear.
Below are the steps taken with your tips incorporated. (Again it's lengthy, sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
Here is what was done:
1. Installed a fresh copy of Windows 8.1 Enterprise on a PC. No updates were run.
2. During setup created the admin account.
3. Logged into the account; a simple start screen was arranged and set up by:
Starting desktop Internet Explorer. Going to TechNet's website. Clicking Tools and then selecting "Add site to Apps" from the drop-down menu. Went to the Apps screen, right-clicked and pinned it to the start screen. Repeated this procedure with an educational web based site.
Right-clicked a few provisioned apps and unpinned them from the start screen.
Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
4. Opened PowerShell, right-clicked it and ran as administrator. Typed the following:
Export-StartLayout -Path C:\Users\Public\Master.xml -As XML
(Master is the name chosen for this test .xml file and it was put in a location all users would have privileges to access).
5. Opened the command prompt, right-clicked and "ran as administrator", typed in gpedit.
6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar, I chose the Start Screen Layout.
7. Enabled the policy and typed in C:\Users\Public\Master.xml for the Start Layout File.
8. Opened Computer Management; under Local Users and Groups I chose Users, right-clicked in the middle pane and created a new user called Alpha.
9. Logged out of the initial account and logged into the newly created Alpha account.
10. When the Alpha account logged in, the start screen came up with everything changed in the initial account but no web based shortcuts were found on the start screen or App view.

Similar Messages

  • How to read a data from USB port using JAVA

    hi all,
    I need to know how to read data from a USB port using Java. Are any APIs available for Java? Please give your valuable ideas!
    Thanks in advance!

    You can do this. Please use this link
    [http://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=uHu&q=java+read+data+from+usb+port&btnG=Search&meta=&aq=f&oq=]
    What research did you do on your own? Have you built a test application and tried it yourself?

  • How to determine the destination port from a audit fail event

    I have a bunch of audit failure events (4625) in our security log. The details only show the source address and port but no destination port info. Is there any way I can find out that info? What I really want to know is what application\port these login attempts try to authenticate to.
    Thanks

    Hi,
    I am not aware of any way to determine the destination port based on event logs. However, you can try to use NetMon or other software to capture packets to see if it works.
    As for application, you can check the Process Information in the event.
    Best Regards,
    Amy

  • Route decisions based on destination TCP port with EIGRP

    Need information and plausibility on making routing decisions within EIGRP based on different destination TCP ports. I have a third party partner that we communicate with and they are adding a second location which we will connect to. They are wanting to use the same destination host IP but make the route decision based on destination TCP port; i.e. if we target tcp 6123 they want us to route down link A to site A, if we target tcp 7123 we would route down link B to site B. I have never had to make that happen so I am looking into whether it actually can be done and if so what basic configuration to pursue. We use static IP routes to/from them today and will in the future at the edge; those are distributed internally to our EIGRP. Can EIGRP make decisions based on IP and Port?

    No routing protocol makes decisions based on port number as far as I know.
    You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
    Depending on your connections you may well need to use tracking as well but it depends.
    If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
    If you do a search on PBR you should find quite a few examples but if you get stuck then by all means come back.
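    To make the PBR pattern from the reply concrete, here is an added example in IOS syntax; it is not configuration from the thread. The partner host is assumed to be 203.0.113.10, the next hops toward site A and site B are assumed to be 192.0.2.1 and 192.0.2.5, and the user-facing interface is assumed to be GigabitEthernet0/0; all of these are hypothetical. Traffic that matches neither ACL falls through to normal forwarding, i.e. whatever the EIGRP/static routing table says.

```text
! Added example, not from the thread. Hypothetical addresses: partner host 203.0.113.10,
! next hop to site A 192.0.2.1, next hop to site B 192.0.2.5, users behind Gi0/0.
!
! 1. Classify by destination host and destination TCP port.
ip access-list extended PARTNER_SITE_A
 permit tcp any host 203.0.113.10 eq 6123
ip access-list extended PARTNER_SITE_B
 permit tcp any host 203.0.113.10 eq 7123
!
! 2. Probe each next hop; PBR by itself does not check that a next hop is alive.
ip sla 1
 icmp-echo 192.0.2.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.5
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! 3. Route-map: each class gets its own next hop, used only while its track is up.
!    Unmatched traffic (implicit deny at the end of the route-map) is routed normally.
route-map PARTNER_PBR permit 10
 match ip address PARTNER_SITE_A
 set ip next-hop verify-availability 192.0.2.1 10 track 1
route-map PARTNER_PBR permit 20
 match ip address PARTNER_SITE_B
 set ip next-hop verify-availability 192.0.2.5 10 track 2
!
! 4. Apply on the interface where the user traffic enters the router.
interface GigabitEthernet0/0
 ip policy route-map PARTNER_PBR
!
! Verify: per-sequence match counters, and which next hops the tracks consider reachable.
show route-map PARTNER_PBR
show track brief
```

    Two things to keep in mind with this shape: when a track goes down, the matching traffic is not sent to the other site, it simply falls back to the routing table, which may be the wrong behaviour if the two partner sites serve different applications; and the return traffic from the partner is steered by their routing, not by this route-map, so the partner has to do the equivalent on their side.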

  • SRP547W, How to use multiple WAN IPs for port forwarding?

    Hi folks,
    We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
    What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our public IPs...
    Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
    We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
    a.b.c.208     Network Address (/29 subnet)
    a.b.c.209     ISP Gateway
    a.b.c.210     IP1
    a.b.c.211     IP2
    a.b.c.212     IP3
    a.b.c.213     IP4
    a.b.c.214     IP5
    a.b.c.215     Broadcast Address
    On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
    VLAN ID:               4000 (Chosen arbitrarily)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.211
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    When we try to do so however we get:
    Fail!
    Conflict with Ether_WAN2 interface address type
    I should mention at this point that we're running on firmware version 1.02.01 (023).
    Any suggestions on how we can proceed?
    Is there a CLI or other method of configuration that might work if the web interface won't?
    Thanks,
    Tim.

    OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
    As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    We'd now like to expose a server function on IP2, let's say LAN details for this server are:
    VLAN:                  3000
    VLAN IP Range:         192.168.1.1/24
    Server IP:             192.168.1.10
    Server Port:           80
    So first we turn on Software DMZ:
    Status:                Enabled
    Public IP:             a.b.c.211
    Private IP:            192.168.1.10
    WAN Interface:         Ether_WAN2
    My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
    Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
    In Interface (WAN):    All
    Out Interface (LAN):   VLAN.3000
    Source IP:             0.0.0.0
    Source Subnet:         0.0.0.0
    Destination IP:        192.168.1.10
    Destination Subnet:    255.255.255.255
    Protocol:              TCP
    Source Port:           Any
    Destination Port:      Single:80
    Action:                Permit
    Schedule:              Everyday
    Times:                 24 Hours
    Still no dice. What am I missing?
    Cheers,
    Tim.

  • HT3546 How do I set up my AirPort Extreme to do port forwarding? Running 10.7.4 I have an IP camera on my local wireless network that I want to use from my iPhone 4s and other computers.

    How do I set up my AirPort Extreme to do port forwarding? Running 10.7.4 I have an IP camera on my local wireless network that I want to use from my iPhone 4s and other computers.

    In most cable systems, the router you have will plug into your modem and just work automatically. A NAT (Network Address Translation) router takes your external IP and hands out LAN (Local Area Network) based IPs. All of the devices you are working with right now should handle the change automatically unless you've changed from the default automatic configuration.
    The problem with your wireless end of this is that the iPhone is not yet 802.11n, only 802.11g. Because that router is not dual band, all of your wifi devices will be forced to slow down to 802.11g speeds. This won't matter much for each device that's connecting to the internet, as your bottleneck is still going to be there. Where you will see slowdowns is device to device connections, like transferring data between the devices.

  • WRT54G Incoming Log Destination Port 520

    I am trying to understand why an [Incoming Log Table] entry recurs, i.e. in the page that presents itself when I navigate to the [Administration] Panel / [Log] Tab, and then click the [Incoming Log] button:
    =================================
    Incoming Log Table
    Source IP = 178.33.xxx.yyy
    Destination Port Number = 520
    =================================
    After I clear the Log (i.e. turn it off, save settings, turn it on again, save settings) the entry will reappear after a few days.
    I have never seen any other incoming log entry.
    Since it was pressed into service several years ago, my WRT54G has been configured to block any and all incoming connections. The settings as they continue to appear (under the [Security] Panel / [Firewall] Tab) are:
    =================================
    Checked (Yes) = [Block Anonymous Internet Requests]
    Checked (Yes) = [Filter Multicast]
    Checked (Yes) = [Filter Internet NAT Redirection]
    Checked (Yes) = [Filter IDENT (Port 113)]
    =================================
    I continue to have disabled all port forwarding, port triggering, the DMZ, and QoS, via the applicable tabs under the [Applications & Gaming] Panel. The WRT54G continues to be configured to operate as a Gateway (via the [Settings] Panel/[Advanced Routing] Tab). No static routes are defined. The routing table shows four entries, none of which are remarkable or match in any way the partial address identified above.
    So I am under the impression that my WRT54G should be ignoring everything from the WAN-side.
    Even pinging the WAN-side of my router from the outside internet times out.
    My WRT54G ver 6 is at firmware level 1.02.8, which, as far as I can tell is the latest issued by Cisco.
    I am completely perplexed how such a connection is being established, and do not know if it is or has the potential of causing any harm. My own research indicates port 520 is typically used for RIP protocol, but I have almost zero knowledge of such.
    I certainly appreciate any elucidation.
    My thanks for your attention.

    bonski wrote:
    Forgive me if I seem flippant, but I am not sure what kind of "glitch" you are looking to correct. If performing a factory reset procedure were already known to correct a specific problem, then I would seriously consider it. If performing a factory reset did not run the risk of injecting more problems through the process of having to redo firmware updates and settings, then I would seriously consider it. I am truly seeking insight into understanding the nature of the symptoms, and why they may be occurring. I am not looking for trial and accidental success.
    Thank you for your thoughts.
    Hi bonski,
    The log means that the IP: 178.33.xxx.yyy (which is from your ISP) sends logs to port 520. Port 520 is your router. I believe it is saying that your ISP simply sends data to your router. This is normal since your router gets its internet connection from the ISP. This is by the way based on my understanding from the research I've made.
    This might help:
    http://www.pc-library.com/ports/tcp-udp-port/520/
    http://www.auditmypc.com/udp-port-520.asp
    http://www.iss.net/security_center/advice/Exploits/Ports/520/default.htm

  • How to change the Number of IVR ports in a UCCX?

    I know this question has been asked before but it needs to be asked again, as previous answers do not seem to apply. The simple question is: If you have a UCCX and if after install you check License information and you note that you have 150 IVR ports; how do you increase the number of ports to 300?
    I have been told that the number of ports is set by the class of the machine hardware and is not a license issue.   Others have suggested it is a license issue?   At the end of the day, however, I want a step by step procedure for adding more IVR ports to my deployment.   Even if that means buying more licenses (though I can not find a SKU).
    I have several clients that have UCCX and are having calls that exceed the number of IVR ports. Before we get into a discussion of CTI ports or Call Control Groups, let me identify that I think they are the same. I can create a CTI Call Control Group with 300 paths, but if I only have 150 IVR ports I am in serious trouble on the 151st call!
    I had a lab system that installed under vmware with 150 ports.  No matter how I tried to configure the CVA it always came up 150 ports!   I added a NFR license to my lab and magically it turned it into a 12 IVR system, so licensing does have something to do with it!  
    I have this experience on Version 8 and now on Version 9! I need more IVR ports than appear in the installation. I want to know exactly the steps needed to increase the number of IVR ports to the maximum of 300 for an enhanced system!
    I can refer Cisco TAC to several tickets I have opened on this subject all with unsatisfactory answers! Most recently 626743961
    Peter Buswell (aka DrVoIP)
    http://blog.drvoip.com       

    Here's the long answer
    Peter Buswell wrote:I know this question has been asked before but it needs to be asked again, as previous answers do not seem to apply. The simple question is: If you have a UCCX and if after install you check License information and you note that you have 150 IVR ports; how do you increase the number of ports to 300?
    Since I see below that you mentioned that the system in question is Enhanced, the answer is simply, install on faster hardware.  Presently the best hardware you can get is VMWare ESXi with the 400 Agent License OVA, which gives you 400 IVR Port Licenses.
    Standard licensing works the same as Enhanced, as far as IVR Port licenses go.
    If you were wondering about Premium, then it's a 1:2 ratio of agent:ports.  You cannot buy Premium ports directly, instead you buy them indirectly through the process of buying Premium Agent seats.  So if you had a Premium UCCX with 100 Agents, you would have 200 ports, and if you desired to have 250 ports, you simply buy 25 more Premium Agent seats.  Premium does still need to adhere to the hardware limits.  I have seen partners sell someone an Enhanced UCCX which gave them 300 ports, but they only had like 50 Agents.  A year later, the customer upgraded to Premium, but only bought 50 seats, and thus downgraded their port license count to 100.  A third of what they had!  The solution?  Buy 100 more Premium Agent seats so your total goes up to 150 Agents, and thus your ports go up to 300.
    Peter Buswell wrote:I have been told that the number of ports is set by the class of the machine hardware and is not a license issue.   Others have suggested it is a license issue?
    These are both correct statements.  Just remember, that it's licensed based first for Premium, then hardware limited.  Standard and Enhanced are hardware limited only.
    Peter Buswell wrote:At the end of the day, however, I want a step by step procedure for adding more IVR ports to my deployment.   Even if that means buying more licenses (though I can not find a SKU).
    Again, for Standard and Enhanced, you need to move to bigger/better hardware to get more ports, assuming you're not already at the maximum of 400.
    Here is the document which walks you through moving to bigger hardware: Disaster Recovery Guide
    And for Premium, you need to purchase the SKU for a Premium Agent Seat license.  It's a 1:2 ratio for agents:ports.
    Peter Buswell wrote:I have several clients that have UCCX and are having calls that exceed the number of IVR ports.
    I'm not a partner, nor in sales, but I thought there was an A2Q process which validates CC designs for sales people.  At any rate, it sounds like they were either under sized or outgrew their overhead, and something needs to be done.
    Sometimes you can simply dump excess calls off.  Think about playing a high call volume message to callers and then drop them.
    Other times you can drop them into voicemail, and come back to it later.
    I've seen some basic call back functionality implemented with an external data source, which could alleviate ports.
    Lastly, I've seen improperly designed scripts which loop on themselves or other scripts, causing a high port usage.
    My point is that there's a few options here, outside of simply increasing the size of the server or purchasing new licenses.  There's no one size fits all answer though.
    Peter Buswell wrote:Before we get into a discussion of CTI ports or Call Control Groups, let me identify that I think they are the same.
    Are you saying that CTI Ports and Call Control Groups are the same?  Or that CTI Ports/CCG's are the same as IVR Port Licenses?  Cause the former is true, while the latter is not.  Think "oversubscribed" CTI Ports.
    Sometimes it is advantageous to oversubscribe your CTI Ports, to achieve a more dynamic environment.  E.g., I have 100 ports, and all 100 are used for inbound calls.  I develop a single inbound app, which is limited to 10 ports, and handles small bursts of calls.  What happens is that, if the new inbound app is running, the most it can "steal" from the inbound calls is 10 ports.  However, if the app is not running (because it doesn't run all day, it's mostly bursty in nature), I can still have my regular inbound calls go all the way up to 100.
    Peter Buswell wrote:I can create a CTI Call Control Group with 300 paths, but if I only have 150 IVR ports I am in serious trouble on the 151st call!
    This is true.  Again, you need to decide if you really need the extra ports, or if there is some solution to solving this problem without making a hardware/license purchase.  These kinds of problems still exist for customers at the 400 port level, and they don't have the option to "buy more."
    Well, that's not entirely true.  While you cannot grow past the 400 port limit today, you could install another UCCX instance on the same CUCM cluster, effectively doubling your capacity, but breaking your administration into two separate domains.
    Peter Buswell wrote:I had a lab system that installed under vmware with 150 ports.  No matter how I tried to configure the CVA it always came up 150 ports!
    What's CVA?
    Peter Buswell wrote:I added a NFR license to my lab and magically it turned it into a 12 IVR system, so licensing does have something to do with it!  
    The NFR is most likely a Premium license.  Refer back to the 1:2 ratio, and that would tell me you have an NFR license for 6 Premium Agents.  Installing a higher level license on a lower level licensed system brings the whole system up to the higher level.  Recall my partner story about the Enhanced to Premium upgrade scenario.
    Peter Buswell wrote:I have this experience on Version 8 and now on Version 9!
    The licensing doesn't change from 8x to 9x.
    Peter Buswell wrote:I need more IVR ports than appear in the installation.  I want to know exactly the steps needed to increase the number of IVR ports to the maximum of 300 for an enhanced system!
    You buy bigger/better hardware, and use the link I provided above for moving to that new hardware.
    Peter Buswell wrote:I can refer Cisco TAC to several tickets I have opened on this subject all with unsatisfactory answers!  Most recently 626743961
    I would be surprised if there is a single Cisco TAC person who doesn't understand this simple IVR Port licensing model.  Perhaps there was some miscommunication about what was being asked, and what answer was being given.
    I hope that helped to clarify some things for you.  Also, if you are a partner, reach out to your CAM and ask for a one on one with a UCCX guru who can sit down with you.  Cisco would want you to be successful with selling their products.
    Anthony Holloway
    Please use the star ratings to help drive great content to the top of searches.

  • Setting Forward Lookup Zones in DNS based on the port queried

    I have the following problem.
    We are using Dynamic DNS to access our site and the modem/router differentiates via port forwarding which server the query goes to based on the port number, i.e. all requests go to abc.dyndns.org:port number.
    Based on the port eg. port 3389 goes to server1 (192.168.0.1), port 8080 goes to server 2(192.168.0.2), port 80 goes to server 3 (192.168.0.3). This all works well if you are entering from OUTSIDE the local network.
    INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
    How do I get the abc.dyndns.org:other ports to go to the other servers' IP addresses, as you can only set up one Host A record of abc.dyndns.org to one address 192.168.0.1, if someone queries from INSIDE the local network as the modem/router does not come into play?

    As I said before, DNS doesn't do this. DNS has nothing to do with ports resolution. It's purely a name to IP or IP to name resolution. THAT'S IT!
    But you can port translate each individual port from the WAN IP to different IPs  internally. I thought I said that earlier? Maybe I wasn't clear. I apologize for not fully explaining it, for I thought you understood that part.
    Revisiting the bottom of your original post:
    INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
    How do I get the abc.dyndns.org:other ports to go to the other servers' IP addresses, as you can only set up one Host A record of abc.dyndns.org to one address 192.168.0.1, if someone queries from INSIDE the local network as the modem/router does not come into play?
    You still have to specify the port internally. Assuming mail.domain.com is server4 (since you didn't specify that port in your original post), you simply create a mail.domain.com zone and give it a blank IP for (making this up) 192.168.0.3, then type in the same exact thing you would do from the outside:
    http://mail.domain.com:8083/folder  
    Like I said, it's in the application. DNS just resolves to an IP. There are 65,536 port numbers, and DNS does not deal with resolving any of them. That's the responsibility of the application or service and the client (such as a browser) connecting to it.
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • How do I set up jms destination  of OSB Alert?

    According to the document description,a JMS destination URI in the format: jms://host:port/factoryJndiName/destJndiName. My jms is on a cluster, So, I Set this URI: jms://10.1.1.100:8001,10.1.1.101:8001,10.1.100:8002,10.1.1.101:8002/factoryJndiName/destJndiName.
    When the machine (10.1.1.100) was shutdown, the alert will error and says "can not find JMS destination".
    How do I set up jms destination? tks!
    Edited by: user12382989 on 2009-12-23 5:03 PM

    Did you consider using JMS distributed destination for your use-case?
    http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs103/jms/dds.html
    Manoj

  • Prioritize traffic based on destination IP?

    Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
    Thanks!

    Jerry, I would try something like in the second config example I mentioned. Keep in mind, if the ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VOIP traffic high priority, it should go out the interface first during congestion. You don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VOIP traffic, VPN traffic and User PAT (outbound NAT) traffic on separate IPs. That will help when defining the access-lists. This QoS stuff is kind of tricky and a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to the ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VOIP traffic. The same results apply when I test a big upload to the internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I used the show QoS commands to see traffic drops, etc. so YMMV!
    Take a look at this link for ASA 7.X release, which may give you some ideas:
    "QoS based on ACL with VPN Configuration" You can change the ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
    Will
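    To make the "priority queue on the ASA" part of the reply concrete, here is an added example in the 7.x/8.x MPF syntax; it is not configuration from the thread. It assumes the traffic to protect is anything destined to a hypothetical 198.51.100.0/24 (for instance a hosted PBX), that the egress interface is named outside, and that all other traffic is policed to 8 Mbit/s; those values are assumptions. Note that the ASA priority queue is a strict low-latency queue, not a reservation of "x amount" of bandwidth: matched traffic is dequeued first, and everything else gets what remains.

```text
! Added example, not from the thread. Hypothetical: protected destination 198.51.100.0/24,
! egress interface "outside", best-effort traffic policed to 8 Mbit/s with a 1.5 MB burst.
!
! 1. Select traffic by destination network.
access-list PRIORITY_BY_DST extended permit ip any 198.51.100.0 255.255.255.0
class-map PRIORITY_CLASS
 match access-list PRIORITY_BY_DST
!
! 2. Matched traffic goes to the low-latency queue; everything else is rate-limited.
!    (priority and police cannot be combined in one class, hence two classes.)
policy-map OUTSIDE_QOS
 class PRIORITY_CLASS
  priority
 class class-default
  police output 8000000 1500000 conform-action transmit exceed-action drop
!
! 3. Enable the priority queue on the egress interface and apply the policy there.
priority-queue outside
service-policy OUTSIDE_QOS interface outside
!
! Verify: per-class counters, and whether the priority queue is dropping under load.
show service-policy interface outside priority
show service-policy interface outside police
show priority-queue statistics outside
```

    The separate-IP advice in the reply matters here because the class-map matches on addresses as the ASA sees them when the policy is evaluated; if VoIP, VPN and PAT traffic all share one outside address it becomes hard to write an ACL that picks out only the flows you mean. Policing the bulk traffic below the uplink rate, as in class-default above, is what actually creates headroom during a large download or upload; the priority queue only orders what the ASA has to send.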

  • ERROR: NAT unable to reserve ports.

    Hi guys,
    I am trying to let PPTP VPN traffic pass through a new Cisco ASA 5505 but I cannot NAT any UDP traffic using the outside interface as the public IP for the incoming VPN connections.
    The error appears when I run these commands:
    object network CUSTOMER-VPN-SERVER-INTERNAL
     nat (inside,outside) static interface service udp isakmp isakmp
    I get the following error:
    ERROR: NAT unable to reserve ports.
    My version is:
    Cisco Adaptive Security Appliance Software Version 8.4(2)18
    Device Manager Version 6.4(5)
    Here below is my configuration (sanitized as much as I could). Can you please help me find out where my mistake is?
    ASA Version 8.4(2)18
    hostname CUSTOMER-SITE1
    domain-name CUSTOMER
    names
    name 192.168.31.0 CUSTOMER-SITE1
    name 192.168.32.0 CUSTOMER-SITE2
    name 192.168.32.253 CUSTOMER-SITE2-FW-LAN
    name YYY.YYY.YYY.YYY CUSTOMER-SITE2-FW-WAN
    name 192.168.31.253 CUSTOMER-SITE1-FW-LAN
    name XXX.XXX.XXX.XXX CUSTOMER-SITE1-FW-WAN
    name 192.168.31.2 USER-TEST-PC
    name 192.168.31.30 CUSTOMER-SITE1-VPN-SERVER-PRIVATE
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.30.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address CUSTOMER-SITE1-VPN-SERVER-PUBLIC 255.255.255.252
    object network CUSTOMER-SITE1
     subnet 192.168.31.0 255.255.255.0
    object network CUSTOMER-SITE2
     subnet 192.168.32.0 255.255.255.0
    object network USER-TEST-PC
     host 192.168.31.186
    object network CUSTOMER-SITE1-VPN-SERVER-PUBLIC
     host 116.212.244.138
     description Created during name migration
    object network CUSTOMER-SITE1-VPN-SERVER-INTERNAL
     host 192.168.31.30
     description VPN SERVER
    object-group service DM_INLINE_SERVICE_1
     service-object tcp destination eq pptp
     service-object udp destination eq 4500
     service-object udp destination eq isakmp
     service-object gre
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object gre
    access-list outside_1_cryptomap extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
    access-list inside_nat0_outbound extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object CUSTOMER-SITE1-VPN-SERVER-INTERNAL
    access-list outside_access_in extended permit tcp any object USER-TEST-PC eq www
    nat (inside,any) source static CUSTOMER-SITE1 CUSTOMER-SITE1 destination static CUSTOMER-SITE2 CUSTOMER-SITE2 no-proxy-arp
    object network CUSTOMER-SITE1
     nat (inside,outside) dynamic interface
    object network USER-TEST-PC
     nat (inside,outside) static interface service tcp www www
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer CUSTOMER-SITE2-FW-WAN
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
    lifetime seconds 86400
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 116.212.199.226 type ipsec-l2l
    tunnel-group 116.212.199.226 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect pptp
    Thanks,
    Dario

    (sanitized)
    ASA Version 8.4(2)18
    hostname xxxxxx
    enable password xxxxxx
    passwd xxxxxx
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxxxxx 255.255.255.224
    boot system disk0:/asa842-18-k8.bin
    ftp mode passive
    clock timezone SGT 8
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xxxxxx
    name-server xxxxxx
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Public_Address
    host xxxxxx
    object network VPN-TCP
    host 192.168.1.2
    object network VPN-UDP
    host 192.168.1.2
    object network xxxxxx
    host 192.168.1.2
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object gre
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in_1 extended permit gre any host 192.168.1.2
    access-list outside_access_in_1 remark VPN TCP Connection
    access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp
    access-list outside_access_in_1 remark VPN UDP Connection
    access-list outside_access_in_1 extended permit udp any object VPN-UDP eq isakmp
    access-list inside_access_in remark All inside to outside connections
    pager lines 24
    logging enable
    logging asdm informational
    logging mail alerts
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    object network VPN-TCP
    nat (inside,outside) static interface service tcp pptp pptp
    object network VPN-UDP
    nat (inside,outside) static interface service udp isakmp isakmp
    object network Kaseya-TCP
    nat (inside,outside) after-auto source dynamic any interface description Default NAT from Inside to Outside
    access-group inside_access_in in interface inside
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 XXXXXX
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable 11443
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    http redirect inside 80
    snmp-server host inside 192.168.1.2 community *****
    snmp-server host inside 192.168.1.5 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec fragmentation after-encryption inside
    crypto ipsec fragmentation after-encryption outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        XXXXXX
      quit
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh XXXXXX 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd dns XXXXXX XXXXXX interface inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 118.107.60.254 source outside
    ntp server 121.0.0.41 source outside
    ntp server 202.60.94.11 source outside prefer
    webvpn
    port 11443
    enable outside
    group-policy DfltGrpPolicy attributes
    webvpn
      url-list value Administration
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username XXXX password XXXXXX encrypted privilege 15
    vpn-group-policy DfltGrpPolicy
    tunnel-group ClientlessVPN type remote-access
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ctiqbe
      inspect dcerpc
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ipsec-pass-thru
      inspect mgcp
      inspect snmp
      inspect waas
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:af0d8ba03c99dd37540a4d0a4bf569d2
    : end

  • 851W - mac address changes destination port on bridge

    Hello,
    We have a 851w configured in bridge mode between the wireless lan and the wired local lan.
    The mac addresses of the machines connected through wire keep changing the destination port on where they are registered.
    If they are on FastEthernetX everything works ok, when they are on VLAN1 we lose connection between wired and wireless clients.
    NORMAL OPERATION
    Destination Address  Address Type  VLAN  Destination Port
    0019.7d83.xxxx       Dynamic       1     Vlan1
    0021.8656.xxxx       Dynamic       1     FastEthernet0
    0022.9064.xxxx       Self          1     Vlan1
    ERROR: NO NETWORK
    Destination Address  Address Type  VLAN  Destination Port
    0019.7d83.xxxx       Dynamic       1     Vlan1
    0021.8656.xxxx       Dynamic       1     Vlan1
    0022.9064.xxxx       Self          1     Vlan1
    I tried to debug using the various debug arp commands but didn't find any useful info.
    Why does it change the destination port?
    How can I make it stable?
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname UM01
    boot-start-marker
    boot system flash:/c850-advsecurityk9-mz.124-11.XW6.bin
    boot-end-marker
    logging buffered 51200 warnings
    dot11 ssid UM01
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 00101615105E3F233C1569
    ip cef
    bridge irb
    interface FastEthernet0
    no ip address
    ip virtual-reassembly
    ! the "interface Dot11Radio0" header is missing from the pasted config; the radio commands below belong to it
    interface Dot11Radio0
    no dot11 extension aironet
    encryption vlan 1 mode ciphers aes-ccm
    ssid UM01
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2412
    station-role root
    no cdp enable
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    interface BVI1
    description Bridge to Internal Network
    ip address 10.10.189.254 255.255.255.0
    no ip http server
    no ip http secure-server
    no cdp run
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    privilege level 15
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input ssh
    scheduler max-task-time 5000
    end

    FYI, the solution we found was to force the mac address of each wired computer to a physical interface and vlan 1.
    This seems to have stabilized the communications, no more mac address hopping between destination ports.

  • ALSB SNMP Destination Port Change

    Hi,
    When we configure SNMP Destination in ALSB, its "localhost" and port is 162.
    Can we change the SNMP Destination Port number in ALSB?
    Any help would be appreciated
    Jon

    The 2 questions you are asking are the same:
    The Port on the content rule is how traffic enters the box (incoming request port)
    The Port on the service is how traffic will be sent to the server.
    By using different ports on the service and content rule you invoke port address translation, which you need for question 2

  • 2950C Unable to ping destination port in monitor session

    I have 2 Pix firewalls and a web filtering server running Surfcontrol. In order for Surfcontrol to filter web usage it has to see the traffic being sent to the firewalls. I have created a monitor session and have used the firewall ports as the source with transmit and receive, and the web filter server as the destination. However when I do this I am not able to ping the web filter server. The web filter is unable to function, i.e. block websites based on the rules that we have set up, if the destination port is unable to send packets to internal workstations.
    Is there anything I can do to allow the destination port to be able to send packets to internal workstations?

    Hi Friend,
    When you configure a SPAN destination port, that port will just work as a monitoring port and will not work for general network traffic.
    If you do "sh int" you will see line protocol down (monitoring)
    Now if you want that port to monitor as well as take part in the normal network, you have to enable ingress traffic on the destination port:
    "monitor session session_number destination interface interface-id [ingress vlan vlan-id]"
    Check this link for more details
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm#1218090
    HTH
    Ankur
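
    As an added illustration of the command Ankur cites (not configuration posted by either participant), this is what a complete 2950 SPAN session looks like with ingress forwarding enabled on the destination port. The interface numbers and the VLAN are assumptions: the two PIX firewalls are taken to be on FastEthernet0/1 and 0/2, the SurfControl server on FastEthernet0/24, and the workstations in VLAN 1.

    ```cisco
    ! Assumed layout: firewalls on Fa0/1 and Fa0/2, filter server on Fa0/24,
    ! workstations in VLAN 1. Adjust to the real port numbers.
    configure terminal
     ! Mirror both directions of each firewall port into session 1.
     monitor session 1 source interface FastEthernet0/1 both
     monitor session 1 source interface FastEthernet0/2 both
     ! "ingress vlan 1" lets frames sent BY the filter server enter the switch
     ! through the SPAN destination port (untagged frames are placed in VLAN 1),
     ! which is what makes the server reachable and able to send block pages
     ! and replies to workstations. Without it the port is monitor-only.
     monitor session 1 destination interface FastEthernet0/24 ingress vlan 1
    end
    ! Verify the session; the destination should list ingress as enabled.
    show monitor session 1
    ```

    Two things to keep in mind: the ingress option only restores the server's own connectivity, the mirrored copy of the firewall traffic is still one-way, and the SPAN destination port cannot be a member of any other SPAN session or an EtherChannel on this platform.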
