How do I NAT based on destination port while source port can be ANY
Goal - I want to forward Internet-bound HTTP and HTTPS traffic to a proxy via an IPsec tunnel - I want to maintain my private IP as it goes across the IPsec tunnel - I also want the remaining Internet traffic to route normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snap shot of the config:
object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
 nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based.
A static policy NAT with an access list will not work as you must specify a single source port - since there is no way to predict the source port this won't work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.
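To make the 8.4 behaviour above concrete, here is an added Python model (not the poster's configuration and not Cisco code) of how the ASA walks the three NAT statements: section 1 manual NAT in configuration order, then section 2 object NAT, first match wins. The outside interface address 203.0.113.10, the inside host 10.1.1.5 and the destination 198.51.100.7 are constructed values; interface pairs and section 3 after-auto rules are deliberately left out of the model.

```python
"""Added model of ASA 8.4 NAT evaluation for the three rules in the post.

Assumptions (not from the original post): the outside interface address
203.0.113.10, the inside host and the Internet destination are constructed
sample values. Port numbers follow the IANA names used in the post
(www = 80, https = 443).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as seen on the inside interface before translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ServiceObject:
    """Mirrors 'object service X' / 'service tcp destination eq N'."""
    name: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """A NAT statement in section 1 (manual/twice NAT) or section 2 (object NAT).

    translate_to=None models an identity translation ('static any any'):
    the real source IP is kept, which is what lets the private address
    survive onto the IPsec tunnel towards the proxy.
    """
    name: str
    section: int
    service: Optional[ServiceObject]
    translate_to: Optional[str]

    def matches(self, flow: Flow) -> bool:
        if self.service is None:          # no service clause: any port, any protocol
            return True
        # A service object with only a 'destination' clause constrains the
        # destination port; the source port stays 'any'.
        return flow.proto == self.service.proto and flow.dst_port == self.service.dst_port


OUTSIDE_IF_IP = "203.0.113.10"            # constructed outside interface address

PROXY_HTTP = ServiceObject("Proxy_HTTP", "tcp", 80)
PROXY_HTTPS = ServiceObject("Proxy_HTTPS", "tcp", 443)

# Configuration order within a section matters; section 1 is evaluated before 2.
RULES: List[NatRule] = [
    NatRule("nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP",
            1, PROXY_HTTP, None),
    NatRule("nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS",
            1, PROXY_HTTPS, None),
    NatRule("object network Non_Proxy / nat (any,outside) dynamic interface",
            2, None, OUTSIDE_IF_IP),
]


def translate(flow: Flow, rules: List[NatRule] = RULES) -> Tuple[str, str]:
    """Return (name of the first matching rule, translated source IP).

    Section 1 rules are tried in configuration order before any section 2 rule;
    the first match wins, which is how the ASA walks its NAT table.
    """
    ordered = sorted(rules, key=lambda r: r.section)   # stable sort keeps config order
    for rule in ordered:
        if rule.matches(flow):
            new_src = flow.src_ip if rule.translate_to is None else rule.translate_to
            return rule.name, new_src
    return "no NAT rule matched", flow.src_ip


def source_port_is_irrelevant(dst_port: int, proto: str = "tcp") -> bool:
    """Check the property the poster relies on: for a given destination port the
    outcome is identical whatever ephemeral source port the client picked."""
    outcomes = {translate(Flow("10.1.1.5", sp, "198.51.100.7", dst_port, proto))
                for sp in (1024, 32768, 49152, 65535)}
    return len(outcomes) == 1


if __name__ == "__main__":
    for f in (Flow("10.1.1.5", 49152, "198.51.100.7", 80),
              Flow("10.1.1.5", 51000, "198.51.100.7", 443),
              Flow("10.1.1.5", 49152, "198.51.100.7", 22),
              Flow("10.1.1.5", 49152, "198.51.100.7", 80, "udp")):
        rule, src = translate(f)
        print(f"{f.proto}/{f.dst_port}: src {f.src_ip} -> {src}  via  {rule}")
```

Only TCP flows to destination 80 or 443 keep their private source address; everything else, including UDP to port 80, falls through to the interface PAT rule.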
Karen-
Results: Did not work. The web based shortcuts did not appear.
Below are the steps taken with your tips incorporated. (Again, it's lengthy, sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it.)
Here is what was done:
1. Installed a fresh install of Windows 8.1 Enterprise on a PC. No updates were run.
2. During setup created the admin account.
3. Logged into the account a simple start screen was arranged and setup by:
Starting desktop Internet Explorer, going to TechNet's website, clicking Tools and then selecting "Add site to Apps" from the drop-down menu. Went to the Apps screen, right-clicked and pinned it to the Start screen. Repeated this procedure with an educational web-based site.
Right clicked a few provisioned apps and unpinned them from the start screen.
Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
export-startlayout -path C:\Users\Public\Master.xml -as xml
(Master is the name chosen for this test .xml file and it was put in a location all users would have privileges to access.)
5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar, I chose the Start Screen Layout.
7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
9. Logged out of the initial account and logged into the newly created Alpha account.
10. When the Alpha account logged in, the Start screen came up with everything changed in the initial account, but no web-based shortcuts were found on the Start screen or in the Apps view.
Similar Messages
How to read a data from USB port using JAVA
hi all,
I need to know how to read data from a USB port using Java. Are there any APIs available for Java? Please give your valuable ideas!
Thanks in advance!
You can do this. Please use this link:
[http://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=uHu&q=java+read+data+from+usb+port&btnG=Search&meta=&aq=f&oq=]
What research did you do on your own? Have you written a test application and tried it yourself?
How to determine the destination port from an audit failure event
I have a bunch of audit failure events (4625) in our security log. The details only show the source address and port but no destination port info. Is there any way I can find out that info? What I really want to know is what application\port these login attempts try to authenticate into.
Thanks
Hi,
I am not aware of any way to determine the destination port based on event logs. However, you can try to use NetMon or other software to capture packets to see if that works.
As for application, you can check the Process Information in the event.
Best Regards,
Amy
Route decisions based on destination TCP port with EIGRP
Need information and plausibility on making routing decisions within EIGRP based on different destination TCP ports. I have a third-party partner that we communicate with and they are adding a second location which we will connect to. They are wanting to use the same destination host IP but make the route decision based on destination TCP port; i.e. if we target TCP 6123 they want us to route down link A to site A, if we target TCP 7123 we would route down link B to site B. I have never had to make that happen so I am looking into whether it actually can be done and if so what the basic configuration to pursue is. We use static IP routes to/from them today and will in the future at the edge; those are redistributed internally into our EIGRP. Can EIGRP make decisions based on IP and port?
No routing protocol makes decisions based on port number as far as I know.
You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
Depending on your connections you may well need to use tracking as well but it depends.
If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
If you do a search on PBR you should find quite a few examples, but if you get stuck then by all means come back.
SRP547W, How to use multiple WAN IPs for port forwarding?
Hi folks,
We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our public IPs...
Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
a.b.c.208 Network Address (/29 subnet)
a.b.c.209 ISP Gateway
a.b.c.210 IP1
a.b.c.211 IP2
a.b.c.212 IP3
a.b.c.213 IP4
a.b.c.214 IP5
a.b.c.215 Broadcast Address
On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1:
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2:
VLAN ID: 4000 (Chosen arbitrarily)
Connection Type: Static IP
Internet IP Address: a.b.c.211
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
When we try to do so however we get:
Fail!
Conflict with Ether_WAN2 interface address type
I should mention at this point that we're running on firmware version 1.02.01 (023).
Any suggestions on how we can proceed?
Is there a CLI or other method of configuration that might work if the web interface won't?
Thanks,
Tim.
OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
We'd now like to expose a server function on IP2, let's say LAN details for this server are:
VLAN: 3000
VLAN IP Range: 192.168.1.1/24
Server IP: 192.168.1.10
Server Port: 80
So first we turn on Software DMZ:
Status: Enabled
Public IP: a.b.c.211
Private IP: 192.168.1.10
WAN Interface: Ether_WAN2
My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
In Interface (WAN): All
Out Interface (LAN): VLAN.3000
Source IP: 0.0.0.0
Source Subnet: 0.0.0.0
Destination IP: 192.168.1.10
Destination Subnet: 255.255.255.255
Protocol: TCP
Source Port: Any
Destination Port: Single:80
Action: Permit
Schedule: Everyday
Times: 24 Hours
Still no dice. What am I missing?
Cheers,
Tim.
How do I set up my AirPort Extreme to do port forwarding? Running 10.7.4. I have an IP camera on my local wireless network that I want to use from my iPhone 4S and other computers.
In most cable systems, the router you have will plug into your modem and just work automatically. A NAT (Network Address Translation) router takes your external IP and hands out LAN (Local Area Network) based IPs. All of the devices you are working with right now should handle the change automatically unless you've changed from the default automatic configuration.
The problem with your wireless end of this is that the iPhone is not yet 802.11n, only 802.11g. Because that router is not dual band, all of your Wi-Fi devices will be forced to slow down to 802.11g speeds. This won't matter much for each device that's connecting to the internet, as your bottleneck is still going to be there. Where you will see slowdowns is device-to-device connections, like transferring data between the devices.
WRT54G Incoming Log Destination Port 520
I am trying to understand an [Incoming Log Table] entry that recurs, i.e. in the page that presents itself when I navigate to the [Administration] Panel / [Log] Tab and then click the [Incoming Log] button:
=================================
Incoming Log Table
Source IP = 178.33.xxx.yyy
Destination Port Number = 520
=================================
After I clear the Log (i.e. turn it off, save settings, turn it on again, save settings) the entry will reappear after a few days.
I have never seen any other incoming log entry.
Since it has been pressed into service several years ago, my WRT54G has been configured to block any and all incoming connections. The settings as they continue to appear (under the [Security] Panel / [Firewall] Tab) are:
=================================
Checked (Yes) = [Block Anonymous Internet Requests]
Checked (Yes) = [Filter Multicast]
Checked (Yes) = [Filter Internet NAT Redirection]
Checked (Yes) = [Filter IDENT (Port 113)]
=================================
I continue to have disabled all port forwarding, port triggering, the DMZ, and QoS, via the applicable tabs under the [Applications & Gaming] Panel. The WRT54G continues to be configured to operate as a Gateway (via the [Settings] Panel / [Advanced Routing] Tab). No static routes are defined. The routing table shows four entries, none of which are remarkable or match in any way the partial address identified above.
So I am under the impression that my WRT54G should be ignoring everything from the WAN-side.
Even pinging the WAN-side of my router from the outside internet times out.
My WRT54G ver 6 is at firmware level 1.02.8, which, as far as I can tell is the latest issued by Cisco.
I am completely perplexed how such a connection is being established, and do not know if it is or has the potential of causing any harm. My own research indicates port 520 is typically used for RIP protocol, but I have almost zero knowledge of such.
I certainly appreciate any elucidation.
My thanks for your attention.
bonski wrote:
Forgive me if I seem flippant, but I am not sure what kind of "glitch" you are looking to correct. If performing a factory reset procedure were already known to correct a specific problem, then I would seriously consider it. If performing a factory reset did not run the risk of injecting more problems through the process of having to redo firmware updates and settings, then I would seriously consider it. I am truly seeking insight into understanding the nature of the symptoms, and why they may be occurring. I am not looking for trial and accidental success.
Thank you for your thoughts.
Hi bonski,
The log means that the IP 178.33.xxx.yyy (which is from your ISP) sends logs to port 520. Port 520 is your router. I believe it is saying that your ISP simply sends data to your router. This is normal since your router gets its internet connection from the ISP. This is, by the way, based on my understanding from the research I've made.
This might help:
http://www.pc-library.com/ports/tcp-udp-port/520/
http://www.auditmypc.com/udp-port-520.asp
http://www.iss.net/security_center/advice/Exploits/Ports/520/default.htm
How to change the Number of IVR ports in a UCCX?
I know this question has been asked before but it needs to be asked again, as previous answers do not seem to apply. The simple question is: If you have a UCCX and if after install you check License information and you note that you have 150 IVR ports, how do you increase the number of ports to 300?
I have been told that the number of ports is set by the class of the machine hardware and is not a license issue. Others have suggested it is a license issue? At the end of the day, however, I want a step by step procedure for adding more IVR ports to my deployment. Even if that means buying more licenses (though I can not find a SKU).
I have several clients that have UCCX and are having calls that exceed the number of IVR ports. Before we get into a discussion of CTI ports or Call Control Groups, let me state that I think they are the same. I can create a CTI Call Control Group with 300 paths, but if I only have 150 IVR ports I am in serious trouble on the 151st call!
I had a lab system that installed under vmware with 150 ports. No matter how I tried to configure the CVA it always came up 150 ports! I added a NFR license to my lab and magically it turned it into a 12 IVR system, so licensing does have something to do with it!
I have had this experience on Version 8 and now on Version 9! I need more IVR ports than appear in the installation. I want to know exactly the steps needed to increase the number of IVR ports to the maximum of 300 for an Enhanced system!
I can refer Cisco TAC to several tickets I have opened on this subject, all with unsatisfactory answers! Most recently 626743961
Peter Buswell (aka DrVoIP)
http://blog.drvoip.com
Here's the long answer
Peter Buswell wrote: I know this question has been asked before but it needs to be asked again, as previous answers do not seem to apply. The simple question is: If you have a UCCX and if after install you check License information and you note that you have 150 IVR ports, how do you increase the number of ports to 300?
Since I see below that you mentioned that the system in question is Enhanced, the answer is simply, install on faster hardware. Presently the best hardware you can get is VMWare ESXi with the 400 Agent License OVA, which gives you 400 IVR Port Licenses.
Standard licensing works the same as Enhanced, as far as IVR Port licenses go.
If you were wondering about Premium, then it's a 1:2 ratio of agents:ports. You cannot buy Premium ports directly; instead you buy them indirectly through the process of buying Premium Agent seats. So if you had a Premium UCCX with 100 Agents, you would have 200 ports, and if you desired to have 250 ports, you simply buy 25 more Premium Agent seats. Premium does still need to adhere to the hardware limits. I have seen partners sell someone an Enhanced UCCX which gave them 300 ports, but they only had like 50 Agents. A year later, the customer upgraded to Premium, but only bought 50 seats, and thus downgraded their port license count to 100. A third of what they had! The solution? Buy 100 more Premium Agent seats so your total goes up to 150 Agents, and thus your ports go up to 300.
Peter Buswell wrote:I have been told that the number of ports is set by the class of the machine hardware and is not a license issue. Others have suggested it is a license issue?
These are both correct statements. Just remember, that it's licensed based first for Premium, then hardware limited. Standard and Enhanced are hardware limited only.
Peter Buswell wrote:At the end of the day, however, I want a step by step procedure for adding more IVR ports to my deployment. Even if that means buying more licenses (though I can not find a SKU).
Again, for Standard and Enhanced, you need to move to bigger/better hardware to get more ports, assuming you're not already at the maximum of 400.
Here is the document which walks you through moving to bigger hardware: Disaster Recovery Guide
And for Premium, you need to purchase the SKU for a Premium Agent Seat license. It's a 1:2 ratio for agents:ports.
Peter Buswell wrote:I have several clients that have UCCX and are having calls that exceed the number of IVR ports.
I'm not a partner, nor in sales, but I thought there was an A2Q process which validates CC designs for sales people. At any rate, it sounds like they were either under sized or outgrew their overhead, and something needs to be done.
Sometimes you can simply dump excess calls off. Think about playing a high call volume message to callers and then drop them.
Other times you can drop them into voicemail, and come back to it later.
I've seen some basic call back functionality implemented with an external data source, which could alleviate ports.
Lastly, I've seen improperly designed scripts which loop on themselves or other scripts, causing a high port usage.
My point is that there's a few options here, outside of simply increasing the size of the server or purchasing new licenses. There's no one size fits all answer though.
Peter Buswell wrote: Before we get into a discussion of CTI ports or Call Control Groups, let me state that I think they are the same.
Are you saying that CTI Ports and Call Control Groups are the same? Or that CTI Ports/CCG's are the same as IVR Port Licenses? Cause the former is true, while the latter is not. Think "oversubscribed" CTI Ports.
Sometimes it is advantageous to oversubscribe your CTI Ports, to achieve a more dynamic environment. E.g., I have 100 ports, and all 100 are used for inbound calls. I develop a single inbound app, which is limited to 10 ports, and handles small bursts of calls. What happens is that, if the new inbound app is running, the most it can "steal" from the inbound calls is 10 ports. However, if the app is not running (because it doesn't run all day; it's mostly bursty in nature), I can still have my regular inbound calls go all the way up to 100.
Peter Buswell wrote:I can create a CTI Call Control Group with 300 paths, but if I only have 150 IVR ports I am in serious trouble on the 151 call!
This is true. Again, you need to decide if you really need the extra ports, or if there is some solution to this problem without making a hardware/license purchase. These kinds of problems still exist for customers at the 400 port level, and they don't have the option to "buy more."
Well, that's not entirely true. While you cannot grow past the 400 port limit today, you could install another UCCX instance on the same CUCM cluster, effectively doubling your capacity, but breaking your administration into two separate domains.
Peter Buswell wrote:I had a lab system that installed under vmware with 150 ports. No matter how I tried to configure the CVA it always came up 150 ports!
What's CVA?
Peter Buswell wrote:I added a NFR license to my lab and magically it turned it into a 12 IVR system, so licensing does have something to do with it!
The NFR is most likely a Premium license. Refer back to the 1:2 ratio, and that would tell me you have an NFR license for 6 Premium Agents. Installing a higher level license on a lower level licensed system brings the whole system up to the higher level. Recall my partner story about the Enhanced to Premium upgrade scenario.
Peter Buswell wrote: I have had this experience on Version 8 and now on Version 9!
The licensing doesn't change from 8x to 9x.
Peter Buswell wrote: I need more IVR ports than appear in the installation. I want to know exactly the steps needed to increase the number of IVR ports to the maximum of 300 for an Enhanced system!
You buy bigger/better hardware, and use the link I provided above for moving to that new hardware.
Peter Buswell wrote: I can refer Cisco TAC to several tickets I have opened on this subject, all with unsatisfactory answers! Most recently 626743961
I would be surprised if there is a single Cisco TAC person who doesn't understand this simple IVR Port licensing model. Perhaps there was some miscommunication about what was being asked, and what answer was being given.
I hope that helped to clarify some things for you. Also, if you are a partner, reach out to your CAM and ask for a one on one with a UCCX guru who can sit down with you. Cisco would want you to be successful with selling their products.
Anthony Holloway
Please use the star ratings to help drive great content to the top of searches.
Setting Forward Lookup Zones in DNS based on the port queried
I have the following problem.
We are using Dynamic DNS to access our site and the modem/router differentiates via port forwarding what server the query goes to based on the port number ie all request go to abc.dyndns.org:port number.
Based on the port, e.g. port 3389 goes to server 1 (192.168.0.1), port 8080 goes to server 2 (192.168.0.2), port 80 goes to server 3 (192.168.0.3). This all works well if you are entering from OUTSIDE the local network.
INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
How do I get abc.dyndns.org:other ports to go to the other servers' IP addresses, as you can only set up one Host A record of abc.dyndns.org to one address (192.168.0.1), if someone queries from INSIDE the local network where the modem/router does not come into play?
As I said before, DNS doesn't do this. DNS has nothing to do with port resolution. It's purely a name to IP or IP to name resolution. THAT'S IT!
But you can port translate each individual port from the WAN IP to different IPs internally. I thought I said that earlier? Maybe I wasn't clear. I apologize for not fully explaining it, for I thought you understood that part.
Revisiting the bottom of your original post:
INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
How do I get abc.dyndns.org:other ports to go to the other servers' IP addresses, as you can only set up one Host A record of abc.dyndns.org to one address (192.168.0.1), if someone queries from INSIDE the local network where the modem/router does not come into play?
You still have to specify the port internally. Assuming mail.domain.com is server4 (since you didn't specify that port in your original post), you simply create a mail.domain.com zone and give it a blank IP for (making this up) 192.168.0.3, then type in the same exact thing you would do from the outside:
http://mail.domain.com:8083/folder
Like I said, it's in the application. DNS just resolves to an IP. There are 65,536 port numbers, and DNS does not deal with resolving any of them. That's the responsibility of the application or service and the client (such as a browser) connecting to it.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
How do I set up jms destination of OSB Alert?
According to the document description, a JMS destination URI is in the format jms://host:port/factoryJndiName/destJndiName. My JMS is on a cluster, so I set this URI: jms://10.1.1.100:8001,10.1.1.101:8001,10.1.100:8002,10.1.1.101:8002/factoryJndiName/destJndiName.
When the machine (10.1.1.100) was shut down, the alert errored and said "can not find JMS destination".
How do I set up the JMS destination? Thanks!
Edited by: user12382989 on 2009-12-23 5:03 PM
Did you consider using a JMS distributed destination for your use case?
http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs103/jms/dds.html
Manoj
Prioritize traffic based on destination IP?
Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
Thanks!
Jerry, I would try something like the second config example I mentioned. Keep in mind, if the ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VoIP traffic high priority, it should go out the interface first during congestion. You don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VoIP traffic, VPN traffic and user PAT (outbound NAT) traffic on separate IPs. That will help when defining the access lists. This QoS stuff is kind of tricky and a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to the ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VoIP traffic. The same results apply when I test a big upload to the internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I used the show QoS commands to see traffic drops, etc., so YMMV!
Take a look at this link for ASA 7.X release, which may give you some ideas:
"QoS based on ACL with VPN Configuration" You can change the ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Will
ERROR: NAT unable to reserve ports.
Hi guys,
I am trying to let PPTP VPN traffic pass through a new Cisco ASA 5505, but I cannot NAT any UDP traffic using the outside interface as the public IP for the incoming VPN connections.
The error appears when I run these commands:
object network CUSTOMER-VPN-SERVER-INTERNAL
 nat (inside,outside) static interface service udp isakmp isakmp
I get the following error:
ERROR: NAT unable to reserve ports.
My version is:
Cisco Adaptive Security Appliance Software Version 8.4(2)18
Device Manager Version 6.4(5)
Below is my configuration (sanitized as much as I could). Can you please help me find out where my mistake is?
ASA Version 8.4(2)18
hostname CUSTOMER-SITE1
domain-name CUSTOMER
names
name 192.168.31.0 CUSTOMER-SITE1
name 192.168.32.0 CUSTOMER-SITE2
name 192.168.32.253 CUSTOMER-SITE2-FW-LAN
name YYY.YYY.YYY.YYY CUSTOMER-SITE2-FW-WAN
name 192.168.31.253 CUSTOMER-SITE1-FW-LAN
name XXX.XXX.XXX.XXX CUSTOMER-SITE1-FW-WAN
name 192.168.31.2 USER-TEST-PC
name 192.168.31.30 CUSTOMER-SITE1-VPN-SERVER-PRIVATE
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address CUSTOMER-SITE1-VPN-SERVER-PUBLIC 255.255.255.252
object network CUSTOMER-SITE1
 subnet 192.168.31.0 255.255.255.0
object network CUSTOMER-SITE2
 subnet 192.168.32.0 255.255.255.0
object network USER-TEST-PC
 host 192.168.31.186
object network CUSTOMER-SITE1-VPN-SERVER-PUBLIC
 host 116.212.244.138
 description Created during name migration
object network CUSTOMER-SITE1-VPN-SERVER-INTERNAL
 host 192.168.31.30
 description VPN SERVER
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq pptp
 service-object udp destination eq 4500
 service-object udp destination eq isakmp
 service-object gre
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object gre
access-list outside_1_cryptomap extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
access-list inside_nat0_outbound extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object CUSTOMER-SITE1-VPN-SERVER-INTERNAL
access-list outside_access_in extended permit tcp any object USER-TEST-PC eq www
nat (inside,any) source static CUSTOMER-SITE1 CUSTOMER-SITE1 destination static CUSTOMER-SITE2 CUSTOMER-SITE2 no-proxy-arp
object network CUSTOMER-SITE1
 nat (inside,outside) dynamic interface
object network USER-TEST-PC
 nat (inside,outside) static interface service tcp www www
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer CUSTOMER-SITE2-FW-WAN
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 116.212.199.226 type ipsec-l2l
tunnel-group 116.212.199.226 ipsec-attributes
 ikev1 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
Thanks,
Dario (sanitized)
ASA Version 8.4(2)18
hostname xxxxxx
enable password xxxxxx
passwd xxxxxx
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxxxxx 255.255.255.224
boot system disk0:/asa842-18-k8.bin
ftp mode passive
clock timezone SGT 8
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxxxxx
name-server xxxxxx
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Public_Address
host xxxxxx
object network VPN-TCP
host 192.168.1.2
object network VPN-UDP
host 192.168.1.2
object network xxxxxx
host 192.168.1.2
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object gre
access-list outside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit gre any host 192.168.1.2
access-list outside_access_in_1 remark VPN TCP Connection
access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp
access-list outside_access_in_1 remark VPN UDP Connection
access-list outside_access_in_1 extended permit udp any object VPN-UDP eq isakmp
access-list inside_access_in remark All inside to outside connections
pager lines 24
logging enable
logging asdm informational
logging mail alerts
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
object network VPN-TCP
nat (inside,outside) static interface service tcp pptp pptp
object network VPN-UDP
nat (inside,outside) static interface service udp isakmp isakmp
object network Kaseya-TCP
nat (inside,outside) after-auto source dynamic any interface description Default NAT from Inside to Outside
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXX
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 11443
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http redirect inside 80
snmp-server host inside 192.168.1.2 community *****
snmp-server host inside 192.168.1.5 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec fragmentation after-encryption inside
crypto ipsec fragmentation after-encryption outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
XXXXXX
quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh XXXXXX 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd dns XXXXXX XXXXXX interface inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 118.107.60.254 source outside
ntp server 121.0.0.41 source outside
ntp server 202.60.94.11 source outside prefer
webvpn
port 11443
enable outside
group-policy DfltGrpPolicy attributes
webvpn
url-list value Administration
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
username XXXX password XXXXXX encrypted privilege 15
vpn-group-policy DfltGrpPolicy
tunnel-group ClientlessVPN type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ctiqbe
inspect dcerpc
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect snmp
inspect waas
inspect pptp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0d8ba03c99dd37540a4d0a4bf569d2
: end
851W - mac address changes destination port on bridge
Hello,
We have a 851w configured in bridge mode between the wireless lan and the wired local lan.
The mac addresses of the machines connected through wire keep changing the destination port on where they are registered.
If they are on FastEthernetX everything works ok; when they are on VLAN1 we lose connection between wired and wireless clients.
NORMAL OPERATION
Destination Address  Address Type  VLAN  Destination Port
0019.7d83.xxxx       Dynamic       1     Vlan1
0021.8656.xxxx       Dynamic       1     FastEthernet0
0022.9064.xxxx       Self          1     Vlan1
ERROR: NO NETWORK
Destination Address  Address Type  VLAN  Destination Port
0019.7d83.xxxx       Dynamic       1     Vlan1
0021.8656.xxxx       Dynamic       1     Vlan1
0022.9064.xxxx       Self          1     Vlan1
I tried to debug using the various debug arp commands but didn't find any useful info.
Why does it change the destination port?
How can I make it stable?
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname UM01
boot-start-marker
boot system flash:/c850-advsecurityk9-mz.124-11.XW6.bin
boot-end-marker
logging buffered 51200 warnings
dot11 ssid UM01
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 00101615105E3F233C1569
ip cef
bridge irb
interface FastEthernet0
no ip address
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers aes-ccm
ssid UM01
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no cdp enable
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 10.10.189.254 255.255.255.0
no ip http server
no ip http secure-server
no cdp run
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
end
FYI, the solution we found was to force the MAC address of each wired computer to a physical interface and VLAN 1.
This seems to have stabilized the communications; no more MAC address hopping between destination ports.
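Added example, not code from the thread: a small Python checker that diffs two bridge-table snapshots in the column format pasted above and flags learned MACs whose destination port changed, which is the hopping the poster describes. The sample snapshots are constructed from the two tables in the post; the regex, function names and the "ignore Self rows" rule are my assumptions.

```python
"""Detect MAC-address port hopping between two bridge-table snapshots (added example)."""
import re
from typing import Dict, List, Tuple

# One table row: MAC, address type, VLAN, destination port. The MAC pattern
# also accepts the 'xxxx' sanitisation used in the post (assumed layout).
ROW_RE = re.compile(
    r"^\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-fx]{4})\s+(Dynamic|Static|Self)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_table(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Return {mac: (type, vlan, port)} for every row that parses; headers are skipped."""
    entries: Dict[str, Tuple[str, int, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mac, kind, vlan, port = m.groups()
            entries[mac.lower()] = (kind, int(vlan), port)
    return entries


def find_port_moves(before: str, after: str) -> List[Tuple[str, str, str]]:
    """List (mac, old_port, new_port) for learned MACs whose port changed.
    'Self' rows are the bridge's own addresses and are ignored: they never move."""
    old, new = parse_table(before), parse_table(after)
    moves = []
    for mac, (kind, _vlan, port) in new.items():
        if kind.lower() == "self" or mac not in old:
            continue
        if old[mac][2] != port:
            moves.append((mac, old[mac][2], port))
    return moves


# Constructed snapshots, modelled on the two tables in the post.
NORMAL = """\
Destination Address  Address Type  VLAN  Destination Port
0019.7d83.xxxx       Dynamic       1     Vlan1
0021.8656.xxxx       Dynamic       1     FastEthernet0
0022.9064.xxxx       Self          1     Vlan1
"""
BROKEN = NORMAL.replace("FastEthernet0", "Vlan1")  # the wired host has hopped

if __name__ == "__main__":
    for mac, old_port, new_port in find_port_moves(NORMAL, BROKEN):
        print(f"ALERT: {mac} moved from {old_port} to {new_port}")
```

Run it periodically against fresh `show bridge` output and alert on any non-empty result; a static entry for the wired host, as the poster did, should make the list stay empty.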
ALSB SNMP Destination Port Change
Hi,
When we configure SNMP Destination in ALSB, its "localhost" and port is 162.
Can we change the SNMP Destination Port number in ALSB?
Any help would be appreciated
Jon
The 2 questions you are asking are the same:
The Port on the content rule is how traffic enters the box (incoming request port).
The Port on the service is how traffic will be sent to the server.
By using different ports on the service and content rule you invoke port address translation, which you need for question 2.
2950C Unable to ping destination port in monitor session
I have 2 Pix firewalls and a web filtering server running Surfcontrol. In order for Surfcontrol to filter web usage it has to see the traffic being sent to the firewalls. I have created a monitor session and have used the firewall ports as the source with transmit and receive, and the web filter server as the destination. However, when I do this I am not able to ping the web filter server. The web filter is unable to function, i.e. block websites based on the rules that we have set up, if the destination port is unable to send packets to internal workstations.
Is there anything I can do to allow the destination port to be able to send packets to internal workstations??
Hi Friend,
When you configure a SPAN destination port, that port will just work as a monitoring port and will not work for general network traffic.
If you do " sh int" you will see line protocol down (monitoring)
Now if you want that port to monitor as well as take part in the normal network, you have to enable ingress traffic on the destination port:
"monitor session session_number destination interface interface-id [ingress vlan vlan id]"
Check this link for more details
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm#1218090
HTH
Ankur