Mapping in XI - cannot access Global Container parameters
Hi all,
we have the following problem in graphical XI mapping.
Trying to retrieve the run-time value of a global parameter, we cannot access the value itself (e.g. test using "display queue" menu).
We use 2 simple user-defined functions (getIdoc and corresponding setIdoc).
The source code for our custom get/set methods is:
public String getIdoc(Container container){
    // This is a CUSTOM global parameter set <- cannot get the value itself
    //String codMsgExport = (String) container.getGlobalContainer().getParameter("idoc");
    //return codMsgExport.toString();
    GlobalContainer globalContainer;
    java.util.Map map;
    globalContainer = container.getGlobalContainer();
    map = globalContainer.getParameters();
    // This is a STANDARD global parameter set <- cannot get the value itself, as well
    String headerField = (String) map.get(StreamTransformationConstants.INTERFACE_NAMESPACE);
    return headerField;
}
public String setIdoc(String codMsgExport,Container container){
    container.setParameter("idoc", codMsgExport.toString());
    String retValue = (String) container.getGlobalContainer().getParameter("idoc");
    return retValue.toString();
}
=> in any case, the get method returns only blank values (testing via "display queue" with some custom values...)
It seems as if the parameter is seen as pointing to a non-existent variable: e.g. for getParameter("idoczz") the XI runtime returns a NullPointerException.
Some XI server details:
Runtime Environment
Java version: 1.4.2_06
Java vendor: Sun Microsystems Inc.
Version
Service pack: 14
Release: 30_REL
Thanks all!
Gianluca Tacchella
Hi Sudharshan and Bhavesh,
I forgot to put a value under the PARAMETERS tab (this is the reason for the blank value, thanks :)).
Anyway, modifying the standard runtime constant (at run time, via the set function) => the get function returns a single value (out) in "display queue", regardless of the test values entered: the initial value set under the PARAMETERS tab.
Using my (custom) global variable instead of the (standard) runtime constant => leads to a NullPointerException ("display queue" for the get function) EVEN IF I initialize the variable (e.g. an initIdoc() function called once at the top-level target message).
Under the JAVA_SECTIONS_TOOLTIP button:
Global Variables
String idoc;
Initialization Section
idoc = "";
Clean-Up Section
idoc = "";
public String initIdoc(Container container){
    GlobalContainer globalContainer;
    globalContainer = container.getGlobalContainer();
    // this is the only way NOT to get a NullPointerException
    if ( globalContainer.getParameter("idoc") == null )
        globalContainer.setParameter("idoc", "a");
    return globalContainer.getParameter("idoc").toString();
}
initIdoc:
out (*)
[a]
(*) despite the initialization under the JAVA_SECTIONS_TOOLTIP button
public void getIdoc(ResultList result,Container container){
    //String codMsgExport = (String) container.getGlobalContainer().getParameter("idoc");
    //return codMsgExport.toString();
    GlobalContainer globalContainer;
    java.util.Map map;
    globalContainer = container.getGlobalContainer();
    map = globalContainer.getParameters();
    //String headerField = (String) map.get(StreamTransformationConstants.INTERFACE_NAMESPACE);
    // this returns null (out stream)
    //String headerField = (String) map.get("idoc");
    //if ( globalContainer.getParameter("idoc") == null )
    //globalContainer.setParameter("idoc", "");
    // this returns NullPointerException
    String headerField = globalContainer.getParameter("idoc").toString();
    //result.addValue(headerField);
    // this returns NullPointerException
    //return headerField.toString();
    //return globalContainer.getParameter("idoc").toString();
    result.addValue(globalContainer.getParameter("idoc").toString());
}
=> leads to a NullPointerException
public String setIdoc(String codMsgExport,Container container){
    GlobalContainer globalContainer;
    globalContainer = container.getGlobalContainer();
    java.util.Map map;
    map = globalContainer.getParameters();
    //globalContainer.setParameter(StreamTransformationConstants.INTERFACE_NAMESPACE, codMsgExport.toString());
    //container.setParameter("idoc", codMsgExport.toString());
    //String retValue = (String) map.put(StreamTransformationConstants.INTERFACE_NAMESPACE, codMsgExport.toString());
    // this returns a NullpointerException
    //String retValue = (String) map.put("idoc", codMsgExport.toString());
    globalContainer.setParameter("idoc", codMsgExport.toString());
    //return "True"; // pointer for debug
    //return retValue.toString(); // pointer for debug
    return globalContainer.getParameter("idoc").toString();
}
setIdoc:
in0 out (*)
[1] [1]
[2] [2]
(*) as if this "idoc" parameter is not the globally managed one (JAVA_SECTIONS_TOOLTIP button), but one which lives inside the function and is not visible outside it to the get function.
Regards,
Gianluca
Similar Messages
Dear Experts,
I have an RFC to FILE Scenario and used BPM to meet the requirements.
There are 2 graphical mappings - mapping1 before the BPM and mapping2 (transformation) within the BPM.
I have saved a parameter in the global container in mapping1 but unable to extract the same in mapping2. Any idea?
UDF in mapping1:
GlobalContainer gc1 = container.getGlobalContainer();
String gdata1 = var2 + "_" + var3;
gc1.setParameter("gdata",gdata1);
UDF in mapping2:
GlobalContainer gc2 = container.getGlobalContainer();
String gdata2 = (String) gc2.getParameter("gdata");
Thanks and Regards,
Rana Brata De
Hi Rana,
Refer to the following statement from SAP Help, which states that the values are only available in the same message mapping.
This object enables you to cache the values that you want to read again when you next call any user-defined function in the same message mapping.
GlobalContainer Object - Enterprise Services Repository - SAP Library
If you want to pass the value, you can either add additional fields in your structures or use DynamicConfiguration (has a limit of 200 characters). Since you are using BPM (is it ccBPM or NW BPM?), I'm not sure if DC attributes can be passed into a BPM and accessed.
Any particular reason to do the 2nd mapping within the BPM? You can also do it out of the BPM after all the necessary BPM processing.
Rgds
Eng Swee
Global Application Parameters for EJB
Hello all, I did a search for this on these forums and there are a TON of threads of developers wanting to implement the classic Singleton pattern so that all EJBs of an application can access "Global Application Parameters". Most of the ones I've been reading achieve this by workarounds that break down at the clustering level, since Singletons won't span multiple JVMs.
Suppose you deploy an EAR that only has EJB jars, so you don't have access to all the convenience of the web tier (context parameters, context Initialization, etc.), so there is no way for your EJB's to detect/intercept an "Application Startup" event and load any necessary values into a Global Application parameter repository.
This seems such a widely demanded functionality that I wonder if there is now a "best practice" way to achieve the equivalent of the Singleton pattern in the EJB world that works nicely in a clustered environment?
I have the same problem
Thanks
Global Container in Java Class of Interface Mapping
I have written a Java Class that implements the StreamTransformation interface for use in an Interface Mapping. I would like to cache information read from a file between message processing calls of this mapping.
It appears that maybe the GlobalContainer object can be used to perform this caching. How do I access the GlobalContainer object from a class that implements StreamTransformation?
The examples all show container.getGlobalContainer() method call to get access to this object. However container is not a variable in this interface. Any ideas on how to do this?
Thanks,
Jay
Hi Jay,
if you want to link data from different messages you must use BPM; you cannot do this with GlobalContainer because it is instantiated at the beginning of the mapping and is flushed at the end of the mapping (e.g. graphical mapping).
2 files for the same scenario will use 2 different instances of the same message mapping program and they will not share the container.
The container is shared inside the same instance of the mapping program.
So it is shared, for example, between two UDFs in the same mapping.
So if you are using Java mapping you do not need to use the global container, you can use an Object to store data, but keep in mind that all this data will be lost at the end of the mapping.
Hope it helps,
Kind Regards,
Sergio
Trace not showing Global container variable at mapping test time.
Hi Folks ,
I have a scenario file to Proxy scenario. At mapping time I am doing a lookup inside a UDF using JCO connections.
The lookup takes 2 fields (e.g. X and Y) as input and comes up with a couple of fields in output.
The output fields I am storing in the global container and want to access in further mapping.
I am using trace to see variable values at mapping time.
Surprisingly :
1. For a particular "X" field in the input, no output fields are coming at trace. On testing it end to end I can see the fields getting populated at run time in the lookup table, but they are not getting reflected in the mapping trace. What could be the possible cause?
2. For a few input fields like "Z", it is showing all the output values at trace. But when I go and place a value in the lookup table for the same input field "Z", this new value is not coming up at trace level while the rest of the values are coming up. Can anyone hint where I am going wrong?
End to end debugging shows values populating and being sent across. Where do I need to look?
Regards ,
Santosh
Hi Horia,
By trace do you mean display queue or running the mapping completely in the ESR ?
---> I am talking about running the mapping at IR and getting the values of the trace by using messagetype.traceinfo() in the UDF functionality. I am working on PI 7.0
Regards ,
Santosh
Cannot save new outlook contacts or access Global Address List
I have outlook 2007 connected via VPN to exchange server. I can
1) Send and receive emails
2) Edit contacts that have already been created some time ago
3) Copy and paste existing contacts
However, when I try and save a new contact it says the Microsoft exchange server is not available. I am connected because I am showing as connected and contacts created via the outlook web app appear almost immediately in my Outlook. However,
I cannot save any edits to these but can copy and paste as a whole record.
Also, I cannot access the Global Address Book at all.
Does anyone know what the problem could be?
Thanks
Zeze
Hi Zeze,
Please check whether the issue happens in Outlook Online mode. If it doesn’t happen in Online mode, please create a new Outlook profile to have a try:
https://support.microsoft.com/kb/829918/en-us
Regards,
Winnie Liang
TechNet Community Support
Mapping and global container?
I have to map a single input field IN_F1 to three output fields.
1) map the input field value IN_F1 to output field value OUT_F1
2)
a) based on the INPUT field value , conditionally map incremental numbers to OUT_F2. For example, if IN_F1 is 'X', OUT_F2 will be '01' and second time around I will increment it to '02'.
b) Same condition as 2a, but move the incremented value from OUT_F2 to OUT_F3 in different node.
I am planning to set global container in step 2a. And then use that global container in step 2b to fill OUT_F3. My question is will steps 2a and 2b always follow the order? Since my field OUT_F3 occurs in node after OUT_F2, 2a should always get executed first. Is this assumption right?
I am actually invoking a standard BAPI. Would it be better to do all these steps in XI to fill the std. BAPI structure or create a custom RFC to do this?
Hi,
>>>>Since my field OUT_F3 occurs in node after OUT_F2, 2a should always get executed first. Is this assumption right?
yes
you can also get all OUT_F2 values in an advanced function
and put them in a global array which you'll just
use in a new advanced function to fill OUT_F3
Regards,
michal
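The following is an added example, written for this page and not taken from either thread, that puts the two GlobalContainer lessons together in UDF-style code: the null-safe get/set pair that the first thread (getIdoc/setIdoc throwing a NullPointerException) needed, and the per-message counter for OUT_F2/OUT_F3 from the thread just above. The `Container`/`GlobalContainer` interfaces and the `MappingRun` class are stand-ins, assumed here only so the file compiles and runs outside XI; the UDF bodies use only the `getGlobalContainer`, `getParameter` and `setParameter` calls shown in the threads.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-ins for the XI mapping API (com.sap.aii.mapping.api), so this runs
// outside XI. Inside a real UDF drop these two types and use the SAP classes.
interface GlobalContainer {
    Object getParameter(String key);
    void setParameter(String key, Object value);
}

interface Container {
    GlobalContainer getGlobalContainer();
}

// One instance per message-mapping run: its parameters exist only for that run,
// which is why a value set while mapping message 1 is gone for message 2.
class MappingRun implements Container, GlobalContainer {
    private final Map<String, Object> params = new HashMap<String, Object>();
    public GlobalContainer getGlobalContainer() { return this; }
    public Object getParameter(String key) { return params.get(key); }
    public void setParameter(String key, Object value) { params.put(key, value); }
}

public class GlobalContainerUdfs {

    // Failing form from the first thread: getParameter returns null when the key
    // was never set in this mapping run, so toString() throws NullPointerException.
    public static String getIdocUnsafe(Container container) {
        return container.getGlobalContainer().getParameter("idoc").toString();
    }

    // Hardened form: a missing parameter is treated as an empty value.
    public static String getIdoc(Container container) {
        Object v = container.getGlobalContainer().getParameter("idoc");
        return v == null ? "" : v.toString();
    }

    public static String setIdoc(String codMsgExport, Container container) {
        container.getGlobalContainer().setParameter("idoc", codMsgExport);
        return getIdoc(container);
    }

    // Step 2a: each time IN_F1 equals the trigger value, emit the next two-digit
    // counter for OUT_F2 and remember it for OUT_F3. "counter" and "lastOutF2"
    // are parameter names chosen for this example.
    public static String nextOutF2(String inF1, String trigger, Container container) {
        if (!trigger.equals(inF1)) {
            return "";
        }
        GlobalContainer gc = container.getGlobalContainer();
        Object raw = gc.getParameter("counter");
        int n = (raw == null) ? 0 : Integer.parseInt(raw.toString());
        n++;
        String out = (n < 10) ? "0" + n : String.valueOf(n);
        gc.setParameter("counter", String.valueOf(n));
        gc.setParameter("lastOutF2", out);
        return out;
    }

    // Step 2b: same condition as 2a; reads what 2a stored, so it relies on the
    // OUT_F2 node being evaluated before the OUT_F3 node, as the answer confirms.
    public static String outF3(String inF1, String trigger, Container container) {
        if (!trigger.equals(inF1)) {
            return "";
        }
        Object v = container.getGlobalContainer().getParameter("lastOutF2");
        return v == null ? "" : v.toString();
    }

    public static void main(String[] args) {
        MappingRun run = new MappingRun();
        try {
            getIdocUnsafe(run);
        } catch (NullPointerException e) {
            System.out.println("unsafe getter before any set: NullPointerException");
        }
        System.out.println("safe getter before any set: \"" + getIdoc(run) + "\"");
        System.out.println("after setIdoc: " + setIdoc("msg-001", run));

        // Constructed IN_F1 queue: X, Y, X, X -> OUT_F2 01, "", 02, 03
        String[] inF1 = {"X", "Y", "X", "X"};
        for (int i = 0; i < inF1.length; i++) {
            String f2 = nextOutF2(inF1[i], "X", run);
            String f3 = outF3(inF1[i], "X", run);
            System.out.println("IN_F1=" + inF1[i] + " OUT_F2=" + f2 + " OUT_F3=" + f3);
        }

        // The next message gets a fresh container, so the counter starts over at 01.
        MappingRun secondMessage = new MappingRun();
        System.out.println("next message, OUT_F2=" + nextOutF2("X", "X", secondMessage));
    }
}
```

Note that a `String idoc` declared under Global Variables in the Java section is a field of the generated mapping class, a different store from the container parameter named "idoc"; initialising one does not populate the other, which is why the first thread's initialisation did not prevent the NullPointerException.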
I cannot access anyone from my global address book, not even through the search. Any suggestions? iOS 7.0.4
I could access this before.
mouse1832 wrote:
I've been to Apple to speak to one of the so-called geniuses and even they're baffled by the problem
and they told you, "Oh well" and you left without getting it resolved?
ASA 5505 Static hosts cannot access outside
I'm replacing an old PIX with a second hand ASA firewall.
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet.
I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere.
Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet. If I've obscured something pertinent let me know.
Any advice would be greatly appreciated! Thanks.
: Saved
ASA Version 7.2(3)
hostname fw-1
domain-name XXXX
enable password XXXX encrypted
names
name 92.X.X.61 bb-office
name 92.X.X.128 gl-office
name 10.0.0.117 daviker-dialler_in
name 77.X.X.117 daviker-dialler_out
name 10.0.0.112 data-2_in
name 77.X.X.112 data-2_out
name 10.0.0.81 corp-1_in
name 77.X.X.81 corp-1_out
name 10.0.0.111 data-1_in
name 77.X.X.210 user_75
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 77.X.X.66 255.255.255.192
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd XXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXXX
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq https
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq https
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp any host data-2_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq www
access-list inbound extended permit tcp any host corp-1_out eq pop3
access-list inbound extended permit tcp any host corp-1_out eq imap4
access-list inbound extended permit tcp any host corp-1_out eq smtp
access-list inbound extended permit tcp any host corp-1_out eq 995
access-list inbound extended permit tcp any host corp-1_out eq 465
access-list inbound extended permit tcp any host corp-1_out eq 993
access-list inbound extended permit tcp any host corp-1_out eq 8008
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq 445
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp any host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp any host 77.X.X.113 eq 445
access-list inbound extended permit tcp host bb-office host data-2_out eq 5901
access-list inbound extended permit tcp host bb-office host data-2_out eq 3690
access-list inbound extended permit tcp host bb-office host data-2_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 3389
access-list inbound extended permit tcp host 2.X.X.18 host data-2_out eq 3306
access-list inbound extended permit tcp any host data-2_out eq 3306
access-list inbound extended permit tcp host 212.X.X.7 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host data-2_out eq 3306
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 1433
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host user_75 host data-2_out eq 3690
access-list inbound extended permit tcp host user_75 host data-2_out eq www
access-list inbound extended permit tcp host user_75 host data-2_out eq 3306
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
static (inside,outside) data-2_out data-2_in netmask 255.255.255.255
static (inside,outside) 77.X.X.113 data-1_in netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 77.X.X.91 8.8.8.8
dhcpd domain cagltd.net
dhcpd auto_config outside
dhcpd address 10.0.0.20-10.0.0.40 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
username matt password XXXX encrypted
prompt hostname context
Cryptochecksum:00af76f23831b8c828fc6677c9069072
: end
Hi Jouni,
Thanks for the info.
I didn't have icmp traffic allowed, so I knew ping wouldn't be working. I was testing using http.
I have enabled icmp and dhcp clients can ping outside. Static nat clients can't ping outside. Static clients also cannot use outbound http.
As suggested, I have run some packet traces.
From a static nat client on the ASA:
fw-1# packet-tracer input inside tcp 10.0.0.81 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Static translate corp-1_in/0 to corp-1_out/0 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1759, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 1
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
This looks fine to me, but as I say, an outbound tcp port 80 connection from the actual machine on 10.0.0.81 fails.
Here is a similar trace from a dhcp client to the same destination:
fw-1# packet-tracer input inside tcp 10.0.0.20 80 173.203.209.67 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (77.74.111.66 [Interface PAT])
translate_hits = 990, untranslate_hits = 226
Additional Information:
Dynamic translate 10.0.0.20/80 to 77.74.111.66/1 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1771, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 5
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
I can see the difference in the NAT translation section. A real outbound tcp port 80 connection from the actual machine on 10.0.0.20 works fine.
Finally, for the sake of comparison, I ran a similar packet trace using a static nat IP on the old PIX firewall:
old-fw-1# packet-tracer input inside tcp 10.0.0.117 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Static translate daviker-dialler_in/0 to daviker-dialler_out/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1006075, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 78.X.X.69 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 572133
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Outbound traffic from static nat hosts on the old PIX firewall works fine. One glaring difference is that the PIX is inspecting http traffic, but surely this is a red herring. Another difference is that the old and new firewalls have different gateways / default routes & different outside IP addresses. As the new ASA firewall (and its dhcp hosts) can talk to the outside world quite happily I don't think this is relevant.
I wondered whether it might be down to the difference between the inside (255.255.255.0) and outside (255.255.255.192) subnets. The setup is the same on the PIX, but I wondered whether some other line of config might be required on the ASA to handle it. I adjusted the subnet of the inside interface on the ASA to match the outside one (both 255.255.255.192) but it didn't make any difference.
So I'm puzzled!
Cisco ASA 5505 L2TP VPN cannot access internal network
Hi,
I'm trying to configure a Cisco L2TP VPN to my office. After a successful connection I cannot access the internal network.
Can you help me to find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
subnet 0.0.0.0 0.0.0.0
object network vpn_local
subnet 192.168.168.0 255.255.255.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
nat (outside,outside) dynamic interface
object network inside_nw
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
dns-server value 75.75.75.75 76.76.76.76
vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
policy-map global_policy
class inspection_default
inspect icmp
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Cannot access internal LAN after VPN connect
I know this is either an ACL or NAT issue that I cannot figure out. The nat-t config is defaulted in the IOS config for the ASA. I actually forgot the command to show the hidden default config lines. Either way, can someone take a look at my config and let me know what I am doing wrong, again.
Thanks ahead of time.
ASA Version 8.2(2)
hostname ciscousa
enable password
names
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 14.14.11.5 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.12.27.0 255.255.255.0
access-list split_tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.12.27.100-10.12.27.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 14.14.11.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map inet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inet-1_map 65535 ipsec-isakmp dynamic inet-1_dyn_map
crypto map inet-1_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 1.1.1.16
dns-server value 1.1.1.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool vpnpool
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
Hello,
I have been trying to get this to work within the last week but to no avail. I changed my config altogether and started from scratch. I have Split Tunnel working well, and I can access the VPN client from the internal LAN. But I still cannot access the internal LAN from the VPN client host. Can anyone take a look at my config and tell me what ACL/Access Group I am missing. I know I am close but I cannot get over the hump.
Thanks!
ASA Version 8.2(2)
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in_vpn extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipvpn 192.168.3.100-192.168.3.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside control-plane
access-group outside_in_vpn in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map internet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet-1_map 65535 ipsec-isakmp dynamic internet-1_dyn_map
crypto map internet-1_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 192.168.1.5
dns-server value 192.168.1.5
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool ipvpn
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
Cryptochecksum:7e41045c9d7c66ac2c03c3b12ae63908 -
Vpn client can access internet but cannot access internal network
I am using a PIX 501 to set up a VPN. At first the VPN client could not access the internet once logged in via the Cisco Systems VPN client, so I enabled split tunneling. Now the VPN client can access the internet but cannot access the internal network. Due to the limited number of characters that can be posted here, only the necessary IOS config is posted in the next message. Who knows how to solve this problem? Please help.
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
VPN Clients cannot access remote site
Hey there,
I am pretty new in configuring Cisco devices and now I need some help.
I have 2 sites here:
site A
Cisco 891
external IP: 195.xxx.yyy.zzz
VPN Gateway for Remote users
local IP: VLAN10 10.133.10.0 /23
site B
Cisco 891
external IP: 62.xxx.yyy.zzz
local IP VLAN10 10.133.34.0 /23
Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
I configured the VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from the VPN pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN tunnels to the ERP system.
What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
Here is the config of site A
Building configuration...
Current configuration : 24257 bytes
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Englerstrasse
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
aaa new-model
aaa group server radius Radius-AD
server 10.133.10.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-27361994
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27361994
revocation-check none
rsakeypair TP-self-signed-27361994
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-27361994
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373336 31393934 301E170D 31323038 32373038 30343238
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323733 36313939
3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B709
64CE1874 BF812A9F 0B761522 892373B9 10F0BB52 6263DCDB F9877AA3 7BD34E53
BCFDA45C 2A991777 4DDC7E6B 1FCEE36C B6E35679 C4A18771 9C0F871F 38310234
2D89A4FF 37B616D8 362B3103 A8A319F2 10A72DC7 490A04AC 7955DF68 32EF9615
9E1A3B31 2A1AB243 B3ED3E35 F4AAD029 CDB1F941 5E794300 5C5EF8AE 5C890203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 14D0F5E7 D3A9311D 1675AA8F 38F064FC 4D04465E F5301D06 03551D0E
04160414 D0F5E7D3 A9311D16 75AA8F38 F064FC4D 04465EF5 300D0609 2A864886
F70D0101 05050003 818100AB 2CD4363A E5ADBFB0 943A38CB AC820801 117B52CC
20216093 79D1F777 2B3C0062 4301CF73 094B9CA5 805F585E 04CF3301 9B839DEB
14A334A2 F5A5316F C65EEF21 0B0DF3B5 F4322440 F28B984B E769876D 6EF94895
C3D5048A A4E2A180 12DF6652 176942F8 58187D7B D37B1F1A 4DDD7AE9 5189F9AF
AF3EF676 26AD3F31 D368F5
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM smtp
ip cef
no ipv6 cef
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
parameter-map type inspect global
log dropped-packets enable
multilink bundle-name authenticated
redundancy
ip tcp synwait-time 10
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any CCP-Management-1
match dscp cs2
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
policy-map sdm-qos-test-123
class class-default
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
policy-map CCP-QoS-Policy-1
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
class CCP-Voice-1
priority percent 33
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 62.20.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 83.140.xxx.yyy
crypto isakmp client configuration group VPN_local
key REMOVED
dns 10.133.10.5 10.133.10.7
wins 10.133.10.7
domain domain.de
pool SDM_POOL_2
acl 115
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_local
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA11
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.20.xxx.xxx
set peer 62.20.xxx.xxx
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to195.243.xxx.xxx
set peer 195.243.xxx.xxx
set transform-set ESP-3DES-SHA4
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to83.140.xxx.xxx
set peer 83.140.xxx.xxx
set transform-set ESP-DES-SHA1
match address 118
interface Loopback2
ip address 192.168.10.1 255.255.254.0
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
spanning-tree portfast
interface FastEthernet4
description Internal LAN
switchport access vlan 10
switchport trunk native vlan 10
no ip address
spanning-tree portfast
interface FastEthernet5
no ip address
spanning-tree portfast
interface FastEthernet6
no ip address
spanning-tree portfast
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
description $FW_OUTSIDE$$ETH-WAN$
ip address 62.153.xxx.xxx 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CCP_MEDIUM out
no ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output CCP-QoS-Policy-1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
no ip address
interface Vlan10
description $FW_INSIDE$
ip address 10.133.10.1 255.255.254.0
ip access-group 112 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
ip local pool VPN_Pool 192.168.20.2 192.168.20.100
ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
ip access-list extended VPN1
remark VPN_Haberstrasse
remark CCP_ACL Category=4
permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
ip radius source-interface Vlan10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 195.243.xxx.xxx
access-list 23 permit 10.133.10.0 0.0.1.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.133.10.0 0.0.1.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny ip 10.10.10.0 0.0.0.7 any
access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp any host 62.153.xxx.xxx
access-list 103 permit ahp any host 62.153.xxx.xxx
access-list 103 permit udp host 194.25.0.60 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 103 deny ip 10.10.10.0 0.0.0.7 any
access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark CCP_ACL Category=4
access-list 104 permit ip 10.133.10.0 0.0.1.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.7 any
access-list 106 permit ip 10.133.10.0 0.0.1.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
access-list 108 deny tcp any host 10.133.10.1 eq telnet
access-list 108 deny tcp any host 10.133.10.1 eq 22
access-list 108 deny tcp any host 10.133.10.1 eq www
access-list 108 deny tcp any host 10.133.10.1 eq 443
access-list 108 deny tcp any host 10.133.10.1 eq cmd
access-list 108 deny udp any host 10.133.10.1 eq snmp
access-list 108 permit ip any any
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip 10.133.10.0 0.0.1.255 any
access-list 109 permit ip 10.10.10.0 0.0.0.7 any
access-list 109 permit ip 192.168.10.0 0.0.1.255 any
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 195.243.xxx.xxx any
access-list 110 permit ip host 84.44.xxx.xxx any
access-list 110 permit ip 10.133.10.0 0.0.1.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 110 permit ip 192.168.10.0 0.0.1.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.133.10.0 0.0.1.255 any
access-list 112 remark CCP_ACL Category=1
access-list 112 permit udp host 10.133.10.5 eq 1812 any
access-list 112 permit udp host 10.133.10.5 eq 1813 any
access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
access-list 112 permit udp any host 10.133.10.1 eq isakmp
access-list 112 permit esp any host 10.133.10.1
access-list 112 permit ahp any host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
access-list 112 remark auto generated by CCP firewall configuration
access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
access-list 112 permit udp host 10.133.10.7 eq domain any
access-list 112 permit udp host 10.133.10.5 eq domain any
access-list 112 deny ip 62.153.xxx.xxx 0.0.0.7 any
access-list 112 deny ip 10.10.10.0 0.0.0.7 any
access-list 112 deny ip host 255.255.255.255 any
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark CCP_ACL Category=1
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark auto generated by CCP firewall configuration
access-list 113 permit udp host 194.25.0.60 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp any host 62.153.xxx.xxx
access-list 113 permit ahp any host 62.153.xxx.xxx
access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 remark Pop3
access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
access-list 113 remark Pop3
access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
access-list 113 remark SMTP
access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
access-list 113 remark IMAP
access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
access-list 113 deny ip 10.133.10.0 0.0.1.255 any
access-list 113 deny ip 10.10.10.0 0.0.0.7 any
access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip host 255.255.255.255 any
access-list 113 deny ip host 0.0.0.0 any
access-list 113 deny ip any any log
access-list 114 remark auto generated by CCP firewall configuration
access-list 114 remark CCP_ACL Category=1
access-list 114 deny ip 10.133.10.0 0.0.1.255 any
access-list 114 deny ip 10.10.10.0 0.0.0.7 any
access-list 114 permit icmp any any echo-reply
access-list 114 permit icmp any any time-exceeded
access-list 114 permit icmp any any unreachable
access-list 114 deny ip 10.0.0.0 0.255.255.255 any
access-list 114 deny ip 172.16.0.0 0.15.255.255 any
access-list 114 deny ip 192.168.0.0 0.0.255.255 any
access-list 114 deny ip 127.0.0.0 0.255.255.255 any
access-list 114 deny ip host 255.255.255.255 any
access-list 114 deny ip host 0.0.0.0 any
access-list 114 deny ip any any log
access-list 115 remark VPN_Sub
access-list 115 remark CCP_ACL Category=5
access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.20.0 0.0.0.255 any
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark CCP_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
mgcp profile default
line con 0
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
session-timeout 45
access-class 110 in
transport input telnet ssh
line vty 5 15
access-class 109 in
transport input telnet ssh
scheduler interval 500
end
The crypto ACL for the site-to-site VPN should also include the VPN client pool; otherwise, traffic from the VPN client does not match the interesting traffic for the site-to-site VPN.
On Site A:
should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
You should also remove the following line as the pool is incorrect:
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
On Site B:
should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
NAT exemption on site B should also be configured with deny on the above ACL.
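The advice above (add the 172.16.100.0/24 client pool to crypto ACL 107, drop the wrong 192.168.10.0 line) can be checked mechanically before the change is pushed. The following Python is an added example, not part of the reply or of any Cisco tooling: it parses IOS-style access-list lines with wildcard masks and evaluates which entry a given source/destination pair hits, first match wins, implicit deny at the end. The ACL 107 text is constructed because ACL 107 itself is not in the pasted config; port qualifiers (eq/range) are skipped, so only addresses and protocol are evaluated.

```python
import ipaddress

# Constructed sample of crypto ACL 107 before and after the reply's advice (the
# real ACL 107 is not in the pasted config): drop the wrong 192.168.10.0 pool
# line and add the 172.16.100.0/24 VPN client pool instead.
ACL107_BEFORE = """\
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
"""
ACL107_AFTER = """\
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i] -> ((net, mask), next).
    A flow matches when (ip & mask) == net, so non-contiguous wildcards work."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0xFFFFFFFF), i + 2
    mask = 0xFFFFFFFF ^ _ip(t[i + 1])  # the wildcard is the inverted mask
    return (_ip(t[i]) & mask, mask), i + 2

def parse_acl(text):
    """Yield (number, action, proto, src, dst) per ACE; remarks and port qualifiers skipped."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        if i < len(t) and t[i] in ("eq", "gt", "lt", "neq", "range"):
            i += 3 if t[i] == "range" else 2  # skip 'eq X' or 'range A B'
        dst, _ = _parse_addr(t, i)
        yield t[1], t[2], t[3], src, dst

def acl_action(text, number, src_ip, dst_ip, proto="ip"):
    """First-match evaluation with the implicit 'deny' at the end, as on IOS.
    For a crypto ACL, 'permit' means the flow is selected for the tunnel."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for num, action, p, (snet, smask), (dnet, dmask) in parse_acl(text):
        if num == number and p in ("ip", proto) \
                and (s & smask) == snet and (d & dmask) == dnet:
            return action
    return "deny"
```

The same evaluator works on the extended ACLs in the posted config (for example ACL 112's RADIUS entries), as long as the masked public addresses are filled in first.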
I have a problem with starting the Excel Application under a particular user (service account).
I try to schedule this C# script through an application X (not Windows Task Scheduler; this application always uses a service account to run services on the server). If I run the C# script in a command prompt under the same user, it runs. Under application X, which uses the exact same user to initiate the C# script, it fails to open the Excel application (insufficient permission?).
This script calls application.Workbooks.Open(<ExcelFileName>, 0, false, Type.Missing, ...). At this line of code, it gives the following error:
Microsoft Excel cannot access the file "...". There are several possible reasons:
-The file name or path does not exist.
-The file is being used by another program.
-The workbook you are trying to save has the same name as a currently open workbook.
I tried all the methods that I found online, as follows:
Create directory "C:\Windows\SysWOW64\config\systemprofile\Desktop" (for 64 bit Windows) or "C:\Windows\System32\config\systemprofile\Desktop" (for 32 bit Windows).
Changed the DCOM config for the Microsoft Excel application to include this user for Local/Remote Launch and Access.
Enabled all macros in Excel application and set the Trust Center.
Add the user to have full control on all folders that contain the Excel file.
Under DCOM config, Microsoft Excel Application, if I modify the Identity tab to check "This User" and enter the username/password to let Excel always run under that user, then the application runs perfectly. However, other users can't run the Excel application on their own, with the following error: "Cannot use object linking and embedding". If I check "Use the launching user", then Excel can't be launched. No errors in the logs or events anywhere to check.
Yet, still the same error. I think it's permissions, but I am not sure where and what to do for this to work.
Now, normally, when I run this Excel report, I can double-click on the file and it'd automatically run, save the new parameters into the current file and generate a new Excel file (with the date attached to the file name). That means there is a change (save) to the original file.
Environment: Windows Server 2008 R2 and running Microsoft Excel 2010.
I appreciate all your help!
I am wondering if this has anything to do with having the user log into Excel.
In point #5 above: Under DCOM config, Microsoft Excel Application, if I modify the Identity tab to check "This User" and enter the username/password to let Excel always run under that user, then the application runs perfectly. However, other users can't run the Excel application on their own, with the following error: "Cannot use object linking and embedding". If I check "Use the launching user", then Excel can't be launched. No errors in the logs or events anywhere to check.
Because running with the launching user proposes a user to run the Excel application. However, I do not think there is anywhere that we can pass in the password for this user to Excel. However, this Excel has all the permissions to the Excel application as well as the folders that have the Excel files.
Please help!
Thank you!
ISE 1.2, cannot access guest portal
I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
Any idea?
I have attached the steps to configure the guest portal and hope they will address the problem.
Configuring the Guest Portal
Adding a New Guest Portal
You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and others require you to set them for each portal individually.
You can add a new Guest portal or edit an existing one.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
Step 2 Click Add.
Step 3 Update the fields on each of these tabs:
• General—enter a portal name and description and choose a portal type.
• Operations—enable the customizations for the specific portal.
• Customization—choose a language template for displaying the Guest portal with localized content.
• File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
• File Mapping—identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
• Authentication—indicate how users should be authenticated during guest login.
Step 4 Click Submit.
Specifying Ports and Ethernet Interfaces for End-User Portals
You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest and My Devices portals use 8443, and the Blacklist portal uses port 8444.
Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
Step 4 Click Save.
If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Tips for Assigning Ports and Ethernet Interfaces
• All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
• You must assign the Blacklist portal to use a different port than the other end-user portals.
• Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
• You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
You can set the Sponsor and My Devices portals to use easy-to-remember fully qualified domain names (FQDNs), such as mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
Before You Begin
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
• Default Sponsor Portal FQDN
• Default My Devices Portal FQDN
Step 3 Enter a fully qualified domain name.
Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.