Match source-address and url
I have an existing policy-map with vip and port 80. Now I need to do:
1. Match pool of ip address and url /abc then redirect to url /abc1
2. If url is ok but ip is out of the pool then redirect to url /abc2
It's probably possible to achieve, but I have a problem with mixing class maps (L4 and L7). Please advise how to do it.
Thank you.
Hi Kamil,
Something like below. Please try and let me know if it helps.
rserver redirect red
webhost-redirection www.abc1.com
inservice
rserver redirect red1
webhost-redirection www.abc2.com
inservice
serverfarm redirect red
rserver red
inservice
serverfarm redirect red1
rserver red1
inservice
class-map type http loadbalance match-all url
2 match http url abc
4 match source-address 2.2.2.2 255.255.255.0
class-map type http loadbalance match-all url1
2 match http url abc
policy-map type loadbalance first-match url
class url
serverfarm red
class url1
serverfarm red1
class class-default
serverfarm xxxx
Regards,
Kanwal
Note: Please mark answers if they are helpful
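The point of Kanwal's answer is class order: in a first-match policy the match-all class that combines the L7 URL condition with the L4 source-address condition must come before the URL-only class, otherwise the pool is never consulted. The following JavaScript model is an added example, not code from the post or from Cisco; it models `match http url` as a regular-expression test and `match source-address A M` as `(src & M) == (A & M)`, and the action strings, addresses and URLs are constructed labels, not real ACE output.

```javascript
// Added example: a small model of how an ACE first-match load-balance policy
// evaluates match-all class maps that mix an L7 condition (HTTP URL) with an
// L4 condition (source address + mask). Not the device's code; sample data only.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// "match source-address A M" holds when (src & M) == (A & M).
function sourceMatches(src, addr, mask) {
  const m = ipToInt(mask);
  return (ipToInt(src) & m) === (ipToInt(addr) & m);
}

// A match-all class map: every condition must hold.
// Conditions are {url: /regex/} (L7) or {source: [addr, mask]} (L4).
function classMatches(classMap, req) {
  return classMap.conditions.every((c) => {
    if (c.url) return c.url.test(req.url);
    if (c.source) return sourceMatches(req.src, c.source[0], c.source[1]);
    throw new Error("unknown condition");
  });
}

// first-match semantics: the first class whose conditions hold wins;
// class-default always matches and is listed last.
function firstMatch(policy, req) {
  for (const entry of policy) {
    if (entry.className === "class-default" || classMatches(entry.classMap, req)) {
      return entry.action;
    }
  }
  return null;
}

// Constructed equivalent of the class maps and policy in the answer above.
const CLASS_URL = {
  name: "url",
  conditions: [{ url: /abc/ }, { source: ["2.2.2.2", "255.255.255.0"] }],
};
const CLASS_URL1 = { name: "url1", conditions: [{ url: /abc/ }] };

const POLICY = [
  { className: "url", classMap: CLASS_URL, action: "serverfarm red (redirect www.abc1.com)" },
  { className: "url1", classMap: CLASS_URL1, action: "serverfarm red1 (redirect www.abc2.com)" },
  { className: "class-default", action: "serverfarm xxxx" },
];

// The same classes in the wrong order: url1 shadows url, so the pool is never checked.
const POLICY_WRONG_ORDER = [POLICY[1], POLICY[0], POLICY[2]];

function decide(policy, src, url) {
  return firstMatch(policy, { src, url });
}

// Usage: in-pool + /abc -> abc1; out-of-pool + /abc -> abc2; other URL -> default.
console.log(decide(POLICY, "2.2.2.77", "/abc"));
console.log(decide(POLICY, "10.0.0.5", "/abc"));
console.log(decide(POLICY, "2.2.2.77", "/index.html"));
console.log(decide(POLICY_WRONG_ORDER, "2.2.2.77", "/abc"));
```

Running the last line shows the failure mode the model is meant to expose: with `url1` listed first, a client inside the 2.2.2.0/24 pool is sent to the abc2 redirect even though it should have matched the pool class.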
Similar Messages
-
SSL termination and URL redirection
Hi All,
I have configured an application in the Cisco ACE module for which I got a further requirement for URL redirection.
Application setup is as below.
VIP : 10.232.92.x/24 which is pointing to 2 Web servers in the 10.232.94.x/24 range. In addition to that the app team wants the APP server also to be load balanced, hence a new VIP is configured in 10.232.92.x/24 which is pointing to 2 different app servers in 10.232.94.x/24.
Both Web and App servers have different IPs but are in the same broadcast domain. SSL termination is done on ACE.
Issue : 1) After initiating the connection I am getting the login page, but after login it's again giving the login page. After 2 to 3 trials it's giving me the application page but with an invalid session error.
2) How to do https connection redirecting to a different path.
Ex. https://apps.xyz.com to https://apps.xyz.com/abc
configuration :
probe tcp rem_app_tcp
port 2100
interval 5
passdetect interval 10
passdetect count 2
open 1
probe http rem_itsm_https
port 80
interval 5
passdetect interval 10
passdetect count 2
request method get url /keepalive/https.html
expect status 200 200
open 1
serverfarm host app_tcp
predictor leastconns
probe rem_app_tcp
rserver server1 2100
inservice
rserver server2 2100
inservice
serverfarm host rem_https
predictor leastconns
probe rem_itsm_https
rserver server3 80
inservice
rserver server4 80
inservice
action-list type modify http remurlrewrite
ssl url rewrite location "apps\.xyz\.com"
policy-map type loadbalance first-match app_tcp
class class-default
serverfarm app_tcp
policy-map type loadbalance first-match app_https
class class-default
serverfarm rem_https
action remurlrewrite
class-map match-all VIP_rem_app_tcp
2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_https
2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
2 match source-address 10.232.94.0 255.255.255.0
policy-map multi-match VIPS
class real_servers_vlan273
nat dynamic 1 vlan 273
class VIP_rem_app_tcp
loadbalance vip inservice
loadbalance policy rem_app_tcp
loadbalance vip icmp-reply
class VIP_rem_itsm_https
loadbalance vip inservice
loadbalance policy rem_itsm_https
loadbalance vip icmp-reply
ssl-proxy server Remedy-SSL-PROXY
Hi Kanwaljeet,
I have applied the below config for HTTPS URL redirection. Seems it didn't work for me. The redirect serverfarm and policy map were not hit.
access-list ANY line 8 extended permit ip any any
probe tcp rem_app_tcp
port 2100
interval 5
passdetect interval 10
passdetect count 2
open 1
probe http rem_itsm_https
port 80
interval 5
passdetect interval 10
passdetect count 2
request method get url /keepalive/https.html
expect status 200 200
open 1
ip domain-name nls.jlrint.com
ip name-server 10.226.0.10
ip name-server 10.226.128.10
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h/arsys 301
inservice
rserver host serv1
ip address 10.232.94.74
inservice
rserver host serv2
ip address 10.232.94.75
inservice
rserver host serv3
ip address 10.232.94.76
inservice
rserver host serv4
ip address 10.232.94.77
inservice
serverfarm redirect REDIRECT-SERVERFARM
predictor leastconns
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host rem_app_tcp
predictor leastconns
probe rem_app_tcp
rserver serv1 2100
inservice
rserver serv2 2100
inservice
serverfarm host rem_itsm_https
predictor leastconns
probe rem_itsm_https
rserver serv3 80
inservice
rserver serv4 80
inservice
ssl-proxy service Remedy-SSL-PROXY
key Remkey.pem
cert Remcert.pem
class-map type management match-any MANAGEMENT_CLASS
3 match protocol ssh any
4 match protocol snmp any
5 match protocol icmp any
6 match protocol http any
7 match protocol https any
class-map match-all VIP_rem_app_tcp
2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_http
2 match virtual-address 10.232.92.9 tcp eq www
class-map match-all VIP_rem_itsm_https
2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
2 match source-address 10.232.94.0 255.255.255.0
policy-map type management first-match MANAGEMENT_POLICY
class MANAGEMENT_CLASS
permit
policy-map type loadbalance first-match REDIRECT-PM
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match rem_app_tcp
class class-default
serverfarm rem_app_tcp
policy-map type loadbalance first-match rem_itsm_https
class class-default
serverfarm rem_itsm_https
policy-map multi-match VIPS
class real_servers_vlan273
nat dynamic 1 vlan 273
class VIP_rem_itsm_http
loadbalance vip inservice
loadbalance policy REDIRECT-PM
class VIP_rem_itsm_https
loadbalance vip inservice
loadbalance policy rem_itsm_https
loadbalance vip icmp-reply
ssl-proxy server Remedy-SSL-PROXY
class VIP_rem_app_tcp
loadbalance vip inservice
loadbalance policy rem_app_tcp
loadbalance vip icmp-reply
interface vlan 270
description VIP
ip address 10.232.92.4 255.255.255.0
alias 10.232.92.6 255.255.255.0
peer ip address 10.232.92.5 255.255.255.0
access-group input ANY
service-policy input MANAGEMENT_POLICY
service-policy input VIPS
no shutdown
interface vlan 273
description Real server
ip address 10.232.94.66 255.255.255.192
alias 10.232.94.65 255.255.255.192
peer ip address 10.232.94.67 255.255.255.192
access-group input ANY
nat-pool 1 10.232.92.253 10.232.92.253 netmask 255.255.255.0 pat
service-policy input MANAGEMENT_POLICY
service-policy input VIPS
no shutdown
-
I have three different e-mail addresses, and need to receive the incoming e-mails from the three sources into my iPhone (it's presently receiving msgs from only one of them). How do I enable my iPhone to do it? Tks in advance.
Many thanks for your help!
-
I'm trying to connect my ipad2 to my phone's wifi hotspot. My phone says the hotspot is activated and it shows up as an option on my ipad, but when I hit that on the ipad it shows a page with a list of things like ip address, domain, url. What do I do now?
iOS: Understanding Personal Hotspot
http://support.apple.com/kb/HT4517
Use Bluetooth to tether your iPhone, iPod touch, or iPad
http://www.macworld.com/article/1159258/bluetooth_tethering.html
How to Connect an iPad to an iPhone Via Bluetooth Tethering
http://techtips.salon.com/connect-ipad-iphone-via-bluetooth-tethering-25472.html
Cheers, Tom
-
Address and Number not matching?
I moved in to a brand new house on 25/05 and was given an install date for my phone line of 07/06 by BT. I had originally signed up to Sky but they had all sorts of issues with our address and eventually admitted with days to go that they had no plans of installing a line, so I duly cancelled the order and registered for BT. I am beginning to think that the issues we are experiencing with BT are the same ones which made me cancel the Sky order.
My boyfriend phoned BT on the 7th after no-one turned up and was advised that there were some issues with our line, but the message was and has continued to be somewhat fuzzy. We keep getting delays for ordering broadband and I've finally been told that it's due to the address and line not matching. I've been given a date of 30/06 for this to be looked at but no idea of whether anything will actually happen or if the date will just be extended. Can anyone tell me exactly what this problem is and how it is rectified?
Our house is one of the first ones in the development with a different postcode and we've had issues with other companies thinking that we're also under the development postcode. Both driving licences came back with the wrong postcode after I wrote the correct one on and our mortgage provider couldn't provide us with insurance because their database was wrong. The post office site is one of the only places which has the correct postcode. I've tried going through a dummy order on the BT site and our house number comes up if I key in the wrong postcode but not the right one.
Will I have any issues later on if I just tell BT to change the postcode on our account? I fully believe that this will solve the problem for now but obviously I don't want to cause further complications.
Thanks
Hi Hollie04,
If you're in a new house then your local authority may need to register your address. You can check if you're on the Royal Mail database by going here http://www.royalmail.com/postcode-finder . If it can't find your address then it is likely that you're not currently in the database.
To report an error with Royal Mail then visit: http://www.royalmail.com/customer-service/personal-customers/receiving-mail/my-address-not-registere...
Another indicator is if you are receiving any post.
BT probably obtain the address from the Royal Mail's database along with other organisations like the DVLA.
cheers,
James
jac_95 | BT.com Help Site | BT Service Status
-
I am fairly green when it comes to Automator.
I am trying to write an Automator program:
Not sure where to post this
trying to write an Automator program to find files and alter their names
I have a source folder with correct named master files in it.
eg. A0001_1234.mpeg
time created 14:02:03
date 07/07/2012
Another folder where there will be copies of the master files in a different format with different names but created at the same time as a file in the source directory.
They are created with a separate device but they are
A0000001.mp4
time created 14:02:03
date 07/07/2012
I need it to then take the name from the source files and apply the correct name to the matching file based on the time it was created.
I can't seem to find actions in Automator that reference time created.
Is this something I will be able to Do in automator?
Any help would be great
Thanks
R
Hi,
It's impossible to do this without any script in Automator.
Use this AppleScript script :
set source to choose folder with prompt "Select the source folder"
set anotherfolder to choose folder with prompt "Choose the another folder"
tell application "Finder"
    -- for every master file, look for a copy with the same creation date and give it the master's name
    repeat with tfile in (get files of source)
        set cDate to creation date of tfile
        set findFiles to (files of anotherfolder whose creation date is cDate)
        if findFiles is not {} then
            set tName to name of tfile
            set name of item 1 of findFiles to tName
        end if
    end repeat
end tell
-
When I try to change my payment information on my Apple ID I get a message "your credit card information does not match your bank's records. please enter a U.S. credit card and matching billing address." What do I do?
Please explain
-
I'm trying to submit a document from pages to a URL address and it keeps giving me the option to load pictures or take a new picture, how do I change this?
If you mean by way of Safari, that is correct. Only content of the Camera or Photos apps is available. You will need to find an alternate app such as iCab Mobile for uploading documents to a website.
-
Audio and Video Pass Through / Match Source Attributes
I cant find an entry for AME in the bug/feature request form so I'll post this here:
Feature Request:
Please add the 'Match Source Attributes' options to all fields. I see it's available for MPEG DVD outputs but not for anything else.
Please add options for 'Audio Passthrough'
The real world example is:
I pass AME a MOV (with 4 audio tracks) which I need the video converted from h264 to ProRes, but I don't want it to change the aspect ratio, frame size, rate etc or change the audio tracks. I just want to re-encode the video to a new codec and wrap with the original audio.
Instead what we have to do is add multiple watch folders depending on the source material....
and we have to add the audio tracks manually using QuickTime 7
Because these features don't exist we instead bought Telestream Episode instead of a CS6 upgrade for one of our machines.
Hi.
This is a very common problem with video converters.
Most conversion software mentions it in their FAQ as a known bug.
Some people have noticed that loss of AV sync most commonly happens while they do other things on the computer while the converter is working.
-
I am trying to delete my iCloud account from my iPhone as I no longer have access to this email, and when I try to challenge the security question to access the account apparently I don't know my own date of birth. I can't delete the account as I don't remember the password and I have a new iCloud account that I would like to link the phone to. Any help would be appreciated
thanks
If the old ID (iCloud account) is yours, and if it is an earlier version of your current ID, go to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID. Click edit next to the primary email account, change it back to your old email address and save the change. Then edit the name of the account to change it back to your old email address. You can now use your current password to turn off Find My iDevice, even though it prompts you for the password for your old account ID. Then save any photo stream photos that you wish to keep to your camera roll. When finished go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud). Next, go back to https://appleid.apple.com and change your primary email address and iCloud ID name back to the way it was. Now you can go to Settings>iCloud and sign in with your current iCloud ID and password.
This will not work if your current ID is an entirely new ID and is not a newer version of the old ID.
-
The rescue email address and how to reset apple ID security questions did not help me out, what now?
See Here... ask to speak with the Account Security Team...
Apple ID: Contacting Apple for help with Apple ID account security
-
Parameter of Source-portion of url gets lost
Hi Experts,
the following situation:
Default List-View-WebPart from a custom List added to an Enterprise-Wiki-Page.
First column in the List-View is the edit button to open the related edit form.
Because of a custom edit form which is not set as the default for edit I have to relink to my specific form.
I have done this by this script which is included by a Script-Editor-WebPart:
// relink every edit button of the list view to the custom edit form
var tags = $('a[onclick*="84858E12"]');
if (tags) {
    tags.each(function () {
        var att = $(this).attr('onclick');
        if (att) {
            if (att.match(/ID=([0-9]*)/)) {
                var id = $(this).attr('onclick').match(/ID=([0-9]*)/)[1];
                // the BO value sits in the next cell of the same row
                var bo = $(this).closest('td').next('td').find('a').text();
                if (bo) {
                    $(this).removeAttr('onclick');
                    $(this).attr('href', '/Lists/Leads/LeadEdit.aspx?ID=' + id + "&BO=" + encodeURIComponent(bo));
                    $(this).attr('onclick', 'GoToLink(this);return false;');
                }
            }
        }
    });
}
If I click an edit button to open my edit form everything works fine and the URL has correct values. The Source portion works fine if I close the edit form (save or cancel). So far so good.
In the last mentioned edit form I have another List-View-WebPart (added through SharePoint-Designer) which holds data of a related list. Filter is working fine here. For this List-View I also have to relink the edit button to another specific edit form. I have done this in the same way as I did it before. The important part of the script:
$(this).click(function (e) {
    e.preventDefault();
    var currentid = $(this).attr('href').match(/ID=([0-9]*)/)[1];
    var encbo = encodeURIComponent(getBO());
    // "source" and getBO() are defined elsewhere in the page script (not shown in the post)
    $s = "/Lists/Com2Know/Edit.aspx?ID=" + currentid + "&BO=" + encbo + "&Source=" + source + "&BO=" + encbo;
    location.href = $s;
});
This also works fine. The Source portion is shown and correct. If I copy the Source portion and paste it to a new browser tab it is working fine. But if I close this edit form (save or cancel) a parameter of the Source portion of the URL gets lost somehow and now I'm not where I wanted to be. The URL is as follows (changed hostheader to ...)
http://.../Lists/Com2Know/Edit.aspx?ID=86&BO=LE%2F2014%2F2000084&Source=http://.../Lists/Leads/LeadEdit.aspx?ID=84&BO=LE%2F2014%2F2000084
So i should go to http://.../Lists/Leads/LeadEdit.aspx?ID=84&BO=LE%2F2014%2F2000084
but i end up here: http://.../Lists/Leads/LeadEdit.aspx?ID=84
So my parameter BO is missing.
Do I miss something from the specification?
With kind regards,
Ronny
Sorry folks, I got it myself and I hope it is useful for somebody else.
Just mask the ampersand for parameters in the Source portion with %26
So in my case: source + "%26BO="
Credits to Marc D Anderson. Thanx!
Ronny
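Ronny's fix works because the browser parses the outer query string first, so an unencoded "&" inside the Source value ends the Source parameter and hands the rest to the outer URL. The JavaScript below is an added example, not code from the post or from SharePoint, and it goes one step beyond the post: besides masking just the ampersand, it encodes the entire Source value with encodeURIComponent, which also covers "?", "#" and "%" inside a return URL. The host (example.invalid), IDs and BO value are constructed sample data; whereCloseLands() is a stand-in for what the edit form does on save or cancel, and it also refuses a Source on another origin, a check worth having on any return-URL parameter.

```javascript
// Added example (not the poster's or SharePoint's code): why a nested Source URL
// loses its BO parameter, and two ways of building it that keep the parameter.
// All hosts, IDs and BO values below are constructed sample data.

const BASE = "http://example.invalid"; // placeholder host, not the poster's

// Return URL that must survive a round trip inside the Source parameter.
const RETURN_TO = `${BASE}/Lists/Leads/LeadEdit.aspx?ID=84&BO=LE%2F2014%2F2000084`;

function editFormUrl(sourceValue) {
  return `${BASE}/Lists/Com2Know/Edit.aspx?ID=86&BO=${encodeURIComponent("LE/2014/2000084")}&Source=${sourceValue}`;
}

// How the original script built the URL: the Source value is pasted in raw, so
// its "&BO=" becomes a parameter of the OUTER query string when parsed.
function buildNaive(returnTo) {
  return editFormUrl(returnTo);
}

// The fix from the post: mask only the ampersands inside the Source value.
function buildMasked(returnTo) {
  return editFormUrl(returnTo.replace(/&/g, "%26"));
}

// The general form: encode the whole Source value as one opaque component, so
// "&", "?", "#" and "%" inside it cannot be read as outer-URL syntax.
function buildEncoded(returnTo) {
  return editFormUrl(encodeURIComponent(returnTo));
}

// Model of what the form does on close: read Source from the current URL and
// navigate to it. Returns the query parameters of the page actually reached.
function whereCloseLands(editUrl) {
  const source = new URL(editUrl).searchParams.get("Source");
  const target = new URL(source, BASE);
  // Defensive check: never follow a return URL to a different origin.
  if (target.origin !== new URL(BASE).origin) {
    throw new Error(`refusing off-site Source: ${target.origin}`);
  }
  return Object.fromEntries(target.searchParams.entries());
}

// Usage: the naive URL lands on LeadEdit.aspx with only ID, the other two keep BO.
console.log(whereCloseLands(buildNaive(RETURN_TO)));
console.log(whereCloseLands(buildMasked(RETURN_TO)));
console.log(whereCloseLands(buildEncoded(RETURN_TO)));
```

Note that the fully encoded form double-encodes the "%2F" already present in the BO value (it becomes "%252F" on the wire); the outer parse restores "%2F" and the inner parse restores "/", which is exactly the layering the nested URL needs.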
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, you need to ensure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again.
-
INTERESTING - ACE config and URL manipulation
Hi
My customer has an interesting requirement for his web/java based application (SAP).
There are multiple services (each has its own domain) running on the same server all services sharing the same TCP port. All of them require a correct path in the HTTP(S) header to display a desired web page. However if somebody is accessing (via HTTP or HTTPS) the service without any path in the URL (for a login page) the ACE should redirect a correct URL and path for the login page to the client. In other words...
1) http://sap.mydomain.com ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
2) https://sap.mydomain.com ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
3) http://sap.mydomain.com/abc/init.do?language=de ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
4) https://sap.mydomain.com/abc/AnythingElse ---NOT to be redirected but sent unchanged---> https://sap.mydomain.com/abc/AnythingElse
Do you have any ideas how can I achieve this?
I tried something but it still doesn't work. Relevant config is attached.
Thanks in advance for your replies and happy to reward you 5* when we get it up and running
drsl
Dsliz,
One of them may look like this:
policy-map multi-match SAP-HTTP-REDIRECT-POLICY-MAP
class SAP-REDIRECT-CM
loadbalance vip inservice
loadbalance policy SAP-REDIRECT-POLICY
loadbalance vip icmp-reply
class-map match-any SAP-REDIRECT-CM
3 match virtual-address 10.148.185.249 tcp eq www
policy-map type loadbalance first-match SAP-REDIRECT-POLICY
class class-default
serverfarm SAP-HTTP-REDIRECT
serverfarm redirect SAP-HTTP-REDIRECT
rserver SAP-HTTP-REDIRECTOR
inservice
rserver redirect SAP-HTTP-REDIRECTOR
conn-limit max 4000000 min 4000000
webhost-redirection https://sap.mydomain.com/abc/init.do?language=de 301
inservice
You did not include the rest of the configuration for example for this:
class L7CM-B2C-DEMOSHOP
Additionally, you may need to see about matching secondary cookies as shown here, since it is required to match after "?" sometimes.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/policy.html#wp2336441
Jorge
-
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue, but I am not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
John
I don't see any inspection commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easily with the legacy command "fixup protocol icmp"