Mixed service ports

Can anyone tell me how to create mixed service ports on ASA 8.4(2)?
I need to create a service group which has ICMP, TCP ports and also different UDP ports.
Normally you would create different service groups based on TCP/UDP/TCP-UDP/ICMP/Protocol and add them to a new nested service group.
But I want to create a new service group where you can define everything without the need for different service groups and nesting them into a new one.

I assume you mean a service group for traffic inbound to your firewall from the internet.  With that assumption, create a service group as shown below.  It shows the different types of protocols.
object-group service whatever
service-object icmp
service-object tcp-udp destination eq 5500
service-object tcp destination eq 500
service-object udp destination eq 501
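Added example, not from the thread: a small Python audit helper that parses ASA `object-group service` blocks like the one above and expands each `service-object` line into one (protocol, port-or-type) rule, so a mixed group can be reviewed rule by rule before it is referenced from an ACL. The sample config is constructed (the group above plus a second group using named ports and an ICMP type); `tcp-udp` is expanded into a TCP and a UDP rule, and an entry with no port or type (a bare `icmp`) is reported as matching the whole protocol. The `PORT_NAMES` table is an assumed subset of the ASA keywords.

```python
import re

# Constructed sample: the mixed group from the answer plus a second group
# with named ports and an ICMP type, as a review input.
ASA_CONFIG = """\
object-group service whatever
 service-object icmp
 service-object tcp-udp destination eq 5500
 service-object tcp destination eq 500
 service-object udp destination eq 501
object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq ftp
 service-object tcp destination eq https
 service-object icmp echo
"""

# Assumed subset of ASA port keywords, enough for the sample above.
PORT_NAMES = {"www": 80, "ftp": 21, "https": 443, "smtp": 25}

GROUP_RE = re.compile(r"object-group service (\S+)$")
OBJ_RE = re.compile(r"service-object (\S+)(?: (\S+))?(?: destination eq (\S+))?$")


def parse_service_groups(text):
    """Return {group name: [(protocol, spec), ...]}.

    spec is a destination port (int, or the keyword if unknown), an ICMP
    type name, or "any" when the line names only a protocol.
    """
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = OBJ_RE.match(line)
        if not m or current is None:
            continue
        proto, icmp_type, port = m.groups()
        if port is not None:
            spec = int(port) if port.isdigit() else PORT_NAMES.get(port, port)
        elif icmp_type is not None:
            spec = icmp_type
        else:
            spec = "any"  # no port or type given: matches the whole protocol
        # tcp-udp is one line on the ASA but two rules once expanded
        for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,)):
            current.append((p, spec))
    return groups


def broad_entries(groups):
    """(group, protocol) pairs that match every port or ICMP type."""
    return [(name, proto) for name, entries in groups.items()
            for proto, spec in entries if spec == "any"]


if __name__ == "__main__":
    parsed = parse_service_groups(ASA_CONFIG)
    for name, entries in parsed.items():
        print(name, entries)
    print("broad:", broad_entries(parsed))
```

Feed it `show running-config object-group` output to list every protocol/port a mixed group actually opens, with the bare-protocol entries called out.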

Similar Messages

  • Static nat and service port groups

    I need some help with opening ports on my ASA using firmware 9.1.2.
    I read earlier today that I can create service groups and tie ports to those.  But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ? 
    I have the ACL -
    access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
    Can this statement
    object network obj-ExchangeSever-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    reference the service port groups instead? 
    Thanks,
    Andrew

    Hi,
    Are you looking for a way to group all the ports/services you need to allow from the external network to a specific server/servers?
    Well you can for example configure this kind of "object-group"
    object-group service SERVER-PORTS
    service-object tcp destination eq www
    service-object tcp destination eq ftp
    service-object tcp destination eq https
    service-object icmp echo
    access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
    The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
    I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
    You can use the "object network" created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed. Using the "object" in the ACL doesn't tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
    Hope this helps
    - Jouni

  • Wism Controller 2 doesn't get service port IP but Controller 1 does

    I followed the documentation for setting up the WiSM. Controller 1 is up and fine. I see in dhcp bindings, that Controller 2 is getting a DHCP address and when I "session slot 9 pro 2" it tries to connect to that dhcp address, but on a "show wism status" the service-port of controller 2 is 0.0.0.0
    Has anyone encountered this problem?
    Thanks

    Hi..
    What about the connectivity? Do we still have access to the WLC 2, either from telnet or the GUI? Or will the session to the WLC work?
    Regards
    Surendra

  • Can't create services port in Win2K

    Hello guys:
    I was trying to install IDES on my laptop. The OS is Win2K Advanced Server with sp4. But there was an error when I installed the central instance of iDES.
    It said: 'Copying c:/winnt/system32/drivers/etc/services to c:/winnt/system32/drivers/etc/services.saptmp
    Internal error: a call to syslib failed. system error message: no error'. And I thought it should be something wrong when IDES was trying to create service ports. So I opened the 'services' file in the directory named in the error message, and found that IDES added one line 'sapmszzz 3600/tcp   #sapsystem message port'. It should be more than one line, right?
    I don't know what happened during the installation, and ask for your help to solve this. Any help will be appreciated!
    Best Regards!
    Zippo

    Andreas, it's not quite correct:
    The lines look like this:
    sapdb<nn> 32<nn>/tcp
    sapgw<nn> 33<nn>/tcp
    sapms<SID> 36<nn>/tcp
    where <nn> should be 00 in this case...
    But the service number has to be unique.
    If your services file contains for example an entry:
    sapmsAAB 3600/tcp
    you will fail to add
    sapmsAAX 3600/tcp
    Therefore you typically have to modify the sapms<SID> entry if you install more than one system with the Number 00 to different values.
    sapms<XXX> entries have to be identical on all SAP Systems which should talk to one another.
    regards
    Peter

  • Problem: Socket connection is not creating in machine, through utility program (MFC Dll), on ListDisplay service port - 3334 (on separate machine), while we are able to telnet on same ListDisplay service port - 3334 from same issue machine on same time

    Problem: Socket connection is not creating in machine, through utility program (MFC Dll), on ListDisplay service port - 3334 (on separate machine), while we are able to telnet on same ListDisplay service port - 3334 from same issue machine on same time
    Environment:
    OS: Windows XP SP2/7
    Code: VC 6.0
    Dll: MFC
    Problem Description:
    We have written a utility program which creates a socket (using the Windows standard method [MFC]), and then makes a connection with another service (List Display) running on port 3334 in a different machine and retrieves the required list data. This program was working fine in almost all the machines.
    But we have received a severe intermittent issue on two machines. The client is facing an issue in displaying the list data from port 3334.
    Attempt:
    First we tried to debug the code, and we came to know that the socket is not creating in the utility program. So we tried to telnet on ListDisplay service port 3334 and we were surprised that we were able to telnet; then we opened some more telnet windows on the same port 3334, around 6 to 8 windows, and each cmd connected properly. But we were not able to create the socket from the utility program.
    The problem is severe because the issue is intermittent.
    We have tried every way, but we are not able to figure out what the exact problem can be and what the conditions are when the utility program will not connect with the ListDisplay service on port 3334.
    Kindly assist to resolve this issue. For any help, we would be really thankful.

    Hi,
    According to your description, it seems that you have created a utility program which is making a connection with another service on port 3334; however, two clients are facing an issue in displaying the data list from port 3334.
    Port: 3334/TCP - Known port assignments (1 record found)
    Service       Details                 Source
    directv-web   Direct TV Webcasting    IANA
    Since port 3334 is used by the directv-web service, I'd like to suggest checking whether this service is working well on the problematic clients.
    1. Can the client be resolved in DNS? Please run "nslookup" in the command prompt.
    2. Is there any 3rd party application interrupting? Do test in clean boot.
    3. Strongly suggest you run the process monitor tool to analyse it.
    I am looking forward to your reply if you have any updates on your side.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Issue on Service Ports for outgoing connection

    Hi,
    My question is regarding my desktop Mac making an outgoing connection to an external IP address 184.84.124.244 using TCP protocol destination port 443 but using 40 Service Ports between 49170 through 49217.  This is an automatic outgoing connection by OS X 10.7.3 (I assumed, as I did not make that connection).  Why would such a connection require 40 ports to be opened at the same time?  Anyone have any idea what might have caused that?  Thanks.

    There could be lots of outgoing connections when you fire up Safari, as an example, because by default it has many favourites that are RSS feeds. You could have added some new ones yourself.
    How do I find out if those connections stay up indefinitely?
    By the way just curious, how did you look up the IP address as who they are?
    If you are "Terminal aware" there are some commands that can help you in this direction
    host
    host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.
    netstat
    show network status
    whois
    The whois utility looks up records in the databases maintained by several Network Information Centers (NICs).
    nslookup
    query Internet name servers interactively
    dig
    dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
    just to name a few.
    netstat in particular lets you know which connections, and their relative status, are going on between your computer and the rest of the world

  • On a 3750 enhanced services port, are hierarchical queueing and standard queuing features mutually exclusive?

    When you configure hierarchical queueing on an enhanced services port, should one also configure the egress queue characteristics such as buffer space and thresholds, shaped/shared weights, egress priority queue, etc., that is, all of those characteristics that one would configure if one were configuring a port for standard QOS?  In other words, on an enhanced services port, are the hierarchical queueing features using the modular QOS CLI and the standard egress queueing features supposed to be used together, or are they mutually exclusive?

    Hi Christine,
    The answer to your confusion is in the following document.
    http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.1_14_ax/release/notes/OL464603.html#wp58682
    On an ES port, you can use LLQ (enabled with the priority policy-map class configuration command) and the egress priority queue (enabled with the priority-queue out interface configuration command). By using these two features, you can give priority to a class of traffic and avoid losing traffic when the switch is congested. In previous releases (before the egress priority queue was supported), you could put a traffic class into the strict-priority queue, but congestion at the egress queue-sets could result in the dropping of that priority traffic. The priority-queue out interface configuration command enables you to prioritize the same traffic class at the egress queue-sets, ensuring that priority traffic reaches the hierarchical queues and is processed with priority.
    You can also fine-tune the queue-sets for your desired results.
    http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_50_se/configuration/guide/swqos.html#wp1162303

  • HA on 5508 and service ports

    Hi everybody.
    Two 5508 WLCs running 7.4.100.60. I had to activate HA.
    I decided to configure Service ports: following the HA conf guide, I used DHCP. That's because static IPs on service ports are often cleared and forgotten during switchover. HA went up perfectly; tests were positive: by rebooting the active unit, standby was immediately ready, and so on.
    I decided to test maintenance mode: by shutting down the mgt ports of the active unit, the standby one was activated, and the active went into maintenance mode (because it did not reach the standby). This again is correct.
    Issue: when the unit is in this status (maintenance), its service port IS NOT reachable! I have to open again its mgt ports: the unit does not change the maintenance status (and this is fully correct), but becomes reachable through its service port.
    This is not enough: the active unit remembers the peer service port address, but the standby one does not.
    Moreover, after some time, when I try to contact the latter, I jump on the former (I am always talking of Service ports).
    This is really difficult for me to explain.... Any suggestion?
    Thanks
    Davide

    Hi
    In my 5508 WLC I have exactly the same problem as you, gsutherland.
    I tried to apply this command: config 802.11b 11nSupport a-mpdu tx priority all disable
    and I get the message
    "802.11b network not disabled"
    Why must I turn off the b standard?
    Thanks for the response

  • Service port interface Question

    I have a customer that wants to use the service port interface as a backup entry door to its WLCs in the event of a network failure or misconfiguration. I have configured the WLC's mgt and ap-manager interface in a 10.50.x.x network and the service interface in a 10.103.x.x network, which are 2 completely separate networks. Cisco's documentation is unclear as to how to configure the service interface. Should I have the service interface completely separate from the 10.x.x.x network class (e.g. 172.16.x.x or 192.168.x.x), or am I okay in using the 10.103.x.x network?
    The WLC can be configured with static routes. Are those, when configured, reserved for the service interface? Should I configure the WLC with a static route? And if yes what should it be?
    Your help would be greatly appreciated
    Thanks

    You can use the service port, but make sure you configure it correctly. Here is from a Cisco doc:
    By default, the physical service port interface has a DHCP client installed and looks for an address via DHCP. The WLC attempts to request a DHCP address for the service port. If no DHCP server is available, then a DHCP request for the service port fails. Therefore, this generates the error messages.
    The workaround is to configure a static IP address to the service port (even if the service port is disconnected) or have a DHCP server available to assign an IP address to the service port. Then, reload the controller, if needed.
    The service port is actually reserved for out-of-band management of the controller and system recovery, and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port cannot carry 802.1Q tags. Therefore, it must be connected to an access port on the neighbor switch. Use of the service port is optional.
    The service port interface controls communications through and is statically mapped by the system to the service port. It must have an IP address on a different subnet from the management, AP-manager, and any dynamic interfaces. Also, it cannot be mapped to a backup port. The service port can use DHCP in order to obtain an IP address, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service port interface. Static routes can be defined through the controller for remote network access to the service port.
    Hope this helps.

  • Simulation error : size mismatch in mixed language port association with VIVADO simulator

    Hi,
    I have instantiated a VHDL module in a Verilog top file. When I tried to simulate the Verilog top, I received the following error.
    ERROR : Size mismatch in mixed language port association , vhdl port  vid_data
    (Simulation tool : VIVADO simulator . VIVADO ver : 2015.1)
    // Following is the instantiation of the VHDL module in the Verilog top file
    VPS VPS_inst (
         .clk(VPS_clk),
         .reset_n(~user_reset),
         .vid_active_video(data_valid),
         .vid_data(data_to_mem)
    );
    The port 'vid_data' is declared in the VHDL module as std_logic_vector (15 downto 0)
    "vid_data   : out std_logic_vector(15 downto 0)"
    'data_to_mem' is declared in the Verilog top file as "wire  [15:0]   data_to_mem".
    No size mismatch exists actually. But I am getting the above mentioned error in simulation.
    I have searched for similar threads. Nothing was useful.
    Does anyone know how to solve this?
    Thanks and Regards
    Raisa

    You might also get this error if you mis-spelled "data_to_mem" such that the declaration did not match the instantiation port map.  For example:
    wire  [15:0] data__to_mem;  // double underscore before "to"
    VPS VPS_inst (
         .clk(VPS_clk),
         .reset_n(~user_reset),
         .vid_active_video(data_valid),
         .vid_data(data_to_mem)  // only one underscore before "to"
    );
    In Verilog this is not an error unless you disable automatic net inference.  In this case Verilog is happy to create a single wire for data_to_mem, but then you would be trying to attach a 1-bit wire to a 16-bit port.  That would also be valid in Verilog, but not allowed for connections to VHDL.
    I typically avoid this sort of error by placing:
    `default_nettype none
    at the top of each Verilog file, and
    `default_nettype wire
    at the bottom of each Verilog file.  This prevents the automatic creation of wires when you mis-spell or forget to declare nets.

  • CSS11501 - Rejects incoming connections on VIP service port

    Hi,
    I have configured CSS11501 in one-armed mode with only one server behind the VIP. After every couple of hours the connectivity to VIP Service port (80) is lost. Telnet to VIP on port 80 does not reach the server. During the same time ping to the VIP works continuously. The interface throughput does not go beyond 40Mbps and the max concurrent connections does not go beyond 200 connections. And the 'show service summary' continues to show the server alive on http. NAT is defined for the return traffic through 'group' command
    The problem gets resolved by itself within 3-4 minutes or by deactivating and re-activating the VIP within CSS configurations.
    CSS model : CSS11501
    Version: 08.20.0.01
    Any clue or hint to troubleshoot this problem will be of great assistance.
    Thanks.

    Good afternoon,
    Probably the best would be opening a TAC service request to get this investigated further.
    Before you do, I would anyway recommend you to try a software upgrade to the latest 8.20 release. 8.20.001 was the first release in the 8.20 train, so a lot of bug fixes have been added since then. There is still the chance that your issue will go away with this upgrade
    Regards
    Daniel

  • WLC 5508 - What is the use of service port.

    Hi,
    I am finding it hard to understand the use of the service port in WLC 5508.
    Even after reading so many posts and Cisco notes I am not understanding the use (even the basic use) of the service port.
    As I understand, the service port should be an access port and should be in a different VLAN.
    Please help me to understand it in a simple way....

    Hi Tarun,
    Like others mentioned, it is used for Out of Band Management of a WLC. Many do not use this as it could lead to issues unless you properly configure it & put it onto two completely different supernets. Config guides highlighted those restrictions & below is one of them listed in the 7.4 config guide:
    Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.
    In situations you can use it to get access by directly connecting a laptop to take configuration backup or restore configuration to a controller. In the below post I have used service port to take backup & restore the configuration to a WLC.
    http://mrncciew.com/2013/01/25/backup-restore-wlc-configs/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • /etc/services, port numbers & Unix processes

    I have some questions about /etc/services, ports and unix processes.
    First, it appears to me that a process can listen on a port WITHOUT the service/port number being in /etc/services. Is this correct?
    For example we have TUXEDO apps that listen on high number ports even though there are no corresponding service/port pairs in /etc/services.
    Second, How do you find out which Unix process is listening on a given port?
    For example, when you run netstat -a and get something that looks like:
    host.port.........................LISTEN
    How do you get the Unix PID listening on this port?

    Hi
    A service can run on any port number; as I understand it, /etc/services just describes the well-known port number services.
    As for finding out what process is listening on a given port, I recall a previous post that suggested
    using lsof with some switches.
    I think it was :
    lsof -i -n -P
    I've never tried it myself.
    You can find lsof at www.sunfreeware.com
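Added example, not from the thread, covering both questions above on Linux rather than the Solaris system discussed: it binds a listener on an ephemeral port that has no /etc/services entry and then maps that port back to its PID from /proc/net/tcp and /proc/<pid>/fd, which is the same data lsof -i -n -P reports. The /proc/net/tcp excerpt used by the tests is constructed; the /proc layout is the assumption.

```python
import os
import socket

# Constructed /proc/net/tcp excerpt: one LISTEN socket (st 0A) on port 3334
# (0x0D06, inode 12345) and one ESTABLISHED client socket to port 443.
SAMPLE_TCP_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0D06 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A1B2 0100007F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def listening_inodes(table_text, port):
    """Socket inodes in LISTEN state whose local port (hex field) equals port."""
    inodes = set()
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state == "0A" and int(local.rsplit(":", 1)[1], 16) == port:
            inodes.add(inode)
    return inodes


def pids_holding(inodes):
    """PIDs whose fd table links to socket:[inode]; unreadable pids are skipped."""
    pids = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # another user's process, or it exited meanwhile
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:[") and target[8:-1] in inodes:
                pids.add(int(pid))
    return pids


def pids_listening_on(port):
    """Equivalent of reading lsof -i -n -P for one TCP port (v4 and v6)."""
    inodes = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                inodes |= listening_inodes(f.read(), port)
        except OSError:
            pass
    return pids_holding(inodes)


def proc_available():
    return os.path.exists("/proc/net/tcp")


def demo():
    """Listen on a kernel-chosen port and confirm our own PID is found."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # port 0: kernel picks an ephemeral port
    s.listen(1)
    port = s.getsockname()[1]
    try:
        return os.getpid() in pids_listening_on(port)
    finally:
        s.close()
```

Run as a non-root user it only sees your own processes, which is the same restriction lsof has; root sees every fd table.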

  • 5508 WLC service-port

    Is it possible to connect to the WLC GUI through the service-port on the 5500 series controllers?
    Or is this just for SSH?

    Hi Colin,
    Yes you can access the GUI using the service port IP Address.
    Connect your laptop using the service port and assign a static IP address in the same subnet as the service port IP of your controller.

  • WISM Service Ports Down

    I am walking into a site that already has the WISMs set up. There are 2 switches set up with VSS and there are a total of 4 WISMs. When I do a show wism status there are 3 of the service ports that show down. One port down on one of the WISMs and both ports down on another. The management addresses are set up and I can manage the WISMs, and when I do a show int on any of the interfaces they show as 'notconnect'.
    I don't think you can go in and do a "no shut" on the ports so not sure what to do in order to get the service ports up.

    I guess when in doubt reboot....I booted the controllers in question and the ports came up.
