Monitoring Internet Router from inside network

I need help in setting this up. At the moment we are using OpManager to monitor our routers inside the network. I want to monitor our internet router sitting outside the network. It would be really great if someone could help out or point me to how to set this up.
Regards

Thanks for your reply. Actually what I want is for my monitoring application sitting inside my network to monitor my internet router via SNMP. There is a FW in between.
I have tried that PRTG application and it's not bad. Thanks

Similar Messages

  • Using LDAP group to authenticate users from inside network to Internet

    Hi team, I got an ASA 5510 version 7.2.3 and I need to authenticate my users from the inside network to the internet using a security group in Active Directory. Can anyone help me with this?

    This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
    Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
    PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
    then do some filtering -
    ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

  • Monitoring Exchange 2010 from external network

    I would like to monitor the following services of Exchange 2010 from an external network / the internet:
    1) SMTP (to confirm the mail has been accepted for delivery)
    2) ActiveSync (mobile device can log in and sync different folders)
    3) WebApp (users can log in and access mail)
    I have created a script using Test-Mailflow, Test-ActiveSyncConnectivity and Test-WebServicesConnectivity and am running it on a server from the LAN. I want to monitor the above 3 areas from the Internet (external network) to make sure these services are available from the Internet.
    We have Barracuda as SMTP gateway, TMG for WebApp and MobileIron for ActiveSync.
    Will I be able to monitor these services from the external network (internet) using the test commands? What are the alternate ways to monitor the above services from an external network?
    Thanks

    We are trying to build exactly similar to ExRCA. ExRCA is good but it is manual. We would like to build something similar to ExRCA which can monitor exchange services periodically and send alerts.

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:<redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30.
    The Twice NAT is good, ACLs are good.
    Do the following and provide us the result:
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • How to manage c877(outside) in RFC1483 mode through ASA5505 from (inside)network

    Hi All
    Here is a quick summary of my network setup.
    ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
    I am trying to figure out how to correctly configure my C877 & my ASA so I can telnet and manage the C877 from one of the inside networks on the ASA5505.
    With the current configuration I can ping the C877 but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
    Interface connectivity is as follows:
    ISP <-> C877 PoTS
    C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
    ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
    HP L2 Switch <-> Home PC.
    Device IPs:
    Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
    Home PC = 192.168.50.81 / 24
    Router C877 IP = 192.168.50.2 / 24
    Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
    Here is what I have tried so far but without luck:
    Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
    Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
    Any help much appreciated!
    C877 config below:
    Current configuration : 1422 bytes
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname c877
    boot-start-marker
    boot-end-marker
    no aaa new-model
    clock timezone UTC 11 0
    crypto pki token default removal timeout 0
    dot11 syslog
    ip source-route
    ip cef
    ip domain name --CUT--
    no ipv6 cef
    multilink bundle-name authenticated
    username --CUT-- privilege 15 password 7 --CUT--
    bridge irb
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     bridge-group 1
     pvc 8/35
      encapsulation aal5snap
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Vlan1
     no ip address
     bridge-group 1
    interface BVI1
     ip address 192.168.50.2 255.255.255.0
    ip default-gateway 192.168.50.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    snmp-server community public RO
    snmp-server ifindex persist
    control-plane
    bridge 1 protocol ieee
    line con 0
     exec-timeout 0 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
     transport input all
    end
    ASA5505 config below:
    ASA Version 9.1(3)
    hostname asa5505
    enable password --CUT-- encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd --CUT-- encrypted
    names
    interface Ethernet0/0
     switchport access vlan 10
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 20
    interface Ethernet0/3
     switchport access vlan 30
    interface Ethernet0/4
     switchport access vlan 40
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 70
    interface Ethernet0/7
     switchport access vlan 70
    interface Vlan1
     nameif inside_private
     security-level 100
     ip address 192.168.50.1 255.255.255.0
    interface Vlan10
     nameif outside_public
     security-level 0
     pppoe client vpdn group ADSL2
     ip address pppoe setroute
    interface Vlan20
     nameif inside_dmz
     security-level 70
     ip address 192.168.60.1 255.255.255.0
    interface Vlan30
     nameif inside_guest
     security-level 50
     ip address 192.168.70.1 255.255.255.0
    interface Vlan40
     nameif inside_experimental
     security-level 60
     ip address 10.0.0.1 255.255.0.0
    interface Vlan70
     nameif inside_phone
     security-level 10
     ip address 192.168.80.1 255.255.255.192
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside_dmz
    dns server-group DefaultDNS
     name-server 192.168.60.2
    same-security-traffic permit intra-interface
    object network LAN_private
     subnet 192.168.50.0 255.255.255.0
    object network LAN_dmz
     subnet 192.168.60.0 255.255.255.0
    object network LAN_guest
     subnet 192.168.70.0 255.255.255.0
    object network LAN_experimental
     subnet 10.0.0.0 255.255.0.0
    object network QNAP_host
     host 192.168.50.9
    object network INTELNUC_host
     host 192.168.60.2
    object network INTELNUC_prtgservice
     host 192.168.60.2
    object network INTELNUC_webservice
     host 192.168.60.2
    object network QNAP_management
     host 192.168.50.9
    object network QNAP_transmission
     host 192.168.50.9
    object network LAN_guest_wireless
     range 192.168.70.31 192.168.70.50
    object network QNAP_t51413
     host 192.168.50.9
    object network QNAP_u51413
     host 192.168.50.9
    object service 9000-9049
     service udp destination range 9000 9049
    object network C7940_u10000-20000
     host 192.168.80.11
    object network C7940_t5060
     host 192.168.80.11
    object network LAN_phone
     subnet 192.168.80.0 255.255.255.192
    object network SPINTEL_host
     host --CUT--
    object service 16384-32766
     service udp source range 16384 32766
    object network C7940_host
     host 192.168.80.11
    object service 10000-20000
     service udp destination range 10000 20000
    object network C7940_u5060
     host 192.168.80.11
    object-group network LAN_all
     network-object object LAN_dmz
     network-object object LAN_experimental
     network-object object LAN_guest
     network-object object LAN_private
     network-object object LAN_phone
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service 5060 tcp-udp
     port-object eq sip
    object-group service 53 tcp-udp
     port-object eq domain
    access-list public_ACL extended permit tcp any object QNAP_host eq 8080
    access-list public_ACL extended permit tcp any object QNAP_host eq 51413
    access-list public_ACL extended permit udp any object QNAP_host eq 51413
    access-list public_ACL extended permit tcp any object QNAP_host eq 9091
    access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
    access-list public_ACL extended permit tcp any object INTELNUC_host eq www
    access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
    access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
    access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
    access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
    access-list dmz_ACL extended permit icmp any any echo
    access-list dmz_ACL extended permit udp any any eq snmp
    access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
    access-list dmz_ACL extended deny ip any object LAN_private
    access-list dmz_ACL extended deny ip any object LAN_guest
    access-list dmz_ACL extended deny ip any object LAN_experimental
    access-list dmz_ACL extended deny ip any object LAN_phone
    access-list dmz_ACL extended permit ip any any
    access-list guest_ACL extended permit icmp any any echo
    access-list guest_ACL extended permit udp any any eq snmp
    access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
    access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
    access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
    access-list guest_ACL extended permit ip any object INTELNUC_host
    access-list guest_ACL extended permit ip any object QNAP_host
    access-list guest_ACL extended deny ip any object LAN_private
    access-list guest_ACL extended deny ip any object LAN_dmz
    access-list guest_ACL extended deny ip any object LAN_experimental
    access-list guest_ACL extended deny ip any object LAN_phone
    access-list guest_ACL extended permit ip any any
    access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
    access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
    access-list phone_ACL extended permit udp object C7940_host any eq ntp
    access-list phone_ACL extended permit tcp object C7940_host any eq sip
    access-list phone_ACL extended permit udp object C7940_host any eq sip
    access-list phone_ACL extended permit ip object C7940_host any inactive
    access-list phone_ACL extended permit ip object LAN_phone any inactive
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside_private 1500
    mtu outside_public 1492
    mtu inside_dmz 1500
    mtu inside_guest 1500
    mtu inside_experimental 1500
    mtu inside_phone 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
    object network LAN_private
     nat (inside_private,outside_public) dynamic interface
    object network LAN_dmz
     nat (inside_dmz,outside_public) dynamic interface
    object network LAN_guest
     nat (inside_guest,outside_public) dynamic interface
    object network LAN_experimental
     nat (inside_experimental,outside_public) dynamic interface
    object network INTELNUC_prtgservice
     nat (inside_dmz,outside_public) static interface service tcp 444 444
    object network INTELNUC_webservice
     nat (inside_dmz,outside_public) static interface service tcp www www
    object network QNAP_management
     nat (inside_private,outside_public) static interface service tcp 8080 8080
    object network QNAP_transmission
     nat (inside_private,outside_public) static interface service tcp 9091 9091
    object network QNAP_t51413
     nat (inside_private,outside_public) static interface service tcp 51413 51413
    object network QNAP_u51413
     nat (inside_private,outside_public) static interface service udp 51413 51413
    object network C7940_t5060
     nat (inside_private,outside_public) static interface service tcp sip sip
    object network LAN_phone
     nat (inside_phone,outside_public) dynamic interface
    object network C7940_u5060
     nat (inside_private,outside_public) static interface service udp sip sip
    access-group public_ACL in interface outside_public
    access-group dmz_ACL in interface inside_dmz
    access-group guest_ACL in interface inside_guest
    access-group phone_ACL in interface inside_phone
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside_private
    snmp-server host inside_dmz 192.168.60.2 community *****
    snmp-server location inside_dmz
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint localtrust
     enrollment self
     fqdn asa5505.--CUT--
     subject-name CN=sasa5505.--CUT--
     keypair sslvpnkey
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain localtrust
     certificate --CUT--
    telnet 192.168.50.0 255.255.255.0 inside_private
    telnet timeout 60
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ADSL2 request dialout pppoe
    vpdn group ADSL2 localname --CUT--
    vpdn group ADSL2 ppp authentication pap
    vpdn username --CUT-- password --CUT-- store-local
    dhcpd auto_config outside_public
    dhcprelay server 192.168.60.2 inside_dmz
    dhcprelay enable inside_private
    dhcprelay enable inside_guest
    dhcprelay enable inside_experimental
    dhcprelay enable inside_phone
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics port number-of-rate 3
    threat-detection statistics protocol number-of-rate 3
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server --CUT-- source inside_private
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
    ssl trust-point localtrust outside_public
    webvpn
     anyconnect-essentials
    username --CUT-- password --CUT-- encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:--CUT--

    Ansar,
    A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
    As an example.
    If you had
    service pete
    ip address 1.1.1.1
    active
    content pete
    add service pete
    protocol tcp
    port 80
    vip address 2.2.2.2
    active
    group pete_out
    vip address 2.2.2.2
    add service pete
    active
    So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
    You can also apply a source group via an acl as another option.
    Regards
    Pete..
    [email protected]
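
An added example, not part of any post above: a small Python audit that flags management-plane and policy settings of the kind visible in the ASA 5510 and C877 configurations posted on this page. The rule names are this example's own labels, and the two sample inputs are short excerpts copied from those posted configs.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# (rule id, pattern, reason). Rule ids are labels invented for this example.
LINE_RULES = [
    ("snmp-default-community", r"^snmp-server community (public|private)\b",
     "well-known SNMPv1/v2c community string, sent in cleartext"),
    ("vty-telnet-allowed", r"^transport input (all|telnet)\b",
     "vty lines accept Telnet, so credentials cross the wire unencrypted"),
    ("asa-telnet-mgmt", r"^telnet \d+\.\d+\.\d+\.\d+ ",
     "ASA accepts Telnet management sessions"),
    ("no-session-timeout", r"^exec-timeout 0 0$",
     "idle console/vty sessions never time out"),
    ("plaintext-passwords", r"^no service password-encryption$",
     "type 0 passwords are stored readable in the config"),
    ("ip-source-route", r"^ip source-route$",
     "router honours IP source-routing options"),
    ("ssh-dh-group1", r"^ssh key-exchange group dh-group1-sha1$",
     "SSH key exchange uses 1024-bit Diffie-Hellman group 1"),
    ("tls-weak-cipher", r"^ssl encryption .*\b(rc4|3des|des)-",
     "RC4/3DES/DES offered for TLS"),
    ("mgmt-from-any", r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 ",
     "management access allowed from every address behind that interface"),
]
REASONS = {rule: why for rule, _, why in LINE_RULES}
REASONS["permit-any-on-untrusted"] = (
    "ACL applied inbound on a security-level 0 interface permits all IP")


def audit(config: str) -> List[Finding]:
    lines = [l.strip() for l in config.splitlines()]
    sec_level = {}  # nameif -> security-level
    bound = {}      # ACL name -> interface it is applied inbound on
    nameif = None
    for l in lines:
        if l.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)", l):
            nameif = m.group(1)
        elif (m := re.match(r"security-level (\d+)", l)) and nameif:
            sec_level[nameif] = int(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", l):
            bound[m.group(1)] = m.group(2)

    findings = []
    for n, l in enumerate(lines, 1):
        for rule, pattern, _ in LINE_RULES:
            if re.search(pattern, l):
                findings.append(Finding(n, rule, l))
        # A permit-any ACE only matters here if its ACL faces the outside.
        if m := re.match(r"access-list (\S+) extended permit ip any any$", l):
            iface = bound.get(m.group(1))
            if iface is not None and sec_level.get(iface) == 0:
                findings.append(Finding(n, "permit-any-on-untrusted", l))
    return findings


# Excerpt of the ASA 5510 config posted above.
SAMPLE_ASA = """\
interface Ethernet0/0
 nameif Inside
 security-level 100
interface Ethernet0/1
 nameif Outside
 security-level 0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
http 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
"""

# Excerpt of the C877 config posted above.
SAMPLE_C877 = """\
no service password-encryption
ip source-route
snmp-server community public RO
line vty 0 4
 exec-timeout 0 0
 login local
 transport input all
"""

if __name__ == "__main__":
    for name, cfg in (("ASA5510", SAMPLE_ASA), ("C877", SAMPLE_C877)):
        for f in audit(cfg):
            print(f"{name}:{f.line_no}: {f.rule}: {f.text}  ({REASONS[f.rule]})")
```
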

  • Protect internet Router from ddos attack

    Hello,
    I have a small 2911 router connected to the main internet router, a GSR. This GSR has peering with ISPs. There is a default route on the 2911 pointing to the GSR, and all users connected to the 2911 go from the 2911 to the GSR. I had a DDoS attack on the 2911. My question is how I can protect the 2911 from this kind of attack. I have some queries, if you can help me:
    1. What access-list do I need to configure to protect the 2911 router, for example for ICMP, HTTP, ...?
    2. What is the COOP configuration that allows us to access this router during an attack when the CPU is high?
    3. I heard the ASR and 7200 have some features to protect these routers from DDoS attacks; are they helpful for all kinds of DDoS attack?
    Thanks in advance.

    Hi Steven,
    Have a look at the below mentioned link:
    DDOS Protection
    DDOS Protection 2
    Regards,
    Anim Saxena
    Community Manager
    *do rate helpful posts*

  • Complex DNS? Cannot reach XServe from inside network

    I'm trying to make DNS work on a XServe with Leopard Server installed.
    I had to migrate (mostly manually) DNS from the old server.
    The server runs DNS for about 50 websites, most of them on the server itself, some on other local machines. All these are configured with their external ip addresses.
    From inside the building I cannot reach the server unless I make a subnet so the Xserve acts as a router too. Then I can also use Server Admin, e.g., which I cannot use without that subnet.
    From within the server, DNS seems to work while just browsing the domains with Safari.
    sudo changeip -checkhostname
    Primary address = 10.0.2.15
    Current HostName = dns.myserver.com
    The DNS hostname is not available, please repair DNS and re-run this tool.
    So i guess i made a mess..
    host on xserve ip address (also from within xserve)
    odin:~ admin$ host 10.0.2.15
    Host 15.2.0.10.in-addr.arpa not found: 3(NXDOMAIN
    host command on external ip address gave me one of the domains, but not dns.myserver.com.
    $ host 192.xxx.xxx.xxx (of course i used the full external ip address)
    192.xxx.xxx.xxx.in-addr.arpa domain name pointer dns.myserver.com.
    Can anybody help?
    Message was edited by: skipx2


  • Routing from internal network to external (internet) - is this possible ?

    Hi all,
    I know that private IPs cannot be used on the internet. But what will be the component that is preventing it ?
    In this setup below, assuming i am assigned a /24 public ip block, but i am not going to use or assigned them (e.g. NAT), how/where will my packet from host 1 to 8.8.8.8 be dropped ?
    Regards
    Noob

    Well, as Jon has already noted, a packet is forwarded only by its destination IP. Which means, if the original packet has only a private IP in its source address, it won't be involved in the forwarding decision. (Again, the source IP might still be subjected to analysis that will block the packet at some point.)
    So, your private IP will only be a routing consideration if the receiving host is trying to reply and use your original source IP as the return packet's destination IP. (I suspect you understand the foregoing, but I did want to ensure there's no misunderstanding.)
    Ok, so if the original destination host generates a packet with a private IP for destination IP, it would (most likely) be treated, from that host, like any other packet that host generates with a private IP in the destination. I.e., the network will attempt to deliver it.
    If the prefix destination is totally unknown, the packet will be dropped unless the forwarding router has a default route (or aggregate) that covers it.
    Assuming there's a local private subnet that matches the destination, the network will deliver it to that network, and if there's a host with that actual private IP, the packet will be delivered to it. Usually, the overlapping private IP host will drop the packet, as it won't have a process expecting the packet, but it's possible a process might accept the packet and attempt to process it. Then, most likely, the process will go "huh?" and drop the packet. However, it's also possible the newly receiving host will reply to your original receiving host, i.e. those hosts will now fling packets back-and-forth, because of your original packet. Again, this is all very unlikely normally, more so if the network isn't "sloppy", but such routing is the basis for some DDoS attacks. (For example, I place another host's IP in my packet's source IP, and then send out a ping to the network broadcast IP. Hosts receiving the ping will send a ping reply to the host I targeted.)
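
The forwarding behaviour discussed in this thread, as an added example that is not part of the original posts: a small simulation of destination-only forwarding (longest-prefix match) with an optional source-address ingress filter at the provider edge, which is the kind of "analysis" that drops a packet with a private source. The router names, the host address 192.168.1.10 and the 203.0.113.0/24 block are constructed for illustration; only 8.8.8.8 comes from the question.

```python
import ipaddress


class Router:
    def __init__(self, name, routes, ingress_filters=None):
        self.name = name
        # routes: {prefix: next-hop router name, or "local" for final delivery}
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        # ingress_filters: {neighbour name: source prefixes accepted from it}
        self.ingress_filters = {
            nbr: [ipaddress.ip_network(p) for p in prefixes]
            for nbr, prefixes in (ingress_filters or {}).items()
        }

    def next_hop(self, dst):
        """Longest-prefix match on the DESTINATION only; the source is not consulted."""
        matches = [p for p in self.routes if dst in p]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

    def handle(self, src, dst, came_from):
        """Return (verdict, next router name or None)."""
        allowed = self.ingress_filters.get(came_from)
        if allowed is not None and not any(src in p for p in allowed):
            return "drop: source fails ingress filter", None
        nh = self.next_hop(dst)
        if nh is None:
            return "drop: no route to destination", None
        if nh == "local":
            return "delivered", None
        return "forward to " + nh, nh


def trace(routers, first, src, dst, max_hops=16):
    """Walk a packet through the topology and record each router's verdict."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, prev, current = [], "host", first
    for _ in range(max_hops):
        verdict, nxt = routers[current].handle(src, dst, prev)
        hops.append((current, verdict))
        if nxt is None:
            break
        prev, current = current, nxt
    return hops


def build(isp_filters_sources):
    """Constructed topology: customer edge (no NAT) -> provider edge -> core."""
    edge_filter = {"cpe": ["203.0.113.0/24"]} if isp_filters_sources else None
    return {
        # Customer edge: private LAN plus a default route, no translation.
        "cpe": Router("cpe", {"192.168.1.0/24": "local", "0.0.0.0/0": "isp-edge"}),
        # Provider edge: optionally accepts only the assigned block from the customer.
        "isp-edge": Router(
            "isp-edge",
            {"203.0.113.0/24": "cpe", "8.8.8.0/24": "core"},
            ingress_filters=edge_filter,
        ),
        # Core: no default route, so unknown (private) destinations have no match.
        "core": Router("core", {"8.8.8.0/24": "local", "203.0.113.0/24": "isp-edge"}),
    }


if __name__ == "__main__":
    cases = [
        ("private source, filtered edge", build(True), "cpe", "192.168.1.10", "8.8.8.8"),
        ("private source, unfiltered edge", build(False), "cpe", "192.168.1.10", "8.8.8.8"),
        ("reply to private address", build(False), "core", "8.8.8.8", "192.168.1.10"),
        ("public (translated) source", build(True), "cpe", "203.0.113.5", "8.8.8.8"),
    ]
    for label, topo, first, src, dst in cases:
        print(label)
        for router, verdict in trace(topo, first, src, dst):
            print("   ", router, "->", verdict)
```
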

  • Phone connects to the wifi just fine, my phone does not have signal and cannot connect to Internet away from wifi network t

    I upgraded my iPhone 4 to iOS 6 and if I'm close to my router the signal indicator comes on and the phone connects to the wifi just fine, but if I step away from the router my phone does not have signal and cannot connect to Internet

    I can use my iPhone only with wifi .
    I don't get any signal and I can not connect to
    The Internet without wifi.
    When I don't use my wifi from home I have lost all connection to the net
    My iPhone is on and working it does not shut down

  • ARD works from inside network, but not from outside.

    I can connect my MB to my G5 no problem when on the network inside my home. But if I'm on another network (and supply the correct IP address) I get an "ARD Not Active" error.
    All seems to be well, both machines are up to date and this works locally.
    What's wrong?

    That I can't tell. I travel and all I can do is open ports at home. I have no control over the hotel's systems.
    This was up and working fine - now it just won't connect. Even for the same locations that used to work just fine.
    But perhaps this is something:
    I recently installed Parallels Desktop. Now in the Network pref Pane, there are "Parallels Guest-Host" and "Parallels NAT".
    That's new, could it be a clue?

  • Routes from BGP network statements are not tagged same as other BGP routes?

    I have a question if BGP treats the routes it advertised by using the network statements the same way as the routes it learned or redistributed.
    Here is what I did:
    bgp 65113
    network 1.2.3.4 mask 255.255.255.0
    redistribute static route-map STATIC_INTO_BGP
    ip route 1.2.3.4 255.255.255.0 null0
    ip route ....
    route-map STATIC_INTO_BGP permit 10
    match ip address prefix-list STATIC_INTO_BGP
    set community 65113:100
    I had all the static routes, including the one to null0, in the prefix-list STATIC_INTO_BGP. So those routes could be tagged with the community value.
    I found out that all the routes in the prefix list were tagged correctly except for the one to null0 (the one advertised by the BGP network statement). I had to create a separate prefix list just for this route and add it to the route map to have it tagged correctly.
    So my question is: is this how BGP is supposed to function or did I do it incorrectly?
    Thanks a lot
    Gary

    Thanks all for the help. I agree that if the static route is redistributed into BGP, there's no need to have a BGP network statement again.
    How about this scenario:
    I have a static route:
    ip route 1.2.3.0 255.255.255.0 null0
    I don't redistribute it into BGP, instead I use a network statement:
    bgp xxxxx
    network 1.2.3.0 mask 255.255.255.0
    I create a prefix list and route map to tag it:
    ip prefix-list set-community permit 1.2.3.0/18 le 32
    route-map set-community permit 10
    match ip address prefix-list set-community
    set community xxxxx:100
    Would this set the right community for 1.2.3.0/24 (and other lengths in the range 18-32)? In this case, I used a network statement, not a redistribution.
    Thanks
    Gary

  • Bad DNS return from inside network

    Hello,
      I am getting my butt kicked on this one.  Our company site is now hosted on an external server.  There was a DNS CNAME entry made on our domain controller that points www to www.mycompany.com.  Internally it used to work; now we don't know what happened.  When I use nslookup internally I get 192.185.5.155; I used to get 96.45.82.197.  I still get 96.45.82.197 when on an external server.  If I change DNS server to 8.8.8.8 everything works great, so I am guessing it has to be an entry somewhere.  I have checked hosts files, both DNS servers, the firewall, and switches.  Still cannot find anything.
      Any ideas?
    TIA,
    Jim

    Hi,
    It sounds like you're having the same dns-zone in your local network as you have externally, and a mismatch between the records of www. Please verify (as you stated you've been doing some changes in the local dns) that your www.mycompany.com record internally matches the external one (96.45.82.197 or what it was).
    /Johan
    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

  • Cisco ASA 5505 Routing between internal networks

    Hi,
    I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACLs between those.
    1. Outside
    2. DMZ
    3. ServerNet1
    4. Inside
    ASA version is 9.1 and I have been reading on two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle internal networks. No matter how I configure, with or without NAT, I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if the access list allows it. For instance, the DNS server is on the Inside network and DMZ works great using it.
    Here is the running conf:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
    nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni,
    Yep, Finnish would be good also =)
    In front of the ASA is a DSL modem; on the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN Access Point on one of the ASA ports; on the WLAN AP there is the management portal address on DMZ that I have been testing against (192.168.3.4).
    If I configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ, but that's not the right way to do it, so no shortcuts =)
    Here is the conf now, still doesn't work:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    object-group network DEFAULT-PAT-SOURCE
    description Default PAT source networks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.4.0 255.255.255.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
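
An offline review of the configuration posted in this thread, as an added example that is not part of the original posts and not a Cisco tool: it flags ACLs that are defined but never bound with `access-group`, ACL names that differ only by letter case, empty object-groups, bound ACLs containing `permit ip any any`, and twice-NAT rules whose source and destination objects are identical. The function names are hypothetical, the checks are heuristics, and the embedded sample is an excerpt of lines copied from the first configuration above.

```python
import re
from collections import defaultdict

# Excerpt of the configuration posted in the thread (flattened, as on the page).
SAMPLE_CONFIG = """\
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list ServerNet1_access_in extended permit ip any any
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
"""

MEMBER_KEYWORDS = ("network-object", "group-object", "port-object",
                   "service-object", "protocol-object")
TWICE_NAT = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+) \S+")


def _lines(config):
    """Non-empty lines with indentation removed (the paste has none anyway)."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def acl_names(config):
    return {m.group(1) for ln in _lines(config)
            if (m := re.match(r"access-list (\S+) extended ", ln))}


def bound_acls(config):
    """Map ACL name -> interface for every access-group binding."""
    bound = {}
    for ln in _lines(config):
        m = re.match(r"access-group (\S+) (?:in|out) interface (\S+)", ln)
        if m:
            bound[m.group(1)] = m.group(2)
    return bound


def unbound_acls(config):
    """ACLs with entries but no access-group: their rules filter nothing."""
    return sorted(acl_names(config) - set(bound_acls(config)))


def case_colliding_acls(config):
    """Groups of ACL names that are distinct only by upper/lower case."""
    groups = defaultdict(set)
    for name in acl_names(config):
        groups[name.lower()].add(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def empty_object_groups(config):
    """Object-groups followed by no member lines."""
    lines, empty = _lines(config), []
    for i, ln in enumerate(lines):
        m = re.match(r"object-group \S+ (\S+)", ln)
        if not m:
            continue
        members = 0
        for nxt in lines[i + 1:]:
            if nxt.startswith(MEMBER_KEYWORDS):
                members += 1
            elif not nxt.startswith("description"):
                break
        if members == 0:
            empty.append(m.group(1))
    return empty


def broad_permits(config):
    """Bound ACLs that contain 'permit ip any any', with their interface."""
    bound = bound_acls(config)
    return [(m.group(1), bound[m.group(1)]) for ln in _lines(config)
            if (m := re.match(r"access-list (\S+) extended permit ip any any$", ln))
            and m.group(1) in bound]


def same_object_twice_nat(config):
    """Twice-NAT rules whose destination object equals the source object."""
    return [(m.group(1), m.group(2), m.group(3)) for ln in _lines(config)
            if (m := TWICE_NAT.match(ln)) and m.group(3) == m.group(4)]


def audit(config):
    return {
        "unbound_acls": unbound_acls(config),
        "case_colliding_acls": case_colliding_acls(config),
        "empty_object_groups": empty_object_groups(config),
        "broad_permits": broad_permits(config),
        "same_object_twice_nat": same_object_twice_nat(config),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {findings}")
```
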

  • ASA access from inside to outside interface

    Hi
    We need to get access on our ASA device from the inside network to the outside interface.
    The situation is next:
    We have public external ip address and we need to access it from our inside network.
    Can you please tell me if it is possible to do this?
    Thank you.

    That's right, the solution is named Hairpinning aka U-turn.
    The dynamic rule was the one suggested in my first reply:
    global (inside) 1* interface           *Assume you are using number one

  • Share wireless internet modem from one computer to another with router model WRT120N

    I am trying to share an internet connection of my Sprint wireless modem from computer 1 to computer 2. Is there a way to share the internet connection? I have successfully set up a Home Group. I have tried to share my internet connection by
         right clicking on the network connections icon in the system tray -->
         Open Network and Sharing Center -->
         Change Adapter Settings -->
         right clicking on Modem -->
         Properties -->
         Sharing -->
         Allow other network users to connect through this computer's connection --> *
         Home networking connection: > Local Area Connection -->
         OK **
    * I get this error message
                "The user name and password  for this connection cannot be saved for use by all users. As a result, Internet Connection Sharing can only dial this connection when you are logged on. To enable automatic dialing, you should create a new connection for all users, save your user name and password for all users, and then enable sharing for the new connection."
    ** I get this error message
                "Since this connection is currently active, some settings will not take effect until the next time you dial it."
    Next Network Magic informs me that LAN has lost connection.
    I disconnect from the internet connection then connect again.
    Network Magic shows my computer is not connected to the router but the internet is connected as well as the 2nd computer (Sharing the internet to). I can still connect to the internet from my computer.
    I tried opening Google in my IE 9 browser on computer 2, not able to connect. On computer 2 Network Magic shows that all devices are connected to the router but it is not connected to the internet.
    Home Groups are not available now on both computers but I am still able to connect to mapped network drives.
    I am running Network Magic Basic on both computers.
    ipconfig /all on computer 1 shows:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\Users\Michael>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : AnnaBannana-PC
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    PPP adapter Mobile:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Mobile
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 173.153.207.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 68.28.58.92
                                           68.28.50.91
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Ethernet adapter Local Area Connection 10:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : U600 EVDO Network Adapter #3
       Physical Address. . . . . . . . . : 00-A0-C6-00-00-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection 6:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WiMAX Network Adapter
       Physical Address. . . . . . . . . : F4-63-49-03-58-B6
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
       Physical Address. . . . . . . . . : 70-71-BC-5D-DC-44
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:ad99:cf32:a:955e:5b9:b42c:197b(Prefe
    rred)
       IPv6 Address. . . . . . . . . . . : 2002:b8c3:8b53:a:955e:5b9:b42c:197b(Prefe
    rred)
       Site-local IPv6 Address . . . . . : fec0::a:955e:5b9:b42c:197b%2(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:ad99:cf32:a:f152:48a7:38e0:4bd8(Pref
    erred)
       Temporary IPv6 Address. . . . . . : 2002:b8c3:8b53:a:f152:48a7:38e0:4bd8(Pref
    erred)
       Link-local IPv6 Address . . . . . : fe80::955e:5b9:b42c:197b%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.137.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 242250172
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-C2-02-FF-70-71-BC-5D-DC-44
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%2
                                           fec0:0:0:ffff::2%2
                                           fec0:0:0:ffff::3%2
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{A05F6BCE-ED0A-4E3C-AFEA-96B9B0FC00E7}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{D73CCDF5-F1EE-4FBE-9C86-FB6D72F97B0C}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter 6TO4 Adapter:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:ad99:cf32::ad99:cf32(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 68.28.58.92
                                           68.28.50.91
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{CDEAD959-7804-4D3A-8989-A5D8F1B154F5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1443:3dd8:473c:74ac(Pref
    erred)
       Link-local IPv6 Address . . . . . : fe80::1443:3dd8:473c:74ac%26(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 335544320
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-C2-02-FF-70-71-BC-5D-DC-44
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{99E66CF3-88EA-4809-A033-6BB90F33EB9C}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    ipconfig /all on computer 2 shows:
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\Users\Michael>IPCONFIG /ALL
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : HP-Mini-Laptop
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 00-26-5E-C1-25-70
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wireless Network Connection 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
       Physical Address. . . . . . . . . : 0C-60-76-55-76-16
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Contro
    ller (NDIS 6.20)
       Physical Address. . . . . . . . . : 00-26-55-CD-33-EE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wireless Network Connection 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
       Physical Address. . . . . . . . . : 0C-60-76-55-76-16
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:ad99:cf32:a:60ec:aea0:d494:59d1(Pref
    erred)
       Site-local IPv6 Address . . . . . : fec0::a:60ec:aea0:d494:59d1%1(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:ad99:cf32:a:e92e:d367:eddc:aaae(Pref
    erred)
       Link-local IPv6 Address . . . . . : fe80::60ec:aea0:d494:59d1%16(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Friday, June 17, 2011 11:23:38 PM
       Lease Expires . . . . . . . . . . : Saturday, June 18, 2011 11:23:37 PM
       Default Gateway . . . . . . . . . : fe80::955e:5b9:b42c:197b%16
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 369909878
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-F1-D7-F0-00-1E-33-A3-7E-43
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{056F6EC1-7291-43F0-AAD2-9B90787CF29C}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{FB5BBB88-D238-474F-9958-88E1F2149ED3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{6FC9C384-65F1-4D3E-9BEB-4DC925A0F24F}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{8992E75C-3566-440C-8167-94CD03CFCB37}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter 6TO4 Adapter:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Reusable Microsoft 6To4 Adapter:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\Michael>

    See this thread: here.
    However, please don't use 192.168.0.2 for the router but 192.168.137.2 instead. Home sharing uses 192.168.137.1 on the sharing computer instead of 192.168.0.1 as it was in earlier Windows versions.
    To make the change, unplug the WRT from your network. Wire your second computer to a LAN port of the WRT.
    Open the web interface at http://192.168.1.1/
    On the main setup page, change the LAN IP address from 192.168.1.1 to 192.168.137.2.
    On the same page, disable the DHCP server.
    Save settings.
    Unplug the computer. Now wire one of the numbered LAN ports of the WRT to your home sharing computer.
    That's it.
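A way to confirm the change from a client, added here as an example that is not part of the original reply: it parses `ipconfig /all` text and reports any adapter whose IPv4 address, default gateway or DHCP server does not match the 192.168.137.1 sharing computer. The /24 mask, the expectation that the sharing computer hands out the leases, and both sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import re

ICS_NET = ipaddress.ip_network("192.168.137.0/24")  # assumed /24 around the reply's address
ICS_HOST = ipaddress.ip_address("192.168.137.1")    # sharing computer, per the reply
FIELD = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*\. :\s*(?P<val>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a client after the WRT was moved to 192.168.137.2.
SAMPLE_OK = """\
Wireless LAN adapter Wireless Network Connection 2:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.137.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::955e:5b9:b42c:197b%16
                                       192.168.137.1
   DHCP Server . . . . . . . . . . . : 192.168.137.1
"""
# Constructed sample: the WRT's own DHCP server (192.168.1.1) is still answering.
SAMPLE_STALE = SAMPLE_OK.replace("192.168.137.", "192.168.1.")

def parse_adapters(text):
    """Return {adapter name: {field: [IPv4 strings]}} from `ipconfig /all` text."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip(": "), {})
            key = None
        elif current is not None and (m := FIELD.match(line)):
            key = m["key"].strip()
            current[key] = IPV4.findall(m["val"])
        elif current is not None and key and line.strip():
            current[key] += IPV4.findall(line)  # wrapped value, e.g. second gateway
    return adapters

def check_ics_client(text):
    """List findings for adapters whose IPv4 settings do not match the ICS layout."""
    findings = []
    for name, f in parse_adapters(text).items():
        addrs = [ipaddress.ip_address(a) for a in f.get("IPv4 Address", [])]
        if not addrs:
            continue  # disconnected adapter or tunnel: nothing to check
        if any(a not in ICS_NET for a in addrs):
            findings.append(f"{name}: address outside {ICS_NET}")
        for field in ("Default Gateway", "DHCP Server"):
            if str(ICS_HOST) not in f.get(field, []):
                findings.append(f"{name}: {field} is not {ICS_HOST}")
    return findings
```

A non-empty result with the DHCP Server finding usually means the router's DHCP server was not disabled and is still handing out leases.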
