Ms Pat

?who is my "patch vendor"  Tried to install, new update and was unable.
I have Adobe Reader X(10.1.8) 117.00
AND    Adobe reader X(10.1.8) installed 9-22-2013

http://labs.adobe.com/downloads/acrobatcleaner.html  <---Use that to remove Reader
http://get.adobe.com/reader/enterprise/ <---Use a download from there to reinstall

Similar Messages

  • Update on BIOS & MEMORY problems? also DOT, PAT, settings...

    Okie dokie, I'm new here, and I've been pouring through threads for the past 2-3 hours and doing searches, so please excuse these questions if they seem to have already been answered, but I would like to just ask a few (hopefully susinct) questions to get the quickest and most direct answers possible...
    I just bought the 865pe-LS board, p-4 2.6ghz 800FSB HT CPU, and value-select Corsair PC3200 512MB dual-channel kit, and it has become apparent that there is or has been a HUGE problem with this board accepting corsiar memory.  ARGH   or should is say DOH for not checking into all of this BEFOREHAND!  
    But it seems that several bios versions have come out since the majority of those threads I have been reading about back in august.  Sooo, can anyone tell me if the current version, 1.9 bios, has fixed these incompatibilities with the corsairs memory sticks?  I realize that most people are going the LL version routes for the memory, and I have opted for the value-select versions...but it still seems to be a possible dilemma.  I am wondering if it is worth it to try to pay the 15% restock fee or sell it on ebay (hopefully for about what I paid) and go get the same stuff in kingston memory instead, since these seem to be much more compatible?  Or has this problem been fixed with newer bios versions?
    Another important factor to consider, I think, is that I may not be THAT interested in overclocking much of anything, but perhaps just wishing to use the fast or turbo modes, probably not ultra-turbo since i would need the XMS or hyper-X versions to even try this.  If the bios is now accepting corsair, I am trying to figure out, short of "experimenting" since i have not gotten all of my components in yet, if its even possible or recommended to overclock or use the fast/turbo mode with the cas-3 value select dual-channel setup I will be using...any clues?  
    Lastly, which may have been already answered by now, is it best to use the PAT or DOT settings or opt for manual setting for any sort of higher-performance setup, considering my specs for my soon-to-be new computer?  Or does it really make THAT much difference?  Im not into squeezing out every nano-second of speed, but if a little tweaking would make a BIG difference and wouldnt require me spending MANY hours or days to do so, then I'm all for it.  I'm practically a noob at this stuff, only really educating myself in any depth about all this stuff tonight (going off of what outhers have recommended in making these purchases)...thanks for the understanding and the help in advance!  
    *looking for any help*  
      is how i feel, haha...*sigh*

    There doesn't seem to be any particular Ram type that is working for everybody. Also, many people that are experiencing problems are trying to overclock(some to extremes). You don't seem very interested in that aspect. For the Ram, you really just have to put it in and see what happens.
    If you haven't already, read the FAQ HERE for the Neo/Neo2 boards. Particularly #5 which will help you setup the SATA/IDE devices in the Bios. Use Native mode for Windows XP.
    Things I would set in the Bios right out of the box:
    (Some of these might already be set by default)
    Boot device select- Order that you want to boot from particular devices. Might have to set "On-chip IDE Config" items first and re-boot to see all your devices here.
    HT-On
    MPS revision-1.4
    APIC ACPI....- Enabled
    Dram Timing- By SPD
    Integrated Peripherals is fairly intuitive except the "On-chip IDE config" see FAQ page.
    DOT- disabled for now
    MAT- slow to start
    DRAM freq- 400
    CPU Bus- 201(seems strange but do it; try a search here for "201" and you'll know why)
    DDR voltage- 2.7v (like reilly said)
    If this works OK(try something that stresses it) you can try raising the MAT to fast. After you're happy that this is stable, you can try turbo if you want but I'm not sure with the value Ram. Once you settle on this, try playing with the DOT features. I think General is the equivalent of a 10% increase on the system. Once you've found a setting you like here, you should leave it for a while and just enjoy your new compputer!
    If you get bored, you can always go in and disable the DOT and manually raise FSB for more fun.
    Things you should read up on before you do any overclocking:
    Clearing CMOS
    5:4 FSB/MEM ratio
    Have fun!

  • Cisco asa 5505 issues ( ROUTING AND PAT)

    I have some issues with my cisco asa 5505 config. Please see details below:
    NETWORK SETUP:
    gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 )  -
    ISSUES:
    1)
    no route from DMZ to outside
    example:
    ping from 172.16.3201 to the gateway
    6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
    2)
    not working access from external to DMZ AT ALL
    ASA DETAILS:
    cisco asa5505
    Device license          Base
    Maximum Physical Interfaces          8          perpetual
    VLANs          3      DMZ Restricted
    Inside Hosts          Unlimited          perpetual
    configuration:
    firewall200(config)# show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd XXXXXXXXXXX encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network office1-int
    host 172.16.2.1
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any object web2-ext eq www
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500 
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
    route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 172.16.2.10-172.16.2.10 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
    : end

    Thank you one more time for everthing. It is workingin indeed
    Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
    show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
    access-list outside_access_in extended permit tcp any object web2-int eq www
    access-list outside_access_in extended permit tcp any object web2-int eq ssh
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any DMZ
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext net-to-net
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.16.3.253 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
    : end

  • Cisco ASA 5505 Simple PAT

    Good morning you clever bunch,
    Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
    Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
    packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside,outside) source static server publicIP service RDP RDP
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
    I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help ios greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about trie everything.
    Many thanks,
    Sam - below is my running config
    ASA Version 8.4(4)1
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.240.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 80.*.*.203 255.255.255.248
    ftp mode passive
    object network server
    host 10.240.0.10
    object network publicIP
    host 80.*.*.37
    object service RDP
    service tcp source eq 3389
    access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server publicIP service RDP RDP
    access-group ouside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
    : end

    Hi Jennifer,
    No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
    You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
    Many thanks.
    Sam

  • RDP from inside to outside using PAT?

    I have several client machines( inside) that needs to have an RDP access to one server(outside) reside on customer site. The challenge is that the clinet machines can be anywhere/any subnet at any given time and will have different IP address from DHCP.Because of this i can't use the static NAT.  Also, I only need RDP access from my network to the customer server only. So will it work if i use PAT? Thanks for the help in advance

    Hello Sandeep,
    In my opinion there shouldnt be any issue since you are Natiing the RDP clients to a single IP. As long as we have static nat and permission at the destination ( Server Side) it should work
    Hope it helps
    Harish.

  • ASA 5525X - Multiple outside addresses PAT to one inside address

    Hi
    I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
    Object NAT is configured as follows:
    object network Obj-192.168.1.20-1
    nat (dmz,outside) static Obj-External-1 service tcp https https
    object network Onj-192.168.1.20-2
    nat (dmz,outside) static Obj-External-2 service tcp 2000 https
    Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
    The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
    Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
    Can anyone help?
    Thanks
    Paul

    Thanks Jouni
    Output below:
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    object network Obj-192.168.20-2
    nat (dmz,outside) static Obj-External-2 service tcp 2000 https
    Additional Information:
    NAT divert to egress interface dmz
    Untranslate 194.168.208.72/443 to 192.168.1.20/2000
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq 2000
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: inspect-skinny
    Result: ALLOW
    Config:      
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect skinny 
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: IDS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT    
    Subtype: rpf-check
    Result: ALLOW
    Config:
    object network Obj-192.168.1.20-2
    nat (dmz,outside) static Obj-External-2 service tcp 2000 https
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 7479639, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmz
    output-status: up
    output-line-status: up
    Action: allow

  • Cisco ASA 5505 and PAT

    So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
    Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
    Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
    A

    Hello ras,
    As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
    Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
    http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
    Hope this information is helpful.

  • PAT with a single public IP and several servers behind firewall

    Hi,
    New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
    Single static public IP:  16.2.3.4
    Need to PAT several ports to three separate servers behind firewall
    One server houses email, pptp server, ftp server and web services: 10.1.20.91
    One server houses drac management (port 445): 10.1.20.92
    One server is the IP phone server using a range of ports: 10.1.20.156
    Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
    Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
    ASA Version 8.4(4)1
    hostname kaa-pix
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 16.2.3.4 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network server_smtp
    host 10.1.20.91
    object service Port_25
    service tcp source eq smtp
    object service Port_3389
    service tcp source eq 3389
    object service Port_1723
    service tcp source eq pptp
    object service Port_21
    service tcp source eq ftp
    object service Port_443
    service tcp source eq https
    object service Port_444
    service tcp source eq 444
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit icmp any any echo-reply
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any interface outside eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq smtp
    access-list acl-out extended permit tcp any object server_smtp eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq 3389
    access-list acl-out extended permit tcp any object server_smtp eq ftp
    access-list acl-out extended permit tcp any object server_smtp eq https
    access-list acl-out extended permit tcp any object server_smtp eq 444
    access-list acl-out extended permit tcp any object drac eq 445
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server_smtp interface service Port_25 Port_25
    nat (inside,outside) source static server_smtp interface service Port_3389 Port_
    3389
    nat (inside,outside) source static server_smtp interface service Port_1723 Port_
    1723
    nat (inside,outside) source static server_smtp interface service Port_21 Port_21
    nat (inside,outside) source static server_smtp interface service Port_443 Port_4
    43
    nat (inside,outside) source static server_smtp interface service Port_444 Port_4
    44
    nat (inside,outside) source static drac interface service Port_445 Port_445
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous

    Thanks Lcambron...I got PPTP to work.  Everything else works fine.  I can access email, access my web server, FTP server, and PPTP server.  However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445.  So I have th following lines:
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit tcp any object drac eq 445
    nat (inside,outside) source static drac interface service Port_445 Port_445
    Am I missing something here?  Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening.  However, externally, i cannot telnet to my external ip address of the ASA through port 445. 
    Thanks

  • Pat is not working on my asa

    Hi there. 
    I just trying to do PAT with gns3. but not working and i don't have any idea.
    (Cisco Adaptive Security Appliance Software Version 8.4(2))
    and also i figure out that there are some changes in nat configuration. i did but didn't work. 
    I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8 
    i turn debug in R1 and i can see the icmp. 
    R1#
    *Mar  1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    *Mar  1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    And also can see xlate on ASA
    ASA-1# sh xlate
    1 in use, 9 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
    ASA-1#
    This is my topology. 
    [ASA1]
    ASA-1# sh run ip
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    ASA-1# sh run object network
    object network obj-192.168.100.0
     subnet 0.0.0.0 0.0.0.0
    ASA-1# conf t
    ASA-1(config)# ob
    ASA-1(config)# object net
    ASA-1(config)# object network obj-192.168.100.0
    ASA-1(config-network-object)# nat (in
    ASA-1(config-network-object)# nat (inside,ou
    ASA-1(config-network-object)# nat (inside,outside) dy
    ASA-1(config-network-object)# nat (inside,outside) dynamic inter
    ASA-1(config-network-object)# nat (inside,outside) dynamic interface
    ASA-1(config-network-object)# end
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.100.254 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.10.20.1
    [HOST]
    ip address 192.168.100.116/24
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 1.1.12.1 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    what am i mssing ?
    please corret me. 
    Thank you in advance. 

    just reload... .. i'm still stuck in the ping. 
    changed topology more simple. but still not working. 
    Here is all what i did. 
    [ASA]
    access-list ICMP extended permit icmp any any echo-reply
    access-list ICMP extended permit icmp any any time-exceeded
    access-group ICMP in interface outside
    interface GigabitEthernet0
     description To_UP
     nameif outside
     security-level 0
     ip address 10.10.10.2 255.255.255.0
    interface GigabitEthernet1
     description To_DOWN
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.1 255.255.255.0
    ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.2 255.255.255.0
    ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
    [outout tracer]
    ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.10.10.0      255.255.255.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP <---??????????????????????????
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ciscoasa#
    [ASA]
    ciscoasa# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ICMP; 2 elements; name hash: 0x2d2cf426
    access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
    access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
    ciscoasa#
    I created acl and permit it
    Thank you. 

  • I had a power mac g4 into which i put 3, 320 gb PATA hard drives in a raid slice config so that it worked as one drive needless to sat that i lost the g4 to a surge but the drives are good. now i have an imac, how can i recover the info off those drives

    i had a power mac g4 into which i put 3, 320 gb PATA hard drives in a raid slice config so that it worked as one drive needless to sat that i lost the g4 to a surge but the drives are good. now i have an imac, how can i recover the info off those drives. can i put the drives in external cases and plug them all in, will the imac see them as a raid slice then  help please

    Before you have another accident:
    Buy a UPS of good quality and sufficient to your needs.
    I would have to assume that the drives were connected to a PCI PATA card, hopefully. Otherwise, well RAID and having drives on the same bus (master and slave).
    And no backup, none at all...
    Get your hands on a G4.
    Data Rescue 3 from Prosoft maybe.
    If they were SATA and running on PCI SATA controller, very popular and common really in G4s, more options would be open.

  • ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

    Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.
    Essentially, I have a block of 5 static public IP's.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate if anyone could help shed some light as to why this is happening for me.  I always thought a static nat should take precidence in the order of things.
    Recap:
    IP 1 -- 10.10.10.78 is assigned to outside interface.  Dynamic PAT for all network objects to use this address when going out.
    IP 2 -- 10.10.10.74 is assgned through static nat to email server.  Email server should respond to and send out using this IP address.
    Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
    Thanks in advance for anyone that reads this and can lend a hand.
    - Justin
    Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
    ASA Version 8.4(3)
    hostname MYHOSTNAME
    domain-name MYDOMAIN.COM
    enable password msTsgJ6BvY68//T7 encrypted
    passwd msTsgJ6BvY68//T7 encrypted
    names
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 10.10.10.78 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name MYDOMAIN.COM
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
    access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
    access-list outside_access_in extended deny icmp any any
    access-list outside_access_in extended permit tcp any object Email eq smtp
    access-list outside_access_in extended permit tcp any object Webmail eq www
    access-list outside_access_in extended permit tcp any object WebmailSecure eq https
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    access-group outside_access_in in interface outside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server MYDOMAIN protocol kerberos
    aaa-server MYDOMAIN (inside) host 192.168.2.8
    kerberos-realm MYDOMAIN.COM
    aaa-server MYDOMAIN (inside) host 192.168.2.9
    kerberos-realm MYDOMAIN.COM
    aaa-server MY-LDAP protocol ldap
    aaa-server MY-LDAP (inside) host 192.168.2.8
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    aaa-server MY-LDAP (inside) host 192.168.2.9
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.2.0 255.255.255.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=MYHOSTNAME
    ip-address 10.10.10.78
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate e633854f
        30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
        0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
        355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
        aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
        f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
        0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
        78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
        03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
        0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
        0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
        02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
        d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
        e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
        5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
        781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 20
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.2.8 source inside prefer
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2 ssl-client
    group-lock value VPN
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    group-policy GroupPolicy-VPN-LAPTOP internal
    group-policy GroupPolicy-VPN-LAPTOP attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2
    group-lock value VPN-LAPTOP
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group MYDOMAIN
    default-group-policy GroupPolicy_VPN
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN-LAPTOP type remote-access
    tunnel-group VPN-LAPTOP general-attributes
    authentication-server-group MY-LDAP
    default-group-policy GroupPolicy-VPN-LAPTOP
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN-LAPTOP webvpn-attributes
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

    Hi ,
    As per you config :
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
      Are you saying that this is not happening ?
    Dan

  • Can I send an e-mail to a specific person in Communities?  Want to thank them for their answer to a question that I didn't ask.  Just wanted to give him/her feedback that their info was very helpful.  Just a pat on the back to perhaps brighten their day.

    Can I send an e-mail to a specific person in Communities?  Want to thank them for their answer to a question that I didn't ask.  Just wanted to give him/her feedback that their info was very helpful.  Just a pat on the back to perhaps brighten their day.

    If you click on the person's name, you go to the public profile they have posted.  If there is an email address given you can email directly.  If not, you cannot email the person directly.
    You could post a reply to the persons reply on the communities to note their help.

  • I updated my firefox, and my web mailer is no longer in the bottom right hand corner. Where did it go and how do I get it back?? Thanks, Pat

    Not much more to say. Went to check my e-mail, and the icon was gone at the bottom. I would really like it back so I can see how many e-mails I have and get alerted to new ones coming in. Thanks, Pat aka paw4him

    * "Bookmarks > Organize Bookmarks" has been renamed to "Show All Bookmarks" in Firefox 4.
    * Click the orange Firefox button to open the Firefox menu and click the Bookmarks entry or click "Show All Bookmarks" to open the Library.
    * [/kb/how-do-i-use-bookmarks]

  • NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

    Hello fellow engineers!
    I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
    Scenario description:
    2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
    Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
    VLAN 11 -> 10.0.1.x
    VLAN 12 -> 10.0.2.x
    VLAN 13 -> 10.0.3.x
    VLAN 71 -> 192.168.17.x
    VLAN 204 -> 172.16.204.x
    and – last but not least ! – VLAN 10 -> 10.0.0.x
    All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
    Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
    What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
    Could pls someone spot what I’m missing !!
    To help you I also attach the router config and some command outputs…
    All help is appreciated.
    Thanx
    Costas

    That last PBR statement
    (route-map 10.0.0.X_hosts_PBR permit 70
     description *** rest of 10.0.0.x net --> Oxygen ***
     match ip address rest_of_10.0.0.x
     set ip next-hop 212.251.64.153)
    was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
    (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
      Match clauses:
        ip address (access-lists): rest_of_10.0.0.x
      Set clauses:
        ip next-hop 212.251.64.153
      Policy routing matches: 0 packets, 0 bytes)

  • Static PAT entry blocking Branch site from accessing resource on same port. How to get around this?

    Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.
    There is a server on the main site they are trying to access (lets say IP is 192.168.1.252) and they need to access this server on ports 13000, 14000, and 15000.
    Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static pat entries are in the server (Lets say 99.99.99.99 is the WAN IP):
    ip nat inside source static tcp 192.168.1.252 13000 99.99.99.99 13000 extendable
    ip nat inside source static tcp 192.168.1.252 14000 99.99.99.99 14000 extendable
    ip nat inside source static tcp 192.168.1.252 15000 99.99.99.99 15000 extendable
    The users in the branch site that is connected via VPN can reach this server on all TCP ports(RDP, http, etc) so that's not the issue. When I remove these nat statements, the VPN users can access the resource via that port (I.e telnet 192.168.1.252 13000 ) whereas they are shut down and connection fails if the static pat entries are in there.
    I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN goin to 192.168.1.252:13000 or coming in from the internet on 99.99.99.99:13000
    Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior, I'd just like a better understanding of it.
    Any help on this would be GREATLY appreciated! Thank you

    I hope I explained this properly. If not, please let me know!
    Thanks

  • NAT/PAT Two private IP's to one Real on the same port.

    Hello all.
    I have the following situation. A colleagues installed a spam block (Norton something) and he put two ip's on itsinterfaces. 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail but both on port 25. They use a sinlge real IP 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
    I am pretty sure this cannot happen but i got some advice to NAT the outgoing IP/Port and then PAT the incoming port to both IP's and it will work. I tried to do it with no success. I know that  ASA 8.4 changes everything in NAT/PAT but is there any way with the newer OS my setup can work or not???
    Thanks very much in advance for your help.

    ASA 8.4:
    receive mail:
    nat (inside,outside) source static obj-192.68.2.20 obj-175.75.67.32 service src25 src25
    send mail:
    nat (inside,outside) source dynamic obj-192.68.2.21 obj-175.75.67.32 service dst25 dst25

Maybe you are looking for

  • Itunes will not open and I have tried fixing it!!

    i double click on the icon and it comes up with this The itunes application could not be opnened. An unknown error occured (0x666D743F) Thanks

  • How add a radio station to atv3?

    attempting to add new radio station to ATV3 using the iTunes playlist method described in hundreds of forum entries about ATV1 and ATV2. radio station plays fine in itunes;  however, ATV3 sees playlist in Computer>Music>Playlist section but says "The

  • Change tables order

    Hi I'm trying to do a java application, using unmanaged ras, which change tables order. I tried 2 methods but the two of them seems to have a bug. In the first one I tried to move one table to the end and when i displayed the tabels looked just fine

  • Help on CATS

    Hello guys, I know this is probably not the right place to post questions like this, but I really have no idea where CATS belongs to, so... Anyway, I have little experinece using SAP and knows absolutely nothing about CATS besides what it stands for,

  • Adding a Module in SPRO

    Hi All, I am working on a custom built module for a customer. I would like to know how to enhance the SPRO tree, to add an additional Module node to the main tree and its corresponding transactions below it? Regards, Madhur