Ms Pat
?who is my "patch vendor" Tried to install, new update and was unable.
I have Adobe Reader X(10.1.8) 117.00
AND Adobe reader X(10.1.8) installed 9-22-2013
http://labs.adobe.com/downloads/acrobatcleaner.html <---Use that to remove Reader
http://get.adobe.com/reader/enterprise/ <---Use a download from there to reinstall
Similar Messages
-
Update on BIOS & MEMORY problems? also DOT, PAT, settings...
Okie dokie, I'm new here, and I've been pouring through threads for the past 2-3 hours and doing searches, so please excuse these questions if they seem to have already been answered, but I would like to just ask a few (hopefully susinct) questions to get the quickest and most direct answers possible...
I just bought the 865pe-LS board, p-4 2.6ghz 800FSB HT CPU, and value-select Corsair PC3200 512MB dual-channel kit, and it has become apparent that there is or has been a HUGE problem with this board accepting corsiar memory. ARGH or should is say DOH for not checking into all of this BEFOREHAND!
But it seems that several bios versions have come out since the majority of those threads I have been reading about back in august. Sooo, can anyone tell me if the current version, 1.9 bios, has fixed these incompatibilities with the corsairs memory sticks? I realize that most people are going the LL version routes for the memory, and I have opted for the value-select versions...but it still seems to be a possible dilemma. I am wondering if it is worth it to try to pay the 15% restock fee or sell it on ebay (hopefully for about what I paid) and go get the same stuff in kingston memory instead, since these seem to be much more compatible? Or has this problem been fixed with newer bios versions?
Another important factor to consider, I think, is that I may not be THAT interested in overclocking much of anything, but perhaps just wishing to use the fast or turbo modes, probably not ultra-turbo since i would need the XMS or hyper-X versions to even try this. If the bios is now accepting corsair, I am trying to figure out, short of "experimenting" since i have not gotten all of my components in yet, if its even possible or recommended to overclock or use the fast/turbo mode with the cas-3 value select dual-channel setup I will be using...any clues?
Lastly, which may have been already answered by now, is it best to use the PAT or DOT settings or opt for manual setting for any sort of higher-performance setup, considering my specs for my soon-to-be new computer? Or does it really make THAT much difference? Im not into squeezing out every nano-second of speed, but if a little tweaking would make a BIG difference and wouldnt require me spending MANY hours or days to do so, then I'm all for it. I'm practically a noob at this stuff, only really educating myself in any depth about all this stuff tonight (going off of what outhers have recommended in making these purchases)...thanks for the understanding and the help in advance!
*looking for any help*
is how i feel, haha...*sigh*There doesn't seem to be any particular Ram type that is working for everybody. Also, many people that are experiencing problems are trying to overclock(some to extremes). You don't seem very interested in that aspect. For the Ram, you really just have to put it in and see what happens.
If you haven't already, read the FAQ HERE for the Neo/Neo2 boards. Particularly #5 which will help you setup the SATA/IDE devices in the Bios. Use Native mode for Windows XP.
Things I would set in the Bios right out of the box:
(Some of these might already be set by default)
Boot device select- Order that you want to boot from particular devices. Might have to set "On-chip IDE Config" items first and re-boot to see all your devices here.
HT-On
MPS revision-1.4
APIC ACPI....- Enabled
Dram Timing- By SPD
Integrated Peripherals is fairly intuitive except the "On-chip IDE config" see FAQ page.
DOT- disabled for now
MAT- slow to start
DRAM freq- 400
CPU Bus- 201(seems strange but do it; try a search here for "201" and you'll know why)
DDR voltage- 2.7v (like reilly said)
If this works OK(try something that stresses it) you can try raising the MAT to fast. After you're happy that this is stable, you can try turbo if you want but I'm not sure with the value Ram. Once you settle on this, try playing with the DOT features. I think General is the equivalent of a 10% increase on the system. Once you've found a setting you like here, you should leave it for a while and just enjoy your new compputer!
If you get bored, you can always go in and disable the DOT and manually raise FSB for more fun.
Things you should read up on before you do any overclocking:
Clearing CMOS
5:4 FSB/MEM ratio
Have fun! -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Good morning you clever bunch,
Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static server publicIP service RDP RDP
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help ios greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about trie everything.
Many thanks,
Sam - below is my running config
ASA Version 8.4(4)1
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.*.*.203 255.255.255.248
ftp mode passive
object network server
host 10.240.0.10
object network publicIP
host 80.*.*.37
object service RDP
service tcp source eq 3389
access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server publicIP service RDP RDP
access-group ouside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
: endHi Jennifer,
No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
Many thanks.
Sam -
RDP from inside to outside using PAT?
I have several client machines( inside) that needs to have an RDP access to one server(outside) reside on customer site. The challenge is that the clinet machines can be anywhere/any subnet at any given time and will have different IP address from DHCP.Because of this i can't use the static NAT. Also, I only need RDP access from my network to the customer server only. So will it work if i use PAT? Thanks for the help in advance
Hello Sandeep,
In my opinion there shouldnt be any issue since you are Natiing the RDP clients to a single IP. As long as we have static nat and permission at the destination ( Server Side) it should work
Hope it helps
Harish. -
ASA 5525X - Multiple outside addresses PAT to one inside address
Hi
I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
Object NAT is configured as follows:
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Onj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
Can anyone help?
Thanks
PaulThanks Jouni
Output below:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Obj-192.168.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
NAT divert to egress interface dmz
Untranslate 194.168.208.72/443 to 192.168.1.20/2000
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq 2000
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect skinny
service-policy global_policy global
Additional Information:
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7479639, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow -
So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
AHello ras,
As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
Hope this information is helpful. -
PAT with a single public IP and several servers behind firewall
Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
hostname kaa-pix
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_
3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_
1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_4
43
nat (inside,outside) source static server_smtp interface service Port_444 Port_4
44
nat (inside,outside) source static drac interface service Port_445 Port_445
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymousThanks Lcambron...I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445. So I have th following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, i cannot telnet to my external ip address of the ASA through port 445.
Thanks -
Hi there.
I just trying to do PAT with gns3. but not working and i don't have any idea.
(Cisco Adaptive Security Appliance Software Version 8.4(2))
and also i figure out that there are some changes in nat configuration. i did but didn't work.
I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8
i turn debug in R1 and i can see the icmp.
R1#
*Mar 1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar 1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
And also can see xlate on ASA
ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#
This is my topology.
[ASA1]
ASA-1# sh run ip
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
ASA-1# sh run object network
object network obj-192.168.100.0
subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end
[R4]
interface FastEthernet0/0
ip address 10.10.20.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.100.254 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1
[HOST]
ip address 192.168.100.116/24
[R1]
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.1.12.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
what am i mssing ?
please corret me.
Thank you in advance.just reload... .. i'm still stuck in the ping.
changed topology more simple. but still not working.
Here is all what i did.
[ASA]
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-group ICMP in interface outside
interface GigabitEthernet0
description To_UP
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1
description To_DOWN
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
[R1]
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
[R4]
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
[outout tracer]
ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
[ASA]
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#
I created acl and permit it
Thank you. -
i had a power mac g4 into which i put 3, 320 gb PATA hard drives in a raid slice config so that it worked as one drive needless to sat that i lost the g4 to a surge but the drives are good. now i have an imac, how can i recover the info off those drives. can i put the drives in external cases and plug them all in, will the imac see them as a raid slice then help please
Before you have another accident:
Buy a UPS of good quality and sufficient to your needs.
I would have to assume that the drives were connected to a PCI PATA card, hopefully. Otherwise, well RAID and having drives on the same bus (master and slave).
And no backup, none at all...
Get your hands on a G4.
Data Rescue 3 from Prosoft maybe.
If they were SATA and running on PCI SATA controller, very popular and common really in G4s, more options would be open. -
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3fHi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan -
Can I send an e-mail to a specific person in Communities? Want to thank them for their answer to a question that I didn't ask. Just wanted to give him/her feedback that their info was very helpful. Just a pat on the back to perhaps brighten their day.
If you click on the person's name, you go to the public profile they have posted. If there is an email address given you can email directly. If not, you cannot email the person directly.
You could post a reply to the persons reply on the communities to note their help. -
Not much more to say. Went to check my e-mail, and the icon was gone at the bottom. I would really like it back so I can see how many e-mails I have and get alerted to new ones coming in. Thanks, Pat aka paw4him
* "Bookmarks > Organize Bookmarks" has been renamed to "Show All Bookmarks" in Firefox 4.
* Click the orange Firefox button to open the Firefox menu and click the Bookmarks entry or click "Show All Bookmarks" to open the Library.
* [/kb/how-do-i-use-bookmarks] -
Hello fellow engineers!
I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
Scenario description:
2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented). The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link. These two are terminated on the switch on intf’s at the appropriate VLAN’s. At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks. The aDSL and Metro links have an 8-IP public set, each.
Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used. VLAN/subnet (all /24) pairs are:
VLAN 11 -> 10.0.1.x
VLAN 12 -> 10.0.2.x
VLAN 13 -> 10.0.3.x
VLAN 71 -> 192.168.17.x
VLAN 204 -> 172.16.204.x
and – last but not least ! – VLAN 10 -> 10.0.0.x
All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected. So does the PAT for hosts of all other VLAN’s (11, 12, 13, …). The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests ! Nothing else ! To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
Could pls someone spot what I’m missing !!
To help you I also attach the router config and some command outputs…
All help is appreciated.
Thanx
CostasThat last PBR statement
(route-map 10.0.0.X_hosts_PBR permit 70
description *** rest of 10.0.0.x net --> Oxygen ***
match ip address rest_of_10.0.0.x
set ip next-hop 212.251.64.153)
was not there in the first place - I got it there assuming it would help but it didn't. Actually - as mentioned - it does not get any hits !
(route-map 10.0.0.X_hosts_PBR, permit, sequence 255
Match clauses:
ip address (access-lists): rest_of_10.0.0.x
Set clauses:
ip next-hop 212.251.64.153
Policy routing matches: 0 packets, 0 bytes) -
Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.
There is a server on the main site they are trying to access (lets say IP is 192.168.1.252) and they need to access this server on ports 13000, 14000, and 15000.
Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static pat entries are in the server (Lets say 99.99.99.99 is the WAN IP):
ip nat inside source static tcp 192.168.1.252 13000 99.99.99.99 13000 extendable
ip nat inside source static tcp 192.168.1.252 14000 99.99.99.99 14000 extendable
ip nat inside source static tcp 192.168.1.252 15000 99.99.99.99 15000 extendable
The users in the branch site that is connected via VPN can reach this server on all TCP ports(RDP, http, etc) so that's not the issue. When I remove these nat statements, the VPN users can access the resource via that port (I.e telnet 192.168.1.252 13000 ) whereas they are shut down and connection fails if the static pat entries are in there.
I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN goin to 192.168.1.252:13000 or coming in from the internet on 99.99.99.99:13000
Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior, I'd just like a better understanding of it.
Any help on this would be GREATLY appreciated! Thank youI hope I explained this properly. If not, please let me know!
Thanks -
NAT/PAT Two private IP's to one Real on the same port.
Hello all.
I have the following situation. A colleagues installed a spam block (Norton something) and he put two ip's on itsinterfaces. 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail but both on port 25. They use a sinlge real IP 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
I am pretty sure this cannot happen but i got some advice to NAT the outgoing IP/Port and then PAT the incoming port to both IP's and it will work. I tried to do it with no success. I know that ASA 8.4 changes everything in NAT/PAT but is there any way with the newer OS my setup can work or not???
Thanks very much in advance for your help.ASA 8.4:
receive mail:
nat (inside,outside) source static obj-192.68.2.20 obj-175.75.67.32 service src25 src25
send mail:
nat (inside,outside) source dynamic obj-192.68.2.21 obj-175.75.67.32 service dst25 dst25
Maybe you are looking for
-
Itunes will not open and I have tried fixing it!!
i double click on the icon and it comes up with this The itunes application could not be opnened. An unknown error occured (0x666D743F) Thanks
-
How add a radio station to atv3?
attempting to add new radio station to ATV3 using the iTunes playlist method described in hundreds of forum entries about ATV1 and ATV2. radio station plays fine in itunes; however, ATV3 sees playlist in Computer>Music>Playlist section but says "The
-
Hi I'm trying to do a java application, using unmanaged ras, which change tables order. I tried 2 methods but the two of them seems to have a bug. In the first one I tried to move one table to the end and when i displayed the tabels looked just fine
-
Hello guys, I know this is probably not the right place to post questions like this, but I really have no idea where CATS belongs to, so... Anyway, I have little experinece using SAP and knows absolutely nothing about CATS besides what it stands for,
-
Hi All, I am working on a custom built module for a customer. I would like to know how to enhance the SPRO tree, to add an additional Module node to the main tree and its corresponding transactions below it? Regards, Madhur