Multiple Internal IP in PIX 525 v7.2 unable to access from HQ
Hi Guys,
I got a problem where my HQ(private IP)unable to ping and access server with ip 10.45.x.42 reside at my branch.Both HQ and my Branch using private IP.My LAN using 2 IP Range.
LAN FW Exinda Router
10.45.x.0/19(old range)----->10.36.x.12----> 10.39.x.3 ----> 10.39.x.1----->Internet
10.36.x.0/16(New range)
Previously im using both IP Range in my network-object and i ask our provider to ping to my LAN but no reply.
Now the problem is from the HQ/provider cant ping to 10.45.x.0/19 it stuck at pix.
When i use packet-tracer i got this result.Seem it stuck at Nat.
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list net36
nat-control
match ip inside 10.45.x.0 255.255.224.0 Net any
dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
translate_hits = 3185, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.45.x.0, mask=255.255.224.0, port=0
Here is my config of network-object
object-group network NET_CLIENT
network-object 10.36.x.0 255.255.0.0
network-object 10.45.x.0 255.255.224.0
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
access-list net36 extended permit ip object-group NET_CLIENT any
access-list net36 extended permit tcp object-group NET_CLIENT any
access-list net36 extended permit udp object-group NET_CLIENT any
access-list net36 extended permit icmp object-group NET_CLIENT any
I really appreciate your help and advice
Hi Jouni,
I cant do the packet-tracer as the PIX already bypass by my superior.
As based on my config.How should I allowed ip 10.45.x.0 pingable from the outside interface eg my HQ.As this config was written, the Log show its has no translation group towards the dst 10.45.x.0/19
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
*Base on my config.Even allowing all for in and out i still stuck with the "No translation group".Can you guide my how to use the network-object with the acl so that outside can access server inside so that it will not stuck on Nat portion.
===============
PIX Version 7.2(1)
hostname SD
names
dns-guard
interface Ethernet0
nameif Net
security-level 0
ip address 10.39.x.x 255.255.255.128
interface Ethernet1
nameif inside
security-level 100
ip address 10.36.x.x 255.255.255.248
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.36.x.17
logging ftp-bufferwrap
mtu Net 1500
mtu inside 1500
ip verify reverse-path interface Net
ip verify reverse-path interface inside
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group permit-all in interface Net
access-group permit-all in interface inside
route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.36.x.142 255.255.255.255 inside
snmp-server location level 2
snmp-server contact Network
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.36.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
Similar Messages
-
Cisco Pix 525 VPN - iPhone/iPad won't connect
hi,
i have one of the most basic configurations on a PIX 525 with remote access enabled. i am able to connect from a desktop machine running the cisco vpn client but for some reason i cant get my iphone or ipad to connect to my vpn. i get the error message stating 'the server did not respond'.
i am running ios 8.0.4 and i have a 3DES license which is required from what i understand.
im starting to think that this really is in the configuration. could it be the transform set specification?
can some one shed some light on this subject?
below is close to the current configuration, but its not exact, some things in it were corrected, so ignore them. it is the best i have, since i am away for the holiday. it should give insight into any areas that might be part of the problem.
thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
PIX Version 8.0(4)
hostname thcvpn01
domain-name somewhere.net
enable password* encrypted
passwd * encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObje
ct
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.2
55.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 288
00
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4
608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#
thcvpn01(config)#
thcvpn01(config)#
jeffhi,
as a primary note, the people at apple's genius bar are not genious. they do not know that the following, so if you found your way here. awesome.
the correct answer is that the iphone and ipad only supports aes. you have to modify the crypto map to use aes as well as modify the isakmp service to use aes. i believe it supports all aes options, aes, aes 192 and aes 256.
in all of the frustration, do not, as i did, forget that your username is case sensitive.
jeff -
Collect data from a dynamic XML file into multiple internal tables
I need to convert the XML file into multiple internal tables. I tried many links and posts in SDN but still was facing difficulty in achieving this. Can some one tell me where I am going wrong.
My XML file is of the following type.It is very complex and the dynamice.
The following tags occur more than once in the XML file. The "I" and "L" tags and its child tags can occur ones or more than once for each XML file and it is not constant. i.e in one file they can occur 1 time and in another they can occur 100 times.
"I" and "L" are child tags of <C>
<I>
<J>10</J>
<K>EN</K>
</I>
<L>
<J>20</J>
<N>BB</N>
</L>
Tags <C> and <F> occur only ones for each XML file. <C> is the child tag of "A" and "F" is the child tag of <C>.
I need to collect <D>, <E> in one internal table ITAB.
I need to collect <G>, <H> in one internal table JTAB.
I need to collect <J>, <K> in one internal table KTAB.
I need to collect <J>, <N> in one internal table PTAB.
Below is the complete XML file.
?xml version="1.0" encoding="iso-8859-1" ?>
<A>
<B/>
<C>
<D>RED</D>
<E>999</E>
<F>
<G>TRACK</G>
<H>PACK</H>
</F>
<I>
<J>10</J>
<K>EN</K>
</I>
<I>
<J>20</J>
<K>TN</K>
</I>
<I>
<J>30</J>
<K>KN</K>
</I>
<L>
<J>10</J>
<N>AA</N>
</L>
<L>
<J>20</J>
<N>BB</N>
</L>
<L>
<J>30</J>
<N>CC</N>
</L>
</C>
</A>
With the help of SDN I am able to gather the values of <D> <E> in one internal table.
Now if I need to gather
<G>, <H> in one internal table JTAB.
<J>, <K> in one internal table KTAB.
<J>, <N> in one internal table PTAB.
I am unable to do. I am following XSLT transformation method. If some one has some suggestions. Please help.
Here is my ABAP program
TYPE-POOLS abap.
CONSTANTS gs_file TYPE string VALUE 'C:\TEMP\ABCD.xml'.
* This is the structure for the data from the XML file
TYPES: BEGIN OF ITAB,
D(10) TYPE C,
E(10) TYPE C,
END OF ITAB.
* Table for the XML content
DATA: gt_itab TYPE STANDARD TABLE OF char2048.
* Table and work ares for the data from the XML file
DATA: gt_ITAB TYPE STANDARD TABLE OF ts_ITAB,
gs_ITAB TYPE ts_ITAB.
* Result table that contains references
* of the internal tables to be filled
DATA: gt_result_xml TYPE abap_trans_resbind_tab,
gs_result_xml TYPE abap_trans_resbind.
* For error handling
DATA: gs_rif_ex TYPE REF TO cx_root,
gs_var_text TYPE string.
* Get the XML file from your client
CALL METHOD cl_gui_frontend_services=>gui_upload
EXPORTING
filename = gs_file
CHANGING
data_tab = gt_itab1
EXCEPTIONS
file_open_error = 1
file_read_error = 2
no_batch = 3
gui_refuse_filetransfer = 4
invalid_type = 5
no_authority = 6
unknown_error = 7
bad_data_format = 8
header_not_allowed = 9
separator_not_allowed = 10
header_too_long = 11
unknown_dp_error = 12
access_denied = 13
dp_out_of_memory = 14
disk_full = 15
dp_timeout = 16
not_supported_by_gui = 17
error_no_gui = 18
OTHERS = 19.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
* Fill the result table with a reference to the data table.
* Within the XSLT stylesheet, the data table can be accessed with
* "IITAB".
GET REFERENCE OF gt_shipment INTO gs_result_xml-value.
gs_result_xml-name = 'IITAB'.
APPEND gs_result_xml TO gt_result_xml.
* Perform the XSLT stylesheet
TRY.
CALL TRANSFORMATION zxslt
SOURCE XML gt_itab1
RESULT (gt_result_xml).
CATCH cx_root INTO gs_rif_ex.
gs_var_text = gs_rif_ex->get_text( ).
MESSAGE gs_var_text TYPE 'E'.
ENDTRY.
* Now let's see what we got from the file
LOOP AT gt_ITAB INTO gs_ITAB.
WRITE: / 'D:', gs_ITAB-D.
WRITE: / 'E :', gs_ITAB-E.
ENDLOOP.
Transformation
<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output encoding="iso-8859-1" indent="yes" method="xml" version="1.0"/>
<xsl:strip-space elements="*"/>
<xsl:template match="/">
<asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
<asx:values>
<IITAB>
<xsl:apply-templates select="//C"/>
</IITAB>
</asx:values>
</asx:abap>
</xsl:template>
<item>
<D>
<xsl:value-of select="D"/>
</D>
<E>
<xsl:value-of select="E"/>
</E>
</item>
</xsl:template>
</xsl:transform>
Now the above pgm and transformation work well and I am able to extract data into the ITAB. Now what changes should I make in transformation and in pgm to collect
<G>, <H> in one internal table JTAB.
<J>, <K> in one internal table KTAB.
<J>, <N> in one internal table PTAB.
Please help..i am really tring hard to figure this out. I am found lot of threads addressing this issue but not my problem.
Kindly help.
Regards,
VSHi Rammohan,
Thanks for the effort!
But I don't need to use GUI upload because my functionality does not require to fetch data from presentation server.
Moreover, the split command advised by you contains separate fields...f1, f2, f3... and I cannot use it because I have 164 fields. I will have to split into 164 fields and assign the values back to 164 fields in the work area/header line.
Moreover I have about 10 such work areas. so the effort would be ten times the above effort! I want to avoid this! Please help!
I would be very grateful if you could provide an alternative solution.
Thanks once again,
Best Regards,
Vinod.V -
Can PING/ASDM/SSH to External IP but not to Internal IP on PIX itself
We have two networks HQ and Site1 and for some reason we can’t ping the inside IP for Site1 PIX device. We have site-site-VPN set up between the two and everything works fine except we can’t ping the Site1 PIX from internal IP. However, I can ASDM/SSH in from HQ to the external IP of the Site1 PIX.
HQ is using an ASA 5550 (172.1.0.1)
PC from HQ (172.1.64.x)
Site1 is using a PIX-515E (172.2.0.1)
PC from Site1 (172.2.64.x)
Ping from HQ PC to Site1 PC (172.1.64.x to 172.2.64.x) works fine
Ping from Site1 PC to HQ PC (172.2.64.x to 172.1.64.x) works fine
Ping from HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
Ping from HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
ASDM/SSH from any HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
ASDM/SSH from any HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
Everything was working fine until we recently changed the outside IP address for Site1 because we switch to a different ISP. Nothing changed on the HQ ASA or Site1 PIX other than the outside IP address on Site1 PIX. I did rebuild the site-to-site VPN tunnel between Site1 and HQ.
Thanks first in advance for any ideas/suggestions.Thanks Julio for your reply. We are currently running PIX Version 8.0 (3) and yes we do have management-access inside configured.
Cisco PIX Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list -
Cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1
Hi,
we have several cisco pix 525 and 515 cannot archieve configuration in LMS 3.0.1
Any help would be greatly appriciated.
Thanks in advance
SamirHi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do mangement station to Device it gives me following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir -
Send Notification to Multiple Internal Users
Hi everybody,
how can i send an email to Multiple Internal Users in BPM which are not known at design time?
I know i can use an expression, but i have a collection of type string (EmployeeID's). I can use the method getPrincipalByUniqueName(EmployeeID,"user") but employeeID is a collection and this method expected a single string.
regards,
SidHi Anil,
my BPM-WebService will be called with a Request parameter:
users (1..*)
userID (string)
So at Run Time i get a collection or array with userID's like: SD4711, AN4712....
If i use getPrincipalByUniqueName("SP4711","user") i get the right user but i have a collection, so what could i do?
I can determine the interface by my self, so it is not a problem to change the interface if it is necessary.
How can i use getPrincipals(Sting(1..*) principalID)?
regards,
Sid
Edited by: Sid on Dec 13, 2010 3:21 PM -
PIX 525 UR With 1 4-Port FE, 1 VPN Accel Card
Good day;
I have a PIX 525 Unrestricted with failover.
802.bin IOS
There is 1 4-port FE and a VPN Accelerator card installed in each unit.
I tried to install a second 4-port FE in both prime and secondary units and the following is the result.
Once I power up both units the second 4-port FE mimics the first one. Although there are no physical connections to the second 4-port FE's, the port lights on the second FE's light up as the ones on the first 4-port FE.
Example:
1st 4-port FE
Fa0/2 - physical connection - Light on
Fa0/3 - no physical connection - Light off
Fa0/4 - physical connection - Light on
Fa0/5 - no physical connection - Light off
2nd 4-port FE
Fa0/6 - no physical connection - Light on
Fa0/7 - no physical connection - Light off
Fa0/8 - no physical connection - Light on
Fa0/9 - no physical connection - Light off
Also, when the second card is installed the first card will not function and this sets both PIX's as active.
I'm somewhat baffled.Hi;
Here's the show version.
As you will see, it allows for 10 physical interfaces.
I'm scratching my head over this one.
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"
MHCPPIX1 up 27 days 22 hours
failover cluster up 93 days 1 hour
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0011.924b.dd31, irq 10
1: Ext: Ethernet1 : address is 0011.924b.dd32, irq 11
2: Ext: Ethernet2 : address is 000d.88ee.5d70, irq 11
3: Ext: Ethernet3 : address is 000d.88ee.5d71, irq 10
4: Ext: Ethernet4 : address is 000d.88ee.5d72, irq 9
5: Ext: Ethernet5 : address is 000d.88ee.5d73, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license. -
Multiple MX records with PIX and ASA5510
I need some help with a setup for email.
Setup
I have a PIX525 and an ASA5510VPN and an internal 2950 router. The PIX does firewalling and the ASA does VPN. Currently all outbound Internet traffic goes through the PIX via the router with this command:
ip route 0.0.0.0 0.0.0.0 10.1.1.2 1
The ASA5510 with its dedicated external IP is used to allow VPN traffic in.
The problem:
I have two separate domain names and two MX records. One (mail.PIX.com)is pointed at the external IP of the PIX the other (mail.ASAVPN.com) is pointed at the ASA5510. I can receive inbound mail through both of the devices. I'd like to mail go out using both domains one through PIX and the other thru ASA. The problem is the router says all unknown traffic go to PIX.
How do I route mail from a host (10.1.1.5) to the ASA5510(10.1.1.4), while sending the mail from host (10.1.1.3) to PIX(10.1.1.2)I am not folliwing something here. If your gateway for 10.1.1.5 is truly set to the ASA and the ASA has the nat rule on the outside for the 10.1.1.5 address there should be no issue. It sounds like you are sending your traffic back out the pix interface. If your gateway is the 10.1.1.254 address the router will send the traffic to the PIX or redirect you to do so with an ICMP redirect.
Just the simple fact that it's coming out with the wrong external address leads me to beleive that that is the issue.
Any configs/route tables on the servers and firewalls would help. -
Assign multiple internal parts (materials of different plants) to one MPN
HI
I have a requirement to assign multiple internal parts (materials of different plants) to one manufacture part number.
but in HERS material type it allows to assign to only one .
can any body suggest how can I do this.
SreeramYou can do that.
1:Assign the new plant to the sales org / distribution channel - Enterprise structure
2:DO the shipping point determination for the new plant.
3:Extend the materials to the new plant.
4:If there is intercompnay process, please check "Assignmnet of organizational units to plants" in navigation SD - Billing - Intercompany billing.
5: Check if there are any pricing records, output records....et cwhich has Plant as parameters. if yes maintain the entries for the new plant.
These are the things I could think of.
Before deleting the existing plants, make sure there are no open documents existing for these plants, else system will not allow to delete.
Regards
Sai
Edited by: Sai on Jun 1, 2010 4:19 PM -
Split a string into multiple internal tables
Hi all,
I need to split a string based internal table into multiple internal tables based on some sub strings in that string based internal table...
High priority help me out...
eg...
a | jhkhjk | kljdskj |lkjdlj |
b | kjhdkjh | kldjkj |
c | jndojkok |
d |
this data which is in the application server file is brought into a internal table as a text. Now i need to send 'a' to one internal table, 'b' to one internal table, so on... help me
<Priority downgraded>
Edited by: Suhas Saha on Oct 12, 2011 12:24 PMHi pradeep,
eg...
a | jhkhjk | kljdskj |lkjdlj |
b | kjhdkjh | kldjkj |
c | jndojkok |
d |
As per your statement "Now i need to send 'a' to one internal table, 'b' to one internal table"
Do you want only a to one internal table and b to one internal table
OR
Do you want the whole row of the internal table i mean
a | jhkhjk | kljdskj |lkjdlj | to 1 internal table
Having the case of an internal table which is of type string,
1) Loop through the internal table. LOOP AT lt_tab INTO lwa_tab.
2) Ge the work area contents and get the first char wa_tab-string+0(1)
3) FIELD-SYMBOLS: <t_itab> TYPE ANY TABLE.
w_tabname = p_table.
CREATE DATA w_dref TYPE TABLE OF (w_tabname).
ASSIGN w_dref->* TO <t_itab>.
Follow the link
http://www.sap-img.com/ab030.htm
http://www.sapdev.co.uk/tips/dynamic-structure.htm
and then based on the sy-tabix values you will get that many number of internal table
<FS> = wa_tab-string+0(1)
append <FS>
OR
USE SPLIT statement at the relevant seperator
revert for further clarification
Thanks
Sri
Edited by: SRIKANTH P on Oct 12, 2011 12:36 PM -
We currently had to RMA both PIX 525s due to increasing crc errors. After swapping the old ones with the new we are still seeing crc errors on all gig interfaces. We have swapped the gig nic's and the sfp's and the fiber patch cables, yet still the crc errors continue to climb. Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput. Any insight as to what else could be causing the errors would be appreciated.
Sent from Cisco Technical Support iPhone AppHello,
First, double check the speed/duplex configuration and make sure they match on both ends of each cable. Also, CRC errors are usually caused by the transmitter, but they show up as errors on the receiver side. Therefore, if you're only seeing CRC errors on the PIX and the switch ports look clean, I would focus on why the switch is corrupting the packets. You might try moving the cables to a different unused switch port and see if that helps.
-Mike -
I was wondering if someone can tell me how to upgrade a Cisco Pix 525 boot rom from 4.0 to 4.3. Is it a physical chip or software upgrade? Is it needed to upgrade to latest IOS on Cisco Pix 525 to 8.0. Where can I find more information on it? Thanks in advance
This link should help you
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
Reards,
Sachin -
Pix 525 6.2 Mac control
Hello, I'm trying to configure a pix 525 with 6.2 firmware version, usually I would try this:
mac access-list extended (name)
permit host (mac) any
int f0/0
mac access-group (name) in
but this pix doesn't have mac commands. Can someone help me?
Thanks
Mario SilvaHello;
That does not work unless u are running in transparent mode.
Hope it helps.
Mike
Sent from Cisco Technical Support Android App -
Pix 525 I need erasedisk.bin
hey ,
i have PIX 525 can any one provide me with erasedisk.bin to erase my flash memory
thnx in advance ,From the cisco.com terms and conditions:
"You may not post, modify, distribute, or reproduce in any way copyrighted or other proprietary materials without obtaining the prior written consent of the copyright owner of such materials. We may terminate an account, deny access to a site or service, or terminate any user who is alleged to have infringed the copyright or proprietary rights of another."
This is further reinforced in the CSC-specific Acceptable Use Agreement.
You need to ask the TAC (or your reseller) for binaries. -
Two aaa-server TACACS+ in PIX 525
I have a PIX 525 with two aaa-server for TACACS+; My aaa comands are configured by default.
I understand that my aaa-server TACACS+max-failed-attempts "number" have a "3" times to declare my aaa-server unresponsive and move on to try the next server in the list.
Once it happens, how long does the aaa requests are send to the secundary aaa-server?
Can somebody of you can help me? I want to keep my first aaa-server as primary and just in case of failure use the second aaa-server.
Thanks a lot.The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
Maybe you are looking for
-
Can I use a variable across events?
Hi there, SDK newbe! I'm successfully parsing an GroupWise WebAccess event log. At the beginning of each days log is a line with the server name and IP address. Subsequent events only have the date/time and event message. How can I capture the name a
-
PO with multiple account assignment
Hi Experts, While creating PO for multiple account assignment system is automatically picking 'GR Non-Valuated' check box.After doing a GR no accouning document generated. How is the goods receipt valuated for a purchase order with multiple account a
-
Hi, I need to load XML file into ABAP and then process data. Can I use call transformation for that?? My SAP version is 4.7 E(Basis 620). Is there any difference for SAP version 4.6C???? Thanks.
-
I can't publish a folio into my DPS Professional Account. This is the error message: An error has occurred while trying to publish your folio. We could not start this operation. Please try again later. Anyone can help? Tks
-
Please help me exit "full screen mode." I am unable to see the Safari menu bar.
I have never used this tool. Please help me to "exit the full screen mode." I am unable to see the toolbar in Safari.