Nat (DMZ,outside) source dynamic any interface
Hi Everyone,
Need to confirm NAT statement below
nat (DMZ,outside) source dynamic any interface in version 9.1.
So above line means NAT from DMZ to outside.
Need to know that source here means that we are NATing IP from DMZ?
any interface means NAT IP will be of outside interface IP?
Regards
Mahesh
Hi Mahesh,
The below NAT configuration
nat (DMZ,outside) source dynamic any interface
Means the following
The NAT configuration is for connection between "DMZ" and "outside". Basically for connection FROM "DMZ" to "outside"
The translation is a "dynamic" translation
It accepts "any" source address from behind the "DMZ" interface
It uses the "outside" "interface" IP address as the PAT address
So it's a basic Dynamic PAT translation for the hosts behind the "DMZ" interface, and it accepts any source address/network you might have behind "DMZ"
- Jouni
Similar Messages
-
Nat (inside,outside) source dynamic any interface
Hi Everyone,
Does config below
ASA1(config)# nat (inside,outside) source dynamic any interface
Will do the PAT when source is any IP from inside interface of ASA and going to any destination IP address?
Regards
Mahesh
Hi Mahesh,
Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the "inside" interface towards any destination address routed behind "outside" interface using the PAT IP address of "outside" interface.
I would however suggest configuring the same NAT configuration by adding the "after-auto" parameter
nat (inside,outside) after-auto source dynamic any interface
What the "after-auto" parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind "inside".
If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.
- Jouni -
ASA5515 v8.6(1)2 NAT dmz public server
Could I get a validation that this config is correct in that it allows inbound access to the web server
and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
Example from 115904 doc.
object network WebServerPublic
host 24.25.26.80
object network WebServerPrivate
host 192.168.1.80
nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
And I cannot browse in from the outside to it either.
I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
ASA Version 8.6(1)2
hostname A5515
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.25.26.254 255.255.255.240
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.252 255.255.240.0
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
object network N_OBJ_10.1.0.0_20
subnet 10.1.0.0 255.255.240.0
object network N_OBJ_10.24.0.0_18
subnet 10.24.0.0 255.255.192.0
object network DNSServer
host 10.24.0.86
object network WebServerPrivate
host 192.168.1.80
object network WebServerPublic
host 24.25.26.246
object network N_OBJ_DMZ_24
subnet 192.168.1.0 255.255.255.0
object-group network CampusNetworks
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
access-list dmz_access_in extended permit udp any object DNSServer eq domain
access-list dmz_access_in extended deny ip any object-group CampusNetworks
access-list dmz_access_in extended permit ip any any
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic
nat (inside,dmz) source static CampusNetworks CampusNetworks
nat (inside,outside) after-auto source dynamic CampusNetworks interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
Thanks
Hi,
You have some conflicting NAT configurations
For example you have this
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
This overrides your Static PAT configuration that you are trying to achieve
Also one note regarding one of your NAT configurations
nat (inside,dmz) source static CampusNetworks CampusNetworks
You don't need NAT between local interfaces. No NAT is done by default. So the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
- Jouni -
Auto NAT and outside pool ip address
Hi Everyone,
If i do Auto NAT from DMZ interface to outside interface using config below
object network Auto_NAT
subnet 192.168.70.0 255.255.255.0 *********************DMZ subnet
description Auto NAT DMZ Interface
object network Outside_pool
range 192.168.51.3 192.168.51.100
object network Auto_NAT
nat (DMZ,outside) dynamic Outside_pool
My outside interface has IP of 192.168.71.2
I am unable to access the internet using above config
when i change the range in outside_pool to 192.168.71.3 192.168.71.100 i am able to access the internet.
Does this mean that using auto nat using dynamic NAT the outside pool range should be in same subnet as outside interface ip address?
Regards
Mahesh
Hi Julio,
Thanks for replying back
ciscoasa# sh cap capdmz
4 packets captured
1: 23:36:38.000350 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
2: 23:36:42.849779 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
3: 23:36:47.841860 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4: 23:36:52.849428 802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4 packets shown
ciscoasa# sh cap capout
36 packets captured
1: 22:03:42.616057 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
2: 22:03:47.348538 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
3: 22:03:52.340741 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
4: 22:03:57.348233 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
5: 22:06:25.034544 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
6: 22:06:29.839144 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
7: 22:06:34.846864 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
8: 22:06:39.838854 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
9: 22:08:08.405313 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
10: 22:08:13.345929 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
11: 22:08:18.337842 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
12: 22:08:23.345486 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
13: 22:08:28.337491 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
14: 22:51:16.824237 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
15: 22:51:21.333799 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
16: 22:51:26.333066 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
17: 22:51:31.334409 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
18: 22:52:32.936276 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
19: 22:52:37.844743 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
20: 22:52:42.834734 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
21: 22:52:47.834185 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
22: 22:52:52.834307 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
23: 22:52:57.834643 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
24: 22:53:02.834917 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
25: 22:53:07.834246 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
26: 22:53:12.834536 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
27: 22:53:17.845979 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
28: 22:53:22.834154 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
29: 22:53:27.834475 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
30: 22:53:32.834780 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
31: 22:53:37.834078 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
32: 22:53:42.833422 802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
33: 23:36:38.000671 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
34: 23:36:42.850084 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
35: 23:36:47.842104 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36: 23:36:52.849733 802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36 packets shown
ciscoasa#
Regards
Mahesh -
Nat (inside,outside) static 200.x.x.x
Hi Everyone,
Say we have webserver which has internal IP of 172.16.10.10
If we need outside users from internet who need to access the webserver on IP say 200.x.x.x
We can config the NAT as below also
nat (inside,outside) static 200.x.x.x
Regards
Mahesh
Hi Mahesh,
I would usually configure a normal Static NAT as Network Object NAT
You first configure a "object network " under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network ".
object network STATIC
host 172.16.10.10
nat (inside,outside) static 200.x.x.x
Depending on how the rest of the NAT configuration is built, some other NAT rule might override this but personally I have not had problem with configuring Static NAT this way.
You also have an option to configure the NAT in the following way
object network SERVER-REAL
host 172.16.10.10
object network SERVER-MAPPED
host 200.x.x.x
nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
As you can see the difference from the first way I mentioned is the fact that we use Manual NAT / Twice NAT to configure this Static NAT. We create 2 "object network " which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
The difference between the above 2 NAT configurations is that the Network Object NAT is on a lower priority in the ASA NAT rules compared to the above Manual NAT.
- Jouni -
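The three answers above all come down to the same thing: which NAT rule the ASA matches first for a new connection. The following is an added example written for this page (it is not Jouni's code, nor anything from Cisco) that models the rule order as a small lookup table: Section 1 manual NAT in configuration order, Section 2 network object NAT (static before dynamic, more specific object first, a simplification of the real tie-break), then Section 3 manual NAT with "after-auto". Only the outbound source lookup is modelled; ACLs, routing and the xlate table are left out. The rule sets are constructed from the 8.6(1)2 configuration posted earlier, from Jouni's suggested replacement, and from the "source dynamic any interface" rule in the first two threads; the mapped address 203.0.113.10 is a placeholder for the thread's 200.x.x.x.

```python
# Added example: a simplified model of ASA NAT rule precedence (Sections 1-3).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class NatRule:
    section: int                 # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT "after-auto"
    real_if: str                 # interface the real address sits behind ("any" allowed)
    mapped_if: str               # interface whose side carries the mapped address
    kind: str                    # "static" or "dynamic"
    real: Tuple[str, ...]        # real source network(s) in CIDR notation
    mapped: str                  # mapped address, pool name or "interface"
    real_port: Optional[int] = None   # "service tcp X X" restriction; None = any port
    text: str = ""               # the CLI line this rule models, for readable results


def asa_order(rules):
    """Order in which the rules are consulted (assumed, simplified): Section 1 in
    configuration order, Section 2 static before dynamic and most specific real
    prefix first, then Section 3 in configuration order."""
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2),
                key=lambda r: (r.kind != "static",
                               -min(ip_network(n).prefixlen for n in r.real)))
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3


def _if_ok(rule_if, actual_if):
    return rule_if == "any" or rule_if == actual_if


def lookup(rules, src_ip, src_port, in_if, out_if):
    """First rule that translates a new connection from src_ip/src_port entering
    in_if and leaving out_if, or None if the packet goes through untranslated."""
    for r in asa_order(rules):
        if not (_if_ok(r.real_if, in_if) and _if_ok(r.mapped_if, out_if)):
            continue
        if r.real_port is not None and r.real_port != src_port:
            continue
        if any(ip_address(src_ip) in ip_network(n) for n in r.real):
            return r
    return None


# Constructed from the posted 8.6(1)2 configuration: the DMZ-wide dynamic PAT is a
# Section 1 rule listed BEFORE the Section 1 static rule for the web server.
POSTED = [
    NatRule(1, "dmz", "outside", "dynamic", ("192.168.1.0/24",), "interface",
            text="nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface"),
    NatRule(1, "dmz", "outside", "static", ("192.168.1.80/32",), "24.25.26.246",
            text="nat (dmz,outside) source static WebServerPrivate WebServerPublic"),
    NatRule(3, "inside", "outside", "dynamic", ("10.1.0.0/20", "10.24.0.0/18"), "interface",
            text="nat (inside,outside) after-auto source dynamic CampusNetworks interface"),
]

# Constructed from Jouni's replacement: object NAT (Section 2) for tcp/80 on the
# web server, and one default PAT for all networks pushed to Section 3 with after-auto.
SUGGESTED = [
    NatRule(3, "any", "outside", "dynamic",
            ("10.1.0.0/20", "10.24.0.0/18", "192.168.1.0/24"), "interface",
            text="nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface"),
    NatRule(2, "dmz", "outside", "static", ("192.168.1.80/32",), "interface", real_port=80,
            text="object network WEB-SERVER -> nat (dmz,outside) static interface service tcp 80 80"),
]


def rule_for_web_server(rules, src_port=80):
    """Which rule 192.168.1.80 hits when it talks out of dmz towards outside."""
    r = lookup(rules, "192.168.1.80", src_port, "dmz", "outside")
    return r.text if r else None


def catch_all_vs_static(after_auto):
    """First two threads: a catch-all 'source dynamic any interface' manual NAT rule
    against a Section 2 static object NAT for one server. Returns the kind matched."""
    catch_all = NatRule(3 if after_auto else 1, "inside", "outside", "dynamic",
                        ("0.0.0.0/0",), "interface",
                        text="nat (inside,outside) %ssource dynamic any interface"
                             % ("after-auto " if after_auto else ""))
    # 203.0.113.10 is a placeholder for the thread's 200.x.x.x
    static = NatRule(2, "inside", "outside", "static", ("172.16.10.10/32",), "203.0.113.10",
                     text="object network STATIC -> nat (inside,outside) static 200.x.x.x")
    return lookup([catch_all, static], "172.16.10.10", 443, "inside", "outside").kind


if __name__ == "__main__":
    print("posted config, web server tcp/80    ->", rule_for_web_server(POSTED))
    print("suggested config, web server tcp/80 ->", rule_for_web_server(SUGGESTED))
    print("suggested config, web server tcp/22 ->", rule_for_web_server(SUGGESTED, 22))
    print("catch-all without after-auto        ->", catch_all_vs_static(False))
    print("catch-all with after-auto           ->", catch_all_vs_static(True))
```

Running it shows the posted configuration sending the web server's own outbound traffic through the subnet-wide PAT rather than its static mapping, the suggested configuration hitting the object NAT only for tcp/80 and the default PAT for everything else, and the catch-all rule shadowing a static object NAT unless it carries after-auto. On a live box the equivalent check is `show nat detail` for the order and `packet-tracer` for a single flow.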
Question about NAT Inside Source, Inside Destination, and Outside Source
I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't get a clear understanding of how to associate the commands with "ip nat inside" and "ip nat outside" configured for interfaces.
Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
Since NAT is a bidirectional action, what's the difference between "ip nat inside source ..." and "ip nat inside destination ..."?
I've never used "ip nat outside source ...". In what cases would it be needed?
On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
Thanks for help with any questions.
Gary
Hi Gary,
The following documents may help you to understand some of the terminology:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
Also, the following document has a clear explanation of the order of operations when using NAT:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Hope that helps - pls rate the post if it does.
Paresh -
I'm struggling to figure out why you would need the 'ip nat outside source static' command. The 'inside source static' makes perfect sense, but why the outside. In what type of scenario would you use it?
Any help would be appreciated
h1 (192.168.10.2) -> R1 -> (ip nat inside) R2 (ip nat outside) -> R3 -> s1 (172.16.5.2)
On R2
ip nat outside source static 192.168.11.2 172.16.5.2
would mean -
h1 would send traffic to 192.168.11.2 and the destination IP would be translated to 172.16.5.2 and if s1 sends traffic to h1 the source IP would be 192.168.11.2.
One reason to do this would be, using the above example, your internal network uses 192.168.x.x IP addressing and you do not want to have to advertise the 172.16.5.x IP within your network.
So instead you choose an unused 192.168.x.x IP and as long as R1 routes traffic for that IP to R2 it is then translated to 172.16.5.2 on R2 which means your internal routers do not need to have external IP addresses in their routing tables.
Jon -
I have an iMac5,1 with an intel processor. For the last month or so, whenever I play a video from an outside source - e.g. YouTube, the picture jumps and breaks-up. All of my software is up-to-date. Any thoughts on how to fix this problem?
You're welcome. As to checking speed go to http://speedtest.net/ and it will choose the closest server for you. BTW, whatever you do, don't click on the robot icon that says "Start Scan" or MacKeeper below that. Only use the speed test in the middle that has the button BEGIN TEST on it. It will run a download speed test first and then an upload speed test. The download test will give a much faster response.
-
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
At the same time, the console connection shows these two messages:
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
This is the configuration file, I have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
description ADSLPPoE
switchport access vlan 2
interface Ethernet0/1
description Internal_LAN
interface Ethernet0/2
description Management_Net
switchport access vlan 3
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Uplink
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
description Wireless-POE
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
description Webcam-POE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group AliceADSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif management
security-level 100
ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.4
domain-name home
object network Exchange-HTTPS
host 192.168.1.150
object network Exchange-SMTP
host 192.168.1.150
object network Network_Inside
subnet 192.168.1.0 255.255.255.0
object network Network_Management
subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
nat (inside,outside) dynamic interface
object network Network_Management
nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 10443
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
no asdm history enable
Thanks in advance for your precious help !
C.
Update 29th of June:
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions :
1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
2) if there's no other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the nat statements ^^
Thank you for your precious help and patience !
C. -
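The two %ASA-6-305012 lines quoted in this thread are the only visible trace that the published Exchange ports stopped being mapped after the PPPoE address changed. The following is an added example, not part of the thread, that parses that message and flags the teardown of a static translation for a (real IP, port) pair an administrator expects to stay published, while ignoring the normal churn of dynamic PAT entries. The message layout is assumed from the two posted lines; the dynamic-PAT line and the 302014 line in the sample are constructed to show what the filter skips.

```python
# Added example: detect loss of published static PATs from ASA syslog (%ASA-6-305012).
import re
from typing import List, Optional, Set, Tuple

# Layout of %ASA-6-305012 assumed here (it matches the two lines posted in the thread):
#   Teardown {static|dynamic} {TCP|UDP|ICMP} translation from <if>:<real-ip>/<port>
#   to <if>:<mapped-ip>/<port> duration <h:mm:ss>.
XLATE_TEARDOWN = re.compile(
    r"%ASA-\d-305012: Teardown (?P<kind>static|dynamic) (?P<proto>\w+) translation "
    r"from (?P<real_if>[\w-]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<mapped_if>[\w-]+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d)"
)


def parse_xlate_teardown(line: str) -> Optional[dict]:
    """Parse one syslog line into its fields, or return None if it is not a 305012."""
    m = XLATE_TEARDOWN.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["real_port"] = int(ev["real_port"])
    ev["mapped_port"] = int(ev["mapped_port"])
    h, mi, s = (int(x) for x in ev["duration"].split(":"))
    ev["duration_s"] = h * 3600 + mi * 60 + s
    return ev


def lost_published_services(lines: List[str], published: Set[Tuple[str, int]]) -> List[dict]:
    """Static translations torn down for (real_ip, real_port) pairs that publish a
    service. Dynamic PAT teardowns are normal connection churn and are ignored."""
    lost = []
    for line in lines:
        ev = parse_xlate_teardown(line)
        if ev is None or ev["kind"] != "static":
            continue
        if (ev["real_ip"], ev["real_port"]) in published:
            lost.append(ev)
    return lost


# Sample input: the two lines from the post, plus two constructed lines (a dynamic PAT
# teardown and an unrelated 302014 connection teardown) that the filter must skip.
SAMPLE_SYSLOG = [
    "<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 "
    "to outside:79.6.105.13/25 duration 0:01:17.",
    "<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 "
    "to outside:79.6.105.13/443 duration 0:01:17.",
    # constructed
    "<166>%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.101/52044 "
    "to outside:79.6.105.13/52044 duration 0:00:30.",
    # constructed
    "<166>%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/443 "
    "to inside:192.168.1.101/52044 duration 0:00:30 bytes 1024 TCP FINs",
]

# The two Exchange static PATs from the posted configuration.
PUBLISHED = {("192.168.1.150", 25), ("192.168.1.150", 443)}


def summarize(lines=SAMPLE_SYSLOG, published=PUBLISHED):
    """(real_ip, real_port, mapped_ip, seconds the mapping lived) for each lost service."""
    return [(ev["real_ip"], ev["real_port"], ev["mapped_ip"], ev["duration_s"])
            for ev in lost_published_services(lines, published)]


if __name__ == "__main__":
    for real_ip, port, mapped_ip, secs in summarize():
        print("static PAT for %s/%d via %s torn down after %ds" % (real_ip, port, mapped_ip, secs))
```

Fed the syslog stream from `logging` at informational level, the same filter is what you would hang an alert on: a static translation for a published port should never be torn down outside a maintenance window, so any hit means the service is unreachable from outside until the rules are restored.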
ASA5510 - Verifying NAT is fully disabled between two interfaces
Hello,
I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.
I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.
So far I have the following NAT related running-config command (in regards to these two interfaces):
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface inside
access-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface inside
access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list NAT_Exempt_2
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Inside-test) 0 access-list NAT_Exempt
nat (Inside-test) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (Inside-test) 1 interface
Let me know if more information is needed for you to assist me further.
Thank you.
Thank you Jennifer for your responses.
Do I need to include access-list commands for both directions for each interface as listed in my full config above, or do I just need one for one direction on one and one direction on the other interface (plus the exempt for the 69.x.x.x network)?
Would this config suffice?
access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 69.87.157.192 255.255.255.224
access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 69.87.157.192 255.255.255.224
nat (inside) 0 access-list NAT_Exempt_2
nat (inside-test) 0 access-list NAT_Exempt
Will I need to clear xlate to see the results of this or will this take effect immediately? I can't really do that during business hours, but should be able to after hours if I need to.
Can you clarify what the global commands do? I keep thinking that it adds the IP of the Interface to packets as they go through the interface and that I should use a different config for the Inside-test network.
I will try the xlate detail to verify and let you know what I find.
Thank you. -
Hello,
here's a little teaser for user interface experts out there:
I wonder what kind of techniques ABAP offers for creating dynamic user interfaces.
When talking of 'dynamic' I imagine something like an arbitrary number of 'containers' where other programs (classes f.ex.) can draw their own user interface into.
In Java this could be realized with the container concept in swing.
I have done some research on this topic and the results are so far:
a plain dynpro: seems to have no dynamic at all -> not an option
a plain dynpro with a tabstrip: in case the number of tabs CAN be set at runtime AND the subscreens CAN be drawn from inside separate classes -> a definite option otherwise not an option
any kind of web-frontend (BSP, JSP etc.): web-frontends are not allowed by company restrictions -> not an option
dynamic documents: I could not find many information on these yet (also not on sdn). In case that an arbitrary number of parts of the dynamic document can be created from inside separate classes -> an option otherwise not an option
I will be happy about any further information on this topic.
Best regards,
Patrick Baer
I spent some time today doing research on BSPs and built a "BSP-Viewer" embedded into the SAP GUI. Though I like the concept of BSPs a lot (as I already did with JSPs), company restrictions are too strict. So BSPs are out of play.
After the discussion I started to play around with the different containers and basically I'm quite pleased with them, and the "cl_gui_container_bar" allows an arbitrary number of "subscreens", which matches my requirements.
But as usual there's still a downside:
I found no option to build text labels and text fields into a container. Unless this is possible I can't give this approach a chance. I already found some postings which seemed to confirm that this is in fact not possible, but I can't really believe it. At least from what it looks like, it seems to me that the object navigator utilizes both: splitters, containers and all that stuff AS WELL AS the "classical" elements like text boxes, labels and so on.
Any ideas on how to combine the container concept with text fields, labels maybe whole dynpros or subscreens ?
Best regards,
Patrick Baer -
Creating Node data on Author server from outside source?
I was wondering if it is possible to create node data on the author server from an outside source such as the publish server, without using reverse replication?
IE,
User accessing form page on publish server, enters data, submits the form. Which somehow would create node data directly on the author server without storing any data on the publish server.
Is this even possible?
Thanks
Thank you for all the responses.
Yes, I do agree that not using reverse replication as the system is designed is not exactly a wise design choice. The problem I am facing is that the end-user generated content is security sensitive and cannot be stored on the publish instance (even temporarily).
I have managed to write a servlet on the Author server to accept the post data and create node data on the Author repository.
However to do this, I have had to disable login/security on the Author server for the servlet path (IE /bin/posthandlerservlet ) so that the author servlet can be accessed from the outside. Firewall has also been adjusted to let traffic through as well.
Now my remaining question would be: is opening up this path to the Author server much more dangerous and less secure than creating the node data on the Publish server in a place that has protected access? We are really worried that the node data created on the publish server could somehow be accessed by end users in the event of a security problem. -
Flash drive new version 11. ask for outside source to store files on pc.
The new version of Adobe Flash 11 asks for an outside source, asking if they could store files on my computer. The new version came with McAfee security. I have virus protection already; to my knowledge you cannot run two virus programs.
Re: McAfee - you're right. Two A/V programs is bad. Uninstall McAfee.
Re: Storage. In order to view Flash content (videos or games), you NEED to allow a small amount of data to be stored in your temp folder, to prevent the content from constantly stopping and restarting. As always, if you have ANY reason to be suspicious of a site you're visiting, then you have reason to be suspicious of what it may want to store on your system, but for the most part, Flash data is video "buffering" content and nothing more. -
I need to count intermittent high speed pulses from an outside source with cFP-CTR-502 and Labview 8.2 . I've found example code for generating pulses and creating intricate count setups but no straightforward examples of a simple counter. Any suggestions?
Hello tinfish,
I could not find a simple example that implements simple counting either, but it should be straightforward enough for us to try. Do you have the CTR module configured properly in MAX? If so, can you monitor the channels on your CTR 502 for input? Try connecting a square wave or some other digital pulse to the terminal to test the functionality of the counter module first (before programming). If you monitor the input channels with something connected you should see the count increment each time it sees a rising edge (assuming default configuration).
Once you've verified that everything works in MAX, you can set up your CTR module in a LV 8.2 project. If you need help with this, refer to the help document (look in the "Configuring FieldPoint in LabVIEW" section):
C:\Program Files\National Instruments\FieldPoint\documentation\Online Help\fplv.chm
You should be able to just read a channel tag from your CTR 502 using an FP Read VI. (Simply drag the channel from your project onto the block diagram). Since counting is the default behavior of the 502, there is no special programming involved to make it work.
I hope this helps -- if it's too high-level we can talk details about specific questions you have. Have a good one!
Charlie S.
Visit ni.com/gettingstarted for step-by-step help in setting up your system -
Access log4j.properties outside source folder
Hi,
I have developed a standalone java application, for logging the application i have created a log4j.properties in the source folder.
It is working fine and the logs are created as specified in the properties file.
Issue:
i have created a jar which contains the complete source code and log4j.properties file.
If I try to create a jar without log4j.properties, since the properties file will be changed by the customer frequently, I need to keep the log4j.properties outside the source folder.
But my jar is unable to access the log4j.properties when I try to run the application.
Question:
how do we access the log4j.properties from outside source folder?
thanks,
J R
gimbal2 wrote:
T.PD wrote:
In addition to what gimbal2 said: Do you create a MANIFEST.MF file in your jar?
If so you should add (or extend) the ClassPath entry to include the current directory ( *.* ) so you can have the log4j.properties file in the folder where you call your jar from: [...]
This is very dangerous. It makes the path not relative to where the jar is, but to where you invoke the java command.
The OP's request is to have the (log4j) properties file outside of the jar maybe for easier editing.
Adding any known folder in the file system to the class path is the only way I know to achieve this (Do you know better?). Following this you could try to guess paths to add, hoping that they will exist on all systems you will use, and place the properties file(s) there. On the other hand the current working dir the java command is invoked in is predictable. Usually it's the directory the jar itself is located...
I agree that this solution can be dangerous and opens the possibility to access classes located in a valid package structure below current working dir . But if you add the ' *.* ' as the last entry in your classpath at least the classes from all your other jars are accessed first...
bye
TPD