Nat (DMZ,outside) source dynamic any interface

Similar Messages

• Nat (inside,outside) source dynamic any interface

  Hi Everyone,
  Does config below
  ASA1(config)# nat (inside,outside)  source  dynamic  any  interface
  Will do the PAT  when source is any IP  from inside interface of ASA  and going to any destination IP   address?
  Regards
  MAhesh

  Hi Mahesh,
  Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the "inside" interface towards any destination address routed behind "outside" interface using the PAT IP address of "outside" interface.
  I would however suggest configuring the same NAT configuration by adding the "after-auto" parameter
  nat (inside,outside) after-auto source dynamic any interface
  What the "after-auto" parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind "inside".
  If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.
  - Jouni

• ASA5515 v8.6(1)2 NAT dmz public server

  Could I get a validation that this config is correct in that it allows inbound access to the web server
  and that I should be able to ping it from my inside interface.
  I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
  object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
  Example from 115904 doc.
  object network WebServerPublic
  host 24.25.26.80
  object network WebServerPrivate
  host 192.168.1.80
  nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
  With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
  And I cannot browse in from the outside to it either.
  I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
  The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
  ASA Version 8.6(1)2
  hostname A5515
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 24.25.26.254 255.255.255.240
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.1.0.252 255.255.240.0
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.1.254 255.255.255.0
  object network N_OBJ_10.1.0.0_20
  subnet 10.1.0.0 255.255.240.0
  object network N_OBJ_10.24.0.0_18
  subnet 10.24.0.0 255.255.192.0
  object network DNSServer
  host 10.24.0.86
  object network WebServerPrivate
  host 192.168.1.80
  object network WebServerPublic
  host 24.25.26.246
  object network N_OBJ_DMZ_24
  subnet 192.168.1.0 255.255.255.0
  object-group network CampusNetworks
  network-object 10.1.0.0 255.255.240.0
  network-object 10.24.0.0 255.255.192.0
  access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
  access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
  access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
  access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
  access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
  access-list dmz_access_in extended permit udp any object DNSServer eq domain
  access-list dmz_access_in extended deny ip any object-group CampusNetworks
  access-list dmz_access_in extended permit ip any any
  nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
  nat (dmz,outside) source static WebServerPrivate WebServerPublic
  nat (inside,dmz) source static CampusNetworks CampusNetworks
  nat (inside,outside) after-auto source dynamic CampusNetworks interface
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
  route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
  Thanks

  Hi,
  You have some conflicting NAT configurations
  For example you have this
  nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
  This overrides your Static PAT configuration that you are trying to achieve
  Also one note regarding one of your NAT configurations
  nat (inside,dmz) source static CampusNetworks CampusNetworks
  You dont need NAT between local interfaces. No nat is done by default. So the traffic between "dmz" and "inside" should go trough untranslated without any need for NAT configurations.
  If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
  object-group network DEFAULT-PAT-SOURCE
  network-object 10.1.0.0 255.255.240.0
  network-object 10.24.0.0 255.255.192.0
  network-object 192.168.1.0 255.255.255.0
  nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
  object network WEB-SERVER
  host 192.168.1.80
  nat (dmz,outside) static interface service tcp 80 80
  access-list outside_access_in permit tcp any object WEB-SERVER eq 80
  access-list outside_access_in permit tcp any object WEB-SERVER eq 443
  The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
  - Jouni

• Auto NAT and outside pool ip address

  Hi Everyone,
  If i do Auto NAT  from DMZ  interface to outside  interface using config below
  object network Auto_NAT
  subnet 192.168.70.0 255.255.255.0                           *********************DMZ  subnet
  description Auto NAT  DMZ Interface
  object network Outside_pool
  range 192.168.51.3 192.168.51.100
  object network Auto_NAT
  nat (DMZ,outside) dynamic Outside_pool
  My outside interface has IP  of 192.168.71.2
  I am unable to access the internet using above config 
  when i change the range in outside_pool  to 192.168.71.3 192.168.71.100  i am able to access the internet.
  Does this mean that using auto nat using dynamic NAT  the outside pool range should be in same subnet as outside interface  ip address?
  Regards
  MAhesh

  Hi  Julio,
  Thanks  for replying back
  ciscoasa# sh cap capdmz
  4 packets captured
     1: 23:36:38.000350       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
  request
     2: 23:36:42.849779       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
  request
     3: 23:36:47.841860       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
  request
     4: 23:36:52.849428       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
  request
  4 packets shown
  ciscoasa# sh cap capout
  36 packets captured
     1: 22:03:42.616057       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     2: 22:03:47.348538       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     3: 22:03:52.340741       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     4: 22:03:57.348233       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     5: 22:06:25.034544       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     6: 22:06:29.839144       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     7: 22:06:34.846864       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     8: 22:06:39.838854       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
     9: 22:08:08.405313       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    10: 22:08:13.345929       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    11: 22:08:18.337842       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    12: 22:08:23.345486       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    13: 22:08:28.337491       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    14: 22:51:16.824237       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    15: 22:51:21.333799       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    16: 22:51:26.333066       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    17: 22:51:31.334409       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    18: 22:52:32.936276       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    19: 22:52:37.844743       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    20: 22:52:42.834734       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    21: 22:52:47.834185       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    22: 22:52:52.834307       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    23: 22:52:57.834643       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    24: 22:53:02.834917       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    25: 22:53:07.834246       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    26: 22:53:12.834536       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    27: 22:53:17.845979       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    28: 22:53:22.834154       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    29: 22:53:27.834475       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    30: 22:53:32.834780       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    31: 22:53:37.834078       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    32: 22:53:42.833422       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
  request
    33: 23:36:38.000671       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
  request
    34: 23:36:42.850084       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
  request
    35: 23:36:47.842104       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
  request
    36: 23:36:52.849733       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
  request
  36 packets shown
  ciscoasa#
  Regards
  Mahesh

• Nat (inside,outside) static 200.x.x.x

  Hi Everyone,
  Say we have webserver which has internal IP of 172.16.10.10
  If we need outside users from internet who need to access the webserver on IP say  200.x.x.x
  We can config the NAT as below also
  nat (inside,outside) static 200.x.x.x
  Regards
  Mahesh

  Hi Mahesh,
  I would usually configure a normal Static NAT as Network Object NAT
  You first configure a "object network " under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network ".
  object network STATIC
  host 172.16.10.10
  nat (inside,outside) static 200.x.x.x
  Depending on how the rest of the NAT configuration is built, some other NAT rule might override this but personally I have not had problem with configuring Static NAT this way.
  You also have an option to configure the NAT in the following way
  object network SERVER-REAL
  host 172.16.10.10
  object network SERVER-MAPPED
  host 200.x.x.x
  nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
  As you can see the difference from the first way I mentioned is the fact that we use Manual NAT / Twice NAT to configure this Static NAT. We create 2 "object network " which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
  The difference with the above 2 NAT configurations is that the Network Object NAT s on lower priorty in the ASA NAT rules compared to the above Manual NAT.
  - Jouni

• Question about NAT Inside Source, Inside Destination, and Outside Source

  I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't have a clear understanding of how to associate the commands with "ip nat inside" and ip nat outside" configured for interfaces.
  Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
  Since NAT is a bidirectional action, what's the difference between "ip nat inside cource ..." and "ip nat inside destination ..."?
  I've never used "ip nat outside source ...". In what cases would it be needed?
  On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
  Thanks for help with any questions.
  Gary

  Hi Gary,
  The following documents may help you to understand some of the terminology:
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
  Also, the following document has a clear explanation of the order of operations when using NAT:
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
  Hope that helps - pls rate the post if it does.
  Paresh

• Ip nat outside source static

  I'm struggling to figure out why you would need the 'ip nat outside source static' command. The 'inside source static' makes perfect sense, but why the outside. In what type of scenario would you use it?
  Any help would be appreciated

  h1 (192.168.10.2)  -> R1 -> (ip nat inside)  R2 (ip nat outside)  -> R3 -> s1 (172.16.5.2)
  On R2
  ip nat outside source static 192.168.11.2  172.16.5.2
  would mean -
  h1 would send traffic to 192.168.11.2  and the destination IP would be translated to 172.16.5.2 and if s1 sends traffic to h1 the source IP would be 192.168.11.2.
  One reason to do this would be, using the above example, your internal network uses 192.168.x.x IP addressing and you do not want to have to advertise the 172.16.5.x IP within your network.
  So instead you choose an unused 192.168.x.x IP and as long as R1 routes traffic for that IP to R2 it is then translated to 172.16.5.2 on R2 which means your internal routers do not need to have external IP addresses in their routing tables.
  Jon

• I have an iMac5,1 with an intel processor.  For the last month or so, whenever I play a video from an outside source - e.g. YouTube, the picture jumps and breaks-up.  All of my software is up-to-date.  Any thoughts on how to fix this problem?

  I have an iMac5,1 with an intel processor.  For the last month or so, whenever I play a video from an outside source - e.g. YouTube, the picture jumps and breaks-up.  All of my software is up-to-date.  Any thoughts on how to fix this problem?

  You're welcome. As to checking speed go to http://speedtest.net/ and it will choose the closest server for you. BTW, whatever you do, don't click on the robot icon that says "Start Scan" or MacKeeper below that. Only use the speed test in the middle that has the button BEGIN TEST on it. It will run a download speed test first and then an upload speed test. The download test will give a much faster response.

• ASA 5505 9.1 and NAT issues to single dynamic IP

  Good afternoon everybody, 
  a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
  Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
  As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
  <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
  <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
  In the same time, the consolle connection shows these two messages :
  Asa5505# ERROR: NAT unable to reserve ports.
  ERROR: NAT unable to reserve ports.
  I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
  This is the configuration file, I  have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
  Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
  ASA Version 9.1(5) 
  hostname Asa5505
  domain-name home
  enable password XXXXXX encrypted
  names
  interface Ethernet0/0
   description ADSLPPoE
   switchport access vlan 2
  interface Ethernet0/1
   description Internal_LAN
  interface Ethernet0/2
   description Management_Net 
   switchport access vlan 3
  interface Ethernet0/3
   shutdown
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   description Uplink
   switchport trunk allowed vlan 1,3
   switchport trunk native vlan 1
   switchport mode trunk
  interface Ethernet0/6
   description Wireless-POE
   switchport trunk allowed vlan 1,3
   switchport trunk native vlan 1
   switchport mode trunk
  interface Ethernet0/7
   description Webcam-POE 
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.250 255.255.255.0 
  interface Vlan2
   nameif outside
   security-level 0
   pppoe client vpdn group AliceADSL
   ip address pppoe setroute 
  interface Vlan3
   no forward interface Vlan1
   nameif management
   security-level 100
   ip address 10.5.1.250 255.255.255.0 
  ftp mode passive
  clock timezone CEST 1
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
   name-server 192.168.1.4
   domain-name home
  object network Exchange-HTTPS
   host 192.168.1.150
  object network Exchange-SMTP
   host 192.168.1.150
  object network Network_Inside
   subnet 192.168.1.0 255.255.255.0
  object network Network_Management
   subnet 10.5.1.0 255.255.255.0
  access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
  access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
  pager lines 24
  logging enable
  logging asdm warnings
  mtu inside 1500
  mtu outside 1492
  mtu management 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network Exchange-HTTPS
   nat (inside,outside) static interface service tcp https https 
  object network Exchange-SMTP
   nat (inside,outside) static interface service tcp smtp smtp 
  object network Network_Inside
   nat (inside,outside) dynamic interface
  object network Network_Management
   nat (management,outside) dynamic interface
  access-group Outside_ACL in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 8080
  http 10.5.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access management
  vpdn group AliceADSL request dialout pppoe
  vpdn group AliceADSL localname aliceadsl
  vpdn group AliceADSL ppp authentication pap
  vpdn username aliceadsl password ***** store-local
  dhcpd address 192.168.1.100-192.168.1.130 inside
  dhcpd dns 192.168.1.4 192.168.1.150 interface inside
  dhcpd wins 192.168.1.4 interface inside
  dhcpd enable inside
  dhcpd address 10.5.1.30-10.5.1.40 management
  dhcpd dns 208.67.222.222 208.67.220.220 interface management
  dhcpd enable management
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   port 10443
   anyconnect-essentials
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map 
    inspect ftp 
    inspect h323 h225 
    inspect h323 ras 
    inspect ip-options 
    inspect netbios 
    inspect rsh 
    inspect rtsp 
    inspect skinny  
    inspect esmtp 
    inspect sqlnet 
    inspect sunrpc 
    inspect tftp 
    inspect sip  
    inspect xdmcp 
  service-policy global_policy global
  prompt hostname context 
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:XXXXXXXX
  : end
  no asdm history enable
  Thanks in advance for your precious help !
  C.

  Update 29th of June :
  Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
  I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
  Two brief questions :
  1) in my NAT statements for PAT, does it change anything if I modify them (for example) from 
  nat (inside,outside) static interface service tcp https https
  to
  nat (inside,outside) dynamic interface service tcp https https 
  ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
  2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
  Thank you for your precious help and patience !
  C.

• ASA5510 - Verifying NAT is fully disabled between two interfaces

  Hello,
  I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.
  I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to  the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.
  So far I have the following NAT related running-config command (in regards to these two interfaces):
  access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface inside
  access-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
  access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface inside
  access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
  access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
  nat (inside) 0 access-list NAT_Exempt_2
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (Inside-test) 0 access-list NAT_Exempt
  nat (Inside-test) 1 0.0.0.0 0.0.0.0
  global (outside) 1 interface
  global (Inside-test) 1 interface
  Let me know if more information is needed for you to assist me futher.
  Thank you.

  Thank you Jennifer for your responses.
  Do I need to include access-list commands for both directions for each interface as listed in my full config above, or do I just need one for one direction on one and one direction on the other interface (plus the exempt for the 69.x.x.x network)?
  Would this config suffice?
  access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
  access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 69.87.157.192 255.255.255.224
  access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 69.87.157.192 255.255.255.224
  nat (inside) 0 access-list NAT_Exempt_2
  nat (inside-test) 0 access-list NAT_Exempt
  Will I need to clear xlate to see the results of this or will this take affect immediately? I can't really do that during business hours, but should be able to after hours if I need to.
  Can you clarify what the global commands do? I keep thinking that it adds the IP of the Interface to packets as they go through the interface and that I should use a different config for the Inside-test network.
  I will try the xlate detail to verify and let you know what I find.
  Thank you.

• Dynamic user interfaces

  Hello,
  here's a little teaser for user interface experts out there:
  I wonder what kind of techniques ABAP offers for creating dynamic user interfaces.
  When talking of 'dynamic' I imagine something like an arbitrary number of 'containers' where other programs (classes f.ex.) can draw their own user interface into.
  In Java this could be realized with the container concept in swing.
  I have done some research on this topic and the results are so far:
  a plain dynpro: seems to have no dynamic at all -> not an option
  a plain dynpro with a tabstrip: in case the number of tabs CAN be set at runtime AND the subscreens CAN be drawn from inside separate classes -> a definite option otherwise not an option
  any kind of web-frontend (BSP, JSP etc.): web-frontends are not allowed by company restrictions -> not an option
  dynamic documents: I could not find many information on these yet (also not on sdn). In case that an arbitrary number of parts of the dynamic document can be created from inside separate classes -> an option otherwise not an option
  I will be happy about any further information on this topic.
  Best regards,
  Patrick Baer

  I spent some time today doing research on BSP's and built a "BSP-Viewer" embedded into the SAP-GUI. Though I like the concept of BSP's a lot (like I did already with JSP's) but company restricitions are too strict. So BSP's are out of the play.
  After the discussion I started to play around with the different containers and basically I'm quite pleased with them and the "cl_gui_container_bar" allows an arbirtary number of "subscreens" which matches my requirements.
  But as usual there's still a downside:
  I found no option to built text labels and text fields into a container. Unless this is possible I can't give this approach a chance. I already found some postings which seemed to confirm that this is in fact not possible but I can't really believe it. At least from what it looks like it seems to me that the object navigator utilizes both: splitters, containers and all the stuff AS WELL AS the "classical" elements like text boxes, labels and so on.
  Any ideas on how to combine the container concept with text fields, labels maybe whole dynpros or subscreens ?
  Best regards,
  Patrick Baer

• Creating Node data on Author server from outside source?

  I was wondering if it is possible to create node data on the author server from an outside source such as the publish server, without using reverse replication?
  IE,
  User accessing form page on publish server, enters data, submits the form. Which somehow would create node data directly on the author server without storing any data on the publish server.
  Is this even possible?
  Thanks

  Thank you for all the responses.
  Yes I do agree that not using reverse replication as the system is designed is not exactly a wise design choice. The problem I am facing is that the end user generated content is security sensitive and cannot be store on the publish instance. (Even temporarily)
  I have managed to write a servlet on the Author server to accept the post data and create node data on the Author repository.
  However to do this, I have had to disable login/security on the Author server for the servlet path (IE /bin/posthandlerservlet ) so that the author servlet can be accessed from the outside. Firewall has also been adjusted to let traffic through as well.
  Now my remaining question would be, is opening up this path to the Author server much more dangerous and less secure that creating the node data on the Publish server in a place that protected access? We are really worried that the node created data on the publish server could somehow be accessed by end users in the event of a security problem.

• Flash drive new version 11. ask for outside source to store files on pc.

  new version of flash drive adobe 11 ask for outside source. if they could file on my computer. new version came with mac a fee securty . i have a virus protection allredy . my knowlege u can not run to virus program.

  Re: McAfee - you're right. Two A/V programs is bad. Uninstall McAffee.
  Re: Storage. In order to view Flash content (videos or games), you NEED to allow a small amount of data to be stored in your temp folder, to prevent the content from constantly stopping and restarting. As always, if you have ANY reason to be suspicious of a site you're visiting, then you have reason the be suspicious of what it may want to store on your system but for the most part, Flash data is video "buffering" content and nothing more.

• I need to count intermitte​nt high speed pulses from an outside source with cFP-CTR-50​2 and labview.

  I need to count intermittent high speed pulses from an outside source with cFP-CTR-502 and Labview 8.2 . I've found example code for generating pulses and creating intricate count setups but no straightforward examples of a simple counter. Any suggestions?

  Hello tinfish,
  I could not find a simple example that implements simple counting either, but it should be straightforward enough for us to try. Do you have the CTR module configured properly in MAX? If so, can you monitor the channels on your CTR 502 for input? Try connecting a square wave or some other digital pulse to the terminal to test the functionality of the counter module first (before programming). If you monitor the input channels with somethign connected you should see the count increment each time it sees a rising edge (assuming default configuration).
  Once you've verified that everything works in MAX, you can set up your CTR module in a LV 8.2 project. If you need help with this, refer to the help document (look in the "Configuring FieldPoint in LabVIEW" section):
  C:\Program Files\National Instruments\FieldPoint\documentation\Online Help\fplv.chm
  You should be able to just read a channel tag from your CTR 502 using an FP Read VI. (Simply drag the channel from your project onto the block diagram). Since counting is the default behavior of the 502, there is no special programming involved to make it work.
  I hope this helps -- if it's too high-level we can talk details about specific questions you have.  Have a good one!
  Charlie S.
  Visit ni.com/gettingstarted for step-by-step help in setting up your system

• Access log4j.properties outside source folder

  Hi,
  I have developed a standalone java application, for logging the application i have created a log4j.properties in the source folder.
  it is woring fine and the logs are created as specified in the properties file.
  Issue:
  i have created a jar which contains the complete source code and log4j.properties file.
  if i try to create a jar without log4j.properties since the properties file will change by customer frequantly, i need to keep the log4j.properties outside the source folder.
  but my jar is unable to access the log4j.properties when i try to run the appplication.
  Question:
  how do we access the log4j.properties from outside source folder?
  thanks,
  J R

  gimbal2 wrote:
  T.PD wrote:
  In addition what gimbal2 sad: Do you create a MANIFEST.MF file in your jar?
  If so you should add (or extend) the ClassPath entry to include the current directory ( *.* ) so you can have the log4j.properties file in the folder where you call your jar from:[...]This is very dangerous. It makes the path not relative to where the jar is, but to where you invoke the java command.The OP's request is to have the (log4j) properties file outside of the jar maybe for easier editing.
  Adding any known folder in the file system to the class path is the only way I know to achieve this (Do you know better?). Folliwing this you could try to guess paths to add hoping that they will exist on all Systems you will use and place the properties file(s) there. On the other hane the current working dir the java command is invoked in is perdictable. Usually it's the directory the jar itself is located...
  I agree that this solution can be dangerous and opens the possibility to access classes located in a valid package structure below current working dir . But if you add the ' *.* ' as the last entry in your classpath at least the classes from all your other jars are accessed first...
  bye
  TPD