NAT object with destination address exclusion (ASA)

Similar Messages

• NAT ASA destination address

  Hi
  I am using a ASA 5540 running version 7.2(3) and would like to pass all http and https requests coming from the inside of the ASA to an external proxy server on the internet (All request need to pass to port 8080). I've tried using static commands but can only seem to NAT on the inside source address and not the destination address. Have also tried the same using dynamic NAT but again can only NAT on the source address.
  Is there a way of NATing the destination address when coming from the inside of firewall?
  Alternatively, if anyone can suggest another way of diverting http requests to a proxy server on the internet that would be appreciated.

  It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT),  the number of "real" addresses to be translated (as specified in the ACL) needs to equal to the number of addresses used for translation (which is only 1 address).
  For example, my Cisco ASA 5505 took gave no errors when I entered the following:
  Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)
  access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105
  static (inside,outside) 192.168.1.253  access-list staticPOLICYnat
  The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105
  Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.
  However, in the past I also wondered if I could translate more than one real addresses and map them to one global address using the ACL and static nat combo (which amounts to static policy nat).  But I have not been able to get that to work.  For example, entering the following provided me with the "global address overlaps with mask" error.
  Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)
  access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105
  static (inside,outside) 192.168.1.253  access-list staticPOLICYnat
  The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"
  In my experience, it is, however, possible to map/translate more than one "real" IP addresses to one mapped/translated IP address using dynamic policy NAT.  So for example, the following was accepted by my ASA with no errors.
  Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)
  access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105
  nat (inside) 2 access-list staticPOLICYnat
  global (outside) 2 192.168.1.253
  If anyone knows how to translate or map multiple IP addresses to a single IP address using static policy NAT, please do share.
  Best Regards,
  David

• Cisco asa traffic flow with destination nat

  Hi Folks,
                     Can anybody comment on the below.
  1.  in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
  2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
  regards
  Rajesh

  The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
  The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
  That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
  The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
  The short answer:
  The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
       If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
       If there is a rule that explicitly specifies how to translate the packets destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
  The longer answer:
  For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
  Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
       Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
  Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
       Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
     -or-
       Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
       If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
  Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be mis-leading.
  Now lets refer to the specific example you outlined in your post; you said:
  route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
  route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
  nat (LAN,ISP-1) after-auto source dynamic any interface
  nat (LAN,ISP-2) after-auto source dynamic any interface
  Now lets say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
  The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
  It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
  It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
  Message was edited by: Jay Johnston

• Natting of Destination Address

  Is is possble to nat the destination address. What I am trying to do it change DNS servers. I would like to have traffic going to the old address be natted but traffic going to the new address not be natted. Finally if the DNS devices generates traffic it would not be natted.

  I understand it may be tricky, that is why I posted it. The DNS server is an internal server so from the router point of view I can make it either inside or outside. Currently it is connected directly to a 6509, but the thought is to put a 3640 between the DNS server and the 6509 and using static routes on the 6509 direct traffic for either address to the 3640 and then to the new server. My thought was to do nating on the 3640, but as I indicated I have not be able to get the router to change or nat the destination address and also not to nat traffic to the new address or new traffic coming from the DNS server.
  If you are someone could give a specific config or point me to a cisco document that explains how to do this it would be great.

• Can I set a destination object with command line

  I have installed sun java system message queue 3.5 with sp1. Course of I can not run admin console, I want to know if I can set destination object with command.
  Thanks

  all admin console functions are supported through the
  command line administration tools
  To change attributes on a destination administered
  object, use imqobjmgr
  http://docs.sun.com/source/817-3727/adminobj.html#wp14381
  To create and administer physical destinations on the broker
  use imqcmd
  http://docs.sun.com/source/817-3727/brkrmgmt.html#wp19759

• Site to Site VPN Problems With 2801 Router and ASA 5505

  Hello,
  I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
  IP scheme at SIte A:
  IP    172.19.3.x
  sub 255.255.255.128
  GW 172.19.3.129
  Site A Ciscso 2801 Router
  Current configuration : 11858 bytes
  version 12.4
  service timestamps debug datetime localtime
  service timestamps log datetime localtime show-timezone
  service password-encryption
  hostname router-2801
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  logging buffered 4096
  aaa new-model
  aaa authentication login userauthen group radius local
  aaa authorization network groupauthor local
  aaa session-id common
  clock timezone est -5
  clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 172.19.3.129 172.19.3.149
  ip dhcp excluded-address 172.19.10.1 172.19.10.253
  ip dhcp excluded-address 172.19.3.140
  ip dhcp ping timeout 900
  ip dhcp pool DHCP
     network 172.19.3.128 255.255.255.128
     default-router 172.19.3.129
     domain-name domain.local
     netbios-name-server 172.19.3.7
     option 66 ascii 172.19.3.225
     dns-server 172.19.3.140 208.67.220.220 208.67.222.222
  ip dhcp pool VoiceDHCP
     network 172.19.10.0 255.255.255.0
     default-router 172.19.10.1
     dns-server 208.67.220.220 8.8.8.8
     option 66 ascii 172.19.10.2
     lease 2
  ip cef
  ip inspect name SDM_LOW cuseeme
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp
  ip inspect name SDM_LOW udp
  ip inspect name SDM_LOW vdolive
  no ip domain lookup
  ip domain name domain.local
  multilink bundle-name authenticated
  key chain key1
  key 1
     key-string 7 06040033484B1B484557
  crypto pki trustpoint TP-self-signed-3448656681
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
  revocation-check none
  rsakeypair TP-self-signed-344bbb56681
  crypto pki certificate chain TP-self-signed-3448656681
  certificate self-signed 01
    3082024F
              quit
  username admin privilege 15 password 7 F55
  archive
  log config
    hidekeys
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXX address 209.118.0.1
  crypto isakmp key xxxxx address SITE B Public IP
  crypto isakmp keepalive 40 5
  crypto isakmp nat keepalive 20
  crypto isakmp client configuration group IISVPN
  key 1nsur3m3
  dns 172.19.3.140
  wins 172.19.3.140
  domain domain.local
  pool VPN_Pool
  acl 198
  crypto isakmp profile IISVPNClient
     description VPN clients profile
     match identity group IISVPN
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto dynamic-map Dynamic 5
  set transform-set myset
  set isakmp-profile IISVPNClient
  qos pre-classify
  crypto map VPN 10 ipsec-isakmp
  set peer 209.118.0.1
  set peer SITE B Public IP
  set transform-set myset
  match address 101
  qos pre-classify
  crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
  track 123 ip sla 1 reachability
  delay down 15 up 10
  class-map match-any VoiceTraffic
  match protocol rtp audio
  match protocol h323
  match protocol rtcp
  match access-group name VOIP
  match protocol sip
  class-map match-any RDP
  match access-group 199
  policy-map QOS
  class VoiceTraffic
      bandwidth 512
  class RDP
      bandwidth 768
  policy-map MainQOS
  class class-default
      shape average 1500000
    service-policy QOS
  interface FastEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
  ip address 172.19.3.129 255.255.255.128
  ip access-group 100 in
  ip inspect SDM_LOW in
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/0.10
  description $ETH-VoiceVLAN$$
  encapsulation dot1Q 10
  ip address 172.19.10.1 255.255.255.0
  ip inspect SDM_LOW in
  ip nat inside
  ip virtual-reassembly
  interface FastEthernet0/1
  description "Comcast"
  ip address PUB IP 255.255.255.248
  ip access-group 102 in
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map VPN
  interface Serial0/1/0
  description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
  bandwidth 1536
  no ip address
  encapsulation frame-relay IETF
  frame-relay lmi-type ansi
  interface Serial0/1/0.1 point-to-point
  bandwidth 1536
  ip address 152.000.000.18 255.255.255.252
  ip access-group 102 in
  ip verify unicast reverse-path
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  frame-relay interface-dlci 500 IETF 
  crypto map VPN
  service-policy output MainQOS
  interface Serial0/2/0
  description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
  ip address 123.252.123.102 255.255.255.252
  ip access-group 102 in
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  crypto map VPN
  service-policy output MainQOS
  ip local pool VPN_Pool 172.20.3.130 172.20.3.254
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
  ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
  ip route 122.112.197.20 255.255.255.255 209.252.237.101
  ip route 208.67.220.220 255.255.255.255 50.78.233.110
  no ip http server
  no ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip flow-top-talkers
  top 20
  sort-by bytes
  ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
  ip nat inside source route-map PAETEC interface Serial0/2/0 overload
  ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
  ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
  ip access-list extended VOIP
  permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
  permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
  ip radius source-interface FastEthernet0/0
  ip sla 1
  icmp-echo 000.67.220.220 source-interface FastEthernet0/1
  timeout 10000
  frequency 15
  ip sla schedule 1 life forever start-time now
  access-list 23 permit 172.19.3.0 0.0.0.127
  access-list 23 permit 172.19.3.128 0.0.0.127
  access-list 23 permit 173.189.251.192 0.0.0.63
  access-list 23 permit 107.0.197.0 0.0.0.63
  access-list 23 permit 173.163.157.32 0.0.0.15
  access-list 23 permit 72.55.33.0 0.0.0.255
  access-list 23 permit 172.19.5.0 0.0.0.63
  access-list 100 remark "Outgoing Traffic"
  access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
  access-list 100 deny   ip host 255.255.255.255 any
  access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit tcp host 172.19.3.190 any eq smtp
  access-list 100 permit tcp host 172.19.3.137 any eq smtp
  access-list 100 permit tcp any host 66.251.35.131 eq smtp
  access-list 100 permit tcp any host 173.201.193.101 eq smtp
  access-list 100 permit ip any any
  access-list 100 permit tcp any any eq ftp
  access-list 101 remark "Interesting VPN Traffic"
  access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 101 permit tcp any any eq ftp
  access-list 101 permit tcp any any eq ftp-data
  access-list 102 remark "Inbound Access"
  access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
  access-list 102 permit udp any host 152.179.53.18 eq isakmp
  access-list 102 permit esp any host 152.179.53.18
  access-list 102 permit ahp any host 152.179.53.18
  access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
  access-list 102 permit udp any host 209.000.000.102 eq isakmp
  access-list 102 permit esp any host 209.000.000.102
  access-list 102 permit ahp any host 209.000.000.102
  access-list 102 permit udp any host PUB IP eq non500-isakmp
  access-list 102 permit udp any host PUB IP eq isakmp
  access-list 102 permit esp any host PUB IP
  access-list 102 permit ahp any host PUB IP
  access-list 102 permit ip 72.55.33.0 0.0.0.255 any
  access-list 102 permit ip 107.0.197.0 0.0.0.63 any
  access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
  access-list 102 permit icmp any any echo-reply
  access-list 102 permit icmp any any time-exceeded
  access-list 102 permit icmp any any unreachable
  access-list 102 permit icmp any any
  access-list 102 deny   ip any any log
  access-list 102 permit tcp any host 172.19.3.140 eq ftp
  access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
  access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
  access-list 102 permit udp any host SITE B Public IP  eq isakmp
  access-list 102 permit esp any host SITE B Public IP
  access-list 102 permit ahp any host SITE B Public IP
  access-list 110 remark "Outbound NAT Rule"
  access-list 110 remark "Deny VPN Traffic NAT"
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
  access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
  access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 110 permit ip 172.19.3.128 0.0.0.127 any
  access-list 110 permit ip 172.19.10.0 0.0.0.255 any
  access-list 198 remark "Networks for IISVPN Client"
  access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 199 permit tcp any any eq 3389
  route-map PAETEC permit 10
  match ip address 110
  match interface Serial0/2/0
  route-map COMCAST permit 10
  match ip address 110
  match interface FastEthernet0/1
  route-map VERIZON permit 10
  match ip address 110
  match interface Serial0/1/0.1
  snmp-server community 123 RO
  radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  ntp server 128.118.25.3
  ntp server 217.150.242.8
  end
  IP scheme at site B:
  ip     172.19.5.x
  sub  255.255.255.292
  gw   172.19.5.65
  Cisco ASA 5505 at Site B
  ASA Version 8.2(5)
  hostname ASA5505
  domain-name domain.com
  enable password b04DSH2HQqXwS8wi encrypted
  passwd b04DSH2HQqXwS8wi encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.19.5.65 255.255.255.192
  interface Vlan2
  nameif outside
  security-level 0
  ip address SITE B public IP 255.255.255.224
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone est -5
  clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
  dns server-group DefaultDNS
  domain-name iis-usa.com
  same-security-traffic permit intra-interface
  object-group network old hosting provider
  network-object 72.55.34.64 255.255.255.192
  network-object 72.55.33.0 255.255.255.0
  network-object 173.189.251.192 255.255.255.192
  network-object 173.163.157.32 255.255.255.240
  network-object 66.11.1.64 255.255.255.192
  network-object 107.0.197.0 255.255.255.192
  object-group network old hosting provider
  network-object host 172.19.250.10
  network-object host 172.19.250.11
  access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
  access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
  access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
  access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
  access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
  access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
  access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
  access-list 10 extended permit icmp any any echo-reply
  access-list 10 extended permit icmp any any time-exceeded
  access-list 10 extended permit icmp any any unreachable
  access-list 10 extended permit icmp any any traceroute
  access-list 10 extended permit icmp any any source-quench
  access-list 10 extended permit icmp any any
  access-list 10 extended permit tcp object-group old hosting provider any eq 3389
  access-list 10 extended permit tcp any any eq https
  access-list 10 extended permit tcp any any eq www
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
  pager lines 24
  logging enable
  logging timestamp
  logging console emergencies
  logging monitor emergencies
  logging buffered warnings
  logging trap debugging
  logging history debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip verify reverse-path interface inside
  ip verify reverse-path interface outside
  ip audit name jab attack action alarm drop reset
  ip audit name probe info action alarm drop reset
  ip audit interface outside probe
  ip audit interface outside jab
  ip audit info action alarm drop reset
  ip audit attack action alarm drop reset
  ip audit signature 2000 disable
  ip audit signature 2001 disable
  ip audit signature 2004 disable
  ip audit signature 2005 disable
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit 75.150.169.48 255.255.255.240 outside
  icmp permit 72.44.134.16 255.255.255.240 outside
  icmp permit 72.55.33.0 255.255.255.0 outside
  icmp permit any outside
  icmp permit 173.163.157.32 255.255.255.240 outside
  icmp permit 107.0.197.0 255.255.255.192 outside
  icmp permit 66.11.1.64 255.255.255.192 outside
  icmp deny any outside
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group 10 in interface outside
  route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
  timeout xlate 3:00:00
  timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http 107.0.197.0 255.255.255.192 outside
  http 66.11.1.64 255.255.255.192 outside
  snmp-server host outside 107.0.197.29 community *****
  snmp-server host outside 107.0.197.30 community *****
  snmp-server host inside 172.19.250.10 community *****
  snmp-server host outside 172.19.250.10 community *****
  snmp-server host inside 172.19.250.11 community *****
  snmp-server host outside 172.19.250.11 community *****
  snmp-server host outside 68.82.122.239 community *****
  snmp-server host outside 72.55.33.37 community *****
  snmp-server host outside 72.55.33.38 community *****
  snmp-server host outside 75.150.169.50 community *****
  snmp-server host outside 75.150.169.51 community *****
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 10 match address 110
  crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
  crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
  crypto map VPNMAP 10 set security-association lifetime seconds 86400
  crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 172.19.5.64 255.255.255.192 inside
  telnet 172.19.3.0 255.255.255.128 outside
  telnet timeout 60
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd dns 172.19.3.140
  dhcpd wins 172.19.3.140
  dhcpd ping_timeout 750
  dhcpd domain iis-usa.com
  dhcpd address 172.19.5.80-172.19.5.111 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection scanning-threat shun except object-group old hosting provider
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 128.118.25.3 source outside
  ntp server 217.150.242.8 source outside
  tunnel-group 72.00.00.7 type ipsec-l2l
  tunnel-group 72.00.00.7 ipsec-attributes
  pre-shared-key *****
  tunnel-group old vpn public ip type ipsec-l2l
  tunnel-group old vpn public ip ipsec-attributes
  pre-shared-key *****
  tunnel-group SITE A Public IP  type ipsec-l2l
  tunnel-group SITE A Public IP  ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect pptp
    inspect sip 
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:
  : end

  I have removed the old "set peer" and have added:
  IOS router:
  access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
  ASA fw:
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
  on the router I have also added;
  access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
  Here is my acl :
  access-list 110 remark "Outbound NAT Rule"
  access-list 110 remark "Deny VPN Traffic NAT"
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
  access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
  access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 110 permit ip 172.19.3.128 0.0.0.127 any
  access-list 110 permit ip 172.19.10.0 0.0.0.255 any
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
  access-list 198 remark "Networks for IISVPN Client"
  access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  Still no ping tothe other site.

• Multiple public IP Addresses on ASA 5505?

  Hi
  Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2). If so, how?
  Thanks in advance for your help with my request.
  d

  Hello Douglas,
  you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.
  The rest is icing on a cake, and you achive this with the help of NAT.
  Lets say you're provided a network with a mask of 255.255.255.248, then nets, or subnets, jump on the number 8.
  1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
  2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
  3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 adresses
  and so forth
  Lets take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.
  If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create a object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
  If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create a object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
  That all works through 1 cable, 1 interface assigned with the right MASK
  Hope that clears the skys?
  Pls, rate right answers!

• Double computer name on network and NAT issue with Back to My Mac

  These are the problems I am having:
  When my MacPro workstation (which on the network is named "The Beast") wakes from sleep - I get a message saying "there is already a computer on the network with the name "The Beast". Other computers on the network can now find you at "The Beast-2"" and it gives me a new name in the file sharing preferences - even though it is the only computer on the network with that name.
  Why is this happening???
  The other problem is with BackTo My Mac - When I try to enable it - I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
  Here is my network setup which consists of the Modem / Router from my ISP - an Airport Extreme Base Station and one Airport Express - which is connected to my MacPro via ethernet. The MacPro does not have an airport card installed and is running OSX 10.6.8 - all other computers / devices are running 10.7.x and iOS6).
  VDSL Modem / Router (from Internet provider) with wireless turned off - (so it is not broadcasting a competing wireless signal) - connected via ethernet to my Airport Extreme Base Station.
  Here are all the settings on the AEBS and the Airport Express: - I am using Airport Utility 5.6.1 on my Mac Pro running OSX 10.6.8 - so the setup prefs are different than the newer version of Airport Utility found on 10.7.x systems - but both work fine. Although I did notice that the option to allow ethernet clients to connect to the Airport Express does not exist (or I just didn't find it) in the newer version of Airport Utility.
  Airport Extreme Base Station is set up as follows:
  Wireless Mode: Create a Wireless Network
  Wireless Settings:
  Allow this network to be extended IS CHECKED
  Radio Mode: 802.11n (b and g compatible)
  Wireless Security: WPA/WPA2 Personal
  Access Control:
  MAC Address Access Control: Not Enabled
  Internet Settings:
  Internet Connection:
  Connect Using: Ethernet
  Connection Sharing: OFF (Bridge Mode).
  TCP/IP:
  Configure IPv4: Using DHCP
  Advanced Settings:
  Logging & Statistics:
  Syslog Destination Address is blank (as in nothing appears in this field).
  Syslog Level: 5 - Notice
  Allow SNMP is CHECKED
  MobileMe:
  Back to my Mac is turned off - but if I try to turn it on I get an error message saying "Turn off NAT Addressing - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
  IPv6:
  IPv6 Mode: Link-local only
  As stated - my MacPro with no wifi card -  is connected via ethernet to an Airport Express which connects wirelessly to the AEBS for network and internet access.
  Airport Express Settings:
  Airport Settings:
  Wireless Mode: Join a Wireless Network
  Allow Ethernet Clients IS CHECKED
  Wireless Security WPA/WPA2 Personal
  Internet Settings: Are grayed out (as in I can't change these settings - I assume because they are being controlled by the AEBS) and read as follows:
  Connect Using: Wireless Network
  Connection Sharing: OFF (Bridge Mode)
  TCP/IP:
  Configure IPv4: using DHCP
  All other settings are identical to the AEBS.
  All other WiFi devices in the house (MacBook Pro, iPhones, iPad's, iMac, Apple TV, Nintendo Wii etc…all are able to connect to the network and connect to the internet - no problem.
  Thanks for any insights into what might be causing the double name on the network and why it is asking me to turn off NAT addressing - when both my Airport devices are in Bridge Mode?

  I am also having this issue... any updates on this??

• Change destination address

  Hello,
  I would know: It would be possible to implement in a Catalyst 6500, when a packet reaches with destination IP address 10.2.2.20 is redirected to IP 10.2.2.58 (are servers)
  Is that possible making some kind of NAT ?
  Regards,
  S.

  Hi
  There is a function called SLB ( server load balancing ) that You can investigate. It might be what You are looking for.
  here are 2 links to start with.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080093de3.shtml
  http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a0080134735.shtml?referring_site=bodynav
  /Mikael

• Tracing TCP Source/Destination Addresses/Ports for ongoing connections

  On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.
  The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
  #!/usr/sbin/dtrace -Cs
  #pragma D option switchrate=10hz
  #pragma D option bufsize=512k
  #pragma D option aggsize=512k
  #include <sys/file.h>
  #include <inet/common.h>
  #include <sys/byteorder.h>
  #include <sys/socket.h>
  #include <sys/socketvar.h>
  /* First pass, for all TCP Read/Write actions, collect source/destination
     IP + Port - after a few secs, print them all out */
  fbt:ip:tcp_send_data:entry
    /* Outgoing TCP */
    self->connp = (conn_t *)args[0]->tcp_connp;
  fbt:ip:tcp_rput_data:entry
    /* Incoming TCP */
    self->connp = (conn_t *)arg0;
  fbt:ip:tcp_send_data:entry,
  fbt:ip:tcp_rput_data:entry
  /self->connp/
    /* fetch ports */
  #if defined(_BIG_ENDIAN)
    self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
    self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
  #else
    self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
    self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
  #endif
    /* fetch IPv4 addresses */
    this->fad12 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
    this->fad13 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
    this->fad14 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
    this->fad15 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
    this->lad12 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
    this->lad13 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
    this->lad14 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
    this->lad15 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
  /* At this point, this->{f|l}ad1{2345}->connua_v6addr.connua_{f|l}addr._S6_un.S6_u8
      are empty - where is this data? */
  }

  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/command/reference/CmdGrpC.html#wp1139667
  portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
  disable
  Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of UDP traffic hitting a particular source group. This option does not affect TCP flows.
  For applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups. Destination services cause the CSS to NAT the client source ports, but not the destination ports.
  Note If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group does not successfully traverse the CSS.
  The CSS maintains but ignores any base-port or number-of ports (see the options above) values configured in the source group. If you later reenable port mapping for that source group, any configured base-port or number-of ports values will take effect. The default behavior for a configured source group is to NAT both the source IP address and the source port for port numbers greater than 1023.
  There is no possibility to disable it for TCP.
  We need to source nat the port to guarantee that the server response comes back on the same module/CPU and the internal packet allocation algorithm is based on src and dst ports.µ
  Gilles:

• Error while creating the HTTP client with destination GB_DPSRetrieve

  Hi All,
  It is an interface R/3 -->XI --> HTTP ( proxy to HTTP ).
  Please find the error log below and throw some light why the HTTP adapter is getting error -
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
  - <!--  Call Adapter
    -->
  - <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SAP="http://sap.com/xi/XI/Message/30">
  - <SOAP:Header>
  - <SAP:Main xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" versionMajor="003" versionMinor="000" SOAP:mustUnderstand="1" wsu:Id="wsuid-main-92ABE13F5C59AB7FE10000000A1551F7">
    <SAP:MessageClass>SystemError</SAP:MessageClass>
    <SAP:ProcessingMode>synchronous</SAP:ProcessingMode>
    <SAP:MessageId>DC98499F-7E42-74F1-A41F-0017A4107EE6</SAP:MessageId>
    <SAP:RefToMessageId>DC98499C-A1EA-BEF1-B4DD-00110A63BF06</SAP:RefToMessageId>
    <SAP:TimeSent>2007-11-21T15:51:30Z</SAP:TimeSent>
  - <SAP:Sender>
    <SAP:Party agency="http://sap.com/xi/XI" scheme="XIParty">GovernmentGateway</SAP:Party>
    <SAP:Service>GGMailbox</SAP:Service>
    <SAP:Interface namespace="http://sap.com/xi/E-FILING_GB/2005">DPSretrieve</SAP:Interface>
    </SAP:Sender>
  - <SAP:Receiver>
    <SAP:Party agency="" scheme="" />
    <SAP:Service>SAP_DEV_ERP2005</SAP:Service>
    <SAP:Interface namespace="http://sap.com/xi/HR">HR_GB_EFI_DPSretrieve</SAP:Interface>
    </SAP:Receiver>
    <SAP:Interface namespace="http://sap.com/xi/E-FILING_GB/2005">DPSretrieve</SAP:Interface>
    </SAP:Main>
  - <SAP:ReliableMessaging xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:QualityOfService>BestEffort</SAP:QualityOfService>
    </SAP:ReliableMessaging>
  - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:Category>XIAdapter</SAP:Category>
    <SAP:Code area="PLAINHTTP_ADAPTER">ATTRIBUTE_CLIENT_DEST</SAP:Code>
    <SAP:P1>GB_DPSRetrieve</SAP:P1>
    <SAP:P2 />
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText />
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>Error while creating the HTTP client with destination GB_DPSRetrieve</SAP:Stack>
    <SAP:Retry>N</SAP:Retry>
    </SAP:Error>
  - <SAP:HopList xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
  - <SAP:Hop timeStamp="2007-11-21T15:51:30Z" wasRead="false">
    <SAP:Engine type="BS">SAP_DEV_ERP2005</SAP:Engine>
    <SAP:Adapter namespace="http://sap.com/xi/XI/System">XI</SAP:Adapter>
    <SAP:MessageId>DC98499C-A1EA-BEF1-B4DD-00110A63BF06</SAP:MessageId>
    <SAP:Info>3.0</SAP:Info>
    </SAP:Hop>
  - <SAP:Hop timeStamp="2007-11-21T15:51:30Z" wasRead="false">
    <SAP:Engine type="IS">is.00.lbsth-tb1ci</SAP:Engine>
    <SAP:Adapter namespace="http://sap.com/xi/XI/System">XI</SAP:Adapter>
    <SAP:MessageId>DC98499C-A1EA-BEF1-B4DD-00110A63BF06</SAP:MessageId>
    <SAP:Info>3.0</SAP:Info>
    </SAP:Hop>
  - <SAP:Hop timeStamp="2007-11-21T15:51:30Z" wasRead="false">
    <SAP:Engine type="IS" />
    <SAP:Adapter namespace="http://sap.com/xi/XI/System">HTTP</SAP:Adapter>
    <SAP:MessageId>DC98499C-A1EA-BEF1-B4DD-00110A63BF06</SAP:MessageId>
    <SAP:Info />
    </SAP:Hop>
    </SAP:HopList>
  - <SAP:RunTime xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
    <SAP:Date>20071121</SAP:Date>
    <SAP:Time>155130</SAP:Time>
    <SAP:Host>lbsth-tb1ci</SAP:Host>
    <SAP:SystemId>XIS</SAP:SystemId>
    <SAP:SystemNr>00</SAP:SystemNr>
    <SAP:OS>Windows NT</SAP:OS>
    <SAP:DB>ORACLE</SAP:DB>
    <SAP:Language />
    <SAP:ProcStatus>023</SAP:ProcStatus>
    <SAP:AdapterStatus>000</SAP:AdapterStatus>
    <SAP:User>PISUPER</SAP:User>
    <SAP:TraceLevel>1</SAP:TraceLevel>
    <SAP:LogSeqNbr>000</SAP:LogSeqNbr>
    <SAP:RetryLogSeqNbr>000</SAP:RetryLogSeqNbr>
    <SAP:PipelineIdInternal>SAP_CENTRAL</SAP:PipelineIdInternal>
    <SAP:PipelineIdExternal>CENTRAL</SAP:PipelineIdExternal>
    <SAP:PipelineElementId>60C3C53B4BB7B62DE10000000A1148F5</SAP:PipelineElementId>
    <SAP:PipelineService>PLSRV_CALL_ADAPTER</SAP:PipelineService>
    <SAP:QIdInternal />
    <SAP:CommitActor>X</SAP:CommitActor>
    <SAP:SplitNumber>0</SAP:SplitNumber>
    <SAP:NumberOfRetries>0</SAP:NumberOfRetries>
    <SAP:NumberOfManualRetries>0</SAP:NumberOfManualRetries>
    <SAP:TypeOfEngine client="200">CENTRAL</SAP:TypeOfEngine>
    <SAP:PlsrvExceptionCode />
    <SAP:EOReferenceRuntime type="TID" />
    <SAP:EOReferenceInbound type="TID" />
    <SAP:EOReferenceOutbound type="TID" />
    <SAP:MessageSizePayload>0</SAP:MessageSizePayload>
    <SAP:MessageSizeTotal>2918</SAP:MessageSizeTotal>
    <SAP:PayloadSizeRequest>0</SAP:PayloadSizeRequest>
    <SAP:PayloadSizeRequestMap>0</SAP:PayloadSizeRequestMap>
    <SAP:PayloadSizeResponse>0</SAP:PayloadSizeResponse>
    <SAP:PayloadSizeResponseMap>0</SAP:PayloadSizeResponseMap>
    <SAP:Reorganization>INI</SAP:Reorganization>
    <SAP:AdapterInbound>PLAINHTTP</SAP:AdapterInbound>
    <SAP:AdapterOutbound>IENGINE</SAP:AdapterOutbound>
    <SAP:InterfaceAction>INIT</SAP:InterfaceAction>
    <SAP:RandomNumber>15</SAP:RandomNumber>
    <SAP:AckStatus>000</SAP:AckStatus>
    <SAP:SkipReceiverDetermination />
    <SAP:Receiver_Agreement_GUID>24422A5646443F8E9D975D57A3EE8162</SAP:Receiver_Agreement_GUID>
    </SAP:RunTime>
  - <SAP:PerformanceHeader xmlns:SAP="http://sap.com/xi/XI/Message/30">
  - <SAP:RunTimeItem>
    <SAP:Name type="ADAPTER_IN">INTEGRATION_ENGINE_HTTP_ENTRY</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.5</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="ADAPTER_IN">INTEGRATION_ENGINE_HTTP_ENTRY</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="CORE">INTEGRATION_ENGINE</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="CORE">INTEGRATION_ENGINE</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_RECEIVER_DETERMINATION</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_RECEIVER_DETERMINATION</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_INTERFACE_DETERMINATION</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_INTERFACE_DETERMINATION</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_RECEIVER_MESSAGE_SPLIT</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_RECEIVER_MESSAGE_SPLIT</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_MAPPING_REQUEST</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.515</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_MAPPING_REQUEST</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.531</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_OUTBOUND_BINDING</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.531</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_OUTBOUND_BINDING</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.531</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_CALL_ADAPTER</SAP:Name>
    <SAP:Timestamp type="begin" host="lbsth-tb1ci">20071121155130.531</SAP:Timestamp>
    </SAP:RunTimeItem>
  - <SAP:RunTimeItem>
    <SAP:Name type="CORE">INTEGRATION_ENGINE</SAP:Name>
    <SAP:Timestamp type="end" host="lbsth-tb1ci">20071121155130.656</SAP:Timestamp>
    </SAP:RunTimeItem>
    </SAP:PerformanceHeader>
  - <SAP:Diagnostic xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:TraceLevel>Information</SAP:TraceLevel>
    <SAP:Logging>Off</SAP:Logging>
    </SAP:Diagnostic>
  - <SAP:Trace xmlns:SAP="http://sap.com/xi/XI/Message/30">
    <Trace level="1" type="T">SystemError message generated. Guid: DC98499F7E4274F1A41F0017A4107EE6</Trace>
    <Trace level="1" type="T">Error during execution of message : DC98499CA1EABEF1B4DD00110A63BF06</Trace>
    <Trace level="1" type="T">ApplicationMessage was (=RefToMsgId): DC98499CA1EABEF1B4DD00110A63BF06</Trace>
    <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_TO_PERSIST" />
  - <!--  ************************************
    -->
    </SAP:Trace>
    </SOAP:Header>
  - <SOAP:Body>
    <SAP:Manifest xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-manifest-5CABE13F5C59AB7FE10000000A1551F7" />
    </SOAP:Body>
    </SOAP:Envelope>
  Regards,
  Kishore

  Hi,
  In the HTTP Receiver what is the Addressing Type used ? (URL Address or HTTP Destination).
  If its URL Addressing Type, check if right Authentication Type is used with valid values and for HTTP Addressing Type check this HTTP Client Create Error, it could be helpful.
  Also check if the Target system can be reached from the XI server to validate the configuration parameters.
  Regards,
  S.Santhosh Kumar

• Error while creating the HTTP client with destination

  Hi ,
  I am getting this error while connecting to https location on receiver channel . The below error i am getting in SXMB_moni
  Error while creating the HTTP client with destination
  The receiver party is doing some security setting on there end and for that purpose we have provided the external IP address to them , after that we are getting the above error.
  We have already installed the client certificate on our staging server , and have done the correct setting in SM59 and channel.

  Check few things..
  1) I believe you use specify destination for the addressing type field in the comm channel. If so make sure you entered valid target URL address in the SM59 of type http destination.
  2) Check the validitity of the certificate. You can import the certificate both in java and abap stack.
  3) Make sure certificate is installed as expected.
  4) Send the request and talk to the target system and check what error information they get in their log related to ssl.

• How to use both wired and wireless connection with static addresses

  Now that I have setup my home network with static addresses (router, mini1, mini2 and PC) in the way I want, (big thanks to BDAqua http://discussions.apple.com/thread.jspa?threadID=1271635&tstart=0) I would like to understand some more advanced network concepts.
  I would like to change the network so that I use both the wireless connection and the built-in ethernet connection at the same time in my Mac mini1. I would like to connect my PC to my Mac mini by using the wired ethernet connection so that I reach the Internet from my PC as well. I would also like to be in control of all the addresses therefore I want to assign the addresses manually.
  The question: What addresses should I use between mini1 and PC? Should I use the same wireless address space as I already use between the wireless router and the other computers (router: 192.168.1.1, mini1: 192.168.1.101, mini2: 192.168.1.103) or should I use something totally different like 10.X.X.X? What should I put in ethernet connection "Router"-field, the same as in Airport (192.168.1.1)? What about DNS, same as in Airport?

  If I understand this correctly, you wish your Mini to perform Internet Sharing for your PC, correct!?
  If so you'll pretty much have to let the Mini handle DHCP & NAT on the Ethernet port. You also want to be sure Airport is dragged to the top of Network>Show:>Network Port Configurations, that's what position the Mini will use 1st for Internet itself.
  On the Mini turn on both Web Sharing & Internet Sharing. The PC once connected will have the Mini's Ethernet IP as it's Gateway addy.

• Specific Destination Address Lookup?

  Now on a dedicated GPS device, you can enter an exact destination address, and the GPS device can find it, quickly, and create a route to your destination.
  Does Nokia Ovi Maps support direct address lookup on the phone?  I have not been able to get it to work.
  Now you can locate an address on the phone by finding it on the map, save it to favorites, but this is tedious and time consuming, to get the street number right.
  You can also enter the address online to Ovi Maps, and sync the location to the phone into your Favorites.  This works well too.   Now you have your precise destination.
  Am I missing something or is this a limitation with respect to the downloaded maps to the phone?
  To have precise address to GPS coordinates on the phone offline to all known addresses would make the maps too large.
  This is using the phone offline.  For example, doing route planning, inside your house with no GPS or network connection.
  The second case is you have your current GPS position known to the phone, since you are outside, yet the phone cannot determine your specific destination, when you enter it.  In this case, you only have a GPS satellite connection, nothing else.   I cannot enter a destination here either.
  My belief is you must be "online", either WiFi or with a phone data plan, to get specific destinations.   Is this belief correct?

  Biff27 wrote:Does Nokia Ovi Maps support direct address lookup on the phone?  
  To have precise address to GPS coordinates on the phone offline to all known addresses would make the maps too large.
  My belief is you must be "online", either WiFi or with a phone data plan, to get specific destinations.   Is this belief correct?
  Hi Biff27
  The answer appears to be that it is regional variation whether or not you can navigate "Offline" to a specific address. Using v3.04 with UK maps downloaded there is no problem but talking here about small surface area compared with other countries. At one point I had world maps downloaded together with all "ClientIndex" so it certainly wasn't absence of available data to blame but no comparison to that on remote server.
  Happy to have helped forum in a small way with a Support Ratio = 37.0

• Syslog Destination Address

  Hi there,
  since my ABSE is constantly rebooting I'm trying to get some logs. I can't use the Airport Utility for that purpose since it's not streaming the logs. Also, as soon as the ABSE reboots it dumps the logs.
  So I'm trying to stream the logs to my MacBook using the Advanced/Logging & SNMP/Syslog Destination Address.
  In that field I've entered the IP address of my MacBook. I've connected it using Ethernet, disabled Airport. Syslog Level to "Debug" -> Update
  Then I open my Console and nothing, I've looked in the different Logs everywhere and can't find anything.
  Has anyone got it working?
  Micha

  Hi,
  I have not got it working, I would also like to do the same thing, but I believe it is quite tricky. By default I believe that OS X 10.4 is NOT configured to be able to receive syslog log messages over the network.
  The program that actually listens for log messages, from the network or from local apps, is called syslogd. www.macosxhintss.com hints has a somewhat confusing write-up on how to reconfigure it to receive messages from the network (http://www.macosxhints.com/article.php?story=20060327074531639). However, this involves tampering with files off of the /System/Library subdirectory, so I'd rather not risk it.
  MacBook Pro Mac OS X (10.4.9)
  MacBook Pro   Mac OS X (10.4.9)