NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something NAT-wise to put on the box when I arrive at site, as opposed to working it out there!
Define NAT Objects (outside IP addresses)
object network NAT_1_outside_10.50.50.38
 host 10.50.50.38
object network NAT_2_outside_10.50.50.39
 host 10.50.50.39
object network NAT_3_outside_10.50.50.49
 host 10.50.50.49
exit
Define NAT Objects (inside IP addresses)
object-group network NAT_1_Objects
 network-object Host_4 255.255.255.255
 network-object Host_5 255.255.255.255
 network-object Host_6 255.255.255.255
 network-object Host_7 255.255.255.255
object-group network NAT_2_Objects
 network-object Host_1 255.255.255.255
 network-object Host_2 255.255.255.255
 network-object Host_3 255.255.255.255
object-group network NAT_3_Objects
 network-object Network_3 255.255.255.0
! On 8.3 the 'nat' command is not accepted under 'object-group network' (object NAT only exists
! under 'object network'). A group of real hosts sharing one mapped address is manual (twice) NAT:
nat (inside,outside) source dynamic NAT_1_Objects NAT_1_outside_10.50.50.38
nat (inside,outside) source dynamic NAT_2_Objects NAT_2_outside_10.50.50.39
nat (inside,outside) source dynamic NAT_3_Objects NAT_3_outside_10.50.50.49
! The PIX 'nat (inside) 0 access-list no-nat-all' exemption is not carried over above; it needs
! identity manual NAT rules placed before these dynamic ones (manual NAT is first-match in order).
Any assistance with this would be appreciated.
cheers
Malcolm
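To show the mechanical part of the conversion end to end, here is a small script (an added example, not the poster's config and not Cisco's pixtoasa tool) that reads a PIX 6.x global/nat extract like the one above and emits the equivalent ASA 8.3+ objects, object-groups and manual NAT rules. It assumes the PIX names (Host_1, Network_3, ...) already exist on the ASA so they can be reused as-is, and it assumes the NAT-exempt ACL is not available, so it emits a placeholder comment where the identity rules must go rather than inventing them.

```python
"""Convert a PIX 6.x 'global'/'nat' extract into ASA 8.3+ objects and manual NAT.

Added example, not the poster's config or Cisco's pixtoasa tool. Assumes the
PIX 'names' already exist on the ASA, so host/network names can be reused.
"""
import re
from collections import OrderedDict

# Constructed input: the PIX extract from the post above.
PIX_EXTRACT = """
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: \d+ \d+)?$")


def parse_pix_nat(text):
    """Return (globals, reals, exempt).

    globals: nat_id -> (mapped_interface, mapped_ip)
    reals:   nat_id -> list of (real_interface, name_or_net, mask), config order
    exempt:  list of (real_interface, acl_name) from 'nat ... 0 access-list'
    """
    globals_, reals, exempt = {}, OrderedDict(), []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := GLOBAL_RE.match(line)):
            globals_[int(m.group(2))] = (m.group(1), m.group(3))
        elif (m := NAT0_RE.match(line)):          # checked before NAT_RE: id 0 is special
            exempt.append((m.group(1), m.group(2)))
        elif (m := NAT_RE.match(line)):
            reals.setdefault(int(m.group(2)), []).append(
                (m.group(1), m.group(3), m.group(4)))
    return globals_, reals, exempt


def to_asa(globals_, reals, exempt):
    """Emit ASA 8.3+ config: one object per mapped address, one object-group per
    PIX nat id, and one manual (twice) NAT rule per id. Object NAT cannot hang off
    an object-group, so 'source dynamic <group> <host object>' (dynamic PAT) is used."""
    out = []
    for nat_id, (_, mapped) in sorted(globals_.items()):
        out.append(f"object network NAT_{nat_id}_outside_{mapped}")
        out.append(f" host {mapped}")
    for nat_id, members in sorted(reals.items()):
        out.append(f"object-group network NAT_{nat_id}_Objects")
        for _, name, mask in members:
            if mask == "255.255.255.255":
                out.append(f" network-object host {name}")
            else:
                out.append(f" network-object {name} {mask}")
    # Manual NAT is first-match in config order: the old nat 0 exemption must come first.
    for real_if, acl in exempt:
        out.append(f"! nat ({real_if}) 0 access-list {acl}: rebuild each ACL entry HERE as an "
                   f"identity rule ('source static X X destination static Y Y'), "
                   f"before the dynamic rules below")
    for nat_id, members in sorted(reals.items()):
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global")
        real_if = members[0][0]
        mapped_if, mapped = globals_[nat_id]
        out.append(f"nat ({real_if},{mapped_if}) source dynamic "
                   f"NAT_{nat_id}_Objects NAT_{nat_id}_outside_{mapped}")
    return "\n".join(out)


def convert(text):
    """Full PIX extract -> ASA 8.3+ config text."""
    return to_asa(*parse_pix_nat(text))


if __name__ == "__main__":
    print(convert(PIX_EXTRACT))
```

Paste the output into the ASA after the `names` section, then fill in the placeholder comment with the identity rules for whatever no-nat-all exempted (VPN or DMZ traffic, typically); leaving them out, or putting them after the dynamic rules, is the classic 8.3 mistake that silently PATs traffic that used to be exempt.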
I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at the router setup.
If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP, and static NAT to port-forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So, conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher to lower security interface is allowed by default.
Am I close? Before going any further I need more details on the requirements, never mind the setup.
Similar Messages
-
REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL
Hey,
We have a PIX 6.3 serving as internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error in such quantity that the processor hit 100% CPU. I couldn't log in through normal SSH, so I connected via console and put the isakmp and crypto map commands back in, and the error stopped.
The purpose of my question is: how can I remove VPN config from the PIX without generating any error? Is there any formal process or order for removing rules from the PIX, or can we do it one by one with no order required?
MY PROCESS OF REMOVING CONFIG:
REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS
REMOVE THE OBJECTS AND OBJECTS GROUPS
REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
REMOVE CRYPTO MAP TRANSFORM-SET
REMOVE ISAKMP-POLICY
REMOVE CRYPTO MAP
WE DO USE THE ISAKMP SHARED KEY MECHANISM ("I DID NOT REMOVE THAT")
BUT AS SOON AS I REMOVE THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
IPSEC(crypto_map_check): crypto map XYZ 20 incomplete. No peer or access-list specified.
20 is the isakmp policy number & the peer and access-list were removed from the PIX
Any help would be great
regards
Hi
You could do either of 2 things.
1) Enable NAT-Traversal on your ASA
2) Add the following on your pix :
fixup protocol esp-ike
This allows one IPSEC connection to run through PAT.
HTH
Jon -
Upgrading from PIX to ASA 5512X
Hi everyone,
We are in the middle of upgrading from two PIXs to some new ASA5512Xs. To give you some background on the situation, we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the line. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!
ASA1:
: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
ASA Version 8.6(1)2
hostname dallasroadASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 70.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.18.2.21
name-server 172.18.2.20
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network DR_CORE_SW
host 172.18.2.1
object network dallasdns02_internal
host 172.18.2.21
object network faithdallas03_internal
host 172.18.2.20
object network dns_external
host 70.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network dallasitnetwork
network-object host 172.18.2.20
network-object host 172.18.2.40
object-group protocol tcpudp
protocol-object udp
protocol-object tcp
object-group network dallasroaddns
network-object host 172.18.2.20
network-object host 172.18.2.21
object-group service tcpservices tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
object-group network remotevpnnetwork
network-object 172.18.50.0 255.255.255.0
access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
access-list inside_inbound_access extended permit ip host 172.18.4.10 any
access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
access-list inside_inbound_access extended deny tcp any any eq smtp
access-list inside_inbound_access extended permit ip any any
access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static dallasdns02_internal dns_external
nat (inside,outside) source static faithdallas03_internal dns_external
nat (inside,outside) source dynamic any interface
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
access-group outside_inbound_access in interface outside
access-group inside_inbound_access in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name VPNALLOW IETF-Radius-Class
map-value VPNALLOW FALSE NOACESS
map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
server-port 389
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 71.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.18.0.0 255.255.0.0 inside
ssh 172.17.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy DfltGrpPolicy attributes
dns-server value 172.18.2.20
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
password-storage enable
group-policy DallasRoad internal
group-policy DallasRoad attributes
dns-server value 172.18.2.20 172.18.2.21
password-storage enable
default-domain value campus.fcschool.org
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
tunnel-group 71.x.x.x type ipsec-l2l
tunnel-group 71.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
: end
ASA2:
: Saved
: Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
ASA Version 8.6(1)2
hostname worthstreetASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.17.2.23
name-server 172.17.2.28
object network mail_external
host 71.x.x.x
object network mail_internal
host 172.17.2.57
object network faweb_external
host 71.x.x.x
object network netclassroom_external
host 71.x.x.x
object network blackbaud_external
host 71.x.x.x
object network netclassroom_internal
host 172.17.2.41
object network nagios
host 208.x.x.x
object network DallasRoad_ASA
host 70.x.x.x
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network WS_CORE_SW
host 172.17.2.1
object network blackbaud_internal
host 172.17.2.26
object network spiceworks_internal
host 172.17.2.15
object network faweb_internal
host 172.17.2.31
object network spiceworks_external
host 71.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object network remotevpnnetwork
subnet 172.17.50.0 255.255.255.0
object-group icmp-type echo_svc_group
icmp-object echo
icmp-object echo-reply
object-group service mail.fcshool.org_svc_group
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service nagios_svc_group tcp
port-object eq 12489
object-group service http_s_svc_group tcp
port-object eq www
port-object eq https
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network MailServers
network-object host 172.17.2.57
network-object host 172.17.2.58
network-object host 172.17.2.17
object-group protocol DM_INLINE_PROTOCOL
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DNS_Servers
network-object host 172.17.2.23
network-object host 172.17.2.28
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object blackbaud_external eq https
access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list vpn_access extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static mail_internal mail_external
nat (inside,outside) source static netclassroom_internal netclassroom_external
nat (inside,outside) source static faweb_internal faweb_external
nat (inside,outside) source static spiceworks_internal interface
nat (inside,outside) source static blackbaud_internal blackbaud_external
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name VPNALLOW IETF-Radius-Class
map-value VPNALLOW FALSE NOACCESS
map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
network-acl vpn_access
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password Iw@FCS730w
ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.0.0 255.255.0.0 inside
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 70.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 172.17.0.0 255.255.0.0 inside
telnet 172.18.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.17.0.0 255.255.0.0 inside
ssh 172.18.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group 70.x.x.x type ipsec-l2l
tunnel-group 70.x.x.x ipsec-attributes
ikev1 pre-shared-key FC$vpnn3tw0rk
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
: end
Hi Derrick,
I just did the same for a customer; replaced a 2-PIX515 failover cluster with a 5512X. The NAT change is major with ASA version 8.3 and later...
Here's what you need: a manual NAT rule called twice NAT (policy NAT or NONAT is the old terminology) for the VPNs to work. Also add the no-proxy-arp keyword:
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_NETWORKS VPN_NETWORKS no-proxy-arp
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
Then the dynamic PAT for internet access (after the twice NATs for VPN); could be a manual NAT like you did, or, preferably, an object NAT.
you did:
nat (inside,outside) source dynamic any interface
would also work with object nat:
object network INSIDE_NETWORKS
subnet ...
nat (inside,outside) dynamic interface
Same on the other side (except the networks are reversed, since the inside network is now what the other side refers to as the VPN network and vice versa).
If you don't put the no-proxy-arp, your NAT configuration will cause network issues.
Also, to be able to pass pings through the ASA, add the following:
policy-map global_policy
class inspection_default
inspect icmp
The ASA will do some basic inspection of the ICMP protocol with that config, e.g. it will make sure there is one echo-reply for each echo-request...
Hope that helps,
Patrick
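Putting Patrick's three pieces together in rule order, as an added example (this is not config from either poster in the thread): the identity twice NAT rules for the L2L and remote-access VPN traffic sit in Section 1 and are matched first, the dynamic PAT is done as object NAT so it lands in Section 2 and can never shadow them, and ICMP inspection is switched on. It assumes the ranges from the config above (172.17.0.0/16 inside, 172.18.0.0/16 at the far site, 172.17.50.0/24 for the remote-access pool) behind the object names Patrick used; 198.51.100.10 is a made-up Internet address used only for the packet-tracer check.

```cisco
! Added example, not the thread's own config. Address ranges are taken from the
! posted config; the object names are the placeholders Patrick used.
object network INSIDE_NETWORKS
 subnet 172.17.0.0 255.255.0.0
object network VPN_NETWORKS
 subnet 172.18.0.0 255.255.0.0
object network RA_VPN_NETWORKS
 subnet 172.17.50.0 255.255.255.0
!
! Section 1 (manual / twice NAT): identity translation for VPN-bound traffic.
! no-proxy-arp stops the ASA answering ARP on inside for the far-side ranges.
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_NETWORKS VPN_NETWORKS no-proxy-arp
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
!
! Section 2 (object NAT): dynamic PAT to the outside interface address for
! everything that did not match a Section 1 rule, i.e. plain Internet traffic.
object network INSIDE_NETWORKS
 nat (inside,outside) dynamic interface
!
! ICMP inspection so that echo-replies are matched to their echo-requests.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: confirm the section order, then trace one VPN-bound ping and
! one Internet-bound HTTPS flow. The first should hit the identity rule with
! no address change; the second should be PATed to the outside address.
show nat
packet-tracer input inside icmp 172.17.2.26 8 0 172.18.5.10
packet-tracer input inside tcp 172.17.2.26 40000 198.51.100.10 443
```

If you keep the dynamic PAT as a manual rule instead (`nat (inside,outside) source dynamic any interface`, as in the posted config), it lives in Section 1 alongside the identity rules and is matched top-down, so it has to be entered after them; `show nat` prints the rules in the order the box evaluates them and is the quickest way to confirm that.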
Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
OK, so I believe I've truncated this down to what you need in order to give me a hand. Remember that I must configure this using ASDM for screenshot purposes. There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test. I'll explain the desired topology below the config:
: Saved
ASA Version 8.3(1)
hostname ASA-SVRRM-5510
domain-name domain.corp
names
name 10.20.1.23 NCASK333
name 10.20.1.40 Barracuda
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.1.1.3 255.255.255.248
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 20
ip address 172.16.10.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif Inside
security-level 100
ip address 10.20.1.249 255.255.0.0
object network mail.domain.com
host 10.20.1.40
object network NCASK333
host 10.20.1.23
object network obj-10.20.1.218
host 10.20.1.218
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.192.0.0_16
subnet 10.192.0.0 255.255.0.0
object network NETWORK_OBJ_10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network Remote Site
host 10.1.1.1
object network NCAFTP01:80
host 172.16.10.10
object network 1.1.1.5
host 1.1.1.5
object network NCASK820
host 10.20.1.61
description Exchange Server/ KMS
object service AS2
service tcp source eq 8800 destination eq 8800
object network NCAFTP01:21
host 172.16.10.10
object network NCAFTP01:443
host 172.16.10.10
object network NCAFTP01:53
host 172.16.10.10
object network NCAFTP01:53UDP
host 172.16.10.10
object network NCAFTP01:8080
host 172.16.10.10
object network NCAFTP01:8500
host 172.16.10.10
object network NCAFTP01:5080
host 172.16.10.10
object network NCADMZ02:8800
host 172.16.10.11
object network NCAFTP01
host 172.16.10.10
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 8080
service-object tcp destination eq 8500
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object tcp destination eq 5080
service-object object AS2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq echo
object-group network DM_INLINE_NETWORK_5
network-object 172.16.10.0 255.255.255.0
nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
object network mail.domain.com
nat (Inside,ATTOutside) static 1.1.1.4
object network NCASK333
nat (Inside,ATTOutside) static 1.1.1.6
object network obj-10.20.1.218
nat (Inside,ATTOutside) static 1.1.1.2
object network obj_any
nat (Inside,ATTOutside) dynamic interface
object network NCAFTP01:80
nat (any,ATTOutside) static 1.1.1.5 service tcp www www
object network NCAFTP01:21
nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp
object network NCAFTP01:443
nat (any,ATTOutside) static 1.1.1.5 service tcp https https
object network NCAFTP01:53
nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain
object network NCAFTP01:53UDP
nat (any,ATTOutside) static 1.1.1.5 service udp domain domain
object network NCAFTP01:8080
nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080
object network NCAFTP01:8500
nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500
object network NCAFTP01:5080
nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080
object network NCADMZ02:8800
nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
object network NCAFTP01
nat (any,ATTOutside) static 1.1.1.5
nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface
timeout xlate 3:00:00
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
: end
Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10. We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11.
This part is functional, as you instructed above, I simply needed to create individual PAT statements.
My current issue lies in the outbound translation. When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5. When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5. So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound. These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution. My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?
This comes about because the client on the outside requires us to use a specific IP to connect to their EDI server on port 5080.
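The layout Derrick describes (one public IP, port-based statics to two DMZ hosts inbound, all DMZ traffic sourced from that same IP outbound), written out as an added example rather than his config. It uses the real addresses, hosts and port list from the thread, but the interface names are the `DMZ` and `Outside` nameifs from the posted interface block (the posted NAT lines refer to `ATTOutside`, which the truncated config never defines), and the object names `DMZ_NET`, `obj-1.1.1.5`, `NCAFTP01_PORTS` and the `Outside_access_in` ACL name are my own. 203.0.113.7 is a made-up external address used only in the packet-tracer checks.

```cisco
! Added example, not the poster's config. Interface and object names are
! assumptions noted in the lead-in; addresses and ports come from the thread.
object network DMZ_NET
 subnet 172.16.10.0 255.255.255.0
object network obj-1.1.1.5
 host 1.1.1.5
!
! Inbound: one static object NAT per published port. In Section 2 the ASA
! evaluates static rules before dynamic ones, so a connection arriving at
! 1.1.1.5 on one of these ports is untranslated to the matching host.
object network NCAFTP01_80
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp www www
object network NCAFTP01_443
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp https https
object network NCAFTP01_21
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp ftp ftp
object network NCAFTP01_53TCP
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp domain domain
object network NCAFTP01_53UDP
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service udp domain domain
object network NCAFTP01_8080
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp 8080 8080
object network NCAFTP01_8500
 host 172.16.10.10
 nat (DMZ,Outside) static 1.1.1.5 service tcp 8500 8500
object network NCADMZ02_8800
 host 172.16.10.11
 nat (DMZ,Outside) static 1.1.1.5 service tcp 8800 8800
!
! Outbound: anything else from either DMZ host is PATed to the same public IP.
! A dynamic rule never creates inbound translations, so it cannot steal the
! published ports from the statics above.
object network DMZ_NET
 nat (DMZ,Outside) dynamic obj-1.1.1.5
!
! The temporary one-to-one static (object NCAFTP01, "static 1.1.1.5" with no
! service keyword) claims every port of 1.1.1.5 and must go before testing.
no object network NCAFTP01
!
! Post-8.3 the interface ACL is written against the REAL addresses.
object-group service NCAFTP01_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq domain
 port-object eq 8080
 port-object eq 8500
access-list Outside_access_in extended permit tcp any host 172.16.10.10 object-group NCAFTP01_PORTS
access-list Outside_access_in extended permit udp any host 172.16.10.10 eq domain
access-list Outside_access_in extended permit tcp any host 172.16.10.11 eq 8800
access-group Outside_access_in in interface Outside
!
! Verification: inbound 8800 should land on 172.16.10.11; outbound 5080 from
! either host should leave with source 1.1.1.5.
show nat detail
packet-tracer input Outside tcp 203.0.113.7 50000 1.1.1.5 8800
packet-tracer input DMZ tcp 172.16.10.11 50001 203.0.113.7 5080
packet-tracer input DMZ tcp 172.16.10.10 50002 203.0.113.7 5080
```

Each of the `object network ... nat ... service` blocks is exactly what ASDM writes when you add one object NAT rule with a service specified, so the six-plus-one rule count Derrick expected is right. The one thing ASDM will not warn about is the leftover full static for NCAFTP01: as long as it exists, 1.1.1.5 on every port belongs to 172.16.10.10, which is why the 8800 rule for NCADMZ02 has to be tested only after that object is removed.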
Need to create a transport of SD config data from DEV 120 to DEV 110
During our conversion some config modifications were made in DEV 120 instead of DEV 110.
I need to get the config:
SPRO> Sales Distribution> Billing> Billing Documents> copy sales documents to Billing documents
From 120 to 110.
I have tried to force a transport creation in 120, and used SCC1 to import into 110, but no data comes over.
How can I force all the data from these config tables to load into a transport so I can send it from 120 to 110?
Thanks,
Bev Barbush
Hi Beverly,
I would try bringing this transport in via STMS and then reviewing the import log to see why the data is not going across. What I've normally seen in this situation is the data was not correctly added to the transport before it was imported.
I would NOT copy config tables back from the QAS system. Copying select portions of config data from one system to another is likely to break all sorts of logical relationships between tables.
Have you guys tried running a config comparison between 110 and 120 to see what the actual differences are?
Hope that helps.
J. Haynes
Link to configuration convertor tool from PIX to ASA
Hi,
I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it's a yes, where I can find that tool on the Cisco site please?
Regards,
Masood
Hello again,
This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
Would you please be able to tell me what I need to type on the ASAs to configure them for this cable based failover?
Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
and the STANDBY:
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
So how does it work with the failover configuration?
Can you please advise on how I go about the following:
1- configure failover before I paste the PIX config onto the ASA?
2- paste the PIX 525 config onto the ASA, which I have already downgraded to version 8.2.3.
Please advise.
Regards,
Masood
Field setting when collective conversion from planned order to PR
Dear expert:
Is there any way (except ABAP enhancement) to add the field "tracking number" in MD15 when I conduct collective conversion from planned order to PR? It seems in standard config this field is not included in this screen. I have set this field as a mandatory field, but even so, when I conduct the conversion, this field still cannot be displayed in the MD15 conversion screen.
Hi,
There are following T. Codes to convert Planned Order to PR;
MD14 - Individual Conversion
MD15 - Collective Conversion
MDUM - In Background
Also MD04
User Exit is LMDZU001 - User exits in additional planning
3 SATA and 1 PATA config problem
I have been using 2 non-RAID SATA drives and 1 DVD drive and now want to add an additional SATA drive. No matter what I change in the BIOS for the SATA/PATA config, I can not get this 3rd SATA to be seen.
Any suggestions?
TIA,
Rick
You don't say which board specifically you have but since you are adding a 3rd SATA drive, I assume it's an FIS2R with Serial1-4 connectors and IDE1-3 connectors.
I'll also assume you are adding the SATA drive to Serial3 or 4.
Serial3&4, and IDE 3 are on the Promise controller (a separate controller from the Intel one where all your other stuff is located). The only place to activate this controller in the Bios is Bios>>Integrated Peripherals>>Promise Controller - set to "As SATA" if you have no interest in setting up a Raid here.
Save Bios and you should see a very quick screen flash during the next boot with the drive info. There's nothing to configure in "As SATA" mode.
When XP boots it will probably find a "new device". Choose not to install drivers. Then load your MSI CD and select to install the Promise U-SATA driver for WinXP.
You should now be able to partition/format the drive if it isn't already.