Needing to create a DMZ zone/vlan on a small ASA.

Hopefully an easy question as this is not my forte.
I have an a small ASA-5505 running 8.2(2).
I have 2 vlans
inside 192.168.58.0/24 – security level 25
outside 25.65.25.134/30 – security level 0
I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me.
How do I setup a DMZ zone to account for this block when I am connecting over a /30 network.

Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
So you can then either allocate the public IPs to the actual machines in which case you need one IP for the DMZ interface on the ASA or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
Up to but you don't need to assign any IP from the new block to an actual interface if you don't want to.
Jon

Similar Messages

WLC sitting in a DMZ zone on an ASA

I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID. (Customer's request) Its a layer 3 network and they suggested creating a DMZ zone off their ASA and connecting the WLC there that way its outside their network and can go straight to the internet.
I have never done this before ... so does anyone know if this would work? Any config guides or explanations would be great.
Thanks

Often times, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network and a guest wlan tunnels to the external(dmz) controller (which doesn't actually have any APs on it).
If you have only one controller, then doing either the trunked vlan, or port 2 straight to the DMZ will work.
I often see the guest in VLAN 10 (for example), and instead of vlan 10 having a routed interface on the network, it is only layer 2 with a port in access vlan10 that connects to the DMZ of the firewall.

Creating a private/isolated vlan on Cisco switch

Hello
I have many Cisco switches 65xx, 37xx at my company with a lot of vlans already configured. I need to create a new isolation vlan that will not be able to communicate with my other existing vlans. We are setting up a NAC solution at my company and we want a vlan that we can send ports to if the computer or device is compromised and cannot talk or risk the existing network (other vlans). What is the best method to make this happen?
I have created VLANs in the past but this is my first dealing with private/isolated vlans and would be grateful for any guidance on how I should implement this.

So are you saying I should just create a new L2 vlan and not configure the vlan interface (which is at L3) for this new vlan so I cannot communicate with any of my existing vlans therefore isolating the new vlan?
Yes, without an SVI clients in that vlan cannot communicate with anything outside that vlan.
The only thing that wasn't clear was whether these clients should still be able to access the internet even though they couldn't talk to any other internal vlans. If they did need the internet, or any other remote network, then you would need an SVI but it sounds as though you don't want any external communication for these clients ?
Jon

Permissions to create Reverse Lookup Zones in DNS

What Active Directory permissions are needed to create Reverse Lookup Zones in DNS? My co-worker is getting an access denied error when completing the wizard for this and the zone is NOT created. He is a member of the "DnsAdmins" group and
he can create Forward Lookup Zones. We are running Server 2008 R2 SP1 on our Domain Controllers where DNS is running. Any ideas?

Set permissions for the DnsAdmins group on the DomainDNSZones application partition. To do this, follow these steps:
Click Start, click Run, type Adsiedit.msc, and then click
OK.
In the task pane, right-click ADSI Edit, and then click
Connect to.
Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click
OK:
CN=MicrosoftDNS,DC= DomainDNSZones,DC=<var>Domain</var>,DC=<var>Domain_Extension</var>
In the task pane, locate and right-click CN=MicrosoftDNS,DC= DomainDNSZones,DC=<var>Domain</var>,DC=<var>Domain_Extension</var>, and then click
Properties.
Click the Security tab, and then click Advanced. The
Advanced Security Settings for MicrosoftDNS dialog box appears.
In the Permissions tab, click Add.
In the Enter the object name to select box, type DnsAdmins, and then click
Check Names to verify the name.
Click OK. The Permission Entry for Microsoft DNS dialog box appears.
In the Apply onto drop-down list, click This object only.
Click to select the Allow check box for the Full Control
permission, and then click OK.
In the Advanced Security Settings for MicrosoftDNS dialog box, click
Apply, and then click OK.
Click OK to close the properties dialog box for the DomainDNSZones application partition.
Close the ADSI Edit window.
Test whether you can create a new DNS zone now.
If you found this post helpful, please "Vote as Helpful". If it answered your question, remember to "Mark as Answer". MCSE,MSCITP-EA

Do we need to create two zones for Two HBA for a host connected with SAN ?

Hi,While creating Zone , Do we need to create two zones for Two HBA for a host connected with SAN ? Or a zone is enough for
a host which having Two HBAs...We have two 9124s for our SAN fabric...
As I found like one zone below, I little bit confused that , if a host having two HBA connected with SAN, should I expect two zones for every Host?
from the zone set, I gave the command show zoneset
zone name SQLSVR-X-NNN_CX4 vsan 1
    pwwn 50:06:NN:NN:NN:NN:NN:NN
    pwwn 50:06:NN:NN:NN:NN:NN:NN
          pwwn 10:00:NN:NN:NN:NN:NN:NN
But I found only one zone for the server's HBA2:by the same time in the fabric I found switches A & B showing the WWNs of those HBAs on its
connected N port...Its not only for this server alone, but for all hosts..Can you help me to clarify on this please..that should we need to create one zone for
one HBA?

if u have two independent fabrics between hosts and storage, i think the below confs are recommended.
Scenario 1: 2 HBAs single port each ( redundancy across HBA / Storage port )
HBA1 - port 0 ---------> Fabric A ----------> Storage port ( FAx/CLx )
HBA2 - port 0 ---------> Fabirc B ----------> Storage port ( FAy/CLy )
Scenario 2: 2 HBAs of dual port each
HBA1 - port 0 -------> Fabric A ---------> Storage port ( FAx/CLx )
HBA2 - port0 ---------> Fabric A ---------> Storage port ( FAs/CLs )
HBA1 - port 1 --------> Fabric A --------> Storage port ( FAy/CLy )
HBA2 - port 1 ---------> Fabric B --------> Storage port ( FAt/CLt )
the zone which is in your output is VSAN 1. if its a production VSAN, Cisco doesn't recomends to use VSAN 1 ( default vsan ) for production.

ASA DMZ zone and Unix proxy server

Hi.
i have router which all nat translation done at here. i have a asa and core sw.
192.168.1930.0/24 subnet my user and some server are located at this subnet. this subnet created at core sw.
int vlan 393
ip address 192.168.193.1 255.255.255.0
core sw connected to asa inside interface.asa inside interface ip 172.30.30.1 and at core sw site this port access vlan 8 which is
int vlan 8
ip address 172.30.30.2
at core sw at i have a default route to asa.
ip route 0.0.0.0 0.0.0.0 172.30.30.1
and asa site
route inside 192.168.193.0 255.255.255.0 172.30.30.2
all of them are ok.
i think that is ok.
at asa i have dmz zone which ip address:
interface Ethernet0/1
description connect to CoreSW
nameif inside
security-level 100
ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
interface Ethernet0/2
description DMZ zone connect mail server
nameif DMZ
security-level 50
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
my proxy server inside interface connected to asa dmz zone and ip address 172.16.10.254 and outside interface is connected asa outside site which mean that is same subnet of asa outside interface which is 10.0.0.254 and then 10.0.0.254 i do static nat at router. i have no problem at nat translation.
i want my 192.168.193.0 subnet pass througth from proxy when this subnet want to connet internet.
i wrote
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
and access-list
access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
access-group from_dmz_to_in in interface DMZ
at this time what is up?
the user can not access internet and what i do? i wrote proxy server inside ip and default port 3128 at user internet explorer properties.
internet explorerr--tools-properties-connection-lan settting and show there 172.16.10.254 and port 3128.
at this time my user connect internet when i wrote this. when i remove this they can not connect internet
but i do not want write anything at my user. how i solved this?
after that one problem occur.
when my server to do nslookup it can not work.
i thnik that it is true because we have only one port 3128 is open and my server need udp 53.so it can not work
how i solve this issue?
as you see my access-list all of is open and i do
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
it is this wrong proxy connection???
musti change proxy server inside interface to other device or asa other interface?
thanks.

There is 2 way the proxy server can work, ie: either transparent or explicit proxy.
From your explaination, explicit proxy works just fine when you configure the proxy settings on your browser.
The reason why transparent proxy does not work is because:
1) When user browser connects to the Internet, the ASA default gateway is via the outside interface, that is why the Internet traffic is not being routed transparently towards your proxy server which is connected to the DMZ interface.
The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the internet traffic towards the proxy server on DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. ASA does not support Policy Based Routing, nor it supports WCCP when the user and the proxy server is on different interfaces.
2) Also need to find out if the proxy server itself supports transparent proxy.
Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy?

Create a "New Zone" in the "Forward Lookup Zone"

I am working I Windows Server 2008 R2 SP1.
I went to DNS Server and tried to create a "New Zone" in the "Forward Lookup Zone" under "subdomain.domain.com".
I got the error: "Zone Not Loaded by DNS Server".
Tried to F5 to Refresh but still same error.
How do I get a new child or "subdomain" that will work in forest or "domain.com"?

Hi
You need to create a new child Domain in a new server.
Build a new server and follow the belwo link as how to create a new child domain. This will create a subdomain as well a DNS
http://technet.microsoft.com/en-us/library/cc771856(v=ws.10).aspx

ZBFW - dmz-zone to in-zone access

Hi IOSers,
I have a Cisco 2901 which terminates a Class C address pool.
I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server
private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.
However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...
Can anyone please advise...
Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
I think I am making a basically incorrect assumption somewhere ...
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
Thank for any expertise you can bring to help resolve this.
Regards,
Zebity.

Hi Karthikeyan,
thank you for offering to look at this, I do all my configuration using CCP, which is a lot easier than pawing over IOS commands.
I have dumped out the config, but as it is hard to pull out the partiular part of the config, so find following screen snap & config:
The areas where I think there are problems are with "self" zone items (can I get rid of self zone case completely, with exception of blocking any external (DSL) access to self?)
and the dmz-zone to in-zone and in-zone to dmz-zone configs.
Building configuration...
Current configuration : 32292 bytes
! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname big
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 168.192.200.1 168.192.200.99
ip dhcp excluded-address 168.192.200.126 168.192.200.254
ip dhcp excluded-address 200.200.200.1 200.200.200.79
ip dhcp excluded-address 200.200.200.91 200.200.200.126
ip dhcp pool PRIVATE-POOL-1
   import all
   network 168.192.200.0 255.255.255.0
   domain-name in.froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 168.192.200.1
ip dhcp pool FROGHOP-POOL-2
   import all
   network 200.200.200.0 255.255.255.128
   domain-name froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 200.200.200.1
no ip bootp server
ip domain name froghop.com
ip name-server 200.200.200.4
ip name-server 200.200.200.20
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
appfw policy-name CCP_MEDIUM
application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2085601892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2085601892
revocation-check none
crypto pki certificate chain TP-self-signed-2085601892
certificate self-signed 01
XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
4F5E79FE 8C76B0EC BC5DD668 69BE1A
            quit
license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
hw-module pvdm 0/0
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-any OPEN-TRAFFIC-OUT-190
match access-group name OPEN-TRAFFIC-OUT-190
class-map type inspect match-any SMTPS-TRAFFIC-IN
match access-group name SMTPS-IN
class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol tcp
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol udp
class-map type inspect match-all SELF-DNS-OUT
match access-group name SELF-DNS-OUT
match protocol dns
class-map type inspect match-any SMTP-PROTOCOL
match protocol smtp
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
match class-map SMTP-PROTOCOL
match access-group name DMZ-MAIL-OUT
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SIP-PROTOCOLS
match protocol sip
match protocol sip-tls
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
match class-map SIP-PROTOCOLS
match access-group name DMS-SIP-TRAFFIC
class-map type inspect match-any OPEN-TRAFFIC-OUT-140
match access-group name OPEN-TRAFFIC-OUT-140
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any OPENDIR-PROTOCOLS
match protocol kerberos
match protocol ldap
match protocol ldaps
match protocol ldap-admin
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
match service text-chat
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any SYSLOG-PROTOCOL
match protocol syslog
class-map type inspect match-any ICMP-PROTOCOLS
match protocol icmp
class-map type inspect match-all SELF-ICMP
match access-group name SELF-ICMP-TRAFFIC
match class-map ICMP-PROTOCOLS
class-map type inspect match-any DMZ-DNS
match protocol dns
class-map type inspect match-all OPENDIR-OUT
match class-map OPENDIR-PROTOCOLS
match access-group name OPENDIR-TRAFFIC
class-map type inspect match-all SMTPS-TRAFFIC
match class-map SMTPS-TRAFFIC-IN
match protocol tcp
class-map type inspect match-any TRUSTED-HOSTS
match access-group name TRUSTED-HOSTS
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-any TRANSPORT-PROTOCOLS
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type inspect match-any WEB-PROTOCOLS
match protocol http
match protocol https
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map type inspect match-any SELF-DNS-IN
match access-group name SELF-DNS-IN
match protocol dns
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any OPEN-TRAFFIC-IN-140
match access-group name OPEN-TRAFFIC-IN-140
class-map type inspect match-all SYSLOG-IN-DMZ
match access-group name SYSLOG-TRAFFIC
match class-map SYSLOG-PROTOCOL
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
match service any
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map SMTP-PROTOCOL
match access-group name SMTP-TRAFFIC
class-map type inspect match-any DNS-PROTOCOL
match protocol dns
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map ICMP-PROTOCOLS
match access-group name IN-ZONE-ICMP
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ACCESS-PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
match class-map ACCESS-PROTOCOLS
match access-group name DMZ-ZONE-TRAFFIC
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all PUSH-NOTIFICATIONS
match access-group name PUSH-NOTIFICATIONS
match protocol tcp
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all DEST-DNS
match access-group name DEST-DNS
match class-map DNS-PROTOCOL
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SYSLOG-PROTOCOL
match access-group name DMZ-SYSLOG
class-map type inspect match-any FTP-PROTOCOL
match protocol ftp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map ICMP-PROTOCOLS
match access-group name DMZ-ICMP
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
match class-map WEB-PROTOCOLS
match access-group name DMZ-WEB
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
match class-map SIP-PROTOCOLS
match access-group name DMZ-SIP
class-map type inspect match-any TIME-PROTOCOLS
match protocol ntp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
match class-map DMZ-DNS
match access-group name DMZ-DNS-TRAFFIC
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
match class-map ACCESS-PROTOCOLS
match access-group name IN-ZONE-TRAFFIC
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect POLICY-PRIVATE-TRANSIT
class type inspect ACCESS-PROTOCOLS
pass log
class class-default
drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect POLICY-IN-SELF
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-IN
class type inspect OPEN-TRAFFIC-OUT-190
pass
class type inspect ccp-icmp-access
inspect
class class-default
drop
policy-map type inspect POLICY-DMZ-OUT
class type inspect TIME-PROTOCOLS
inspect
class type inspect WEB-PROTOCOLS
inspect
class type inspect FTP-PROTOCOL
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-2
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-1
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class type inspect DEST-DNS
inspect
class class-default
drop log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ICMP-PROTOCOLS
inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop log
policy-map type inspect POLICY-PRIVATE-IN-DMZ
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-OUT
class type inspect OPEN-TRAFFIC-OUT-140
pass log
class type inspect WEB-PROTOCOLS
inspect
class type inspect OPENDIR-OUT
inspect
class type inspect DEST-DNS
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect POLICY-DMZ-SELF
class type inspect ICMP-PROTOCOLS
inspect
class type inspect TRANSPORT-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-OUT
class type inspect SELF-DNS-OUT
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect NAT-POOL-UDP-TRAFFIC-OUT
inspect
class type inspect NAT-POOL-TCP-TRAFFIC-OUT
inspect
class class-default
drop log
policy-map type inspect POLICY-OUT-SELF
class type inspect SELF-DNS-IN
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect SELF-ICMP
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-DMZ
class type inspect SYSLOG-IN-DMZ
pass
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-DMZ-IN
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-4
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-cls-ccp-permit-dmzservice-3
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-5
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop log
policy-map type inspect ccp-pol-outToIn
class type inspect OPEN-TRAFFIC-IN-140
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
inspect
class type inspect ccp-cls-ccp-pol-outToIn-2
inspect
class type inspect SMTPS-TRAFFIC
inspect
class type inspect SMTPS-TRAFFIC-IN
pass log
class class-default
drop log
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-ZONE
zone security PRIVATE-IN
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect POLICY-IN-OUT
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
service-policy type inspect POLICY-DMZ-IN
zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
service-policy type inspect POLICY-DMZ-OUT
zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
service-policy type inspect POLICY-IN-DMZ
zone-pair security ZP-OUT-SELF source out-zone destination self
service-policy type inspect POLICY-OUT-SELF
zone-pair security ZP-SELF-OUT source self destination out-zone
service-policy type inspect POLICY-SELF-OUT
zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-IN-SELF source in-zone destination self
service-policy type inspect POLICY-IN-SELF
zone-pair security ZP-SELF-IN source self destination in-zone
service-policy type inspect POLICY-SELF-IN
zone-pair security ZP-DMZ-SELF source dmz-zone destination self
service-policy type inspect POLICY-DMZ-SELF
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
interface Loopback0
ip address 200.200.200.190 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 200.200.200.130 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 168.192.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.160 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/3/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface Virtual-Template1 type serial
description $FW_INSIDE$
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan1
description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
ip address 200.200.200.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
description $FW_OUTSIDE$
ip address 210.210.210.154 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output sdmappfwp2p_CCP_MEDIUM
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 500
ip dns server
ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
ip route 0.0.0.0 0.0.0.0 210.210.210.1
ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
ip access-list extended DEST-DNS
remark CCP_ACL Category=1
permit udp any any eq domain
ip access-list extended DMS-SIP-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.30 any
permit ip host 200.200.200.40 any
ip access-list extended DMZ-DNS-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
ip access-list extended DMZ-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DMZ-MAIL-OUT
remark CCP_ACL Category=128
permit ip any host 230.211.70.60
permit ip any host 230.250.90.137
ip access-list extended DMZ-SIP
remark CCP_ACL Category=128
permit ip any host 200.200.200.40
permit ip any host 200.200.200.30
ip access-list extended DMZ-SYSLOG
remark CCP_ACL Category=128
permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
ip access-list extended DMZ-WEB
remark CCP_ACL Category=128
permit ip any host 200.200.200.35
permit ip any host 200.200.200.20
ip access-list extended DMZ-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip 200.200.200.0 0.0.0.128 any
ip access-list extended ESP-TRAFFIC
remark CCP_ACL Category=1
permit esp any any
ip access-list extended IN-ZONE-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended IN-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.140 any
ip access-list extended NAT-POOL-TRAFFIC-IN
remark CCP_ACL Category=128
permit ip any 0.0.0.0 255.255.255.224
ip access-list extended NAT-POOL-TRAFFIC-OUT
remark CCP_ACL Category=128
permit ip 0.0.0.30 255.255.255.224 any
ip access-list extended OPEN-TRAFFIC-IN-140
remark CCP_ACL Category=1
permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
permit esp host 230.211.70.60 host 200.200.200.140
permit ip host 230.211.70.10 host 200.200.200.140
permit tcp host 230.211.70.35 host 200.200.200.140
deny   ip host 230.211.70.60 host 200.200.200.140
ip access-list extended OPEN-TRAFFIC-OUT-140
remark CCP_ACL Category=1
permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
permit esp host 200.200.200.140 host 230.211.70.60
permit ip host 200.200.200.140 host 230.211.70.10
permit tcp host 200.200.200.140 host 230.211.70.35
deny   ip host 200.200.200.140 host 230.211.70.60
ip access-list extended OPENDIR-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 230.211.70.10
ip access-list extended PUSH-NOTIFICATIONS
remark CCP_ACL Category=1
permit tcp any any eq 5223
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SELF-DNS-IN
remark CCP_ACL Category=1
permit udp any eq domain any
ip access-list extended SELF-DNS-OUT
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
permit ip any host 200.200.200.4
ip access-list extended SELF-ICMP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.190
ip access-list extended SMTP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.140
ip access-list extended SMTPS-IN
remark CCP_ACL Category=1
permit tcp any any eq 465
permit tcp any any eq 587
ip access-list extended SMTPS-OUT
remark CCP_ACL Category=1
permit tcp any eq 465 any
permit tcp any eq 587 any
ip access-list extended SYSLOG-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.32
ip access-list extended TRUSTED-HOSTS
remark CCP_ACL Category=128
permit ip host 230.211.70.35 any
permit ip host 230.211.70.60 any
logging 200.200.200.32
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 168.192.200.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 210.210.210.0 0.0.0.255 any
access-list 100 permit ip 200.200.200.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 168.192.200.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
control-plane
banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.17
ntp server 192.189.54.33
ntp server 203.161.12.165
ntp server 130.102.2.123
end
Thanks in advance for any tips.
Regards,
John.

Need to create a login page to my Adobe Muse site - how do I do that?

Hi all,
I need to create a login page on my Adobe Muse site, as I need to post information that only authorized personnel have acces to. Is that possible. I use Business Catalyst to host my site.
Thanks,

Hi Michael,
The Business Catalyst site should be on web Marketing plan.
You can create the secure zone in Business Catalyst and then place the secure zone login form code from Business Catalyst to the page in Muse.
Business Catalyst Help | Add a secure area to your site
Regards,
Gaurav Aggarwal

Oc 11gR1 update 3: doesn't show ZFS file systems created on brownfield zone

Subject is a pretty concise description here. I have several brownfield Solaris 10U10 containers running on M5000s, and I have delegated three zpool to each container for use by Oracle. Below is relevant output from zonecfg export for one of these containers. They were all built in the same manner, then placed under management by OC. (Wish I'd been able to build them as green field with Ops Center, but there just wasn't enough time to learn how to configure OpsCenter the way I needed to use it.)
set name=Oracle-DB-Instance
set type=string
set value="Oracle e-Business Suite PREPROD"
end
add dataset
set name=PREPRODredoPOOL
end
add dataset
set name=PREPRODarchPOOL
end
add dataset
set name=PREPRODdataPOOL
end
The problem is, none of the file systems built on these delegated pools in the container appear in the Ops Center File System Utilization charts. Does anyone have a suggestion for how to get OC to monitor the file systems in the zone?
Here's the output from zfs list within the zone described by the zonecfg output above:
[root@acdpreprod ~]# zfs list
NAME USED AVAIL REFER MOUNTPOINT
PREPRODarchPOOL 8.91G 49.7G 31K none
PREPRODarchPOOL/d05 8.91G 49.7G 8.91G /d05
PREPRODdataPOOL 807G 364G 31K none
PREPRODdataPOOL/d02 13.4G 36.6G 13.4G /d02
PREPRODdataPOOL/d03 782G 364G 782G /d03
PREPRODdataPOOL/d06 11.4G 88.6G 11.4G /d06
PREPRODredoPOOL 7.82G 3.93G 31K none
PREPRODredoPOOL/d04 7.82G 3.93G 7.82G /d04
None of the file systems in the delegated datasets appear in Ops Center for this zone. Are there any suggestions for how I correct this?

Do you mean adopt the zone? That requires the zone be halted and it also says something about copying all file systems to the pool created for the zone. Of the 12 zones I have (four on each of three M5000s), seven of them are already in "production" status, and four of those seven now support 7x24 world-wide operations. A do-over is not an option here.

Accessing a oracle DB from web AS in a DMZ zone

Hi all,
I using a webdynpro application where the backend is a oracle system.This system is different from the server.
say the Web AS server is SYS1
and the server which has oracle as SYS2.
I have created a DB in oracle DB of SYS2 and created a SID,user etc.
When i connect to this DB from inside a network there is no problem in connecting.But i have a requirement where the webAS server (SYS1 ) is placed outside the local network we are in i.e its placed in a DMZ zone. Now when i run the applcation the data from the oracle DB is not accessible..Are there any settings in visual admn which i shud enable.(I have opened the ports 1521 and 1527 also !)
And one more point ..I am not using a datasource. I am using EJB where i am directly using the driver manager class with system ip to connect to the oracle system.
how do i solve the problem
Regards
Bharathwaj
Message was edited by: Bharathwaj R

Hi,
Are you able to ping from SYS1 to SYS2.
If yes then you will be able to access the SYS2 otherwise seek help from network Administrator to do the settings at his end so that you can ping from SYS1 to SYS2. or make that machine internet enbale so that you can access it directly over the internet.
Alok Sahu

Moving SharePoint Form to another DMZ zone

Hi,
We have SharePoint application deployed on DMZ zone.So entire farm (WFE, APP & DB server) is under DMZ zone. however for some reason client is looking to move entire farm to another DMZ zone. I would like to know what are the aspects we need to
consider for this activity.
Best Regards,
Safder

A few things come to mind:
Active Directory location & firewall access
Network Routing
Reverse Proxies (if applicable)
Network Load Balancers
Server name / DNS / IP changes
URL changes (if needed)
Dimitri Ayrapetov (MCSE: SharePoint)

Setting multiple R12 iModules on same external tier which is in DMZ Zone

Experts,
Could some one guide me on how to setup more than one iModules on same external tier which is in DMZ Zone.
We have already setup iStore and its working fine.
Now we would like to extend it to other modules like : iPayables, iReceivables and iRecruitment.
Our current setup is :
Whenever external users try to access iStore : https://iStore.domain.com, It reaches F5 Load Balancer using SSL Port 443.
LB has the redirection rule setup to http://hostname.internal.domain.com:8000, with the help of 8000 port the requests reaches External Web Tier in DMZ Zone and gets served.
If we need to deploy/enable another iModules, how the setup needs to be served.
We referred the Metalink Note: 380490.1 for iStore setup.
Please advise as I am new to these external web tier setup.
Regards,
RR.

>
Yes, We have un-commented and written the rule as below for iStore as per the Metalink note.
RewriteRule ^/$ https://iStore.domain.com/OA_HTML/ibeCZzpHome.jsp [R,L]
However I am worried more about the defining routing rules in the reverse proxy:
as of now F5 mapping has -- https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8000
Would it fine if we write the mapping as https://iStore.domain.com:443 -> http://hostname.internal.domain.com:8002
Apologies if my understanding is wrong, as updated I am new to this external tier setups.
Regards,
RR.
>
Hi,
From your reverse proxy server setting it looks like you are planning on using module name in the url (i.e. https://iStore.domain.com:443) - in my case
what I did was I used a more generic url (e.g. https://sswa.domain.com - sswa meaning self service web apps) that way my url was not dependent upon a particular
module from the reverse proxy server. Since you mentioned change of port from 8000 (port pool zero) to 8002 (port pool two) - were you using
port 8000 and now planning on changing
your port on the system where you were already running iStore or is this for a non production/test system?
Hope this helps :-)
Regards,

Urgent: What ports should be required in DMZ zone?

Hi,
I am thinking the ports question might need to posted here. Please have a look on my posting in the following link:
Urgent: What ports should be required in DMZ zone?
Thanks and Regards,

Thanks, Ravi.
The environment I am working now won't allow me to guess and test. We are on the project and to submit a change request would take very long. So I need submit all neccessary ports correctly at one time.
Could anybody give me any suggestion? I read the TCP/IP ports for SAP documentation. But I don't think it can answer my questions above.

Exchange servers in DMZ zone

is it's right practice whether all exchange 2010 role servers in Dmz zone??
or need to place only cas server in DMZ ZOne??

Hello,
It is required to place at least one writable Domain Controller with Global Catalog in every Ad site where Exchange servers are going to be deployed.
Hope it helps,
Adam
www.codetwo.com
If this post helps resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others
find the answer faster.

Needing to create a DMZ zone/vlan on a small ASA.

Similar Messages

Maybe you are looking for