No traffic from Outside1 (Security level 100) attached Networks to DMZ and Viceversa
I have an ASA5510, i configured an Outside, 1 DMZ and 2 interfaces 100 security level (Outside1 and Inside). I can ping and have fluid traffic between DMZ and Inside interface, but don't have any kind of traffic between DMZ and the Outside1. I wrote the same configuration for both 100 Security Level interfaces. Also I have connected a Cisco 892 router to Outside1. When i have attached a computer instead of 892, traffic between Outside1 and DMZ is fluid. i need to have fluid traffic between networks connected to 892
Someone can help me? Here are the 2 configs:
ASA5510:
: Saved
ASA Version 8.2(1)
hostname ASAFCHFW
domain-name a.b.c
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.y.z.162 255.255.255.248
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-list 100 extended permit tcp any host x.y.z.163 eq https
access-list 100 extended permit tcp any host x.y.z.163 eq www
access-list 100 extended permit tcp any host x.y.z.163 eq 3000
access-list 100 extended permit tcp any host x.y.z.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.22 Outside
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 172.16.31.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 DMZ
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.31.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
: end
Cisco 892:
Current configuration : 3296 bytes
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname RouterHQFCH
boot-start-marker
boot-end-marker
enable secret 4
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1580540949
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1580540949
revocation-check none
rsakeypair TP-self-signed-1580540949
crypto pki certificate chain TP-self-signed-1580540949
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353830 35343039 3439301E 170D3134 30343134 31393433
30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383035
34303934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BC61 7D5F7F47 65203EC9 1207B83F 19EC7AC3 00404F99 A89FD64B 1F0F659F
E99062C2 3BB1E517 075BAF59 D361FFC9 4F872A14 A7528061 CF936F40 D03F234B
5641147F D2B4AB7D 9E10F36A 087F511B F68ABC6E 98F96C74 8EF5084B F490D91B
0EC05671 D8C5B7DD EE8F48C2 CD76F7C9 B8405DD6 42375B3C 8D04FDEF 555D0FA0
0FDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14FCB587 54EE2C1B 2B6DB648 A6FC0ECF 85062C8F 6A301D06
03551D0E 04160414 FCB58754 EE2C1B2B 6DB648A6 FC0ECF85 062C8F6A 300D0609
2A864886 F70D0101 05050003 81810033 A196E361 A273E890 146EF605 D7AB9235
52BA28F8 A526D8AE CD903257 E4E81C76 C85FBCD4 201DFF90 11FB1617 9210037E
B66299B3 FB2173D2 AFEC9B52 D2221BEA 9B8CC180 BE36F3AB D5811F9F 401043B0
4BDA8647 897D8FE7 6D753C4F 3C76A493 2C260C22 24E966EB BEE54A2A 51D58F21
23080B9D 9C5FD690 62C6B0C9 30C3AA
quit
license udi pid C892FSP-K9 sn FTX180484TB
username servicios privilege 15 password 7
username eguerra privilege 15 password 7
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
switchport access vlan 2
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
ip address 172.1.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet9
ip address 172.1.2.1 255.255.255.0
duplex auto
speed auto
interface Vlan1
ip address 192.168.2.2 255.255.255.0
interface Vlan2
ip address 192.168.100.200 255.255.255.0
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
control-plane
line con 0
password 7
login
no modem enable
line aux 0
line vty 0 4
password 7
login local
transport input all
scheduler allocate 20000 1000
end
Thanks in advance
Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps understand that you are not coming from a site that does not require ACLs, thus from lower to higher security interfaces you need to place ACLs, then there is a hole other world regarding NAT/PAT that involve same security interfaces that sometimes confuse customers so I also wanted to avoid that for you.
To enforce security between interfaces you need to know what protocols and ports are being used by servers that reside behind the higher security interface so you only open what is needed then block the rest to that higher security interface.
Similar Messages
-
My security cams record in a .264 file format HD. I want to view, edit, etc on my Mac, what software will do that and are there any easy tips to do this? I'm new to Mac's so I'm not sure what is the best format to convert to? mp4? Suggestions?
Thanks in advance. I do love the Mac so far.I have downloaded the trail....and it won't recognize my .264 files....not sure what the deal is? Here is a screen shot-they files are "grayed" out....and won't highlight. Do you see anything wrong? I'm pulling the files off of a Lorex DVR security system. LHD200
-
Speeds in gigabit / 100 mbit network with TC and other devices
My network has a Netgear WGT-624, that serves as DHCP server, NAT and Internet connection.
We have two mac minis (gigabit network), a G4 (standard Ethernet), some PC laptops (running 802.11b/g) and some laser printers and AIOs that runs 100 mbit Ethernet.
There's also an ancient Netgear hub, that I will replace with a D-link gigabit switch. The switch will serve the TC, a printer and the G4.
From what I understand, devices with gigabit will be able to communicate with other gigabit devices on the same network. But, will it work even if the TC is NOT used as the primary AP, but set in brigded mode? There's quite a difference in backup speed if the TC and the minis could talk to each other with gigabit.My network has a Netgear WGT-624, that serves as DHCP server, NAT and Internet connection.
We have two mac minis (gigabit network), a G4 (standard Ethernet), some PC laptops (running 802.11b/g) and some laser printers and AIOs that runs 100 mbit Ethernet.
There's also an ancient Netgear hub, that I will replace with a D-link gigabit switch. The switch will serve the TC, a printer and the G4.
From what I understand, devices with gigabit will be able to communicate with other gigabit devices on the same network. But, will it work even if the TC is NOT used as the primary AP, but set in brigded mode? There's quite a difference in backup speed if the TC and the minis could talk to each other with gigabit. -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: endHi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in a C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tied using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the gloabal and then I wouldn't know how to repoduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
I hope the 'Add Attachment' function actuals puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: endHi,
To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni -
Syn Timeout Traffic From VPNPool
Hello i know theres a lot topics about the subject but i been reading since past 2 weeks and i cant find my solution.
My VPN Cisco client connects to the ASA 5510 and everything looks good but when i try send traffic(RDP) nevers connects and the logs shows a syn timeout. Here is my Configuration i really appreciated any help
ASA Version 8.2(1)
hostname xxx
domain-name xxxx
enable password g.wfzl577L4IVnRL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.135.x 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
interface Ethernet0/2
no nameif
security-level 100
ip address 192.168.30.x 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx
name-server xx
domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended deny ip object-group Deny_Access any
access-list inbound extended permit tcp any object-group web-servers object-group web-ports
access-list inbound extended permit tcp 209.200.128.0 255.255.192.0 host 201.199.135.x object-group web-ports
access-list outbound extended permit ip object-group trusted any
access-list outbound extended permit tcp object-group web-servers any object-group web-ports
access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
access-list outbound extended permit tcp host 201.199.135.xx any object-group web-ports
access-list inside_access_in extended permit ip object-group trusted any log disable
access-list inside_access_in extended permit ip object-group DNS-Servers any log disable
access-list inside_access_in extended permit udp host WEB3 any eq ntp inactive
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ISA_access_in extended permit object-group Ports host 192.168.30.7 any
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging list configLog level debugging class auth
logging list configLog level debugging class config
logging list system-IDSLog level informational class ids
logging list system-IDSLog level informational class sys
logging buffer-size 10000
logging asdm informational
logging from-address xxxx
logging recipient-address xxxxx level notifications
no logging message 111008
no logging message 111007
mtu outside 1500
mtu inside 1500
mtu ISA 1500
mtu management 1500
ip local pool VPN-POOL 192.168.3.2-192.168.3.254 mask 255.255.255.0
ip audit name attackPolicy attack action alarm drop
ip audit name antiSnifferPolicy info action drop
ip audit interface outside attackPolicy
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ISA) 1 201.199.135.xx netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (ISA) 1 192.168.30.0 255.255.255.0
static (inside,outside) 201.199.xxx.xx WEB3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group ISA_access_in in interface ISA
route outside 0.0.0.0 0.0.0.0 201.199.135.113 1
route inside 0.0.0.0 0.0.0.0 10.1.1.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.56 community
snmp-server host inside 10.1.1.18 community
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetinbound interface ISA
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxx.xxxxxx
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 6ef8fc4f
308201f3 3082015c a0030201 0202046e f8fc4f30 0d06092a 864886f7 0d010105
0500303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
6372301e 170d3132 30393035 31333435 35345a17 0d323230 39303331 33343535
345a303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
63723081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e4
52687fe4 bc46d95c bb14cb51 c9ba2757 692683e2 315fb2cb 585c9785 295e9090
88dea89d 5a1497f5 49107a1f ea35d71b fd05d9ff 68766519 652f1ff9 d19dc584
310312b2 b369673f 70db355a 8d1e0a5e 4c825c27 7ad5e4f6 d36cbda7 b4ad77a5
f490d942 2ef2488a bcb97b3f 5795bbcd 5f5b5c5a ff965272 2c8deaa5 2aa78902
03010001 300d0609 2a864886 f70d0101 05050003 818100aa c1a3301a ec3898ac
18699233 9aa26005 ad6c326f 51228c6b ba6a91e8 2ac79a0c 2af687c1 17bce83f
bbf94b0e e6f09977 fad72c47 96d206ed c1157e67 79862e20 9f28cfa1 739c0fa2
81272d5d a7124fc0 f95904db 72eacc9a 772208e2 1edba72b 618ed8dc d3c1b8f7
5047604e f767eaf1 7ee5ed95 79ef9184 db62bcfb b71e6f
quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.30.5-192.168.30.20 ISA
dhcpd dns 4.2.2.2 200.91.75.5 interface ISA
dhcpd enable ISA
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VPNGP internal
group-policy VPNGP attributes
wins-server none
dns-server value 10.1.1.11 10.1.1.16
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value dotnet.co.cr
address-pools value VPN-POOL
username xxxx password gsUajqpee0ffkhsw encrypted
username xx password Wl5xhq9rOjTEyzHN encrypted privilege 15
username xxvpn password 9tblNqPJ2.cWaLSD encrypted
username xxvpn attributes
service-type remote-access
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
default-group-policy VPNGP
tunnel-group AnyConnect webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
smtp-server 10.1.1.20
prompt hostname context
Cryptochecksum:9720306792f52eac533976d69f0f3daa
: end
ThanksHi Oscar,
The configuration seems to be fine.
At this point lets troubleshoot the VPN communication.
The SYN timeout means that the server does not repond, or the SYN ACK never reached the ASA.
We need to place a packet capture on the inside interface as follows:
capture capin interface inside match ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Then you try to access the server via RDP and issue the "show capture capin" command.
Another good test would be the following:
packet-tracer input inside icmp 10.1.1.250 8 0 192.168.3.1 detail ---> where the 192.168.3.1 must be the IP of the VPN client
Attach the output of the "show capture capin" and "packet-tracer" output.
Let me know.
Portu.
Please rate any post you find useful. -
Allowing traffic from inside to outside ASA5505 7.2(3)
Hello,
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
Any help would be greatly appreciated. Thank you.Hi Kevin,
I can ping the outside world from the ASA itself. Unfortunately, I cannot assign DNS manually, it only accepts DHCP. I have set up a PC there with the same access list for testing purposes. I assigned public DNS to the test PC and that is unable to get out. When i do a show conn, this is what i get:
UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -
Here is my scrubbed config.
ASA Version 7.2(3)
hostname
domain-name .org
names
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address y.y.y.y
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
***Banner Removed***
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.34
name-server x.x.x.5
domain-name .org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object traceroute
icmp-object echo
icmp-object timestamp-reply
object-group icmp-type ALLOWED_ICMP_RESTRICTED
icmp-object echo-reply
access-list tempacl extended permit ip any any
access-list inside_out extended permit icmp any any object-group ALLOWED_ICMP
access-list inside_out extended permit ip any any
access-list outside_in extended permit icmp any any object-group ALLOWED_ICMP_RESTRICTED
access-list outside_in extended permit tcp any any eq ssh
access-list 101 extended permit ip host x.x.x.124 any log
access-list 101 extended permit ip host x.x.x.113 any log
access-list 101 extended permit ip any any
pager lines 40
logging enable
logging timestamp
logging buffer-size 256000
logging asdm-buffer-size 512
logging buffered notifications
logging trap errors
logging history informational
logging asdm errors
no logging message 400014
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name attack action alarm
ip audit name info action alarm
ip audit interface inside
ip audit interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
***http, SNMP, SSH info removed***
management-access inside
dhcpd dns x.x.x.5 x.x.x.34
dhcpd ping_timeout 750
dhcpd domain .org
dhcpd auto_config outside
dhcpd update dns
dhcpd address x.x.x.100-x.x.x.227 inside
dhcpd enable inside
vpnclient server xy.xy.xy.xy xy.xy.xy.xy
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup password
vpnclient username password
vpnclient management clear
vpnclient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Thanks for all your help! -
ASA Version 7.0(8)
hostname BUJ-IT-ASA-LAN-2
domain-name leo.bi
enable password MgKXXPviZgW4zhKc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description connects ucom lan
nameif inside
security-level 100
ip address 192.168.0.13 255.255.248.0
interface Ethernet0/1
description out interface
nameif outside
security-level 0
ip address 192.168.254.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username UcomIT password Tx95VR7l4gIiavnh encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.248.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
Cryptochecksum:ba068a6f85d256ce9351d903c60873e5
: endHi,
Its success really depends on the rest of the network that I dont know about.
If you hosts that you are using to PING/ICMP through the ASA are connected to the same network as the ASAs interface then you will have to make sure that the hosts both have routes towards the other network.
Also if on the "outside" of the ASA there are additional networking devices then you have to configure default route on the ASA also as mentioned in the other discussion.
route outside 0.0.0.0 0.0.0.0
The above replys ACL was just an example of the configuration format. If you wanted to allow ICMP then you would also have to allow ICMP
access-list OUTSIDE-IN permit icmp 192.168.254.0 255.255.255.0 192.168.0.0 255.255.248.0 echo
I dont see anything else wrong with the ASA configuration related to ICMP other than possibly the lacking of default route and allowing the ICMP from the "outside" with the ACL "OUTSIDE-IN".
Go through the network setup from one host to the other. On each step confirm that that device has route towards both of the networks. Otherwise the devices will naturally not be able to forward the ICMP messages from end to end.
- Jouni -
Help with asp ... security levels
I made a change to the security level for the end user. i add
a security feature by adding 12345 to their security level.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel
If (Request.Form("uname")<>"") Then
'user has submitted the form
'get the entered values and hit the database
Dim strUserName
Dim strPassword
'going to use an implicit connection, no connection object
needed
Dim objRS
strUserName = UCase(Request.Form("uname"))
strPassword = UCase(Request.Form("pwd"))
response.write("strUserName")
'prepare the RS
Set objRS = Server.CreateObject("ADODB.Recordset")
'set the sql statement
objRS.Source = "SELECT * FROM tblEmployee WHERE
strEmpUserName = '" & strUserName & "' AND strEmpPassword =
'" & strPassword & "'"
' heres the implicit connection
objRS.ActiveConnection =
"Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=c:\Inetpub\db\IMPCustomers.mdb"
objRS.CursorType = 0
objRS.CursorLocation = 3
objRS.Open
'check for EOF
If(objRS.EOF) Then
'no records matched, invalid login
Response.Redirect("invalidLogin.asp")
'strErrorMessage = "Invalid Login. Try Again."
validLogin = false
Else
'added intLevel to add more security on 3/29/07
intLevel = Cint(objRS("intEmpSecurityLevel"))
intLevel = intLevel + 12345
sLevel = intLevel
'valid login, set session variables
Session("username") = UCase(strUserName)
Session("userpass") = UCase(strPassword)
Session("sLevel") = sLevel
'Session("sLevel") = objRS("intEmpSecurityLevel") - changed
to add more security on 3/29/07
Session("fn") = objRS("strEmpFN")
'release the RS
Set objRS.ActiveConnection = Nothing
Set objRS = nothing
'redirect off this page
Response.Redirect("custSearch.asp")
End If
End If
%>
I'm now having trouble removing the 12345 from their security
level in the custSearch.asp.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError
'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'add on 3/29/07 for security
'get the security level
isum = sLevel
'take isum which contains sLevel and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS
strFN = Session("fn")
strErrorMessage = ("strError")
'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search
for a particular customer.</title>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" type="text/css"
href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css"
href="../css/forms.css" />
<style type="text/css">
/* HMTL selectors start here */
h2 {
margin-bottom:15px;
p {
margin-bottom:20px;
hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
/* HMTL selectors start here */
/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
/* id ends here */
</style>
<script language="JavaScript" type="text/JavaScript">
<!-- function MM_reloadPage(init) { //reloads the window
if Nav4 resized if (init==true) with (navigator) {if
((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight;
onresize=MM_reloadPage; }} else if (innerWidth!=document.MM_pgW ||
innerHeight!=document.MM_pgH) location.reload(); }
MM_reloadPage(true); //-->
</script>
</head>
<body>
<!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill
http://www.twinhelix.com -->
<script language="javascript" type="text/javascript"
src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript"
src="../js/pop_data.js"></script>
<!-- border begins here -->
<div id="border">
<!-- second nav start here -->
<div id="secNavBar"><a
href="../index.htm">Home</a> | <a
href="../htm/quality.htm">Quality</a>
| <a href="../htm/contactUs.htm">Contact
Us</a> | <a
href="../htm/siteMap.htm"> Site
Map</a></div>
<!-- logo starts here -->
<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74"
href="../index.htm" alt="Return to home page" />
</map>
</div>
<!-- primary navigation div tags starts here -->
<div id="priNav">
<a id="home" name="home"
style="visibility:hidden;">Home</a>
<!-- primary navigation div tags ends here -->
</div>
<!-- main text starts here -->
<div id="mainText">
<h2>Customer Database </h2>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
<%=strFN%></p>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Please
search for a customer by using the fields below. You can use one
field or multiple fields for your search.</p>
<!-- signIn form starts here -->
<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search"
id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text"
name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25"
maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25"
maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>
<!-- customer search form ends here -->
</div>
<blockquote> </blockquote>
<!-- signIn form ends here -->
</div>
<!-- main text ends here -->
</div>
<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365
• Main (919) 658-2200 • Fax (919) 658-2268<br />
©2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>
<script language="javascript" type="text/javascript"
src="../js/pop_events.js"></script>
<!-- Places text blinker in the uname text box thru
javascript -->
<script language="javascript" type="text/javascript">
document.search.clname.focus();
</script>
<!-- javascript ends here -->
<%
Response.Write(Session("username")) & "<br />"
Response.Write(Session("userpass")) & "<br />"
Response.Write(Session("sLevel")) & "<br />"
Response.Write(Session("intS")) & "<br />"
%>
</body>
</html>
What am I doing wrong?"pqer" <[email protected]> wrote in message
news:eugsik$kt5$[email protected]..
> What am I doing wrong?
1. You're allowing unfiltered user input into your SQL query.
I could do
some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why
add a constant
to the security level just to subtract it again when you
actually want to
use it? You're just making more work for yourself. There is
no benefit
there. -
Permit traffic from Inside to Outside, but not Inside to medium security interface
Can someone just clarify the following. Assume ASA with interfaces as :
inside (100) (private ip range 1)
guest (50) (private ip range 2)
outside (0) (internet)
Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
What’s the best practice way to achieve this?Hi,
The "security-level" alone is ok when you have a very simple setup.
I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
If you want to control traffic from "inside" to any other interfaces (and its networks) I would suggest the following
Create and "object-group" containing all of the other network
Create an ACL for the "inside" interface
First block all traffic to other networks using the "object-group" created
After this allow all rest of the traffic
In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
For example a situation where you have interfaces and networks
WAN
LAN-1 = 10.10.10.0/24
LAN-2 = 10.10.20.0/24
DMZ = 192.168.10.0/24
GUEST = 192.168.100.0/24
You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
object-group network BLOCKED-NETWORKS
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interfaces connections to the others then you could do minor additions
Have all your local networks configured under the "object-group"This way you can use the same "object-group" for each interface ACL
object-group network BLOCKED-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
access-list LAN-2-IN remark Block Traffic to Other Local Networks
access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-2-IN remark Allow All Other Traffic
access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
access-list DMZ-IN remark Block Traffic to Other Local Networks
access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
access-list DMZ-IN remark Allow All Other Traffic
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-list GUEST-IN remark Block Traffic to Other Local Networks
access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
access-list GUEST-IN remark Allow All Other Traffic
access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
Then you could basically use the same type ACLs in each interface. (Though still separate ACLs for each interface) And as I said if you need to open something between local networks then insert the correct "permit" tule at the top of the ACL.
Hope this helps
- Jouni -
Use of Security Level on ASA with ACLs
Hi,
On my configuration, I'm using extended on the inbound of my 3 interfaces (inside,dmz,outside). I was wondering if there I should remove the security levels or if they are of any use since I have ACL in place already.Hi,
After you have attached an ACL inbound to an interface it controls the traffic for networks behind that interface. So security-levels dont have a major role anymore.
Though you should consider that there are still situations where the "security-level" might come into the picture.
If you have identical "security-level" interfaces and you want to allow traffic between them then ACLs wont be enough but you also need to use the "same-security-traffic permit " format command to allow the traffic.
Atleast in software 8.2 there is still some limitations regarding NAT depending on the "security-level" of the source and destination of the interface. I think for example you need to do Dynamic NAT/PAT between interfaces you cant do this from lower to higher direction.
Best bet is to refer to your current software level Cisco documents. Both the Command Reference and Configuration Guide PDFs found online provide good information on these commands
Please rate if the information was helpfull and/or ask more questions if needed
- Jouni -
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
endWhy do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ? -
ASA 5510 traffic from inside to outside
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
Any ideas please?Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow -
Ms word95 to pdf - "security level too high"?
I'm a brand new user of Acrobat 9.0 (on XP system) - all kinds of problems (including major file crash and loss during 9.0 installation - more on that later). for now, I need to get started immediately on converting some MS Word doc files to pdfs - What I get from 9.0 is the message that "The Security Level is Too High". If it's referring to the MS word docs, they are unprotected (I've checked and tried several - Word shows they are not protected, and as far as I know, never have been). They were originally created on a mac with macWord - but were not protected and converted to windows with MacDrive7. They show in MS Word in good condition and unprotected. What do I need to do to get them into acrobat and into pdf format? I've also check the knowledge base here and elswhere without any clues except one chap who seemed to be having similar problems (along with serious crashes) using 8.1. Other than that, I'm mistified.
I've also tried using the context menu 'covert to pdf' method and also creating a new pdf (blank) and inserting them. In both cases the security message aborted the process. Need to do this right away. I'm not technically skilled, so if someone can give me some clear instructions I'd be grateful. - redThank you all for responding so quickly. First, I'll mention the serious message and a warning. DO NOT INSTALL ACROBAT 9.0 IN AN ENVIRONMENT WITH WORD 7.0 (or any old(er) MS Word version before 2k). The consequences are ghastly, including the deletion of half or more of your program files (including your email clients, av software and other primary programs), the corruption of your browser, registry (including restore points) and other not so nice events - worse than most bad viruses. That's a problem Adobe and I will probably be taking a look at next week. Mean time, they indicate that they are going to add the matter to their KB and elswhere so that users have a heads-up on the issue.
As for the conversion problem from Word 7.0 .doc to .pdf - Bill, you just about nailed it. It was, indeed, a problem that could be circumvented by going to the printer dialog and setting the printer to 'Adobe pdf file' (something a novice wouldn't think of, nor line tech-support for that matter.). As far as Word/pdf 'printer' is concerned you're just printing the file. However, as I understand things, that's how Adobe attaches the Word documents - It does it through the printer interface. Once that setting is changed to 'Adobe pdf printer' the file is simply picked from the print queue (or before) and loaded into A9. Save it from A9, and the job is done. So, Bill, If Adobe hadn't found the answer, I do believe you would have been telling me exactly how to do it after a few more posts. The credit, though, goes to Neo Johnson, tech-support supervisor in New Delhi. The last two days (almost 9 hours of phone time) were spent with various tech-support agents at Adobe; but, he was the one who finely thought about the interaction between A9 and Word and figured it out.
Ok -that's the brief. The rest is a little history/background for whomever is interested (skip, otherwise - not important). The problem begins with failure to install - first, setup can't find the msi file - it was there, and I browsed it, so that was solved. Then 'invalid licensing - process stopped' messages appear. That was a little tougher and http://kb2.adobe.com/cps/405/kb405970.html and some other articles had me doing repair, reinstall, and other complex (for me) procedures. One of the problems was that flexnet had failed to install, which was a stumper for me (I couldn't find it to download separately - barely knew what it was/did - and finally understood that Adobe was supposed to install it. After that, I did several uninstalls, to no effect. Finally I did a few moderate and then deep uninstalls (with Revo) and several reinstalls. Things got progressively worse. On one reboot, my desktop came up and all the program icons were broken links. I examined targets and such and then went to my 'program files' directory. To my horror, nearly all my primary program (including thunderbird email client, AVG etc.) files had disappeared. The folders were simply empty. Firefox still loaded, but the tabs were non functional. Several checks and some light disc analysis indicated the files vanished. No trace. However, my document folders and data were intact (also backed-up). I went to restore and found that all the old restore points (including the one's Revo sets before uninstalling) were gone. If it had been a virus, it couldn't have done a better job at making a mess of things. At that point, I knew the registry had been toasted and I was facing a complete OS reinstall. Instead, I opted for reinstalling some of the critical programs (and because the document files appeared to be intact). After the first few - thunderbird, firefox etc. - I was relieve to find that they were picking up on the old settings and restoring themselves to their previous states. I still have a number of these to do - and a few must be re-configured. But that's going ok.
Then the saga of Adobe, several phone calls; several times the phone connection was cut off and I had to call again and start over from the beginning with a new person. The matter always had to be esculated to the next tier - more time, more cues, no solutions. They went over the firefox settings, the adobe settings. They were puzzled about the broken links. Attempts to open doc files (after a fresh install of winword) were resulting in 'invalid win32 application'. All kinds of problems made progress difficult. We cleared up the 'invalid....' messages by reparing the file associations (in XP folder options) and then opening the docs in Word and resaving them as something else. It was a labor. Finally, there was simply no answer except, like the post here, Word 7 is simply too old and uses different scripting. The only solution was to either buy (ugh, ouch!) Word 2007 (and hope that it would load them and save them in A9 useable form) or, try installing Word2k (which I have) and processing them through that; and, then using Acrobat 8.x to load those and save the pdfs for A9 to use. However, when Adobe said they could not provide me with a free (even trial) version of 8.x to do the job - licensing problems etc. -- It seemed like a really ugly solution. Finally, I'm begging Adobe to give me a free copy of 8.x and in steps Neo. He can't provide the free copy, but he asks a few questions himself. We go to Adobe and reset some of the security settings (something other agents didn't know or think of). No dice - still can't load the docs. But then he says, Open up Word. Ok. load the file and then hit 'print' - ok, the print dialog comes up. 'Now,' he says, 'open the properties and see what printers are listed.' Ok I do that, and I'll be... 'Adobe pdf printer' is among them. "Just what I thought," he said, Adobe was hooking up with word, but didn't have its printer to attach." So we set 'Adobe pdf' as the printer and lo and behold, the docs loaded into Adobe as pdfs. End of that story. (so bill, you had it too - wish you had answered the phone in the first place!)
Clean up. So, there's a few simple solutions, I think (though i'm no techie and you folks will certainly have better ideas). First, I don't buy the story that early versions of Word are either 1) unsupported by MS or, 2) nobody uses them, as valid reasons why not to fix the problem of the "unloadable" docs. I figure there are at least a couple of aproaches and easy patches that will correct the matter. One is from the Word side - to is to set the current printer setting to use 'Adobe printer', get the file and then reset the printer back to what it was - default. The other is to patch A9 to detect legacy source applications and bypass things that would normally make the file unloadable, unless, of course, they were actually protected or, read only files. In that case, Adobe could simply inform the user to 'unprotect' them, the same as it now does with its 'Security Setting too High' message for later versions. I'm sure there are even better ways. But, that would fix things as far as file loading and conversion.
As to the installation and crash problems - those need to be addressed. Even if its only a few dozen people that might have the same problem, it needs 1) to be given as a noticable warning and keyword in Adobe documents (which now simply indicate that it can process .doc files); 2) it needs to be examined to insure systems that have Word 7.x or older can install without problem, and certainly without harming their system. Adobe has a good reputation and does a good job. That's worth protecting with all customers, even if Marketing can't quite see why and the bean counters can't find much profit in the task. It's what I expect from professionals and to do less certainly subtracts from Adobe's standing. That should be worth a great deal, I would imagine.
Anyway, thanks folks - got to get some sleept, and then get those pdfs done and sent to people who are waiting for them. - best to you all, red. -
I've just bought this phone. I've never used a Nokia, and so I am not familiar with the interface. I've had a play around though and have figured out most of it. Regarding security, I have done the following:
- Reset PIN and phone now asks for it at start-up;
- Reset security code;
- Turned on automatic keyguard, but left it so it does not ask for security code.
I'm unsure though about the Security Level setting (Menu>Settings>Security>Security_Level).
It gives 2 options, Memory or Phone. If someone could explain what this setting is for, it would be much appreciated.
Is it also possible to lock the phone to only use my sim?
Regarding the PIN at start-up, is it attached to the sim or the phone? In other words, if I change the sim, will the phone still ask for and require the same PIN?
Thank you in advance for any response. : )here is answer from nokia web site (i underline answer)
(http://www.nokia.co.uk/support/product-support/2720-fold/faq#08 )
How do I set the security level on my Nokia device?
Select Menu > Settings > Security (or Security settings) > Security level. Enter your security code and select OK.
Select Phone, and the phone will request the security code whenever a new Subscriber Identity Module (SIM) card is inserted into the phone.
Select Memory, and the phone will request the security code when the SIM card memory is selected and you want to change the memory in use.
hope this helps
cheers!
Maybe you are looking for
-
How do I get the spinning circle to stop?
I've had this for 2 months and it has been great until this morning. I tried to turn it off and it is just stuck on the spinning shut down circle on the black background. Won't respond to anything. Thanks for the help.
-
Why use so much memory?!
I am using Java Desktop on Solaris 10. The Sun Blade150 machine has 768M physical memory and more than 400M is used before I start anything other than mozilla! That's more than double than any windows machines I have ever used. I just joined this com
-
How many open ports on router?
We just made an appointment for FIOS internet/TV/phone. We currently have Dish TV, Charter Cable internet and Verizon phone all billing seperate so we're getting the bundle and saving a ton. :-) The phone rep didn't know much about the router. She s
-
Machine Description - Windows 8.1 x64 (Keypoard, touchpad only no touchscreen !) 8Gb Ram, i7 Processor, Nvidia 630M 2GB Adobe reader installed on my 128Gb SSD. Problem is same whether small/large file is opened from SSD or my another HDD. Disabled al
-
Mac Audio Driver (for Screenflow) will not install
I have downloaded a program called Screenflow, which records video and audio of my desktop. It used to work fine with my MacBook Pro but it doesn't work with my new iMac (Lion). The program is supposed to record the computer audio, and when I try to