Open firewall Ports despite DENY- ALL access rule

Similar Messages

• 5520 to 5525 all access rules being ignored.

  I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working.  Could someone take a look at our config and maybe inlighten me on the problem please.  Thanks,
  http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
  : Saved
  : Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
  ASA Version 8.6(1)2
  hostname ColASA01-HA
  domain-name corp.COMPANY.com
  names
  name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
  name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
  name 74.XXX.XXX.132 ColVPN- description Colo VPN External
  name 172.22.5.138 ww2 description ww2 Internal
  name 74.XXX.XXX.138 ww2- description ww2 External
  name 172.22.5.139 www1 description www1 Internal
  name 74.XXX.XXX.139 www1- description www1 External
  name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
  name 172.22.5.143 ColSysAid description ColSysAid Internal
  name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
  name 172.22.5.141 Colww3 description Colww3 Internal
  name 74.XXX.XXX.141 Colww3- description Colww3 External
  name 10.1.1.100 Facts description Facts Internal
  name 74.XXX.XXX.135 Facts- description Facts External
  name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
  name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
  name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
  name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
  name 172.22.5.146 ColBI01 description ColBI01 Internal
  name 74.XXX.XXX.146 ColBI01- description ColBI01 External
  name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
  name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
  name 172.22.5.149 ambutrak description AmbuTRAK Internal
  name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
  name 172.22.5.136 NSTrax description NSTrax Internal
  name 74.XXX.XXX.136 NSTrax- description NSTrax External
  name 172.22.5.150 btmu description BTMU Internal
  name 74.XXX.XXX.150 btmu- description BTMU External
  name 172.22.5.155 w2k-isoft description w2k-isoft Internal
  name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
  name 172.22.5.142 Colexch01 description Colexch01 Internal
  name 172.22.5.151 Coltixdb description Coltxdb Internal
  name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
  name 172.22.5.156 colexcas description colexcas Internal
  name 74.XXX.XXX.156 colexcas- description colexcas External
  name 172.22.3.74 colexcas01 description colexcas01 Internal
  name 172.22.3.75 colexcas02 description colexcas02 Internal
  name 172.22.5.157 ColFTP01 description ColFTP01 Internal
  name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
  name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
  name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
  name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
  name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
  name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
  name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
  name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
  name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
  name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
  name 172.22.5.153 colas2 description colas2 Internal
  name 172.22.5.160 colww5 description colww5 Internal
  name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
  name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
  name 172.22.3.100 ColVPN description Colo VPN Internal
  name 172.22.5.134 intra.COMPANY.com description on NewPortal
  name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
  name 10.1.0.80 asgard description asgard Internal
  name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
  name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
  name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
  name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
  name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
  name 10.1.0.87 dubexcas description Dublin CAS NLB
  name 10.1.0.85 dubexcas01 description Dublin CAS Server
  name 10.1.0.86 dubexcas02 description Dublin CAS Server
  name 74.XXX.XXX.166 collync01- description Lync Edge Server External
  name 74.XXX.XXX.167 coltmg01- description TMG Server External
  name 172.23.2.166 collync01 description Lync Edge Server DMZ
  name 172.23.2.167 coltmg01 description TMG Server DMZ
  name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
  name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
  name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
  name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
  name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
  name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
  name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
  name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
  name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
  name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
  name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
  name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
  name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
  name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
  name 10.1.0.0 DublinData description Dublin Data Network
  name 10.2.0.0 SouthavenData description Southaven Data Network
  name 10.0.0.0 BrentwoodData description Brentwood Data Network
  name 10.8.0.0 GilbertData description Gilbert Data Network
  name 10.101.0.0 DublinVoIP description Dublin VoIP Network
  name 10.110.0.0 PMI_SonicWALL-VOICSubnet
  name 172.24.3.50 ColUT04-PCITrust
  name 172.22.3.31 coldc01
  name 172.22.3.4 coldc02
  name 172.22.3.23 ColWSUS02 description Windows Update Server
  name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
  name 172.22.3.150 ColPRTG01 description PRTG Monitor
  dns-guard
  interface GigabitEthernet0/0
  description Connected to Internet via COLRTR01
  speed 100
  duplex full
  shutdown
  nameif outside
  security-level 0
  ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
  ospf cost 10
  interface GigabitEthernet0/1
  description Connected to Colo LAN
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
  ospf cost 10
  authentication key eigrp 10 Fiyalt1 key-id 1
  authentication mode eigrp 10 md5
  interface GigabitEthernet0/2
  nameif DMZ
  security-level 10
  ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
  ospf cost 10
  interface GigabitEthernet0/3
  description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
  nameif Colo_PCI_Trust
  security-level 100
  ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
  ospf cost 10
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/6
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/7
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
  ospf cost 10
  management-only
  boot system disk0:/asa861-2-smp-k8.bin
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name corp.COMPANY.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj-172.22.255.0
  subnet 172.22.255.0 255.255.255.0
  object network PMI_SonicWALL-Subnet
  subnet 10.10.0.0 255.255.0.0
  object network obj-172.24.3.0
  subnet 172.24.3.0 255.255.255.0
  object network ColWSUS02
  host 172.22.3.23
  object network ambutrak
  host 172.22.5.149
  object network ambutrak-
  host 74.XXX.XXX.149
  object network btmu
  host 172.22.5.150
  object network btmu-
  host 74.XXX.XXX.150
  object network ColBarracuda
  host 172.22.5.133
  object network ColBarracuda-
  host 74.XXX.XXX.133
  object network ColBI01
  host 172.22.5.146
  object network ColBI01-
  host 74.XXX.XXX.146
  object network colexcas
  host 172.22.5.156
  object network colexcas-
  host 74.XXX.XXX.156
  object network ColMOSS01
  host 172.22.5.147
  object network ColMOSS01-
  host 74.XXX.XXX.147
  object network COMPANY.com
  host 172.22.5.154
  object network COMPANY.com-
  host 74.XXX.XXX.154
  object network Coltixdb
  host 172.22.5.151
  object network Coltixdb-
  host 74.XXX.XXX.151
  object network Colww3
  host 172.22.5.141
  object network Colww3-
  host 74.XXX.XXX.141
  object network ColSysAid
  host 172.22.5.143
  object network ColSysAid-
  host 74.XXX.XXX.143
  object network ColVPN
  host 172.22.3.100
  object network ColVPN-
  host 74.XXX.XXX.132
  object network colas2
  host 172.22.5.153
  object network as2.COMPANY.com-
  host 74.XXX.XXX.153
  object network Dubmss01
  host 10.101.0.24
  object network Dubmss01-
  host 74.XXX.XXX.145
  object network Facts
  host 10.1.1.100
  object network Facts-
  host 74.XXX.XXX.135
  object network ftp.COMPANY.co.uk
  host 172.22.5.144
  object network ftp.boundree.co.uk-
  host 74.XXX.XXX.144
  object network NSTrax
  host 172.22.5.136
  object network NSTrax-
  host 74.XXX.XXX.136
  object network w2k-isoft
  host 172.22.5.155
  object network w2k-isoft-
  host 74.XXX.XXX.155
  object network www1
  host 172.22.5.139
  object network www1-
  host 74.XXX.XXX.139
  object network ww2
  host 172.22.5.138
  object network ww2-
  host 74.XXX.XXX.138
  object network ColFTP01
  host 172.22.5.157
  object network ColFTP01-
  host 74.XXX.XXX.157
  object network www.COMPANY.com
  host 172.22.5.158
  object network www.COMPANY.com-
  host 74.XXX.XXX.158
  object network act.COMPANY.com
  host 172.22.5.159
  object network act.COMPANY.com-
  host 74.XXX.XXX.159
  object network colww5
  host 172.22.5.160
  object network Rewards.COMPANY.com-
  host 74.XXX.XXX.160
  object network ColdevAS2
  host 172.22.5.161
  object network as2test.COMPANY.com-
  host 74.XXX.XXX.161
  object network intra.COMPANY.com
  host 172.22.5.134
  object network intra.COMPANY.com-
  host 74.XXX.XXX.134
  object network asgard
  host 10.1.0.80
  object network www.COMPANY.net-
  host 74.XXX.XXX.163
  object network crmws.COMPANY.com
  host 172.22.5.165
  object network crmws.COMPANY.com-
  host 74.XXX.XXX.165
  object network dubngwt
  host 10.1.5.137
  object network dubngwt-
  host 74.XXX.XXX.137
  object network COMPANYfed.com
  host 172.22.5.168
  object network COMPANYfed.com-
  host 74.XXX.XXX.168
  object network www1.COMPANYfed.com
  host 172.22.3.63
  object network www1.COMPANYfed.com-
  host 74.XXX.XXX.171
  object network www2.COMPANYfed.com
  host 172.22.3.64
  object network www2.COMPANYfed.com-
  host 74.XXX.XXX.172
  object network www1.COMPANY.com
  host 172.22.3.60
  object network www1.COMPANY.com-
  host 74.XXX.XXX.169
  object network www2.COMPANY.com
  host 172.22.3.61
  object network www2.COMPANY.com-
  host 74.XXX.XXX.170
  object network ColPRTG01
  host 172.22.3.150
  object network monitor.COMPANY.com-
  host 74.XXX.XXX.175
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network collync01
  host 172.23.2.166
  object network collync01-
  host 74.XXX.XXX.166
  object network coltmg01
  host 172.23.2.167
  object network coltmg01-
  host 74.XXX.XXX.167
  object-group service DM_INLINE_SERVICE_1
  service-object gre
  service-object tcp destination eq pptp
  object-group service Barracuda tcp
  port-object eq 8000
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq ssh
  group-object Barracuda
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  object-group service DM_INLINE_TCP_3 tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  object-group service DM_INLINE_TCP_5 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_7 tcp
  port-object eq www
  port-object eq https
  object-group service mySQL tcp
  description mySQL Database
  port-object eq 3306
  object-group service DM_INLINE_TCP_9 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_10 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_11 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_12 tcp
  port-object eq www
  port-object eq https
  object-group service as2 tcp
  description as2
  port-object eq 4080
  port-object eq 5080
  port-object eq https
  port-object eq 6080
  object-group network DM_INLINE_NETWORK_2
  network-object host ColBarracuda
  network-object host ww2
  network-object host www1
  network-object host colexcas01
  network-object host colexcas02
  network-object host colexcas
  network-object host test.COMPANY.com
  network-object host colexcas01NLB
  network-object host colexcas02NLB
  network-object host dubexcas01
  network-object host dubexcas02
  network-object host dubexcas
  object-group service SQLServer tcp
  description Microsoft SQL Server
  port-object eq 1433
  object-group service DM_INLINE_TCP_13 tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  object-group service DM_INLINE_TCP_14 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_15 tcp
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_1
  network-object host as2.COMPANY.com-
  network-object host as2test.COMPANY.com-
  object-group service DM_INLINE_TCP_6 tcp
  port-object eq www
  port-object eq https
  object-group service rdp tcp
  description Remote Desktop Protocol
  port-object eq 3389
  object-group service DM_INLINE_TCP_8 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_16 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_17 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_4 tcp
  port-object eq www
  port-object eq https
  object-group service LyncEdge tcp-udp
  description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
  port-object eq 3478
  port-object eq 443
  port-object eq 444
  port-object range 50000 59999
  port-object eq 5061
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_TCP_18 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_19 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_20 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_21 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_22 tcp
  port-object eq www
  port-object eq https
  object-group network PMIVPNNetworks
  description VPN Networks to PMI
  network-object BrentwoodData 255.255.0.0
  network-object DublinData 255.255.0.0
  network-object SouthavenData 255.255.0.0
  network-object GilbertData 255.255.0.0
  network-object 172.22.0.0 255.255.0.0
  network-object DublinVoIP 255.255.0.0
  object-group network PMI_SonicWALL-Subnets
  network-object PMI_SonicWALL-Subnet 255.255.0.0
  network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
  object-group network COLDCs
  network-object host coldc01
  network-object host coldc02
  access-list inside_access_in remark Allow SMTP from certain servers.
  access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
  access-list inside_access_in remark No SMTP except from allowed servers
  access-list inside_access_in extended deny tcp any any eq smtp log errors
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in remark For debugging (can enable logging)
  access-list inside_access_in extended deny ip any any
  access-list outside_access_in remark Allow Ping
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in remark Allow VPN
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
  access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
  access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
  access-list outside_access_in remark Allow SMTP, SSH, and Web
  access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
  access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
  access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
  access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
  access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
  access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
  access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
  access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
  access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
  access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
  access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
  access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
  access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
  access-list outside_access_in remark Allow SSH to Facts
  access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
  access-list outside_access_in remark Allow mySQL to NSTrax for IQ
  access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
  access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
  access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
  access-list outside_access_in remark Allow IMAP to the Voice Mail Server
  access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
  access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
  access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
  access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
  access-list outside_access_in extended permit tcp any object btmu- eq ftp
  access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
  access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
  access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
  access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
  access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
  access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
  access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
  access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
  access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
  access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
  access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
  access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
  access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
  access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
  access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
  access-list outside_access_in remark Allow AS2 to w2k-isoft
  access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
  access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
  access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
  access-list outside_access_in remark Allow FTP to ColFTP01
  access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
  access-list outside_access_in remark allow http/https access in intra.COMPANY.com
  access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
  access-list outside_access_in remark Allow http and https to asgard
  access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
  access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
  access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
  access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
  access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
  access-list outside_access_in remark Allow Lync Edgel traffic to collync01
  access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
  access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
  access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
  access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
  access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
  access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
  access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
  access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
  access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
  access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
  access-list outside_access_in remark For debugging (can enable logging)
  access-list outside_access_in extended deny ip any any
  access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
  access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
  access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
  access-list Colo_PCI_Trust_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm warnings
  logging mail critical
  logging from-address [email protected]
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  mtu Colo_PCI_Trust 1500
  mtu management 1500
  ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
  failover
  failover lan unit primary
  failover lan interface HA GigabitEthernet0/7
  failover key Fiyalt!
  failover link HA GigabitEthernet0/7
  failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
  no monitor-interface DMZ
  no monitor-interface Colo_PCI_Trust
  no monitor-interface management
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
  asdm image disk0:/asdm-66114.bin
  asdm location ColVPN- 255.255.255.255 inside
  asdm location ColBarracuda- 255.255.255.255 inside
  asdm location ColBarracuda 255.255.255.255 inside
  asdm location ww2- 255.255.255.255 inside
  asdm location www1- 255.255.255.255 inside
  asdm location ww2 255.255.255.255 inside
  asdm location www1 255.255.255.255 inside
  asdm location Colww3- 255.255.255.255 inside
  asdm location Colww3 255.255.255.255 inside
  asdm location ColSysAid- 255.255.255.255 inside
  asdm location ColSysAid 255.255.255.255 inside
  asdm location Facts 255.255.255.255 inside
  asdm location Facts- 255.255.255.255 inside
  asdm location NSTrax- 255.255.255.255 inside
  asdm location ftp.boundree.co.uk- 255.255.255.255 inside
  asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
  asdm location Dubmss01 255.255.255.255 inside
  asdm location Dubmss01- 255.255.255.255 inside
  asdm location ColBI01- 255.255.255.255 inside
  asdm location ColBI01 255.255.255.255 inside
  asdm location ColMOSS01 255.255.255.255 inside
  asdm location ColMOSS01- 255.255.255.255 inside
  asdm location ambutrak- 255.255.255.255 inside
  asdm location ambutrak 255.255.255.255 inside
  asdm location NSTrax 255.255.255.255 inside
  asdm location btmu- 255.255.255.255 inside
  asdm location btmu 255.255.255.255 inside
  asdm location COMPANY.com- 255.255.255.255 inside
  asdm location COMPANY.com 255.255.255.255 inside
  asdm location as2.COMPANY.com- 255.255.255.255 inside
  asdm location colas2 255.255.255.255 inside
  asdm location w2k-isoft- 255.255.255.255 inside
  asdm location w2k-isoft 255.255.255.255 inside
  asdm location Coltixdb- 255.255.255.255 inside
  asdm location Coltixdb 255.255.255.255 inside
  asdm location colexcas- 255.255.255.255 inside
  asdm location colexcas01 255.255.255.255 inside
  asdm location colexcas02 255.255.255.255 inside
  asdm location colexcas 255.255.255.255 inside
  asdm location ColFTP01- 255.255.255.255 inside
  asdm location ColFTP01 255.255.255.255 inside
  asdm location www.COMPANY.com- 255.255.255.255 inside
  asdm location www.COMPANY.com 255.255.255.255 inside
  asdm location act.COMPANY.com- 255.255.255.255 inside
  asdm location act.COMPANY.com 255.255.255.255 inside
  asdm location Rewards.COMPANY.com- 255.255.255.255 inside
  asdm location colww5 255.255.255.255 inside
  asdm location as2test.COMPANY.com- 255.255.255.255 inside
  asdm location ColdevAS2 255.255.255.255 inside
  asdm location test.COMPANY.com 255.255.255.255 inside
  asdm location colexcas01NLB 255.255.255.255 inside
  asdm location colexcas02NLB 255.255.255.255 inside
  asdm location ColVPN 255.255.255.255 inside
  asdm location intra.COMPANY.com- 255.255.255.255 inside
  asdm location intra.COMPANY.com 255.255.255.255 inside
  asdm location asgard 255.255.255.255 inside
  asdm location www.COMPANY.net- 255.255.255.255 inside
  asdm location crmws.COMPANY.com- 255.255.255.255 inside
  asdm location crmws.COMPANY.com 255.255.255.255 inside
  asdm location dubngwt- 255.255.255.255 inside
  asdm location dubngwt 255.255.255.255 inside
  asdm location dubexcas01 255.255.255.255 inside
  asdm location dubexcas02 255.255.255.255 inside
  asdm location dubexcas 255.255.255.255 inside
  asdm location collync01- 255.255.255.255 inside
  asdm location coltmg01- 255.255.255.255 inside
  asdm location collync01 255.255.255.255 inside
  asdm location coltmg01 255.255.255.255 inside
  asdm location COMPANYfed.com- 255.255.255.255 inside
  asdm location COMPANYfed.com 255.255.255.255 inside
  asdm location www1.COMPANY.com- 255.255.255.255 inside
  asdm location www2.COMPANY.com- 255.255.255.255 inside
  asdm location www1.COMPANYfed.com- 255.255.255.255 inside
  asdm location www2.COMPANYfed.com- 255.255.255.255 inside
  asdm location www1.COMPANY.com 255.255.255.255 inside
  asdm location www2.COMPANY.com 255.255.255.255 inside
  asdm location www1.COMPANYfed.com 255.255.255.255 inside
  asdm location www2.COMPANYfed.com 255.255.255.255 inside
  asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
  asdm location PMISonicWALL 255.255.255.255 inside
  asdm location BrentwoodData 255.255.0.0 inside
  asdm location GilbertData 255.255.0.0 inside
  asdm location coldc01 255.255.255.255 inside
  asdm location coldc02 255.255.255.255 inside
  asdm location ColWSUS02 255.255.255.255 inside
  asdm location monitor.COMPANY.com- 255.255.255.255 inside
  asdm location ColPRTG01 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
  nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
  nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
  nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
  object network ambutrak
  nat (inside,outside) static ambutrak-
  object network btmu
  nat (inside,outside) static btmu-
  object network ColBarracuda
  nat (inside,outside) static ColBarracuda-
  object network ColBI01
  nat (inside,outside) static ColBI01-
  object network colexcas
  nat (inside,outside) static colexcas-
  object network ColMOSS01
  nat (inside,outside) static ColMOSS01-
  object network COMPANY.com
  nat (inside,outside) static COMPANY.com-
  object network Coltixdb
  nat (inside,outside) static Coltixdb-
  object network Colww3
  nat (inside,outside) static Colww3-
  object network ColSysAid
  nat (inside,outside) static ColSysAid-
  object network ColVPN
  nat (inside,outside) static ColVPN-
  object network colas2
  nat (inside,outside) static as2.COMPANY.com-
  object network Dubmss01
  nat (inside,outside) static Dubmss01-
  object network Facts
  nat (inside,outside) static Facts-
  object network ftp.COMPANY.co.uk
  nat (inside,outside) static ftp.COMPANY.co.uk-
  object network NSTrax
  nat (inside,outside) static NSTrax-
  object network w2k-isoft
  nat (inside,outside) static w2k-isoft-
  object network www1
  nat (inside,outside) static www1-
  object network ww2
  nat (inside,outside) static ww2-
  object network ColFTP01
  nat (inside,outside) static ColFTP01-
  object network www.COMPANY.com
  nat (inside,outside) static www.COMPANY.com-
  object network act.COMPANY.com
  nat (inside,outside) static act.COMPANY.com-
  object network colww5
  nat (inside,outside) static Rewards.COMPANY.com-
  object network ColdevAS2
  nat (inside,outside) static as2test.COMPANY.com-
  object network intra.COMPANY.com
  nat (inside,outside) static intra.COMPANY.com-
  object network asgard
  nat (inside,outside) static www.COMPANY.net-
  object network crmws.COMPANY.com
  nat (inside,outside) static crmws.COMPANY.com-
  object network dubngwt
  nat (inside,outside) static dubngwt-
  object network COMPANYfed.com
  nat (inside,outside) static COMPANYfed.com-
  object network www1.COMPANYfed.com
  nat (inside,outside) static www1.COMPANYfed.com-
  object network www2.COMPANYfed.com
  nat (inside,outside) static www2.COMPANYfed.com-
  object network www1.COMPANY.com
  nat (inside,outside) static www1.COMPANY.com-
  object network www2.COMPANY.com
  nat (inside,outside) static www2.COMPANY.com-
  object network ColPRTG01
  nat (inside,outside) static monitor.COMPANY.com-
  object network obj_any
  nat (inside,outside) dynamic 74.XXX.XXX.131
  object network collync01
  nat (DMZ,outside) static collync01-
  object network coltmg01
  nat (DMZ,outside) static coltmg01-
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
  router eigrp 10
  no auto-summary
  eigrp router-id 172.22.1.8
  network 172.22.0.0 255.255.0.0
  route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Colo protocol radius
  aaa-server Colo (inside) host coldc02
  timeout 5
  key Bound/\Tree
  radius-common-pw Bound/\Tree
  aaa-server Colo (inside) host coldc01
  timeout 5
  key Bound/\Tree
  user-identity default-domain LOCAL
  http server enable
  http 172.22.0.0 255.255.0.0 inside
  http DublinData 255.255.0.0 inside
  http DublinData 255.255.0.0 management
  snmp-server host inside 10.1.0.59 community public
  snmp-server host inside ColPRTG01 community public
  snmp-server location Columbus, OH - Colo
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer PMISonicWALL
  crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 1 set nat-t-disable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 28800
  telnet BrentwoodData 255.0.0.0 inside
  telnet coldc02 255.255.255.255 inside
  telnet DublinData 255.255.0.0 management
  telnet timeout 5
  ssh 172.22.0.0 255.255.0.0 inside
  ssh DublinData 255.255.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 74.14.179.211 source outside prefer
  ntp server 69.64.72.238 source outside prefer
  ntp server coldc02 source inside
  ntp server 74.120.8.2 source outside prefer
  ntp server 108.61.56.35 source outside prefer
  ntp server coldc01 source inside
  webvpn
  group-policy GroupPolicy_74.XXX.XXX.130 internal
  group-policy GroupPolicy_74.XXX.XXX.130 attributes
  vpn-tunnel-protocol ikev1
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 172.22.3.4 172.22.3.31
  vpn-tunnel-protocol ikev1
  default-domain value corp.COMPANY.com
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool vpnphone-ip-pool
  authentication-server-group Colo
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  ikev1 pre-shared-key *
  tunnel-group 184.XXX.XXX.226 type ipsec-l2l
  tunnel-group 184.XXX.XXX.226 ipsec-attributes
  ikev1 pre-shared-key *
  peer-id-validate nocheck
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect tftp
    inspect http
    inspect icmp
    inspect pptp
    inspect icmp error
    inspect ip-options
  class class-default
  service-policy global_policy global
  smtp-server 172.22.5.156
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 18
    subscribe-to-alert-group configuration periodic monthly 18
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:65e78911eefb94bd98892700b143f716
  : end

  Hi,
  Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
  If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
  The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
  So I am kind of wondering what the situation has actually been.
  But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
  The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
  - Jouni

• I have denied all access to the hard drive on my i mac what can i do to be able to use it again

  I have denied all acess to the hard drive on my Imac I purchased a refurbished imac about 6  months ago and im still not really familiar with every thing as i used to use a windows computer so ill try my best to describe what i have done. On the desk top it had a hard drive icon I open it. There was a section about allowing access. There were three different ones (now Im not exactly sure but i believe it looked something like this
  System     Read and Write
                  Read only
                 Write to drop box
  User    
                  Read and Write
                  Read only
                 Write to drop box
  Shared     Read only
                 deny access
  I then changed the bottom one to deny access, the middle one to write to drop box and then the top one to write to drop box ( I quickly realized how stupid this was) It then wouldn't let me do or open anything. I ended up turning it off by pressing the button on the back of the I MAC. When I turned it back on it asked for my password which i entered, then it went to the screen with the apple in the center and the loading icon underneath and has not changed.
  What can i do so i can use it again?
  I think it was OS 9.5.? I dont really know and cant even access this info anymore

  in the folders on the left your will have your mail account and local folders.
  Anything in local folders is stored only on your local hard disk.
  * Right click the mail account. Select settings
  * Select copies and folders for your university account
  * Click archive options and select the type of structure you want the archive in. (keep existing folder structure would be important to you think)
  * in the copies and folders, change the archive folder to other and select the archive folder for local folders (the local folders account entry in the list will expand if you hover the mouse over it)
  Now some other points. ''
  * Holding shift while clicking select everything in the list between clicks. Holding Ctrl while clicking will hold the selections and allow other entries to be toggles on and off by clicking them.
  * Ctrl+A will select the entire list
  Finally''
  Pressing the A key when mail is selected archives it.

• Cannot open any ports, they are ALL stealth.

  After spending hours on end trying to open the port 25565 on my Mac and finding that it was always closed I decided to use a different port checker now if I check my ports on Shields Up! 'https://www.grc.com/x/ne.dll?bh0bkyd2' it says ALL ports are stealth no matter which I try. How can I 'un-stealth' the port 25565 and open it. On my router's homepage (BTHOMEHUB3 (A)) it says I have set up the port correctly and that it has been applied. Any help would be greatly apprieciated.

  I assume you're trying to get a process to listen on that port. If so, deactivate the built-in firewall and any third-party firewall you may have installed. If your router has a firewall, deactivate that too.

• Opening Firewall Port 5353 solves problems?!

  I found this by Google:
  If you have tried to operate AirTunes with an Airport Express on a Windows XP PC with the firewall (or a third-party firewall) enabled, then you will realise you have problems.
  Rather than disable the firewall, you can just open port 5353 and all will work fine.
  Having said that if you have router with NAT and DHCP this acts as a hardware firewall and computers on your internal network do not need software firewalls. Though some people like them for security and to stop unauthorised (ie spyware) outgoing connections.

  I thought I recognised my own writing...
  Opening port 5353 in the Windows XP Firewall to enable an XP PC with SP1 to configure the Airport Express and use AirTunes
  http://www.ifelix.co.uk/tech/2005.html
  Principles are virtually the same for XP SP2
  "Well Known" TCP and UDP Ports Used By Apple Software Products
  http://docs.info.apple.com/article.html?artnum=106439

• How to pull all Access Rules details from CSM

  Currently we having around 10 Firewalls managed by CSM, and we looking for solution to pull all Firewalls Access Rules into one file by automatically, so giving possibility to compare what rules have changed on every week and make it document to excel file ... is that possible?

  Hi,
  You can create procedure to move file from application server to oracle server.
  Code for list all files in directory
  ops$tkyte@8i> GRANT JAVAUSERPRIV to ops$tkyte
    2  /
  Grant succeeded.
  That grant must be given to the owner of the procedure..  Allows them to read
  directories.
  ops$tkyte@8i> create global temporary table DIR_LIST
    2  ( filename varchar2(255) )
    3  on commit delete rows
    4  /
  Table created.
  ops$tkyte@8i> create or replace
    2     and compile java source named "DirList"
    3  as
    4  import java.io.*;
    5  import java.sql.*;
    6 
    7  public class DirList
    8  {
    9  public static void getList(String directory)
  10                     throws SQLException
  11  {
  12      File path = new File( directory );
  13      String[] list = path.list();
  14      String element;
  15 
  16      for(int i = 0; i < list.length; i++)
  17      {
  18          element = list;
  19 #sql { INSERT INTO DIR_LIST (FILENAME)
  20 VALUES (:element) };
  21 }
  22 }
  23
  24 }
  25 /
  Java created.
  ops$tkyte@8i>
  ops$tkyte@8i> create or replace
  2 procedure get_dir_list( p_directory in varchar2 )
  3 as language java
  4 name 'DirList.getList( java.lang.String )';
  5 /
  Procedure created.
  ops$tkyte@8i>
  ops$tkyte@8i> exec get_dir_list( '/tmp' );
  PL/SQL procedure successfully completed.
  ops$tkyte@8i> select * from dir_list where rownum < 5;
  FILENAME
  data.dat
  .rpc_door
  .pcmcia
  ps_data
  http://asktom.oracle.com/pls/asktom/f?p=100:11:3597961203953876::::P11_QUESTION_ID:439619916584

• Opening Firewall Ports for BitTorrent

  I just got a shiny new Mac and installed the regular no-frills BitTorrent client. It downloads, but never at more than 1 KB/s. So I Googled around a bit and found instructions on how to open ports 6681-6999 on the firewall. I followed the instructions, and I do believe those ports are open, at least according to the System Preferences--rebooted and everything. But it has no effect on BitTorrent--it still says "Online, maybe firewalled" in the lower right corner and won't go above 1 KB/s.
  I have an ethernet router, but it always worked fine with BitTorrent on my Windows computer, so I sincerely hope that is not the problem. (The only reason it's there is to give the long ethernet cable something to plug into, as the apartment came with a ridiculously short ethernet cable sticking out of the wall.)
  Does anyone know what I can do to get BitTorrent working?
  Thanks

  The first 3 numbers were the same as the router and the last number was unique. When I let it set its own IP address, it is 3, and I figure the other computer I have, which is not currently on or plugged in to anything, is probably 2.
  The changes I made in the router settings don't seem to have stuck. A friend recommended I use Azureus instead of the basic BitTorrent client, and it keeps telling me "UPnP: Lost connection to service WANIPConnection on UPnP device '192.168.11.1'" and ditto WANPPPConnection. Eventually, though, it stopped complaining about being firewalled. So far it hasn't picked up much speed, but I'm hoping that's just the usual phenomenon of my upload speed being slow as I have nothing to upload yet.
  Also, when I later tried to log in to the router without changing the IP address, it worked. (So the problem where it wouldn't let me log in unless I used the same IP address as before solved itself.)
  I think my problem may be solved, but I'm gonna give it a while to make sure.

• Inactive firewall access rule can still work?

  Hi all,
  I have a asa firewall which has a inactive access rule whose enabled checkbox is not checked. However it seem that this access rule can still work.
  Hence i would like to know what is the difference in having the access rule's enabled checkbox check or uncheck. Pls advise, thks in advance.

  I'm assuming by rule you mean an inactive access-list entry?  If so, did you try clearing the translations (clear xlate) after disabling it?
  Try running packet-tracer to determine if that is the rule that the traffic is hitting.

• Connection to port 80 denied

  On opening Firefox (Mac user, Snow Leopard), Google.com is set as my home page, a pop-up was displayed requesting permission to allow / deny an outgoing connection. As this pop-up is not normally displayed I selected "Deny".
  Now, for all regular web page connections a pop-up message is displayed "Firefox Connection to Port 80 Denied" - all web pages appear blocked, except for access to Mozilla.
  I have attempted to problem solve this issue but cannot locate relevant settings for Port 80 web access in Mac Preferences, Firefox, not in Intego VirusBarrier X6 which I use for firewall and anti-virus protection.
  Safari and IE are completely unaffected by this problem.
  Thanks in advance for your assistance.
  Update : this problem is not present when using Firefox in other User accounts.

  Hi 330D-
  Unfortunately it is much easier to block this port than it is to reverse it- as it's buried in the system preferences of your Mac. I've linked two articles below that detail how to un-do this. HTTP requires Port 80 to function, which is why you're experiencing issues now.
  You might consider removing your current version of Firefox and updating to the most recent version. This would be much easier than mucking around with ports, although I can't guarantee it will work [since I've never tried it] The newest version is found here: [http://www.mozilla.org/en-US/firefox/new/ http://www.mozilla.org/en-US/firefox/new/] http://www.mozilla.org/en-US/firefox/new/
  Good luck!
  http://homepage.mac.com/car1son/change_apache_port.html
  http://www.macobserver.com/tip/2007/02/21.1.shtml

• DNS for internal network and Firewall ports?

  Hello,
  I don't know were to begin, so I guess I'll start with my setup.
  I have Mac OS X server 10.5.7 running DNS, Firewall, Mail, iChat, RADIUS, VPN, SMB. Behind an Airport Base Station in DMZ.
  My DSN setup is just for the server and local clients. I'm also setup to forward my ISP DNS.
  My question is do I need to open any ports in the firewall. I currently have my local subnet 172.16.4.x to allow all. The "Any" subnet to allow DNS outbound. Is this correct or am I creating a security risk?
  I dont want the public to be able to use my DNS server. (I would like to ONLY allow my local network, and VPN users.)
  Thanks!
  Message was edited by: Robert LaRocca

  I always recommend going with a hardware device (including the base station) over IPFW when running a server.
  The main reason is that when you're running behind a NAT device (such as the AirPort Base Station), ALL incoming traffic is blocked unless you specifically enabled it via port forwarding. A positive security model.
  In contrast, Mac OS X Server will open firewall ports based on the services you're running, without regard to whether that service should be publicly accessible or not.
  You then have to go through the motions of securing each service to either block external traffic at the service level (e.g. by telling the application what addresses it can listen to), or at the network level (by configuring the firewall to block external access). This is a bad security model since each service is public by default and you have to go out of your way to secure it.
  Also bear in mind that you might not think this is a problem today since you can just configure IPFW and be done, but what about next week? or next month? or next year when you add another service. Will you remember to reconfigure the firewall to secure it then?

• Internal error: Unable to find the access rule.

  I have a Cisco ASA 5550 and using ASDM 6.2.
  Opening the ASDM, in Firewall Dashboard, in Top 10 Access Rules, show the second rule with more hit: "interface X | source: any | Dest: any | Service: ip | Action: Permit.
  During the day, the hits increase and decrease.
  Well, the problem: That rule there isn't.
  When I click with the right mouse button and click on show rule, a message is displayed:
  "Internal error: Unable to find the access rule."
  I can't find the rule in Configuration Mode and in Console Mode.
  Well, the rule there isn't.
  What can I do for this rule disappears from the Top 10 Dashboard?

  I suggest opening a case with Cisco TAC.  This could be an issue with the device itself.
  Please remember to select a correct answer and rate helpful posts

• WPD Devices: Deny read access user policy

  Hi All,
  I have configured the following settings on my main group policy (user policy) and it has linked to my domain. 
  All Removable Storage classes: Deny all access Enabled  
  WPD Devices: Deny read access Enabled  
  WPD Devices: Deny write access Enabled 
  and in one of my sub ou GPO I have configured as "WPD Devices: Deny read access Enabled" (computer policy). when I checked with one user I found found that this user can access USB. there is no other configuration I made on this OU. as per above
  domain policy I have disabled All Removable Storage classes (mentioned above). then how it comes open ?. I just tried one more thing that is when I change WPD Devices: Deny read access in sub OU as Not-configured then USB will be denied. 
  I coudnt find any referrals in online regarding this.. can anyone suggest why it is happening ??

  Hi,
  >>as per above domain policy I have disabled All Removable Storage classes (mentioned above). then how it comes open ?.
  Before going further, what's the operating system we are using? Based on the description, this seems a litter bit odd. Here, had we run
  gpupdate/force to immediately update the policy setting? Besides, we can follow the procedure below to further collect group policy result to check how policy settings were applied.
  1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console.
  2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select
  the proper user in the wizard)
  3. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
  >>in one of my sub ou GPO I have configured as "WPD Devices: Deny read access Enabled" (computer policy).
  If we try to enable the setting back, will the user still be able to access USB?
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• 1605 R - how to open a port

  I need to open a port for remote database access, and have no documentation or schematic for how this was set up by a volunteer ages ago. I have found some Cisco docs on how to get in to configure, but nothing on the process for opening a port. any advice appreciated!

  I haven't gotten in to get that information off it yet...there is no browser interface, so I have to connect directly. We have the Cisco 1605 R in front of a Linksys switch. It is not in default setup, it was configured at install...I know this port is not open, because we pinged it from outside.
  We deal with a lot of confidential client information, so we are locked down tight. I want to open up this port for remote database access. And as I said, this was set up so long ago there is no documentation. But once I get in I will post the config if I can do that without compromising our data.
  I'm not even sure I can get past whatever passwords are on there to get the config off it...we may have to contact the volunteer to try to find out how it is set up. I was just hoping someone could point me towards a procedure for setup once I am in there, but maybe it will be apparent in the interface.

• Firewall Access Rules do not work on One to One NAT (RV042G Router)

  I have two unique IP addresses, two servers, and one RV042G router. 
  What I would like to do is have each IP address go to it's own respective server. To do that, I've set the settings on One-to-One NAT to make this happen. Now IP address 1 points to server A and IP address 2 points to server B.
  However, I only want port 80 to be open to each server. I've tried setting the Firewall access rules to accommodate this but it doesn't appear to block anything. All ports on the servers are exposed despite the firewall rules.
  Here's what I have in the router configuration:
  Under One-to-One NAT:
  {internal IP address 1} => {external IP address 1}
  {internal IP address 2} => {external IP address 2}
  Under Firewall Access Rules:
  Action | Service | Source Interface | Source | Destination | Time
  Allow | HTTP Secondary 80 | WAN1 | Any | {internal IP address 1} | Always
  Deny | All Traffic | WAN1 | Any | Any | Always
  Is there a proper way to accomplish what I want?

  Thanks for replying. 
  Turns out I had to add new access rules to specifically deny all traffic to the internal addresses, in addition to the rule allowing the specified ports through.
  So, with the IP addresses still defined the same way in the One-to-One NAT section, I now have the following rules defined in the firewall section:
  Under Firewall Access Rules:
  Priority | Action | Service | Source Interface | Source | Destination | Time
  [1] | Allow | HTTP Secondary 80 | ANY | Any | {internal IP address 1} | Always
  [2] Deny | All Traffic | WAN1 | Any | { internal IP address 1 } | Always <== the new one I ended up adding
  (default) | Deny | All Traffic | WAN1 | Any | Any | Always <== built in default rule in router
  I originally did not add the second rule because I had assumed that the default deny rule would block all traffic to all internal IP addresses anyway. Perhaps someone can correct me if I'm wrong but I am now assuming that the default deny rule applies to the router only and not to any other defined One-to-One NAT entries. In which case, I had to add another rule that duplicates the default deny rule but for each 1:1 NAT entry.
  If this was already in the manual, I probably missed it so that would be my own mistake. Still, I wish this was more apparent in the web GUI as it didn't really specify that I had to do this.
  In any case, I hope my solution helps anyone else in the future having this similar issue.

• Does configuring an endpoint opens a port in the guest VM firewall?

  Hi there. I found out that if I want to access a specific port in a VM (Java RMI in my case), I have to configure an endpoint for this port. However, I was surprised that configuring an endpoint was enough to access the port. I didn't change the firewall
  rules in the guest for this port and it was immediately accessible from outside Microsoft Azure.
  Does configuring an endpoint opens a port in the guest VM firewall?

  Hi,
  According to the official article below, it indicates that "Firewall configuration is done automatically for ports associated with Remote Desktop and Secure Shell (SSH), and in most cases for Windows PowerShell Remoting. For ports specified for
  all other endpoints, no configuration is done automatically to the firewall in the guest operating system. When you create an endpoint, you'll need to configure the appropriate ports in the firewall to allow the traffic you intend to route through the endpoint."
  How to Set Up Endpoints to a Virtual Machine
  Best regards,
  Susie