Passing Public IPs through multiple ASA's (Part 2) - Continued
This is the continuation of an issue posted at: https://supportforums.cisco.com/discussion/12463791/passing-public-ips-through-multiple-asas-part-1
Here is a Show Run from the 5510 (heavily filtered)
names
name 10.40.0.0 MCST-FW-Net
name 70.x.x.179 Masked_FW_Outside
name 70.x.x.185 Dummy description Placeholder for 182
name 10.40.128.25 EMAIL
name 10.40.0.4 OpenVPN
name 68.x.x.176 NEW_WAN
name 10.39.0.2 CORE-ASA
name 70.x.x.224 PublicIPs
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 68.x.x.178 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.40.0.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa825-13-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name MASKED
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP-Services tcp
port-object eq 10101
port-object eq 123
port-object range 15000 19999
port-object eq 2000
port-object eq 2195
port-object eq 2196
port-object eq 5038
port-object eq 5061
port-object eq 5228
port-object eq 5229
port-object eq 5230
port-object eq 5432
port-object eq h323
port-object eq www
port-object eq https
port-object eq kerberos
port-object eq ldap
port-object eq ldaps
port-object eq sip
port-object eq smtp
port-object eq ssh
port-object eq citrix-ica
port-object eq 943
port-object eq pptp
port-object eq imap4
object-group service UDP-Services udp
port-object eq 1718
port-object eq 1719
port-object eq 2727
port-object eq 3478
port-object eq 4500
port-object eq 4520
port-object eq 4569
port-object eq 5000
port-object range 50000 54999
port-object range 60000 61799
port-object eq 88
port-object eq domain
port-object eq sip
port-object eq syslog
port-object eq ntp
port-object eq 1194
port-object eq 8888
object-group protocol VPN-Traffic
protocol-object esp
protocol-object ah
object-group service TCP-Services-Inbound
service-object esp
service-object tcp eq 5228
service-object tcp eq 5229
service-object tcp eq 5230
service-object tcp eq 5432
service-object tcp eq ssh
object-group service UDP-Services-Inbound udp
port-object eq 4500
port-object eq domain
port-object eq isakmp
object-group network test
network-object 10.40.0.2 255.255.255.255
object-group service DM_INLINE_UDP_2 udp
port-object eq 4500
port-object eq isakmp
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
object-group service DM_INLINE_TCP_2 tcp
group-object Samsung_TCP_Ports
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object MCST-FW-Net 255.255.0.0
network-object 70.x.x.160 255.255.255.224
object-group service DM_INLINE_SERVICE_1
service-object tcp eq 1701
service-object udp eq 4500
service-object udp eq isakmp
service-object udp eq ntp
service-object tcp eq www
object-group service DM_INLINE_SERVICE_2
service-object tcp eq https
service-object udp eq 1194
service-object udp eq 8080
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group network publicips
access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any
access-list inside_access_in extended permit ip host 70.x.x.225 any
access-list inside_access_in extended permit ip host 70.x.x.236 any
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group UDP-Services log
access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group TCP-Services log
access-list inside_access_in extended permit esp MCST-FW-Net 255.255.0.0 any log
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_UDP_2 log
access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_TCP_2 log
access-list inside_access_in extended permit icmp MCST-FW-Net 255.255.0.0 any log
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq 873 inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host OpenVPN any
access-list inside_access_in extended permit udp host 70.x.x.182 any eq 1194
access-list inside_access_in extended permit tcp host 70.x.x.182 any eq ssh
access-list inside_access_in extended permit ip host 70.x.x.231 any log
access-list inside_access_in extended permit ip host 70.x.x.232 any
access-list inside_access_in extended permit ip host 70.x.x.233 any log
access-list inside_access_in extended permit ip NEW_WAN 255.255.255.248 interface inside inactive
access-list inside_access_in extended deny ip any any log
access-list inside extended permit tcp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group TCP-Services
access-list inside extended permit udp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group UDP-Services
access-list outside extended permit udp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group UDP-Services
access-list outside extended permit tcp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group TCP-Services
access-list outside_access_in remark STEALTH RULE
access-list outside_access_in extended deny ip any host Masked_FW_Outside log
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit ip any host 70.x.x.225
access-list outside_access_in extended permit ip any host 70.x.x.231 log
access-list outside_access_in extended permit ip any host 70.x.x.232
access-list outside_access_in extended permit ip any host 70.x.x.233 log
access-list outside_access_in extended permit ip any host 70.x.x.236 log
access-list outside_access_in extended permit esp any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any 70.x.x.160 255.255.255.224
access-list outside_access_in extended permit udp any host 70.x.x.182 eq 1194
access-list outside_access_in extended permit tcp any host 70.x.x.182 eq ssh
access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any host 10.40.0.33 inactive
access-list outside_access_in extended permit tcp any 70.x.x.160 255.255.255.224 object-group TCP-Services inactive
access-list outside_access_in extended permit udp any 70.x.x.160 255.255.255.224 object-group UDP-Services inactive
access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
access-list outside_access_in extended deny ip any any log
access-list Mobility_Infrastructure_access_in remark Ping Test
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit esp any object-group DM_INLINE_NETWORK_1 log
access-list inside_access_out extended permit icmp any any
access-list Inside2_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside2_access_in extended permit ip any 10.39.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor informational
logging buffered debugging
logging trap informational
logging history critical
logging asdm warnings
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 70.x.x.182 10.40.0.7 netmask 255.255.255.255
static (inside,outside) 70.x.x.180 10.40.0.2 netmask 255.255.255.255
static (inside,outside) 70.x.x.181 10.40.0.17 netmask 255.255.255.255
static (outside,inside) 10.40.0.7 70.x.x.182 netmask 255.255.255.255
static (outside,inside) 10.40.0.2 70.x.x.180 netmask 255.255.255.255
static (outside,inside) 10.40.0.17 70.x.x.181 netmask 255.255.255.255
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 68.101.41.177 1
route inside 10.40.64.0 255.255.192.0 10.40.0.17 1
route inside 10.40.128.0 255.255.192.0 10.40.0.17 1
route inside 10.50.0.0 255.255.255.0 10.40.0.21 1
route inside 10.50.0.11 255.255.255.255 10.40.0.21 1
route inside 10.50.112.0 255.255.255.0 10.40.0.21 1
route inside 10.60.0.233 255.255.255.255 10.40.0.21 1
route inside PublicIPs 255.255.255.224 10.40.0.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 10
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 30
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
service-type nas-prompt
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd962a8c0dd6b27b5b024778602f8b60
: end
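As an added example (not code from the thread), a small Python audit of the 8.2-style config above: it parses the name, access-list, access-group, static and route lines, reports for every static NAT entry (and for the port-level static PAT form used in the later posts) which inbound ACL entry on the mapped interface matches it first under the ASA's first-match / implicit-deny rules, and flags an inside route for a public block that is wider than the identity static publishing it (the 5510 routes PublicIPs as a /27 but translates it as a /28). The sample config is a constructed excerpt with the masked 70.x.x.x addresses replaced by the 203.0.113.0/24 documentation range; object-group members are not expanded.

```python
"""Does the inbound ACL on the mapped interface let traffic reach each static NAT / static PAT
entry (ASA first-match semantics, implicit deny), and is an inside route for a public block
wider than the identity static that publishes it?  Added example, not from the thread."""
import ipaddress
import re

# Constructed excerpt modelled on the 5510 show run above; the masked 70.x.x.x addresses
# are replaced by the 203.0.113.0/24 documentation range.
SAMPLE_CONFIG = """\
name 203.0.113.224 PublicIPs
name 203.0.113.179 Masked_FW_Outside
access-list outside_access_in remark STEALTH RULE
access-list outside_access_in extended deny ip any host Masked_FW_Outside log
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit udp any host 203.0.113.182 eq 1194
access-list outside_access_in extended permit tcp any host 203.0.113.182 eq ssh
access-list outside_access_in extended permit tcp any 203.0.113.160 255.255.255.224 eq 3389 inactive
access-list outside_access_in extended deny ip any any log
static (inside,outside) 203.0.113.182 10.40.0.7 netmask 255.255.255.255
static (inside,outside) 203.0.113.180 10.40.0.2 netmask 255.255.255.255
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
static (inside,outside) tcp 203.0.113.227 80 10.40.0.20 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.179 3389 10.40.0.30 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside PublicIPs 255.255.255.224 10.40.0.21 1
"""
PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}

def parse_names(cfg):
    """'name <ip> <alias>' entries, so aliases resolve in ACL, static and route lines."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}

def _net(addr, mask, names):
    return ipaddress.ip_network((names.get(addr, addr), mask), strict=False)

def _port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def _addr(t, i, names):
    """One ACL address spec at t[i]: any | host X | X MASK | object-group G."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1], "255.255.255.255", names), i + 2
    if t[i] == "object-group":
        return None, i + 2  # group members are not expanded in this example
    return _net(t[i], t[i + 1], names), i + 2

def parse_acl(cfg, acl_name, names):
    """Ordered (action, proto, dst_net, dst_port) entries; remarks and inactive lines skipped."""
    entries = []
    for m in re.finditer(rf"^access-list {re.escape(acl_name)} extended (.+)$", cfg, re.M):
        t = m.group(1).split()
        if "inactive" in t:
            continue
        proto, i = ("group", 3) if t[1] == "object-group" else (t[1], 2)
        _, i = _addr(t, i, names)  # the source address does not affect reachability here
        dst, i = _addr(t, i, names)
        port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((t[0], proto, dst, port))
    return entries

def parse_statics(cfg, names):
    """(mapped_iface, mapped_net, proto, port) per static; proto/port only for static PAT."""
    out = []
    for m in re.finditer(r"^static \(\w+,(\w+)\) (.+)$", cfg, re.M):
        mapped_if, t = m.group(1), m.group(2).split()
        proto = port = None
        if t[0] in ("tcp", "udp"):  # static (in,out) tcp <global> <gport> <local> <lport> ...
            proto, mapped, port = t[0], t[1], _port(t[2])
        else:
            mapped = t[0]
        out.append((mapped_if, _net(mapped, t[t.index("netmask") + 1], names), proto, port))
    return out

def _matches(entry, net, proto, port):
    _, e_proto, e_dst, e_port = entry
    if e_dst is None or not net.subnet_of(e_dst):
        return False
    if proto and e_proto not in ("ip", "group", proto):
        return False
    return not (port and e_port and e_port != port)

def audit_statics(cfg):
    """First-match inbound-ACL verdict per static ('permit'/'deny'; no match is the implicit deny)."""
    names = parse_names(cfg)
    acl_of = {i: a for a, i in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M)}
    verdicts = {}
    for iface, net, proto, port in parse_statics(cfg, names):
        entries = parse_acl(cfg, acl_of.get(iface, ""), names)
        key = net.with_prefixlen if proto is None else f"{net.network_address}:{proto}/{port}"
        verdicts[key] = next((e[0] for e in entries if _matches(e, net, proto, port)), "deny")
    return verdicts

def route_wider_than_static(cfg):
    """{route_net: [ranges routed but not covered by a whole-block static inside that route]}."""
    names = parse_names(cfg)
    statics = [s[1] for s in parse_statics(cfg, names) if s[2] is None]
    gaps = {}
    for m in re.finditer(r"^route \S+ (\S+) (\S+) \S+", cfg, re.M):
        rnet = _net(m.group(1), m.group(2), names)
        for snet in statics:
            if rnet.prefixlen and snet != rnet and snet.subnet_of(rnet):
                gaps[rnet.with_prefixlen] = [n.with_prefixlen for n in rnet.address_exclude(snet)]
    return gaps
```

Verdict keys are the mapped network for whole-host statics and ip:proto/port for static PAT; a static PAT on the firewall's own stealth-ruled address shows up as "deny" because the deny entry matches first.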
Similar Messages
-
Multiple Public IP's on ASA 5520
Hi,
I have ASA 5520 with Ver 8.2.
The outside interface is directly connected to the ISP's router (TelePacific) and is assigned one of our public IPs: 198.24.210.226.
There are two servers inside the network with private IPs: 192.168.1.20 for the DB Server and 192.168.1.91 for the Web Server.
I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91.
When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
I checked the inside traffic, it even did not get into the firewall.
Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(198.24.210.226)?
interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address 198.24.210.226 255.255.255.248
security-level 0
no shutdown
route outside 0.0.0.0 0.0.0.0 198.24.210.225
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 198.24.210.226 255.255.255.255
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80 192.168.1.20 80 netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-group OUTSIDE-IN in interface outside
Also,
You seem to have a /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I don't think you need any specific configuration to allow the usage of the whole subnet as NAT IP addresses.
You can naturally check the following
show run sysopt
Check that you DON'T have the following
sysopt noproxyarp outside
At the moment you are not actually configuring Static NAT but rather Static PAT.
You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be statically binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
Though in that case you would have to replace the .226 IP address with something else, as it's the firewall interface IP address and it usually should not be assigned to a single host on the LAN.
If you wanted to statically assign public IPs to both of these servers you could do
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
- Jouni -
Map SMTP port on multiple Public IPs to single private IP.
Hello,
We have a need to map SMTP on multiple external public IPs to a single internal IP. We need https, www, and pop3 for the external IP to go to one internal host, and smtp to go to a different internal host.
What we'd like to do:
static (inside,outside) tcp <ip1>.39 80 10.1.1.63 http
static (inside,outside) tcp <ip1>.39 pop3 10.1.1.63 pop3
static (inside,outside) tcp <ip1>.39 https 10.1.1.63 https
static (inside,outside) tcp <ip1>.39 smtp 10.1.1.41 smtp
static (inside,outside) tcp <ip2>.40 80 10.1.1.64 http
static (inside,outside) tcp <ip2>.40 pop3 10.1.1.64 pop3
static (inside,outside) tcp <ip2>.40 https 10.1.1.64 https
static (inside,outside) tcp <ip2>.40 smtp 10.1.1.41 smtp
But the PIX cries about overlapping NAT statements.
We need this because we're an IT outsourcing company and we typically manage our customer's DNS zones. Of course, in every bunch there's an exception and one customer has their DNS hosted elsewhere. We changed the necessary DNS on our side for our customers when we made a mail change (which is close to 100 customers), but when we did this it broke this one-of customer. The DNS hoster for the customer is a little one-man shop and the guy is out of the office for two weeks. What a mess. For some reason their DNS is not using our MX record, so it broke when we made our upgrade.
Is there any way we can accomplish anything similar to what we're trying to do? This is a PIX 515E with 7.0(6). Thanks.
Ok, we found a work-around that will be fine for now. We added a 2nd IP to the 10.1.1.41 server and just the .39 server to that. So we're only using 1 server for the time being, but that's ok.
-
Use multiple public IPs addresses
Hello there!
In my environment, I have four public IPs, and I have a TMG Firewall working.
When I publish servers through TMG using one of my IP addresses, it works.
But when I use any of the others, it doesn't work.
I'm new to TMG Server, so I want to know if there is some setting I need to change to use the other public IP addresses to publish servers through TMG.
Thanks in advance.
Lucas Gustavo
Hi,
You don't need any additional configuration apart from creating a Server Publishing Rule or (Secure) Web Publishing Rule. Can you be a bit more specific? Some questions:
- Does your TMG have one or two network interfaces?
- Have you configured all four IP Addresses manually on the interface with the same subnet mask?
- What are you trying to publish
- When you create a Server-/Web Publishing Rule, do you select a specific IP Address or All IP Addresses?
Boudewijn
Boudewijn Plomp, BPMi Infrastructure & Security
-
Trying to pass internet with a Cisco ASA 5505
Hello,
I have not been having much success configuring my 5505 for Internet access, and I'm sure there are a few small things I'm missing. At times I believe I got it to the point where I could ping, but still not pass through the Internet traffic. At this point, I reset the 5505 and only changed a couple of settings.
I have an external range with these characteristics: Network Address 67.139.113.16 (.17 is Gateway), SM: 255.255.255.248, available IP: 67.139.113.218
The external connection is through a T1 modem, and when I put those settings in my laptop, I can access just fine.
When I went through the startup wizard in the ASDM, I made the internal interface 10.209.0.3, subnet mask 255.255.255.0.
I selected PAT in the Wizard, but don't know if I should have, or if the NAT rules I tried to put in are fine.
Eventually I want to add a Site to Site VPN to the rest of the 10.0.0.0 network, but I can't even pass the Internet through to the inside.
Also, this will eventually be behind another hosted firewall, so I'm not worried about restricting access, even currently.
However, I suspect the problem is that traffic is being blocked with the NAT rules or Access rules.
I wish I could just disable those inherent deny rules
Outside of pings to 10.209.0.3, all pings come back as request timed out.
Can someone please review this, and see if they notice anything I can change?
I do appreciate it....
Config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 67.139.113.218 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 Local 255.255.255.0 any time-range Indefinite
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 dns tcp 255 255 udp 255
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d3c4872f997a93984332213f98fbe12b
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm history enable
Unfortunately that didn't work....
The new config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 67.139.113.218 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:64bbf533cf1bd591e797c053ea9e107a
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm history enable
I am getting some more encouraging messages in the Syslog, but I still cannot ping 8.8.8.8 or the outside interface.
5  Aug 29 2008 01:42:55  8.8.4.4 53  Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src inside:10.209.0.6/64477 dst inside:8.8.4.4/53 denied due to NAT reverse path failure
6  Aug 29 2008 01:42:54  10.209.0.6 1686  SSL session with client inside:10.209.0.6/1686 terminated.
6  Aug 29 2008 01:42:54  10.209.0.6 1686  10.209.0.3 443  Deny TCP (no connection) from 10.209.0.6/1686 to 10.209.0.3/443 flags FIN ACK on interface inside
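Three config-lint checks for the symptoms in this 5505 thread, as an added example that is not code from the thread: a static route whose next hop does not sit on the subnet of the interface the route names (the default route here says "inside" but its gateway lives on the outside /29), two interfaces sharing a security level (inside and outside both at 0), and a global pool ID that no nat rule references (nat ID 0 is exemption, so "nat (inside) 0" plus "global (outside) 1" leaves inside hosts untranslated, which is what the NAT reverse path failure syslog reflects). The sample is a constructed excerpt of the poster's first config using the same addresses.

```python
"""Route / security-level / NAT-ID sanity checks for an ASA 8.2-style config.
Added example, not from the thread; SAMPLE_CONFIG is a constructed excerpt of the
first 5505 config posted above, flattened the way the page shows it."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 67.139.113.218 255.255.255.248
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
"""

def parse_interfaces(cfg):
    """{nameif: (security_level, IPv4Interface)} from the flattened interface stanzas."""
    result, cur = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}                       # start a new stanza
        elif cur is None:
            continue                       # not inside an interface stanza
        elif t[0] == "nameif":
            cur["name"] = t[1]
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        if cur is not None and {"name", "level", "net"} <= cur.keys():
            result[cur["name"]] = (cur["level"], cur["net"])
            cur = None
    return result

def misrouted_next_hops(cfg):
    """Routes whose next hop is not on the named interface's subnet, as
    (destination, named_iface, next_hop, interface_that_actually_holds_the_next_hop_or_None)."""
    ifaces = parse_interfaces(cfg)
    bad = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        iface, dst, mask, nh = m.groups()
        hop = ipaddress.ip_address(nh)
        if iface in ifaces and hop in ifaces[iface][1].network:
            continue
        owner = next((n for n, (_, i) in ifaces.items() if hop in i.network), None)
        dest = ipaddress.ip_network((dst, mask), strict=False).with_prefixlen
        bad.append((dest, iface, nh, owner))
    return bad

def security_level_clashes(cfg):
    """Interface pairs that share a security level; inside at 0 beside outside at 0 means
    the inside network is trusted no more than the Internet."""
    ifs = sorted(parse_interfaces(cfg).items())
    return [(a, b, la) for k, (a, (la, _)) in enumerate(ifs)
            for b, (lb, _) in ifs[k + 1:] if la == lb]

def orphan_globals(cfg):
    """Global pool IDs that no 'nat (...) <id>' rule references (nat ID 0 is exemption)."""
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+)", cfg, re.M))
    globals_ = set(re.findall(r"^global \(\S+\) (\d+)", cfg, re.M))
    return sorted(int(g) for g in globals_ - nat_ids)
```

The poster's second config changes the nat line to ID 1, which clears the orphan-global finding but leaves the misrouted default route in place.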
Hi,
We have a Cisco 2851 router and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have public IP addresses available. If I configure the VPN on the firewall we need to configure the firewall's local IP address to a public IP address. So how do we configure the firewall local IP to a public IP? Where should we configure it, on the router or on the firewall? Please see my firewall and router configuration...
Please help.
The ASA would typically be where you set up your public IP address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).
However on the config you attached your outside interface has a private (RFC 1918) address:
interface Ethernet0/3
speed 100
duplex full
nameif Outside
security-level 0
ip address 192.168.255.2 255.255.255.252
Plus, it being a /30 only gives you two addresses: one for the ASA and one for the router's Gi0/0 (per that config, which you also attached). This is a bit of an odd setup, but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".
It's really a bit of a mess, and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup. -
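An added example, not from the thread or the poster's attached configs, of the "more typical setup" the reply recommends: the public block lands on the router's LAN-side interface and the ASA's outside interface carries a public address, so the VPN can terminate directly on the ASA and no static route toward a private /30 is needed. The addresses (203.0.113.0/29 as the public block, 192.168.10.0/24 inside), the interface names and the two ASA syntax variants are constructed assumptions; the poster's real addresses are masked in the thread.

```cisco
! Added example, not from the thread. Documentation addresses throughout:
! 203.0.113.0/29 is the public block, 192.168.10.0/24 is the inside LAN.
!
! --- Router 2851: put the public /29 on the LAN-side interface.
!     The /29 is then a connected route; no "ip route ... 192.168.255.2" hack.
interface GigabitEthernet0/0
 description LAN side, toward ASA Outside
 ip address 203.0.113.1 255.255.255.248
!
! --- ASA, pre-8.3 syntax (same "global (Outside) 1" form quoted in the reply)
interface Ethernet0/3
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Inside hosts leave through 203.0.113.3 (dynamic PAT).
! 203.0.113.2, the ASA's own outside address, is what the VPN peers talk to,
! so it needs no NAT statement at all.
nat (inside) 1 192.168.10.0 255.255.255.0
global (Outside) 1 203.0.113.3 netmask 255.255.255.255
!
! --- Same PAT on ASA 8.3 and later, where object NAT replaces nat/global
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,Outside) dynamic 203.0.113.3
```

With the /29 directly on the router, 203.0.113.4 through .6 remain free for static NAT to published servers later, and a remote-access or site-to-site VPN is configured against 203.0.113.2 on the ASA without touching the router. Check the result with "show route" and "show xlate" on the ASA (or "show nat" on 8.3+) after an inside host browses out.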
Edit table data through multiple forms
Hi everyone,
I have a report page with records from a table. I want to edit the records through multiple forms: one form holds half of the columns to edit, another form holds the rest.
I'm not sure how to create the connections between the pages with the forms and the report page with the record to edit.
Any help would be greatly appreciated!
Thank you!
Ways you could go about this:
1. Manually create the items on each page, then on the final page have your own process with the code: insert into <table> (col1, col2, col3, col4, col5) values (:p1_item, :p1_item2, :p1_item3, :p2_item1, :p2_item2);
2. Have a DML process on each page, only with the columns you want to insert. Of course, the items on the pages after the first form page would have to be nullable (which isn't really a good idea imo, unless of course it follows the business rules), otherwise you wouldn't be able to do the initial insert on the first form page. Then after create, have a branch to the next form page, passing in the primary key to the next page, so it's just updating the row when you hit apply changes.
3. APEX_COLLECTION?
Trent -
Photoshop Mask Layer, see through multiple layers.
Dear All -
I am a new learner to Photoshop and working on Layers and Layer Mask to obtain see through multiple Layers effect.
Below is the description of my problem that I am looking forward towards resolution in this forum. I will be glad if some expert can guide me on this.
I have three layers of different colors as below.
Layer 1 (topmost layer) with Red color filled rectangle.
Layer 2(below Layer 1) with Green color filled rectangle.
Layer 3(bottom most layer, below Layer 2) with Blue color filled rectangle.
When I erase something with the brush on Layer 1 using a mask on Layer 1, it hollows the erased part and starts showing the Green color of Layer 2 in the hollow section of Layer 1.
What I want to achieve is that, when I erase Layer 1 using a layer mask, it should hollow Layer 1 as well as Layer 2 and should show Blue color in the hollow section of Layer 1.
i.e. the hollow section made on Layer 1 (using the Layer Mask on Layer 1) should also be applied on Layer 2, so that Layer 1 and Layer 2 become hollow using the eraser and I can see through Layer 1 and Layer 2, and the Blue color of Layer 3 is visible through the hollow section.
Though I can do this by flattening Layer 1 and Layer 2 together so that they form one single image, and then when I hollow this flattened image using a Layer Mask it will show me Blue color, I do not want to do this, as I would lose the flexibility to unhollow/recover the hollow region on both Layer 1 and Layer 2 independently in the future.
Thank You,
Saurabh Khanna.
Here's a sample of copying the layer mask onto layer 2 using a hard cutout.
Here's the same thing using a soft feather cutout. -
1 isp(T1), 1 unmanaged switch, 2 routers(WRT54G), 2 public ips - How should I connect everything?
Help. I got a client with a T1 and multiple public IPs that he wants to share with his neighboring companies. How should I connect everything?
You need a manageable switch and create VLANs so you can segment the traffic between the 2 internet connections.
-
Trying to add multiple ship to parties using BAPI_BUPR_PFCT_CREATEFROMDATA
Hi all,
I am trying to add a relationship to a business partner. I have two business partners, BP1 and BP2. I need to assign BP2 as "Ship to Party" for BP1. I was able to do this using BAPI_BUPR_PFCT_CREATEFROMDATA.
But my actual requirement is to add more than one business partner as "Ship to party" to BP1 in my Z function module in one instance itself.
BAPI_BUPR_PFCT_CREATEFROMDATA will take business partners as input and assigns BP2 as Ship to party to BP1.
But my requirement is that I have to assign more than one business partner as Ship to parties for this BP1.
But BAPI_BUPR_PFCT_CREATEFROMDATA accepts only a single business partner at a time. So I created a Z function module and declared a tables parameter which accepts any number of business partners. I also declared an import parameter to accept the business partner number to which all the business partners in the table should be assigned as Ship to parties.
I tried passing the values from this table to the BAPI but it shows me a warning message saying
"After Enhancement you may not be able to convert the structure WA_SOLD into a number and it would no longer be a valid operand"
If I execute the Z function module it is not assigning the business partners from the input table as ship to parties to the business partner (import parameter).
Please help me... how can I assign multiple ship to parties for a business partner in one instance itself using BAPI_BUPR_PFCT_CREATEFROMDATA?
Here is how I designed my Z function module:
Import parameters = CUST_NO TYPE BU_NAMEP_F
Tables parameters = I_SOLD LIKE ZSOLD_TO OPTIONAL
My structure ZSOLD_TO has the following component:
BP TYPE BU_NAMEP_F
Here is my code:
FUNCTION Z_FUNCTION.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(CUST_NO) TYPE  BU_NAMEP_F
*"  TABLES
*"      I_SOLD STRUCTURE  ZSOLD_TO OPTIONAL
*"      IT_RETURN1 STRUCTURE  BAPIRET2 OPTIONAL
*"      IT_RETURN2 STRUCTURE  BAPIRET2 OPTIONAL
*"----------------------------------------------------------------------
  DATA: wa_sold   TYPE zsold_to,
        ls_commit TYPE bapiret2.

* INTO, not TO: "LOOP AT itab TO n" is the obsolete index-range form and
* expects a number, which is exactly what the warning about converting the
* structure WA_SOLD into a number is complaining about. With TO the loop
* never reads a row, so no relationship is created.
  LOOP AT i_sold INTO wa_sold.
*   Create the relationship CUST_NO -> WA_SOLD-BP as ship-to party
    CALL FUNCTION 'BAPI_BUPR_PFCT_CREATEFROMDATA'
      EXPORTING
        businesspartner1     = cust_no
        businesspartner2     = wa_sold-bp
        relationshipcategory = 'CRMH02'
      TABLES
        return               = it_return1.

*   Commit each relationship so the next iteration starts from a clean LUW;
*   RETURN of BAPI_TRANSACTION_COMMIT is a single structure, so collect it.
    CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
      EXPORTING
        wait   = 'X'
      IMPORTING
        return = ls_commit.
    APPEND ls_commit TO it_return2.
  ENDLOOP.
ENDFUNCTION.
Regards,
Jessica Sam
Edited by: jessica sam on Jan 19, 2009 1:57 AM
Edited by: jessica sam on Jan 19, 2009 2:09 PM
Hi,
I am facing the same issue. I have created the Target Group and then assigned the BP to the target group using BAPI BAPI_TARGETGROUP_ADD_BP, and called BAPI BAPI_TRANSACTION_COMMIT after this. Table CRMD_MKTTG_TG_I is getting updated with the BP GUID but it's not showing in the WEB UI screen.
Please help me.
Thanks and Regards,
Ranadev -
Unable to establish OSPFv3 neighbors through transparent ASA
I have 2 devices running IPv6 with an ASA version 8.4(2) in transparent mode with multiple contexts in between them. I can IPv6 ping the devices through the ASA but cannot get the 2 devices to establish OSPFv3 adjacency. They are able to establish adjacency with IPv4 OSPF. When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link-local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
Any thoughts?
Bob
Bob,
It is expected that OSPF/EIGRP etc. use link-local rather than unique global ;-)
Regarding the problem:
- please enable
logging buffered informational
logging buffer-size 1000000
- and an ASP drop capture:
capture ASP type asp-drop all
Try establishing the adjacency and check
show logging
show capture ASP
I would also try establishing the adjacency without multicast (a point-to-multipoint network should allow this).
Marcin -
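An added example, not from the thread, that writes out the diagnostic steps in Marcin's reply in full command form and adds the explicit permit a transparent-mode context needs before it will bridge IP multicast such as OSPFv3 hellos (destination ff02::5, IP protocol 89, link-local source). The context name CTX1, the interface names inside/outside and the ACL name are assumptions. Whether a missing permit is the cause in Bob's case is not established by the thread; the ASP-drop capture and the log are what tell you, since a policy drop shows up there with its reason.

```cisco
! Added example, not from the thread. Context, interface and ACL names are
! assumptions; run inside the context that bridges the two OSPFv3 routers.
changeto context CTX1
!
! 1. Logging and an ASP-drop capture, so that every hello the firewall
!    refuses to bridge is recorded together with its drop reason.
logging enable
logging buffered informational
logging buffer-size 1000000
capture ASP type asp-drop all
!
! 2. A transparent firewall only bridges IP multicast that an extended ACL
!    permits. OSPFv3 hellos go to ff02::5 (AllSPFRouters); DR/BDR traffic to
!    ff02::6 (AllDRouters). If an IPv6 ACL is already applied on these
!    interfaces, add the lines to that ACL instead of replacing it with a
!    new access-group, since only one IPv6 ACL is honoured per direction.
ipv6 access-list OSPFV3-THRU permit 89 any host ff02::5
ipv6 access-list OSPFV3-THRU permit 89 any host ff02::6
ipv6 access-list OSPFV3-THRU permit 89 any any
access-group OSPFV3-THRU in interface inside
access-group OSPFV3-THRU in interface outside
!
! 3. Retry the adjacency on the routers, then read the evidence
show logging
show capture ASP
show asp drop
```

Read "show asp drop" before and after the retry: a counter that climbs in step with the hello interval (acl-drop, or one of the bridging/multicast reasons) is the one to chase, and "show capture ASP" gives the individual packets for it. If the counters stay flat while the capture shows nothing, the hellos are not reaching the ASA at all and the problem is on the switches on either side, not in the firewall policy.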
Hi Guys,
This is a little bit of an odd request, however I need to allow async routing due to some legacy routing to pass through my ASA.
I have allowed IP any any between the particular hosts involved to allow for high ports etc.
However the ASA is tearing down the session as it never sees the ACK.
Hence, is there a way to turn off the IP inspection, or some other way to get this traffic through the firewall?
Thanks
Scott
On an iPad I don't believe that you can. If you made the iPad tunnel through your laptop or desktop computer it may be possible to specify what traffic you want sent through the VPN or otherwise. But I have a feeling that would be very complicated to set up and keep working well.
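For Scott's question above (the reply that follows it on this page belongs to an unrelated iPad VPN thread), an added example, not from the thread, of the ASA feature built for flows the firewall only ever sees in one direction: TCP state bypass, available from ASA 8.2(1). The host addresses, interface, ACL, class-map and policy-map names are constructed for the example.

```cisco
! Added example, not from the thread. TCP state bypass stops the ASA from
! tracking the TCP handshake for the matched flows, so an asymmetric path
! where the return traffic never crosses the firewall is no longer torn down
! for a missing SYN-ACK/ACK. Needs ASA 8.2(1) or later. Addresses and names
! are constructed; substitute the two legacy hosts and, if known, the port.
access-list TCP-BYPASS extended permit tcp host 10.1.1.10 host 10.2.2.20
access-list TCP-BYPASS extended permit tcp host 10.2.2.20 host 10.1.1.10
!
class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS
!
! A dedicated interface policy rather than global_policy, so the rest of the
! box keeps full stateful tracking. Bypassed flows get no TCP normalization,
! no sequence randomization and no inspection, hence the narrow match ACL.
! Give them an idle timeout, since there is no FIN/RST tracking to close them.
policy-map TCP-BYPASS-POLICY
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
  set connection timeout idle 0:10:00
!
service-policy TCP-BYPASS-POLICY interface inside
!
! Verification: bypassed connections carry the "b" flag in the conn table
show service-policy interface inside
show conn address 10.1.1.10 detail
```

State bypass changes connection tracking only, not access control: the "ip any any" permit between the hosts still has to be in place, and the policy must sit on the interface where the first packet of the flow enters the ASA. Keep the match ACL to the exact hosts (and ports, if fixed) involved, because every flow it matches is exempt from the TCP normalizer and from inspection.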
-
I can see a preview of the photos, but I cannot access or edit them. They say "the folder cannot be located" and "the photo is missing". I have gone through multiple Adobe tutorials to try and recover them to no avail. Any tips?
Backup catalogs wouldn't have helped with this problem anyway, but naturally, you shouldn't delete backup catalogs for a while.
The solution to reconnecting the folders is given here: Adobe Lightroom - Find moved or missing files and folders