PAT or NOT PAT
Hi everybody, please, forgive my poor language.
I have a Neo FIS2R (i875P), first release, latest BIOS. Until today, I have used 2x 256 PC3200 Samsung certified CAS 2.5 at 200 MHz, in dual channel (banks 1 and 3).
My PC was running in turbo mode (with PAT enabled, from Sandra 2004 Pro).
Today I added 2x 256 Samsung (certified CAS 2.5 at 166 MHz ???) in banks 2 and 4.
Impossible to boot in more than fast mode; PAT is disabled (even in fast mode) and Sandra says that bank 4 is empty, but Everest Home Edition does not.
What's the matter with PAT and turbo mode? Maybe poor quality memory?
regards
Yes, the system has detected 1 GB; I think it's a bug in SANDRA 2004.
Anyway, the references on the sticks are identical, but I think that the first 2 sticks are really original Samsung while the other ones just have Samsung chipsets.
Everest information (in General/Overclock) says that the 4 sticks are PC3200 CAS 3 at 200 MHz, @ 2.5 at 200 for the originals but 2.5 at only 166 for the "poor" ones.
I tried fast mode (the smallest mode for PAT) with 4 sticks; Everest said PAT is disabled, but enabled with only 2 sticks (original or "poor").
Could you tell me if the 4 sticks must be strictly the same?
Regards
Similar Messages
-
Hi there.
I am just trying to do PAT with GNS3, but it's not working and I don't have any idea.
(Cisco Adaptive Security Appliance Software Version 8.4(2))
And also I figured out that there are some changes in NAT configuration. I did them, but it didn't work.
I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8
I turned on debug in R1 and I can see the ICMP.
R1#
*Mar 1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar 1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
And also I can see the xlate on the ASA
ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#
This is my topology.
[ASA1]
ASA-1# sh run ip
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
ASA-1# sh run object network
object network obj-192.168.100.0
subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end
[R4]
interface FastEthernet0/0
ip address 10.10.20.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.100.254 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1
[HOST]
ip address 192.168.100.116/24
[R1]
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.1.12.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
What am I missing?
Please correct me.
Thank you in advance.
Just reload... I'm still stuck in the ping.
Changed the topology to be simpler, but still not working.
Here is all what i did.
[ASA]
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-group ICMP in interface outside
interface GigabitEthernet0
description To_UP
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1
description To_DOWN
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
[R1]
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
[R4]
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
[output tracer]
ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
[ASA]
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#
I created the ACL and permitted it.
Thank you. -
Hello fellow engineers!
I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make out what the problem is…
Scenario description:
2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented). The router has two other WAN (Internet) connections via a Satellite link and a MetroEthernet link. These two are terminated on the switch on intf’s at the appropriate VLAN’s. At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks. The aDSL and Metro links have an 8-IP public set, each.
Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used. VLAN/subnet (all /24) pairs are:
VLAN 11 -> 10.0.1.x
VLAN 12 -> 10.0.2.x
VLAN 13 -> 10.0.3.x
VLAN 71 -> 192.168.17.x
VLAN 204 -> 172.16.204.x
and – last but not least ! – VLAN 10 -> 10.0.0.x
All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected. So does the PAT for hosts of all other VLAN’s (11, 12, 13, …). The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests ! Nothing else ! To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
Could pls someone spot what I’m missing !!
To help you I also attach the router config and some command outputs…
All help is appreciated.
Thanx
Costas
That last PBR statement
(route-map 10.0.0.X_hosts_PBR permit 70
description *** rest of 10.0.0.x net --> Oxygen ***
match ip address rest_of_10.0.0.x
set ip next-hop 212.251.64.153)
was not there in the first place - I got it there assuming it would help but it didn't. Actually - as mentioned - it does not get any hits !
(route-map 10.0.0.X_hosts_PBR, permit, sequence 255
Match clauses:
ip address (access-lists): rest_of_10.0.0.x
Set clauses:
ip next-hop 212.251.64.153
Policy routing matches: 0 packets, 0 bytes) -
PAT file not shown in Support package manager
Hi All,
We had to create a custom BAPI to achieve a functionality in our product.
We are doing this for the first time.
As a standard procedure we followed the AAK (Assembly Add On) toolkit to create the deployable.
Finally in the consolidation system we could see the following PAT file created in the out directory.
QA70020777848_0000002.PAT
I copied the file to the in directory of the production SAP server where this needs to be deployed.
I ran the transaction SPAM on the server.
Load packages from Application server
QA70020777848_0000002.PAT SAPK-170COINCOMPANY1 @EB\QUpload Already Occurred@ 0004 OCS file already exists in inbox. Upload not required.
It decompresses the file properly.
Now the problem occurs ahead.
If I click on the New Support Package, nothing is shown.
Am I missing any steps here?
Regards
Manoj
Got the solution. In fact it's not a solution, it's just an awareness of how the disks are available in Failover Cluster Manager.
1) All the available disks are shown in fail-over cluster manager "storage".
2) While installation it asks us to add available disks for SQL Server then add accordingly. (Ex: E:drive for data files and L:drive for Log files)
3) Once the installation is done you see those disks in MSSQL (SQL Server) group.
Means when you click on Active node it should show you MSSQL (SQL Server) group in which you can find network name, network ip, E: & L: Drives, SQL Server and Agent services.
Note: MSDTC and Quorum are also clustered disks which can reside in any of the nodes (preferably the active node) but automatically fail over to the active node in case of any passive node failures.
Regards,
Kalyan
Grateful to your time and support. Regards, Shiva -
SA520 NAT/PAT not working with NAT address
The SA520 I have is configured on one public IP address and an Exchange server is behind it. The Exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independent of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some times and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly... and then go back. If I use a 3rd party website to test the IP address, sometimes I get the correct one and sometimes I get the wrong address.
Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the Exchange server (which is behind the SA520)? I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25. How do I tell the SA520 to do a 1 to 1 NAT with the Exchange server?
Hi John,
In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace) After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture. Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com. On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button. Open file with Wireshark/Ethereal and observe the source and destination address of the packets. They should have the ALIAS address and not the WAN IP address.
If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email account (yahoo, gmail, hotmail).
If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
If there are issues, you can post the captures as a personal message to me.
I hope the above will help narrow the issue a bit.
Best regards,
Julio -
Trying to load patterns, .pat files not showing
I am trying to load patterns, and when I click on Load Patterns..., none of my .pat files are showing. I only have one showing right now, and that is only because I did the following: I clicked the "Reset to Default" button, which brought up the default patterns. Once that was loaded, I reset that as the default and now that is the only .pat file that shows. If I go to the preset folder in CS5, I can see the list of .pat files, yet they won't show up when I try to load a new pattern folder.
Any help is appreciated. Just to show what I'm seeing, here is what I see trying to load a pattern from the presets/Patterns folder in CS5:
And here is that same folder opened in explorer:
thanks!
Yes, I've sort of found a solution. While they didn't show up in the folder, they DID show up in the flyout at the bottom. I could open a .pat (and this same thing happened with my brushes btw) at the bottom of the flyout menu, then once the brushes were opened, I could save the set of patterns/brushes as a new set, and after doing that, they show up when I try to load new brushes/patterns/etc.
Not sure if this is how things work normally, but I've been using photoshop for many years and don't remember that ever happening before. This is the first time I've tried to load patterns/brushes on this computer, so maybe it's a first time use thing. -
I'm doing a design for presale, where I will need a router that supports PAT for 500 or a little more users; it does not need any more features, only static routing and a DHCP pool for 500 users. Can you help me know what router to recommend?
What is your WAN speed currently and projected WAN speed in the next 3 years?
-
RS480M2-IL: Drives do not power up if PATA cables are connected
I am building a system around the RS480M2-IL and I'm having a bizarre problem.
When I plug the hard drive and DVD into the power supply and turn the system on without connecting the ATA133 connectors, the drives power up. If I connect the drives to another system, both are detected and usable. I've tried a different ATA133 cable and using either PATA controller on the motherboard. The drives work fine and the power supply works fine, but when the drives are connected to the ATA133 connector, either together or separately, they are unable to receive power.
Do you know what could be causing this? The only thing I can think of is a defective IDE controller on the motherboard.
Make sure the integrated IDE controllers you are trying to use are enabled in the BIOS. You will want to put the optical drive on one IDE controller and the hard drive on the other, i.e. don't have them both connected on a single cable. Check the settings - both should be on master or cable select.
-
Can't think of anything else to add, just want to download Firefox. The older nor newer versions will not load, I click where it says if downloading does not start, just stays at 0%.
See;
* http://kb.mozillazine.org/Backing_up_and_restoring_bookmarks_-_Firefox
* http://kb.mozillazine.org/Profile_backup
Did you check your security software (firewall)?
A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.
See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls -
I cannot get past step two of download without buying an app that I do not want? Blocked plug in is persistent. Help
"blocked plugin" means you are using an outdated Flash Player version; Apple/Safari will block anything older than 15.0.0.189.
You do not need to buy anything to download or install Flash Player; best use the offline installer http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_osx.dmg -
Hi,
I have to access different machines behind the RV042 on the ports 80 or 443.
Each machine can be reached locally on its private IP address.
So if I read it right, I have to configure the UPnP feature to do the translation, but it does not work:
UPnP table (name, protocol, external port -> internal port, internal IP, status):
HostA  TCP  2000 -> 80   192.168.1.50  Enabled
HostB  TCP  2002 -> 443  192.168.1.14  Enabled
HostC  TCP  2003 -> 443  192.168.1.15  Enabled
But I still cannot connect to HostA on a web browser using " http://xxx.xxx.xxx.xxx:2000 ".
I have read several topics on this matter and I don't understand what I am missing.
Any help would be very appreciated.
Thanks!
Solved!
Go to Solution.
What type of servers are they?
You might want to cluster them.
Another option would be to change the servers' service ports.
Please remember to Kudo those that help you.
Linksys
Communities Technical Support -
Hi all,
I have got NEC 3551 installed as slave along with a master IDE hard drive. I am trying to get Hiren's Boot CD to load properly without any success. When I select any of the available menu choices and the CD DOS driver tries to install I get error messages of CD drive not found... Has anyone of you succeeded in loading Hiren's Boot CD at all with this board?
Thanks in advance for your replies.
Quote from: S.O.D. on 20-December-06, 18:26:24
Problem with playing DVD occurred just a few days ago. I have MSI Neo P965 and JMicron latest online driver 1.4 I guess.
I have connected a Seagate 160GB SATA in the JMicron SATA port, LG's DVD combo RAM drive in IDE; when I put the DVD in, the drive starts normally to run, but just when I click play in my VLC, problems begin: the whole PC freezes and there is no other solution than switching off the power..
Don't own a floppy drive..
Quote from: S.O.D. on 21-December-06, 18:48:28
Last evening suddenly had a blue screen, and I couldn't log in to Windows; had to work till late night before I could get this machine to boot to Windows, and I seriously suspect it's that friggin JMicron! I changed my SATA wire to the other port and I managed to log in to Windows.. is there a working driver for that JMicron??
Well, everything else seems to work properly, but some DVD movies and a couple of DVD-ROM games won't run at all..
Damn that JMicron..
S.O.D., can you open a new thread instead? I wanted to help you on your problem but it's difficult to do that in this thread. Thanks. -
Update on BIOS & MEMORY problems? also DOT, PAT, settings...
Okie dokie, I'm new here, and I've been pouring through threads for the past 2-3 hours and doing searches, so please excuse these questions if they seem to have already been answered, but I would like to just ask a few (hopefully succinct) questions to get the quickest and most direct answers possible...
I just bought the 865pe-LS board, P4 2.6GHz 800FSB HT CPU, and Value Select Corsair PC3200 512MB dual-channel kit, and it has become apparent that there is or has been a HUGE problem with this board accepting Corsair memory. ARGH, or should I say DOH, for not checking into all of this BEFOREHAND!
But it seems that several BIOS versions have come out since the majority of those threads I have been reading about back in August. Sooo, can anyone tell me if the current version, 1.9 BIOS, has fixed these incompatibilities with the Corsair memory sticks? I realize that most people are going the LL version routes for the memory, and I have opted for the Value Select versions... but it still seems to be a possible dilemma. I am wondering if it is worth it to try to pay the 15% restock fee or sell it on eBay (hopefully for about what I paid) and go get the same stuff in Kingston memory instead, since these seem to be much more compatible? Or has this problem been fixed with newer BIOS versions?
Another important factor to consider, I think, is that I may not be THAT interested in overclocking much of anything, but perhaps just wishing to use the fast or turbo modes, probably not ultra-turbo since I would need the XMS or HyperX versions to even try this. If the BIOS is now accepting Corsair, I am trying to figure out, short of "experimenting" since I have not gotten all of my components in yet, if it's even possible or recommended to overclock or use the fast/turbo mode with the CAS-3 Value Select dual-channel setup I will be using... any clues?
Lastly, which may have been already answered by now, is it best to use the PAT or DOT settings or opt for manual setting for any sort of higher-performance setup, considering my specs for my soon-to-be new computer? Or does it really make THAT much difference? Im not into squeezing out every nano-second of speed, but if a little tweaking would make a BIG difference and wouldnt require me spending MANY hours or days to do so, then I'm all for it. I'm practically a noob at this stuff, only really educating myself in any depth about all this stuff tonight (going off of what outhers have recommended in making these purchases)...thanks for the understanding and the help in advance!
*looking for any help*
is how I feel, haha... *sigh*
There doesn't seem to be any particular RAM type that is working for everybody. Also, many people that are experiencing problems are trying to overclock (some to extremes). You don't seem very interested in that aspect. For the RAM, you really just have to put it in and see what happens.
If you haven't already, read the FAQ HERE for the Neo/Neo2 boards. Particularly #5 which will help you setup the SATA/IDE devices in the Bios. Use Native mode for Windows XP.
Things I would set in the Bios right out of the box:
(Some of these might already be set by default)
Boot device select- Order that you want to boot from particular devices. Might have to set "On-chip IDE Config" items first and re-boot to see all your devices here.
HT-On
MPS revision-1.4
APIC ACPI....- Enabled
Dram Timing- By SPD
Integrated Peripherals is fairly intuitive except the "On-chip IDE config" see FAQ page.
DOT- disabled for now
MAT- slow to start
DRAM freq- 400
CPU Bus- 201(seems strange but do it; try a search here for "201" and you'll know why)
DDR voltage- 2.7v (like reilly said)
If this works OK (try something that stresses it) you can try raising the MAT to fast. After you're happy that this is stable, you can try turbo if you want, but I'm not sure with the value RAM. Once you settle on this, try playing with the DOT features. I think General is the equivalent of a 10% increase on the system. Once you've found a setting you like here, you should leave it for a while and just enjoy your new computer!
If you get bored, you can always go in and disable the DOT and manually raise FSB for more fun.
Things you should read up on before you do any overclocking:
Clearing CMOS
5:4 FSB/MEM ratio
Have fun! -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3.201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
access from external to DMZ not working AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: end
Thank you one more time for everything. It is working indeed.
The reason why I sometimes had some 'weird' results was that I had all devices connected to the same switch. Separating all networks onto different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy live (only www for all, ssh restricted from outside, LAN to DMZ). Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end
-
Good morning you clever bunch,
Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static server publicIP service RDP RDP
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help is greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about tried everything.
Many thanks,
Sam - below is my running config
ASA Version 8.4(4)1
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.*.*.203 255.255.255.248
ftp mode passive
object network server
host 10.240.0.10
object network publicIP
host 80.*.*.37
object service RDP
service tcp source eq 3389
access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server publicIP service RDP RDP
access-group ouside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
: end
Hi Jennifer,
No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
You, Jennifer, are my new hero... Literally, on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way; you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
Many thanks.
Sam
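The rpf-check drop in Sam's packet-tracer, modelled as an added Python example (not from this thread or from Cisco): for a packet entering `outside`, the twice-NAT rule is walked in its reverse direction, so a destination equal to the real inside host fails the NAT phase, while the mapped public address is untranslated and then checked against the real-IP ACL. The address 203.0.113.37 is a constructed stand-in for the masked 80.*.*.37.

```python
from dataclasses import dataclass

# Constructed stand-in for the masked public address 80.*.*.37 in the post
# (RFC 5737 documentation range, not the poster's real address).
PUBLIC_IP = "203.0.113.37"
SERVER_IP = "10.240.0.10"
RDP = 3389


@dataclass(frozen=True)
class TwiceNat:
    """nat (<real_if>,<mapped_if>) source static <real> <mapped> service <svc> <svc>"""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int


RULES = [TwiceNat("inside", "outside", SERVER_IP, PUBLIC_IP, RDP, RDP)]

# Since 8.3, interface ACLs match on REAL (untranslated) addresses, which is
# why the post's "ouside_in" permits the private host 10.240.0.10.
ACL_OUTSIDE_IN = {("tcp", SERVER_IP, RDP)}


def packet_tracer(in_if, proto, dst_ip, dst_port):
    """Reproduce the NAT and ACL phases for a packet entering `in_if`."""
    for r in RULES:
        if r.mapped_if != in_if:
            continue
        if (dst_ip, dst_port) == (r.mapped_ip, r.mapped_port):
            # Reverse direction of the static rule: public -> real.
            dst_ip, dst_port = r.real_ip, r.real_port
            break
        if (dst_ip, dst_port) == (r.real_ip, r.real_port):
            # Destination is the real host, but the packet did not arrive via
            # the rule's mapped address: the reverse path would not match the
            # rule, so the NAT phase fails exactly as in the post's trace.
            return "DROP: NAT rpf-check"
    if (proto, dst_ip, dst_port) not in ACL_OUTSIDE_IN:
        return "DROP: acl-drop"
    return f"ALLOW: {in_if} -> inside {dst_ip}:{dst_port}"


if __name__ == "__main__":
    print(packet_tracer("outside", "tcp", SERVER_IP, RDP))   # the post's failing trace
    print(packet_tracer("outside", "tcp", PUBLIC_IP, RDP))   # destination = outside host
```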