PAT or NOT PAT

Hi everybody, please forgive my poor language.
I have a neo fis2r (i875p) first release, last bios. Until today, I have used 2X 256 pc3200 samsung certified CS 2.5 at 200mhz, in dual channel (bank 1 and 3).
My PC was running in turbo mode (with PAT enabled, from Sandra 2004 Pro).
Today I added 2X256 samsung (certified cd 2.5 at 166mhz ???) in bank 2 and 4.
Impossible to boot in more than fast mode, PAT is disabled (even in fast mode) and Sandra tells that bank 4 is empty, but not Everest Home Edition.
What's the matter with PAT and turbo mode, maybe poor quality of memory?
Regards

Yes, the system has detected 1 GB, I think it's a bug of SANDRA 2004.
Anyway, the references on the sticks are identical but I think that the 2 first sticks are really original Samsung but the other ones just have Samsung chipsets.
Everest information (in general/overclock) tells that the 4 sticks are pc3200 cas 3 at 200 mhz @ 2,5 at 200 for the originals but 2.5 at only 166 for the "poor" one.
I tried fast mode (the smaller mode for PAT) with 4 sticks, Everest said PAT is disabled but enabled with only 2 sticks (original or "poor").
Could you tell me if the 4 sticks must be strictly the same?
Regards

Similar Messages

  • Pat is not working on my asa

    Hi there. 
    I'm just trying to do PAT with GNS3, but it's not working and I don't have any idea.
    (Cisco Adaptive Security Appliance Software Version 8.4(2))
    And also I figured out that there are some changes in NAT configuration. I did them but it didn't work.
    I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8
    I turned on debug in R1 and I can see the ICMP.
    R1#
    *Mar  1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    *Mar  1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    And also can see xlate on ASA
    ASA-1# sh xlate
    1 in use, 9 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
    ASA-1#
    This is my topology. 
    [ASA1]
    ASA-1# sh run ip
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    ASA-1# sh run object network
    object network obj-192.168.100.0
     subnet 0.0.0.0 0.0.0.0
    ASA-1# conf t
    ASA-1(config)# ob
    ASA-1(config)# object net
    ASA-1(config)# object network obj-192.168.100.0
    ASA-1(config-network-object)# nat (in
    ASA-1(config-network-object)# nat (inside,ou
    ASA-1(config-network-object)# nat (inside,outside) dy
    ASA-1(config-network-object)# nat (inside,outside) dynamic inter
    ASA-1(config-network-object)# nat (inside,outside) dynamic interface
    ASA-1(config-network-object)# end
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.100.254 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.10.20.1
    [HOST]
    ip address 192.168.100.116/24
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 1.1.12.1 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    What am I missing?
    Please correct me.
    Thank you in advance.

    Just reload... I'm still stuck in the ping.
    Changed the topology to be more simple, but still not working.
    Here is all that I did.
    [ASA]
    access-list ICMP extended permit icmp any any echo-reply
    access-list ICMP extended permit icmp any any time-exceeded
    access-group ICMP in interface outside
    interface GigabitEthernet0
     description To_UP
     nameif outside
     security-level 0
     ip address 10.10.10.2 255.255.255.0
    interface GigabitEthernet1
     description To_DOWN
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.1 255.255.255.0
    ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.2 255.255.255.0
    ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
    [output tracer]
    ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.10.10.0      255.255.255.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP <---??????????????????????????
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ciscoasa#
    [ASA]
    ciscoasa# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ICMP; 2 elements; name hash: 0x2d2cf426
    access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
    access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
    ciscoasa#
    I created the ACL and permitted it.
    Thank you. 

  • NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

    Hello fellow engineers!
    I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
    Scenario description:
    2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented). The router has two other WAN (Internet) connections via a Satellite link and a MetroEthernet link. These two are terminated on the switch on intf’s at the appropriate VLAN’s. At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks. The aDSL and Metro links have an 8-IP public set, each.
    Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
    VLAN 11 -> 10.0.1.x
    VLAN 12 -> 10.0.2.x
    VLAN 13 -> 10.0.3.x
    VLAN 71 -> 192.168.17.x
    VLAN 204 -> 172.16.204.x
    and – last but not least ! – VLAN 10 -> 10.0.0.x
    All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
    Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
    What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
    Could pls someone spot what I’m missing !!
    To help you I also attach the router config and some command outputs…
    All help is appreciated.
    Thanx
    Costas

    That last PBR statement
    (route-map 10.0.0.X_hosts_PBR permit 70
     description *** rest of 10.0.0.x net --> Oxygen ***
     match ip address rest_of_10.0.0.x
     set ip next-hop 212.251.64.153)
    was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
    (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
      Match clauses:
        ip address (access-lists): rest_of_10.0.0.x
      Set clauses:
        ip next-hop 212.251.64.153
      Policy routing matches: 0 packets, 0 bytes)

  • PAT file not shown in Support package manager

    Hi All,
    We had to create a custom BAPI to achieve a functionality in our product.
    We are doing this for the first time.
    As a standard procedure we followed the AAK (Assembly Add On ) toolkit to create the deploy-able.
    Finally in the consolidation system we could see the following PAT file created in the out directory.
    QA70020777848_0000002.PAT
    I copied the file to the in directory of the production SAP server where this needs to be deployed.
    I ran the transaction SPAM on the server.
    Load packages from Application server
    QA70020777848_0000002.PAT    SAPK-170COINCOMPANY1    @EB\QUpload Already Occurred@    0004    OCS file already exists in inbox. Upload not required.
    It decompresses the file properly.
    Now the problem occurs ahead.
    If I click on the New Support package, nothing is shown.
    Am I missing any steps here?
    Regards
    Manoj

    Got the solution in fact it's not a solution it's just an awareness on how the disks are available in fail-over cluster manager.
    1) All the available disks are shown in fail-over cluster manager "storage".
    2) While installation it asks us to add available disks for SQL Server then add accordingly. (Ex: E:drive for data files and L:drive for Log files) 
    3) Once the installation is done you see those disks in MSSQL (SQL Server) group.
    Means when you click on Active node it should show you MSSQL (SQL Server) group in which you can find network name, network ip, E: & L: Drives, SQL Server and Agent services.
    Note: MSDTC and Quorum are also clustered disks which can reside (Preferably Active Node) in any of the nodes but automatically fail-overs to active node in case of any passive node failures.
    Regards,
    Kalyan
    Grateful to your time and support. Regards, Shiva

  • SA520 NAT/PAT not working with NAT address

    The SA520 I have is configured on one public IP address and an exchange server is behind it. The exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independent of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some times and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly.. and then go back. If I use a 3rd party website to test the IP address, sometimes I get the correct one and sometimes I get the wrong address.
    Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)?  I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25.  How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?

    Hi John,
    In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
    We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace)  After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture.  Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com.  On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button.  Open file with Wireshark/Ethereal and observe the source and destination address of the packets.  They should have the ALIAS address and not the WAN IP address.
    If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email account (yahoo, gmail, hotmail).
    If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
    If there are issues, you can post the captures as a personal message to me.
    I hope the above will help narrow the issue a bit.
    Best regards,
    Julio
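
The check described in this reply (outbound packets in a WAN-side capture should carry the ALIAS address, not the WAN IP) can also be scripted. This is an added example, not part of the original thread: it assumes the downloaded capture is a classic libpcap file with Ethernet framing, and the addresses and function names are constructed placeholders.

```python
import ipaddress
import struct
from collections import Counter

# Constructed placeholder addresses (RFC 5737 ranges), not taken from the thread.
WAN_IP = "203.0.113.10"    # firewall's own WAN address, used when traffic is PATed
ALIAS_IP = "203.0.113.11"  # IP alias meant for the 1-to-1 NATed mail server


def read_pcap(data):
    """Yield raw frames from a classic libpcap file with Ethernet framing."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # capture was cut off mid-record
        off += 16 + incl_len
        yield frame


def parse_ipv4(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20:
        return None
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    l4 = 14 + ihl
    dport = None
    # Only the first fragment of a TCP/UDP packet carries the port numbers.
    if proto in (6, 17) and frag_offset == 0 and len(frame) >= l4 + 4:
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return src, dst, proto, dport


def audit_egress(data, wan_ip=WAN_IP, alias_ip=ALIAS_IP, server_ports=(25,)):
    """Tally outbound packets by (source, proto, dport).

    After NAT the capture no longer shows which LAN host sent a packet, so the
    check is limited to ports only the NATed server should originate (SMTP by
    default): any such packet sourced from the WAN address went out via PAT.
    """
    tally = Counter()
    for frame in read_pcap(data):
        pkt = parse_ipv4(frame)
        if pkt is None:
            continue
        src, _dst, proto, dport = pkt
        if src in (wan_ip, alias_ip):
            tally[(src, proto, dport)] += 1
    leaked = sorted(k for k in tally if k[0] == wan_ip and k[2] in server_ports)
    return tally, leaked


def make_frame(src, dst, dport, proto=6, sport=40000, frag=0):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_sample_pcap():
    """Constructed sample capture: two SMTP packets via the alias, one via PAT."""
    frames = [
        make_frame(ALIAS_IP, "198.51.100.25", 25),
        make_frame(ALIAS_IP, "198.51.100.25", 25),
        make_frame(WAN_IP, "198.51.100.25", 25),         # mail leaving via PAT
        make_frame(WAN_IP, "198.51.100.80", 443),        # another LAN host, expected
        make_frame("198.51.100.25", ALIAS_IP, 40000),    # inbound reply, ignored
        make_frame(WAN_IP, "198.51.100.25", 25, frag=8), # later fragment, no ports
        b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,       # ARP, not IPv4
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    tally, leaked = audit_egress(build_sample_pcap())
    for key, count in sorted(tally.items(), key=str):
        print(key, count)
    print("server traffic sourced from the WAN address:", leaked)
```
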

  • Trying to load patterns, .pat files not showing

    I am trying to load patterns, and when I click on Load Patterns..., none of my .pat files are showing. I only have one showing right now, and that is only because i did the following: I clicked the "Reset to Default" button, which brought up the default patterns. Once that was loaded, I reset that as the default and now that is the only .pat file that shows. If I go to the preset folder in CS5, I can see the list of .pat files, yet they won't show up when I try to load a new pattern folder.
    Any help is appreciated. Just to show what I'm seeing, here is what I see trying to load a pattern from the presets/Patterns folder in CS5:
    And here is that same folder opened in explorer:
    thanks!

    Yes, I've sort of found a solution. While they didn't show up in the folder, they DID show up in the flyout at the bottom. I could open a .pat (and this same thing happened with my brushes btw) at the bottom of the flyout menu, then once the brushes were opened, I could save the set of patterns/brushes as a new set, and after doing that, they show up when i try to load new brushes/patterns/etc.
    Not sure if this is how things work normally, but I've been using photoshop for many years and don't remember that ever happening before. This is the first time I've tried to load patterns/brushes on this computer, so maybe it's a first time use thing.

  • I'm doing a design for presale, where I will need a router that supports PAT for 500 or a little more users; it does not need any more features, only static routing and a DHCP pool for 500 users. Can you help me know what router to recommend?

    I'm doing a design for presale, where I will need a router that supports PAT for 500 or a little more users; it does not need any more features, only static routing and a DHCP pool for 500 users. Can you help me know what router to recommend?

    What is your WAN speed currently and projected WAN speed in the next 3 years?

  • RS480M2-IL: Drives do not power up if PATA cables are connected

    I am building a system around the RS480M2-IL and I'm having a bizarre problem.
    When I plug the hard drive and DVD into the power supply and turn the system on without connecting the ATA133 connectors, the drives power up. If I connect the drives to another system, both are detected and usable. I've tried a different ATA133 cable and using either PATA controller on the motherboard. The drives work fine and the power supply works fine, but when the drives are connected to the ATA133 connector, either together or separately, they are unable to receive power.
    Do you know what could be causing this?  The only thing I can think of is a defective IDE controller on the motherboard.

    Make sure the integrated IDE controllers you are trying to use are enabled in the BIOS.  You will want to put the optical drive on one IDE controller and the hard drive on the other.  i.e. don't have them both connected on a single cable.  Check the settings - both should be on master or cable select.

  • I downloaded to the latest Firefox yesterday 5-5-2011 & everything was screwed up. Uninstalled Firefox now how do I get it back, not the latest version? Been to your site & it will not download. Thanks Pat

    Can't think of anything else to add, just want to download Firefox. The older nor newer versions will not load, I click where it says if downloading does not start, just stays at 0%.

    See;
    * http://kb.mozillazine.org/Backing_up_and_restoring_bookmarks_-_Firefox
    * http://kb.mozillazine.org/Profile_backup
    Did you check your security software (firewall)?
    A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
    Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.
    See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls

  • I cannot get past step two of the download without buying a product?  I do not need the other products.

    I cannot get past step two of download without buying an app that I do not want?  Blocked plug in is persistent.  Help

    "blocked plugin" means you are using an outdated Flash Player version; Apple/Safari will block anything older than 15.0.0.189.
    You do not need to buy anything to download or install Flash Player; best use the offline installer http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_osx.dmg

  • RV042 - PAT not working

    Hi,
    I have to access different machines behind the RV042 on the ports 80 or 443.
    Each machine can be reached locally on the private IP address.
    So if I read it right I have to configure the UPnP feature to do the translation but it does not work:
    UPnP table:
    HostA   TCP   2000   80    192.168.1.50   Enabled
    HostB   TCP   2002   443   192.168.1.14   Enabled
    HostC   TCP   2003   443   192.168.1.15   Enabled
    But I still cannot connect to HostA on a web browser using " http://xxx.xxx.xxx.xxx:2000 ".
    I have read several topics on this matter and I don't understand what I am missing.
    Any help would be very appreciated.
    Thanks!

    What type of servers are they?
    You might want to cluster them.
    Another option would be to change the servers' service ports.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • P965 NeoF + PATA DVD drive + Hiren's Boot CD == CD not found!!!

    Hi all,
    I have got NEC 3551 installed as slave along with a master IDE hard drive.  I am trying to get Hiren's Boot CD to load properly without any success.  When I select any of the available menu choices and the CD DOS driver tries to install I get error messages of CD drive not found...  Has anyone of you succeeded in loading Hiren's Boot CD at all with this board?
    Thanks in advance for your replies.

    Quote from: S.O.D. on 20-December-06, 18:26:24
    Problem with playing DVD occurred just a few days ago, I have MSI neo P965 and JMICRON latest online driver 1.4 I guess,
    I have connected a Seagate 160gb SATA to the JMICRON SATA port, LG's DVD combo ram driver on IDE. When I put the DVD in, the drive starts to run normally, but just when I click play in my VLC, problems begin: the whole PC freezes and there is no other solution than to switch off the power..
    Don't own a floppy drive..
    Quote from: S.O.D. on 21-December-06, 18:48:28
    Last evening I suddenly had a blue screen, and I couldn't log in to Windows, had to work late into the night so that I could get this machine to boot to Windows, and I seriously suspect it's that friggin JMICRON! I changed my SATA wire to another port and I managed to log in to Windows.. Is there a working driver for that JMICRON??
    Well, everything else seems to work properly but some DVD movies and a couple of DVD-ROM games won't run at all..
    Damn that JMICRON..
    S.O.D., can you open a new thread instead? I wanted to help you on your problem but it's difficult to do that in this thread. Thanks.

  • Update on BIOS & MEMORY problems? also DOT, PAT, settings...

    Okie dokie, I'm new here, and I've been poring through threads for the past 2-3 hours and doing searches, so please excuse these questions if they seem to have already been answered, but I would like to just ask a few (hopefully succinct) questions to get the quickest and most direct answers possible...
    I just bought the 865pe-LS board, p-4 2.6ghz 800FSB HT CPU, and value-select Corsair PC3200 512MB dual-channel kit, and it has become apparent that there is or has been a HUGE problem with this board accepting Corsair memory.  ARGH   or should I say DOH for not checking into all of this BEFOREHAND!
    But it seems that several bios versions have come out since the majority of those threads I have been reading about back in august.  Sooo, can anyone tell me if the current version, 1.9 bios, has fixed these incompatibilities with the corsairs memory sticks?  I realize that most people are going the LL version routes for the memory, and I have opted for the value-select versions...but it still seems to be a possible dilemma.  I am wondering if it is worth it to try to pay the 15% restock fee or sell it on ebay (hopefully for about what I paid) and go get the same stuff in kingston memory instead, since these seem to be much more compatible?  Or has this problem been fixed with newer bios versions?
    Another important factor to consider, I think, is that I may not be THAT interested in overclocking much of anything, but perhaps just wishing to use the fast or turbo modes, probably not ultra-turbo since i would need the XMS or hyper-X versions to even try this.  If the bios is now accepting corsair, I am trying to figure out, short of "experimenting" since i have not gotten all of my components in yet, if its even possible or recommended to overclock or use the fast/turbo mode with the cas-3 value select dual-channel setup I will be using...any clues?  
    Lastly, which may have been already answered by now, is it best to use the PAT or DOT settings or opt for manual setting for any sort of higher-performance setup, considering my specs for my soon-to-be new computer?  Or does it really make THAT much difference?  I'm not into squeezing out every nano-second of speed, but if a little tweaking would make a BIG difference and wouldn't require me spending MANY hours or days to do so, then I'm all for it.  I'm practically a noob at this stuff, only really educating myself in any depth about all this stuff tonight (going off of what others have recommended in making these purchases)...thanks for the understanding and the help in advance!
    *looking for any help*  
      is how i feel, haha...*sigh*

    There doesn't seem to be any particular Ram type that is working for everybody. Also, many people that are experiencing problems are trying to overclock(some to extremes). You don't seem very interested in that aspect. For the Ram, you really just have to put it in and see what happens.
    If you haven't already, read the FAQ HERE for the Neo/Neo2 boards. Particularly #5 which will help you setup the SATA/IDE devices in the Bios. Use Native mode for Windows XP.
    Things I would set in the Bios right out of the box:
    (Some of these might already be set by default)
    Boot device select- Order that you want to boot from particular devices. Might have to set "On-chip IDE Config" items first and re-boot to see all your devices here.
    HT-On
    MPS revision-1.4
    APIC ACPI....- Enabled
    Dram Timing- By SPD
    Integrated Peripherals is fairly intuitive except the "On-chip IDE config" see FAQ page.
    DOT- disabled for now
    MAT- slow to start
    DRAM freq- 400
    CPU Bus- 201(seems strange but do it; try a search here for "201" and you'll know why)
    DDR voltage- 2.7v (like reilly said)
    If this works OK (try something that stresses it) you can try raising the MAT to fast. After you're happy that this is stable, you can try turbo if you want but I'm not sure with the value Ram. Once you settle on this, try playing with the DOT features. I think General is the equivalent of a 10% increase on the system. Once you've found a setting you like here, you should leave it for a while and just enjoy your new computer!
    If you get bored, you can always go in and disable the DOT and manually raise FSB for more fun.
    Things you should read up on before you do any overclocking:
    Clearing CMOS
    5:4 FSB/MEM ratio
    Have fun!

  • Cisco asa 5505 issues ( ROUTING AND PAT)

    I have some issues with my cisco asa 5505 config. Please see details below:
    NETWORK SETUP:
    gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 )  -
    ISSUES:
    1)
    no route from DMZ to outside
    example:
    ping from 172.16.3201 to the gateway
    6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
    2)
    not working access from external to DMZ AT ALL
    ASA DETAILS:
    cisco asa5505
    Device license          Base
    Maximum Physical Interfaces          8          perpetual
    VLANs          3      DMZ Restricted
    Inside Hosts          Unlimited          perpetual
    configuration:
    firewall200(config)# show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd XXXXXXXXXXX encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network office1-int
    host 172.16.2.1
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any object web2-ext eq www
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500 
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
    route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 172.16.2.10-172.16.2.10 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
    : end

    Thank you one more time for everything. It is working indeed.
    Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch. Separating all networks to different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy it on live (only www for all, ssh restricted from outside, lan to dmz). Thanks one more time.
    show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
    access-list outside_access_in extended permit tcp any object web2-int eq www
    access-list outside_access_in extended permit tcp any object web2-int eq ssh
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any DMZ
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext net-to-net
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.16.3.253 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
    : end
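
The poster asks whether this configuration is ready for production. The following is an added example, not part of the original post or any Cisco tool: a small Python audit that runs over lines copied from the configuration above and flags rules that conflict with the stated intent. The rule ids and the `audit` function are names chosen for this example.

```python
import re

# Constructed excerpt: lines copied from the ASA 9.1(3) configuration posted above.
SAMPLE_CONFIG = """\
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
ssh 192.168.223.227 255.255.255.255 outside
ssh key-exchange group dh-group1-sha1
"""

ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.*)")
BIND = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (rule_id, config_line) findings; rule ids are made up for this example."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # ACL name -> interface whose inbound traffic it filters.
    bound = dict(m.groups() for m in map(BIND.match, lines) if m)
    findings, wide_open = [], set()
    for ln in lines:
        m = ACE.match(ln)
        if m:
            name, action, proto, rest = m.groups()
            if name in wide_open:
                # First match wins, so entries after "permit ip any any" never match.
                findings.append(("shadowed-by-any-any", ln))
            elif action == "permit" and proto == "ip" and rest == "any any":
                findings.append(("permit-ip-any-any", ln))
                wide_open.add(name)
            elif (action == "permit" and bound.get(name) == "outside"
                  and rest.startswith("any ") and rest.endswith("eq ssh")):
                findings.append(("ssh-from-any-on-outside", ln))
        elif ln == "ssh key-exchange group dh-group1-sha1":
            # diffie-hellman-group1-sha1 negotiates over a 1024-bit group.
            findings.append(("weak-ssh-kex", ln))
    return findings

if __name__ == "__main__":
    for rule, line in audit(SAMPLE_CONFIG):
        print(f"{rule:26} {line}")
```
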

  • Cisco ASA 5505 Simple PAT

    Good morning you clever bunch,
    Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
    Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
    packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside,outside) source static server publicIP service RDP RDP
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
    I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help is greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about tried everything.
    Many thanks,
    Sam - below is my running config
    ASA Version 8.4(4)1
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.240.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 80.*.*.203 255.255.255.248
    ftp mode passive
    object network server
    host 10.240.0.10
    object network publicIP
    host 80.*.*.37
    object service RDP
    service tcp source eq 3389
    access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server publicIP service RDP RDP
    access-group ouside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
    : end

    Hi Jennifer,
    No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
    You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
    Many thanks.
    Sam
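
The thread above resolves once the packet-tracer destination is the outside (mapped) host rather than the inside server. The following is an added example, not from the original posts and not Cisco code: a simplified Python model of the inbound checks on ASA 8.3 and later that reproduces the `rpf-check` drop. `203.0.113.37` is a placeholder for the masked `publicIP`, and `trace_inbound` is a name chosen for this example.

```python
# Simplified model (an assumption for illustration) of how ASA 8.3+ treats a new
# inbound TCP flow when a static NAT rule exists for the destination server.
REAL = ("10.240.0.10", 3389)      # object "server" from the posted config
MAPPED = ("203.0.113.37", 3389)   # placeholder for the masked publicIP object
# access-list ouside_in permits tcp any -> real server address, port 3389.
ACL_OUTSIDE_IN = {("tcp", "10.240.0.10", 3389)}

def trace_inbound(dst_ip, dst_port):
    """Return (result, phase) for a TCP packet arriving on the outside interface."""
    # UN-NAT: a destination equal to the mapped address/port is rewritten to the
    # real address before the access list is evaluated.
    untranslated = (dst_ip, dst_port) == MAPPED
    real_dst = REAL if untranslated else (dst_ip, dst_port)

    # ACCESS-LIST: evaluated against the real (post-un-NAT) destination.
    if ("tcp", real_dst[0], real_dst[1]) not in ACL_OUTSIDE_IN:
        return ("DROP", "ACCESS-LIST")

    # NAT rpf-check: the server's reply would be translated by the static rule,
    # so the forward packet must have been un-translated by that same rule.
    if real_dst == REAL and not untranslated:
        return ("DROP", "NAT rpf-check")
    return ("ALLOW", "NAT rpf-check")

if __name__ == "__main__":
    # Destination as in the original packet-tracer command: the real inside address.
    print(trace_inbound("10.240.0.10", 3389))
    # Destination as an outside client would actually use it: the mapped address.
    print(trace_inbound("203.0.113.37", 3389))
```
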
