Ping from lower security interface to a higher
Hello,
I have a Cisco 5520 ASA firewall with a direct connection to a Checkpoint firewall. On the inside network of my ASA I have a server that needs to ping a server on the DMZ on the Checkpoint and vice versa. So I have the correct routing and firewall rules on both devices.
I can successfully ping from my server on the INSIDE interface on the Cisco ASA to the server on the DMZ on Checkpoint but I can't ping in the other direction.
Q: Is this because I am trying to go from a lower security interface on the ASA to a higher one?
I can't be sure if the error is on my ASA or the Checkpoint because neither is showing anything in the logs.
Everything else on both firewalls is fine.
regards,
Kevin
Hi,
It's hard to tell what the actual problem is at the moment.
With regards to the "security-level" value, the situation is if the interface doesn't have an ACL configured on it then traffic sourced from networks behind it will be allowed to networks located behind interfaces of lower "security-level". If the source interface for the direction that is not working doesn't hold an ACL and has lower "security-level" than the destination interface then you will have to configure an interface ACL to allow this traffic.
Then again, the problem might be as simple as the server simply rejecting the ICMP Echo but allowing itself to ICMP Echo some remote destination and receive an Echo Reply for that. In other words, the server can ICMP remote hosts but won't accept ICMP Echo from remote hosts. It might reply to hosts on the directly connected network. So if there is no clear reason for the traffic to not go through I would consider checking the server software firewall.
It might also be that the working direction has been configured with Dynamic PAT and there is no correct translation for the other direction to enable sending ICMP to the server.
You can easily test the ASA configuration with the "packet-tracer" so that would be the first natural step to determining the reason of the problem or at least narrowing it down.
packet-tracer input <source-interface-nameif> icmp <source-ip> 8 0 <destination-ip>
In the above command you would use the interface nameif behind which the ICMP Echo is coming from (8 0 = ICMP Echo). The source IP address is obvious. The destination IP address should be the NAT IP address of the server IF there is NAT being performed. If NO NAT is done for the destination then you naturally use the real IP address.
Hope this helps
- Jouni
Similar Messages
-
Lower security to higher security interface PAT.
Hi,
Can we have PAT with nat and global statements for source natting a traffic from Lower security interface to Higher security? If nat & global can't achieve this, what are the Possibilities.
merci,
arun
When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
nat (outside) 1 network netmask outside
global (inside) 1 ip_address <--- used for PAT -
Unable to ping from mz to virtual interface of asa
Dear All,
One of my SNMP servers, 10.242.103.42, sits in the MZ zone, and the ACE 4710 is connected to the core switch; the core switch is connected to the firewall ASA.
Now I am trying to ping from the MZ zone SNMP server to the load balancer IP 10.242.105.1; I am unable to ping my LB interface to discover SLB on my SNMP server.
Please help me
srinivas
Is your device seeing the mac-address of the ASA in order to send the packets? What do the logs show on the firewall itself? Can you see the ARP entry on the ASA firewall for that host?
Mike -
How do I block pings from the outside to the ASA 5505 outside interface?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection
You are allowing echo-reply, thus it will reply to a ping
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric -
Moving transport from Lower ERP Version to Higher ERP Version?
Hi All,
I got a quick question regarding transporting objects from ERP 6.0 SP 13 and ERP Ehp 4.0 SP 3.
Currently, we went Go-live with ERP 6.0 with SP13, as part of Release 1 Landscape.
ECD ---> ECQ --> ECP
For release 2, which is starting in a few months, we are planning to build a Project Landscape separate from the Support landscape.
ECD --> ECQ
| -
> ECP
E2D --> E2Q
2 = Release 2 SID name
Our Support landscape will be on ERP 6.0 with SP 13
and Project landscape we wanted to upgrade to ERP 6.0 ehp 4.0 with SP 03. To keep the landscape consistent, whatever work we do on ECD (R1 landscape), we would like to import to R2 E2D as well, so when we Go-Live with R2 implementation, then our DEV and QA systems will be consistent.
My question would be, can I move/transport objects from R1 (lower ERP version) to R2 (higher ERP version)?
My answer is BIG-NO, since version and objects are different, all transports will fail.
I want to hear what you Experts say about this?
Thanks in Advance
Kumar
Can you
Edited by: Kumar Subramaniam on Jun 5, 2009 7:25 AM
Hi,
As per your query it can be moved but you will face some issues in this. There are two types of transport: 1. workbench 2. customizing. If you want to move customizing then your abaper will check this will be transport, but workbench will have some issue due to variation of version. But you transport this in your new dev server and do the configuration again in new dev server then test in your qac. The job is very typical but it's possible.
Anil -
Organizing data from low to high?
Hi Community,
I'm totally out of numbers and such, but I need to organize some data from low values to high values automatically, like for example, the earnings in 12 months, which are always variables but I would like to organize them from the lower to the higher. Is there a way to organize this automatically?
Thanks in advance,
Mart
Mart,
Would sorting your rows by column content do it for you?
Jerry -
Cumulative SUM based on Measure FROM LOWER to HIGHER
Hello,
I tried to find some post like mine but i did not find it.
I have this scenario:
Filter | Cod Store | Value
Cenario 1
City: RJ | 1112 | 574924.05
Type: Infantil | 1449 | 617860.04
Store: Carrefour | 1023 | 873678.53
But I need to create a new calculated member based on VALUE from LOWER to HIGH making a cumulative sum like this:
Filter | Cod Store | Value | What I NEED
Cenario 1
City: RJ | 1112 | 574924.05 | 574924.05
Type: Infantil | 1449 | 617860.04 | 1192784.09
Store: Carrefour | 1023 | 873678.53 | 2066462.62
Here it is ordered by VALUE already, but in my cube it may not be. Can someone help me? I am trying many ways but none works fine.
Fabrizzio A. Caputo
Hi Fabrizzio,
Most of the running total snippets you will find in the forums contain elements like currentmember, prevmember or ranges [A : B] that also refer to members. Unfortunately the relative position of those elements is extracted from the hierarchy level of the correspondent members as defined in the cube dimensions and not from the ordered (query scope) set.
The usual solution is to define a measure as the rank in the ordered set and take the cumulative sum with head (): sum( head( ordered set, till the rank) , by the value measure ).
If you choose the recursive solution for the running total you could use item() in combination with rank: maybe something like orderedset.item(rank measure) as an ersatz of currentmember.
Philip, -
I'm getting a very low signal from my Blackbird interface. The fire wire connection is selected properly and track recording sliders set. However the recording level slider in the lower right corner is grayed out. How can I get better signal?
If it's slow on startup it would be extensions loading or LaunchDaemons starting up.
You should have a look in:
/Library/LaunchDaemons
/Library/Extensions
You can count out anything in your home folder and it shouldn't put anything in /System as that's reserved for Apple. -
No traffic from Outside1 (Security level 100) attached Networks to DMZ and Viceversa
I have an ASA5510, I configured an Outside, 1 DMZ and 2 interfaces 100 security level (Outside1 and Inside). I can ping and have fluid traffic between DMZ and Inside interface, but don't have any kind of traffic between DMZ and the Outside1. I wrote the same configuration for both 100 Security Level interfaces. Also I have connected a Cisco 892 router to Outside1. When I have attached a computer instead of 892, traffic between Outside1 and DMZ is fluid. I need to have fluid traffic between networks connected to 892.
Someone can help me? Here are the 2 configs:
ASA5510:
: Saved
ASA Version 8.2(1)
hostname ASAFCHFW
domain-name a.b.c
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.y.z.162 255.255.255.248
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-list 100 extended permit tcp any host x.y.z.163 eq https
access-list 100 extended permit tcp any host x.y.z.163 eq www
access-list 100 extended permit tcp any host x.y.z.163 eq 3000
access-list 100 extended permit tcp any host x.y.z.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.22 Outside
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 172.16.31.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 DMZ
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.31.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
: end
Cisco 892:
Current configuration : 3296 bytes
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname RouterHQFCH
boot-start-marker
boot-end-marker
enable secret 4
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1580540949
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1580540949
revocation-check none
rsakeypair TP-self-signed-1580540949
crypto pki certificate chain TP-self-signed-1580540949
certificate self-signed 01
quit
license udi pid C892FSP-K9 sn FTX180484TB
username servicios privilege 15 password 7
username eguerra privilege 15 password 7
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
switchport access vlan 2
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
ip address 172.1.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet9
ip address 172.1.2.1 255.255.255.0
duplex auto
speed auto
interface Vlan1
ip address 192.168.2.2 255.255.255.0
interface Vlan2
ip address 192.168.100.200 255.255.255.0
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
control-plane
line con 0
password 7
login
no modem enable
line aux 0
line vty 0 4
password 7
login local
transport input all
scheduler allocate 20000 1000
end
Thanks in advance
Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps understand that you are not coming from a site that does not require ACLs, thus from lower to higher security interfaces you need to place ACLs, then there is a whole other world regarding NAT/PAT that involve same security interfaces that sometimes confuse customers so I also wanted to avoid that for you.
To enforce security between interfaces you need to know what protocols and ports are being used by servers that reside behind the higher security interface so you only open what is needed then block the rest to that higher security interface. -
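The security-level rule described in the replies above (Jouni's answer in the first thread and the reply in this one), as an added Python example that is not part of the original posts: it reads the relevant lines of an ASA running-config and reports how a new connection between each pair of interfaces is decided, plus any ACL that is defined but never applied. The sample config and its interface and ACL names are constructed; NAT, outbound and global ACLs and ICMP inspection are not modelled.

```python
import re
from itertools import permutations

# Constructed sample (not the config posted on this page): four interfaces,
# one ACL applied inbound on dmz, one ACL defined but never applied.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif dmz
 security-level 50
interface Ethernet0/2
 nameif inside
interface Ethernet0/3
 nameif lab
 security-level 100
access-list dmz_in extended permit icmp any any echo
access-list outside_in extended permit icmp any any echo
access-group dmz_in in interface dmz
"""


def parse_config(text):
    """Extract security levels, ACL bindings and the same-security switch."""
    levels, inbound, defined, applied = {}, {}, set(), set()
    same_security = False
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
            # ASA default when no security-level is configured:
            # 100 for an interface named "inside", 0 for any other name.
            levels[nameif] = 100 if nameif == "inside" else 0
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))
        elif m := re.fullmatch(r"access-group (\S+) (in|out) interface (\S+)", line):
            applied.add(m.group(1))
            if m.group(2) == "in":
                inbound[m.group(3)] = m.group(1)
        elif line == "same-security-traffic permit inter-interface":
            same_security = True
    # An ACL left over here may still be referenced by NAT, VPN or a class-map;
    # it is only certain that no access-group applies it to an interface.
    return levels, inbound, defined - applied, same_security


def verdict(src, dst, levels, inbound, same_security):
    """How a NEW connection entering on src and leaving on dst is decided."""
    if src in inbound:
        return "acl:" + inbound[src]   # interface ACL decides (implicit deny at its end)
    if levels[src] > levels[dst]:
        return "permit"                # higher -> lower is allowed without an ACL
    if levels[src] == levels[dst] and same_security:
        return "permit"                # equal levels need same-security-traffic
    return "deny"                      # lower -> higher needs an ACL on src


def audit(text):
    """Return (verdict per ordered interface pair, ACLs never applied)."""
    levels, inbound, unapplied, same_security = parse_config(text)
    matrix = {(s, d): verdict(s, d, levels, inbound, same_security)
              for s, d in permutations(levels, 2)}
    return matrix, sorted(unapplied)


if __name__ == "__main__":
    matrix, unapplied = audit(SAMPLE_CONFIG)
    for (src, dst), result in matrix.items():
        print(f"{src:>8} -> {dst:<8} {result}")
    print("ACLs defined but not applied with access-group:", unapplied)
```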
How to allow ping from inside to outside in 2900 router?
Hi,
I have a Cisco router 2900 with firewall, I need to know how I can allow the ping from self zone to outside zone. I tried to create a policy from self to outside but it still didn't allow ping or tracert. I get this message when I try to ping from the Cisco router:
"Unrecognized host or address, or protocol not running"
any help will be appreciated.
Thank you
Hi jcarvaja
here is the used configuration:
Building configuration...
Current configuration : 5584 bytes
! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5
no aaa new-model
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-324261422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-324261422
revocation-check none
crypto pki certificate chain TP-self-signed-324261422
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FCZ1526C3JL
object-group service Outside-Reply
icmp echo-reply
username admin privilege 15 secret 5
redundancy
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any Deny_ALL
match access-group name dwdwd
class-map type inspect match-any Inside-Outside
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any ICMP_RQST
match protocol icmp
policy-map type inspect Inside-Outside
class type inspect Inside-Outside
inspect
class class-default
drop
policy-map type inspect Self_to_Outside
class type inspect ICMP_RQST
inspect
class class-default
drop
policy-map type inspect Outside_to_Self
class type inspect Deny_ALL
pass log
class class-default
drop
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
service-policy type inspect Outside_to_Self
zone-pair security Inside-Outside source IN destination OUT
service-policy type inspect Inside-Outside
interface GigabitEthernet0/0
ip address 101.101.100.245 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 49.31.152.80 255.255.255.248
ip mask-reply
ip directed-broadcast
ip flow ingress
zone-member security IN
duplex auto
speed auto
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type q933a
interface Serial0/0/0.16 point-to-point
description $FW_OUTSIDE$
ip address 172.17.18.122 255.255.255.252
ip mask-reply
ip directed-broadcast
ip flow ingress
ip verify unicast reverse-path
zone-member security OUT
frame-relay interface-dlci 16
interface Serial0/0/1
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
clock rate 2000000
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
ip access-list extended ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended deeef
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dwdwd
remark CCP_ACL Category=1
permit object-group Outside-Reply any any
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 196.219.234.77
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 101.101.100.0 0.0.0.255
access-list 2 permit 10.20.10.0 0.0.1.255
no cdp run
control-plane
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
scheduler allocate 20000 1000
end -
WRT160Nv2 Cannot be pinged from external network
Hi,
My WRT160Nv2 can not be pinged from an external network. How do I configure the WRT160Nv2 reply to the ICMP requests from the external interface?
Gerwin
Login to your router setup page and click on the Security tab and below uncheck "Filter Anonymous Internet request" and click on Save Settings. Now try to ping from your external network and check if you are getting any response or not.
-
Packet loss when pinging from/to a cisco 3560e switch
I see Packet loss when pinging from/to a cisco 3560e switch. CPU utilization is normal.
Switches are running with IOS c3560e-universalk9-mz.122-35.SE5.bin.
Packet loss is observed for all the devices irrespective of directly connected or remote devices.
If I do self pinging, there is no packet loss.
I don't see any error on interface.
Can anyone please help me in resolving this issue.
-
Help me with this issue: an ASP.NET exe which runs from the server in IE 8 on a Windows 7 32-bit client machine shows a security file save/download message. This app was running fine if we don't apply any Windows 7 or IE8 patches. Same issue when running in IE9. I already ran caspol and added the server link to trusted sites with low security. I wonder why it was working fine without any patches.
I just found that the client machine (Win 7 32-bit) has .NET 4.5.1 installed after updating all the patches. After uninstalling .NET 4.5.1, the application worked fine. Now I wonder what settings need to change to run the application with .NET 4.5.1 installed on the machine, as Microsoft always has these things in Windows updates. Thanks in advance.

Hi Gparhar,
In case you are posting on the .NET setup forum, I suspect it is not the right forum for your issue; we talk about "setup and deployment of .NET Framework". If you have a problem installing or uninstalling .NET 4.5.1, we can share some advice.
For your specific case, I recommend you consult ASP.NET forum instead:
http://forums.asp.net/
Regards,
Barry Wang
-
Low Execute to Parse % and high soft parse %
Hello Folks,
I am working on Oracle 10g Release 2 on HP-UX.
After going through AWR reports, I observed it has a low Execute to Parse % but a high Soft Parse % (Instance Efficiency Percentages),
so I cannot say the issue is too little use of bind variables. Then what is the cause of the Execute to Parse %?
I searched sites like ask.tom, Burleson Consulting etc.; as usual they had given generic/diplomatic (escaping) replies on this,
like due to a problem in application code, inefficient sharing, due to a problem in database parameters etc.,
without any clear indication of cause and solution. For example, if some database parameters are not set properly, then they should say which database parameters can be checked, the cause being more parsing and less execution.
Please share if you have faced such an issue, and any suggestions to solve this,
with examples of why this could happen, like possibilities in application code.
Thanks

Load Profile
                              Per Second    Per Transaction
Redo size:                     11,685.79           3,660.98
Logical reads:                 71,445.74          22,382.86
Block changes:                     70.89              22.21
Physical reads:                    58.63              18.37
Physical writes:                    2.80               0.88
User calls:                       652.93             204.55
Parses:                            48.39              15.16
Hard parses:                        0.33               0.10
Sorts:                              6.90               2.16
Logons:                             0.23               0.07
Executes:                          52.71              16.51
Transactions:                       3.19

% Blocks changed per Read:    0.10    Recursive Call %:  30.48
Rollback per transaction %:   2.57    Rows per Sort:     29.66

Instance Efficiency Percentages (Target 100%)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Buffer Nowait %:               100.00    Redo NoWait %:      100.00
Buffer Hit %:                   99.92    In-memory Sort %:   100.00
Library Hit %:                  98.47    Soft Parse %:        99.32
Execute to Parse %:              8.19    Latch Hit %:         99.63
Parse CPU to Parse Elapsd %:    89.90    % Non-Parse CPU:     99.62

Here the RDBMS performs approximately 48 soft parses per second. Soft Parse % and Library Hit % are very close to 99, which means the main part of the SQL is shared. Also, user calls are similarly high per second but executions are fewer; however, you should try minimizing soft parsing. I do not know exactly for which interval you got this report, but Execute to Parse % indicates that when executing a query Oracle cannot find earlier cursor handles (open or closed), but it can find the SQL text and plan information in the shared pool according to hash values; in this case Oracle performs a soft parse again. In your case you should also investigate shared pool size/fragmentation. To avoid a low Execute to Parse % you can increase SESSION_CACHED_CURSORS or implement CURSOR_SPACE_FOR_TIME. So refer to the documentation and find out how to use these parameters.
-
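The two ratios in the AWR excerpt above can be reproduced from its Load Profile rows. The following is an added example, not code from the thread, using the standard AWR definitions (Soft Parse % = 100 × (1 − hard parses / parses), Execute to Parse % = 100 × (1 − parses / executes)); it shows why both figures hold at once: almost every execute is preceded by its own, mostly soft, parse call.

```python
import re

# Load Profile rows copied from the AWR excerpt in the thread
# (first number is the per-second rate, second is per transaction).
LOAD_PROFILE = """\
User calls: 652.93 204.55
Parses: 48.39 15.16
Hard parses: 0.33 0.10
Executes: 52.71 16.51
Transactions: 3.19
"""

# "<metric name>: <per second> [<per transaction>]"
ROW = re.compile(r"^(?P<name>[^:]+):\s+(?P<per_sec>[\d,.]+)(?:\s+[\d,.]+)?\s*$")


def parse_load_profile(text):
    """Return {metric name (lower case): per-second rate} for each Load Profile row."""
    rates = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            value = float(m.group("per_sec").replace(",", ""))
            rates[m.group("name").strip().lower()] = value
    return rates


def parse_ratios(rates):
    """Derive the parse-related Instance Efficiency figures from per-second rates."""
    parses, hard, execs = rates["parses"], rates["hard parses"], rates["executes"]
    if parses <= 0 or execs <= 0:
        raise ValueError("parse and execute rates must be positive")
    return {
        # Share of parse calls that found the statement already in the shared pool.
        "soft_parse_pct": 100 * (1 - hard / parses),
        # Share of executes that reused an open cursor without a new parse call.
        "execute_to_parse_pct": 100 * (1 - parses / execs),
        # How many times a statement is executed per parse call.
        "executes_per_parse": execs / parses,
    }


if __name__ == "__main__":
    for name, value in parse_ratios(parse_load_profile(LOAD_PROFILE)).items():
        print(f"{name}: {value:.2f}")
```

With roughly 1.09 executes per parse call, a high Soft Parse % only says the parse calls were cheap, not that they were avoided.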
When I rlogin using "rlogin oracle" I am suddenly encountering the below message:
cannot open from lower shell
What could be the reason?
The security administrator has restricted my oracle login password as they need to install a security patch.
How do I start my Oracle database without the oracle login?