Proxy behind ASA configuration questions

Hello,
I have an ASA sitting in front of a proxy server that directs users to certain internal remote sites. I have successfully set up HTTPS authentication via remote LDAP on the ASA for traffic coming inbound. I can also get to Apache's test page on the proxy server if I have no proxy set up in my browser. However, I cannot access anything after I authenticate when I have the proxy configured in my browser. I can ping from the proxy to my machine and vice versa. I was wondering if there is a configuration setting I am missing that needs to be enabled when a proxy server is in place.

ciscoasa(config)# show running-config
: Saved
ASA Version 8.2(4)
hostname ciscoasa
domain-name ciscoasa.xxx.xxx
enable password encrypted
passwd  encrypted
names
name 192.168.127.130 henrytown
interface GigabitEthernet0/0
nameif outside
security-level 99
ip address 192.168.12.245 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 10.16.16.4 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ciscoasa.mitre.osis.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service all
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object udp eq www
object-group service tcp tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in extended permit object-group all any host henrytown
access-list inside_authentication extended permit tcp any any
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
ldap-base-dn ou=people
ldap-scope subtree
ldap-naming-attribute uid
aaa authentication ssh console LOCAL
aaa authentication match 12-network_authentication outside ldap
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate
auth-prompt accept Hello!!!
auth-prompt reject Intruder Alert.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 4691cd51
  quit
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
username admin password encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end
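A small consistency check over the running-config posted above, added here as an example and not part of the original post or of any Cisco tool: it parses the interface blocks and flags a static route whose next hop is not on the named egress interface's subnet, a global pool with no matching nat statement, and an "outside" interface that is not less trusted than "inside". The set of checks and the constructed excerpt are assumptions; the config values are copied from the post.

```python
import ipaddress
import re

# Constructed excerpt of the running-config pasted above: only the lines the
# checks below look at, copied as they appear in the post.
ASA_CONFIG = """\
interface GigabitEthernet0/0
nameif outside
security-level 99
ip address 192.168.12.245 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 10.16.16.4 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
aaa authentication match 12-network_authentication outside ldap
"""


def parse_interfaces(config):
    """Map nameif -> {"net": IPv4Network or None, "level": int or None}.
    'show running-config' flattens indentation, so an interface block is
    every line from one 'interface' keyword up to the next one."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = {"net": None, "level": None}
        elif current is None:
            continue
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            current["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return interfaces


def check_security_levels(interfaces):
    """Flag the naming trap: an 'outside' that is not less trusted than 'inside'."""
    out, ins = interfaces.get("outside"), interfaces.get("inside")
    if out and ins and None not in (out["level"], ins["level"]):
        if out["level"] >= ins["level"]:
            return [f"outside (level {out['level']}) is not less trusted than "
                    f"inside (level {ins['level']})"]
    return []


def check_routes(config, interfaces):
    """Flag static routes whose next hop is not on the named egress interface."""
    findings = []
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        ifname, nexthop = m.groups()
        iface = interfaces.get(ifname)
        if iface is None or iface["net"] is None:
            findings.append(f"route via unknown or unaddressed interface {ifname}")
        elif ipaddress.ip_address(nexthop) not in iface["net"]:
            findings.append(
                f"route next hop {nexthop} is not on {ifname} ({iface['net']})")
    return findings


def check_nat_pairs(config):
    """Flag 'global (...) N' pools that no 'nat (...) N' statement refers to."""
    pools = set(re.findall(r"^global \(\S+\) (\d+)", config, re.M))
    nats = set(re.findall(r"^nat \(\S+\) (\d+)", config, re.M))
    return [f"global id {n} has no matching nat statement" for n in sorted(pools - nats)]


def check_aaa_match(config, interfaces):
    """Flag cut-through proxy rules bound to an interface that does not exist."""
    rules = re.findall(r"^aaa authentication match (\S+) (\S+)", config, re.M)
    return [f"aaa match {acl} bound to unknown interface {ifname}"
            for acl, ifname in rules if ifname not in interfaces]


def audit(config):
    """Run every check and return the list of findings (empty means clean)."""
    interfaces = parse_interfaces(config)
    return (check_security_levels(interfaces)
            + check_routes(config, interfaces)
            + check_nat_pairs(config)
            + check_aaa_match(config, interfaces))


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("WARN:", finding)
```

On the excerpt this reports three findings: the inverted security levels, the default route's next hop 10.16.16.2 lying on the inside subnet rather than outside's, and global id 101 without a nat statement.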

Similar Messages

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect to my ASA 5505 firewall via Cisco VPN client 64 bit; I can ping any IP address on the LAN behind the ASA but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN Pool.
    The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
    I would appreciate some help pls
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end
    ciscoasa#                           

    Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-site VPN in multiple context mode was added in 9.0(1) and I have customers who have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • Reverse Proxy behind a gateway

    hi ,
    I want to put a reverse proxy behind the gateway. All the Access Manager and the portal are behind the reverse proxy. Kindly send me some steps on how to configure the gateway to achieve this deployment.
    thanks in advance
    dhawanmayur

    Hi ,
    Below steps might help you.
    Edit Platform.conf file of the gateway and set the following properties as follows
    * gateway.enable.accelerator = true
    * gateway.enable.customURl = true
    * Append the reverse-proxy server hostname to the gateway.virtualhost property
    * gateway.httpsurl = https://<reverse-proxy-host>:<reverse-proxy-host-no>/
    Note: Don't miss the Fwd slash "/" at the end of the portNo: in https://hostname.india.sun.com:500/ <--
    After that you might have to do URL mapping on the reverse proxy that you are using.

  • SAP-JEE, SAP_BUILDT, and SAP_JTECHS and Dev Configuration questions

    Hi experts,
    I am configuring NWDI for our environment and have a few questions that I'm trying to get my arms around.  
    I've read we need to check-in SAP-JEE, SAP_BUILDT, and SAP_JTECHS as required components, but I'm confused on the whole check-in vs. import thing.
    I placed the 3 files in the correct OS directory and checked them in via the check-in tab on CMS.   Next, the files show up in the import queue for the DEV tab.  My questions are what do I do next?
    1.  Do I import them into DEV?  If so, what is this actually doing?  Is it importing into the actual runtime system (i.e. DEV checkbox and parameters as defined in the landscape configurator for this track)? Or is just importing the file into the DEV buildspace of NWDI system?
    2.  Same question goes for the Consolidation tab.    Do I import them in here as well? 
    3.  Do I need to import them into the QA and Prod systems too?  Or do I remove them from the queue?
    Development Configuration questions ***
    4. When I download the development configuration, I can select DEV or CON workspace.  What is the difference?  Does DEV point to the sandbox (or central development) runtime system and CONS point to the configuration runtime system as defined in the landscape configurator?  Or is this the DEV and CON workspace/buildspace of the NWDI system?
    5.  Does the selection here dictate the starting point for the development?  What are example scenarios when I would choose DEV vs. CON?
    6.  I have heard about the concept of a maintenance track and a development track.  What is the difference and how do they differ from a setup perspective?   When would a developer pick one over the other?
    Thanks for any advice
    -Dave

    Hi David,
    "Check-In" makes SCA known to CMS, "import" will import the content of the SCAs into CBS/DTR.
    1. Yes. For these three SCAs specifically (they only contain buildarchives, no sources, no deployarchives) the build archives are imported into the dev buildspace on CBS. If the SCAs contain deployarchives and you have a runtime system configured for the dev system then those deployarchives should get deployed onto the runtime system.
    2. Have you seen /people/marion.schlotte/blog/2006/03/30/best-practices-for-nwdi-track-design-for-ongoing-development ? Sooner or later you will want to.
    3. Should be answered indirectly.
    4. Dev/Cons correspond to the Dev/Consolidation system in CMS. For each developed SC you have 2 systems with 2 workspaces in DTR for each (inactive/active)
    5. You should use dev. I would only use cons for corrections if they can't be done in dev and transported. Note that you will get conflicts in DTR if you do parallel changes in dev and cons.
    6. See link in No.2 ?
    Regards,
    Marc

  • Can't save Cisco ASA configuration in GNS3 via write memory command

    Hi all,
    I'm having a problem saving the Cisco ASA configuration in GNS3 via the write memory command.
       ciscoasa(config)# wr mem
       Building configuration…
       Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
       %Error copying system:/running-config (Not enough space on device)
       Error executing command
       [FAILED]
       ciscoasa(config)#
    Here are the details of the lab setup.
    PC DETAILS:
       Windows 7 Enterprise SP1 64bit
       GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
    ASA DETAILS:
       13,279,888 asa802-k8.bin.unpacked.initrd
       1,095,856 asa802-k8.bin.unpacked.vmlinuz
    Please advise. Thanks in advance.
    http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/

    instead of this:
    To create a flash file
    cd "C:\Program Files\GNS3\qemu-2.1.0"
    qemu-img.exe create c:\FLASH 256M
    try this:
    To create a flash file
    cd "C:\Program Files\GNS3\qemu-2.1.0"
    qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
    Let me know if it is helpful.

  • I have configured the remote access feature Web Application Proxy but configuring it gives the error: The remote name could not be resolved.

    I have configured the remote access feature Web Application Proxy, but configuring it gives the error "The remote name could not be resolved" on Server 2012 R2.
    I have configured AD and ADFS on different servers and am trying to configure Web Application Proxy on another server. What settings are required to connect Web Application Proxy to AD and ADFS?

    Hi,
    In addition, please make sure that the port 443 is not blocked by the firewall.
    Web Application Proxy requires internal name resolution to resolve the names of backend servers and AD FS servers. When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.
    Best regards,
    Susie

  • Configuration question on css11506

    Hi
    One of our VIPs, with 4 local servers, currently has HTTPS; HTTP is redirected to HTTPS.
    Now my client has a problem where a series of directories need to use HTTP, not HTTPS. Something like the following. Questions:
         1. Is it possible to configure the VIP to filter the special directories and let them use HTTP, not HTTPS, and redirect the rest of the pages and directories to HTTPS?
         2. If not, can I make another VIP using the same local servers, but limited to only the special directories? And with wildcards? Some of the directories are partially wildcarded, something like http://web.domain/casedir*/casenumber?
         3. If neither option works, is there any way I can fix this problem?
    Any comments will be appreciated
    Thanks in advance
    Julie

  • Configuration Question on  local-scheme and high-units

    I run my Tangosol cluster with 12 nodes on 3 machines (each machine with 4 cache server nodes). I have 2 important configuration questions. Appreciate if you can answer them ASAP.
    - My requirement is that I need only 10000 objects to be in the cluster so that the resources can be freed up when other caches are loaded. I configured the <high-units> to be 10000 but I am not sure if this is per node or for the whole cluster. I see that the total number of objects in the cluster goes till 15800 objects even when I configured for the 10K as high-units (there is some free memory on servers in this case). Can you please explain this?
    - Is there an easy way to know the memory stats of the cluster? The memory command on the cluster doesn't seem to be giving me the correct stats. Is there any other utility that I can use?
    I started all the nodes with the same configuration as below. Can you please answer the above questions ASAP?
    <distributed-scheme>
    <scheme-name>TestScheme</scheme-name>
    <service-name>DistributedCache</service-name>
    <backing-map-scheme>
    <local-scheme>
    <high-units>10000</high-units>
    <eviction-policy>LRU</eviction-policy>
    <expiry-delay>1d</expiry-delay>
    <flush-delay>1h</flush-delay>
    </local-scheme>
    </backing-map-scheme>
    </distributed-scheme>
    Thanks
    Ravi

    I run my Tangosol cluster with 12 nodes on 3 machines (each machine with 4 cache server nodes). I have 2 important configuration questions. Appreciate if you can answer them ASAP.
    - My requirement is that I need only 10000 objects to be in the cluster so that the resources can be freed up when other caches are loaded. I configured the <high-units> to be 10000 but I am not sure if this is per node or for the whole cluster. I see that the total number of objects in the cluster goes till 15800 objects even when I configured for the 10K as high-units (there is some free memory on servers in this case). Can you please explain this?
    It is per backing map, which is practically per node in case of distributed caches.
    - Is there an easy way to know the memory stats of the cluster? The memory command on the cluster doesn't seem to be giving me the correct stats. Is there any other utility that I can use?
    Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
    I started all the nodes with the same configuration as below. Can you please answer the above questions ASAP?
    <distributed-scheme>
    <scheme-name>TestScheme</scheme-name>
    <service-name>DistributedCache</service-name>
    <backing-map-scheme>
    <local-scheme>
    <high-units>10000</high-units>
    <eviction-policy>LRU</eviction-policy>
    <expiry-delay>1d</expiry-delay>
    <flush-delay>1h</flush-delay>
    </local-scheme>
    </backing-map-scheme>
    </distributed-scheme>
    Thanks
    Ravi
    Best regards,
    Robert

  • ASA 5505 VPN configuration question

    I have an ASA 5505 v7.2(3) ASDM 5.2(3) that I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My ASA now has a non-routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have NATed my servers, but I cannot get my VPN clients connected. I am not sure how to get one of my statics assigned to the ASA to use for the VPN tunnel. It used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote PCs). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger PIXes with my own IP address range, and not used to dealing with DHCP-assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated; this is for a small charity animal shelter that has been down since the cable company made their "transparent change" when they bought another one out.
    The ISP router has an interface with one of my statics on the outside-facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP thinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. Also the Ethernet interfaces cannot have addresses assigned, only VLANs, of which there can only be two, and both are used (inside, outside), so I am out of ideas.
    Thanks for any help
    Thanks much

    Hi Kevin
    Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
    Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead of 10.x.x.x
    Regards

  • ASA VPN configuration question

    I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
    But it seems to be trying to use the DefaultRAGroup and then the Defaultl2lGroup one. What do I need to do to ensure it uses the new one I have set up ?

    The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.

  • Setting the proxy in a configuration file

    Hello All, Is there a configuration file where you can set http.proxyHost and http.proxyPort for a jsp web app (maybe web.xml)? I'm using tomcat 4.1. The web app in question is behind a firewall and needs to go through a proxy server to pull information from the internet. I'm looking for a way that doesn't involve setting the proxy parameters within the code of the web app. I've also read that you can set environment variables with "CATALINA_OPTS = -DproxySet=true -DproxyHost='proxy host' -DproxyPort=8080", will this work for my situation and in what file would I add this line?

    I may be wrong but I think that the "Use System Proxy Settings" makes sense only on Linux and generally speaking "other OSes". As far as I know there is no generic proxy settings in Windows operating system.
    The one I know is in the registry part of Internet Explorer.
    So in my understanding in Windows, Use System Proxy Settings = No Proxy

  • How to Add Cisco 861's behind ASA 5505

    I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.
    I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
    Our ASA has a public IP of 2.1.2.14/30 assigned to its outside interface.
    The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
    1. How can I assign this separate public IP block to the ASA? Is it even possible?
    2. If not possible, what would other options be?
    3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
    Appreciate any help or suggestions.

    Hi,
    I personally run into these situations too, and on more than one occasion the users start to run into different kinds of problems when they have additional hardware on their LAN that we don't manage.
    If you HAVE to do this as you described I would need some additional information:
    What software version is your ASA?
    Do you have a Base License version of the ASA5505? You can confirm this with the "show version" command.
    In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)?
    The first thing mentioned above would be needed to confirm what NAT format to use.
    Otherwise, if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
    There are 2 ways to go.
    Option 1.
    Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address.
    Now just configure the needed NAT configurations (I can naturally help with the configurations when I know the software level of the ASA). Notice that the additional public subnet doesn't need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
    Option 2.
    Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure "no forward interface Vlanx" on the third Vlan interface, which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesn't stop Vlanx from connecting to networks behind the third Vlan interface. This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA, since you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside".
    Hopefully I made some sense. Please ask more if I was unclear about something above (which might be possible).
    - Jouni

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a Pix 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config. Any help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So the Exchange server IP is obj-192.168.1.65, NATed to 216.x.x.x:
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says:
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From which IP addresses are you trying to send traffic to the Exchange server?
    Please do a packet-tracer and give us the output:
    packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!
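    The two things Julio is pointing at (which public address the Exchange object is translated to, and which outside sources the ACL actually permits on port 25) can be read straight off the config. The script below is an added example, not code from the thread or from Cisco: it parses the object, object-group, access-list and NAT lines of a post-8.3 style running-config and reports, for one inside host and port, the mapped address and the permitted sources. It also lists the policy-map classes handed to the CSC module with `csc fail-close`, because with that setting the ASA drops the matched traffic whenever the module is not processing it, which matters for a class that covers SMTP. The embedded sample is a constructed, shortened copy of the config posted above with the 216.x addresses replaced by 203.0.113.x placeholders, and `PORT_NAMES` covers only the service names the sample uses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a shortened copy of the posted config, 216.x replaced by 203.0.113.x.
SAMPLE_CONFIG = """\
object network obj-192.168.1.65
 host 192.168.1.65
object-group network Red-Condor
 network-object host 66.234.112.69
 network-object host 66.234.112.89
object-group network Exchange-Server
 network-object host 192.168.1.65
access-list outside_access extended permit tcp any host 192.168.9.2
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
object network obj-192.168.1.65
 nat (inside,outside) static 203.0.113.65 no-proxy-arp
policy-map global_policy
 class global-class
  csc fail-close
"""
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}

def parse_config(text):
    """Collect objects, object-groups, static NATs, ACL entries (token lists) and
    policy-map classes using 'csc fail-close'. Relies on the ASA's one-space indent."""
    cfg = {"objects": defaultdict(list), "groups": defaultdict(list),
           "acls": defaultdict(list), "nat": {}, "csc_fail_close": []}
    block = None                                  # (kind, name) of the open block
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if not raw.startswith(" "):               # top-level line closes any block
            block = None
            if tok[:2] == ["object", "network"]:
                block = ("object", tok[2])
            elif tok[:2] == ["object-group", "network"]:
                block = ("group", tok[2])
            elif tok[0] == "access-list":
                cfg["acls"][tok[1]].append(tok)
            continue
        if tok[0] == "class":                     # 'class X' inside a policy-map
            block = ("class", tok[1])
        elif block is None:
            continue
        elif block[0] == "object":
            if tok[0] in ("host", "subnet"):      # 'host A' or 'subnet A M'
                cfg["objects"][block[1]].append(ipaddress.ip_network("/".join(tok[1:3])))
            elif tok[0] == "nat" and "static" in tok:
                cfg["nat"][block[1]] = tok[tok.index("static") + 1]
        elif block[0] == "group" and tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else "/".join(tok[1:3])
            cfg["groups"][block[1]].append(ipaddress.ip_network(net))
        elif block[0] == "class" and tok[:2] == ["csc", "fail-close"]:
            cfg["csc_fail_close"].append(block[1])
    return cfg

def _endpoint(cfg, tok, i):
    """Read one ACL source or destination at tok[i]; None stands for 'any'."""
    kind = tok[i]
    if kind == "any":
        return None, i + 1
    if kind in ("object", "object-group"):
        return cfg["objects" if kind == "object" else "groups"][tok[i + 1]], i + 2
    net = tok[i + 1] if kind == "host" else f"{kind}/{tok[i + 1]}"  # 'host A' or 'A M'
    return [ipaddress.ip_network(net, strict=False)], i + 2

def sources_allowed_to(cfg, acl, host, port):
    """Sources that 'permit tcp'/'permit ip' entries of `acl` let reach the real
    (untranslated, as post-8.3 ACLs are written) address `host` on TCP `port`."""
    target, allowed = ipaddress.ip_address(host), []
    for tok in cfg["acls"].get(acl, []):
        if tok[2:4] != ["extended", "permit"] or tok[4] not in ("tcp", "ip"):
            continue
        src, i = _endpoint(cfg, tok, 5)
        dst, i = _endpoint(cfg, tok, i)
        if dst is not None and not any(target in net for net in dst):
            continue
        if i < len(tok) and tok[i] == "eq":       # no 'eq' means every port
            name = tok[i + 1]
            if PORT_NAMES.get(name, int(name) if name.isdigit() else -1) != port:
                continue
        allowed.extend([None] if src is None else src)
    return allowed

def audit(text, host, port, acl="outside_access"):
    """Mapped public address, permitted sources, and the classes handed to the CSC
    module with fail-close (traffic the ASA drops while that module is unavailable)."""
    cfg, addr = parse_config(text), ipaddress.ip_address(host)
    mapped = next((m for name, m in cfg["nat"].items()
                   if any(addr in net for net in cfg["objects"][name])), None)
    return {"mapped_to": mapped,
            "sources": ["any" if s is None else str(s)
                        for s in sources_allowed_to(cfg, acl, host, port)],
            "csc_fail_close_classes": list(cfg["csc_fail_close"])}
```

    Run it against a fresh `show running-config` capture: the parser relies on the single-space indentation the ASA prints under object, object-group and class lines, which the copy pasted into this thread has lost. On the sample it reports that port 25 to 192.168.1.65 (mapped to 203.0.113.65) is permitted only from the two Red-Condor hosts while 443 is permitted from any, and that `global-class` is configured fail-close. `packet-tracer` on the box stays the authoritative answer; this only tells you what to expect from it.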

  • Abap server proxy on IS configured as HUB

    Hi,
    My scenario is:
    web serv. client (soap) => XI srv => abap proxy
    In the abap proxy I want to return some binary data as an attachment. It seems to me that I'm not allowed to execute the
    abap proxy on the XI IS, since the error msg is:
    <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
      <SAP:Category>XIServer</SAP:Category>
      <SAP:Code area="INTERNAL">PROXY_NOT_ALLOWED_ON_IS</SAP:Code>
      <SAP:P1 />
      <SAP:P2 />
      <SAP:P3 />
      <SAP:P4 />
      <SAP:AdditionalText />
      <SAP:ApplicationFaultMessage namespace="" />
      <SAP:Stack>Proxy calls on the sender or receiver side are not permitted on the IS (client)</SAP:Stack>
      <SAP:Retry>N</SAP:Retry>
    </SAP:Error>
    The engine type is configured as HUB.
    Can someone confirm this, or is it something I can do?
    best regards
    Torstein

    Hi,
    >>>>Are there any configuration settings need to be done for using same client.
    yes there's one: TCODE - SXMB_ADM - integration engine config
    if you set your client as HUB then you cannot use proxies
    if you set it as application server then you can use proxies
    but this is not a problem how can you use proxies on the same client but why?
    XI is an integration server - use for message transfer not for building applications on it
    XI offers many ways to communicate with it but not for being an application server itself
    ERP 2004 can have XI on the same instance (server)
    but you also need to use another client to work with XI
    so most probably this will not change
    the conclusion: build your applications on application servers (r3 for instance) and leave XI for message transfer only
    Hope it clears a little
    Regards,
    michal
    XI FAQ - Frequently Asked Questions: /people/michal.krawczyk2/blog/2005/06/28/xipi-faq-frequently-asked-questions

  • Apache Configuration Question

    Simple question:
    I'm doing a one-off PHP/MySQL application where everything runs locally. Firewall activated, so I'm not too worried about security. :-/ Apache is configured as included with Tiger. Using Marc Liyanage's PHP binary. MySQL is 5.0.
    Here's the rub: I have a bunch of images in /Users/MyDir/Images that I want to access from HTML pages being served from /Library/WebServer/Documents/Dir/Path/prog.php.
    This is what I added right under the <Directory /> block (under, not in) in httpd.conf:
    <Directory /Users/MyUser/Images>
    Order allow,deny
    Allow from all
    </Directory>
    Horribly insecure. I know. The problem is that these files aren't being served. The HTML is fine, but nothing is rendered. Is my directive correct? Is there something else I'm missing?
    Thanks,
    Mark
    P.S. I couldn't find a high-traffic Usenet group for this question--any suggestions?

    Gnarlodious for the win!
    I'll just recap the fix for anyone who searches after me:
    The way I read the apache.org documentation, being able to access directories and files not under the Apache Documents root seems to require both the Alias directive and the Directory directive in the httpd.conf configuration file.
    It also requires that the entire filepath have *nix file permissions set so the Apache user has permission to access the entire actual pathname. Experimentation showed that all directories in the pathname have to have both read and execute permissions set. Since Apache as configured by Apple runs as a different user and group than you, all directories in the pathname must be world-readable and world-executable.
    However, when I commented out the <Directory> block shown below, it still worked the way I wanted. So, maybe you just need the Alias directive.
    I'm certainly no Unix guru and everything I'm doing runs locally behind a firewall, so know what you're doing if you use this information. :-/
    Here's the recap of what I added to httpd.conf:
    Alias /image_dir /Users/MyDir/SubDir
    #<Directory /Users/MyDir/SubDir>
    #Options Indexes FollowSymLinks MultiViews
    #AllowOverride None
    #Order allow,deny
    #Allow from all
    #</Directory>
    This was placed immediately after the <Directory "/Library/WebServer/Documents"> block that is part of the as-shipped configuration file. This, and the aforementioned changes to make the actual filepath accessible to the apache process.
    HTH. Use at your own risk!
    Peace out.
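    The permission requirement in the recap (the Apache process must be able to get through every directory on the way to the images) is easy to get wrong, because a single owner-only directory anywhere in the path is enough to break it. As an added example, not part of the thread, here is a Python check that walks a path component by component, reports the "other" permission bits an unrelated account such as the Apache worker would be missing, and produces the matching chmod lines. The demo tree it builds under a temporary directory is constructed for illustration; the `start` argument names the directory that is assumed to be traversable already (for a real check keep the default `/`).

```python
import os
import stat
import tempfile


def other_access_problems(path, start="/"):
    """Report each component of `path` below `start` that an unrelated account
    (such as the Apache worker user) cannot pass through: a directory on the
    way needs o+x to be entered, a file needs o+r, and a directory that is the
    target itself needs o+rx. `start` is assumed to be traversable already."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    if rel.startswith(os.pardir):
        raise ValueError(f"{path} does not lie under {start}")
    parts = [] if rel == os.curdir else rel.split(os.sep)
    problems, current = [], start
    for idx, name in enumerate(parts):
        current = os.path.join(current, name)
        mode = os.stat(current).st_mode
        if stat.S_ISDIR(mode):
            needed = stat.S_IXOTH | (stat.S_IROTH if idx == len(parts) - 1 else 0)
        else:
            needed = stat.S_IROTH
        missing = needed & ~mode
        if missing:
            problems.append((current, symbolic_mode(missing)))
    return problems


def symbolic_mode(missing):
    """Render missing 'other' bits as a chmod symbolic mode, e.g. 'o+rx'."""
    return "o+" + ("r" if missing & stat.S_IROTH else "") + ("x" if missing & stat.S_IXOTH else "")


def chmod_commands(problems):
    """The chmod lines that would clear the reported problems, and nothing more."""
    return [f"chmod {bits} {p}" for p, bits in problems]


def demo():
    """Constructed demonstration: a private Images directory under a temporary
    root, checked before and after opening it up the way the recap describes."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "Images")
    os.mkdir(images, 0o700)                        # owner-only, like a fresh ~/Images
    picture = os.path.join(images, "logo.png")
    with open(picture, "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")              # constructed stand-in for an image
    os.chmod(picture, 0o600)
    dir_before = other_access_problems(images, start=root)   # the Alias target itself
    before = other_access_problems(picture, start=root)      # one image under it
    os.chmod(images, 0o755)                        # world-readable and executable dir
    os.chmod(picture, 0o644)                       # world-readable file
    after = other_access_problems(picture, start=root)
    return {"dir_before": dir_before, "before": before, "after": after,
            "commands": chmod_commands(before)}
```

    Two things the check makes visible. Intermediate directories only need o+x, not o+r: granting execute alone on the home directory lets Apache reach ~/Images without making the home directory listable, which is less than the "world-readable everywhere" the recap settled on. And on Apache 2.4 and later the `Order allow,deny` / `Allow from all` pair in the commented block is replaced by `Require all granted` inside the same `<Directory>` block.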
