Proxy behind ASA configuration questions
Hello,
I have an ASA sitting in front of a proxy server that directs users to certain internal remote sites. I have successfully set up HTTPS authenticaiton via remote LDAP on the ASA for traffic coming inbound. I can also get to Apaches test page on the proxy server if i have no proxy set up in my browser. However, I can not access anything after I authenticate when I have the proxy configured in my browser. I can ping from the proxy to my machine and vice-versa. I was wondering if there is a configuration setting I am missing that needs to be enabled when a proxy server is in place.
ciscoasa(config)# show running-config
: Saved
ASA Version 8.2(4)
hostname ciscoasa
domain-name ciscoasa.xxx.xxx
enable password encrypted
passwd encrypted
names
name 192.168.127.130 henrytown
interface GigabitEthernet0/0
nameif outside
security-level 99
ip address 192.168.12.245 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 10.16.16.4 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ciscoasa.mitre.osis.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service all
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object udp eq www
object-group service tcp tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in extended permit object-group all any host henrytown
access-list inside_authentication extended permit tcp any any
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
ldap-base-dn ou=people
ldap-scope subtree
ldap-naming-attribute uid
aaa authentication ssh console LOCAL
aaa authentication match 12-network_authentication outside ldap
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate
auth-prompt accept Hello!!!
auth-prompt reject Intruder Alert.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 4691cd51
308201ff 30820168 a0030201 02020446 91cd5130 0d06092a 864886f7 0d010105
05003044 3111300f 06035504 03130863 6973636f 61736131 2f302d06 092a8648
86f70d01 09021620 63697363 6f617361 2e636973 636f6173 612e6d69 7472652e
6f736973 2e676f76 301e170d 31333037 30313132 30363034 5a170d32 33303632
39313230 3630345a 30443111 300f0603 55040313 08636973 636f6173 61312f30
2d06092a 864886f7 0d010902 16206369 73636f61 73612e63 6973636f 6173612e
6d697472 652e6f73 69732e67 6f763081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 8181009a e0c80a44 a5fe7ec7 0eb54cf3 42917d74 721e70fd
764b8abc 72c7b58d ce8ec3d6 14f84c45 39225e2c 9a0b1664 a2d99b1e 3651a5e2
99c8b769 eb64549c 37364ee1 5306dc71 116d0f5f cd394ddb 8dec8474 10ff0011
49ac6f84 770eb5bd 8785f31e aa0810bd 9dbced6c fddf2bdf 249378e3 46657d70
5e34350b b6f00789 078a4f02 03010001 300d0609 2a864886 f70d0101 05050003
81810032 66c3eda1 25ace7e3 8bfcccae be9b89b3 a63d96f3 6c910207 44f16d3f
4625d8b1 342e9baa cb8834e0 650f6ea9 e61c92ff 3356faab 386cfbdb ee6e1424
b77138e5 d4fdab5e e5487818 2357e4d0 4953ade4 1b2e03cb 1a0d3c80 a0167ce0
89521b65 8de542aa 53cef75e ea596cd6 7871af52 6b5c7fc4 67a72a3b 230a73c8 1d4b70
quit
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
username admin password encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
: end
Similar Messages
-
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via cisco vpn client 64 bit , i can ping any ip address on the LAN behind ASA but none of the LAN computers can see or ping the IP Address which is assigned to my vpn client from the ASA VPN Pool.
The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
I would appreciate some help pls
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
<--- More --->
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month. -
Reverse Proxy behind a gateway
hi ,
I want to put a reverse Proxy behind the gateway. All the access Manager and the portal are behind the reverse proxy.Kindly, send me some steps on how to configure gateway to achieve this deployment.
thanks in advance
dhawanmayurHi ,
Below steps might help you.
Edit Platform.conf file of the gateway and set the following properties as follows
* gateway.enable.accelerator = true
* gateway.enable.customURl = true
* Append the reverse-proxy server hostname to the gateway.virtualhost property
* gateway.httpsurl = https://<reverse-porxy-host>:<reverse-proxy-host-no>/
Note: Don't miss the Fwd slash "/" at the end of the portNo: in https://hostname.india.sun.com:500/ <--
After that you might have to do URL mapping on the reverse proxy that you are using. -
SAP-JEE, SAP_BUILDT, and SAP_JTECHS and Dev Configuration questions
Hi experts,
I am configuring NWDI for our environment and have a few questions that I'm trying to get my arms around.
I've read we need to check-in SAP-JEE, SAP_BUILDT, and SAP_JTECHS as required components, but I'm confused on the whole check-in vs. import thing.
I placed the 3 files in the correct OS directory and checked them in via the check-in tab on CMS. Next, the files show up in the import queue for the DEV tab. My questions are what do I do next?
1. Do I import them into DEV? If so, what is this actually doing? Is it importing into the actual runtime system (i.e. DEV checkbox and parameters as defined in the landscape configurator for this track)? Or is just importing the file into the DEV buildspace of NWDI system?
2. Same question goes for the Consolidation tab. Do I import them in here as well?
3. Do I need to import them into the QA and Prod systems too? Or do I remove them from the queue?
Development Configuration questions ***
4. When I download the development configuration, I can select DEV or CON workspace. What is the difference? Does DEV point to the sandbox (or central development) runtime system and CONS points to the configuration runtime system as defined in the landscape configurator? Or is this the DEV an CON workspace/buildspace of the NWDI sytem.
5. Does the selection here dictate the starting point for the development? What is an example scenarios when I would choose DEV vs. CON?
6. I have heard about the concept of a maintenance track and a development track. What is the difference and how do they differ from a setup perspective? When would a Developer pick one over the over?
Thanks for any advice
-DaveHi David,
"Check-In" makes SCA known to CMS, "import" will import the content of the SCAs into CBS/DTR.
1. Yes. For these three SCAs specifically (they only contain buildarchives, no sources, no deployarchives) the build archives are imported into the dev buildspace on CBS. If the SCAs contain deployarchives and you have a runtime system configured for the dev system then those deployarchives should get deployed onto the runtime system.
2. Have you seen /people/marion.schlotte/blog/2006/03/30/best-practices-for-nwdi-track-design-for-ongoing-development ? Sooner or later you will want to.
3. Should be answered indirectly.
4. Dev/Cons correspond to the Dev/Consolidation system in CMS. For each developed SC you have 2 systems with 2 workspaces in DTR for each (inactive/active)
5. You should use dev. I would only use cons for corrections if they can't be done in dev and transported. Note that you will get conflicts in DTR if you do parallel changes in dev and cons.
6. See link in No.2 ?
Regards,
Marc -
Can't save Cisco ASA configuration in GNS3 via write memory command
Hi all,
I’m having a problem to save Cisco ASA configuration in GNS3 via write memory command.
ciscoasa(config)# wr mem
Building configuration…
Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
%Error copying system:/running-config (Not enough space on device)
Error executing command
[FAILED]
ciscoasa(config)#
Here are the details of the lab setup.
PC DETAILS:
Windows 7 Enterprise SP1 64bit
GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
ASA DETAILS:
13,279,888 asa802-k8.bin.unpacked.initrd
1,095,856 asa802-k8.bin.unpacked.vmlinuz
Please advise. Thanks in advance.
http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/instead of this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\FLASH 256M
try this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
Let me know if is helpfull. -
I have configure remote access feature web application proxy but not configure give the error. The remote name could not be resolved in server 2012 R2.
I have configure Ad and ADFS different server and try to configure web application proxy different server. what setting are required for connect web application proxy to Ad and ADFS.Hi,
In addition, please make sure that the port 443 is not blocked by the firewall.
Web Application Proxy requires internal name resolution to resolve the names of backend servers, and AD FS servers. When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach
these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer
placed in front of the Web Application Proxy server.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Configuration question on css11506
Hi
One of our vip with 4 local servers, currently has https. the http is redirected to https.
Now, my client has problem which a seriel directories need use http, not https. some thing like. quistion:
1. If there is any possible, I can configure the vip to filter the special directories and let them to use http not https. and rest pages and directories redirect to https?
2. If not, I can make another vip to use same local servers, but, is possible to only limited to special directories? and with wild code? some like the directories are partially wild coded, something like, http://web.domain/casedir*/casenumber?
3. if not on both option, is any way I can fix this problem?
Any comments will be appreciated
Thanks in advance
JulieI run my Tangosol cluster with 12 nodes on 3
machines(each machine with 4 cache server nodes). I
have 2 important configuration questions. Appreciate
if you can answer them ASAP.
- My requirement is that I need only 10000 objects to
be in cluster so that the resources can be freed upon
when other caches are loaded. I configured the
<high-units> to be 10000 but I am not sure if this is
per node or for the whole cluster. I see that the
total number of objects in the cluster goes till
15800 objects even when I configured for the 10K as
high-units (there is some free memory on servers in
this case). Can you please explain this?
It is per backing map, which is practically per node in case of distributed caches.
- Is there an easy way to know the memory stats of
the cluster? The memory command on the cluster
doesn't seem to be giving me the correct stats. Is
there any other utility that I can use?
Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
I started all the nodes with the same configuration
as below. Can you please answer the above questions
ASAP?
<distributed-scheme>
<scheme-name>TestScheme</scheme-name>
<service-name>DistributedCache</service-name>
<backing-map-scheme>
<local-scheme>
<high-units>10000</high-units>
<eviction-policy>LRU</eviction-policy>
<expiry-delay>1d</expiry-delay>
<flush-delay>1h</flush-delay>
</local-scheme>
</backing-map-scheme>
</distributed-scheme>
Thanks
RaviBest regards,
Robert -
Configuration Question on local-scheme and high-units
I run my Tangosol cluster with 12 nodes on 3 machines(each machine with 4 cache server nodes). I have 2 important configuration questions. Appreciate if you can answer them ASAP.
- My requirement is that I need only 10000 objects to be in cluster so that the resources can be freed upon when other caches are loaded. I configured the <high-units> to be 10000 but I am not sure if this is per node or for the whole cluster. I see that the total number of objects in the cluster goes till 15800 objects even when I configured for the 10K as high-units (there is some free memory on servers in this case). Can you please explain this?
- Is there an easy way to know the memory stats of the cluster? The memory command on the cluster doesn't seem to be giving me the correct stats. Is there any other utility that I can use?
I started all the nodes with the same configuration as below. Can you please answer the above questions ASAP?
<distributed-scheme>
<scheme-name>TestScheme</scheme-name>
<service-name>DistributedCache</service-name>
<backing-map-scheme>
<local-scheme>
<high-units>10000</high-units>
<eviction-policy>LRU</eviction-policy>
<expiry-delay>1d</expiry-delay>
<flush-delay>1h</flush-delay>
</local-scheme>
</backing-map-scheme>
</distributed-scheme>
Thanks
RaviI run my Tangosol cluster with 12 nodes on 3
machines(each machine with 4 cache server nodes). I
have 2 important configuration questions. Appreciate
if you can answer them ASAP.
- My requirement is that I need only 10000 objects to
be in cluster so that the resources can be freed upon
when other caches are loaded. I configured the
<high-units> to be 10000 but I am not sure if this is
per node or for the whole cluster. I see that the
total number of objects in the cluster goes till
15800 objects even when I configured for the 10K as
high-units (there is some free memory on servers in
this case). Can you please explain this?
It is per backing map, which is practically per node in case of distributed caches.
- Is there an easy way to know the memory stats of
the cluster? The memory command on the cluster
doesn't seem to be giving me the correct stats. Is
there any other utility that I can use?
Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
I started all the nodes with the same configuration
as below. Can you please answer the above questions
ASAP?
<distributed-scheme>
<scheme-name>TestScheme</scheme-name>
<service-name>DistributedCache</service-name>
<backing-map-scheme>
<local-scheme>
<high-units>10000</high-units>
<eviction-policy>LRU</eviction-policy>
<expiry-delay>1d</expiry-delay>
<flush-delay>1h</flush-delay>
</local-scheme>
</backing-map-scheme>
</distributed-scheme>
Thanks
RaviBest regards,
Robert -
ASA 5505 VPN configuration question
I have a asa 5505 v7.2(3) asdm 5.2(3) th I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My asa now has a non routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have natted my servers, but I cannot get my vpn clients connected. I am not sure how to get one of my statics assigned to the asa to use for the VPN tunnel. Used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote pc's). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger pix's with my own IP address range, and not used to dealing with DHCP assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated, this is for a small charity animal shelter, that has been down since the cable company made their "transparent change" when the bought another one out.
The ISP router has an interface with one of my static on the outside facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP hinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. also the ethernet interfaces cannot have address assigned, only vlans, which there can only be two, and both are used (inside, outside) so I am out of ideas.
Thanks for any help
Thanks muchHi Kevin
Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead 10.x.x.x
Regards -
ASA VPN configuration question
I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
But it seems to be trying to use the DefaultRAGroup and then the Defaultl2lGroup one. What do I need to do to ensure it uses the new one I have set up ?The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.
-
Setting the proxy in a configuration file
Hello All, Is there a configuration file where you can set http.proxyHost and http.proxyPort for a jsp web app (maybe web.xml)? I'm using tomcat 4.1. The web app in question is behind a firewall and needs to go through a proxy server to pull information from the internet. I'm looking for a way that doesn't involve setting the proxy parameters within the code of the web app. I've also read that you can set environment variables with "CATALINA_OPTS = -DproxySet=true -DproxyHost='proxy host' -DproxyPort=8080", will this work for my situation and in what file would I add this line?
I may be wrong but I think that the "Use System Proxy Settings" makes sense only on Linux and generally speaking "other OSes". As far as I know there is no generic proxy settings in Windows operating system.
The one I know is in the registry part of Internet Explorer.
So in my understanding in Windows, Use System Proxy Settings = No Proxy -
How to Add Cisco 861's behind ASA 5505
I will be setting up a VPN with a client soon. They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505. They are set up to be NATed.
I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
Our ASA has a public IP of 2.1.2.14/30 assigned to it's outside interface.
The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
1. How can I assign this seperate public IP block to the ASA? Is it even possible?
2. If not possible, what would other options be?
3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
Appreciate any help or suggestions.Hi,
I personally run into these situations too and more than one occasion the users start to run into different kind of problems when they got additional hardware on their LAN that we dont manage.
If you HAVE to do this as you described I would need some additional information
What software version is your ASA?
Do you have a Base License version of the ASA5505?Can confirm this with "show version" command
In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)
The first thing mentioned above would be needed to confirm what NAT format to use.
Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
There are 2 ways to go.
Option 1.
Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address
Now just configure the needed NAT configurations (can naturally help with the configurations when I know the software level of the ASA)Notice that the additional public subnet doesnt need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
Option 2.
Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure the "no forward interface Vlanx" to the third Vlan interface which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesnt stop Vlanx from connecting to networks behind third Vlan interface.This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA since they you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside"
Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible )
- Jouni -
Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM
We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config: Any Help would be appreciated.
show config
: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
ASA Version 8.4(3)
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
<--- More --->
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
<--- More --->
object network obj-192.168.9.2
host 192.168.9.2
object network obj-192.168.1.65
host 192.168.1.65
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network Red-Condor
description Email Filtering
network-object host 66.234.112.69
network-object host 66.234.112.89
object-group service NetLink tcp
<--- More --->
port-object eq 36001
object-group network AECSouth
network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
port-object eq 389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
group-object Email_Filter
port-object eq pop3
port-object eq smtp
object-group network Exchange-Server
description Exchange Server
network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
<--- More --->
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network obj-192.168.9.2
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
<--- More --->
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
timeout 5
key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
<--- More --->
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca server
shutdown
<--- More --->
smtp from-address [email protected]
crypto ca certificate chain _SmartCallHome_ServerCA
certificate
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
<--- More --->
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
<--- More --->
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-close
service-policy global_policy global
prompt hostname context
call-home reporting anonymousHello Scott,
So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
object network obj-192.168.1.65
"nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
The ACL says
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
From witch ip addresses are you trying to send traffic to the exchange server?
Please do a packet-tracer and give us the output
packet-tracer input outside tcp x.x.x.x( Outside host ip) 1025 216.x.x.x.x 25
Regards,
Julio
Rate helpful posts!!! -
Abap server proxy on IS configured as HUB
Hi,
My scenario is;
web serv. client (soap) => XI srv => abap proxy
In the abap proxy I want to return some binary data as attachment. Seems to me that I'm not allowed to execute
abap proxy on the XI IS since the error msg is;
- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIServer</SAP:Category>
<SAP:Code area="INTERNAL">PROXY_NOT_ALLOWED_ON_IS</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText />
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack>Proxy calls on the sender or receiver side are not permitted on the IS (client)</SAP:Stack>
<SAP:Retry>N</SAP:Retry>
</SAP:Error>
The engine type is configured as HUB.
Can someone confirm this, or is it something I can do?
best regards
TorsteinHi,
>>>>Are there any configuration settings need to be done for using same client.
yes there's one: TCODE - SXMB_ADM - integration engine config
if you set your client as HUB then you cannot use proxies
if you set it as application server then you can use proxies
but this is not a problem how can you use proxies on the same client but why?
XI is an integration server - use for message transfer not for building applications on it
XI offers many ways to communite with it but not for being an application sever itself
ERP 2004 can have XI on the same instance (server)
but you also need to use another client to work with XI
so most probably this will not change
the conclusion: build your applications on applicaiton servers (r3 for instance) and leave XI for message transfer only
Hope it clears a little
Regards,
michal
<a href="/people/michal.krawczyk2/blog/2005/06/28/xipi-faq-frequently-asked-questions">XI FAQ - Frequently Asked Questions</a> -
Simple question:
I'm doing a one-off PHP/MySQL application where everything runs locally. Firewall activated, so I'm not too worried about security. :-/ Apache is configured as included with Tiger. Using Marc Lianage's PHP binary. MySQL is 5.0.
Here the rub: I have a bunch of images in /Users/MyDir/Images that I want to access from HTML pages being served from /Library/WebServer/Documents/Dir/Path/prog.php.
This is what I added right under the <Directory /> block (under, not in) in httpd.conf:
<pre>
<Directory /Users/MyUser/Images>
Order allow,deny
Allow from all
</Directory>
</pre>
Horribly insecure. I know. The problem is that these files aren't being served. The HTML is fine, but nothing is rendered. Is my directive correct? Is there something else I'm missing?
Thanks,
Mark
P.S. I couldn't find a high-traffic Usenet group for this question--any suggestions?
Message was edited by: chollapete for formatting.Gnarlodious for the win!
I'll just recap the fix for anyone who searches after me:
The way I read the apache.org documentation, being able to access directories and files not under the Apache Documents root seems to require both the Alias directive and the Directory directive in the httpd.conf configuration file.
It also requires that the entire filepath be have *nix file permissions set so the Apache user has permission to access the entire actual pathname. Experimentation showed that all directories in the pathname have to have both read and execute permissions set. Since Apache as configured by Apple runs as a different user and group than you, all directories in the pathname must be world-readable and world-executable.
However, when I commented out the <Directory> block shown below, it still worked the way I wanted. So, maybe you just need the Alias directive.
I'm certainly no Unix guru and everything I'm doing runs locally behind a firewall, so know what you're doing if you use this information. :-/
Here's the recap of what I added to httpd.conf:
<pre>
Alias /image_dir /Users/MyDir/SubDir
#<Directory /Users/MyDir/SubDir>
#Options Indexes FollowSymLinks MultiViews
#AllowOverride None
#Order allow,deny
#Allow from all
#</Diretory>
</pre>
This was placed immediately after the <Directory "/Library/WebServer/Documents"> block that is part of the as-shipped configuration file. This, and the aforementioned changes to make the actual filepath accessible to the apache process.
HTH. Use at your own risk!
Peace out.
Maybe you are looking for
-
Video chatting is NOT working.. please HELP!
alright, this is driving me CRAZY! my firewall is off on my mac and my router. all my ports are open 1-65535. this is driving me nuts.. why isn't video chatting working??!!? i am using leopard.
-
Diif between Stored procedure and function
HI I want all the differences between Stored procedure and function. Even the basic diff is Procedure does not return any value and Function must be... Thansk In advance...
-
Hello! I'm fairly new to Illustrator, and I'm hoping that this is a feature that I'm just having a hard time understanding. I have about 5 files that I'm working on (elevations of a buildings), and what I'd like to do is have them all reference one s
-
How to find all WXP drivers for Satellite A100 (PSAAR)?
I have Windows Vista, but i want return to Windows XP, i can install the operating sistem, but i need drivers for my notebook model, i have try to see in the site but i haven't find. Someone can help plz ?? I need in italian if possible: - Acoustic S
-
Cisco 1200 Access Points as Bridges - Won't work
I could use some help. I have a pair of Cisco 1200 AP's that I'm trying to use as bridges. I have selected one as a Root Bridge, the other as Non-Root. The non-root shows the wireless interface down and the log reveals 'no association'. I have verifi