Public Server on 2 external interfaces
I suspect this is relatively simple, but I'm brand new to the Cisco line (and to the forums), so my apologies if I'm unclear or in violation of forum etiquette.
I have an ASA5515 which will be using 2 external interfaces, and I need to make a single internal server available to the outside world on both interfaces. I can accomplish this easily for the main external interface (the faster circuit), but I'm running into issues getting connections through on the backup circuit. Here's the interface configuration:
interface GigabitEthernet0/0
description ISP-2
nameif backup
security-level 0
ip address 10.177.188.22 255.255.255.248
interface GigabitEthernet0/1
description ISP-1
nameif outside
security-level 0
ip address 10.131.225.158 255.255.255.240
interface GigabitEthernet0/2
description LAN
nameif inside
security-level 100
ip address 192.168.2.250 255.255.255.0
I'd like outside (internet) users to be able to make an HTTP request on port 80 to 10.131.225.146, which comes in GigabitEthernet 0/1, gets translated to the internal web server at 192.168.2.1:80, and then any response traffic leaves GigabitEthernet 0/1, looking to the user like it originated from 10.131.225.146.
Additionally, I'd like the same user to be able to make an HTTP request on port 80 to 10.177.188.18, which comes in GigabitEthernet0/0, goes through the above translation, and then response packets exit via GigabitEthernet0/0.
I've been able to get most of the above working, but when working on the NAT rule for the backup side, packet-tracer tells me that my NAT is fine (it NATs the packet from 192.168.2.1:80 to 10.177.188.18:80), but it wants to then route that packet through the outside interface (GigabitEthernet0/1).
While I've been able to find many references to this on-line (such as this blog post), they all appear to be outdated, using pre-8.3 syntax.
I suspect I'm close on this, but I can't seem to get that last piece to make everything 'click'. Any help would be greatly appreciated.
Basically you need three elements in your config:
An ACL-Entry on both interfaces allowing the needed traffic.
Two NAT-statements, one for each external interface.
A route to the Backup-NH with a higher AD.
object network SERVER-VIA-OUTSIDE
host 192.168.2.1
nat (inside,outside) static 10.131.225.146 service tcp 80 80
object network SERVER-VIA-BACKUP
host 192.168.2.1
nat (inside,backup) static 10.177.188.18 service tcp 80 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface backup
route outside 0.0.0.0 0.0.0.0 NH-ON-OUTSIDE 1
route backup 0.0.0.0 0.0.0.0 NH-ON-BACKUP 100
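The answer's three elements (a static NAT per external interface, an inbound ACL bound to that same interface, and a default route per interface with distinct administrative distances) are easy to get subtly wrong, for instance by binding the second ACL to the wrong interface, which silently replaces the first ACL on that interface (an ASA interface takes one inbound access-group, and the last command wins) and leaves the backup interface with no ACL at all. The following is an added example, not code from the thread: a small Python checker that parses only the config subset shown above (interfaces, object NAT, extended ACLs, access-groups, default routes) and reports each external interface that is missing one of the three elements. The sample config is constructed in the shape of the answer, with the access-group deliberately mis-bound so the checker has something to report; the next hops are the answer's placeholders.

```python
import re

# Constructed sample config in the thread's shape (ASA 8.3+ object NAT). The
# second access-group is deliberately bound to "outside" instead of "backup"
# so the check has something to report; next hops are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif backup
 security-level 0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
object network SERVER-VIA-OUTSIDE
 host 192.168.2.1
 nat (inside,outside) static 10.131.225.146 service tcp 80 80
object network SERVER-VIA-BACKUP
 host 192.168.2.1
 nat (inside,backup) static 10.177.188.18 service tcp 80 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface outside
route outside 0.0.0.0 0.0.0.0 NH-ON-OUTSIDE 1
route backup 0.0.0.0 0.0.0.0 NH-ON-BACKUP 100
"""

# Same config with the access-group bound to the right interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-group BACKUP-IN in interface outside",
                                     "access-group BACKUP-IN in interface backup")


def parse_asa(config):
    """Extract only what the check needs: interface names and security levels,
    the interface each object is published on, the object each ACL permits,
    access-group bindings and default routes. Everything else is ignored."""
    s = {"ifaces": {}, "nat_if": {}, "acl_obj": {}, "bound": {}, "routes": []}
    cur_if = cur_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if, cur_obj = line.split()[1], None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif cur_if and line.startswith("nameif "):
            s["ifaces"].setdefault(cur_if, {})["nameif"] = line.split()[1]
        elif cur_if and line.startswith("security-level "):
            s["ifaces"].setdefault(cur_if, {})["level"] = int(line.split()[1])
        elif cur_obj and (m := re.match(r"nat \((\S+),(\S+)\) static", line)):
            s["nat_if"][cur_obj] = m.group(2)  # mapped (external) interface
        elif m := re.match(r"access-list (\S+) extended permit \S+ \S+ object (\S+)", line):
            s["acl_obj"][m.group(1)] = m.group(2)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            s["bound"].setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)", line):
            s["routes"].append((m.group(1), int(m.group(2))))
    return s


def check_published_server(config):
    """One finding per problem on each security-level-0 interface: missing NAT,
    missing or duplicate inbound ACL, ACL permitting an object published on a
    different interface, missing default route; plus one finding when the
    default routes share an administrative distance."""
    s = parse_asa(config)
    external = sorted(i["nameif"] for i in s["ifaces"].values()
                      if i.get("level") == 0 and "nameif" in i)
    findings = []
    for name in external:
        if name not in s["nat_if"].values():
            findings.append(f"{name}: no static NAT publishes the server on this interface")
        acls = s["bound"].get(name, [])
        if not acls:
            findings.append(f"{name}: no access-group bound inbound, so inbound connections are dropped")
        elif len(acls) > 1:
            findings.append(f"{name}: {len(acls)} access-groups bound inbound ({', '.join(acls)}); "
                            "an interface takes one inbound ACL and the last command wins")
        for acl in acls:
            obj = s["acl_obj"].get(acl)
            if obj and s["nat_if"].get(obj) not in (None, name):
                findings.append(f"{name}: ACL {acl} permits {obj}, which is published on {s['nat_if'][obj]}")
        if name not in (r[0] for r in s["routes"]):
            findings.append(f"{name}: no default route via this interface")
    ads = [ad for _, ad in s["routes"]]
    if len(ads) != len(set(ads)):
        findings.append("default routes share an AD; give the backup route a higher AD (floating static)")
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, FIXED_CONFIG):
        print(check_published_server(cfg) or ["no findings"])
```

Run against the deliberately mis-bound sample it reports that backup has no inbound ACL, that outside has two access-groups bound, and that BACKUP-IN on outside permits an object published on backup; against the corrected config it reports nothing. Feed it the output of `show running-config` to use it on a real box.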
Similar Messages
-
ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface
I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
Is this possible?
Thanks,
Tommy
When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for same DNS name. For example if user from IP address range 192.168.0.0 range connects to abc.com then it will get IP address 192.168.1.1 and if a user from range IP address 10.0.0.0 connects then it will get 10.1.1.1.
If we configure the same scenario as well then your requirement will be fulfilled with same name however VPN has to be enabled on wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.
Regards,
Anuj -
Port Forwarding on OSX 10.5 Server using Dynamic External IP Address
I have been able to get Port Forwarding to work properly on OSX Server by following the documentation and following discussion:
http://discussions.apple.com/thread.jspa?messageID=6700460
The problem however, is that you specify a static ip address on the natd.plist file.
I do not have a static ip address, and sometimes it changes. When this happens, of course all the port forwarding configuration will not work, and I need to replace the old external ip with the new external ip address.
This is an easy task to be accomplished, however having the internal network down just for the change of ip address is a hassle.
Is there any way the string entry can be updated with the ip address of the external interface (en0), instead of applying an ip address?
<key>aliasIP</key>
<string>17.128.128.128</string>
I would like to have the ip address (ex: 17.128.128.128) to be updated automatically from my interface ip address. So if my external ip address changes to 17.128.30.30, the natd.plist file will be automatically updated with correct values.
If I could do the following would be great but doesn't work
<key>aliasIP</key>
<string>en0</string>
Any ideas on how to get this accomplished?
Or better yet, can it be accomplished as of now?
I know I can use IPNetRouterX (www.sustworks.com) and that will work just fine. Have tested using the trial and it works, however I do not want to spend $100 for the software either, and I bet there should be a way this can be done on OSX 10.5 Server.
Thanks a lot!!!
This would be best reposted in the appropriate Leopard server forum
http://discussions.apple.com/category.jspa?categoryID=96 -
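natd reads aliasIP as a literal address, so the plist cannot reference en0 directly; what can be done is to regenerate the value from the interface's current address whenever it changes. The following is an added example, not from the thread or from Apple: a Python script that reads the interface address from `ifconfig` output, validates it, and rewrites only the aliasIP key with plistlib, leaving every other key in the file untouched. The plist content and the ifconfig output embedded below are constructed samples; the file path is an assumption, and restarting natd after the change is left to the caller.

```python
import plistlib
import re
import subprocess

# Constructed minimal natd.plist in the shape the thread quotes. A real file
# has more keys; plistlib round-trips them unchanged.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>aliasIP</key>
    <string>17.128.128.128</string>
    <key>interface</key>
    <string>en0</string>
</dict>
</plist>
"""

# Constructed `ifconfig en0` output in BSD/macOS format.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::1%en0 prefixlen 64 scopeid 0x4
\tinet 17.128.30.30 netmask 0xffffff00 broadcast 17.128.30.255
"""

PLIST_PATH = "/etc/nat/natd.plist"  # assumed location; adjust to your server

# Strict dotted-quad check so a garbled ifconfig line never lands in natd's config.
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_ifconfig_inet(ifconfig_output):
    """Return the first IPv4 address on an 'inet ' line (skips 'inet6')."""
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", ifconfig_output, re.M)
    if not m:
        raise ValueError("no IPv4 address found in ifconfig output")
    return m.group(1)


def current_interface_ip(interface="en0"):
    """Query the live interface; not used by the tests, which feed sample output."""
    out = subprocess.run(["ifconfig", interface], capture_output=True, text=True, check=True).stdout
    return parse_ifconfig_inet(out)


def read_alias_ip(plist_bytes):
    return plistlib.loads(plist_bytes).get("aliasIP")


def update_alias_ip(plist_bytes, new_ip):
    """Return (plist_bytes, changed). Unchanged input is returned as-is so the
    caller can skip rewriting the file and restarting natd when nothing moved."""
    if not IPV4.match(new_ip):
        raise ValueError(f"not an IPv4 address: {new_ip!r}")
    data = plistlib.loads(plist_bytes)
    if data.get("aliasIP") == new_ip:
        return plist_bytes, False
    data["aliasIP"] = new_ip
    return plistlib.dumps(data), True


if __name__ == "__main__":
    ip = current_interface_ip("en0")
    with open(PLIST_PATH, "rb") as fh:
        original = fh.read()
    updated, changed = update_alias_ip(original, ip)
    if changed:
        with open(PLIST_PATH, "wb") as fh:
            fh.write(updated)
        print(f"aliasIP set to {ip}; restart the NAT service to apply it")
    else:
        print(f"aliasIP already {ip}; nothing to do")
```

Run it from a periodic job (cron or launchd) as root; the restart of natd is the only moment the internal network is affected, and the script only triggers it when the address actually changed.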
Problem adding CSA external interface in IPS 6
I configured my AIP-SSM sensor running IPS 6 to connect to the CSA MC, but I get a connection failure. The sensor is showing the following error when trying to connect:
evError: eventId=1168311248090659938 severity=warning vendor=Cisco
originator:
hostId: os-ips
appName: externalProductInterface
appInstanceId: 317
time: 2007/01/20 02:50:22 2007/01/19 20:50:22 GMT-06:00
errorMessage: name=errNotAvailable Failure opening a subscription on the Management Center for Cisco Security Agents external interface at 1.1.1.1: Parse response found a different element when expecting the SOAP Envelope element
The interface is currently disabled, but I think you'll get the picture.
cisco-security-agents-mc-settings (min: 0, max: 2, current: 1)
ip-address: 1.1.1.1
interface-type: extended-sdee
enabled: no default: yes
url: /csamc/sdee-server
port: 443
use-ssl
always-yes: yes
username: adminuser
password:
host-posture-settings
enabled: yes default: yes
allow-unreachable-postures: yes
posture-acls (ordered min: 0, max: 10, current: 1 - 1 active, 0 inactive)
ACTIVE list-contents
NAME: 1-subnet
network-address: 192.168.1.0/24
action: permit
watchlist-address-settings
enabled: yes
manual-rr-increase: 25
session-rr-increase: 25
packet-rr-increase: 10 -
Creating PO in SRM through external interface
Is there a way to create a PO in SRM through an external interface without creating a shopping cart? I see that we can create a shopping cart through BBP_PD_SC_CREATE_EXTERNAL. But we need to create a PO in the SRM system without the shopping cart. Is this possible? It's neither the classic nor extended classic nor the standalone SRM scenarios that all have the shopping cart generate the PO. Is there a way to create the PO without the shopping cart? Is there a BAPI to do this?
Right now, we generate an XI ABAP server proxy which allows us to push the PO information from an external system through XI into SRM, but we do not know what SRM function we need to invoke.
Any help would be appreciated.
Thanks,
Jay
SAP Integration Consultant
I can give you the technical example of how to create a PO. You can get the sample logic of creating PO's from the program MBT_PO_MASS_CREATE.
Regards,
Mani -
Using External Interface on local content
We're using External Interface for interfacing between Flash and JavaScript on the HTML page. All works fine online. When we try to localize the pages though (so that a Salesperson can have a CD full of demos), none of them seem to work.
Is this an over-sensitive Flash security issue? We already have allowscriptaccess='always' and swliveconnect=true in the object/embed tags.
What can we do that doesn't require changes on each individual machine to set trust paths or any other kind of browser configuration? Not only do we want to have this content working on the machine of a salesperson, we may get clients that want to deploy content offline (kiosks, machines without any network access).
~dd
I believe you also need to have the user add the Flash file's location as a trusted source in the Flash Player settings.
This is obviously an enormous pain. To get around this, you can run a temporary server from the CD. My team has used the Flying Ant server (http://www.wrensoft.com/flyingant/) and it worked quite well, and it runs on Mac, Windows, and Linux.
Alternatively, you could create an installable AIR app to get around the security sandbox issue. If you don't want to have the customer install anything or have to go through loads of instructions to change Flash Player settings, go with the server solution. -
Configuring a5505 setup public server + DMZ
Please bear with me, as I am utterly new to the a5505 and Cisco products in general.
Setup:
LAN (192.168.1.X, with .3 as gateway)
DMZ (192.168.2.X with .1 as gateway)
WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)
I want to set it up so that X.146 is where all my outbound traffic appears to originate.
I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.
Also, HTTP traffic to X.148, X.149 and X.150 should go to DMZ and 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time)
I've got contact with the outside world when I've configured it using the ASDMs "Public Server" interface, but it refuses to properly establish the connection, I get a "SYN timeout".
I'm sure it is a simple mistake I've made someplace, but some of this stuff is Greek to me so far, I must admit.
My config:
: Saved
ASA Version 8.2(5)
hostname kcisco
enable password X encrypted
passwd X encrypted
names
name X.X.X.144 outside-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 5
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.146 255.255.255.248
interface Vlan5
description DMZ interface
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_SERVICE_0
service-object gre
service-object tcp eq pptp
service-object udp eq isakmp
service-object udp eq 1701
service-object udp eq 1723
service-object udp eq 4500
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq smtp
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
: end
no asdm history enable
Thanks, fixed that at least.
But still no further in getting the connection to be established.
I see this in my logs:
6 Oct 09 2012 15:29:22 Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)
6 Oct 09 2012 15:29:52 Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
(Z.Z.Z.Z is the outside host I am testing from)
(I've connected the mailserver to the firewall and configured it to use the FW gateway (192.168.1.3) -
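The two log lines above already carry the diagnosis: the ASA built the inbound connection (so the ACL and the static translation both matched) and then tore it down after 30 seconds with "SYN Timeout" and 0 bytes, meaning the SYN was forwarded to 192.168.1.11 but no SYN-ACK ever came back through the firewall. That pattern points at the server side (its default gateway, or a host firewall) rather than at the ASA. As an added example that is not part of the thread, the Python below pairs Built/Teardown messages by connection id and reports, per published server, how many inbound connections ended this way, so the condition can be spotted across a whole log rather than by reading individual lines. The log lines are constructed in the format the thread shows, using documentation addresses.

```python
import re
from collections import defaultdict

# Constructed ASA syslog lines in the ASDM format the thread shows; 203.0.113.9
# is the outside tester, 198.51.100.147 the mapped address, 192.168.1.11 the server.
SAMPLE_LOG = """\
6 Oct 09 2012 15:29:22 203.0.113.9 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:203.0.113.9/42061 (203.0.113.9/42061) to inside:192.168.1.11/443 (198.51.100.147/443)
6 Oct 09 2012 15:29:52 203.0.113.9 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:203.0.113.9/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 09 2012 15:30:01 203.0.113.9 42070 192.168.1.11 25 Built inbound TCP connection 1065 for outside:203.0.113.9/42070 (203.0.113.9/42070) to inside:192.168.1.11/25 (198.51.100.147/25)
6 Oct 09 2012 15:30:31 203.0.113.9 42070 192.168.1.11 25 Teardown TCP connection 1065 for outside:203.0.113.9/42070 to inside:192.168.1.11/25 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 09 2012 15:30:40 203.0.113.9 42075 192.168.1.11 25 Built inbound TCP connection 1066 for outside:203.0.113.9/42075 (203.0.113.9/42075) to inside:192.168.1.11/25 (198.51.100.147/25)
6 Oct 09 2012 15:31:10 203.0.113.9 42075 192.168.1.11 25 Teardown TCP connection 1066 for outside:203.0.113.9/42075 to inside:192.168.1.11/25 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 09 2012 15:31:05 203.0.113.9 42080 192.168.1.11 443 Built inbound TCP connection 1067 for outside:203.0.113.9/42080 (203.0.113.9/42080) to inside:192.168.1.11/443 (198.51.100.147/443)
6 Oct 09 2012 15:31:20 203.0.113.9 42080 192.168.1.11 443 Teardown TCP connection 1067 for outside:203.0.113.9/42080 to inside:192.168.1.11/443 duration 0:00:15 bytes 5120 TCP FINs
"""

# "Built inbound TCP connection <id> for <if>:<src>/<port> (<xlated>) to <if>:<real>/<port> (<mapped>/<port>)"
BUILT = re.compile(r"Built inbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) \S+ "
                   r"to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
# "Teardown TCP connection <id> for ... duration <h:m:s> bytes <n> <reason>"
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+) (.+)$")


def syn_timeout_report(log_text):
    """Pair Built/Teardown by connection id. Returns, per published server
    ("mapped:port -> real:port"), how many inbound connections were built and
    how many ended in 'SYN Timeout' with zero bytes (the server never answered)."""
    open_conns = {}
    report = defaultdict(lambda: {"attempts": 0, "syn_timeouts": 0})
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, _sif, _sip, _sport, _dif, real_ip, real_port, mapped_ip, mapped_port = m.groups()
            key = f"{mapped_ip}:{mapped_port} -> {real_ip}:{real_port}"
            open_conns[cid] = key
            report[key]["attempts"] += 1
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, _duration, nbytes, reason = m.groups()
            key = open_conns.pop(cid, None)  # teardown without a Built we saw is ignored
            if key and reason.strip() == "SYN Timeout" and int(nbytes) == 0:
                report[key]["syn_timeouts"] += 1
    return {k: dict(v) for k, v in report.items()}


def servers_not_answering(log_text, min_attempts=2):
    """Published servers for which every observed inbound connection timed out
    on the SYN: the firewall is passing traffic, the host is not replying."""
    rep = syn_timeout_report(log_text)
    return sorted(k for k, v in rep.items()
                  if v["attempts"] >= min_attempts and v["syn_timeouts"] == v["attempts"])


if __name__ == "__main__":
    for key, counts in syn_timeout_report(SAMPLE_LOG).items():
        print(key, counts)
    print("not answering:", servers_not_answering(SAMPLE_LOG))
```

In the constructed sample the SMTP publication never completes a handshake while HTTPS has one failure and one good connection, so only the SMTP entry is flagged. On a real box, pipe the output of `show logging` or the syslog export through it; for the thread's symptom the next check is the server's routing table, not the ASA config.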
Delete Intransit from APO which Loaded by PI from external interface
Hi all,
I am facing a problem in deleting the Order created by External Interface.
We are loading Intransit as PO Memo (ATP Category AH). Now we need to delete all the Record with AH ATP category before we reload new intransit to APO.
Problem is we are not able to delete those order as those are not in Live Cache.
We try using transaction /n/sapapo/bp2 but every time its throwing error "SAP APO system Q51CLNT100 has been declared as an SAP R/3 system."
and even I try deleting from /SAPAPO/RLCDEL. but its not deleting those order.
Can some one suggest what to do.
What all the option that we can try to delete the intransit.
Thanks & Regards,
Amit Sharma
Hi Amit,
You can use BAPI to delete AH ATP Category.
1. Read all Purchase Documents from BAPI_POSRVAPS_GETLIST3 for product – location for AH Type ATP Category only.
2. Get the ORDID on the selection made.
3. Call BAPI_POSRVAPS_REMOVEITEMS and load the list of order no. and then delete it.
Please try this.
Thanks,
Dipankar -
Is anyone using the Calendar Server to send external invites?
Is anyone using the Calendar Server to send external invites?
We have a Mountain Lion server running DNS, Open Directory, File Sharing and VPN. We have recently stood up the Calendar server and it is working very well. Internal invites work fine and are instantaneous to computer, iPhone, iPad. We have the ports working so that calendar items created outside the network work fine as well. Only problem is we cannot invite anyone with an external e-mail address. Each time we do the Calendar Error Log populates with:
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] SMTP Client retrying server. Retry: 5
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] SMTP Client retrying server. Retry: 4
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] SMTP Client retrying server. Retry: 3
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] SMTP Client retrying server. Retry: 2
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] SMTP Client retrying server. Retry: 1
2013-04-15 13:11:03-0500 [-] [mailgateway] 2013-04-15 13:11:03-0500 [Uninitialized] [twistedcaldav.mail.MailHandler#error] Mail gateway failed to send message <[email protected]> from [email protected] to mailto:[email protected] (Reason: Failure with multiple causes.)
We have set up an internal e-mail address. I have confirmed that it works fine. I have tried more than one internal account. I have also verified the settings through the command line by typing "sudo serveradmin settings calendar" The iMIP sending and receiving information is correct. There is no authentication type setting listed in the command line output even though there's a place to choose it in the Enable invitations by email - Edit button on the third screen. No matter what I choose it goes back to "login" and still doesn't work.
The command line settings mention a port number 62310 as being the MailGatewayPort but opening that port on the network's firewall makes no difference. As I said external set up works fine from Mac/iPhone/iPad and push notification works fine as well.
Is anyone using this functionality?
I'm sorry. I forgot to add Mail to the list of services. I AM using mail on that server. Here's the iMIP portion of my settings output from Terminal.
calendar:Scheduling:iMIP:Sending:Server = "boardwalkserver.kuhnwitt.com"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Username = "calendarserver"
calendar:Scheduling:iMIP:Sending:Address = "[email protected]"
calendar:Scheduling:iMIP:Sending:Password = "password"
calendar:Scheduling:iMIP:Sending:Port = 465
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:MailGatewayPort = 62310
calendar:Scheduling:iMIP:Receiving:Server = "boardwalkserver.kuhnwitt.com"
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Username = "calendarserver"
calendar:Scheduling:iMIP:Receiving:PollingSeconds = 30
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Password = "password"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:Scheduling:iMIP:AddressPatterns:_array_index:0 = "mailto:.*"
calendar:Scheduling:iMIP:MailGatewayServer = "localhost"
So add Mail to the services being used. Since Calendar is running on the mail server one would assume that it could communicate with it fairly easily. -
File transfer from a FTP server to another External FTP server
Hi,
I have one FTP server, I need to transfer a file from this FTP server to another external FTP server. Could any one please help me how to write a batch file on FTP server so that my file is transferred to another FTP server by executing the Batch file. I don't want to use SAP server for this.
best regards
bobby
CREATE CONTROLFILE
Caution:
Oracle recommends that you perform a full backup of all files in the database before using this statement. For more information, see Oracle9i User-Managed Backup and Recovery Guide.
Purpose
Use the CREATE CONTROLFILE statement to re-create a control file in one of the following cases:
All copies of your existing control files have been lost through media failure.
You want to change the name of the database.
You want to change the maximum number of redo log file groups, redo log file members, archived redo log files, datafiles, or instances that can concurrently have the database mounted and open.
Note:
If it is necessary to use the CREATE CONTROLFILE statement, do not include in the DATAFILE clause any datafiles in temporary or read-only tablespaces. You can add these types of files to the database later.
An alternative to the CREATE CONTROLFILE statement is ALTER DATABASE BACKUP CONTROLFILE TO TRACE, which generates a SQL script in the trace file to re-create the controlfile. If your database contains any read-only or temporary tablespaces, that SQL script will also contain all the necessary SQL statements to add those files back into the database.
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96540/statements_54a.htm#SQLRF01203 -
ASA 5505 external interface dying
Hi,
We have an ASA 5505 (version 9.1(2)) that frequently stops functioning, i.e. the external interface refuses to pass any traffic, ASDM won't connect, etc.
The internal interface does continue to function and if we SSH into the unit and do a reload , everything springs back into life again.
What are the best steps to troubleshooting and finding a fix to this problem?
Chris
Hi Amrin,
you can configure SLA monitoring on ASA and that would work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
External interface.call is not working
hi, i am trying to call one java script function in actionscript by using External interface.call method. but its not working. can u pls tell me why this happened
"angadala" <[email protected]> wrote in message news:gmpc58$g9p$[email protected]..
> skill status.mxml
>
>
> <mx:Script>
> <![CDATA[
> if (ExternalInterface.available) {
> ExternalInterface.call(getDataFromXml);
> }
>
> it is javascript
> <script type="javascript">
> var data = new Array();
> data[0]=[1,2,3];
> function getData()
> {
> return data;
> }
> </script>
> </head>
> <body>
> <div id="SkillStatus">
> <p>Alternative content</p>
> </div>
>
> </body>
> </HTML>
>
1) Your JavaScript function name and the function name you are calling don't match.
2) On the Flex side, you are calling a JS function that I think you are expecting to return a value, but not assigning the result of the value to a function. -
Is there a way to run an existing PS-JS script using external interface
I have several previously written Photoshop JS scripts which I'd like to run through buttons on PS panels, much like the example for the HelloWorld introduction. I assume that--using external interface--I'll somehow be able to fire off these script files. Is this a correct assumption?
Thanks!
Certainly, but not with external interface.
Have a look at the cookbooks. There are examples of how to use the root host object to call directly into extendscript. -
Memory leak in external interface SetReturnValue?
I'm having trouble with a memory leak in my application. I'm hoping someone out there can help me find a fix or workaround, or tell me what I'm doing wrong.
The leak seems to be coming from the flash external interface; specifically, IShockwaveFlash.SetReturnValue(String). My application is written in Visual Basic 2008, connecting to Flash 9.0.124.0 (activex version).
I've written a fairly simple flash/VB program pair to illustrate the problem.
The SWF contains a button, 2 dynamic text fields, and the ActionScript 2 code below.
The VB project contains a Form with an AxShockwaveFlash object and the VB code below.
When this program is run, and the button is clicked a lot (10's of thousands of times), the application's memory creeps up and never seems to fall back down. If the string passed to SetReturnValue is longer, memory is consumed faster. But if the call to SetReturnValue is commented-out, the application's memory usage remains stable.
If anyone has any suggestions on how to proceed, I'd be grateful.
(By the way: I'm using a freeware program called DoItAgain to automate the button pressing.)
I have developed two simple Java and corresponding C++ classes. Use code tags when you post your code.
You are missing a lot of error checking. JNI calls, every single one, will usually be followed by some sort of error checking. Any that access classes, methods, fields or allocate object must be followed by checks for java exceptions.
You will need to reduce your code to a smaller sample. Otherwise it is unlikely anyone will look at it.
You also need to specify how you know that a memory leak is occurring. -
I'm configuring our ASA and we have two AT&T circuits which we're only using one with our current Juniper firewall. I know the ASA doesn't support policy based routing so I'm wondering if the following hypothetical "config" is possible.
External Interfaces:
OUT_01 - 12.133.X.X
OUT_02 - 201.61.X.X
I would route all internal traffic to go out through OUT_01.
We have over 5 site-to-site VPN and 30 external facing servers. Could I use OUT_2 to configure all the inbound connections for the VPN and NAT rules?
You can configure the ASA to allow asynchronous routing, as you are describing, by configuring TCP bypass.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
What this will do is you will still need to send traffic out one interface but the ASA will accept return traffic on either of the outside interfaces. Configuring this can be a security risk as the ASA will ignore the state table.
Or you could wait until ASA version 9.4 which will have support for PBR. Of course this is the first version that will support it, so don't be surprised if it has a few bugs.
Please remember to select a correct answer and rate helpful posts