RV110W- Apply Access Rules

I have an issue with Single Port Forwarding on these units.
I wanted to try Access Rules as a workaround.
When I set an Access Rule for, let's say, HTTP and point it to an internal IP, when I try to browse to the address, I get the router management page instead. This puzzles me as the router is a different IP, and does not have HTTP enabled for management.
If I set an Access Rule for FTP, the connection attempt is blocked.
So, anyone using Access Rules for inbound traffic? Is it possible? How are you configured?
Thanks

Please contact the Cisco Small Business Support Center and open a support case with next available engineer @ 1-866-606-1866
Jasbryan

Similar Messages

  • RV110W Log Access Rules

    Have allow all traffic for 2 IP addresses.  Have logging on and marked the rule LOG ALWAYS and never see any recorded events in the log.
    I know there is traffic to these addresses.

    Dear Jeff,
    Thanks again for reaching the Small Business Support Community.
    Notice that even if you enable the access rule log, you must globally enable logging from the "Administration > Logging > Log Settings" menu before you get the actual logs. Please refer to page 124 of the admin guide for a step-by-step guide if needed:
    http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf
    I'll be looking forward to your reply and thank you for your time and patience,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • Applying new access rules fails.

    Netware 6.5 SP6 BM 3.9
    Ok, new problem. I am trying to add some new access rules to the list in a particular container. When I have defined the rule and click apply I get the following message - Unknown system error. This doesn't happen on the other container which already has rules defined in it. Are the rules from the higher level container being propagated down the tree as I assumed they would be?
    ---treename 2 explicit deny rules for the whole company
    ------it This container to be exempt. can't add rule to allow all.
    ------helpdesk
    ------etc
    Another aside seems to be that even though "Enforce Access Rules" is always on sometimes the rules do not work and sometimes they do.
    Any help much appreciated.

    JeffSheehan,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com/ to search the knowledgebase and check the other support options available on that page under "Self Support" and "Support Programs".
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • BM 3.9 Access Rules Work Only Once

    What I want:
    Access Rule that blocks ALL attempts to download in a browser any file that ends with a specific extension (.exe for example).
    What I have:
    Access Rule:
    Type: Port
    Source DNS Hostname: Any
    Destination DNS Hostname: *.exe
    Origin Server Port: 1-65535
    Action: Deny Access
    What is happening:
    I apply the rule and test and I am denied the first attempt.
    When another attempt is made, the action is allowed.
    Monitor shows the following error message when rules changes are applied:
    Unable to read configuration from NDS (error - -672)
    Note: I just removed ALL rules listed in iManager, saved and I am still able to access web pages. I thought that by default access is denied?

    In article <[email protected]>, Johnefleming
    wrote:
    > I apply the rule and test and I am denied the first attempt.
    > When another attempt is made, the action is allowed.
    >
    > Monitor shows the following error message when rules changes are
    > applied:
    >
    > Unable to read configuration from NDS (error - -672)
    >
    Do you have a replica on the server?
    A 672 error sounds like something fundamentally wrong is going on with
    NDS on that server. You should have a replica on it that holds the
    server objects at least.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Copy Access Rules from 3.8 to 3.9 system

    I'm creating a new BM 3.9 server and want to import my current Access
    Rule from my 3.8 system into the new 3.9 system. Is it possible? How???

    Craig Johnson wrote:
    > Did you apply BM 3.9 sp1?
    >
    > If so, did you (or did you need to) reinstall the SP1 plugins for
    > iManager?
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    No I didn't reinstall the BM 3.9 SP1 plugins. I'll try that tomorrow.

  • Access rule for Google Cloud Printer

    I want my users to access Google Docs, Gmail accounts, Google Drive, and Google Cloud Printer only, but they should not get access to the Google website.
    I made a rule for it and blocked the Google search engine.
    After testing:
    Google Docs is accessible, Gmail is accessible and Google Drive is also accessible, but I am not able to access Google Cloud Printer, because Google Cloud Printer is not a namespace.
    So kindly help me out: what should I do, and what kind of rule do I have to make so my users can also access Google Cloud Printer? I don't want my clients to access the Google search engine.
    electrifying

    Hi,
    For this you can try creating a domain name set on the TMG server first. You can name the domain name set as "Google" for example. The entry in the domain set can be set to
    *.google.com  or the required domains . After that try creating an access rule with these properties:-
    1. From ---> Internal and Localhost
    2. To ---> Add the name of the created domain name set. (Google)
    Apply the changes and check if you are able to access the sites now.
    Check out this article : http://technet.microsoft.com/en-us/library/cc441706.aspx.
    Regards,
    Gijo

  • ASDM not showing access rules for interfaces

    Strangest thing.  I have applied the access lists and can see that in CLI, but ASDM isn't displaying them.
    in CLI:
    access-group inside_access_in in interface inside
    But ASDM doesn't display the interface under "Firewall - Access Rules"
    Cisco Adaptive Security Appliance Software Version 8.4(5)6
    Device Manager Version 7.1(4)
    Anyone else seeing this?
    I configured this firewall a few months ago and haven't touched it since.  I have updated Java and suspect that it may have something to do with it.
    Java version 7 Update 45

    Hi there
    I am sorry for any delay.
    Please check this out:
    ASDM 7.0 Edit Bookmark Window empty.
    Symptom:
    In the Edit Bookmark Window all fields are empty.
    Conditions:
    ASDM 7.0
    Workaround:
    If running any ASA code before 9.0 downgrade to ASDM 6.4.
    If running ASA 9.0, there is no workaround.
    Fixed-In 
    7.1(1.2)
    You may try with the latest version available Release 7.1.1
    HTH.
    Please rate any helpful posts

  • Firewall Access Rules do not work on One to One NAT (RV042G Router)

    I have two unique IP addresses, two servers, and one RV042G router. 
    What I would like to do is have each IP address go to its own respective server. To do that, I've set the settings on One-to-One NAT to make this happen. Now IP address 1 points to server A and IP address 2 points to server B.
    However, I only want port 80 to be open to each server. I've tried setting the Firewall access rules to accommodate this but it doesn't appear to block anything. All ports on the servers are exposed despite the firewall rules.
    Here's what I have in the router configuration:
    Under One-to-One NAT:
    {internal IP address 1} => {external IP address 1}
    {internal IP address 2} => {external IP address 2}
    Under Firewall Access Rules:
    Action | Service | Source Interface | Source | Destination | Time
    Allow | HTTP Secondary 80 | WAN1 | Any | {internal IP address 1} | Always
    Deny | All Traffic | WAN1 | Any | Any | Always
    Is there a proper way to accomplish what I want?

    Thanks for replying. 
    Turns out I had to add new access rules to specifically deny all traffic to the internal addresses, in addition to the rule allowing the specified ports through.
    So, with the IP addresses still defined the same way in the One-to-One NAT section, I now have the following rules defined in the firewall section:
    Under Firewall Access Rules:
    Priority | Action | Service | Source Interface | Source | Destination | Time
    [1] | Allow | HTTP Secondary 80 | ANY | Any | {internal IP address 1} | Always
    [2] | Deny | All Traffic | WAN1 | Any | {internal IP address 1} | Always <== the new one I ended up adding
    (default) | Deny | All Traffic | WAN1 | Any | Any | Always <== built in default rule in router
    I originally did not add the second rule because I had assumed that the default deny rule would block all traffic to all internal IP addresses anyway. Perhaps someone can correct me if I'm wrong but I am now assuming that the default deny rule applies to the router only and not to any other defined One-to-One NAT entries. In which case, I had to add another rule that duplicates the default deny rule but for each 1:1 NAT entry.
    If this was already in the manual, I probably missed it so that would be my own mistake. Still, I wish this was more apparent in the web GUI as it didn't really specify that I had to do this.
    In any case, I hope my solution helps anyone else in the future having this similar issue.

  • RV220W - port redirection/access rules with multiple WAN IPs

    I've just installed a Cisco RV220W - which works fine for outbound traffic, however for inbound it seems unable to work with multiple WAN IPs.
    We have a block of 6 WAN IPs assigned to us by our ISP, and I want to make use of all of them to expose certain ports on our servers to the outside world.
    I've tried to do this with Access Rules (using HTTP as an example) with the following settings:
    Connection Type: Inbound (WAN (Internet) > LAN (Local Network))
    Action: Always Allow
    Service: HTTP
    Source IP: Single Address
    Start: <one of the WAN IPs>
    Send to Local Server (DNAT IP): <IP of the internal server>
    Use Other WAN (Internet) IP Address: disabled
    Rule Status: Enabled
    Yet the server/port remains inaccessible.
    I've tried:
    rebooting the server with a power off/on again
    implementing the same settings in port forwarding
    triple-checking all IP addresses being used
    The only way I've got it working is by changing the access rule so that it applies to any source address rather than one specific one...  however that's not a solution for us as we need to use specific IP addresses for specific internal servers/ports.
    The router's admin interface certainly suggests this should be possible, however making use of it seems to break all incoming access!
    Any suggestions welcome.

    You should be using "ANY" as the source IP, as you are publishing your internal server to the internet and internet means the request comes from any source IP (you don't know what it is, so it will be any).
    Basically, you want any source IP to hit one of your WAN IPs on port 80, and then your firewall will redirect that request to the internal server's private IP address on the same port 80. And when the response comes back from the internal server, the firewall will already have this translate entry in it so the reverse NAT will happen (you don't need to configure this, it is a default firewall feature).
    I hope I have answered your question well.
    Please mark as correct if you like the response.
    Thanks

  • BM39SP1 Blank Access Rules Page

    Hi,
    Upgraded from BM38SP5 to BM39 and then applied SP1, when I click on the access rules tab in iManager, nothing happens. If you switch to the logger screen on the server it says: LaunchService.......103 java.lang.NullPointerException
    Any idea what's wrong?
    Thanks
    Simon

    high
    okay. done this, also with english language.
    here the whole info from the logger screen.
    LaunchService.......103 java.lang.NullPointerException
    hope that helps.
    Sascha
    >>> mysterious<[email protected]> schrieb am 08.04.2008 um 09:33 in Nachricht
    <[email protected]>:
    > Sascha Oetiker wrote:
    >> high
    >>
    >> the same with firefox 2.0.0.13
    >>
    >> which logger output do you mean ? is there a log-file ?
    >>
    >> Thanks
    >>
    >> Sascha
    >>
    >>>>> mysterious<[email protected]> schrieb am 04.04.2008 um 12:02 in Nachricht
    >> <[email protected]>:
    >>> Sascha Oetiker wrote:
    >>>> high
    >>>>
    >>>> 1. i have IE7 on Windows XPSP2 english and IE6.0sp2 on german XP.
    >>> try firefox
    >>>
    >>>> 2. server is english, NW6.5SP7
    >>>> 3. Imanager also english or german
    >>>> 4. logger says: "Launch Service.....103 java.lang.NullPointerException"
    >>> Paste all the logger output
    >
    > 1. Verify that your browsers have javascript enabled
    > 2. When you click on the imanager menu, some info will be written to the
    > logger screen. Copy and paste the whole info on the logger, not only one
    > line, to see the whole message
    > 3. Set your imanager and browser to use only english language and try it
    > again

  • ASA 5505, error in Access Rule

    Hello.
    The ASA 5505 is working, but I try to allow http and https from internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an Object called SERVER with IP 192.168.0.100
    The outside Interface is called ICE
    I have configured NAT:
    I have also configured Access Rules:
    But when I test it with the Packet Tracer I get an error:
    What's wrong with the Access Rule?
    I do prefer the ASDM :)
    Best regards Andreas

    Hello Jeevak.
    This is the running config (Vlan 13 (Interface ICE) is the one in use):
    domain-name DOMAIN.local
    names
    name 192.168.0.150 Server1 description SBS 2003 Server
    name 192.168.10.10 IP_ICE
    name x.x.x.0 outside-network
    name x.x.x.7 IP_outside
    name 192.168.0.100 SERVER description Hovedserver
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Vlan2
     description Direct Connect
     backup interface Vlan13
     nameif outside
     security-level 0
     pppoe client vpdn group PPPoE_DirectConnect
     ip address pppoe
    interface Vlan3
     description Gjestenettet
     nameif dmz
     security-level 50
     ip address 10.0.0.1 255.255.255.0
    interface Vlan13
     description Backupnett ICE
     nameif ICE
     security-level 0
     ip address IP_ICE 255.255.255.0
    interface Vlan23
     description
     nameif USER
     security-level 50
     ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 13
    interface Ethernet0/2
     switchport access vlan 23
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 3
    interface Ethernet0/7
     switchport access vlan 3
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup dmz
    dns server-group DefaultDNS
     domain-name DOMAIN.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any host IP_outside eq https
    access-list outside_access_in extended permit tcp any host IP_outside eq www
    access-list outside_access_in extended permit icmp any host IP_outside echo-reply
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list DOMAINVPN_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
    access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list ICE_access_in extended permit tcp any host IP_ICE eq https
    access-list ICE_access_in extended permit tcp any host IP_ICE eq www
    access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
    access-list ICE_access_in remark For RWW
    access-list ICE_access_in remark For RWW
    access-list USER_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu ICE 1500
    mtu USER 1500
    ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz
    monitor-interface ICE
    monitor-interface USER
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit outside-network 255.255.255.0 outside
    icmp permit 192.168.10.0 255.255.255.0 ICE
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (ICE) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.0.0 255.255.255.0
    nat (USER) 1 10.1.1.0 255.255.255.0
    static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
    static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group ICE_access_in in interface ICE
    access-group USER_access_in in interface USER
    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
    route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 1
     type echo protocol ipIcmpEcho x.x.x.1 interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 1 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    track 123 rtr 1 reachability
    no vpn-addr-assign local
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 10.0.0.10-10.0.0.39 dmz
    dhcpd dns y.y.y.2 z.z.z.z interface dmz
    dhcpd lease 6000 interface dmz
    dhcpd enable dmz
    dhcpd address 10.1.1.100-10.1.1.120 USER
    dhcpd dns y.y.y.2 z.z.z.z interface USER
    dhcpd lease 6000 interface USER
    dhcpd domain USER interface USER
    dhcpd enable USER
    ntp server 64.0.0.2 source outside
    group-policy DOMAIN_VPN internal
    group-policy DOMAIN_VPN attributes
     dns-server value 192.168.0.150
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
     default-domain value DOMAIN.local
    class-map inspection_default
     match default-inspection-traffic
    class-map imblock
     match any
    class-map P2P
     match port tcp eq www
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect im impolicy
     parameters
     match protocol msn-im yahoo-im
      drop-connection log
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    policy-map type inspect http P2P_HTTP
     parameters
     match request uri regex _default_gator
      drop-connection log
     match request uri regex _default_x-kazaa-network
      drop-connection log
     match request uri regex _default_msn-messenger
      drop-connection log
     match request uri regex _default_gnu-http-tunnel_arg
      drop-connection log
    policy-map IM_P2P
     class imblock
      inspect im impolicy
     class P2P
      inspect http P2P_HTTP
    service-policy global_policy global
    service-policy IM_P2P interface inside
    prompt hostname context
    : end
    asdm image disk0:/asdm-524.bin
    asdm location Server1 255.255.255.255 inside
    asdm location IP_ICE 255.255.255.255 inside
    asdm location outside-network 255.255.255.0 inside
    asdm location SERVER 255.255.255.255 inside
    no asdm history enable
    What is wrong? Everything works well except port forwarding.
    Andreas

  • Problem with nat / access rule for webserver in inside network asa 5505 7.2

    Hello,
    I have trouble setting up nat and access rule for webserver located in inside network.
    I have asa 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213
    Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
    I have created a static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
    What am I doing wrong?

    Command:
    packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.123.0   255.255.255.0   inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x35418d8, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=188.x.x.213, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
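
A way to read a trace like the one above programmatically, as an added example that is not part of the original post: this Python sketch finds the first phase that returns DROP and reports whether it was the implicit rule, meaning no configured access-list entry matched the packet. The function names are illustrative, and the sample is a trimmed copy of the output quoted in the post.

```python
# Trimmed copy of the packet-tracer output quoted in the post above.
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase: N' block; the trailing summary block is skipped."""
    phases, cur, in_config = [], None, False
    for line in map(str.strip, text.splitlines()):
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase" and val.isdigit():
            cur, in_config = {"phase": int(val), "config": []}, False
            phases.append(cur)
        elif cur is None:
            continue
        elif key == "Result" and "Result" in cur:
            cur = None  # a second "Result:" starts the final summary
        elif key in ("Type", "Result"):
            cur[key] = val
        elif key in ("Config", "Additional Information"):
            in_config = key == "Config"
        elif in_config and line:
            cur["config"].append(line)  # rule text shown under "Config:"
    return phases

def first_drop(text):
    """Return (phase number, type, implicit?) for the first DROP, else None."""
    for p in parse_phases(text):
        if p.get("Result", "").upper() == "DROP":
            return p["phase"], p.get("Type", ""), "Implicit Rule" in p["config"]
    return None

if __name__ == "__main__":
    print(first_drop(SAMPLE))
```
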

  • High memory usage and error creating access rules

    Hi guys
    I'm having a problem with the memory and also with trying to create some rules on the Cisco ASA. The version that I had installed was 8.2.5.33 on a Cisco 5520 with 512 RAM; the memory usage is at 99% used, 1% free, and because of that, when I try to create a new rule the firewall gives me the following error
    So what I did was downgrade to version 8.2 (4) 4 and the memory usage went down a little (82% used, 18% free), but I still get the error when I'm creating an access rule on the device. One thing I'm not sure about is whether the number of access lists and object groups that are created could affect the performance.
    I have already opened a case with Cisco TAC and they are checking whether the problem is with the memory capacity or maybe a memory leak.
    My other question is whether, with the memory that I now have available, I should be able to create access rules, or whether 82 is still too high to create a rule or an object group?
    Regards

    Hi,
    Can you check what is the amount of ACEs you have on the ACLs in use?
    I think if you use the command "show access-list " the first line should give you the total amount of ACEs in the ACL
    - Jouni

  • Not showing top 10 access rule after upgrade to 9.1(5)

    Hi
    I have recently upgraded an ASA 5505 from 8.2 to 9.1 and the ASDM to 7.3, but I can no longer view the Top 10 Access Rules on the home tab. Is it a bug or do I have to enable anything?
    I hope someone can help.

    Hi Andre
    for security reasons I cannot give you the Access rules page. FYI the logging is enabled
    However, on the home page, when I click on show rule it says the following:
    Unable to determine corresponding access rule. The configuration in ASDM may be out of sync with the device. Please refresh configuration and try again
    I refreshed the screen and there was no change. Any advice is welcome.

  • How can I apply a rule to an attribute in XML

    Hi,
    I have a simple XML file like this:
    <FitnessCenter>
         <Member level = "platinum">
              <Name>Jeff</Name>
              <Phone type = "home">555-1234</Phone>
              <Phone type = "work">555-4321</Phone>
              <FavoriteColor>lightgrey</FavoriteColor>
         </Member>
    </FitnessCenter>
    I would like to apply a template rule (in the XSL file) to the attribute "level" of the "Member" element in the above XML, but I can't get it to work. Below is the code that I thought would work, but it doesn't. Can someone suggest a better way?
         <xsl:template match = "/">
              <xsl:apply-templates/>
         </xsl:template>
         <xsl:template match = "FitnessCenter">
              <xsl:element name = "FitnessCenter">
                   <xsl:apply-templates/>
              </xsl:element>
         </xsl:template>
         <xsl:template match = "Member">
              <xsl:element name = "Member">
                   <xsl:apply-templates select = "@*"/>
              </xsl:element>
         </xsl:template>
         <xsl:template match = "level">
              <xsl:element name = "I got here">
              </xsl:element>
         </xsl:template>
    </xsl:stylesheet>
    regards,
    Janusz

    Thank you for the response - yep it works - thanks again.
    Now, that brings me to another problem I am facing - because my "level" attribute is from another schema - in my real XML it looks like this: xsi:type="SomeNonAbstractType". If I add a rule like this to the XSL:
    <xsl:template match = "Member[@type]">
    <xsl:element name = "I got here">
    </xsl:element>
    </xsl:template>
    and I have in my XML element like this:
    <Member xsi:type = "platinum">
    <Name>Jeff</Name>
    <Phone type = "home">555-1234</Phone>
    <Phone type = "work">555-4321</Phone>
    <FavoriteColor>lightgrey</FavoriteColor>
    </Member>
    This doesn't work - this rule simply does not get called - I have tried a couple of variations but couldn't get it to work.
    Any suggestions would be appreciated.
    Regards
    Janusz
