RV220W access rules (related to wireless deactivation)
I would like to find a workaround in order to have an "advanced SSID scheduler" to activate wireless connections at different times depending on the day. There currently is only one single setting available, which activates a wireless network at the same time every single day, 365 days/year... Even on weekends and during the holidays.
I actually managed to program an access rule to slightly modify this behaviour, but I can't manage to disable the signal completely, and connections are still active (on specific applications, at least), which is a real issue to me.
This is the access rule I have currently set:
Connection type: Outbound
Action: Block by schedule (using a different schedule than the one set on the basic wireless settings)
Service: Any
Source IP: Address range (all the devices I want to control with the rule)
Destination IP: Any
This rule works, but when the "off" time triggers, if a device was connected on facebook Messenger or on Skype, it will keep the connection and not lose it as expected. Actually, facebook Messenger will still accept incoming messages, but won’t send outgoing messages.
Of course, I’d like to make sure the wireless signal is completely blocked...
Any suggestion?
Update - I managed to get the firewall to pass the HTTPS requests by changing the remote management port to 60443 and changing the NAT rule from ANY to HTTP and adding access policies for the other ports. The problem now is that the firewall is not always passing SSH traffic.
Intermittently the firewall accepts the SSH traffic intended to go to the xxx.xxx.xxx.219 on xxx.xxx.xxx.218.
NAT:
Private Range Begin: xxx.xxx.xxx.32
Public Range Begin: xxx.xxx.xxx.219
Range Length: 1 Service: HTTP
ACL:
Connection Type: Inbound > LAN
Action: Always Allow
Service: HTTPS
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
Connection Type: Inbound > LAN
Action: Always Allow
Service: SSH
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
I know that it is a bad idea to have SSH open on a public IP, but until I can get IPSEC VPN set up this is necessary. I'm not willing to start with the IPSEC setup until I can get the other rules to be stable.
One nightmare at a time, please.
Similar Messages
-
RV220W Access Rules Failing - Requests Answered By Firewall
I have setup my RV220W with NAT rules and access policies to accept HTTPS and SSH requests on a web server. When I set the policies up the site works fine for a while and then the firewall itself begins to answer the requests instead of forwarding them onto the web server.
Firewall WAN IP: xxx.xxx.xxx.218
Subnet Mask: 255.255.255.248
I have a one to one NAT policy set up this way:
Private Range Begin: xxx.xxx.xxx.32
Public Range Begin: xxx.xxx.xxx.219
Range Length: 1 Service: ANY
ACL:
Connection Type: Inbound > LAN
Action: Always Allow
Service: HTTPS
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
When I make a request to the site the Firewall WAN IP(xxx.xxx.xxx.218) will respond to the request instead of the web server IP (xxx.xxx.xxx.219).
I need help with this, please.Update - I managed to get the firewall to pass the HTTPS requests by changing the remote management port to 60443 and changing the NAT rule from ANY to HTTP and adding access policies for the other ports. The problem now is that the firewall is not always passing SSH traffic.
Intermittently the firewall accepts the SSH traffic intended to go to the xxx.xxx.xxx.219 on xxx.xxx.xxx.218.
NAT:
Private Range Begin: xxx.xxx.xxx.32
Public Range Begin: xxx.xxx.xxx.219
Range Length: 1 Service: HTTP
ACL:
Connection Type: Inbound > LAN
Action: Always Allow
Service: HTTPS
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
Connection Type: Inbound > LAN
Action: Always Allow
Service: SSH
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
I know that it is a bad idea to have SSH open on a public IP, but until I can get IPSEC VPN set up this is necessary. I'm not willing to start with the IPSEC setup until I can get the other rules to be stable.
One nightmare at a time, please. -
RV220W - Scheduled Access Rules
I have an RV220W managing my home/home office network. Since it is summer time and my kids have a lot of free time on their hands, I have established some Scheduled Access Rules to regulate their online activities. The rules are set up as scheduled blocks (my basic rule is allow all) and they were created using the schedule manager and the access rules wizard. For some reason that escapes me, the router engages the block just fine. But when the time rolls around to allow access (or I manually disable the rule), nothing changes on the network until I reboot the router. This routine gets old, fast. Am I doing something wrong?
Naresh,
I have read through all of the documentation (print and online) forwards and backwards. Let me reiterate what is happening:
I have an RV220W (latest firmware) attached to my Comcast Business Class cable modem.
The cable modem is in bridge mode.
My default Outbound Policy is ALLOW.
I have a set of BLOCK BY SCHEDULE rules for controlling access to Minecraft game servers (port 25565) at three different times a day. Using ALLOW BY SCHEDULE is pointless as the DEFAULT OUTBOUND POLICY overrides this.
If I disable one of the rules while it is active, it's deactivation does not take effect unless I reboot the RV220W. If the time schedule lapses, the block is still in force.
That is not the way it is supposed to work. -
RV220W - port redirection/access rules with multiple WAN IPs
I've just installed a Cisco RV220W - which works fine for outbound traffic, however for inbound it seems unable to work with multiple WAN IPs.
We have a block of 6 WAN IPs assigned to us by our ISP, and I want to make use of all of them to expose certain ports on our servers to the outside world.
I've tried to do this with Access Rules (using HTTP as an example) with the following settings:
Connection Type: Inbound (WAN (Internet) > LAN (Local Network))
Action: Always Allow
Service: HTTP
Source IP: Single Address
Start: <one of the WAN IPs>
Send to Local Server (DNAT IP): <IP of the internal server>
Use Other WAN (Internet) IP Address: disabled
Rule Status: Enabled
Yet the server/port remains inaccessible.
I've tried:
rebooting the server with a power off/on again
implementing the same settings in port forwarding
triple-checking all IP addresses being used
The only way I've got it working is by changing the access rule so that it applies to any source address rather than one specific one... however that's not a solution for us as we need to use specific IP addresses for specific internal servers/ports.
The router's admin interface certainly suggests this should be possible, however making use of it seems to break all incoming access!
Any suggestions welcome.You should be using "ANY" as the source IP, as you are publishing your internal server to the internet and internet means the request comes from any source IP (you don't know what it is, so it will be any.
Basically, you want any source IP to hit one of your WAN IPs on port 80, and then your firewall will redirect that request to the internal server's private IP address on same port 80. And when the response comes back from the internal server, the firewall will already have this translate entry in it so the reverse NAT will happen (you don't need configure this, it is default firewall feature).
I hope I have answered your question well.
Please mark as correct if you like the response.
Thanks -
Hi!,
Im having a problem with BM 3.9 access rules. When I create a Rule and
then I try to modify the rule I only have a blank Screen and I couldn't
modify the rules.
and in Logger screen I see Device Choosen is null.
Any Idea.
I have BM 3.9 on Netware 6.5.6 and all teh post support pack required.
I have Imanager 2.6 support pack 4.
Thanks.Please have a look at the recent thread iManager Java Error in this
newsgroup. Perhaps your issue is related.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Good Day,
I have been using Access Rules Block by Schedule successfully on my RV180. I block all outbound traffic to a single IP address with two rules, 1) from 21:30 to 23:59 Every Day and 2) from 00:00 to 07:30 Every Day. This works fine.
However I am wanting to refine this to include days of the week. I have the following:
1) from 21:30 to 23:59 Sunday through Thursday;
2) from 00:00 to 07:30 Every Day;
3) from 22:30 to 23:59 Friday through Saturday.
They are in this order in the Access Rules page but as they are all unique I cannot see why the order would affect it.
The default Outbound Policy is Allow. I have not rebooted the router and maybe this is what I need to do but the help does not say this needs to be done.
Rule 3 is not working and access is allowed well past 22:30. As I have only implemented this on Friday I have not yet tested if the other rules are working or not. I know I could change the time to test it and will do if necessary but thought I would ask the forum first if anyone has come across this issue.
All the best,
KarlHello,
I have found out one reason for the access rules not working that was the TCP session timeout period. That is to say that the current TCP session would continue until the TCP timeout period expired even if it was after the cut off time had been passed. But there are other issues where the web interface indicated a change was made but it hadn't updated the router configuration, i.e. wireless disabled but it continued to run. The web interface is prone to freezing. The spec sheet says it supports port mirror but it doesn't. I am thoroughly disappointed in the unit. I am in the process of asking for a refund as I need a router that does what it is advertised to do.
This is not a Cisco product that they (Cisco) should be proud of.
Regards,
Karl Wraith -
ASA 5505, error in Access Rule
Hello.
Tha ASA 5505 is working, but I try to allow http and https from internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an Object called SERVER with IP 192.168.0.100
The outside Interface is called ICE
I have configured NAT:
I have also configured Access Rules:
But when I test it With the Packet Tracer I get an error:
Whats wrong With the Access Rule?
I do prefer the ASDM :)
Best regards AndreasHello Jeevak.
This is the running config (Vlan 13 (Interface ICE) is the one in use:
domain-name DOMAIN.local
names
name 192.168.0.150 Server1 description SBS 2003 Server
name 192.168.10.10 IP_ICE
name x.x.x.0 outside-network
name x.x.x.7 IP_outside
name 192.168.0.100 SERVER description Hovedserver
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
description Direct Connect
backup interface Vlan13
nameif outside
security-level 0
pppoe client vpdn group PPPoE_DirectConnect
ip address pppoe
interface Vlan3
description Gjestenettet
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
interface Vlan13
description Backupnett ICE
nameif ICE
security-level 0
ip address IP_ICE 255.255.255.0
interface Vlan23
description
nameif USER
security-level 50
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
switchport access vlan 23
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup dmz
dns server-group DefaultDNS
domain-name DOMAIN.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host IP_outside eq https
access-list outside_access_in extended permit tcp any host IP_outside eq www
access-list outside_access_in extended permit icmp any host IP_outside echo-reply
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list DOMAINVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list ICE_access_in extended permit tcp any host IP_ICE eq https
access-list ICE_access_in extended permit tcp any host IP_ICE eq www
access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
access-list ICE_access_in remark For RWW
access-list ICE_access_in remark For RWW
access-list USER_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu ICE 1500
mtu USER 1500
ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface ICE
monitor-interface USER
icmp unreachable rate-limit 1 burst-size 1
icmp permit outside-network 255.255.255.0 outside
icmp permit 192.168.10.0 255.255.255.0 ICE
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ICE) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
nat (USER) 1 10.1.1.0 255.255.255.0
static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
access-group USER_access_in in interface USER
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho x.x.x.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 123 rtr 1 reachability
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 10.0.0.10-10.0.0.39 dmz
dhcpd dns y.y.y.2 z.z.z.z interface dmz
dhcpd lease 6000 interface dmz
dhcpd enable dmz
dhcpd address 10.1.1.100-10.1.1.120 USER
dhcpd dns y.y.y.2 z.z.z.z interface USER
dhcpd lease 6000 interface USER
dhcpd domain USER interface USER
dhcpd enable USER
ntp server 64.0.0.2 source outside
group-policy DOMAIN_VPN internal
group-policy DOMAIN_VPN attributes
dns-server value 192.168.0.150
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
default-domain value DOMAIN.local
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_gnu-http-tunnel_arg
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location Server1 255.255.255.255 inside
asdm location IP_ICE 255.255.255.255 inside
asdm location outside-network 255.255.255.0 inside
asdm location SERVER 255.255.255.255 inside
no asdm history enable
What is wrong? Everything Works well except port forwarding.
Andreas -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
i have trouble setting up nat and access rule for webserver located in inside network.
I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
What am i doing wrong?Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
High memory usage and error creating access rules
Hi guys
I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 8.2.5.33 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error
So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.
Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
RegardsHi,
Can you check what is the amount of ACEs you have on the ACLs in use?
I think if you use the command "show access-list " the first line should give you the total amount of ACEs in the ACL
- Jouni -
Not showing top 10 access rule after upgrade to 9.1(5)
Hi
I have recently upgraded ASA 5505 from 8.2 to 9.1 and the ASDM to 7.3 but I can no longer can view the Top 10 Access Rules on the home tab. Is it a bug or do I have to enable anything?
I hope someone can help.Hi Andre
for security reasons I cannot give you the Access rules page. FYI the logging is enabled
However in the home page , when I click on show rule it says the following
Unable to determine corresponding access rule The configuration in ASDM may be out of sync with the device. Please refreah configuration and try again
I refreshed the screen and no change. Welcome any advise. -
The problem related to wireless service Wi-Fi connectivity Never work properly
Hi
i am bashair from KSA
I have iPhone 5, you update your iPhone to version 6.1.3
The problem related to wireless service Wi-Fi connectivity
Never work properly, you try Method posed but did not succeed..
i need help me please
thanks..UPDATE
Hey this is totally weird. I haven't done jailbreak at all and I won't But how is possible that default apps such as Safari and Appstore have the problem I've mentioned before and Skyfire works perfectly without any trouble.
So to sum up:
Safari: loading stucks after few seconds on wi-fi, mostly doesn't load pictures
Appstore: loading stucks after few seconds on wifi and it keeps saying "loading"
Facebook and Youtube: doesn't load pictures
SKYFIRE: loads everything without any trouble
and completely everything works on Edge...
So tell me W.T.F. :-D -
I have a problem with one of the clients on my LAN which is running uTorrent to detriment of everyone else. It saturates the pipe. I have been unable to prod this user into bothering to tweak their settings to throttle bandwidth back and so have resorted to an access rule on the router which kicks that MAC address off during a particular time period during the day. But as irritated as I am about this slacker sense of outrageous entitlement, kicking them off entirely seems a tad heavy handed even for me.
So, In the router I can create a rule per MAC address and specify time. But is it possible to limit this to denying uTorrent ONLY? And if so what port or port ranges would I use.
Alternatively I already use a QoS setting for one of my VoIP TA's. Would I gain anything by degrading the application indirectly by creating a QoS = LOW for that port range? Again, I don't really care about any other application, just uTorrent and just that client. How much degradation is there really in setting QoS to LOW?Well it wont make much difference, when you enable QOS service on your router. Yes it is possible to Deny uTorrent application from your Router. When you are Under "Application and Gaming" Tab, Under "Blocked Application" you will find "Application Name" , "Port Range" and "Protocol" so you need to input under Application Name "uTorrent" and under port range you need to input the port number which uTorrent application use and then under protocol select "Both" and click on ADD. Then again in Application you will find uTorrent , select and click on (>>) right arrow so it will block that application on your Router. By doing this it will block uTorrent from your Router.
-
5520 to 5525 all access rules being ignored.
I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working. Could someone take a look at our config and maybe inlighten me on the problem please. Thanks,
http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
: Saved
: Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
ASA Version 8.6(1)2
hostname ColASA01-HA
domain-name corp.COMPANY.com
names
name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
name 74.XXX.XXX.132 ColVPN- description Colo VPN External
name 172.22.5.138 ww2 description ww2 Internal
name 74.XXX.XXX.138 ww2- description ww2 External
name 172.22.5.139 www1 description www1 Internal
name 74.XXX.XXX.139 www1- description www1 External
name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
name 172.22.5.143 ColSysAid description ColSysAid Internal
name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
name 172.22.5.141 Colww3 description Colww3 Internal
name 74.XXX.XXX.141 Colww3- description Colww3 External
name 10.1.1.100 Facts description Facts Internal
name 74.XXX.XXX.135 Facts- description Facts External
name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
name 172.22.5.146 ColBI01 description ColBI01 Internal
name 74.XXX.XXX.146 ColBI01- description ColBI01 External
name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
name 172.22.5.149 ambutrak description AmbuTRAK Internal
name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
name 172.22.5.136 NSTrax description NSTrax Internal
name 74.XXX.XXX.136 NSTrax- description NSTrax External
name 172.22.5.150 btmu description BTMU Internal
name 74.XXX.XXX.150 btmu- description BTMU External
name 172.22.5.155 w2k-isoft description w2k-isoft Internal
name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
name 172.22.5.142 Colexch01 description Colexch01 Internal
name 172.22.5.151 Coltixdb description Coltxdb Internal
name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
name 172.22.5.156 colexcas description colexcas Internal
name 74.XXX.XXX.156 colexcas- description colexcas External
name 172.22.3.74 colexcas01 description colexcas01 Internal
name 172.22.3.75 colexcas02 description colexcas02 Internal
name 172.22.5.157 ColFTP01 description ColFTP01 Internal
name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
name 172.22.5.153 colas2 description colas2 Internal
name 172.22.5.160 colww5 description colww5 Internal
name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
name 172.22.3.100 ColVPN description Colo VPN Internal
name 172.22.5.134 intra.COMPANY.com description on NewPortal
name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
name 10.1.0.80 asgard description asgard Internal
name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
name 10.1.0.87 dubexcas description Dublin CAS NLB
name 10.1.0.85 dubexcas01 description Dublin CAS Server
name 10.1.0.86 dubexcas02 description Dublin CAS Server
name 74.XXX.XXX.166 collync01- description Lync Edge Server External
name 74.XXX.XXX.167 coltmg01- description TMG Server External
name 172.23.2.166 collync01 description Lync Edge Server DMZ
name 172.23.2.167 coltmg01 description TMG Server DMZ
name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
name 10.1.0.0 DublinData description Dublin Data Network
name 10.2.0.0 SouthavenData description Southaven Data Network
name 10.0.0.0 BrentwoodData description Brentwood Data Network
name 10.8.0.0 GilbertData description Gilbert Data Network
name 10.101.0.0 DublinVoIP description Dublin VoIP Network
name 10.110.0.0 PMI_SonicWALL-VOICSubnet
name 172.24.3.50 ColUT04-PCITrust
name 172.22.3.31 coldc01
name 172.22.3.4 coldc02
name 172.22.3.23 ColWSUS02 description Windows Update Server
name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
name 172.22.3.150 ColPRTG01 description PRTG Monitor
dns-guard
interface GigabitEthernet0/0
description Connected to Internet via COLRTR01
speed 100
duplex full
shutdown
nameif outside
security-level 0
ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
ospf cost 10
interface GigabitEthernet0/1
description Connected to Colo LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
ospf cost 10
authentication key eigrp 10 Fiyalt1 key-id 1
authentication mode eigrp 10 md5
interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
ospf cost 10
interface GigabitEthernet0/3
description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
nameif Colo_PCI_Trust
security-level 100
ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
ospf cost 10
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
ospf cost 10
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.COMPANY.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.22.255.0
subnet 172.22.255.0 255.255.255.0
object network PMI_SonicWALL-Subnet
subnet 10.10.0.0 255.255.0.0
object network obj-172.24.3.0
subnet 172.24.3.0 255.255.255.0
object network ColWSUS02
host 172.22.3.23
object network ambutrak
host 172.22.5.149
object network ambutrak-
host 74.XXX.XXX.149
object network btmu
host 172.22.5.150
object network btmu-
host 74.XXX.XXX.150
object network ColBarracuda
host 172.22.5.133
object network ColBarracuda-
host 74.XXX.XXX.133
object network ColBI01
host 172.22.5.146
object network ColBI01-
host 74.XXX.XXX.146
object network colexcas
host 172.22.5.156
object network colexcas-
host 74.XXX.XXX.156
object network ColMOSS01
host 172.22.5.147
object network ColMOSS01-
host 74.XXX.XXX.147
object network COMPANY.com
host 172.22.5.154
object network COMPANY.com-
host 74.XXX.XXX.154
object network Coltixdb
host 172.22.5.151
object network Coltixdb-
host 74.XXX.XXX.151
object network Colww3
host 172.22.5.141
object network Colww3-
host 74.XXX.XXX.141
object network ColSysAid
host 172.22.5.143
object network ColSysAid-
host 74.XXX.XXX.143
object network ColVPN
host 172.22.3.100
object network ColVPN-
host 74.XXX.XXX.132
object network colas2
host 172.22.5.153
object network as2.COMPANY.com-
host 74.XXX.XXX.153
object network Dubmss01
host 10.101.0.24
object network Dubmss01-
host 74.XXX.XXX.145
object network Facts
host 10.1.1.100
object network Facts-
host 74.XXX.XXX.135
object network ftp.COMPANY.co.uk
host 172.22.5.144
object network ftp.boundree.co.uk-
host 74.XXX.XXX.144
object network NSTrax
host 172.22.5.136
object network NSTrax-
host 74.XXX.XXX.136
object network w2k-isoft
host 172.22.5.155
object network w2k-isoft-
host 74.XXX.XXX.155
object network www1
host 172.22.5.139
object network www1-
host 74.XXX.XXX.139
object network ww2
host 172.22.5.138
object network ww2-
host 74.XXX.XXX.138
object network ColFTP01
host 172.22.5.157
object network ColFTP01-
host 74.XXX.XXX.157
object network www.COMPANY.com
host 172.22.5.158
object network www.COMPANY.com-
host 74.XXX.XXX.158
object network act.COMPANY.com
host 172.22.5.159
object network act.COMPANY.com-
host 74.XXX.XXX.159
object network colww5
host 172.22.5.160
object network Rewards.COMPANY.com-
host 74.XXX.XXX.160
object network ColdevAS2
host 172.22.5.161
object network as2test.COMPANY.com-
host 74.XXX.XXX.161
object network intra.COMPANY.com
host 172.22.5.134
object network intra.COMPANY.com-
host 74.XXX.XXX.134
object network asgard
host 10.1.0.80
object network www.COMPANY.net-
host 74.XXX.XXX.163
object network crmws.COMPANY.com
host 172.22.5.165
object network crmws.COMPANY.com-
host 74.XXX.XXX.165
object network dubngwt
host 10.1.5.137
object network dubngwt-
host 74.XXX.XXX.137
object network COMPANYfed.com
host 172.22.5.168
object network COMPANYfed.com-
host 74.XXX.XXX.168
object network www1.COMPANYfed.com
host 172.22.3.63
object network www1.COMPANYfed.com-
host 74.XXX.XXX.171
object network www2.COMPANYfed.com
host 172.22.3.64
object network www2.COMPANYfed.com-
host 74.XXX.XXX.172
object network www1.COMPANY.com
host 172.22.3.60
object network www1.COMPANY.com-
host 74.XXX.XXX.169
object network www2.COMPANY.com
host 172.22.3.61
object network www2.COMPANY.com-
host 74.XXX.XXX.170
object network ColPRTG01
host 172.22.3.150
object network monitor.COMPANY.com-
host 74.XXX.XXX.175
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network collync01
host 172.23.2.166
object network collync01-
host 74.XXX.XXX.166
object network coltmg01
host 172.23.2.167
object network coltmg01-
host 74.XXX.XXX.167
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service Barracuda tcp
port-object eq 8000
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq ssh
group-object Barracuda
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service mySQL tcp
description mySQL Database
port-object eq 3306
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service as2 tcp
description as2
port-object eq 4080
port-object eq 5080
port-object eq https
port-object eq 6080
object-group network DM_INLINE_NETWORK_2
network-object host ColBarracuda
network-object host ww2
network-object host www1
network-object host colexcas01
network-object host colexcas02
network-object host colexcas
network-object host test.COMPANY.com
network-object host colexcas01NLB
network-object host colexcas02NLB
network-object host dubexcas01
network-object host dubexcas02
network-object host dubexcas
object-group service SQLServer tcp
description Microsoft SQL Server
port-object eq 1433
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_14 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host as2.COMPANY.com-
network-object host as2test.COMPANY.com-
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service LyncEdge tcp-udp
description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
port-object eq 3478
port-object eq 443
port-object eq 444
port-object range 50000 59999
port-object eq 5061
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_22 tcp
port-object eq www
port-object eq https
object-group network PMIVPNNetworks
description VPN Networks to PMI
network-object BrentwoodData 255.255.0.0
network-object DublinData 255.255.0.0
network-object SouthavenData 255.255.0.0
network-object GilbertData 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object DublinVoIP 255.255.0.0
object-group network PMI_SonicWALL-Subnets
network-object PMI_SonicWALL-Subnet 255.255.0.0
network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
object-group network COLDCs
network-object host coldc01
network-object host coldc02
access-list inside_access_in remark Allow SMTP from certain servers.
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in remark No SMTP except from allowed servers
access-list inside_access_in extended deny tcp any any eq smtp log errors
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark For debugging (can enable logging)
access-list inside_access_in extended deny ip any any
access-list outside_access_in remark Allow Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow VPN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
access-list outside_access_in remark Allow SMTP, SSH, and Web
access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
access-list outside_access_in remark Allow SSH to Facts
access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
access-list outside_access_in remark Allow mySQL to NSTrax for IQ
access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
access-list outside_access_in remark Allow IMAP to the Voice Mail Server
access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
access-list outside_access_in extended permit tcp any object btmu- eq ftp
access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
access-list outside_access_in remark Allow AS2 to w2k-isoft
access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
access-list outside_access_in remark Allow FTP to ColFTP01
access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
access-list outside_access_in remark allow http/https access in intra.COMPANY.com
access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow http and https to asgard
access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow Lync Edgel traffic to collync01
access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
access-list outside_access_in remark For debugging (can enable logging)
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
access-list Colo_PCI_Trust_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
logging mail critical
logging from-address [email protected]
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Colo_PCI_Trust 1500
mtu management 1500
ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/7
failover key Fiyalt!
failover link HA GigabitEthernet0/7
failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
no monitor-interface DMZ
no monitor-interface Colo_PCI_Trust
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
asdm image disk0:/asdm-66114.bin
asdm location ColVPN- 255.255.255.255 inside
asdm location ColBarracuda- 255.255.255.255 inside
asdm location ColBarracuda 255.255.255.255 inside
asdm location ww2- 255.255.255.255 inside
asdm location www1- 255.255.255.255 inside
asdm location ww2 255.255.255.255 inside
asdm location www1 255.255.255.255 inside
asdm location Colww3- 255.255.255.255 inside
asdm location Colww3 255.255.255.255 inside
asdm location ColSysAid- 255.255.255.255 inside
asdm location ColSysAid 255.255.255.255 inside
asdm location Facts 255.255.255.255 inside
asdm location Facts- 255.255.255.255 inside
asdm location NSTrax- 255.255.255.255 inside
asdm location ftp.boundree.co.uk- 255.255.255.255 inside
asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
asdm location Dubmss01 255.255.255.255 inside
asdm location Dubmss01- 255.255.255.255 inside
asdm location ColBI01- 255.255.255.255 inside
asdm location ColBI01 255.255.255.255 inside
asdm location ColMOSS01 255.255.255.255 inside
asdm location ColMOSS01- 255.255.255.255 inside
asdm location ambutrak- 255.255.255.255 inside
asdm location ambutrak 255.255.255.255 inside
asdm location NSTrax 255.255.255.255 inside
asdm location btmu- 255.255.255.255 inside
asdm location btmu 255.255.255.255 inside
asdm location COMPANY.com- 255.255.255.255 inside
asdm location COMPANY.com 255.255.255.255 inside
asdm location as2.COMPANY.com- 255.255.255.255 inside
asdm location colas2 255.255.255.255 inside
asdm location w2k-isoft- 255.255.255.255 inside
asdm location w2k-isoft 255.255.255.255 inside
asdm location Coltixdb- 255.255.255.255 inside
asdm location Coltixdb 255.255.255.255 inside
asdm location colexcas- 255.255.255.255 inside
asdm location colexcas01 255.255.255.255 inside
asdm location colexcas02 255.255.255.255 inside
asdm location colexcas 255.255.255.255 inside
asdm location ColFTP01- 255.255.255.255 inside
asdm location ColFTP01 255.255.255.255 inside
asdm location www.COMPANY.com- 255.255.255.255 inside
asdm location www.COMPANY.com 255.255.255.255 inside
asdm location act.COMPANY.com- 255.255.255.255 inside
asdm location act.COMPANY.com 255.255.255.255 inside
asdm location Rewards.COMPANY.com- 255.255.255.255 inside
asdm location colww5 255.255.255.255 inside
asdm location as2test.COMPANY.com- 255.255.255.255 inside
asdm location ColdevAS2 255.255.255.255 inside
asdm location test.COMPANY.com 255.255.255.255 inside
asdm location colexcas01NLB 255.255.255.255 inside
asdm location colexcas02NLB 255.255.255.255 inside
asdm location ColVPN 255.255.255.255 inside
asdm location intra.COMPANY.com- 255.255.255.255 inside
asdm location intra.COMPANY.com 255.255.255.255 inside
asdm location asgard 255.255.255.255 inside
asdm location www.COMPANY.net- 255.255.255.255 inside
asdm location crmws.COMPANY.com- 255.255.255.255 inside
asdm location crmws.COMPANY.com 255.255.255.255 inside
asdm location dubngwt- 255.255.255.255 inside
asdm location dubngwt 255.255.255.255 inside
asdm location dubexcas01 255.255.255.255 inside
asdm location dubexcas02 255.255.255.255 inside
asdm location dubexcas 255.255.255.255 inside
asdm location collync01- 255.255.255.255 inside
asdm location coltmg01- 255.255.255.255 inside
asdm location collync01 255.255.255.255 inside
asdm location coltmg01 255.255.255.255 inside
asdm location COMPANYfed.com- 255.255.255.255 inside
asdm location COMPANYfed.com 255.255.255.255 inside
asdm location www1.COMPANY.com- 255.255.255.255 inside
asdm location www2.COMPANY.com- 255.255.255.255 inside
asdm location www1.COMPANYfed.com- 255.255.255.255 inside
asdm location www2.COMPANYfed.com- 255.255.255.255 inside
asdm location www1.COMPANY.com 255.255.255.255 inside
asdm location www2.COMPANY.com 255.255.255.255 inside
asdm location www1.COMPANYfed.com 255.255.255.255 inside
asdm location www2.COMPANYfed.com 255.255.255.255 inside
asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
asdm location PMISonicWALL 255.255.255.255 inside
asdm location BrentwoodData 255.255.0.0 inside
asdm location GilbertData 255.255.0.0 inside
asdm location coldc01 255.255.255.255 inside
asdm location coldc02 255.255.255.255 inside
asdm location ColWSUS02 255.255.255.255 inside
asdm location monitor.COMPANY.com- 255.255.255.255 inside
asdm location ColPRTG01 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
object network ambutrak
nat (inside,outside) static ambutrak-
object network btmu
nat (inside,outside) static btmu-
object network ColBarracuda
nat (inside,outside) static ColBarracuda-
object network ColBI01
nat (inside,outside) static ColBI01-
object network colexcas
nat (inside,outside) static colexcas-
object network ColMOSS01
nat (inside,outside) static ColMOSS01-
object network COMPANY.com
nat (inside,outside) static COMPANY.com-
object network Coltixdb
nat (inside,outside) static Coltixdb-
object network Colww3
nat (inside,outside) static Colww3-
object network ColSysAid
nat (inside,outside) static ColSysAid-
object network ColVPN
nat (inside,outside) static ColVPN-
object network colas2
nat (inside,outside) static as2.COMPANY.com-
object network Dubmss01
nat (inside,outside) static Dubmss01-
object network Facts
nat (inside,outside) static Facts-
object network ftp.COMPANY.co.uk
nat (inside,outside) static ftp.COMPANY.co.uk-
object network NSTrax
nat (inside,outside) static NSTrax-
object network w2k-isoft
nat (inside,outside) static w2k-isoft-
object network www1
nat (inside,outside) static www1-
object network ww2
nat (inside,outside) static ww2-
object network ColFTP01
nat (inside,outside) static ColFTP01-
object network www.COMPANY.com
nat (inside,outside) static www.COMPANY.com-
object network act.COMPANY.com
nat (inside,outside) static act.COMPANY.com-
object network colww5
nat (inside,outside) static Rewards.COMPANY.com-
object network ColdevAS2
nat (inside,outside) static as2test.COMPANY.com-
object network intra.COMPANY.com
nat (inside,outside) static intra.COMPANY.com-
object network asgard
nat (inside,outside) static www.COMPANY.net-
object network crmws.COMPANY.com
nat (inside,outside) static crmws.COMPANY.com-
object network dubngwt
nat (inside,outside) static dubngwt-
object network COMPANYfed.com
nat (inside,outside) static COMPANYfed.com-
object network www1.COMPANYfed.com
nat (inside,outside) static www1.COMPANYfed.com-
object network www2.COMPANYfed.com
nat (inside,outside) static www2.COMPANYfed.com-
object network www1.COMPANY.com
nat (inside,outside) static www1.COMPANY.com-
object network www2.COMPANY.com
nat (inside,outside) static www2.COMPANY.com-
object network ColPRTG01
nat (inside,outside) static monitor.COMPANY.com-
object network obj_any
nat (inside,outside) dynamic 74.XXX.XXX.131
object network collync01
nat (DMZ,outside) static collync01-
object network coltmg01
nat (DMZ,outside) static coltmg01-
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
router eigrp 10
no auto-summary
eigrp router-id 172.22.1.8
network 172.22.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Colo protocol radius
aaa-server Colo (inside) host coldc02
timeout 5
key Bound/\Tree
radius-common-pw Bound/\Tree
aaa-server Colo (inside) host coldc01
timeout 5
key Bound/\Tree
user-identity default-domain LOCAL
http server enable
http 172.22.0.0 255.255.0.0 inside
http DublinData 255.255.0.0 inside
http DublinData 255.255.0.0 management
snmp-server host inside 10.1.0.59 community public
snmp-server host inside ColPRTG01 community public
snmp-server location Columbus, OH - Colo
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer PMISonicWALL
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet BrentwoodData 255.0.0.0 inside
telnet coldc02 255.255.255.255 inside
telnet DublinData 255.255.0.0 management
telnet timeout 5
ssh 172.22.0.0 255.255.0.0 inside
ssh DublinData 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 74.14.179.211 source outside prefer
ntp server 69.64.72.238 source outside prefer
ntp server coldc02 source inside
ntp server 74.120.8.2 source outside prefer
ntp server 108.61.56.35 source outside prefer
ntp server coldc01 source inside
webvpn
group-policy GroupPolicy_74.XXX.XXX.130 internal
group-policy GroupPolicy_74.XXX.XXX.130 attributes
vpn-tunnel-protocol ikev1
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 172.22.3.4 172.22.3.31
vpn-tunnel-protocol ikev1
default-domain value corp.COMPANY.com
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
authentication-server-group Colo
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
ikev1 pre-shared-key *
tunnel-group 184.XXX.XXX.226 type ipsec-l2l
tunnel-group 184.XXX.XXX.226 ipsec-attributes
ikev1 pre-shared-key *
peer-id-validate nocheck
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect http
inspect icmp
inspect pptp
inspect icmp error
inspect ip-options
class class-default
service-policy global_policy global
smtp-server 172.22.5.156
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65e78911eefb94bd98892700b143f716
: endHi,
Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
So I am kind of wondering what the situation has actually been.
But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
- Jouni -
GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis
Hello Gurus,
We have done configuration of GRC AC 10, and uploaded files via
SoD rules -->Upload Rules
After that we generated SoD rules for Risk Id : B001 and B002
Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
The report shows (for Group Rule level : Action)
Number of Active rules : 0
Number of Disabled Rules : 0
Number of Functions : 151
Where as for Group Rule level : Action Risk
The report shows
Number of Active Risk : 42
Disabled risk : 161
Nmr. of functions : 151 .
When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
Note: All the background jobs have run successfully.
Also the SoD files also have been uploaded successfully.
Will you please guide how can i activate the "rules" for the uploaded risk ??
regards,
VictorHello Victor/ Inder,
For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
BUSINESS Business Roles SAP
SAP_BAS_LG SAP Basis SAP
SAP_CRM_LG SAP CRM SAP
SAP_ECC_LG SAP ECCS SAP
SAP_HR_LG SAP HR SAP
SAP_NHR_LG SAP R3 - NON HR Basis Logical Group SAP
SAP_R3_LG SAP R3 SAP
SAP_SRM_LG SAP SRM SAP
(If not present then manually you can create the same)
Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
Post this activity re generate SOD for B001 and then check for user level and role level analysis.
Hope it will resolve your issue.
Regards,
Sudesh -
RV180W - Access Rules Don't Work
Hi,
We have a RV180W and the Access Rules will not work. I'm trying to block HTTP and HTTPS services for a specific workstation on our LAN, but the access rules don't seem to be working. I've also tried blocking different services as well as ANY service, but it's not working. I've tried rebooting the router after adjusting settings; I've tried adjusting services from the Port Forwarding menu first; and a couple weeks ago, I upgraded the firmware to version 1.0.2.6 and repeated all the previous steps. Nothing seems to be working. So far the only solution I could come up with is to block the workstation's MAC address altogether, but I don't want that because I still need it to hit the internet for other services.
Thank you,
RyanThese are the Access Rules I've tried (firmware v1.0.2.6):
Outbound:
Inbound along with the auto added Port Forwarding setting:
Maybe you are looking for
-
Error message when clicking hyperlink in Excel file
Hi all, I am working on SSRS 2012. In main report having hyperlink. When click this hyperlink in browser (IE 11 or Chrome), it open sub report correctly. But once i download the main report to Excel 2013 and click hyperlink, it can't open sub report.
-
Help in retreiving database data using a loop
Hi, new here, please help me with my problem. In my database table, (SQL) I have 2 coloumns AgtName and Tier1. Within this table there are these data AgtName Tier1 a b b c c d d NA e b My orginal plan was to use JSTL to retreive the data in a loop fu
-
HELLO I need some help please , I have a 32Gb microSD on my Xperia z2 whit some photos and music , but now I want to upgrade my microSD to a 64Gb , its possible to copy the files from the older microSD on my computer to the new ( 64Gb) . When I inser
-
New Sync function email link not working - only http\\: in link
The email to verify Sync account has an invalid link to verify the account
-
I have iphone 5 but in that i do not have facetime so what should i do
i have iphone 5 but in that i do not have facetime so what should i do