SA520 - S2S - RV110

Hi folks, I am trying to create a VPN. I have an SA520 and an RV110, and I can't reach any network, neither from the SA520 to the RV110 nor vice versa. Is it possible to create this VPN between these devices? Thanks

Hi Luis,
It's possible to create a site-to-site VPN between these devices, as both support site-to-site IPsec according to their data sheets.
Below are their config guides; you can go through the IPsec section.
http://www.cisco.com/en/US/docs/routers/csbr/rv120w/administration/guide/rv120w_admin.pdf
http://www.cisco.com/en/US/docs/routers/access/500/520/software/configuration/guide/520scg_ez_vpn.html

Similar Messages

  • S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

    I'm a software developer (no doubt the issue) trying to set up my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but it still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
    Current running config:
    ASA Version 8.2(5)
    hostname asa15
    enable password XXXXX encrypted
    passwd XXXXX encrypted
    names
    name 10.0.0.0 remote-network
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.5.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm location remote-network 255.0.0.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.16.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 99.X.X.7
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.5.100-172.16.5.130 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    tunnel-group 99.X.X.7 type ipsec-l2l
    tunnel-group 99.X.X.7 ipsec-attributes
    pre-shared-key XXXXX
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Just out of curiosity, why do you have
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    You already set your default route through DHCP setroute under the interface. This could be the issue.
    If your VPN config is OK and you are seeing encaps/decaps, it is likely a routing issue.
    Does the remote device have the correct default gateway?
    Maybe a NAT issue if you have a one-way tunnel (usually send but no receive)...
    Patrick
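    As an added example (not Patrick's or the original poster's code), here is a small Python checker that runs the routing and NAT-exemption points raised above over a constructed excerpt of the posted config. The route and ACL parsing is my own and only handles the plain "permit ip" entries seen in this thread.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the ASA 8.2(5) config posted above. The redacted
# next hop 99.X.X.7 is kept verbatim and handled as an opaque string.
SAMPLE_CONFIG = """\
names
name 10.0.0.0 remote-network
interface Vlan2
 nameif outside
 ip address dhcp setroute
access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound_1
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.X.X.7
"""

ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def parse_names(lines):
    """Map the labels from 'name <ip> <label>' so ACEs can be resolved."""
    names = {}
    for ln in lines:
        m = re.match(r"^name (\S+) (\S+)$", ln)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_acls(lines, names):
    """Return {acl: [(action, src_net, dst_net), ...]} for plain 'ip' ACEs."""
    acls = {}
    for ln in lines:
        m = ACE_RE.match(ln)
        if not m:
            continue
        acl, action, src, smask, dst, dmask = m.groups()
        src_net = ip_network(f"{names.get(src, src)}/{smask}", strict=False)
        dst_net = ip_network(f"{names.get(dst, dst)}/{dmask}", strict=False)
        acls.setdefault(acl, []).append((action, src_net, dst_net))
    return acls


def last_word(lines, prefix=None, contains=None):
    """Last token of the first line starting with `prefix` or containing `contains`."""
    for ln in lines:
        if (prefix and ln.startswith(prefix)) or (contains and contains in ln):
            return ln.split()[-1]
    return None


def check_asa_vpn_config(cfg):
    """Return findings for the routing and NAT-exemption points raised in the thread."""
    lines = [ln.strip() for ln in cfg.splitlines()]
    names = parse_names(lines)
    acls = parse_acls(lines, names)
    findings = []

    # 1. Two competing default routes: 'dhcp setroute' on the outside
    #    interface plus a static 'route outside 0.0.0.0 0.0.0.0 ...'.
    static_default = [ln for ln in lines if ln.startswith("route outside 0.0.0.0 0.0.0.0 ")]
    if "ip address dhcp setroute" in lines and static_default:
        findings.append(f"default route set twice: 'dhcp setroute' and '{static_default[0]}'")

    # 2. The NAT-exempt ACL actually bound by 'nat (inside) 0' must cover the
    #    crypto map's interesting traffic, otherwise VPN traffic gets PATed.
    nat0 = last_word(lines, prefix="nat (inside) 0 access-list ")
    crypto = last_word(lines, contains=" match address ")
    if nat0 and crypto:
        exempt = {(s, d) for a, s, d in acls.get(nat0, []) if a == "permit"}
        for a, s, d in acls.get(crypto, []):
            if a == "permit" and (s, d) not in exempt:
                findings.append(f"crypto ACL {crypto} pair {s}->{d} not exempted by nat0 ACL {nat0}")

    # 3. ACLs that are defined but bound nowhere are leftovers that invite
    #    editing the wrong list later (this config carries two nat0 ACLs).
    for acl in acls:
        pattern = re.compile(rf"\b{re.escape(acl)}\b")
        if not any(pattern.search(ln) for ln in lines if not ln.startswith("access-list ")):
            findings.append(f"ACL {acl} is defined but never referenced")

    # 4. Static default-route next hop and crypto peer are the same address:
    #    worth confirming the VPN peer really is also the ISP gateway.
    peer = last_word(lines, contains=" set peer ")
    if static_default and peer and static_default[0].split()[4] == peer:
        findings.append(f"default-route next hop and crypto peer are both {peer}")
    return findings


if __name__ == "__main__":
    for finding in check_asa_vpn_config(SAMPLE_CONFIG):
        print("-", finding)
```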

  • SSL VPN Connection error with SA520

    Hi there,
    I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
    I have made sure the firewall was turned off. Any idea on how to get the SSL tunnel connected?
    Thanks

    Hihi,
    we have the same problem, running on Vista 32 bit, and IE9.
    On the same machine, using Virtual PC and emulating an XP environment it works, what a paradox!
    It works also on Win 7 64 bit, although only with the 64 bit version of IE.
    Coming back to our Vista issue, we did not find any way to make it work properly.
    Tried to turn off the firewall, uninstall a lot of stuff that may interfere, etc., still the same problem.
    We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
    Does anyone have any suggestion??
    Tks

  • Cisco SA520 - Unable to block all torrents and Poor Performance

    Hi, I have installed a Cisco SA520W Appliance at a client who has about 40-50 PCs. The device has the latest firmware 2.1.7 and latest IPS signature (17) installed. The client is quite disappointed about the performance of the device as he believes Internet browsing access has slowed down substantially.
    The main problem the client is encountering is that, he is unable to block Utorrent P2P software and this is not allowing him to retain Internet control from the SA520 appliance.
    He had also commented on the fact that there does not appear to be a status monitor on IP usage of Internet access to pinpoint who at that time would be hogging up the bandwidth.
    Any feedback, similar scenarios encountered and possible fixes to the above issues would be appreciated.
    Thanks
    Shawn

    You might find this thread interesting regarding the router's performance with IPS turned on.  An SA540, and an access point, would yield slightly better performance.  That's what we use.
    https://supportforums.cisco.com/thread/2022832?tstart=60
    There are some older threads regarding the SA500 series router's ability to detect torrent activity.  You might want to dig them up and respond to them.  The Cisco folks were working diligently at optimizing the IPS engine's ability to detect different types of torrent activity.
    There is no way to monitor Internet access usage at the individual IP level that I am aware of.  I suggest turning on network logging (to a syslog server as there will be a lot of data to capture) and monitor traffic that way.  Kiwi Syslog Server has a free version that your client could use.
    http://www.solarwinds.com/register/kiwi_registration.aspx?Program=874&c=70150000000EIV7

  • 1 small office + 2 companies + shared resources = ? (SG300, SA520, WAP2000)

    I need to configure a network in 1 small office space that segregates 2 company domains but allows them to share an Internet connection, a WAP, a couple of printers, and a non-Cisco VoIP phone system. And, it needs to provide guest access to the internet and printers via wireless. I have a SG300-28P, an SA520W, and a WAP2000 to make it all happen. Here's the plan below. Will this work? Is there a better approach that uses the available equipment? Thanks in advance!!!
    VLANs:
    VLAN 1 - default, mgmt vlan, 192.168.1.0
    VLAN 10 - CompanyA-Data, 192.168.10.0
    VLAN 20 - CompanyB-Data, 192.168.20.0
    VLAN 30 - Guest, 192.168.30.0
    VLAN 50 - Printers, 192.168.50.0
    VLAN 100 - Internet, 192.168.100.0
    VLAN 200 - Voice, 192.168.200.0
    Device IPs:
    SG300 = 192.168.1.254
    SA520 = 192.168.1.1
    WAP2000 = 192.168.1.245
    DHCP Servers:
    VLAN 10 = SBS-A
    VLAN 20 = SBS-B
    VLANs 30,50,200 = SA520
    VLAN 1,200 = NO DHCP
    Wireless:
    SA520 is primary, WAP2000 is repeater (will it repeat multiple SSIDs???)
    SSIDA - VLAN10
    SSIDB - VLAN20
    SSID-Guest - VLAN30
    Switch Ports:
    SG300:
    1 = trunk, VLAN 1
    2-6, 25 = access, VLAN 10
    7-12, 26 = access, VLAN 20
    13 = access, VLAN 30 (unmanaged switch providing additional ports)
    14 = access, VLAN 50 (unmanaged switch providing additional ports)
    15-23 = access, VLAN 200
    24 = trunk, VLANs 10, 20, 30 (connect to WAP2000)
    27 = unallocated
    28 = trunk, all VLANs (connect to SA520 p4)
    SA520:
    1-3 = access VLAN 1
    4 = trunk all VLANs (connect to SG300 p28)
    Routing:
    SG300 in L2 mode using SA520 as router on a stick??

    Hi Rick,
    This is a great question that our Partner Design Support team can help you with.  Please go here to start chatting with them:
    https://supportforums.cisco.com/community/netpro/small-business/partnerzone/pds
    Refer the engineer to this post so that they can see what you have.
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520

    Hello,
    I just deployed one Cisco SA540 and three SA520s.
    The SA540 is at the Main Site.
    The three SA520s are the spoke sites.
    Main Site:
    Downstream Speed: 32 Mbps
    Upstream Speed: 9.4 Mbps
    Spoke Site#1:
    Downstream Speed: 3.6 Mbps
    Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
    The SA tunnels are "Established"
    I see packets being transmitted and received.
    Pinging across the tunnel has an average speed of 32 ms (which is good).
    DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
    But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
    It takes about 15 minutes to print across the vpn tunnel.
    To remedy this, we have implemented Terminal Services across the Internet.
    Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
    Logging on to the network takes about 10 minutes over the vpn tunnel.
    Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
    I have used ASAs before in other implementations without any issues at all.
    I am wondering if I replaced the SAs with ASAs, whether that may fix my problem.
    I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA VPN tunnels are unusable.
    I opened a case with Small Business Support on Friday evening, but they couldn't even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
    Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....I don't know.
    I just know that my experience with the Cisco TAC has been great for the last 10 years.
    My short experience with the Cisco Small Business Support Center has not been as great at all.
    Bottom Line:
    I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
    Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happening between the Main Site and Spoke #2 (I think Spoke #2 has a Download Speed of about 3 Mbps and an Upload Speed of about 0.5 Mbps).
    Please help.
    I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.

    Hi Anthony,
    I agree! My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA VPN performance.
    But I want to know WHY this is happening too.
    I will definitely run a sniffer trace to see what is happening.
    Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
    1.  Upgrade the SA540 at the Main Site to 2.1.45.
    2a. For cable connections, use the standard MTU of 1500 bytes.
    2b. For DSL, use the following command to determine the largest MTU that will be sent without packet fragmentation:
    ping -f -l packetsize
    Perform the items below to see if this increases performance:
    I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
    3a. Lower the IKE encryption algorithm from "AES-128" to DES.
    3b. Lower the IKE authentication algorithm to MD5
    3c. Also do the above for the VPN Policy
    Any input is welcome!

  • Border Manager 3.8.5 and S2S VPN

    I have a couple of questions with Border Manager and S2S VPN. Everything is up and running, we can ping both servers (Netware 6.5.6), we can ping workstations attached to each other's network, we can access programs from each other's network. Everything seems to be working great. The question I have is this - on both servers, under Remote Manager, VPN Monitoring, both show as 'Being Configured'. I do not think that this is an issue but there is another error in the Audit Log. The error -
    "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
    This appears on both servers' Audit Log.
    Is this a legit error or an information error? I used Craig Johnson's 'A Beginner's Guide To BorderManager 3.x' but ended up making both VPNs masters as per Novell TID - 10095268.
    If anyone has an insight as to what these errors are and if there is a fix it would be greatly appreciated.
    Kelly

    Kelly Burnside wrote:
    > I have a couple of questions with Border Manager and S2S VPN. Everything
    > is up and running, we can ping both servers (Netware 6.5.6), we can ping
    > workstations attached to each others network, we can access programs
    > from each others network. Everything seems to be working great. The
    > question I have is this - on both servers, under Remote Manager, VPN
    > Monitoring, both show as 'Being Configured'.
    Sometimes the iManager snap-in cannot get the current status of the connection from vpinf, so it shows 'Being Configured'. It can take some time, maybe days, to change the status.
    > I do not think that this is
    > an issue but there is another error in the Audit Log. The error -
    > "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
    > his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
    > my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
    This is not an error, it is an information message.
    > This appears on both servers Audit Log. Is this a legit error or a
    > information error? I used Craig Johnson's 'A Beginner's Guide To
    > BorderManager 3.x' but ended up making both VPN's masters as per Novell
    > TID - 10095268. If anyone has an insight as to what these errors are
    > and if there is a fix it would be greatly appreciated.
    > Kelly
    Everything is fine, nothing to worry about.
    gonzalo
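    As an added example (not part of either post), here is a Python parser for the audit-log message quoted above: it splits the "Proposal Mismatch" line into its fields, groups repeated mismatches per peer pair and flags any side still offering DES, so a one-off informational mismatch like this one can be told apart from a peer that never converges. The extra sample lines and the transform strength ranking are my own assumptions, not BorderManager's.

```python
import re
from collections import Counter

# Constructed audit-log sample: the first entry is the message quoted in the
# thread (addresses redacted as posted); the second is made up for a second
# peer pair so the per-peer grouping has something to group; the third is an
# unrelated line that the parser must skip.
SAMPLE_LOG = [
    "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des "
    "his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies "
    "my-his:17B2D88772DE1D61 - 4F15FFD50824F821",
    "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp 3des "
    "his: esp aes dst: 192.0.2.10 src: 198.51.100.20 cookies "
    "my-his:0011223344556677 - 8899AABBCCDDEEFF",
    "Phase 1 established with 203.0.113.5",
]

MISMATCH_RE = re.compile(
    r"Proposal Mismatch - (?P<phase>[\w ]+?): (?P<proto>\w+) - transform mismatch "
    r"mine: (?P<mine>[\w ]+?) his: (?P<his>[\w ]+?) "
    r"dst: (?P<dst>\S+) src: (?P<src>\S+) cookies "
    r"my-his:(?P<my_cookie>[0-9A-Fa-f]+) - (?P<his_cookie>[0-9A-Fa-f]+)"
)

# Rough strength ranking for the ESP transforms named in this message (my
# assumption, not a product table); DES is 56-bit and is the one to retire
# if it still shows up on either side.
STRENGTH = {"esp des": 0, "esp 3des": 1, "esp aes": 2}


def parse_mismatch(line):
    """Split one 'Proposal Mismatch' message into its fields, or return None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rank = {side: STRENGTH.get(rec[side], -1) for side in ("mine", "his")}
    rec["weaker_side"] = min(rank, key=rank.get)   # side offering the weaker transform
    rec["offers_des"] = any(rec[side] == "esp des" for side in ("mine", "his"))
    return rec


def summarize(lines):
    """Group mismatches per (src, dst) pair so repeated pairs and DES offers stand out."""
    records = [r for r in map(parse_mismatch, lines) if r]
    per_pair = Counter((r["src"], r["dst"]) for r in records)
    des_pairs = sorted({(r["src"], r["dst"]) for r in records if r["offers_des"]})
    return {"records": records, "mismatches": dict(per_pair), "des_pairs": des_pairs}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (src, dst), n in s["mismatches"].items():
        print(f"{src} -> {dst}: {n} mismatch(es)")
    print("peers still offering DES:", s["des_pairs"])
```

    A single mismatch followed by an established SA is the informational case gonzalo describes; a pair whose count keeps climbing in the audit log is the one to look at.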

  • S2S VPN only works in one direction

    I'm very new to cisco devices but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site vpn connection working between the facility and my offices network as well as a remote access VPN for me to use in case I have to fix something while outside of the office. 
    The office's gateway is 66.119.163.2 and the device is a TZ210 with its LAN network being 192.168.1.0 /24
    The co-lo's gateway is 204.244.50.254 and the device is an ASR 2911 with its LAN network being 10.0.10.0 /24
    The S2S VPN connection is up between the two locations and the 2911 device and the servers within its LAN can ping and RDP to the office's machines. The office network can only ping the LAN interface IP on the 2911 which is 10.0.10.1 but not the servers in the network. The site-to-site VPN was set up with the CCP wizard.
    How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network, and why do I only currently see the gateway?
    If need be I can post my running-config file with the preshare keys redacted. 

    I would suggest that you change your vpn client pool to be in a totally unique subnet.
    For example:
    10.20.20.0/24
    ip local pool SDM_POOL_1 10.20.20.200 10.20.20.250
    Then a few ACLs to be modified:
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 105 permit ip 10.20.20.0 0.0.0.255 10.0.10.0 0.0.0.255
    access-list 105 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    ip access-list extended 106
       5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255
    ip access-list extended 107
       5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255

  • Successmaker program not working behind Cisco SA520

    My customer is a small school in British Columbia. They have used the Successmaker program (written by Pearson Education) to teach numeracy and literacy skills. Since installing a SA520 the teachers are saying that Successmaker does not work properly.
    I am at my wits' end.
    I have disabled content filtering for the SA520, I have disabled IDS on the SA520. I am using the default outbound firewall rule allowing inside addresses access anywhere on the Internet, and I have created an inbound firewall rule allowing all traffic and all services from the Successmaker server IP address that their tech support gave us. Their app is still unable to work properly.
    What am I missing?
    Before the SA520 was installed the school was using PAT to map different ports on the public IP on the school cable modem to inside addresses. The whole school was a big DMZ, and any port scanning would have reached into their network. The port mappings were never communicated to the Successmaker folks, so I doubt they were ever relevant to the issue. The Successmaker App is web based, and according to their tech support uses "transfer encoding:chunked" technology. I read up on this and it dates back pre Web 2.0 (pre flash, pre silverlight, pre basically the silicon chip). It is discussed in RFC 2616, the SA520 is Linux based, not IOS based. Does that mean that it does not understand RFC2616? I doubt it, and even if it didn't understand RFC 2616 surely all the steps I have taken above would blow a hole the size of a barn door through the firewall?
    If this weren't a school I would not be as emotionally connected as I am to their situation. Without this firewall they will be without much protection at all.
    Can you help?
    Message was edited by: dirkventer - I added the feedback received from Successmaker tech support. It suggests that the Cisco SA520 may be a problem, something I don't want to believe.

    Hi Quendale
    I'm sorry to say that putting a student computer in the DMZ didn't resolve the issue.
    In setting up the DMZ I made the following changes -
    1) I confirmed that the Option interface was in DMZ mode, and that it had a static IP on a new subnet.
    2) We also configured the DMZ DHCP to assign addresses in the subnet, using the firewall DMZ IP as default gateway, and using the firewall DMZ IP as DNS server.
    3) I created a default firewall rule allowing all outbound traffic from the DMZ to the Internet, and created a firewall rule allowing all inbound traffic from the Successmaker server on the Internet (insecure) zone to the DMZ.
    4) I confirmed that IPS was off for the DMZ (Default) and that the content filter exception for the DMZ was still disabled.
    The same problem occurred, which makes me believe that the reason for the application not working in the LAN zone had nothing to do with IPS or content filtering. As far as the firewall rule goes, the impact of the inbound rule seems to have been the same - i.e. ineffectual.
    Connecting the PC running successmaker directly to the school cable modem works.
    The possibility that the application in question has traffic blocked because of an RFC (2616?) governing the way GET and POST requests should be formatted would still exist so long as integrity/compliance checking of packets is something that cannot be bypassed via the firewall configuration. Suffice it to say that the application appears dated and uses nothing of Web 2.0. One of the options available to my customer is the purchase of the Web 2.0 version of Successmaker ($600/seat), but they are only prepared to explore this option if the indications are that the older application, not the firewall, is at fault. Pearson Education support swears blindly that thousands of BC school children continue to use the old app behind Cisco firewalls. I don't deny the possibility that the Pearson support technician is stretching the truth: having an older application that has ceased to function with more sophisticated firewalls because RFC violations in packet formatting have become significant would doubtless present a solid, easy sell for their upgraded version, which is expensive, especially for a school.

  • Multiple subnets on SA520

    Hi - I am new to Cisco products. We have currently got a Netgear FVX538 running in front of a few servers. We currently have 2 ranges of IP addresses provided to us on 2 separate subnets. We configured the Netgear box with the first IP addresses of each subnet as the IP address of each of the primary and secondary LANs. This then allowed us to set the gateway addresses of servers on the network to either of those 2 addresses, depending on its range.
    This all worked fine - except for the fact that the Netgear box is incredibly flaky, so we decided to get a Cisco box.
    We have gone for the SA520, which I have been trying to configure this afternoon. Unfortunately I am now having concerns as to whether it is possible to configure 2 separate subnets internally on this box in the same way we have done with the netgear box. If I am right and this is not possible, does anyone know if there is a way of achieving what we want? ie - classical routing, one incoming WAN interface with multiple subnets?
    Thanks,
    Giles

    Thanks for getting back to me Julio. I'm not sure whether this helps or not. I'll try and explain the current setup a bit better:
    (IP addresses have been changed)
    WAN IP : 31.2.3.70
    WAN SUBNET : 255.255.255.252
    Gateway : 31.2.3.69
    Primary LAN : 31.20.1.135
    Primary LAN Subnet : 255.255.255.248
    Secondary LAN : 78.92.47.165
    Secondary LAN Subnet : 255.255.255.248
    I can then configure servers on the network on the following ranges:
    31.20.1.136 - 31.20.1.140
    Gateway: 31.20.1.135
    Or
    78.92.47.166 - 78.92.47.170
    Gateway: 78.92.47.165
    I can configure the new Cisco box with one of these ranges, but as it doesn't seem to have LAN Multi-homing, I don't seem to be able to add the 2nd subnet. Is this right? Is there another way of configuring it?
    Thanks,
    Giles

  • SA520 NAT/PAT not working with NAT address

    The SA520 I have is configured on one public IP address and an Exchange server is behind it. The Exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independent of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some times and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly.. and then go back. If I use a 3rd party website to test the IP address sometimes I get the correct one and sometimes I get the wrong address.
    Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)?  I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25.  How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?

    Hi John,
    In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out through the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) through Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in through the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit through your ALIAS IP.
    We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace)  After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture.  Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com.  On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button.  Open file with Wireshark/Ethereal and observe the source and destination address of the packets.  They should have the ALIAS address and not the WAN IP address.
    If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat the capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email account (Yahoo, Gmail, Hotmail).
    If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
    If there are issues, you can post the captures as a personal message to me.
    I hope the above will help narrow the issue a bit.
    Best regards,
    Julio

  • Channels response on SA520

    Hi
    A customer of mine is asking if the SA520 supports channel response for integration into SMS Passcode. I have tried searching the datasheet for information about this but with no luck. Can anyone shed some light on this?
    Kind Regards,
    Michael

    Are you able to see a contact person for this vendor under Surrogate bidding tab? If not, then pl create one and check again.
    Nikhil

  • ContentDB 10.1.3.2.0 of WebCenter Suite and S2S Trusted Application error

    Hi ,
    Has anyone tried creating a trusted s2s application entry in OID, using the steps provided under the contentdb devkit (cdb\doc\authentication.html)?
    When I run ./runs2s.sh I get Permission denied even though I have updated the jazn-data.xml file.
    Then I tried running
    /home/oracle/cdb/jdk/bin/java -classpath /home/oracle/jk/cdb_bpel/cdb/lib/trusted-app-utility.jar:/home/oracle/cdb/jlib/repository.jar oracle.ifs.examples.s2s.TrustedApplicationUtility -create applicationInfo=/home/oracle/jk/cdb_bpel/cdb/conf/application.info
    got this error
    oracle.ias.repository.schema.SchemaException: oracle.ias.repository.schema.SchemaException: iAS Property could not be foundProperty Name OIDsslport in /home/oracle/cdb/config/ias.properties
    ias.properties file
    [ComponentConfig]
    Apache.LaunchSuccess=true
    J2EE.LaunchSuccess=true
    Portal.LaunchSuccess=true
    ContentDB.LaunchSuccess=true
    WebCenter.LaunchSuccess=false
    [InstallData]
    Version=10.1.3.2.0
    InstallType=contentdatabase
    Components=j2ee,apache,content database
    IASname=cdb.contentdb.sjrwmd.com
    InstanceNamesList=%InstanceNamesList%
    IASpassword=
    IASSvcpassword=
    UserName=oc4jadmin
    InfrastructureUse=false
    DatabaseManagedClusterSupport=false
    SSLOnly=%SSLOnly%
    VirtualHostName=contentdb.sjrwmd.com
    InfrastructureInstallOnRAC=%b_InfrastructureInstallOnRAC%
    OIDhost=%s_oidHost%
    OIDport=%s_oidPort%
    OIDSSLport=%s_oidSSLPort%
    OC4JAdminpassword=05491107c9440243e58219322b068c4dbd59dddff4c5575902
    [InfraStructureDatabase]
    InfrastructureDBCommonName=%s_infrastructureGlobalDBName%
    [EMConfigData]
    IMAdminSupported=%IMAdminSupported%
    IMServerLocConfigurable=%IMServerLocConfigurable%
    IMReposAdminSupported=%IMReposAdminSupported%
    CentralAdminSupported=%CentralAdminSupported%
    MRAdminSupported=%MRAdminSupported%
    FarmAdminSupported=%FarmAdminSupported%
    I notice OIDSSLport in the file and lower case OIDsslport in the error output.
    Any idea how to resolve this?
    Thanks,
    Jigar

    I have a similar problem on a similar environment (Win 2003/ 10.1.3.2.0/DB 10.2.0.1) installation of Webcenter Suite using Basic installation.
    I have tried creating the table spaces according to the specifications given in the Oracle documentation, yet the installer complained about the table spaces not having free space left (especially the WORK_IFS table space). I also tried giving on average 15MB more than the suggested space for their datafiles, and it still complained about the table space issue.
    - When the configuration assistant fails, and you exit out of the Universal Installer, is there any option or way to just rerun the configuration assistant for content db again?
    - I see on the EM for WebCenter Suite that all the other components seem to install properly and are up and running yet there is no mention of Content DB. Nor there is any option to try to reconfigure it.
    - or do we have to uninstall the whole WCSuite, and/or the database 10201 too and then reinstall the software?
    Can someone please help in finding a way forward?
    thanks for your cooperation.
    AMN

  • Question about PVID, SA520, Native VLAN

    Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
    I have a scenario where I have a pre-existing production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN on a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via Ethernet. Guest computers would always have to connect wirelessly.
    I accomplished this to a point.
    I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
    VLAN Recap:
    VLAN 1 , 192.168.75.0/24
    VLAN 10, 192.168.1.0/24
    VLAN 20, 192.168.20.0/24
    Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
    The Aironets have been configured correctly.
    SSID: Priv is part of VLAN 10
    SSID: Pub is part of VLAN 20
    Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
    Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
    Here's my challenge:
    The original production LAN is connected via an unmanaged switch.
    I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native VLAN?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, any traffic coming from the unmanaged switch will automatically be tagged with VLAN 1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
    Any ideas or help on the above?
    What I would do if I had a managed switch on the production LAN:
    If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
    Hiccups when setting up the WAP:
    I would have changed the VLAN 1 on SA520 to 192.168.1.0/24  subnet, and only created a second subnet, but there was a challenge  with that and the WAP's.
    Cannot change the VLAN that dot11radio0 is a part of. There's no encapsulation command.
    Could not broadcast the SSIDs successfully and secure them via WPA unless the SSIDs were on VLANs other than 1. The dot11radio0 would go into a "reset" state.
    Could change the VLAN the subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN2.
    In any event, it's working, but the rest of the infrastructure is the challenge.
    Here's one of my  WAP configs as an example:
    Building configuration...
    Current configuration : 2737 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname WAP2
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    no aaa new-model
    no ip domain lookup
    dot11 syslog
    dot11 ssid CASPRIV
       vlan 10
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 107E1B101345425A5D4769
    dot11 ssid CASPUB
       vlan 20
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 132616013B19066968
    username Cisco password 7 0802455D0A16
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 20 mode ciphers aes-ccm
    encryption vlan 10 mode ciphers aes-ccm
    ssid CASPRIV
    ssid CASPUB
    mbssid
    channel 6
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip address 192.168.1.5 255.255.255.0
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    ip address 192.168.20.3 255.255.255.0
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption mode ciphers aes-ccm
    ssid CASPRIV
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface BVI1
    no ip address
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local

    Hello Paul,
    You have a lot going on here so forgive me if I miss something.
    PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
    The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
    I do hope this helps with setting up your network.

  • SA520 Optional port WAN mode for isolated network?

    Long story short, the client bought 2 SA520s, one for each site, due to its ability to have a second WAN/LAN port (Optional Port). They have a 2nd WAN connection installed that does not have internet. Essentially it is a hospital link that was installed to gain access to some Citrix systems and custom web portals for hospital use.
    The IDEA was to enable the optional port in WAN mode. Then I was going to add a route statement so that any traffic destined for the hospital network would route to the optional WAN port.
    Problem - When just enabling WAN mode in the Optional Port settings, the WAN port won't come online. I have to choose load balancing or failover. Neither of which is true; I don't want balancing or failover since it isn't a real "internet" connection.
    I thought about setting the port to LAN mode, but it appears that simply makes the router a 5-port switch instead of 4. I was hoping I could simply create a second LAN segment and route certain traffic to it as well. Once I enable LAN mode, however, all configuration disappears and the Networking > LAN menu shows no specific Optional Port configuration options.
    Can this not be configured as such? Saying it offers an optional port for LAN/WAN/DMZ configurations sort of implies it can do what I need it to do. I'm missing something, somewhere.
    Help!
    Eric

    Hi Eric,
    One thing you can do is to enable the Optional WAN port. Set the 'WAN Mode' to load balancing. Then use the 'Protocol Bindings' to handle your routes. You would configure your hospital network IP range as the destination network and select your Optional WAN. Another rule would have a destination of ANY and would go out the dedicated WAN. You may have to add a rule for DNS resolution to go through your hospital network so the local hospital DNS entries resolve.
    Hope this helps.
    Chris
