Standalone CA setup in DMZ

Hi,
We are planning to set up a standalone CA server (workgroup) in the DMZ. Is it possible and recommended?
What are the points that we should keep in mind while doing so?
We have an option to use Windows Server 2008 R2 Enterprise or Server 2012; please recommend.
Regards,
Tushar

Standalone CAs are best for DMZ implementations.
http://technet.microsoft.com/en-us/library/cc756989(v=WS.10).aspx
I recommend using Server 2012 as it has some newer templates.
Here are some links to helpful blogs/articles/repositories on PKI that may guide you on what you're trying to accomplish overall.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Like Meinolf said, for specific questions feel free to hit us back up in the security forum or there are some of us with PKI expertise in the Directory Services forum as well.

Similar Messages

  • Everytime I try to setup my DMZ I keep breaking the internet, can someone help

    Hi,
    I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration.  I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14.  Immediately after setting up the NAT config all hosts on the network lose internet access. After 2 nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT.  It seems to me that touching any of the other public IPs tends to mess up the configuration.  Is there something I need to do with the existing NATing to free up a public IP from the NAT pool? (Sanitized config below)
    : Saved
    ASA Version 7.0(7)
    hostname ASA
    domain-name aaa.com
    enable password Iliketurtles encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.240
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.1.20.10 255.255.254.0
    interface Ethernet0/2
    description Test DMZ for web4
    shutdown
    nameif dmz
    security-level 25
    ip address 10.1.35.1 255.255.255.0
    interface Management0/0
    no nameif
    no security-level
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd xxx encrypted
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    object-group service camera tcp-udp
    description https2000
    port-object range 443 443
    port-object range 2000 2005
    access-list outside_acl extended permit icmp any any echo-reply
    access-list outside_acl extended permit icmp any any time-exceeded
    access-list outside_acl extended permit icmp any any unreachable          
    access-list outside_acl extended permit esp host Virginia host 2.2.2.2
    access-list outside_acl extended permit ah host Virginia host 2.2.2.2
    access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
    access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
    access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
    access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
    access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
    access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
    access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
    access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0            
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
    access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
    access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
    access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
    access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging asdm warnings
    logging facility 22
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    icmp permit any inside            
    asdm image disk0:/asdm-509.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 10.1.20.0 255.255.254.0
    nat (inside) 1 10.1.24.0 255.255.254.0
    nat (dmz) 0 access-list no_nat
    nat (dmz) 1 10.1.35.0 255.255.255.0
    static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
    static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
    static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
    static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
    static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
    access-group outside_acl in interface outside
    access-group inside_acl in interface inside
    access-group dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
    route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute            
    username admin password blahblahblah encrypted privilege 15
    http server enable
    http 10.1.4.0 255.255.255.0 outside
    http 10.1.5.0 255.255.255.0 outside
    http 172.16.31.0 255.255.255.0 outside
    http 100.100.100.0 255.255.255.0 outside
    http 10.1.24.0 255.255.254.0 inside
    http 10.1.20.0 255.255.254.0 inside
    http 10.1.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside 100 match address ltl_irvine_to_va
    crypto map outside 100 set peer Virginia
    crypto map outside 100 set transform-set ESP-3DES-SHA
    crypto map outside interface outside
    isakmp enable outside
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash sha          
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group Virginia type ipsec-l2l
    tunnel-group Virginia ipsec-attributes
    pre-shared-key *
    telnet 10.1.24.93 255.255.255.255 inside
    telnet timeout 5
    ssh 100.100.100.0 255.255.255.0 outside
    ssh timeout 60
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy      
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
    : end

    Please add this ACL entry on the "outside_acl":
    access-list outside_acl extended permit ip any host 2.2.2.14
    Let me know if this helps.
    thanks
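
The check behind this answer, as an added example that is not part of the original thread: a small Python audit that reads ASA 7.x/8.2-style lines and, for each one-to-one `static`, reports whether the ACL bound to the mapped interface admits any TCP/UDP/IP traffic to the published address, whether the only permit is an all-IP rule from `any`, and whether the real interface is shut down. `SAMPLE_CONFIG` is a constructed excerpt of the lines posted above; the function names are hypothetical, and the parser ignores deny ordering, names and object-groups.

```python
import ipaddress

# Constructed excerpt of the sanitized config posted in the question.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
interface Ethernet0/2
description Test DMZ for web4
shutdown
nameif dmz
security-level 25
ip address 10.1.35.1 255.255.255.0
passwd xxx encrypted
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
access-group outside_acl in interface outside
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
IF_SUBCMDS = {"nameif", "security-level", "ip", "description", "shutdown",
              "no", "management-only", "switchport", "speed", "duplex", "ospf"}
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (network or None, next index)."""
    if i >= len(tok):
        return None, i
    if tok[i] == "any":
        return ANY, i + 1
    try:
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        if tok[i] in ("object-group", "interface"):
            return None, i + 2
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    except (ValueError, IndexError):  # a name such as "Virginia", or a short line
        return None, i + 2


def parse(text):
    """Return (interfaces, acls, statics, access_groups) from flat config text."""
    ifaces, acls, statics, groups = {}, {}, [], {}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {"shutdown": False}
            continue
        if cur is not None and tok[0] in IF_SUBCMDS:
            if tok == ["shutdown"]:
                cur["shutdown"] = True
            elif tok[0] == "nameif":
                ifaces[tok[1]] = cur      # same dict, so an earlier "shutdown" is kept
            continue
        cur = None                        # first non-interface line ends the block
        if tok[0] == "access-list" and len(tok) >= 7 and tok[2] == "extended":
            src, i = _addr(tok, 5)
            if i < len(tok):
                i += PORT_OPS.get(tok[i], 0)   # skip an optional source-port clause
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst))
        elif tok[0] == "static" and len(tok) >= 6 and tok[4] == "netmask":
            real_if, mapped_if = tok[1].strip("()").split(",")
            try:
                mapped = ipaddress.ip_network(f"{tok[2]}/{tok[5]}")
            except ValueError:
                continue
            statics.append((real_if, mapped_if, mapped))
        elif tok[0] == "access-group" and len(tok) >= 5 and tok[2] == "in":
            groups[tok[4]] = tok[1]
    return ifaces, acls, statics, groups


def audit(text):
    """Map each published address to a list of problems (empty list = none found)."""
    ifaces, acls, statics, groups = parse(text)
    report = {}
    for real_if, mapped_if, mapped in statics:
        acl = groups.get(mapped_if)
        if acl is None:                   # no inbound ACL on the mapped side
            continue
        hits = [(proto, src) for action, proto, src, dst in acls.get(acl, [])
                if action == "permit" and proto in ("ip", "tcp", "udp")
                and dst is not None and mapped.subnet_of(dst)]
        problems = []
        if not hits:
            problems.append(f"no tcp/udp/ip permit in {acl}")
        elif any(proto == "ip" and src == ANY for proto, src in hits):
            problems.append(f"{acl} permits all IP from any source")
        if ifaces.get(real_if, {}).get("shutdown"):
            problems.append(f"interface {real_if} is shutdown")
        report[str(mapped.network_address)] = problems
    return report
```

With the suggested entry appended, the first finding for 2.2.2.14 changes from a missing permit to an all-IP permit; the posted config already defines `object-group service camera` (443 and 2000-2005), which a narrower rule could reference. The `shutdown` under Ethernet0/2 is reported either way.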

  • NTP server setup in DMZ

    Hi Team,
    We have Windows 2008 AD infrastructure with Single domain Single Forest & 30 remote AD sites with RODC in it.
    We are planning an NTP server setup on a Windows 2008 server in the DMZ. Can someone help me with the steps for setup?
    What is the best practice for NTP architecture so that all DCs will sync time from NTP and NTP will sync time from an external source?
    Please suggest.

    Hi,
    Would you please tell us whether your security team's plan has worked out?
    Because based on what I understand, domain members will synchronize time from Domain Controllers while DCs will synchronize time from PDC.
    Here is a thread below about the best practices of time synchronization in a domain:
    Time Sync best practices
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/043b1ebe-e7bc-40ca-91e0-174a6854808e/time-sync-best-practices?forum=winserverDS
    Best Regards,
    Amy

  • PI setup in DMZ

    All,
    I am in the process of firming up our PI architecture. I am unsure of how the setup will work in the DMZ.  The picture at the bottom of the link shows two Integration servers B2B and A2A in different zone.
    http://help.sap.com/saphelp_nw04/helpdata/en/d9/ef2940cbf2195de10000000a1550b0/content.htm
    Based on the figure my questions are :
    1. Does this mean that we need to setup two different PI systems...one in each zone.
    2. If not, then what is involved in setting up the connectivity between the two systems and what exactly is being configured on the B2B server.
    Thanks
    naghman

    Hi ,
    Appreciate if someone could please reply to this.
    Thanks in advance.
    Mikey

  • Server setup in DMZ

    Hi,
    I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
    Proposed Setup
    1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
    2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
    3) The APP server and Jump server is placed behind the Server switches.
    Requirement
    1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
    2) Internal (Corporate) users need to access the Jump server and App server.
    3) Any user accessing the Jump server would need to be authenticated by a Domain controller. The Domain controller would be on the Internal corporate segment.
    Questions
    1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
    2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
    Appreciate your inputs.
    Cheers
    Mikey

    Hi ,
    Appreciate if someone could please reply to this.
    Thanks in advance.
    Mikey

  • Server setup in DMZ Environment

    Hi,
    I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
    Proposed Setup
    1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
    2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
    3) The APP server and Jump server is placed behind the Server switches.
    Requirement
    1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
    2) Internal (Corporate) users need to access the Jump server and App server.
    3) Any user accessing the Jump server would need to be authenticated by a Domain controller. The Domain controller would be on the Internal corporate segment.
    Questions
    1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
    2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
    Appreciate your inputs.
    Cheers
    Mikey

    Hi Mikey,
    I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we keep the DMZ zone/DMZ firewall for the server/hosting environment that external parties require access to, for example a web server or application server.
    So your design requires some change in order to have a better architecture:
    internet
    |
    router
    |
    external SW
    |
    internet facing firewalls
    |
    DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall).
    Internet facing Firewall
    |
    LAN Interface SW (Inside Interface of the firewall)
    |
    LAN FW (If you really want to keep it)
    |
    Corporate Network
    Regards
    Karthik

  • SOA-INFRA server is not starting up D8B3 Standalone server setup

    While starting the Managed Server, I am hitting this error:
    Caused By: oracle.mds.config.MDSConfigurationException: MDS-01330: unable to load MDS configuration document
    MDS-01329: unable to load element "persistence-config"
    MDS-01370: MetadataStore configuration for metadata-store-usage "OWSM_TargetRepos" is invalid.
    MDS-00912: MDS repository is incompatible with the middle tier. Repository version "11.1.1.55.16" is older than minimum repository version "11.1.1.56.32" required.
    at oracle.mds.config.PConfig.loadFromBean(PConfig.java:695)
    at oracle.mds.config.PConfig.<init>(PConfig.java:504)
    at oracle.mds.config.MDSConfig.loadFromBean(MDSConfig.java:692)
    at oracle.mds.config.MDSConfig.loadFromElement(MDSConfig.java:749)
    at oracle.mds.config.MDSConfig.<init>(MDSConfig.java:407)
    at oracle.mds.core.MDSInstance.getMDSConfigFromDocument(MDSInstance.java:2011)
    at oracle.mds.core.MDSInstance.createMDSInstanceWithCustomizedConfig(MDSInstance.java:1171)
    at oracle.mds.core.MDSInstance.getOrCreateInstance(MDSInstance.java:571)
    at oracle.adf.share.config.ADFMDSConfig.parseADFConfiguration(ADFMDSConfig.java:137)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.adf.share.config.ADFConfigImpl.getResultFromComponent(ADFConfigImpl.
    Using ZIP DB as the SOA INFRA Dehydration Database, for example SCM_FUSION_SOAINFRA and FUSION_MDS, etc.
    While deploying the EAR it throws this error:
    An error occurred during activation of changes, please see the log for details.
    Message icon - Error weblogic.application.ModuleException:
    Message icon - Error Substituted for the exception oracle.mds.exception.MDSExceptionList which lacks a String contructor, original message - MDS-01329: unable to load element "persistence-config" MDS-01370: MetadataStore configuration for metadata-store-usage "ess-cp-store-usage" is invalid. MDS-00912: MDS repository is incompatible with the middle tier. Repository version "11.1.1.55.16" is older than minimum repository version "11.1.1.56.32" required.

    Your MDS repository and the middle tier seem to be at different patch levels. You need to patch up the MDS repo or roll back the patches to the middle tier.
    Regards,
    Shanmu.

  • Cisco ASA 5505 DMZ Setup

    Hello,
    I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.
    I have managed to create the interface, VLAN and IP address settings etc., but I'm a bit lost with the NAT settings and rules I need to create for it.
    I need to be able to do the following:
    - RDP access from inside network to the DMZ servers
    - Internet access for the DMZ
    I am also setting up Active Directory Federation and require HTTPS traffic from the following:
    - DMZ HTTPS to outside (Office 365 Services)
    - Outside HTTPS to DMZ (ADFS Servers on DMZ only)
    - DMZ HTTPS to inside (ADFS Servers Only)
    - Inside HTTPS to DMZ (ADFS Servers Only)
    Running Config:
    interface Vlan1
    nameif inside
    security-level 100
    ip address ccl-sua-asa 255.255.255.0
    ospf cost 10
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.16.0.1 255.255.255.0
    interface Vlan100
    nameif outside
    security-level 0
    ip address 77.107.90.202 255.255.255.248
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 100
    speed 100
    duplex full
    interface Ethernet0/1
    description Connected to CCL-SUA-SW1 port 16
    interface Ethernet0/2
    switchport access vlan 3
    access-list inbound extended permit icmp any any
    access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
    access-list inbound remark Inbound ACT for Ruth Edmonds Only
    access-list inbound extended permit tcp any interface outside eq www
    access-list inbound extended permit tcp any interface outside eq 5022 inactive
    access-list inbound remark Inbound rules for OWA 30/06/09 MD
    access-list inbound extended permit tcp any host 77.107.90.203 eq https log
    access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
    access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
    access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
    access-list inbound remark change request MET 56030 inbound POP3 for mimecast
    access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
    access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
    access-list inbound extended permit tcp any host 77.107.90.205 eq https
    access-list inbound remark Inbound rule for survey 011012 ML
    access-list inbound extended permit tcp any host 77.107.90.205 eq www
    access-list inbound extended deny ip any any
    access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
    access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
    access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
    access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
    access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
    access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
    access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
    access-list outbound extended permit ip any any
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.40.0 255.255.255.0
    nat (inside) 1 192.168.41.0 255.255.255.0
    nat (dmz) 1 172.16.0.0 255.255.255.0
    static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
    static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
    static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
    static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
    static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
    static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
    access-group outbound in interface inside
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
    route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
    Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.
    Many Thanks
    James          

    Hi,
    If you have only a ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
    You can confirm the License level with "show version" command. It should read at the end of the output.
    In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
    no forward interface Vlan1
    Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
    OUTSIDE -> DMZ
    INSIDE -> DMZ
    Connection initiating should be possible.
    So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
    You already seem to have the Default PAT configuration for DMZ Internet traffic.
    You don't have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even though your configurations were fine.
    The correct NAT configuration to enable that traffic would be to use
    static (inside,dmz) netmask
    Repeat for all
    EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic since the "security-level" loses its meaning after an ACL is attached to the interface.
    - Jouni
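
The interaction described in this reply, as an added example that is not part of the original thread: a simplified Python model of how a pre-8.3 ASA decides whether a new connection from one interface to another is allowed, using the security levels from the posted config (inside 100, dmz 50, outside 0). The model ignores NAT and inspection; the ADFS address 192.168.40.10, the Internet address 203.0.113.10 and all function names are constructed for illustration.

```python
import ipaddress

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # from the posted running config
ADFS_INSIDE = "192.168.40.10"   # constructed: an ADFS server on the inside network
INTERNET = "203.0.113.10"       # constructed: stands in for an Office 365 endpoint


def first_match(acl, proto, dst, port):
    """First matching entry wins; an attached ACL always ends in an implicit deny."""
    for action, a_proto, a_dst, a_port in acl:
        if (a_proto in ("ip", proto)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(a_dst)
                and a_port in (None, port)):
            return action
    return "deny"


def allowed(src_if, dst_if, proto, dst, port, acls, no_forward=()):
    """Can src_if open a new connection to dst:port behind dst_if?"""
    if (src_if, dst_if) in no_forward:
        return False                  # "no forward interface" on a Base License 5505
    acl = acls.get(src_if)
    if acl is None:
        # No ACL on the ingress interface: only higher -> lower security-level passes.
        return LEVELS[src_if] > LEVELS[dst_if]
    # ACL attached: security-level no longer decides anything for this interface.
    return first_match(acl, proto, dst, port) == "permit"


def scenario(dmz_acl, no_forward=()):
    """Return (DMZ->ADFS https, DMZ->inside RDP, DMZ->Internet https)."""
    acls = {} if dmz_acl is None else {"dmz": dmz_acl}
    return (
        allowed("dmz", "inside", "tcp", ADFS_INSIDE, 443, acls, no_forward),
        allowed("dmz", "inside", "tcp", ADFS_INSIDE, 3389, acls, no_forward),
        allowed("dmz", "outside", "tcp", INTERNET, 443, acls, no_forward),
    )


# ACL that only opens HTTPS to the inside ADFS server: Internet access is lost.
ACL_ADFS_ONLY = [("permit", "tcp", ADFS_INSIDE + "/32", 443)]

# Same permit, then block the rest of inside and allow everything else (Internet).
ACL_ADFS_PLUS_INTERNET = ACL_ADFS_ONLY + [
    ("deny", "ip", "192.168.40.0/24", None),
    ("permit", "ip", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print("no ACL on dmz:         ", scenario(None))
    print("ADFS-only ACL:         ", scenario(ACL_ADFS_ONLY))
    print("ADFS + Internet ACL:   ", scenario(ACL_ADFS_PLUS_INTERNET))
    print("same, no forward Vlan1:", scenario(ACL_ADFS_PLUS_INTERNET,
                                               no_forward={("dmz", "inside")}))
```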

  • How to setup DMZ on Watchguard XTM 330

    Hi PCITech, there is nothing that could be directly called a 'DMZ' as you find it on some low end routers. Instead you have network interfaces that each may represent their own full blown network (if you set them up for that). By default WatchGuard allows you to select between 'trusted' and 'optional' for a new network that you configure, but you can also select 'custom'. Later, when you write firewall rules, you can then reference 'Any-Trusted' and 'Any-Optional' in your rules. But sometimes you don't want a network to follow the rules that you have in place for 'Any-Optional' and then you need to set that network as a 'Custom' network. If you want to make a server in one of these additional networks accessible by the outside world, you have to set up SNAT rules that connect between an external interface IP/port and your internal...

    Hello,
     I'm either blind or over-worked (probably both) but I can't seem to find how to setup a DMZ on the XTM 330. I need to add an Avaya IP phone system and don't want to try using SIP because the vendor said they need no NAT.
    Can someone please either direct me to the correct spot in the documentation or tell me how to do it?
    Thanks in advance
    This topic first appeared in the Spiceworks Community

  • Accessing E-business suite in another network without configuring DMZ

    Hi
    How can I enable access to E-Business Suite externally or from a different location? I don't want to set up the DMZ configurations and reverse proxy. Our company has another remote branch and they are not in the same network. How can they access the E-Business Suite without enabling DMZ and reverse proxy? Is there anything like making the IP of the Apps server public that will solve the issue?
    rgds
    rosh

    To make it public, you just need to change the IP Address of the application and the database servers to the real one and follow the steps in the following notes. Once you are done, the system will be accessible to the users then.
    Note: 338003.1 - How to change the hostname and/or port of the Database Tier using AutoConfig
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=338003.1
    Note: 341322.1 - How to change the hostname of an Applications Tier using AutoConfig
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=341322.1

  • Needing to create a DMZ zone/vlan on a small ASA.

    Hopefully an easy question as this is not my forte.
    I have a small ASA-5505 running 8.2(2).
    I have 2 vlans
    inside 192.168.58.0/24 – security level 25
    outside 25.65.25.134/30 – security level 0
    I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me. 
    How do I setup a DMZ zone to account for this block when I am connecting over a /30 network.

    Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
    So you can then either allocate the public IPs to the actual machines in which case you need one IP for the DMZ interface on the ASA or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
    Up to you, but you don't need to assign any IP from the new block to an actual interface if you don't want to.
    Jon

  • DMZ zone with PIX 501

    - How do I set up a DMZ zone with a PIX 501 firewall? Do I need to use an additional router? I have a Cisco 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
    (We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (available as a 4 port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.

  • How to setup a Default Playlist to Airport but allows BYOD playlist override?

    Sorry for the unclear description.
    Here is what I am trying to accomplish.  I have my laptop or ipod playing a default playlist to my Airport express attached to my Stereo system.  The music plays fine with no issues.  I come into the house and want to play music from my iphone or ipad, I cannot connect or play to airport express since it is already sync'd or acquired by my laptop.
    My goal is to have a default playlist playing all the time.  When myself, my kids, or anyone comes in to house they can have priority over my laptop to play their music.  Then when they disconnect, stop playing music, or leave the house; the default playlist kicks back on and continues to play out the speakers via the airport.  I am trying to do this without human manual interaction.
    I can do all of this manually like disconnect laptop, new device syncs to airport, then when they leave manually start playlist.  But I am trying to figure out how to do this dynamically without human interaction.
    Any ideas or solutions on how to get this to work?
    Thanks!
    T.


  • Missing printer setup utility

    I am trying to add a printer to complete an install, and the printer setup utility is gone-- vanished!! How can I get this restored? Any input is appreciated!!

    moblest wrote:
    I wish I had the install CD. I bought the computer refurbished ...
    A reputable seller would include the original system disks. Some people consider it illegal to sell a used computer without them. Too late for that now...
    How do I check for disk corruption?
    Run Disk Utility, assuming it's still there. Click the disk and click "verify disk". You won't be able to repair it from there, but if something is obviously wrong with your disk it will tell you.
    If it checks out ok, let's assume that you just accidentally deleted Printer Setup Utility.
    Read that thread I referenced earlier... you'll find a link to a standalone Printer Setup Utility (courtesy of BDAqua):
    http://web.fastermac.net/~bdaqua/PrinterSetupUtility.zip
    It's identical to the one I have installed.

  • DMZ and DHCP ????

    Hi all: We have set up a DMZ off of our BM39 server. The
    only purpose of the DMZ is to allow a few clients relatively
    unencumbered internet access. We have had lots of problems
    with our BM proxy interfering with secure Citrix implemented
    by some partner we work with (Hospitals).
    We also have visiting review staff from Drug companies as we
    do many drug studies. These visitors often need internet
    access and up to this point I have been placing them on our
    internal subnet. But I am rethinking this and am
    considering moving our visitors to the DMZ instead.
    To do this I want to setup a DHCP server on our BM server
    (Done) to serve up addresses for the DMZ. However during
    testing the clients are not seeing the DHCP server. I
    suspect this is a filtering issue. I currently only have
    one set of filters for the DMZ which allows all traffic from
    the public interface to the DMZ and back.
    I am assuming the DHCP server needs a filter to allow
    traffic but I have no idea what that would look like. Can
    you help me out? Thanks, Chris.

    OK, got this working using Craig's filter book - glad to
    have purchased it.
    >>> On 9/21/2009 at 11:05 AM, in message
    <4AB75DE5.CE15.0032.0@N0_$pam.vrapc.com>,
    Chris<cmosentine@N0_$pam.vrapc.com> wrote:
    > Hi all: We have set up a DMZ off of our BM39 server.
    > The
    > only purpose of the DMZ is to allow a few clients
    > relatively
    > unencumbered internet access. We have had lots of
    > problems
    > with our BM proxy interfering with secure Citrix
    > implemented
    > by some partner we work with (Hospitals).
    >
    > We also have visiting review staff from Drug companies
    > as we
    > do many drug studies. These visitors often need
    > internet
    > access and up to this point I have been placing them on
    > our
    > internal subnet. But I am rethinking this and am
    > considering moving our visitors to the DMZ instead.
    >
    > To do this I want to setup a DHCP server on our BM
    > server
    > (Done) to serve up addresses for the DMZ. However during
    > testing the clients are not seeing the DHCP server. I
    > suspect this is a filtering issue. I currently only
    > have
    > one set of filters for the DMZ which allows all traffic
    > from
    > the public interface to the DMZ and back.
    >
    > I am assuming the DHCP server needs a filter to allow
    > traffic but I have no idea what that would look like.
    > Can
    > you help me out? Thanks, Chris.
