Stateful inspection for UDP and ICMP protocols
Hi everyone,
Can you tell me how the ASA uses stateful inspection for UDP and ICMP protocols?
Best regards.
Basically, each time an ASA receives a new UDP connection it will record the source IP, source port, destination IP and destination port. That information will be held in the stateful table of the ASA, and a reply for that packet will be expected for a specific amount of time (timeout).
That's it.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
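A worked model of what the answer above describes, added here as an illustration (it is not Julio's code and not Cisco's implementation). It keeps a connection table keyed on the UDP 5-tuple, lets the reply through only while the entry is alive, and extends the same idea to ICMP echo, where there are no ports and the reply is matched on the request's identifier and sequence number instead. The idle timers are the values that appear in the ASA config further down this page (`timeout ... udp 0:02:00 icmp 0:00:02`). The interface names and the packets are constructed for the demo, and treating an echo request as answered by exactly one reply is this model's simplification of ICMP inspection.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP_IDLE = 120.0     # seconds: "timeout ... udp 0:02:00" in the ASA config on this page
ICMP_IDLE = 2.0      # seconds: "timeout ... icmp 0:00:02"
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "icmp"
    iface: str          # ingress interface (constructed names: "inside", "outside")
    src: str
    dst: str
    a: int              # UDP source port, or ICMP identifier
    b: int              # UDP destination port, or ICMP sequence number
    icmp_type: int = 0  # only meaningful when proto == "icmp"

    def key(self) -> Tuple:
        """Key under which a flow opened by this packet is stored."""
        return (self.proto, self.src, self.dst, self.a, self.b)

    def answered_key(self) -> Tuple:
        """Key of the stored flow this packet would be the reply to. A UDP reply swaps
        addresses and ports; an ICMP echo reply swaps only the addresses and keeps the
        request's identifier and sequence number."""
        if self.proto == "udp":
            return ("udp", self.dst, self.src, self.b, self.a)
        return ("icmp", self.dst, self.src, self.a, self.b)


class StatefulTable:
    """Connection table: flow key -> time (seconds) at which the entry expires."""

    def __init__(self, trusted: Tuple[str, ...] = ("inside",)) -> None:
        self.trusted = set(trusted)          # interfaces allowed to open new flows
        self.entries: Dict[Tuple, float] = {}

    def _purge(self, now: float) -> None:
        for k in [k for k, expires in self.entries.items() if expires <= now]:
            del self.entries[k]

    def handle(self, pkt: Packet, now: float) -> str:
        """Return "permit" or "deny" for pkt and update the table accordingly."""
        self._purge(now)
        idle = UDP_IDLE if pkt.proto == "udp" else ICMP_IDLE

        # 1. A reply to a flow recorded earlier.
        rk = pkt.answered_key()
        if rk in self.entries and (pkt.proto == "udp" or pkt.icmp_type == ECHO_REPLY):
            if pkt.proto == "udp":
                self.entries[rk] = now + idle   # traffic in either direction refreshes the idle timer
            else:
                del self.entries[rk]            # one reply per echo request; the entry is consumed
            return "permit"

        # 2. More packets of a UDP flow in its original direction.
        if pkt.proto == "udp" and pkt.key() in self.entries:
            self.entries[pkt.key()] = now + idle
            return "permit"

        # 3. A new flow: only from a trusted interface, and for ICMP only an echo request.
        if pkt.iface in self.trusted and (pkt.proto == "udp" or pkt.icmp_type == ECHO_REQUEST):
            self.entries[pkt.key()] = now + idle
            return "permit"

        return "deny"


def demo() -> List[Tuple[str, str]]:
    """Constructed traffic: a DNS query and its answer, then two pings. Returns (label, verdict)."""
    fw = StatefulTable()
    query  = Packet("udp", "inside",  "192.168.9.19", "8.8.8.8", 53012, 53)
    answer = Packet("udp", "outside", "8.8.8.8", "192.168.9.19", 53, 53012)
    stray  = Packet("udp", "outside", "8.8.8.8", "192.168.9.19", 53, 53013)   # port never used
    ping1  = Packet("icmp", "inside",  "192.168.9.19", "192.168.6.11", 4660, 1, ECHO_REQUEST)
    pong1  = Packet("icmp", "outside", "192.168.6.11", "192.168.9.19", 4660, 1, ECHO_REPLY)
    ping2  = Packet("icmp", "inside",  "192.168.9.19", "192.168.6.11", 4660, 2, ECHO_REQUEST)
    pong2  = Packet("icmp", "outside", "192.168.6.11", "192.168.9.19", 4660, 2, ECHO_REPLY)
    return [
        ("dns query out",           fw.handle(query,    0.00)),
        ("dns answer back",         fw.handle(answer,   0.05)),
        ("answer to unused port",   fw.handle(stray,    0.10)),
        ("echo request out",        fw.handle(ping1,    1.00)),
        ("echo reply back",         fw.handle(pong1,    1.01)),
        ("same reply again",        fw.handle(pong1,    1.02)),
        ("second echo request out", fw.handle(ping2,    5.00)),
        ("reply 3 s later",         fw.handle(pong2,    8.00)),
        ("dns answer after 2 min",  fw.handle(answer, 130.00)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:26} {verdict}")
```

Run `demo()` to see the verdicts. The denies worth noticing are the DNS answer that arrives after the two idle minutes have passed, the echo reply that arrives three seconds after its request, and the second copy of an echo reply that was already matched: with no ports to match on, the identifier/sequence pair and the very short timer are all the firewall has to tie an ICMP reply to the request that caused it.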
Similar Messages
-
103 movement inspection for spares and engineering materials
Can anybody tell me how to control engineering and spares materials? When I do a GR against movement 103, an inspection lot is created, but there is no control of the goods kept in quality, and the system also allows the 105 movement for the total quantity. How will we control the quantity if it is in quality stock? Are any settings required? Kindly send me guidelines.
Hi,
103 movement is GR w.r.t. PO into GR blocked stock. Generally GR blocked stock means keeping the material outside the plant. The stock displayed in GR blocked stock isn't counted in inventory stock.
103 movement will be activated where the stores want to put some quantity check on the material and where the purchase dept doesn't want to take any accountability for the supplier's deficit stocks. (In 101, accountability takes place immediately, it is reflected in the inventory, and an FI document gets generated.)
In MIGO after a 103 movement, the user can immediately release stock from GR blocked stock in the same screen (A05 Release from GR blocked stock). From a quality point of view you need to go with the 103-105 movement types. Here don't activate quality for the 103 movement but activate quality for the 105 movement type, because with 103, after inspection, you cannot show defective material in blocked stock and it will remain in GR blocked stock. Confusion remains between new material and defective material, where both will remain in GR blocked stock.
In short: 103 - quantity check (stores activity, no inspection lot)
105 - quality check (quality activity, inspection lot)
Edited by: Lokesh K on Aug 10, 2010 1:03 PM -
REG selective and % inspection for 03 and 04 types for batch material
Hello Gurus,
The scenario is:
1. Material is batch managed and 03 & 04 types activated.
2. Against a production order, several batches will be generated.
Client requirement is:
1. After the release of the PO, only the first batch will be inspected.
2. After that, if required, 10% of that PO will be inspected (type 03)
3. After all these inspection, RR and UD, next stage will be confirmation of PO and generation of 04 type lot.
Is that possible in SAP? I have my doubts. If we activate 03 type in mat master, it should generate lot for every batch. Is it possible to manage the scenario with 04 type, where next stage becomes stock transfer?
Really appreciate quick help on this.
Sorry. I would say you would have to develop all your own custom sample procedures for this. I don't see any easy way for this to be done in standard SAP.
It would even be difficult if you had one PO for each batch. Maybe others might have some ideas but I don't at this time.
FF -
Hello. I want to use my iPhone as a viewing screen for a USB endoscope (it's a small camera on a long cable for inspecting down piping and such). With your app, is it possible to attach the USB to my iPhone using an adapter to watch the live video feed on the iPhone?
Thank you. -
iPad 4 won't turn on at all, and is recognized by iTunes as being in recovery mode. When I try to restore, it stalls on the portion stating "preparing device for restore" and on the page it says "iTunes is restoring the software." Been like this for a day. I read the restore notes on Apple, but this seems to be a little more unique than the standard recovery issues. Any ideas as to why I seem to keep stalling during the restore process?
Couple of things I can think of before going to the Apple store.
First, if you can, power off the iPad. Then connect it to the charger that came with the iPad and plug that into a known good wall outlet. Leave it there at least an hour then try to reset your device. Press and hold the Home and Sleep buttons simultaneously until the Apple logo appears. Let go of the buttons and let the device restart.
Also, you mentioned you have the latest iTunes. But it would be good to check the actual version. If the iPad is running iOS 7 you need iTunes 11.1 or later. -
So we just got a new MacBook and I also installed the Apple Configurator tool. I'm using it to prepare the iPads for deployment and it won't let me prepare them. It gets an error stating "retrieving iOS info from Apple", then it stops and says "internet error". My internet connection is fine with the MacBook. It shows the iPad listed under the Prepare logo up top as 1, but under Supervise none are shown, although it does show itself in iTunes. Also the profile I created is fresh and has no errors. We have tried nearly everything I can think of and online forums are not giving us too much info on this error.
A wag at this. A port issue?
"Apple Push Notification network setup
When MDM servers and iOS devices are behind a firewall, some network configuration may need to take place in order for the MDM service to function properly. To send notifications from an MDM server to Apple Push Notification service, TCP port 2195 needs to be open. To reach the feedback service, TCP port 2196 will need to be open as well. For devices connecting to the push service over Wi-Fi, TCP port 5223 should be open."
http://www.google.com/url?sa=t&rct=j&q=ports%20ios%20configure%20ipad&source=web &cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fimages.apple.com%2Fipad%2Fbusiness%2Fdocs%2 FiOS_MDM.pdf&ei=5lXGUPCcJMXx0gH2wYG4BA&usg=AFQjCNFzINvs7ktT-6o6Q_l4Qk2HkpjtCA&ca d=rja
google: ports ios configure ipad
Try it on your home network where there isn't a lot of 'controls' -- network filtering , firewalls, etc.
Robert -
QM inspection for movement 321 and 322
Dear guru,
Presently there is one new requirement from our business wanting us to create an inspection type that will allow for users to use movement type 321 & 322 through MIGO.
Because the standard SAP setup (i.e. SPRO > QM > Quality Inspection > Inspection Lot Creation > Inspection for Goods Movement) for movement types 321 and 322 is not tied to any inspection lot origin; further, if I use the "copy as" method or hit the create New method, the inspection lot origin field box is greyed out and does not allow input of an inspection lot origin.
May I know how to resolve this issue? Or 321 and 322 should not involve QM? or other?
Thanks.
TuffTuffy,
What I have understood is as follows; I'll try to re-quote it.
1. You declare production and the stock goes to quality inspection with the 04 inspection type
2. You clear this inspection lot and post the stock to unrestricted use through QA32 / QA12
3. Now you want to reverse the production movement.
4. System doesn't allow you to reverse this and throws the error "Deficit of stock in quality"
5. If you try to cancel the 321 material document, the system throws the error "Material document cannot be processed"
If above is the scenario then perhaps you have following 2 options
1. Document specific reversal
a. You need to implement SAP Note 175842
b. As a result of which you get a program in system, give inspection lot as reference.
c. System reverses the stock and posts back to quality inspection
d. Now if you try to cancel 101 material document (production reversal) through MBST, system will allow you.
2. Without document specific
a. Go to MB31
b. Input production order and opt for 102 movement.
c. Enter
d. Select the stock type as unrestricted. (default it would be X i.e. quality inspection)
Under ideal circumstances the need to use any of the above options shouldn't arise. If the requirement is production reversal, I think stopping inspection lot creation or the use of MIGO / MB1B would not work, as this eliminates the utilization of the QM module.
Regards,
Anand Rao -
I have the CC Photography subscription. The last several days, every time I bring up Photoshop, I get a window stating "Sign In Required" and "Terms and Conditions for Trial Software". Why? This is not trial software.
Asked to sign in after paying may help
-http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html
or
Chat Now button near the bottom for Activation and Deactivation problems may help
http://helpx.adobe.com/x-productkb/policy-pricing/activation-deactivation-products.html -
Fix for Airport Wireless Connection Problem stating Self-Assigned IP and not wanting to connect in Lion OSX.
Bought my girlfriend the newest MacBook Pro 13" and began experiencing problems with my Wi-Fi the moment we got home. Her MacBook would not connect to our home Wi-Fi while my old MacBook Late 2008 running Snow Leopard connected without a problem. AirPort would say that it had a Self-Assigned IP address (168.x.x.x). Did not realize it was a Lion problem until, after using her MacBook Pro and becoming jealous of the new OS X, I upgraded. Soon after I was unable to go online. Luckily I had my iPad 2 and I began to scour the net for help. Ran into a lot of suggestions, but it was not until I tried the following all together that I was able to share the good news, from my MacBook. Hope this works:
First go to Preferences > Network and click on the cog next to the + and - on the sidebar and click Set Service Order
- Move Wi-Fi to the top and click ok.
- Set location to Automatic
- Click Apply
- Click Advanced
- Click the "-" on the selected Wi-Fi router you wish to connect to
- Click Apply
- Click Lock to Prevent Further Changes
Go to your Mac's harddrive, (Macintosh)
- Go to Library > Preferences > SystemConfiguration >
- Delete "com.apple.airport.preferences.plist" file
Turn off your computer
- push and hold Option+Command+R+P
- turn on computer
- when the grey screen turns on you will hear the OS X "ON" sound (for lack of a proper term) and it will momentarily restart.
- you will once again hear the "ON" sound, let go of all keys.
- this resets your PRAM
Go to Preferences > Network > Advanced > + sign
- click Choose a Network
- Select your network and enter password
Voila!!! I tried this on my MacBook Late 2008 and my girlfriend's new MacBook Pro 2010.
No, you are clearly mistaken. The Self-Assigned IP address problem exists on many MacBook Pro models, including the current model, which I mentioned as being the original computer with the problem. While my 2008 MacBook is older, it was working perfectly on Snow Leopard and didn't suffer issues until switching to Lion. So clearly the problem exists in the operating system and not so much the hardware.
I called Apple Support and they had no fix for the problem and told me that this would hopefully be addressed in a subsequent update. It wasn't until I came across the answer after trying many different methods that I got both of the MacBooks to connect to my router. Otherwise I wouldn't or could not have been surfing the internet for the last 4 months.
Cheers. -
%DMVPN-3-DMVPN_NHRP_ERROR: Tunnel0: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7)
I had pre-allocated tunnel ip's to remote spokes , some of them were implemented and put into production. Some of them got the config but the tunnel interfaces were left at shut.
It's for this reason that the DMVPN hub keeps getting NHRP requests from one of the inactive spokes. Following is the sh ip nhrp extract:
10.x.x22/32
Tunnel0 created 00:02:58, expire 00:00:06
Type: incomplete, Flags: negative
Cache hits: 7
I just can't seem to find the spoke WAN IP to identify it. I tried debugs but just can't get it.
From HUB:-
Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel0: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
Nov 30 10:36:32: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 86
Nov 30 10:36:32: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Nov 30 10:36:32: shtl: 4(NSAP), sstl: 0(NSAP)
Nov 30 10:36:32: pktsz: 86 extoff: 52
Nov 30 10:36:32: (M) flags: "router auth src-stable nat ", reqid: 46113
Nov 30 10:36:32: src NBMA: 20.x.x.x.
Nov 30 10:36:32: src protocol: 10.x.x.1, dst protocol: 10.x.x.22
Nov 30 10:36:32: (C-1) code: no error(0)
Nov 30 10:36:32: prefix: 32, mtu: 17912, hd_time: 360
Nov 30 10:36:32: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel0: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
So my question is, how do I find out the spoke WAN IP, so I can do something about it? For now, it's just filling up my logs on the hub router... not good ;-))
Hello Marcin,
If tunnel interface is shut no NHRP activity should be going, on top, in debugs you point the hub is sending resolution request, not receiving it.
Agree, I expected the same, but unfortunately this is not the case. The spoke does send out NHRP requests even with the tunnel status as admin shut.
If your hub does not have NHS, it will not know where to send it's resolution request.
I am still on DMVPN Phase 1, so Spokes dont talk to other spokes yet.
Are you positive that there is nothing that is sending packets towards 10.x.x.22 on the hub side (sniffer trace or classifying ACL on "LAN")?
Other than a spoke, it can't be anything, as the subnet is dedicated to tunnel interfaces.
If you know it's not a misconfig and there is no traffic on the hub side initiated to 10.x.x.22, try removing and adding the full tunnel configuration, i.e. we want to make sure that the crypto socket gets closed and restarted.
I can do this over the weekend, but I am sure this is not going to fix the problem, the reason being that the hub was set up before anything else and then we started migrating spokes from primary legacy GRE tunnels to the DMVPN tunnel as primary and legacy as a backup.
Guess I am still looking for the answer... Is there a WAN ACL that I can use to filter the successfully migrated spokes and log the deny message, so as to know what remote WAN IP carries along the tunnel IP of .22, or any other debug?? -
I have an iMac and a MacBook with Intel Core 2 Duo processors. I realize that this is within the stated requirements for Lion. However was wondering if by migrating to Lion this will result in too much demand on processor resources, thus a slower machine than using Snow Leopard?
Which iMac? Which MacBook? Both have had several model
iterations, even within the framework of a Core2Duo processor.
With that said, I have an early 2009 iMac 24", with 2.66 GHz
Core2Duo with 8 gig of RAM, and in my opinion, seems to be running
smoother and faster with Lion. -
Something software related prevented me from being able to boot up my iMac. The remedy was to wipe the computer of all software and re-install everything via my Time Capsule. All good there... but now I cannot open Ai, and a box appears stating "Licensing for this product has stopped working" and to reference error code 150:30. How do I get my Ai to open?
Run the cleaner tool and reinstall it properly.
Use the CC Cleaner Tool to solve installation problems | CC, CS3-CS6
Download CS6 products
Mylenium -
I downloaded Yosemite last night and tried to look at my photos in iPhoto and noticed that needed updating. When I tried to update as requested, I got an error message stating that the app (and several others including Pages and Numbers) couldn't be updated because they weren't purchased by the user ID I had entered. I'm the only user of the computer and now I can't find my photos anywhere! Any help would be appreciated.
Thanks
Some folks have solved this issue by dragging the apps to an external disk, then disconnecting it, and then are able to download. Apparently it can arise if you upgraded from an OS other than Mavericks.
Failing that: Contact App Store support. There's a link on the right hand side of the App Store Window. They're the only ones who can sort out account issues. -
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue, but I'm not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
John
I don't see any inspection commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least ICMP inspection. You can do that easily with the legacy command "fixup protocol icmp".
Sent from Cisco Technical Support iPad App -
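One check I would run on the config posted in this thread before touching inspection (added here; it is not part of the thread and not a Cisco tool): both manual NAT lines, `nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets ...` and `nat (inside,outside) source static TownHall_Nets TownHall_Nets ...`, use a real-source group that contains 192.168.10.0/24 and 192.168.9.0/24, networks that sit behind two different interfaces. A manual NAT rule whose source object covers a network that is not behind the rule's ingress interface can match the forward flow while the reverse flow matches the other rule, which is what "Asymmetric NAT rules matched for forward and reverse flows" reports, so it is a candidate worth ruling out. The script parses interfaces, objects, object-groups, static routes and manual NAT lines, and flags any rule whose source object includes a subnet not reachable through its ingress interface. The sample input is a trimmed copy of the posted config; the corrected rules at the end are my suggestion, not something the thread confirmed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Net = ipaddress.IPv4Network
Member = Union[Net, str]   # a literal subnet, or the name of another object

def _net(addr: str, mask: str) -> Net:
    return ipaddress.IPv4Interface(f"{addr}/{mask}").network

def parse(config: str):
    """Return (nameif -> subnets reachable through it, object name -> members,
    manual NAT rules as (ingress, egress, real source object)). Indentation is
    ignored, so a flattened config like the one posted here parses the same."""
    reach: Dict[str, List[Net]] = {}
    objects: Dict[str, List[Member]] = {}
    rules: List[Tuple[str, str, str]] = []
    ctx = ("", "")                 # (kind, name) of the block being read
    pending: Dict[str, str] = {}   # nameif / ip address of the interface being read

    def flush_interface() -> None:
        if "nameif" in pending and "addr" in pending:
            reach.setdefault(pending["nameif"], []).append(_net(pending["addr"], pending["mask"]))
        pending.clear()

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush_interface(); ctx = ("interface", line.split()[1]); continue
        if (m := re.match(r"object(-group)? network (\S+)$", line)):
            flush_interface(); objects.setdefault(m.group(2), []); ctx = ("object", m.group(2)); continue
        if (m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) ", line)):
            flush_interface(); ctx = ("", ""); rules.append(m.groups()); continue
        if (m := re.match(r"route (\S+) (\d\S*) (\d\S*) ", line)):   # static routes count as reachable
            flush_interface(); ctx = ("", ""); reach.setdefault(m.group(1), []).append(_net(m.group(2), m.group(3))); continue
        kind, name = ctx
        if kind == "interface":
            if (m := re.match(r"nameif (\S+)", line)):
                pending["nameif"] = m.group(1)
            elif (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
                pending["addr"], pending["mask"] = m.groups()
        elif kind == "object":
            if (m := re.match(r"(?:subnet|network-object) (\d\S*) (\d\S*)", line)):
                objects[name].append(_net(*m.groups()))
            elif (m := re.match(r"host (\d\S*)", line)):
                objects[name].append(_net(m.group(1), "255.255.255.255"))
            elif (m := re.match(r"network-object object (\S+)", line)):
                objects[name].append(m.group(1))
    flush_interface()
    return reach, objects, rules

def resolve(objects: Dict[str, List[Member]], name: str) -> List[Net]:
    """Flatten an object or object-group (groups may reference objects) into subnets."""
    nets: List[Net] = []
    for member in objects.get(name, []):
        nets.extend(resolve(objects, member) if isinstance(member, str) else [member])
    return nets

def find_misplaced_sources(config: str) -> List[Tuple[str, str, str, str]]:
    """Flag (ingress, egress, source object, subnet) for each manual NAT rule whose real
    source object holds a subnet not reachable through the ingress interface. Such a rule
    can claim the forward flow of another interface's traffic while the reverse flow matches
    a different rule. "any" is flagged too unless the interface carries the default route."""
    reach, objects, rules = parse(config)
    findings = []
    for ingress, egress, src in rules:
        known = reach.get(ingress, [])
        for net in resolve(objects, src):
            if not any(net.subnet_of(k) for k in known):
                findings.append((ingress, egress, src, str(net)))
    return findings

# Trimmed copy of the posted config: the interfaces, objects and the group the NAT rules use.
POSTED_BASE = """
interface Vlan1
 nameif inside
 ip address 192.168.9.1 255.255.255.0
interface Vlan10
 nameif InfraNet
 ip address 192.168.10.1 255.255.255.0
object network FD_Net
 subnet 192.168.6.0 255.255.255.0
object network obj-TownHallNet
 subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
 subnet 192.168.10.0 255.255.255.0
object-group network TownHall_Nets
 network-object 192.168.10.0 255.255.255.0
 network-object object obj-TownHallNet
"""
# The two manual NAT lines exactly as posted.
POSTED_NAT = """
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
"""
# My suggested rewrite (not confirmed in the thread): one rule per ingress interface, each
# naming the object for the network that actually sits behind it; both objects already exist.
FIXED_NAT = """
nat (InfraNet,outside) source static obj_InfraNet obj_InfraNet destination static FD_Net FD_Net
nat (inside,outside) source static obj-TownHallNet obj-TownHallNet destination static FD_Net FD_Net
"""
```

`find_misplaced_sources(POSTED_BASE + POSTED_NAT)` reports 192.168.9.0/24 under the InfraNet rule and 192.168.10.0/24 under the inside rule; the same call with `FIXED_NAT` reports nothing. On the ASA itself, `show nat` gives per-rule hit counts and `packet-tracer input outside icmp 192.168.6.11 8 0 192.168.9.19` shows which NAT rule the forward flow hits, so you can compare it with a trace in the other direction before and after the change; after editing NAT rules, `clear xlate` so stale translations do not keep the old behaviour alive. The check only knows attached subnets and static routes, so a network learned dynamically behind an interface would be a false positive.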
ACE - Inspection per VIP and other Questions
I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
One thing i haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting the whole traffic flowing through the routed VLAN.
My service-policy is currently bound on the xfer net VLAN which also services the VIP.
I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but unfortunately it also works if I access the real servers in the VLAN behind the ACE directly.
A: Any idea how to solve that with best practice?
B: I haven't found a way to create a self signed certificate so far. Is it not implemented or did i just miss it?
C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now two times in my config. Do i only need them once in my policy or does it make sense to keep them per HTTP and HTTPS Class?
The corresponding config:
class-map match-all HTTP-INSPECT-L4CLASS
description HTTP protocol deep packet inspection
2 match port tcp eq www
class-map type http inspect match-any HTTP-INSPECT-L7CLASS
description HTTP - Deep packet Inspection - Definition
2 match content length range 0 256
3 match url [/]admin
4 match url .asp
class-map match-all L4-VIP-CLASS
2 match virtual-address 10.10.10.85 tcp eq www
class-map match-all L4-VIP-CLASS-SSL
2 match virtual-address 10.10.10.85 tcp eq https
class-map type http loadbalance match-any L7-SLB-CLASS-1
3 match http header Host header-value "10.10.10.85*"
4 match http header Host header-value "slb.foo.local*"
class-map type management match-any REMOTE_ACCESS
2 match protocol ssh any
3 match protocol icmp any
policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match L7-SLB-Policy
class L7-SLB-CLASS-1
serverfarm LB-Testfarm
policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
class HTTP-INSPECT-L7CLASS
reset
policy-map multi-match L4-SLB-POLICY
class L4-VIP-CLASS
loadbalance vip inservice
loadbalance policy L7-SLB-Policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_PARAMETER_MAP
class L4-VIP-CLASS-SSL
loadbalance vip inservice
loadbalance policy L7-SLB-Policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
ssl-proxy server SSL-PSERVICE-Server
class HTTP-INSPECT-L4CLASS
inspect http policy HTTP-INSPECT-L7POLICY
interface vlan 444
description XFER-ACE
ip address 10.10.10.83 255.255.255.240
access-group input All
access-group output All
service-policy input L4-SLB-POLICY
service-policy input REMOTE_MGM_ALLOW_POLICY
no shutdown
interface vlan 555
description ACE-Server
ip address 10.10.10.97 255.255.255.240
access-group input All
access-group output All
no shutdown
Thanks for reading...
Roble
Gilles, hope you still read this thread :)
In another Post you mentioned that the ACE features URL rewriting. I am desperate looking for this feature but can't find it anywhere in the docs.
Since i am terminating ssl on the front and speaking plain http on the back end i have some problems with the portal application and links to non-secure documents.
I don't think i can make the appl. admins fix the problem or make the company for the portal
rewrite the code. (3 letters NOT starting with an I)
From the SCA Docs i found following description which matches my problem.
[quote]
When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
[/quote]
EDIT:
Another thing...
I currently redirect all my http traffic to a certain https url with a redirect rserver. Works fine.
I am still thinking about how to solve the same problem with ssl/https portion of my vip.
vip:443 -> redirect to vip:443/url/foo/bar/
I tried something like...
vip:443 -> redirect to vip:444/url/foo/bar/
But somehow that didn't work out. You have a valid "conceptional" approach to this issue?
Roble