Static Policy NAT in VPN conflicts with Static NAT
I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
interface Vlan1
ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
What am I missing?
Hi,
To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
So I am not sure whether we are looking at some bug or what the problem is.
I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
I was thinking of this kind of "static" configuration for the existing Static PAT configurations, if you want to try it:
access-list STATICPAT-SMTP permit tcp host eq smtp any
static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
access-list STATICPAT-HTTPS permit tcp host eq https any
static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
access-list STATICPAT-RDP permit tcp host eq 3389 any
static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
access-list STATICPAT-POP3 permit tcp host eq pop3 any
static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
Naturally you would add the Static Policy NAT for the VPN first.
Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT, for example the Static PAT for RDP (TCP/3389): first enter the Static Policy NAT, then remove the Static PAT and then enter the Static Policy PAT.
Remember that you should be able to test the translations with the "packet-tracer" command
For example
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni
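The warning in the question and the ordering Jouni recommends both follow from how 8.2 and earlier pick a translation: NAT exemption (nat 0 access-list) is consulted first, then every static (regular and policy together, in configuration order), then policy dynamic NAT, then regular dynamic NAT. The Python model below is an added example written for this page; it is not code from the thread or from Cisco. It reads the post's own access-list and static lines, assumes SERVER is 192.168.10.5 and that 10.159.0.5 is a host behind the Sonicwall, ignores interface pairs and the mapped side of a static PAT, and reproduces the two messages that appear on this page: a real-address warning that still installs the line, and a mapped-address error that rejects it. It also classifies the nat 0 and plain nat lines that appear in the later threads, so it goes a little beyond the single static in the question.

```python
import ipaddress
from dataclasses import dataclass

EXEMPT, STATIC, DYN_POLICY, DYNAMIC = 0, 1, 2, 3   # 8.2 NAT order of operations, first to last
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"smtp": 25, "https": 443, "pop3": 110, "ftp": 21, "ftp-data": 20, "http": 80}
NAMES = {"SERVER": "192.168.10.5"}                   # assumed: the post gives only the name
port = lambda tok: PORTS.get(tok) or int(tok)

def addr(t, i):            # 'any' | 'host X' | 'NET MASK' at t[i] -> (network, index after it)
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

@dataclass
class Ace:                 # one access-list entry, or the implied match of a plain static/nat
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: int = None      # 'eq PORT' after the source; for a static PAT, the inside host's port

    def matches(self, src, dst, proto, sport):
        return (self.proto in ("ip", proto) and src in self.src and dst in self.dst
                and self.sport in (None, sport))

@dataclass
class NatRule:
    text: str
    bucket: int
    mapped: str            # key for the mapped-address check ("dynamic" for nat lines)
    aces: list

def parse_ace(line):       # access-list NAME [extended] permit PROTO SRC [eq PORT] DST
    t = line.split()
    i = t.index("permit") + 1
    src, j = addr(t, i + 1)
    sport = port(t[j + 1]) if t[j] == "eq" else None
    dst, _ = addr(t, j + 2 if sport else j)
    return t[1], Ace(t[i], src, dst, sport)

def parse_nat(line, acls):  # one pre-8.3 'nat' or 'static' line -> NatRule in its lookup bucket
    t = line.split()
    if t[0] == "nat":                                  # nat (IF) ID access-list NAME | NET MASK
        if t[3] == "access-list":
            return NatRule(line, EXEMPT if t[2] == "0" else DYN_POLICY, "dynamic", acls[t[4]])
        return NatRule(line, DYNAMIC, "dynamic", [Ace("ip", addr(t, 3)[0], ANY)])
    i, proto, sport, mapped = 3, "ip", None, t[2]      # static (IN,OUT) MAPPED REAL netmask M
    if t[2] in ("tcp", "udp"):                         # static (IN,OUT) tcp IF MPORT REAL RPORT ...
        i, proto, mapped = 5, t[2], f"{t[3]}/{t[2]}/{port(t[4])}"
    if t[i] == "access-list":                          # policy static / policy PAT
        return NatRule(line, STATIC, mapped, acls[t[i + 1]])
    real = NAMES.get(t[i], t[i])
    if proto == "ip":
        real = f"{real}/{t[i + 2]}"
    else:
        sport = port(t[i + 1])
    return NatRule(line, STATIC, mapped, [Ace(proto, ipaddress.ip_network(real), ANY, sport)])

def add_rule(rules, rule):  # the two checks quoted in the thread when a static is entered
    msgs = []
    for r in rules:
        if STATIC == r.bucket == rule.bucket:
            if r.mapped == rule.mapped:              # rejected: the line is not installed
                return [f"ERROR: mapped-address conflict with existing static: {r.text}"]
            if any(a.src.overlaps(b.src) for a in r.aces for b in rule.aces):
                msgs.append(f"Warning: real-address conflict with existing static: {r.text}")
    rules.append(rule)                               # a warning still installs the line
    return msgs

def lookup(rules, src, dst, proto="ip", sport=None):  # first match by bucket, then config order
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for bucket in (EXEMPT, STATIC, DYN_POLICY, DYNAMIC):
        for r in rules:
            if r.bucket == bucket and any(a.matches(src, dst, proto, sport) for a in r.aces):
                return r.text
    return None

def load(lines):           # enter config lines in order -> (rules, messages the ASA would print)
    acls, rules, msgs = {}, [], []
    for line in lines:
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        else:
            msgs += add_rule(rules, parse_nat(line, acls))
    return rules, msgs

VPN_ACL = "access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0"
POLICY = "static (inside,outside) 192.168.24.0 access-list VPN"
PAT = "static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255"

def first_match(policy_first, sport):
    """Which static catches SERVER's TCP traffic (source port sport) to an assumed peer host."""
    rules, _ = load([VPN_ACL] + ([POLICY, PAT] if policy_first else [PAT, POLICY]))
    return lookup(rules, NAMES["SERVER"], "10.159.0.5", "tcp", sport)
```

SMTP replies from SERVER leave with source port 25, so first_match(False, 25) returns the static PAT: with the policy static last, that traffic is translated to the outside interface address, never matches the crypto ACL for 192.168.24.0/24, and leaves in the clear, which is the bypass the question describes. first_match(True, 25) returns the policy static, and any other source port reaches the policy static in either order. Loading the two statics produces one real-address warning whichever comes first, entering the same static line twice produces the mapped-address error that appears later on this page, and a nat 0 access-list line placed anywhere in the configuration wins over both statics, which is why the NAT-EXEMPT phase precedes the static in the packet-tracer output further down.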
Similar Messages
-
Hi
I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171.
I have a site to site VPN tunnel which terminates on the outside interface of the ASA, XXX.XXX.XXX.190.
Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site to site VPN as there is a conflict of IP addresses on the far side, so it is NATted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100.
Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy static NAT but it tries to modify the static NAT that handles the incoming traffic to the Linux server.
I hope the above makes sense.
Hi
interesting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN Client Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
How to set VPN server with static IP without DHCP on
I set up a new Mac mini server with OS X 10.9.1 and Server App 3.0.1
My ISP gave me a static public IP address.
I have on:
- web server
- mail server
- DNS server
without using DHCP, but now I want to set up an L2TP/IPSec VPN server and it requires that I give the start IP address of the VPN server.
Can I use the VPN server without the DHCP server on?
If yes, how?
If not, when I turn on the DHCP server, what do I have to do with the web and mail servers?
To run a public VPN server, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic. -
Using a non-static vector in a generic class with static methods
I have a little problem with a class (the code is shown underneath). The problem is the Assign method. This method should return a clone (an exact copy) of the set given as an argument. When making a new instance of a GenericSet (with the Initialize method) within the Assign method, the variables of the original set and the clone have both a reference to the same vector, while there exists two instances of GenericSet. My question is how to refer the clone GenericSet's argument to a new vector instead of the existing vector of the original GenericSet. I hope you can help me. Thanks
package genericset;

import java.util.Vector;

// Set of Item<E> values stored in a Vector. Every operation builds and returns
// a new GenericSet instead of mutating its argument. The closing braces were
// lost in the post and are restored here. Item<T> is the element type from the
// same package; it is not shown in the post.
public class GenericSet<E> {
    private Vector<Item<E>> v;

    public GenericSet(Vector<Item<E>> vec) {
        v = vec;
    }

    private Item<E> get(int index) {
        return v.get(index);
    }

    public static <T extends Comparable> GenericSet<T> initialize() {
        return new GenericSet<T>(new Vector<Item<T>>());
    }

    public Vector<Item<E>> getVector() {
        return v;
    }

    public static <T extends Comparable> GenericSet<T> insert(GenericSet<T> z, Item<T> i) {
        GenericSet<T> g = assign(z);
        if (!member(g, i))
            g.getVector().addElement(i);
        return g;
    }

    public static <T extends Comparable> GenericSet<T> delete(GenericSet<T> z, Item<T> i) {
        GenericSet<T> g = assign(z);
        if (member(g, i))
            g.getVector().remove(i);
        return g;
    }

    public static <T extends Comparable> boolean member(GenericSet<T> z, Item<T> i) {
        return z.getVector().contains(i);
    }

    public static <T extends Comparable> boolean equal(GenericSet<T> z1, GenericSet<T> z2) {
        Vector<Item<T>> v1 = z1.getVector();
        Vector<Item<T>> v2 = z2.getVector();
        if (v1 == null)
            return v2 == null;
        return v1.equals(v2);
    }

    public static <T extends Comparable> boolean empty(GenericSet<T> z) {
        return cardinality(z) == 0;
    }

    // The posted code discarded the set returned by insert(), so unions and
    // clones stayed empty; every call below keeps the returned set.
    public static <T extends Comparable> GenericSet<T> union(GenericSet<T> z1, GenericSet<T> z2) {
        GenericSet<T> g = assign(z1);
        for (int i = 0; i < cardinality(z2); i++)
            g = insert(g, z2.get(i));
        return g;
    }

    public static <T extends Comparable> GenericSet<T> intersection(GenericSet<T> z1, GenericSet<T> z2) {
        GenericSet<T> g = initialize();
        for (int i = 0; i < cardinality(z2); i++) {
            Item<T> elem = z2.get(i);
            if (member(z1, elem))
                g = insert(g, elem);
        }
        return g;
    }

    // Symmetric difference, as in the post: elements that are in exactly one set.
    public static <T extends Comparable> GenericSet<T> difference(GenericSet<T> z1, GenericSet<T> z2) {
        GenericSet<T> g = initialize();
        for (int i = 0; i < cardinality(z1); i++) {
            Item<T> elem = z1.get(i);
            if (!member(z2, elem))
                g = insert(g, elem);
        }
        for (int i = 0; i < cardinality(z2); i++) {
            Item<T> elem = z2.get(i);
            if (!member(z1, elem))
                g = insert(g, elem);
        }
        return g;
    }

    // Clone: copy the elements into a fresh Vector so that the clone and the
    // original never share storage. Copying the Vector directly also removes
    // the assign() -> insert() -> assign() recursion of the posted version.
    public static <T extends Comparable> GenericSet<T> assign(GenericSet<T> z) {
        return new GenericSet<T>(new Vector<Item<T>>(z.getVector()));
    }

    public static <T extends Comparable> boolean subset(GenericSet<T> z1, GenericSet<T> z2) {
        for (int i = 0; i < cardinality(z1); i++) {
            if (!member(z2, z1.get(i)))
                return false;
        }
        return true;
    }

    public static <T extends Comparable> int cardinality(GenericSet<T> z) {
        return z.getVector().size();
    }
}
The issue is not "reference a non-static interface", but simply that you cannot reference a non-static field in a static method - what value of the field ed would the static method use? Seems to me your findEditorData should look something like this:
public static EditorBean findEditorData( String username, EditorBean editorData ) {
    return editorData.ed.findEditor( username );
}
-
Good afternoon,
My internet connection is delivered by a Sagem f@st 3464 modem (Scarlet One: VDSL, TV, VoIP, Wi-Fi); it's almost the same as a BBox-2 from Belgacom (software and configuration).
This modem has 4 ethernet ports, 2 for TV and 2 for LAN; the WAN port is RJ-11 and the connection is PPPoE (in fact, it's the Belgacom network). I also got 802.11g Wi-Fi on it.
The main reason why I bought a TC is the dual-band Wi-Fi, 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
First of all, can I do the following with my TC :
1) connecting the TC using an ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
The standard manual is very poor.
Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
Sincerely yours,
AVDB
1) connecting the TC using an ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
This is easy enough to do..
Plug the TC directly into a computer.. without other connections to do the setup.
Using the newly installed 5.6 utility.
Bridge the TC.
Create a wireless network.
This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
Update the TC..
Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both the 2.4 GHz and 5 GHz bands directly to the main router. -
Problem iPhone WiFi Connection to Airport Express with static IP addresses
We have our Airport Express configured on the LAN with a fixed IP. It is not distributing IP addresses, or providing DHCP services; it simply links the WiFi to the LAN.
To connect via WiFi you set a static IP for the wireless device and enter all IP information by hand (IP/Router/Mask/DHCP etc). Laptops can connect fine, and use the network.
The iPhone connects to the wireless network ok (we tried with security on and off), however, it seems to be unable to successfully use the network. Any attempt to browse a web page using a numeric IP address, or regular IP address, fails.
Has anyone successfully used the iPhone on a WiFi network with static IP addresses, and a wireless access point that also uses a static IP address?
The problem with static IP on the iPhone was caused by the IP address being blocked by an over-zealous network manager...
-
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have a site-to-site tunnel with local host 192.168.0.250 and remote host 172.16.3.3.
For this local host 192.168.0.250, I also have a static one-to-one private-to-public translation:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, the IPsec SA shows the end-points in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel. Why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
-
ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP
8.2
HI ALL
Here is my scenario, and I have worked on this with TAC support over the last month; we finally made progress by getting our ISP to activate the 5 static IPs, but here is my issue.
basically we have a VOIP phone that is "remote". This phone needs to come through the Public IP to an internal address of 192.168.10.57.
We tried only allowing certain "ports" to pass, such as SIP and RTP, but the remote phone still cannot reach the phone server at 192.168.10.57
So
I want to open it completely as this phone pc is the ONLY device on that public IP.
So my 2 questions are:
What do I need to configure as a rule/command to make this happen, where I want the public IP of 50.x.x.x to correlate directly and openly to the internal address 192.168.10.57?
Also, what is the command to allow the public IP to be pingable, so I can just confirm that it is reachable? I know at the very end we turned it off with a sort of ICMP command.
Thank you all for your time and help. If you need more info please ask.
Thank you very much for your help.
I applied
access-list out-in extended permit icmp any host 50.x.x.x
and now I can ping. TY
But,
I applied
static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
And got this error:
ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
I just want this port "wide open" to see if the remote phone will connect to it.
Here is my edited sh run:
ASA Version 8.2(1)
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.X.X.X 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
svc enable
port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
banner value *****************************WARNING**********************************
banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
banner value ****************************************************************************
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
url-list none
svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
vpn-group-policy RemoteAccess
service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool ippool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias RemoteAccess enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
TYVM -
How to setup AirPort Time Capsule with static IP?
Until a few days ago I had been using an Airport Extreme as the router for my network. It was cabled to the modem from my internet provider.
I had 2 printers, 1 iMac, 1 MB-Pro, several SONOS-devices, iPhone, Loewe-TV and iPad setup for it.
AND IT HAS BEEN WORKING GREAT FOR MORE THAN 4 years
Then I bought my new Time Capsule:
It is connected in the same way as the Extreme but now via a static IP address.
The Airport-Utility says that I am using these set-ups:
Internet - connection "DHCP"
Network - "DHCP+NAT"
The STATUS is:
A "DOBB. NAT" (double NAT) message in the Airport Utility.
Internet-connection is VERY-good and with high-speed.
I am NOT able to get connection to the TV - it shows 100% connection but will NOT allow me to connect to it (password IS correct:-)
It is only possible to get connected to the one SONOS Play:5 which is connected to the Internet - all the other devices can only be connected when I change the network setting in Airport Utility from "DHCP+NAT" to "OFF (bridge)".
I have been told that when I am using a static IP address for my Airport then "DHCP+NAT" is the right setting in order to make the Airport set up dynamic addresses for the wirelessly connected devices.
I am not very-clever in this - but an old man who wants to get the right advice from a clever-person in order to find a solution.
ANYONE inhere who wants to help me?
THANK YOU in advance,
Sailalong wrote:
Until a few days ago I had been using an Airport Extreme as the router for my network. It was cabled to the modem from my internet provider.
I had 2 printers, 1 iMac, 1 MB-Pro, several SONOS-devices, iPhone, Loewe-TV and iPad setup for it.
AND IT HAS BEEN WORKING GREAT FOR MORE THAN 4 years
Then I bought my new Time Capsule:
It is connected in the same way as the Extreme but now via a static IP address.
The Airport-Utility says that I am using these set-ups:
Internet - connection "DHCP"
Network - "DHCP+NAT"
I am unclear as to what has a static IP address. And why did you change the setup.. Would it not have worked in exactly the same way as the Extreme?
Is the static address in the WAN setup or the LAN side setup?
Lan side it should be fine.. WAN side is not fine. There are strict rules to apply to using static IP on WAN.
If you can fill that in, it will help me understand the rest.
Also have you updated the firmware in the TC yet? As soon as you have a WAN connection please do a firmware update as there are major issues with SONOS.. which requires Spanning Tree Protocol to work. Apple bungled that one in the first firmware of the TC.. so you must have 7.7.2 and I am not sure it is fully repaired even in that.
I hope you did not reset your AE yet.. sometimes it is better to stick with what works and use the TC in bridge to it. -
No Internet Access with Static IP and RVS 4000
I have an RVS 4000. I have several PCs to which I have assigned static IP addresses. I have recently upgraded most of the PCs to Win 7 (64) machines. I updated the firmware on the RVS4000 to 1.3.3.5 in conjunction with this. After such update (and actually before as well) I could not assign a static IP address to a PC and have access to the internet. It connects fine to my LAN, just no internet access. This also affects several other machines running Win XP and Win 2003 Server, so it's not just this computer.
I have:
1. Shut down (powered off/unplugged) everything, router, DSL modem, switches, server, etc.
2. As I said firmware is current.
3. Yes, DNS servers and gateway, subnet, etc. are all correctly specified on the PC.
4. Router is set for gateway mode.
5. Set to only IPV4.
The only way it allows internet access is to use DHCP. I've even tried taking the IP address via DHCP and manually assigning the DNS servers and that works fine, but as soon as I assign a static IP internet access is immediately gone.
There must be something I'm missing, but I can't seem to find it.
Everything worked fine prior to the conversion of the Win 7 machines, i.e. I had several PC's with static IP's and no problems.
Any thoughts appreciated.
As an addendum, if I turn off the Firewall (internet access policy set to disable) it will allow the static-IP computer to have internet access. I have the DHCP range set to .5 - .54 and am using a static IP outside this range. The Internet access policy is to restrict those PCs getting IPs via DHCP.
-
I am trying to install the WSUS role on Windows Server 2012 R2 using a dedicated SQL instance with a static port on a remote SQL Server 2012 SP1 CU7 on Windows Server 2012 R2.
It verifies the connection and then throws the error:
The request to add or remove features on the specified server failed. The operation cannot be completed, because the server you specified requires a restart.
WSUS Server : Windows Server 2012 R2
Remote SQL Server: 2012 SP1 CU7 hosted on Windows Server 2012 R2
Please let me know if anyone has experienced this issue.
We were trying to install WSUS role on Windows Server 2012 R2 using dedicated SQL Instance with static port on remote SQL Server 2012 SP1 CU7 on Windows Server 2012 R2.
It verifies the connection and then throws the error:
The request to add or remove features on the specified server failed. The operation cannot be completed, because the server you specified requires a restart.
Same error even after rebooting the server multiple times.
WSUS Server : Windows Server Standard 2012 R2
Remote SQL Server: Windows Server 2012 SP1 CU7 hosted on Windows Server 2012 R2
Event ID 7000:
The Windows Internal Database service failed to start due to the following error:
The service did not start due to a logon failure.
Event ID 7041
The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
I found the following article:
"MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID" error when you install WID in Windows Server 2012
http://support.microsoft.com/kb/2832204/en-us
To work around the issue, use one of the following methods:
Assign the Log on as a service user right to NT SERVICE\ALL SERVICES in the GPO that defines the user right.
Exclude the computer from the GPO that defines the user right.
We moved the SCCM server to OU where no policies were getting applied and then applied the new GPO to that OU. Restarted the server and we were able to install WSUS role.
Regards
PR -
How to use both wired and wireless connection with static addresses
Now that I have set up my home network with static addresses (router, mini1, mini2 and PC) in the way I want, (big thanks to BDAqua http://discussions.apple.com/thread.jspa?threadID=1271635&tstart=0) I would like to understand some more advanced network concepts.
I would like to change the network so that I use both the wireless connection and the built-in ethernet connection at the same time in my Mac mini1. I would like to connect my PC to my Mac mini by using the wired ethernet connection so that I reach the Internet from my PC as well. I would also like to be in control of all the addresses therefore I want to assign the addresses manually.
The question: What addresses should I use between mini1 and PC? Should I use the same wireless address space as I already use between the wireless router and the other computers (router: 192.168.1.1, mini1: 192.168.1.101, mini2: 192.168.1.103) or should I use something totally different like 10.X.X.X? What should I put in ethernet connection "Router"-field, the same as in Airport (192.168.1.1)? What about DNS, same as in Airport?
If I understand this correctly, you wish your Mini to perform Internet Sharing for your PC, correct!?
If so you'll pretty much have to let the Mini handle DHCP & NAT on the Ethernet port. You also want to be sure Airport is dragged to the top of Network>Show:>Network Port Configurations, that's what position the Mini will use 1st for Internet itself.
On the Mini turn on both Web Sharing & Internet Sharing. The PC once connected will have the Mini's Ethernet IP as its Gateway addy. -
Protection Domains with static permissions are improperly constructed
I'm pretty new to the java security model, but this doesn't look right. It seems as though ProtectionDomains with static permissions have semantically different functionality than those that are constructed with the "variant" constructor (CodeSource, PermissionCollection, ClassLoader, Principal[]). The documentation enforces this idea: "The only permissions granted to this domain are the ones specified; the current Policy will not be consulted". Why then are the ProtectionDomains reconstructed improperly in the combine(ProtectionDomain[], ProtectionDomain[]) method of javax.security.auth.SubjectDomainCombiner? The wrong constructor is being called.
The reason the SubjectDomainCombiner is reconstructing these improperly is because it only uses the second form of the ProtectionDomain constructor. In my case the SubjectDomainCombiner is reconstructing a ProtectionDomain that was constructed with the first form. Basically this means that the staticPermissions variable in my ProtectionDomain changes from true to false. Then when it's time to call the implies(Permission) method it consults the current policy instead of ONLY using static permissions.
This is causing havoc with my custom classloader because I don't want the security manager checking the current Policy for permissions. I only want the ProtectionDomain's static permissions. Bug 4687166 also deals with combiners improperly constructing ProtectionDomains, but it is NOT a duplicate.
Now this means I'm going to have to extend the Policy class to get around this problem. Something isn't right, if it's me, please let me know.
interesting - if i follow what you're saying, you expect SubjectDomainCombiner to inspect the input ProtectionDomains. if one was constructed with "static" permissions, do you expect SubjectDomainCombiner to create a new ProtectionDomain with the additional Principal info, while retaining the static permissions?
or do you expect SubjectDomainCombiner to just leave that ProtectionDomain alone - in particular, do not update it with Principal info since it won't affect the permissions granted to that domain anyways?
either is an interesting change to contemplate, and is a technical possibility for SubjectDomainCombiner (since it is J2SE code). however, to come up with a true solution available to any custom DomainCombiner would probably require public API changes to ProtectionDomain. -
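The behaviour the report describes, as an added example that is not code from the bug report, the reply or the JDK. It builds a ProtectionDomain with the two-argument (static permissions) constructor, installs a permissive Policy, and shows that the static domain ignores that Policy while a copy rebuilt with the four-argument constructor consults it. It then runs the input domain through the JDK's SubjectDomainCombiner and through a small combiner of my own (the hypothetical StaticPreservingCombiner, implementing the reply's second option: leave static domains alone, add Principals only to dynamic ones). The GrantAllPolicy and StaticPreservingCombiner names are assumptions; the code assumes JDK 9 or later for ProtectionDomain.staticPermissionsOnly() and a JDK before 24 where java.security.Policy can still be set (it is deprecated from JDK 17, so expect deprecation warnings). Whether your JDK's SubjectDomainCombiner preserves static domains is printed rather than assumed.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import javax.security.auth.x500.X500Principal;

public class StaticDomainDemo {

    // Assumed/hypothetical: a Policy that grants everything. Any domain that
    // consults the Policy will therefore "imply" permissions it was never given.
    static final class GrantAllPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            return true;
        }
    }

    // Assumed/hypothetical combiner: static-permission domains are passed through
    // untouched (there is no constructor that carries static permissions AND
    // principals), dynamic domains are rebuilt with the Subject's principals.
    static final class StaticPreservingCombiner implements DomainCombiner {
        private final Subject subject;

        StaticPreservingCombiner(Subject subject) {
            this.subject = subject;
        }

        @Override
        public ProtectionDomain[] combine(ProtectionDomain[] current, ProtectionDomain[] assigned) {
            Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
            List<ProtectionDomain> out = new ArrayList<>();
            if (current != null) {
                for (ProtectionDomain pd : current) {
                    if (pd.staticPermissionsOnly()) {
                        out.add(pd); // keep the static domain exactly as constructed
                    } else {
                        out.add(new ProtectionDomain(pd.getCodeSource(), pd.getPermissions(),
                                pd.getClassLoader(), principals));
                    }
                }
            }
            if (assigned != null) {
                out.addAll(Arrays.asList(assigned));
            }
            return out.toArray(new ProtectionDomain[0]);
        }
    }

    // A domain built with the two-argument constructor: only "demo.allowed" is granted,
    // and the Policy must never be consulted for it.
    static ProtectionDomain staticDomain() {
        Permissions perms = new Permissions();
        perms.add(new RuntimePermission("demo.allowed"));
        CodeSource cs = new CodeSource(null, (java.security.cert.Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    static void report(String label, ProtectionDomain pd) {
        Permission allowed = new RuntimePermission("demo.allowed");
        Permission notGranted = new RuntimePermission("demo.notGranted");
        System.out.printf("%-28s staticPermissionsOnly=%-5s implies(allowed)=%-5s implies(notGranted)=%s%n",
                label, pd.staticPermissionsOnly(), pd.implies(allowed), pd.implies(notGranted));
    }

    public static void main(String[] args) {
        Policy.setPolicy(new GrantAllPolicy());

        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=demo")); // constructed sample principal

        ProtectionDomain original = staticDomain();
        // The rebuild the report complains about: same CodeSource and permissions, but the
        // four-argument constructor makes the domain consult the current Policy.
        ProtectionDomain rebuilt = new ProtectionDomain(original.getCodeSource(), original.getPermissions(),
                original.getClassLoader(), subject.getPrincipals().toArray(new Principal[0]));

        ProtectionDomain[] input = { original };
        ProtectionDomain fromJdkCombiner = new SubjectDomainCombiner(subject).combine(input, null)[0];
        ProtectionDomain fromPreserving = new StaticPreservingCombiner(subject).combine(input, null)[0];

        report("original (2-arg ctor)", original);        // notGranted -> false
        report("rebuilt (4-arg ctor)", rebuilt);          // notGranted -> true: Policy leaked in
        report("JDK SubjectDomainCombiner", fromJdkCombiner); // depends on your JDK version
        report("StaticPreservingCombiner", fromPreserving);  // notGranted -> false
    }
}
```

The two lines that matter are "original" versus "rebuilt": identical CodeSource and permission set, yet the rebuilt domain answers true for a permission nobody granted, purely because the constructor choice flipped staticPermissions. A custom DomainCombiner (or, on JDK 9+, a check of staticPermissionsOnly() before rebuilding) keeps that from happening without having to extend Policy.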
Port Forwarding and Printing with Static IP Address
Hey there -
I am trying to set up a network printer that can be printed to from anywhere in the world. My organization has 5 static IP addresses given to us by our ISP. Four of those I have on computers, and one of them I have on my Linksys router (WRT54G v.8).
What I want to do is be able to set up a printer on my router that I can print to from anywhere I have an internet connection. My wireless router's static IP address is 74.172.54.XXX - The address on my network is 192.168.7.1 - I have a printer statically assigned the IP address 192.168.7.2 - and I have port forwarding for port 70 to forward to 192.168.7.2
In theory, I would think that now I could print to 74.172.54.XXX:70 and have no problems. But that doesn't seem to be working. Even printing to 192.168.7.1:70 doesn't seem to work either.
Also, the printer has a web GUI interface that if I type http://192.168.7.1/ into my browser it comes up, so in theory I would think typing http://74.172.54.XXX:70 into my browser it should come up (but it doesn't nor does http://192.168.7.1:70).
Anybody got any suggestions? I tried to do a search about this, but every port forwarding question seemed to deal with gaming (which I have no desire to do). Thanks!
I will include two screen snapshots of what I am talking about:
Thanks for any help.
Is the router set up to accept static connections?
I have my router set up to accept both, so from 192.168.1.100 to 192.168.1.192 the addresses are static the other addresses are given by DHCP.
If you do not define a range and the address your laptop has as static IP conflicts with the address given by DHCP, you lose ... as in you get no address.
Set up of that feature may depend on your type of router but usually any decent router will have that capability ... read your manual for specifics about your unit.
Best of luck.
R.
Last edited by ralvez (2009-12-10 00:08:50) -
When I try to compile the program, there are conflicts between "nafxcw.lib" and another library. The conflicts don't exist when I compile the program with the shared library. Can you help me?
my OS is Windows NT 4.0
thanks
Which "other library" does nafxcw.lib conflict with? Nafxcw.lib is an mfc library and is not distributed with Componentworks++.
When you say the conflict does not exist when you use the shared library, are you talking about the selection in the Measurement Studio App Wizard where it asks how you want to access the mfc library? What exactly is the conflict that you get?
In general I would always select to use the mfc library as a shared dll, because it is a known issue to statically link the library into any arbitrary project, not just a Componentworks++ project.
Jason Foster
Application Engineer
National Instruments
www.ni.com/ask