Static Policy NAT in VPN conflicts with Static NAT

Similar Messages

• Static Nat and VPN conflict

  Hi
  I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
  I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 .
  I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .
  Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100
  Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.
  I hope the above makes sense.

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• How to set VPN server with static IP without DHCP on

  I set up a new Mac mini server with OS X 10.9.1 and Server App 3.0.1
  My ISP gave me a static bublic IP address.
  I have on:
  - web server
  - mail server
  - DNS server
  without using DHCP, but now i want to set up L2TP/IPSec VPN server and it requires that i give start IP address of the VPN server.
  Can i use VPN server w/out DHCP server on?
  If yes, how?
  If not, when i turn on the DHCP server, what i have to do with web, mail servers?

  To run a public VPN server, you need to do the following:
  1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
  2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
  3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
  If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
  Allow incoming IPSec authentication
  if it's not already checked, and save the change.
  With a third-party router, there may be a similar setting.
  4. Configure any firewall in use to pass this traffic.

• Using a non-static vector in a generic class with static methods

  I have a little problem with a class (the code is shown underneath). The problem is the Assign method. This method should return a clone (an exact copy) of the set given as an argument. When making a new instance of a GenericSet (with the Initialize method) within the Assign method, the variables of the original set and the clone have both a reference to the same vector, while there exists two instances of GenericSet. My question is how to refer the clone GenericSet's argument to a new vector instead of the existing vector of the original GenericSet. I hope you can help me. Thanks
  package genericset;
  import java.util.*;
  public class GenericSet<E>{
  private Vector v;
  public GenericSet(Vector vec) {
  v = vec;
  private <T extends Comparable> Item<T> get(int index) {
  return (Item<T>) v.get(index);
  public static <T extends Comparable> GenericSet<T> initialize() {
  return new GenericSet<T>(new Vector());
  public Vector getVector() {
  return v;
  public static <T extends Comparable> GenericSet<T> insert (GenericSet<T> z, Item<T> i){
  GenericSet<T> g = assign(z);
  Vector v = g.getVector();
  if (!member(g,i))
  v.addElement(i);
  return g;
  public static <T extends Comparable> GenericSet<T> delete(GenericSet<T> z, Item<T> i){
  GenericSet<T> g = assign(z);
  Vector v = g.getVector();
  if (member(g,i))
  v.remove(i);
  return g;
  public static <T extends Comparable> boolean member(GenericSet<T> z, Item<T> i) {
  Vector v = z.getVector();
  return v.contains(i);
  public static <T extends Comparable> boolean equal(GenericSet<T> z1, GenericSet<T> z2) {
  Vector v1 = z1.getVector();
  Vector v2 = z2.getVector();
  if((v1 == null) && (v2 != null))
  return false;
  return v1.equals(v2);
  public static <T extends Comparable> boolean empty(GenericSet<T> z) {
  return (cardinality(z) == 0);
  public static <T extends Comparable> GenericSet<T> union(GenericSet<T> z1, GenericSet<T> z2) {
  GenericSet<T> g = assign(z1);
  for(int i=0; i<cardinality(z2); i++) {
  Item<T> elem = z2.get(i);
  insert(g, elem);
  return g;
  public static <T extends Comparable> GenericSet<T> intersection(GenericSet<T> z1, GenericSet<T> z2) {
  GenericSet<T> g = initialize();
  for(int i=0; i<cardinality(z2); i++) {
  Item<T> elem = z2.get(i);
  if(member(z1, elem))
  insert(g, elem);
  return g;
  public static <T extends Comparable> GenericSet<T> difference(GenericSet<T> z1, GenericSet<T> z2) {
  GenericSet<T> g = initialize();
  for(int i=0; i<cardinality(z1); i++) {
  Item<T> elem = z1.get(i);
  if(!member(z2, elem))
  insert(g, elem);
  for(int i=0; i<cardinality(z2); i++) {
  Item<T> elem = z2.get(i);
  if(!member(z1, elem))
  insert(g, elem);
  return g;
  public static <T extends Comparable> GenericSet<T> assign(GenericSet<T> z) {
  GenericSet<T> g = initialize();
  for(int i=0; i<cardinality(z); i++) {
  Item<T> elem = z.get(i);
  insert(g, elem);
  return g;
  public static <T extends Comparable> boolean subset(GenericSet<T> z1, GenericSet<T> z2) {
  for(int i=0; i<cardinality(z1); i++) {
  Item<T> elem = z1.get(i);
  if(!member(z2, elem))
  return false;
  return true;
  public static <T extends Comparable> int cardinality(GenericSet<T> z){
  Vector v = z.getVector();
  return v.size();
  }

  The issue is not "reference a non-static interface", but simply that you cannot reference a non-static field in a static method - what value of the field ed would the static method use? Seems to me your findEditorData should look something like this:   public static EditorBean findEditorData( String username, EditorBean editorData )
        return editorData.ed.findEditor( username );
     }

• Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

  Good afternoon,
  My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi), it's almost the same than a BBox-2 from Belgacom (software and configuration).
  This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
  The main raison why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
  First of all, can I do the following with my TC :
  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
  The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
  The standard manual is very poor.
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  Sincerely yours,
  AVDB

  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  This is easy enough to do..
  Plug the TC directly into a computer.. without other connections to do the setup.
  Using the newly installed 5.6 utility.
  Bridge the TC.
  Create a wireless network.
  This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
  I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
  Update the TC..
  Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router.

• Problem iPhone WiFi Connection to Airport Express with static IP addresses

  We have our Airport Express configured on the LAN with a fixed IP. It is not distributing IP addresses, or providing DHCP services; it simply links the WiFi to the LAN.
  To connect via WiFi you set a static IP for the wireless device and enter all IP information by hand (IP/Router/Mask/DHCP etc). Laptops can connect fine, and use the network.
  The iPhone connects to the wireless network ok (we tried with security on and off), however, it seems to be unable to successfully use the network. Any attempt to browse a web page using a numeric IP address, or regular IP address, fails.
  Has anyone successfully used the iPhone on a WiFi network with static IP addresses, and a Wireless access point that also uses a static IP address?

  The problem with static IP on iPhone was caused by the IP address being blocked by over-zealous network manager...

• Static-nat and vpn tunnel bound traffic from same private address?

  Hi guys,
  I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
  For this local host @192.168.0.250, I also have a static one-to-one private to public.
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
  As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
  How can I resolve this problem, without complicating the setup ?
  BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
  Phase: 1
  Type: CAPTURE
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside-50
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.0.0     255.255.255.0   mgmt-192
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group mgmt_intf in interface mgmt-192
  access-list mgmt_intf extended permit icmp any any 
  access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT-EXEMPT
  Subtype: 
  Result: ALLOW
  Config:
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
      NAT exempt
      translate_hits = 5, untranslate_hits = 0
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 any
      static translation to 216.9.50.250
      translate_hits = 25508, untranslate_hits = 7689
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  nat-control
    match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
      static translation to 192.168.0.0
      translate_hits = 28867754, untranslate_hits = 29774713
  Additional Information:
  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 1623623685, packet dispatched to next module
  Result:
  input-interface: mgmt-192
  input-status: up
  input-line-status: up
  output-interface: outside-50
  output-status: up
  output-line-status: up
  Action: allow
  BurlingtonASA1# 
  Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
        access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
        local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
        current_peer: 216.9.62.4
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 37CA63F1
        current inbound spi : 461C843C
      inbound esp sas:
        spi: 0x461C843C (1176273980)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3914997/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x003FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x37CA63F1 (936010737)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3915000/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x00000000 0x00000001

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP

  8.2
  HI ALL
  Here is my scenerio and I have worked on this with TAC support over the last month, we finally made progress by getting our ISP to activate the 5 static IPs but here is my issue.
  basically we have a VOIP phone that is "remote". This phone needs to come through the Public IP to an internal address of 192.168.10.57.
  We tried only allowing certain "ports" to pass, such as SIP, RTP> but the remote phone still cannot reach the phone server at 192.168.10.57
  So
  I want to open it completely as this phone pc is the ONLY device on that public IP.
  so my 2 questions are.
  what do i need to config as a rule/ command to make this happen. were I want the public IP of 50.x.x.x to corelate directly and openly to the internal of 192.168.10.57?
  Also what is the command to allow the public IP to be pingable? so i can just confirm that it is reachable. I know at the very end we turned it off with a sort of ICMP command.
  Thank you all for your time and help. if you need more info please ask.

  Thank you very much for your help.
  I applied 
  access-list out-in extended permit icmp any host 50.x.x.x
  and now i can ping TY
  But,
  I applied
  static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
  ANd got this error:
  ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
  ERROR: mapped-address conflict with existing static
    inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
  I just want this port "wide open" to see if the remote phone will connect to it.
  here is my edited SH RUN
  ASA Version 8.2(1)
  hostname ciscoasa
  enable password PfdcbR/f90Mel1yp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 50.X.X.X 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  banner login
  banner login &
  banner login ~
  banner login ***********Warning*******
  banner login
  banner login ^
  ftp mode passive
  access-list out-in extended permit tcp any host 50.X.X.X eq 3462
  access-list out-in extended permit tcp any host 50.X.X.X eq sip
  access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
  access-list out-in extended permit tcp any host 40.X.X.X eq ftp
  access-list out-in extended permit icmp any host 50.X.X.X
  access-list split standard permit 192.168.10.0 255.255.255.0
  access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
  access-list FTP remark Allow
  access-list FTP extended permit tcp any eq ftp any eq ftp
  access-list FTP extended permit tcp any any eq ftp-data
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
  static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
  static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
  access-group out-in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection timewait
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd address 192.168.10.50-192.168.10.100 inside
  dhcpd dns 75.75.75.75 75.75.76.76 interface inside
  dhcpd lease 86400 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
  svc enable
  port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
  tunnel-group-list enable
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  banner value *****************************WARNING**********************************
  banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
  banner value ****************************************************************************
  vpn-tunnel-protocol svc webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  webvpn
    url-list none
    svc ask enable default webvpn
  username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
  username aalmonte attributes
  vpn-group-policy RemoteAccess
  username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
  username mmaccormack attributes
  vpn-group-policy RemoteAccess
  username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
  username lmaccormack attributes
  vpn-group-policy RemoteAccess
  username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
  username rdirkee password mHVkPntgw4LQyh.U encrypted
  username rdirkee attributes
  service-type remote-access
  username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
  username wmaccormack attributes
  vpn-group-policy RemoteAccess
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
  username rickg attributes
  vpn-group-policy RemoteAccess
  service-type remote-access
  username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
  username jgoucher attributes
  vpn-group-policy RemoteAccess
  username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
  username smaccormack attributes
  vpn-group-policy RemoteAccess
  username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
  username rmaccormack attributes
  vpn-group-policy RemoteAccess
  username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
  username bmaccormack attributes
  vpn-group-policy RemoteAccess
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool ippool
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess webvpn-attributes
  group-alias RemoteAccess enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  TYVM

• How to setup AirPort Time Capsule with static IP?

  Untill few days ago I have been using Airport Extreme as router for my network. It was cabled to the modem from my internet-provider.
  I had 2 printers, 1 iMac, 1 MB-Pro, several SONOS-devices, iPhone, Loewe-TV and iPad setup for it.
  AND IT HAS BEEN WORKING GREAT FOR MORE THAN 4 years
  Then I bought my new Time Capsule:
  It is connected in the same way as the Extreme but now via a static IPadress.
  The Airport-Utility says that I am using these set-ups:
  Internet - connection "DHCP"
  Network - "DCHP+NAT"
  The STATUS is:
  "DOBB. NAT"-message at the Airport-utility.
  Internet-connection is VERY-good and with high-speed.
  I am NOT able to get connection to the TV - it shows 100% connection but will NOT allow me to connect to it (password IS correct:-)
  It is only possible to get connected to the one SONOS Play:5 which is connected to the Internet - all the other devices can only be connected when I change the network-setting in AirportUtility from "DCHP+NAT" to "OFF (bridge)".
  I have been told that when I am using a static IP-adress for my Airport then "DCHP+NAT" is the right setting in order to make the Airport set-up dynamic-adresses for the wireless connected devices.
  I am not very-clever in this - but an old man who wants to get the right advice from a clever-person in order to find a solution.
  ANYONE inhere who wants to help me?
  THANK YOU in advance,

  Sailalong wrote:
  Untill few days ago I have been using Airport Extreme as router for my network. It was cabled to the modem from my internet-provider.
  I had 2 printers, 1 iMac, 1 MB-Pro, several SONOS-devices, iPhone, Loewe-TV and iPad setup for it.
  AND IT HAS BEEN WORKING GREAT FOR MORE THAN 4 years
  Then I bought my new Time Capsule:
  It is connected in the same way as the Extreme but now via a static IPadress.
  The Airport-Utility says that I am using these set-ups:
  Internet - connection "DHCP"
  Network - "DCHP+NAT"
  I am unclear as to what has a static IP address. And why did you change the setup.. Would it not have worked in exactly the same way as the Extreme?
  Is the static address in the WAN setup or the LAN side setup?
  Lan side it should be fine.. WAN side is not fine. There are strict rules to apply to using static IP on WAN.
  If you can fill that in, it will help me understand the rest.
  Also have you updated the firmware in the TC yet? As soon as you have a WAN connection please do a firmware update as there are major issues with SONOS.. which requires Spanning Tree Protocol to work. Apple bungled that one in the first firmware of the TC.. so you must have 7.7.2 and I am not sure it is fully repaired even in that.
  I hope you did not reset your AE yet.. sometimes it is better to stick with what works and use the TC in bridge to it.

• No Internet Access with Static IP and RVS 4000

  I have an RVS 4000.  I have several PC's to which I have assigned static IP addresses.  I have recently upgraded most of the PC's to Win 7 (64) machines.  I updated the firmware on the RVS4000 to 1.3.3.5 in conjunction with this.  After such update (and actually before as well) I could not assign a static IP address to a PC and have access to the internet.  It connects fine to my LAN, just no internet access.  This is also affected on several other machines running Win XP and Win 2003 Server, so it's not just this computer. 
  I have:
       1.  Shut down (powered off/unplugged) everything, router, DSL modem, switches, server, etc.
       2.  As I said firmware is current.
       3.  Yes, DNS servers and gateway, subnet, etc. are all correctly specified on the PC.
       4.  Router is set for gateway mode.
       5.  Set to only IPV4.
  The only way it allows internet access is to use DHCP.  I've even tried taking the IP address via DHCP and manually assigning the DNS servers and that works fine, but as soon as I assign a static IP internet access is immediately gone.
  There must be something I'm missing, but I can't seem to find it.
  Everything worked fine prior to the conversion of the Win 7 machines, i.e. I had several PC's with static IP's and no problems.
  Any thoughts appreciated.

  As an addendum, if I turn off the Firewall (internet access policy to disable) it will allow the static IP computer to have internet access.  I have the DHCP range set to be .5 - .54 and am using a static ip outside this range.  The Internet access policy is to restrict those PC's getting IP via DHCP.

• Trying to install WSUS role on Windows Server 2012 R2 using dedicated SQL Instance with static port on remote SQL Server 2012 SP1 CU7 on Windows Server 2012 R2.

  I am trying to install WSUS role on Windows Server 2012 R2 using dedicated SQL Instance with static port on remote SQL Server 2012 SP1 CU7 on Windows Server 2012 R2.
  It verifies the connection and then throws the error:
  The request to add or remove features on the specified server failed. The operation cannot be completed, because the server you specified requires a restart.
  WSUS Server : Windows Server 2012 R2
  Remote SQL Server: 2012 SP1 CU7 hosted on Windows Server 2012 R2
  Please let me know if anyone has experienced this issue.

  We were trying to install WSUS role on Windows Server 2012 R2 using dedicated SQL Instance with static port on remote SQL Server 2012 SP1 CU7 on Windows Server 2012 R2.
  It verifies the connection and then throws the error:
  The request to add or remove features on the specified server failed. The operation cannot be completed, because the server you specified requires a restart.
  Same error even after rebooting the server multiple times.
  WSUS Server : Windows Server Standard2012 R2
  Remote SQL Server: Windows Server 2012 SP1 CU7 hosted on Windows Server 2012 R2
  Event ID 7000:
  The Windows Internal Database service failed to start due to the following error:
  The service did not start due to a logon failure.
  Event ID 7041
  The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
  Logon failure: the user has not been granted the requested logon type at this computer.
  Service: MSSQL$MICROSOFT##WID
  Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
  This service account does not have the required user right "Log on as a service."
  User Action
  Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user
  right is assigned to the Cluster service account on all nodes in the cluster.
  If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated
  with this node might be removing the right.
  I found following article:
  "MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID" error when you install WID in Windows Server 2012
  http://support.microsoft.com/kb/2832204/en-us
  To work around the issue, use one of the following methods:
  Assign the Log on as a service user right to NT SERVICE\ALL SERVICES in the GPO that defines the user right.
  Exclude the computer from the GPO that defines the user right.
  We moved the SCCM server to OU where no policies were getting applied and then applied the new GPO to that OU. Restarted the server and we were able to install WSUS role.
  Regards
  PR

• How to use both wired and wireless connection with static addresses

  Now that I have setup my home network with static addresses (router, mini1, mini2 and PC) in the way I want, (big thanks to BDAqua http://discussions.apple.com/thread.jspa?threadID=1271635&tstart=0) I would like to understand some more advanced network concepts.
  I would like to change the network so that I use both the wireless connection and the built-in ethernet connection at the same time in my Mac mini1. I would like to connect my PC to my Mac mini by using the wired ethernet connection so that I reach the Internet from my PC as well. I would also like to be in control of all the addresses therefore I want to assign the addresses manually.
  The question: What addresses should I use between mini1 and PC? Should I use the same wireless address space as I already use between the wireless router and the other computers (router: 192.168.1.1, mini1: 192.168.1.101, mini2: 192.168.1.103) or should I use something totally different like 10.X.X.X? What should I put in ethernet connection "Router"-field, the same as in Airport (192.168.1.1)? What about DNS, same as in Airport?

  If I understand this correctly, you wish your Mini to perform Internet Sharing for your PC, correct!?
  If so you'll pretty much have to let the Mini handle DHCP & NAT on the Ethernet port. You also want to be sure Airport is dragged to the top of Network>Show:>Network Port Configurations, that's what position the Mini will use 1st for Internet itself.
  On the Mini turn on both Web Sharing & Internet Sharing. The PC once connected will have the Mini's Ethernet IP as it's Gateway addy.

• Protection Domains with static permissions are improperly constructed

  I'm pretty new to the java security model, but this doesn't look right. It seems as though ProtectionDomains with static permissions have symantically different functionality than those that are constructed with the "variant" constructor(CodeSource, PermissionCollection, ClassLoader, Principal[]). The documentation enforces this idea "The only permissions granted to this domain are the ones specified; the current Policy will not be consulted". Why then are the ProtectionDomains reconstructed improperly in combine(ProtectionDomain[], ProtectionDomain[]) method of the javax.security.auth.SubjectDomainCombiner? The wrong constructor is being called.
  The reason the SubjectDomainCombiner is reconstructing these improperly is because it ownly uses the second form of the ProtectionDomain constructor. In my case the SubjectDomainCombiner is reconstructing a ProtectionDomain that was constructed with the first form. Basically this means that the staticPermissions variable in my ProtectionDomain changes from true to false. Then when it's time to call the implies(Permission) method it consults the current policy instead of ONLY using static permissions.
  This is causing havic with my custom classloader because I don't want the security manager checking the current Policy for permissions. I only want the ProtectionDomain's static permissions. Bug 4687166 also deals with combiners improperly constructing ProtectionDomains, but it is NOT a duplicate.
  Now this means I'm going to have to extend the Policy class to get around this problem. Something isn't right, if it's me, please let me know.

  interesting - if i follow what you're saying, you expect SubjectDomainCombiner to inspect the input ProtectionDomains. if one was constructed with "static" permissions, do you expect SubjectDomainCombiner to create a new ProtectionDomain with the additional Principal info, while retaining the static permissions?
  or do you expect SubjectDomainCombiner to just leave that ProtectionDomain alone - in particular, do not update it with Principal info since it won't affect the permissions granted to that domain anyways?
  either is an interesting change to contemplate, and is a technical possibility for SubjectDomainCombiner (since it is J2SE code). however, to come up with a true solution available to any custom DomainCombiner would probably require public API changes to ProtectionDomain.

• Port Forwarding and Printing with Static IP Address

  Hey there -
  I am trying to setup a network printer that can be printed to from anywhere in the world. My organization has 5 static IP addresses given to us by our ISP. Four of those I have on computers, and one of them I have on my Linksys router (WRT54G v.8).
  What I want to do is be able to setup a printer on my router that I can print to from anywhere I have an internet connection. My wireless router's static IP address is 74.172.54.XXX - The address on my network is 192.168.7.1 - I have a printer statically assigned the IP address 192.168.7.2 - and I have a port forwarding for port 70 to forward to 192.168.7.2
  In theory, I would think that now I could print to 74.172.54.XXX:70 and have no problems. But that doesn't seem to be working. Even printing to 192.168.7.1:70 doesn't seem to work either.
  Also, the printer has a web GUI interface that if I type http://192.168.7.1/ into my browser it comes up, so in theory I would think typing http://74.172.54.XXX:70 into my browser it should come up (but it doesn't nor does http://192.168.7.1:70).
  Anybody got any suggestions? I tried to do a search about this, but ever Port Forwarding question seemed to deal with gaming (which I have no desire to do). Thanks!
  I will include two screen snapshots of what I am talking about:
  Thanks for any help.

  Is the router setup to accept static connections?
  I have my router set up to accept both, so from 192.168.1.100 to 192.168.1.192 the addresses are static the other addresses are given by DHCP.
  If you do not define a range and the address your laptop has as static IP conflicts with the address given by DHCP your loose ... as in you get no address.
  Set up of that feature may depend on your type of router but usually any decent router will have that capability ... read your manual for specifics about your unit.
  Best of luck.
  R.
  Last edited by ralvez (2009-12-10 00:08:50)

• Compiling program VC++ (and ComponentWork++) in release's mode with static library ...

  When i try to compil the program, there are conflicts between "nafxcw.lib" and an other library. The conflicts doesn't exist when i compil the program with shared library. Can you help me ?
  my OS is Windows NT 4.0
  thanks

  Which "other library" does nafxcw.lib conflict with? Nafxcw.lib is an mfc library and is not distributed with Componentworks++.
  When you say the conflict does not exist when you use the shared library, are you talking about the selection in the Measurement Studio App Wizard where it asks how you want to access the mfc library? What exactly is the conflict that you get?
  In general I would always select to use the mfc library as a shared dll, because it is a known issue to statically link the library into any arbitrary project, not just a Componentworks++ project.
  Jason Foster
  Application Engineer
  National Instruments
  www.ni.com/ask