Understanding DMZ ACLs

I understand ACLs to work in this way on an ASA:
If the traffic DESTINATION is a host on the subnet where the ACL exists, it's considered INCOMING. For example, if I want to allow my hosts on the inside to access the internet, since traffic sourced by my host destined for the outside is an outbound flow (high -> low zone) there is no need for an ACL. However, the return is low -> high and does require an ACL. Since the destination is a host on the inside, I create an INBOUND rule on the INSIDE interface. Because the INSIDE interface is the highest security zone, the majority of the rules regarding the INSIDE interface are incoming. We could write outgoing rules if we want to block zombies from sending spam, etc.

Now I'm putting in a DMZ, and I want my DMZ machine to access the DNS servers on the inside. So I wrote a rule that says 'permit object-group TCPUDP 192.168.50.0 255.255.255.0 object-group Internal_DNS_Servers eq domain'. This is an incoming rule from the DMZ to the INSIDE interface permitting a flow from a lower zone (DMZ is 50) to a higher zone (INSIDE is 100). This correlates with what I believe to be the appropriate usage of ACLs in that the DESTINATION is on the INSIDE interface, so I wrote the rule there to accept it. I also understand that I need to write a similar rule on the DMZ interface to allow the outgoing request towards the INSIDE interface because INSIDE is a higher security zone. Here's what I DON'T UNDERSTAND:
The firewall log says this:
4  Feb 01 2012  13:29:55  106023  192.168.50.2  51276  OSI-SUPPORT  53
Deny udp src DMZ-1:192.168.50.2/51276 dst Inside:OSI-SUPPORT/53 by access-group "DMZ-1_access_in" [0x0, 0x0]
Why would I need a rule that is DMZ-1_access_in (incoming, so the destination should be the DMZ) yet have the source be the DMZ and the destination be INSIDE?  If the firewall is telling me that the ACL blocking the traffic is the inbound/incoming rule, I'd expect the source to be my DNS servers on the INSIDE and the destination to be the DMZ host.  Also, why would such a rule be necessary when the return traffic is coming from a higher zone to a lower one?  Maybe I'm thinking of this in separate steps like a request for information and a response, when really I need to be thinking flows?  In any case, I'm confused.
Regards,
Scott

Hello Scott,
Let's first explain the directions of an access-group on an interface (in, out).
INSIDE--------ASA--------Outside
In this scenario, if a packet is coming from the inside to the outside and we want to restrict the traffic from the inside, in which direction do we need to apply the access list?
Well, we need to place ourselves at the ASA inside interface: the packet will get IN the Inside interface and get OUT the outside interface. So we apply the access-group: in interface inside.
Now let's do it from the outside to the inside. Again, let's put ourselves on the Outside interface of the ASA: we will need to open the interface to let the packets get IN from the outside to the inside, so again it would be access-group in interface outside.
That being said, now let's talk about security levels and ACLs on the ASA.
From a higher security level to a lower, everything is allowed unless you want to restrict something.
From a lower security level to a higher, you do need the ACL to allow the traffic.
In your case on the DMZ, you want to allow outbound traffic from the DMZ, okay, so DMZ to inside.
So again put yourself into the ASA.
     -When a user tries to connect to an inside host, the 1st packet will be received on the DMZ interface and that packet needs to get IN into that interface, so the direction would be IN instead of outbound.
Regards,
Julio!!!!
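Julio's two rules, as an added example that is not part of the original thread: a small Python model of how the ASA decides a flow's first packet using only the access-group applied "in" on the INGRESS interface, falls back to security levels when no ACL is bound, and lets the reply through from its connection table without any ACL. The log's denied DNS request is replayed with Scott's permit written first on Inside_access_in and then on DMZ-1_access_in. The Inside subnet 192.168.1.0/24, the DNS server address 192.168.1.10 standing in for the name OSI-SUPPORT, and the pre-existing web ACE on DMZ-1_access_in are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-list entry. src/dst are CIDR strings; dport None means any port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                            # subnet reachable behind this interface
    acl_name: Optional[str] = None          # access-group <acl_name> in interface <name>
    acl: list = field(default_factory=list)


class Asa:
    """Stateful filter: an ACL decides a flow's first packet, the connection table the rest."""

    def __init__(self, *interfaces: Interface):
        self.interfaces = interfaces         # list the default-route interface last
        self.conns: set = set()              # (proto, src, sport, dst, dport) of permitted flows

    def _interface_for(self, ip: str) -> Interface:
        for itf in self.interfaces:
            if ip_address(ip) in ip_network(itf.network):
                return itf
        raise ValueError(f"no interface routes {ip}")

    def packet(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Return (verdict, reason) for one packet arriving at the ASA."""
        ingress, egress = self._interface_for(src), self._interface_for(dst)
        key = (proto, src, sport, dst, dport)
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit", f"return traffic of an existing {proto} connection, no ACL consulted"
        if ingress.acl_name is not None:
            # Only the ACL bound "in" on the interface the packet ENTERS is evaluated.
            for ace in ingress.acl:
                if ace.matches(proto, src, dst, dport):
                    if ace.action == "permit":
                        self.conns.add(key)
                        return "permit", f'matched permit in "{ingress.acl_name}" (in on {ingress.name})'
                    return "deny", f'matched deny in "{ingress.acl_name}"'
            # Implicit deny at the end of the ACL, worded like syslog 106023 in the thread.
            return "deny", (f"Deny {proto} src {ingress.name}:{src}/{sport} dst {egress.name}:{dst}/{dport}"
                            f' by access-group "{ingress.acl_name}"')
        if ingress.security_level > egress.security_level:
            self.conns.add(key)
            return "permit", f"{ingress.name}({ingress.security_level}) -> {egress.name}({egress.security_level}): higher to lower, no ACL needed"
        return "deny", f"{ingress.name} -> {egress.name} is lower to higher and no ACL permits it"


DNS_SERVER = "192.168.1.10"   # constructed stand-in for the inside DNS server named OSI-SUPPORT


def build_asa(dns_permit_on: Optional[str]) -> Asa:
    """dns_permit_on: which ACL receives Scott's DNS permit, "Inside", "DMZ-1" or None."""
    # 'permit object-group TCPUDP 192.168.50.0 255.255.255.0 object-group Internal_DNS_Servers eq domain'
    dns_aces = [Ace("permit", p, "192.168.50.0/24", "192.168.1.0/24", 53) for p in ("tcp", "udp")]
    inside = Interface("Inside", 100, "192.168.1.0/24")
    dmz = Interface("DMZ-1", 50, "192.168.50.0/24", "DMZ-1_access_in",
                    [Ace("permit", "tcp", "192.168.50.0/24", "0.0.0.0/0", 80)])  # assumed existing web rule
    if dns_permit_on == "Inside":
        inside.acl_name, inside.acl = "Inside_access_in", list(dns_aces)
    elif dns_permit_on == "DMZ-1":
        dmz.acl.extend(dns_aces)
    return Asa(inside, dmz, Interface("Outside", 0, "0.0.0.0/0"))


def dns_lookup(asa: Asa):
    """Replay the flow from the log: the DMZ host queries the inside DNS server, which answers."""
    verdict = asa.packet("udp", "192.168.50.2", 51276, DNS_SERVER, 53)
    if verdict[0] != "permit":
        return verdict
    return asa.packet("udp", DNS_SERVER, 53, "192.168.50.2", 51276)


if __name__ == "__main__":
    for where in ("Inside", "DMZ-1"):
        print(f"DNS permit written on {where}_access_in:", dns_lookup(build_asa(where)))
```

With the permit on Inside_access_in the request never reaches that ACL, because it enters on DMZ-1 and is dropped by the implicit deny of DMZ-1_access_in; with the permit on DMZ-1_access_in the request is allowed and the server's reply passes on the connection entry alone.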

Similar Messages

  • Understanding 5505 firewall-site to site and internet traffic

    Hi,
    My question is multi-faceted. I apologize for the lengthy intro here, but I think the info is necessary to understand where I am headed in this.
    I am new to the Cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but don't completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
    That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things.  Our ultimate goal is to use this device as a site to site with the 5510 at the corporate office. However, I need to accomplish this in baby steps, test, test real users and then maybe convert in full. Where I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
    We need to have this in place by the end of February 2013.
    Currently the remote site is connected via a very slow (by today's standards) T1 line on an MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50mb cable connection (with static IPs) to the office. First we want to set up the 5505 so that it can be used as follows:
    1, Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
    2, Test using this connection as a route out to the internet AND use it as a site to site VPN connection to the home office. (or anyconnect vpn)
              I need to be able to have users in both environments. IE, some still using step 1 and some starting to use and test step 2.
    3, long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access internet via the VoIP T1 line as a life line.
    In all cases, I don't want internet going through the home office as it currently is traveling.
    I have done a lot of searching but so far have come up empty with answers.
    Question 1:     (This one probably shows my ignorance the worst) - in using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the GUI, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI? Do I need to do some sort of "split tunneling"?
    Question 2:     Do I use this device as the default gateway for both step 1 and 2/3 for normal use and then change the gateway on the PCs to the VoIP network during emergency use? (That would bypass the firewall though, or is there a way to have it route to that router if there is no connection through the Outside port? Or as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?)
    Question 3:     We have 25 AnyConnect VPN licenses. Should we use these and not the static site to site? If so, why or why not? They don't need to be used at all.
    Question 4:     In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable so that the device could still ultimately control the internet traffic?
    Question 5:     In setting up the VPN connections, unless i am getting the two methods confused, I will need the 5505 to hand out IP addresses for the vpn connection. I see in using a class c schema that i can use 92.168.0.0 to 192.168.255.0. So for instance, I could use 101.1.20.0 for the inside network Vpn addresses?? I need to stay away from 192.168.0.0 networks as we use that in our normal structure.
    Reasons for setting this up:
    Slow speeds over the T1.
    Increasing demand for Skype, video conferencing etc. that the T1 pipe couldn't adequately handle.
    Lack of backup pathways for downed connections - i.e., backhoe chopping through wire at a construction site.
    I read through the Getting Started guides on both the 5510 and the 5505 and feel I can likely get the site to site set up (I have a list of all the IP addresses I need for inside networks and outside networks etc.).
    additional notes:
    I have to email ATT anytime I want a change made on the MPLS router, so doing as little to that as possible would be good.
    I will be onsite for testing at the end of February and will have direct access to the home office via other methods to work on the ASA 5510 if any additional work needs to be done on it once I am onsite.
    Thanks for taking the time to read through all of this. please forgive my lack of knowledge...
    Dave

    Thanks for getting back to me and so quickly!
    1) I am not sure if I understand the “ACL” portion of your question, but this is how I want to access info via the VPN tunnel:
    192.168.D.0 inside (NJ) to outside 5505 - 12.175.X.X to outside 5510 - 12.200.X.X to inside network (HQ) 192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data, 10.X.X.0 for the phone system. All other traffic would be sent out through the internet. The phone system uses the XOcomm connection to route phone traffic.
    2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XO comm.
    4) I guess I would use an Outside 2 as that makes sense, in description, I would label them “ComCast” for outside 1 and “XOcomm” for outside 2.
    5) I am still not sure I understand this part. Are additional IP addresses needed for the Site to site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
    Next Steps
    1-         Configure the ASA5510 for the 5505 connection
    2-         Configure the ASA5505 for the 5510 connection
    3-         Configure SLA for Comcast and XOcomm outside connections
    4-         For this I need help….I think this is from step 1, but I need help to configure the internet to be segregated via my question from #1. Have I given enough information to do so? Please advise on ACL entries, and route statements needed so that NJ can talk to all the offices when using this connection, not just the Headquarters.
    Thanks
    dave

  • DMZ - Help

    Hi,
    Recently we purchased an ASA 5510 and need your help to understand why from inside I am not able to see the DMZ server and outside. Physical connectivity is OK; reachability from the ASA to the DMZ is OK.
    Traffic is going to the internet from the ASA.
    Is the ACL correct as per my need?
    Outside to DMZ needs ports 1080, 1081, 6588, 80, 3128.
    DMZ to outside needs ports smtp, 5512, dns udp and tcp.
    Inside to DMZ, local server 192.168.1.55 should only communicate to DMZ Server
    Can get help
    I have plugged the configuration

    I see a couple of things to fix. In the DMZ ACL you are permitting the traffic you want to allow from the outside, but it is applied inbound to the DMZ interface. It should be applied to the outside interface. Same for the OUTSIDE ACL. I would rename them to make more sense; outside2dmz or outside_dmz. Second, you're missing NAT for traffic to get to the internet for both the inside and the DMZ. You're also missing NAT for DMZ to inside (if you require it). If you need help with configuring NAT, just shout.

  • Inheritance in ACLs Authorization

    Hi Gurus
    I use inheritance in ACLs authorization. I created a Folder (Doc. Type FOL) and gave ACLs authorization in there. Next I created a new DIR and assigned it to this Folder. I mean this Folder is a superior document of the new DIR. There is no ACL authorization in the new DIR.
    After that, the user who is given ACL authorization can access the Folder but can't access the new DIR.
    For example:
    Folder FOA - get User A activity "Admin"
    Create DIR TEST_DIR with superior document is FOA
    User A can't access DIR with error "you don't have necessary authorization..."
    With my understanding, the ACLs authorization is able to be inherited.
    So why doesn't it work ?
    Give me your idea if you experienced this case.
    Best Regards
    Thanks in advance
    An NLP

    Hi Iring Maeurer
    When I assign ACLs for the user in DIR "admin", the user can access the DIR; that is the reason I think the problem is in ACLs authorization.
    I'll check with Tcode su53
    Regards
    An NLP

  • ACLs for Hiding Folder and Preventing Opening of Files

    I thought I had a reasonable understanding of ACLs, but the behavior of OS X afp shares baffles me.
    I need to do two things:
    Hide selected directories within a share from all members of a group.  They should be unable to see that these folders even exist.
    Prevent members of a group from opening files on a share, while allowing them the ability to copy the files.  The idea is to force them to copy files to local storage in order to open them.
    I'm clear the deliberately crippled control over ACLs Server.app provides is likely insufficient to the task (really? no deny capability? ***?). My attempts to deny all privileges using the command line look good on paper, but in practice create bizarre effects when the client views the share, such as the denied folders appearing to be inaccessible replications of the containing sharepoint.
    Advice will be much appreciated.
    I'm running Server 3.0.2 under 10.9.1. All the client systems are running 10.9.1.

    Mac OS X is a form of Unix operating system. Unix originally used a permissions scheme which only allows defining Read, Write and eXecute permissions, for the Owner, the Group, and 'Everyone'. This is generally referred to as 'POSIX' permissions.
    With POSIX permissions you could set a folder to not have write access, but this means they cannot create new files; you could set it to not have eXecute permission, but this means users could not view its contents. In other words, POSIX does not have the flexibility you need.
    Because of the limitations of the POSIX style permissions, a new much more powerful scheme was developed called Access Control Lists (ACLs). Mac OS X supports this scheme as well and in fact for Mac OS X 10.5 or later it is the preferred choice. With ACLs you have three main categories of permission, Admin, Read, and Write. Each of these has sub-levels of permission. In your case, one of the sub-permissions of Write is to allow (or disallow) the ability to delete files or sub-folders.
    Therefore what you need to do is run Server Admin on your server, go to Sharing at the top of the Window, and then select the folder you want to adjust the permissions for, you then need to define who can and who cannot delete the contents.
    Note: A folder will always have POSIX permissions listed but might initially have no ACLs defined. Once you define an ACL permission, it will always override any POSIX permissions, you can then ignore any POSIX permissions.

  • RV042 with DMZ responding to external dns queries

    Got a call from my ISP saying that my router was responding to DNS requests.
    Tested with ezdig and it does.
    Two RV042s, one facing the internet, the 2nd in the DMZ port. The only public address answering to DNS requests is the gateway in the DMZ.
    Firmware bug, or do I not understand DMZ?

  • ACL restriction of multicast and broadcast on SRW2016

    Hello all,
    I seem to be having difficulty setting up an ACL that restricts multicast and broadcast packets to a specified port on the SRW2016.
    In brief, I have one (physical) port that I need to prevent any broadcast or multicast packets from being sent to.  I need to allow clients which are on that port to send broadcast, however.  My take on this was to create an ACL with one rule of the type:
    Type: Deny
    Protocol: Any
    Source IP: 10.0.0.0/255.255.255.255
    Destination IP: 224.0.0.0/0.255.255.255
    Another type I tried was a 2-rule ACL to explicitly allow only a valid sender and deny all:
    Type: Allow
    Protocol: UDP
    Dest Port: 1234
    Source IP: 10.1.0.100/0.0.0.0
    Dest IP: 10.1.0.101/0.0.0.0
    Type: Deny
    Protocol: All
    I have tried various permutations of these types of ACL (changing ordering, etc.) but everything I have tried so far has allowed the multicast packets through unless I block it at the sending port (which obviously blocks it from all ports).
    Any suggestions or comments would be appreciated.  Is what I'm trying to do even possible in the SRW2016?
    Thanks,
    Mike

    Just to make sure I was creating/applying the ACLs correctly, I did a simple test with a very basic rule: I just set type to deny (basically a deny all rule). I applied this rule to one port of the switch and verified that it was working by attempting to access the switch's web configuration interface (which correctly was inaccessible). However, the multicast packets were still being delivered (verified via both an Ethernet dump and visual inspection of the switch's LED).
    Based on the above information, I feel it's fairly safe to say that Multicast is not filtered correctly via ACLs on the SRW2016.  Apparently Multicast packets take a different logical path than "normal" packets.  Since I don't expect an immediate firmware patch, I suspect that I need to see if I can get a router in addition or as a replacement for the switch.
    Edit: I found a method that appears to restrict the multicast packets via the "Bridge Multicast" interface (basically created a rule for the MAC related to my multicast address, set to Forbidden on one port, but this is not a generic solution for all multicast and I don't seem to be able to have more than 1 MAC address in the list...), but broadcast still gets through, regardless of the ACL I set up for the port.
    I'm beginning to wonder if my understanding of ACLs is flawed - does anyone know if they're applied to incoming packets for a port, outgoing packets for a port or both?  My assumption was both, but if the rule were only applied to incoming packets, it would explain the behavior I'm observing.
    Message Edited by michael.beresford on 03-02-2009 02:46 PM

  • Issue of ACL

    hi Experts,
    I am using wcc11.1.1.7, according to Kyle's blog:
    https://blogs.oracle.com/kyle/entry/new_security_configuration_flag_ucm_ps3
    I finished ACL configuration as the following:
    in $domain/ucm/config/config.cfg, added:
    UseEntitySecurity=true
    SpecialAuthGroups=ACLGroup
    AllowQuerySafeUserColumns=true
    I restarted ucm server, then user1 checkin a doc with security grp name of ACLGroup, add user2 with RWDA for user access list, but user2 can not search this doc out, what could be the issue for this?
    Best regards

    Hi ,
    I think the problem here is about understanding how ACLs work.
    Basically, ACL is not meant to give / revoke security access / privileges for a document on the fly. It is used to tighten the security structure by 1 more notch so that security can be applied on item level. This means that an item can be sub-classified among users who share the same security group / roles to the content item.
    Please read through the following forum post which illustrates this point: https://forums.oracle.com/thread/1003039?t
    Also, go through the ACL Documentation: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIEIHCA
    Section: 21.4 Access Control List Permissions
    This line captures the core of ACL functionality:
    However, users must also satisfy security criteria for access through the Content Server security group and the account (if Accounts are enabled). If any of these security criteria deny a certain permission, users will not have that permission to the content item.
    When a user searches for a content item, all three ACL rights fields are combined as an "OR" condition. That result is combined in an "AND" condition with the result of the Security Group and Account fields. The user conducting the search must have Read permission to the security group, to the account (if accounts are enabled), and to at least one of the three ACL fields to be able to find the content item.
    Thanks,
    Srinath

  • Python ldap write access (acl) from another machine?

    I've downloaded and installed:
    http://python-ldap.sourceforge.net/
    and used this example code:
    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/303336
    and I'm using this code to connect to another machine that is running a vanilla install of Leopard 10.5.2.
    The search works fine, but add and delete return this error:
    {'info': 'no write access to parent', 'desc': 'Insufficient access'}
    It would appear that the default acl for * doesn't allow for other computers to have write access?
    access to *
    by set="user/uid & [cn=admin,cn=groups,dc=test,dc=mydomain,dc=com]/memberUid" write
    by dn.exact="cn=test.mydomain.com$,cn=computers,dc=test,dc=mydomain,dc=com" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by * read
    What I don't understand about ACLs is: are the 'by' lines all additive? If I was to add a new ACL like the one below, will that give other computers, when authenticated as someone in the admin group, write access?
    It would appear that the default ACL for * doesn't allow for other computers to have write access? Or commenting out the dn.exact and sockurl?
    access to *
    by set="user/uid & [cn=admin,cn=groups,dc=test,dc=mydomain,dc=com]/memberUid" write
    by * read
    Do I add this to /etc/openldap/slapd_macosxserver.conf and restart the server?

    Hi,
    You can check these few text-book style troubleshooting steps :-
    1. Can you PING the system computername from another System ?
    2. Can you check the ServerName parameter in httpd.conf of your IAS's Apache and check if it contains computername?
    3. Can you check if you can access http://computername:7777 or http://computername:7778 ( Default Ports ).
    4. Can you Telnet to computername at Port 80 ( using some software like Putty ) and issue Http Commands like GET / HTTP/1.1 ( just to check if the port is open ) ?
    Regards,
    Sandeep

  • Sqlnet Communication problem

    Hi Community,
    I have a challenge getting 2 Oracle servers to communicate, with each located in the "internal" and "DMZ" network segments.
    The Oracle server on the internal network can communicate with the one on the DMZ, but the one on the DMZ can NOT talk to the one on the internal network.
    The customer wants the architecture to enable realtime data updates on the Oracle in the DMZ.
    My config is as follows. I need help.
    ciscoasa# wr t
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.1.184.131 Proxy_Server
    name 192.168.10.1 Internet_Router
    name 10.1.184.122 Mail_Server
    name 10.1.184.116 Mail_Server_2
    name 10.1.184.121 Mail_Server_3
    dns-guard
    interface GigabitEthernet0/0
    nameif Inside
    security-level 100
    ip address 10.1.184.1 255.255.248.0 standby 10.1.184.254
    interface GigabitEthernet0/1
    description LAN/STATE Failover Interface
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 50
    ip address 192.168.30.1 255.255.255.0 standby 192.168.30.2
    interface GigabitEthernet0/3
    nameif Outside
    security-level 0
    ip address 192.168.10.2 255.255.255.0 standby 192.168.10.20
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone GMT 1
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network Proxy_Server
    host 10.1.184.131
    object network Mail_Server
    host 10.1.184.122
    object network Internet_Router
    host 192.168.10.1
    description Created during name migration
    object network Mail_Server_2
    host 10.1.184.116
    description Created during name migration
    object network Mail_Server_3
    host 10.1.184.121
    description Created during name migration
    object network WebServer1
    host 192.168.30.3
    object network InternalNetwork
    subnet 10.1.184.0 255.55.248.0
    object network DMZ-IdentityPool
    range 192.168.30.30 192.168.30.254
    object network WebServer2
    host 192.168.30.4
    object network obj-remote
    subnet 192.168.0.0 255.255.255.0
    object network obj-DMZ
    subnet 192.16.30.0 255.255.255.0
    object network DatabaseServer
    host 10.1.184.134
    object network AppServer
    host 10.1.184.126
    object network MailServer
    host 10.1.184.116
    access-list Inside_access_in extended permit ip object Proxy_Server any
    access-list Inside_access_in extended permit ip host 10.1.184.190 any
    access-list Inside_access_in extended permit ip host 10.1.184.83 any
    access-list Inside_access_in extended permit icmp host 10.1.184.190 any
    access-list Inside_access_in extended permit ip host 10.1.184.67 any inactive
    access-list Inside_access_in extended permit ip host 10.1.184.83 object Internet_Router
    access-list Inside_access_in extended permit ip host 10.1.184.190 object Internet_Router
    access-list Inside_access_in extended permit udp any any
    access-list Inside_access_in extended permit icmp any any
    access-list Inside_access_in extended permit ip object Mail_Server any
    access-list Inside_access_in extended permit tcp object Mail_Server any eq smtp
    access-list Inside_access_in extended permit ip object Mail_Server_2 any
    access-list Inside_access_in extended permit tcp object Mail_Server_2 any eq smtp
    access-list Inside_access_in extended deny tcp any any eq smtp
    access-list Inside_access_in extended permit icmp host 10.1.184.43 any
    access-list Inside_access_in extended permit ip object Mail_Server_3 any
    access-list Inside_access_in extended permit tcp object Mail_Server_3 any eq smtp
    access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.3
    access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.3 eq www
    access-list Inside_access_in extended permit ip host 10.1.184.137 host 10.1.184.133
    access-list Inside_access_in extended permit ip host 10.1.184.62 host 10.1.184.133
    access-list Inside_access_in extended permit ip host 10.1.184.117 any
    access-list Inside_access_in extended permit ip host 10.1.184.117 object Internet_Router
    access-list Inside_access_in extended permit ip host 10.1.184.129 any
    access-list Inside_access_in extended permit ip host 10.1.184.129 object Internet_Router
    access-list Inside_access_in extended permit ip host 10.1.184.150 host 10.1.184.133
    access-list Inside_access_in extended permit ip host 10.1.184.150 any
    access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.4
    access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.4 eq www
    access-list Inside_access_in extended permit tcp host 10.1.184.134 host 192.168.30.4 eq sqlnet
    access-list Outside_access_in extended permit udp any eq domain object Proxy_Server
    access-list Outside_access_in extended permit icmp object Internet_Router any
    access-list Outside_access_in extended permit icmp any host 10.1.184.190
    access-list Outside_access_in extended permit icmp any host 10.1.184.83 inactive
    access-list Outside_access_in extended permit tcp any object Proxy_Server eq https
    access-list Outside_access_in extended permit tcp any object Proxy_Server eq www
    access-list Outside_access_in extended permit tcp any object Mail_Server eq smtp inactive
    access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq pop3
    access-list Outside_access_in extended permit udp any eq domain object Mail_Server_2
    access-list Outside_access_in extended permit tcp any object Mail_Server eq imap4 inactive
    access-list Outside_access_in extended permit icmp any object Mail_Server inactive
    access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq smtp
    access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq imap4
    access-list Outside_access_in extended permit icmp any object Mail_Server_2
    access-list Outside_access_in extended permit icmp any host 10.1.184.43
    access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq www
    access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq https
    access-list Outside_access_in extended permit icmp any host 192.168.30.3
    access-list Outside_access_in extended permit icmp any any echo-reply
    access-list Outside_access_in extended permit icmp any host 192.168.30.3 echo
    access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq www
    access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq https
    access-list Outside_access_in extended permit icmp any host 192.168.30.4 echo
    access-list Outside_access_in extended permit icmp any host 192.168.30.4
    access-list branchgroup-SplitACL standard permit 10.0.0.0 255.0.0.0
    access-list branchgroup-SplitACL standard permit 192.168.30.0 255.255.255.0
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
    access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
    access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
    pager lines 24
    logging enable
    logging timestamp
    logging standby
    logging emblem
    logging list InformationalLog level informational
    logging list InformationalLog message 101001
    logging buffer-size 16384
    logging console notifications
    logging monitor errors
    logging buffered critical
    logging trap errors
    logging asdm critical
    logging mail informational
    logging host Inside 10.1.184.132
    logging host Inside 10.1.184.190 6/1470
    logging debug-trace
    logging ftp-server 10.1.184.190 \\marinasec\akanoa akanoa *****
    logging permit-hostdown
    logging class auth buffered emergencies trap emergencies
    logging class bridge buffered emergencies trap emergencies
    logging class config buffered alerts trap emergencies
    logging class ip buffered emergencies trap alerts
    logging class sys trap alerts
    logging class ca trap emergencies
    logging class email buffered emergencies trap errors
    mtu Inside 1500
    mtu DMZ 1500
    mtu Outside 1500
    mtu management 1500
    ip local pool remoteusers 192.168.0.1-192.168.0.254
    failover
    failover lan unit secondary
    failover lan interface stateful_failover GigabitEthernet0/1
    failover replication http
    failover link stateful_failover GigabitEthernet0/1
    failover interface ip stateful_failover 192.168.20.1 255.255.255.252 standby 192.168.20.2
    no monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (DMZ,Outside) source static obj-DMZ obj-DMZ destination static obj-remote obj-remote
    nat (Inside,Outside) source static InternalNetwork InternalNetwork destination static obj-remote obj-remote
    object network Mail_Server
    nat (Inside,Outside) static Mail_Server no-proxy-arp route-lookup
    object network WebServer1
    nat (DMZ,Outside) static 192.168.30.3 dns
    object network WebServer2
    nat (DMZ,Outside) static 192.168.30.4 dns
    object network DatabaseServer
    nat (Inside,DMZ) static 192.168.30.134
    object network AppServer
    nat (Inside,DMZ) static 192.168.30.126
    object network MailServer
    nat (Inside,DMZ) static 192.168.30.116
    access-group Inside_access_in in interface Inside
    access-group DMZ_access_in in interface DMZ
    access-group Outside_access_in in interface Outside
    route Outside 0.0.0.0 0.0.0.0 Internet_Router 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server vpn protocol radius
    aaa-server vpn (Inside) host 10.1.184.119
    key *****
    aaa-server vpn (Inside) host 10.1.184.120
    key *****
    user-identity default-domain LOCAL
    http server enable
    http 10.1.184.190 255.255.255.255 Inside
    http 10.1.184.2 255.255.255.255 Inside
    http 10.1.184.83 255.255.255.255 Inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set rmtset esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set ikev1 transform-set rmtset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface Outside
    crypto ikev1 enable Outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    telnet 10.1.184.83 255.255.255.255 Inside
    telnet 10.1.184.190 255.255.255.255 Inside
    telnet 10.1.184.167 255.255.255.255 Inside
    telnet timeout 5
    ssh 10.1.184.83 255.255.255.255 Inside
    ssh 10.1.184.190 255.255.255.255 Inside
    ssh 10.1.184.43 255.255.255.255 Inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy branchgroup internal
    group-policy branchgroup attributes
    dns-server value 10.1.184.120
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value branchgroup-SplitACL
    default-domain value marinasecuritieslimited.com
    username sannib password 3gB/xWLMBVp/AjjW encrypted
    username adebimpel password O./lZ/3rlYD/87u2 encrypted
    username ojoawob password w1h9Aq2Welzv1fuW encrypted
    username agbajer password NuDaZPLHC0BcF7iI encrypted
    username oyenihib password eoxptVEUfczen6VR encrypted
    username odewolef password yB12L9t1gcr.Wgx/ encrypted
    username mainuser password 8KBTvbq5FOuoFce2 encrypted privilege 15
    username maakano password c1Cb3uSluyfsyWUb encrypted
    tunnel-group branchgroup type remote-access
    tunnel-group branchgroup general-attributes
    address-pool remoteusers
    default-group-policy branchgroup
    tunnel-group branchgroup ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:bbe838eb9af33fc84083989823bc0c22
    : end
    [OK]
    ciscoasa#

    Hi,
    Seems to me that you have configured Static NAT from "inside" to "dmz" so that the "inside" servers are visible to the "dmz" with an IP address belonging to the "dmz".
    Is this something that you absolutely need? Is there something preventing you from using the IP address ranges on both "inside" and "dmz" and not doing NAT for them at all between those interfaces?
    If you want to keep the current setup intact regarding NAT, change the DMZ ACL to use the actual 10.1.184.x IP addresses as the destination IP address in the ACL.
    In other words, always use the Real IP address of the host in the ACL configuration, NOT the NAT IP address. After doing that change I suppose it should also work for "dmz" to "inside". (NAT IP was used in the ACL in the ASA versions 8.2 and below, the Real IP address is used in software 8.3 and above)
    Change
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
    access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
    access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
    To
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.116 eq smtp
    access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
    access-list DMZ_access_in extended permit ip host 192.168.30.4 host 10.1.184.134
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.134 eq sqlnet
    You can also use the "object" names in the ACL.
    Which would be
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 object MailServer eq smtp
    access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
    access-list DMZ_access_in extended permit ip host 192.168.30.4 object DatabaseServer
    access-list DMZ_access_in extended permit tcp host 192.168.30.4 object DatabaseServer eq sqlnet
    Hope the above helps. Please ask more if needed.
    - Jouni
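As an added example (not from the thread, the poster's config or Cisco), a small Python lint that applies the rule above to an ASA 8.3+ configuration: it collects the mapped addresses from `object network ... nat (...) static <ip>` blocks and flags every access-list entry that names one of them as a `host`, suggesting the `object <name>` form that resolves to the real address. The config excerpt inside is constructed from the object NAT and ACL lines quoted in the thread.

```python
import re

# Constructed ASA 8.3+ excerpt built from the object NAT and ACL lines quoted in the
# thread; the sqlnet entry already uses the real (10.1.184.x) address and must pass.
SAMPLE_CONFIG = """\
object network DatabaseServer
 nat (Inside,DMZ) static 192.168.30.134
object network MailServer
 nat (Inside,DMZ) static 192.168.30.116
object network Mail_Server
 nat (Inside,Outside) static Mail_Server no-proxy-arp route-lookup
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.134 eq sqlnet
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
OBJ_RE = re.compile(r"^object network (\S+)$")
# Object NAT with a literal mapped address; "static <object-name>" forms are ignored.
NAT_RE = re.compile(rf"^nat \([^,]+,[^)]+\) static ({IPV4})\b")


def mapped_addresses(config: str) -> dict[str, str]:
    """Map each static-NAT mapped IP to the network object whose real address it hides."""
    mapped: dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := NAT_RE.match(line)):
            mapped[m.group(1)] = current
    return mapped


def find_mapped_ip_aces(config: str) -> list[tuple[str, str, str]]:
    """Return (original ACE, mapped IP, corrected ACE) for each access-list entry that
    names a mapped address as a host; the fix substitutes 'object <name>' (real IP)."""
    table = mapped_addresses(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue
        for ip in re.findall(rf"\bhost ({IPV4})", line):
            if ip in table:
                fixed = line.replace(f"host {ip}", f"object {table[ip]}")
                findings.append((line, ip, fixed))
    return findings


if __name__ == "__main__":
    for original, ip, fixed in find_mapped_ip_aces(SAMPLE_CONFIG):
        print(f"mapped IP {ip} in ACE:\n  {original}\n  -> {fixed}")
```

Running it against the constructed excerpt reports the smtp and ip entries (which use 192.168.30.x mapped addresses) and leaves the icmp and sqlnet entries alone.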

  • I have BOTH Tiger and Leopard installed in my new iMac now .... and ...

    Yesterday I decided to take the risk - I formatted my iMac's HD, made three partitions - one for Tiger, one for Leopard and another for CS3 usage. I installed Tiger without the 1.1 upgrade but installed ALL upgrades including 1.1 and 1.3 in Leopard.
    All day today I tried different apps under Leopard including iTunes, iPhoto, Photoshop and Illustrator CS3. So far so good ... I haven't got any serious problem, such as a system freeze or crash, yet.
    It was actually a wonderful delight to know that I could easily access all my files from each OS without a reboot.
    I love Leopard but was a bit disappointed to find out it's not as fast and stable as Tiger. I see the rainbow ball spinning quite often in Leopard (I rarely see it in Tiger). The internet connection drops very often while working perfectly in Tiger. The most annoying thing is: my 5-month-old Canon printer does not work under Leopard. Whenever I need to print anything I have to reboot and log in to Tiger.
    Another very strange problem which occurred in Leopard really puzzled me.
    I was going to install the driver for my printer in Leopard this morning. Before I did it, I went to Disk Utility to verify and repair permissions. I read an article somewhere here that says one should do this verify and repair permissions task every time BEFORE and AFTER installing or upgrading anything. Although I never actually understood the concept of repairing permissions and why it's necessary to do it all the time (can anyone be kind enough to make it a bit easier to understand? ... IF the system can check and repair the errors itself, why can't it do it automatically without us ordering the task EVERY TIME we install or upgrade anything?), I followed the advice anyway.
    The whole process of 'verify and repair permissions' took about 20 minutes. During the process it concerned me why it took so long, since my Leopard is 'fresh' - newly installed in a formatted partition without any 3rd party app installed. When the result came out I found myself saying 'OH MY G**!!!' ....
    Have a look:
    *There were more than 100 repaired items!!! Why?* (What you see above is only part of it)
    I don't understand what ACL is and why this has happened ... Can anyone be kind enough to help me understand it?
    Thanks a lot!!

    wawalulu wrote:
    I don't understand what ACL is and why this has happened ... Can anyone be kind enough to help me understand it?
    Well, here's what Wikipedia has to say about ACLs.

  • 10.7.5 update has deleted my Entourage email account.

    I have just completed the 10.7.5 update and when the computer restarted post-update, I found that my entire Entourage email account had been deleted.
    No emails, no saved folders, no inbox, and I can't receive anything unless I set up a new account. After the restart, Entourage loaded up welcoming me as if it was my first time ever using it and asking me to set up my account.
    Someone please help! I need to get my old email account back up and running as it has all the correspondence from my business.

    Thanks macjack and FatMac>MacPro,
    After repairing permissions in Disk Utility I couldn’t log in again, and couldn’t understand rebuilding ACL permissions as I had printed out your replies and had no access to my email to get the link.
    After trying to install the update from the combo updater things got even worse; next I did a reinstall from recovery, which spent six hours downloading and then failed with no error. I did an erase of my partition and reinstall, which then failed but gave me an error about encryption. So I erased the whole drive and reinstalled. This worked. I then ran the update again and it was broken the same as the first update!
    After another erase and reinstall I decided not to update, so I started the restore from Time Machine. After this completed it crashed with the error message saying I must power off and then on again. Restarting didn’t help.
    After another erase of the whole drive and reinstall I did a partial restore from Time Machine and am running again.
    However, I don’t want to attempt another upgrade to 10.7.5. Will Apple come out with a statement about what went wrong? When will you fix this update?
    In the meantime I suggest any owners of a MacBook Air avoid this update.
    For reference this is my model:
      Model Name: MacBook Air
      Model Identifier: MacBookAir4,1
      Processor Name: Intel Core i5
      Processor Speed: 1.6 GHz
      Number of Processors: 1
      Total Number of Cores: 2
      L2 Cache (per Core): 256 KB
      L3 Cache: 3 MB
      Memory: 4 GB
      Boot ROM Version: MBA41.0077.B0F
      SMC Version (system): 1.74f1
    Cheers.

  • HT5313 OS 10.7.5 update has trashed my macbook air.

    The OS 10.7.5 update has trashed my MacBook Air. It now takes ages to boot and does not shut down. How can I restore my computer? Also, TextEdit can't open files, saying I don't have permission. I can cat them in Terminal fine and the permissions are OK in Get Info.

  • QoS for individual users

    Hello all,
    I'm trying to apply QoS in my LAN network in order to give dedicated bandwidth to 100 users if any user is trying to go to www.youtube.com. For the rest of the traffic, I don't need to dedicate an amount of bandwidth.
    As per my solution, I can create a class-map matching the pattern "*youtube*" to classify the destination, but I'm not sure how I can define these 100 users separately.
    The issue is, if I give the range 192.168.10.0 0.0.0.127 in an ACL, I think the bandwidth will be shared amongst the users in the 10.0/25 network. Or do I have to write 100 individual ACLs & class-maps?
    Can someone help me find a feasible solution for this? I think my only issue is on the LAN side, where I'm not able to understand how ACLs & class-maps work in this situation.
    Thanks in advance!

    Hi Hari!
    What platform and software is this for? Some platforms support microflow policing but I think it's only available for higher end equipment such as 6500.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Apache Umask

    How do you change the umask in Apache 2.2 in OS X Server 10.5.8?

    If I understand correctly, ACLs are set on directories that get deleted during cache cleaning, so they will be purged as well. Also, according to http://symfony.com/doc/current/book/installation.html you don't have to set the umask in Apache but in some PHP files; just check the part about "Without using ACL" on the same page.
