Using LDAP group to authenticate users from inside network to Internet
Hi team, I got an ASA 5510 version 7.2.3 and I need to authenticate my users from the inside network to the Internet using a security group in Active Directory. Can anyone help me with this?
This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
then do some filtering -
ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Similar Messages
-
I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
to recognize groups. Here is my weblogic-ejb-jar.xml
<security-role-assignment>
<role-name>channel-role</role-name>
<principal-name>system</principal-name>
<principal-name>mygroup</principal-name>
<principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
</security-role-assignment>
It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
When I pass the credentials from the client of a uniquemember, WLS generates a
security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
either.
Any suggestions?
Thanks
-Surya
Yes, it has impact. You create groups in the Repository & Answers and assign the object level permissions.
You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
For dashboard A - For group Executive - User X - You have given full access.
Now you have changed the Group name to AD_Executive. When You Login variable values would be
User - X
Group - Ad_Executive
Dashboard A - No permissions.
If you have a scenario of changing the group names then get Groups from database using Init block after authorization. -
Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4
Hey,
We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
Using a DN without spaces (such as "UCSAdmins"), works just fine.
I should mention that having a base DN with spaces works just fine as well, it's just the group mappings that don't work.
I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
Is there a workaround available which can make it possible to use a group which has a space in its name?
Thanks,
Dor
Hey Roman,
Thanks for your prompt reply.
We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
Thanks again,
Dor -
LDAP Group is empty while the LDAP group has 150 users
Hi,
My BOE is mapped to the corporate LDAP, and the LDAP group is already mapped to a BO group.
The problem is that the LDAP Group is empty while the LDAP group has 150 users.
Currently, just after each user login at the first time the user is created under the BO Group.
Is there any way to populate the BO Group automatically?
Best Regards,
DoronS
Hi,
yes there is. Check your LDAP Authentication Tab and select "Create new aliases when the Alias Update occurs"
It should be under your Alias settings.
But please note that you then require 150 licenses. So each user gets a license even if he doesn't use the BOE System but is part of the LDAP Group.
Regards
-Seb. -
I would like to use my iPhone 6's wifi hotspot to provide Internet at home (I do not have home internet) via a Time Capsule which I currently use the TC simply as a home wifi network without Internet to enable things like printing wirelessly and backing up data wirelessly via time machine.
I have a Mac Pro, iPhone 6, iPad, Apple TV and Time Capsule. No home Internet.
Is it possible to have my iPhone 6's wifi hotspot used to provide Internet to my wifi network on time capsule? Has anyone else had success doing this? I'm not a tech head and really know very little about things like this. Thanks. Jen
You can have a go using a wireless bridge.. eg the airport express will do this.. you can join it to the iphone wireless running as a hotspot.. and then plugged into the TC wan port.. the TC has to be setup in router mode.. so this is going to give you double NAT errors.. and of course errors for all the time the hotspot is turned off.. but it can work. However you might find it requires you to manually connect up each time.. If you are really going to try and do this you will manage it.. but how fiddly it becomes might put you off after a week.
You will chew up your 5GB very fast using any streaming media even radio. So be very careful to track the usage.
Apple should have built in the TC the ability to plug in a wireless 3G modem.. via the USB but Apple have ceased to do adventurous stuff.
If you give up the TC as main router there are plenty of better products on the market that will handle multiple wan connections.. !! -
AD Group Membership with User From Domain Outside of Forest
Here's one to twist your brain around -
I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
Approach #1
Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
Approach #2
Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
adTHANKSvance
Eric
You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
You'll need to obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example
CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
Then obtain the domain RID, eg.
S-1-5-21-3771862615-1804478405-1612909269
Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like
//specify the LDAP search filter
String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
//Specify the Base for the search
String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
dnsRoot = contoso.com
ncName = dc=contoso,dc=com
Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distinguished names and dns names.
String ldapURL = "ldap://contoso.com:389";
Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
// objectSID is returned as a byte[]; convert it to S-1-5-... form before printing or comparing it
System.out.println("Domain SID: " + attrs.get("objectSID").get());
Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal !
Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have an "orphaned foreign security principal", where the original user object has been deleted !
BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
Good luck. -
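The SID bookkeeping in the reply above (take the CN of the foreignSecurityPrincipal, drop the RID to get the domain SID, match it against the cached crossRef/nCName table, then search that domain for the real user) carried through as an added example. This is not code from the thread or from any of its posters; the trusted-domain table and the DN are constructed sample values, and the lookup is done in-memory rather than against a directory, so the block runs offline. It also shows the binary-to-text conversion for objectSID, which AD returns as bytes, and builds a filter in the escaped-byte form that any LDAP server accepts.

```python
"""Added example (not from the thread): match a foreignSecurityPrincipal to the
trusted domain it came from, then build the search that finds the real user.

Assumptions: the crossRef data (dnsRoot, nCName) and each trusted domain's
objectSID have already been read from the directory as the reply describes;
here they are constructed sample values so the code runs offline.
"""
import struct

# Constructed cache of trusted domains. In practice it is filled from the
# crossRef objects under CN=Partitions,CN=Configuration,... plus one read of
# objectSID at each nCName. contoso.com reuses the values from the reply;
# fabrikam.com is a made-up second forest.
TRUSTED_DOMAINS = [
    {"dnsRoot": "contoso.com", "nCName": "dc=contoso,dc=com",
     "objectSID": "S-1-5-21-3771862615-1804478405-1612909269"},
    {"dnsRoot": "fabrikam.com", "nCName": "dc=fabrikam,dc=com",
     "objectSID": "S-1-5-21-1111111111-2222222222-3333333333"},
]


def decode_sid(blob: bytes) -> str:
    """objectSID comes back from AD as binary; turn it into S-1-5-... text."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid: S-1-5-21-... text back to the binary layout."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Strip the trailing RID: user SID -> (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def fsp_sid_from_dn(fsp_dn: str) -> str:
    """The CN of a foreignSecurityPrincipal is the SID of the remote user."""
    attr, _, value = fsp_dn.split(",", 1)[0].partition("=")
    if attr.strip().upper() != "CN" or not value.startswith("S-"):
        raise ValueError("not a foreignSecurityPrincipal DN: %r" % fsp_dn)
    return value


def sid_filter(sid: str) -> str:
    """RFC 4515 filter matching the binary objectSid byte-for-byte (portable
    across servers; AD also accepts the plain S-1-5-... string form)."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in encode_sid(sid))


def resolve_foreign_principal(fsp_dn: str, trusted_domains):
    """Return where to look for the real user object, or None for an orphaned
    principal or a domain that is not in the cache."""
    sid = fsp_sid_from_dn(fsp_dn)
    domain_sid, rid = split_sid(sid)
    for dom in trusted_domains:
        if dom["objectSID"] == domain_sid:
            return {"server": "ldap://%s:389" % dom["dnsRoot"],
                    "search_base": dom["nCName"],
                    "filter": sid_filter(sid), "rid": rid}
    return None


if __name__ == "__main__":
    fsp = ("CN=S-1-5-21-3771862615-1804478405-1612909269-2143,"
           "CN=ForeignSecurityPrincipals,DC=antipodes,DC=com")
    print(resolve_foreign_principal(fsp, TRUSTED_DOMAINS))
```

The returned dictionary is the input for the second bind the reply describes: connect to `server`, search `search_base` with `filter`, and the one entry that comes back is the user behind the foreign security principal. A None result is the orphaned-principal case the reply warns about, or a trusted domain whose crossRef has not been cached yet.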
LDAP authentication in AD (users from other trusted domain)
Hi
I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
I use LDAP authentication in AD for authentication users (AnyConnect).
Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
I do not want direct connect with the domain contoller in the trusted domain.
My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
But if I try to test aaa-server authentication from ASA
I get error.
I think, I must use username like "DOMAINB\userindomainb" but this not work.
Help me please.
Thanks!
My config:
aaa-server ADA protocol ldap
aaa-server ADA (inside) host 10.0.0.1
ldap-base-dn dc=domaina, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
server-type microsoft
Hello!
I see in console (debug LDAP):
Request for [email protected] returned code (10) Referral
Does ASA support authentication via LDAP referrals?
I read old thread:
https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
And see: CSCsj32153 Symptom: the ASA/PIX doesn't currently support LDAP Referral searches.
But I use:
Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.3(3)
Compiled on Mon 15-Dec-14 05:10 PST by builders
System image file is "disk0:/asa923-smp-k8.bin"
Thanks! -
LDAP query to fetch users from Two different OU
I am looking for an AD query to get AD enabled users from two different OU Stores & ServiceOffice under root domain.
Using below syntax to fetch it simultaneously but not succeeding. Please help me.
(&(objectCategory=person)(|(ou=Stores)(ou=ServiceOffice)))
Hi, thanks for the revert. Actually I am setting this syntax in the application, not running a PowerShell script to fetch users.
So i need query in Ldap filter format only...
i.e.
(&(objectCategory=person)(|(OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com)(ou=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com)))
Please correct my above query. -
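An added example, not from the thread, that shows why a filter of the shape `(|(ou=Stores)(ou=ServiceOffice))` matches no users and what works instead. `ou` is an attribute of the organizationalUnit container, not of the person entries under it, so an OU can only be selected by where the search starts (its base DN) or by checking each result's DN afterwards; the block produces both shapes and also excludes disabled accounts via the `userAccountControl` bit-AND matching rule. The OU DNs and the sample entries are constructed values, not the poster's directory.

```python
"""Added example (not from the thread): pull enabled users out of two OUs.

Why the posted filter returns nothing: 'ou' is an attribute of the
organizationalUnit container, not of the user entries inside it, so
(|(ou=Stores)(ou=ServiceOffice)) never matches a person. Two working shapes:
one search per OU base with the same filter, or one search from the domain
root followed by a DN check on the client. The OU DNs and entries below are
constructed sample data.
"""

# ACCOUNTDISABLE bit of userAccountControl; 1.2.840.113556.1.4.803 is AD's
# LDAP_MATCHING_RULE_BIT_AND, so the clause below excludes disabled accounts.
ACCOUNTDISABLE = 0x2
ENABLED_USER_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

OU_BASES = ["OU=Stores,DC=ABC,DC=com", "OU=ServiceOffice,DC=ABC,DC=com"]  # constructed


def search_plan(ou_bases, ldap_filter=ENABLED_USER_FILTER):
    """Shape 1: one subtree search per OU, same filter each time."""
    return [(base, "subtree", ldap_filter) for base in ou_bases]


def parse_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs, honouring '\\,' escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escaped pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def is_under(dn, base_dn):
    """True when dn lies beneath base_dn (nested OUs included)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def is_enabled(user_account_control):
    """False when the ACCOUNTDISABLE bit is set."""
    return not (int(user_account_control) & ACCOUNTDISABLE)


def select_users(entries, ou_bases):
    """Shape 2: post-filter a domain-root search result on the client."""
    return [e["sAMAccountName"] for e in entries
            if is_enabled(e["userAccountControl"])
            and any(is_under(e["dn"], base) for base in ou_bases)]


# Constructed search result as a directory would return it (dn, sAMAccountName,
# userAccountControl); 512 is a normal enabled account, 514 the same but disabled.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Stores,DC=ABC,DC=com", "sAMAccountName": "alice", "userAccountControl": 512},
    {"dn": "CN=Bob,OU=ServiceOffice,DC=ABC,DC=com", "sAMAccountName": "bob", "userAccountControl": 514},  # disabled
    {"dn": "CN=Carol,OU=Finance,DC=ABC,DC=com", "sAMAccountName": "carol", "userAccountControl": 512},  # other OU
    {"dn": "CN=Dave,OU=Retail,OU=Stores,DC=ABC,DC=com", "sAMAccountName": "dave", "userAccountControl": 512},  # nested OU
    {"dn": "CN=Smith\\, Eve,OU=ServiceOffice,DC=ABC,DC=com", "sAMAccountName": "eve", "userAccountControl": 512},  # escaped comma
]

if __name__ == "__main__":
    for base, scope, flt in search_plan(OU_BASES):
        print(base, scope, flt)
    print(select_users(SAMPLE_ENTRIES, OU_BASES))
```

For an application that can only supply a single filter string, shape 1 is the one to use: run the search twice with the two OU DNs as base and keep the filter unchanged. Shape 2 is there for the case where the application fixes the base at the domain root; it costs a larger result set, which is why the DN check has to cope with nested OUs and escaped commas rather than doing a plain substring match.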
OIM OES Integration to use LDAP groups for policy making
Hi ,
I am trying to make policy for the OIM application using OES. i want to use my LDAP groups as principals to control the access in OIM. How it can be achieved
Thanks
Edited by: user10660448 on May 21, 2013 1:35 AM
Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
When you have multiple domains, you have a problem with this set-up as the internal LDAP is coupled to
a specific domain. This means that users you created in one domain are not visible in the other. When using
a separate LDAP that contains the users, you can configure in each domain an authenticator that points
to the LDAP. In this way you can share the users across multiple domains.
When you are planning to use one domain you can stick with the internal LDAP if you want.
An example set-up (that uses access manager not identity manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
which might help you in how to proceed. -
Using Powershell to delete all users from the Portal
Summary
This script will delete all users from the Portal except for Administrator and the Built-In Sync account.
Based on Markus's "Delete a User" script.
Useful when developing your system if you want to quickly clear out the data and start again.
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant

function DeleteObject
{
    PARAM($objectType, $objectId)
    END
    {
        # Build an ImportObject whose State marks the target for deletion, then push it
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $objectType
        $importObject.TargetObjectIdentifier = $objectId
        $importObject.SourceObjectIdentifier = $objectId
        $importObject.State = 2
        $importObject | Import-FIMConfig -uri $URI
    }
}

# Load the FIMAutomation snap-in if it is not already present in this session
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

# Export every Person object (base resources only; no reference chasing)
$allobjects = export-fimconfig -uri $URI `
    -onlyBaseResources `
    -customconfig "/Person"

$allobjects | Foreach-Object {
    $displayName = $_.ResourceManagementObject.ResourceManagementAttributes | `
        Where-Object {$_.AttributeName -eq "DisplayName"}
    if([string]::Compare($displayName.Value, "Administrator", $True) -eq 0)
        {write-host "Administrator NOT deleted"}
    elseif([string]::Compare($displayName.Value, "Built-in Synchronization Account", $True) -eq 0)
        {write-host "Built-in Synchronization Account NOT deleted"}
    else {
        # ObjectIdentifier is urn:uuid:<guid>; the third colon-separated piece is the GUID
        $objectId = (($_.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
        DeleteObject -objectType "Person" `
                     -objectId $objectId
        write-host "`nObject deleted`n" $displayName.Value }
}
Go to the FIM ScriptBox
http://www.wapshere.com/missmiis
The DeleteObject function opens and closes a connection for each object. This approach is faster:
http://social.technet.microsoft.com/wiki/contents/articles/23570.how-to-use-powershell-to-delete-fim-users-that-have-a-null-attribute-name.aspx
Mike Crowley | MVP
My Blog --
Planet Technologies -
How to manage c877(outside) in RFC1483 mode through ASA5505 from (inside)network
Hi All
Here is a quick summary of my network setup.
ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
I am trying to figure out how to correctly configure my C877 & my ASA so I can telnet and manage the C877 from one of the inside networks on the ASA5505.
With the current configuration I can ping the C877 but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
Interface connectivity is as follows:
ISP <-> C877 PoTS
C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
HP L2 Switch <-> Home PC.
Device IPs:
Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
Home PC = 192.168.50.81 / 24
Router C877 IP = 192.168.50.2 / 24
Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
Here is what I have tried so far but without luck:
Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
Any help much appreciated!
C877 config below:
Current configuration : 1422 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname c877
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone UTC 11 0
crypto pki token default removal timeout 0
dot11 syslog
ip source-route
ip cef
ip domain name --CUT--
no ipv6 cef
multilink bundle-name authenticated
username --CUT-- privilege 15 password 7 --CUT--
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 1
pvc 8/35
encapsulation aal5snap
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
no ip address
bridge-group 1
interface BVI1
ip address 192.168.50.2 255.255.255.0
ip default-gateway 192.168.50.1
ip forward-protocol nd
no ip http server
no ip http secure-server
snmp-server community public RO
snmp-server ifindex persist
control-plane
bridge 1 protocol ieee
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input all
end
ASA5505 config below:
ASA Version 9.1(3)
hostname asa5505
enable password --CUT-- encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd --CUT-- encrypted
names
interface Ethernet0/0
switchport access vlan 10
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 20
interface Ethernet0/3
switchport access vlan 30
interface Ethernet0/4
switchport access vlan 40
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 70
interface Ethernet0/7
switchport access vlan 70
interface Vlan1
nameif inside_private
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan10
nameif outside_public
security-level 0
pppoe client vpdn group ADSL2
ip address pppoe setroute
interface Vlan20
nameif inside_dmz
security-level 70
ip address 192.168.60.1 255.255.255.0
interface Vlan30
nameif inside_guest
security-level 50
ip address 192.168.70.1 255.255.255.0
interface Vlan40
nameif inside_experimental
security-level 60
ip address 10.0.0.1 255.255.0.0
interface Vlan70
nameif inside_phone
security-level 10
ip address 192.168.80.1 255.255.255.192
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside_dmz
dns server-group DefaultDNS
name-server 192.168.60.2
same-security-traffic permit intra-interface
object network LAN_private
subnet 192.168.50.0 255.255.255.0
object network LAN_dmz
subnet 192.168.60.0 255.255.255.0
object network LAN_guest
subnet 192.168.70.0 255.255.255.0
object network LAN_experimental
subnet 10.0.0.0 255.255.0.0
object network QNAP_host
host 192.168.50.9
object network INTELNUC_host
host 192.168.60.2
object network INTELNUC_prtgservice
host 192.168.60.2
object network INTELNUC_webservice
host 192.168.60.2
object network QNAP_management
host 192.168.50.9
object network QNAP_transmission
host 192.168.50.9
object network LAN_guest_wireless
range 192.168.70.31 192.168.70.50
object network QNAP_t51413
host 192.168.50.9
object network QNAP_u51413
host 192.168.50.9
object service 9000-9049
service udp destination range 9000 9049
object network C7940_u10000-20000
host 192.168.80.11
object network C7940_t5060
host 192.168.80.11
object network LAN_phone
subnet 192.168.80.0 255.255.255.192
object network SPINTEL_host
host --CUT--
object service 16384-32766
service udp source range 16384 32766
object network C7940_host
host 192.168.80.11
object service 10000-20000
service udp destination range 10000 20000
object network C7940_u5060
host 192.168.80.11
object-group network LAN_all
network-object object LAN_dmz
network-object object LAN_experimental
network-object object LAN_guest
network-object object LAN_private
network-object object LAN_phone
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service 5060 tcp-udp
port-object eq sip
object-group service 53 tcp-udp
port-object eq domain
access-list public_ACL extended permit tcp any object QNAP_host eq 8080
access-list public_ACL extended permit tcp any object QNAP_host eq 51413
access-list public_ACL extended permit udp any object QNAP_host eq 51413
access-list public_ACL extended permit tcp any object QNAP_host eq 9091
access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
access-list public_ACL extended permit tcp any object INTELNUC_host eq www
access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
access-list dmz_ACL extended permit icmp any any echo
access-list dmz_ACL extended permit udp any any eq snmp
access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
access-list dmz_ACL extended deny ip any object LAN_private
access-list dmz_ACL extended deny ip any object LAN_guest
access-list dmz_ACL extended deny ip any object LAN_experimental
access-list dmz_ACL extended deny ip any object LAN_phone
access-list dmz_ACL extended permit ip any any
access-list guest_ACL extended permit icmp any any echo
access-list guest_ACL extended permit udp any any eq snmp
access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
access-list guest_ACL extended permit ip any object INTELNUC_host
access-list guest_ACL extended permit ip any object QNAP_host
access-list guest_ACL extended deny ip any object LAN_private
access-list guest_ACL extended deny ip any object LAN_dmz
access-list guest_ACL extended deny ip any object LAN_experimental
access-list guest_ACL extended deny ip any object LAN_phone
access-list guest_ACL extended permit ip any any
access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
access-list phone_ACL extended permit udp object C7940_host any eq ntp
access-list phone_ACL extended permit tcp object C7940_host any eq sip
access-list phone_ACL extended permit udp object C7940_host any eq sip
access-list phone_ACL extended permit ip object C7940_host any inactive
access-list phone_ACL extended permit ip object LAN_phone any inactive
pager lines 24
logging enable
logging asdm notifications
mtu inside_private 1500
mtu outside_public 1492
mtu inside_dmz 1500
mtu inside_guest 1500
mtu inside_experimental 1500
mtu inside_phone 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
object network LAN_private
nat (inside_private,outside_public) dynamic interface
object network LAN_dmz
nat (inside_dmz,outside_public) dynamic interface
object network LAN_guest
nat (inside_guest,outside_public) dynamic interface
object network LAN_experimental
nat (inside_experimental,outside_public) dynamic interface
object network INTELNUC_prtgservice
nat (inside_dmz,outside_public) static interface service tcp 444 444
object network INTELNUC_webservice
nat (inside_dmz,outside_public) static interface service tcp www www
object network QNAP_management
nat (inside_private,outside_public) static interface service tcp 8080 8080
object network QNAP_transmission
nat (inside_private,outside_public) static interface service tcp 9091 9091
object network QNAP_t51413
nat (inside_private,outside_public) static interface service tcp 51413 51413
object network QNAP_u51413
nat (inside_private,outside_public) static interface service udp 51413 51413
object network C7940_t5060
nat (inside_private,outside_public) static interface service tcp sip sip
object network LAN_phone
nat (inside_phone,outside_public) dynamic interface
object network C7940_u5060
nat (inside_private,outside_public) static interface service udp sip sip
access-group public_ACL in interface outside_public
access-group dmz_ACL in interface inside_dmz
access-group guest_ACL in interface inside_guest
access-group phone_ACL in interface inside_phone
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside_private
snmp-server host inside_dmz 192.168.60.2 community *****
snmp-server location inside_dmz
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint localtrust
enrollment self
fqdn asa5505.--CUT--
subject-name CN=sasa5505.--CUT--
keypair sslvpnkey
crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
certificate --CUT--
telnet 192.168.50.0 255.255.255.0 inside_private
telnet timeout 60
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ADSL2 request dialout pppoe
vpdn group ADSL2 localname --CUT--
vpdn group ADSL2 ppp authentication pap
vpdn username --CUT-- password --CUT-- store-local
dhcpd auto_config outside_public
dhcprelay server 192.168.60.2 inside_dmz
dhcprelay enable inside_private
dhcprelay enable inside_guest
dhcprelay enable inside_experimental
dhcprelay enable inside_phone
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server --CUT-- source inside_private
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
ssl trust-point localtrust outside_public
webvpn
anyconnect-essentials
username --CUT-- password --CUT-- encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:--CUT--
Ansar,
A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
As an example.
If you had
service pete
ip address 1.1.1.1
active
content pete
add service pete
protocol tcp
port 80
vip address 2.2.2.2
active
group pete_out
vip address 2.2.2.2
add service pete
active
So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
You can also apply a source group via an acl as another option.
Regards
Pete..
[email protected] -
Complex DNS? Cannot reach XServe from inside network
I'm trying to make DNS work on an XServe with Leopard Server installed.
I had to migrate (mostly manually) DNS from the old server.
The server runs DNS for about 50 websites, most of them on the server itself, some on other local machines. All these are configured with their external ip addresses.
From inside the building I cannot reach the server unless I make a subnet so the XServe acts as a router too. Then I can also use Server Admin, for example, which I cannot use without that subnet.
From within the server, DNS seems to work while just browsing the domains with Safari.
sudo changeip -checkhostname
Primary address = 10.0.2.15
Current HostName = dns.myserver.com
The DNS hostname is not available, please repair DNS and re-run this tool.
So I guess I made a mess..
host on the XServe IP address (also from within the XServe):
odin:~ admin$ host 10.0.2.15
Host 15.2.0.10.in-addr.arpa not found: 3(NXDOMAIN
The host command on the external IP address gave me one of the domains, but not dns.myserver.com.
$ host 192.xxx.xxx.xxx (of course I used the full external IP address)
192.xxx.xxx.xxx.in-addr.arpa domain name pointer dns.myserver.com.
Can anybody help?
Message was edited by: skipx2 -
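The symptom above (changeip -checkhostname failing, no PTR for 10.0.2.15, but a PTR for the external address) is a forward/reverse mismatch. As an added example, not from the thread or from Apple's tool, here is a small checker that reproduces the consistency test against constructed records; the external address 192.0.2.10 is a placeholder, and the live_* resolvers are optional swap-ins for running it on the server itself.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample records (not real DNS data) mirroring the post: the hostname and the
# external address (a placeholder here) resolve, but the internal primary address has no PTR.
FORWARD: Dict[str, List[str]] = {"dns.myserver.com": ["192.0.2.10"]}
REVERSE: Dict[str, str] = {"192.0.2.10": "dns.myserver.com"}

def table_a(name: str) -> List[str]:
    """Forward (A) lookup against the constructed table."""
    return FORWARD.get(name.rstrip(".").lower(), [])

def table_ptr(ip: str) -> str:
    """Reverse (PTR) lookup against the constructed table; "" stands for NXDOMAIN."""
    return REVERSE.get(ip, "")

def live_a(name: str) -> List[str]:
    """Forward lookup through the system resolver, for use on the server itself."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_ptr(ip: str) -> str:
    """Reverse lookup through the system resolver; "" when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""

def check_hostname(hostname: str, primary_ip: str,
                   a: Callable[[str], List[str]] = table_a,
                   ptr: Callable[[str], str] = table_ptr) -> List[str]:
    """Return findings explaining why hostname and primary_ip disagree; [] when they agree."""
    findings: List[str] = []
    addrs = a(hostname)
    if not addrs:
        findings.append(f"{hostname} has no A record")
    elif primary_ip not in addrs:
        findings.append(f"{hostname} resolves to {addrs}, not to the primary address "
                        f"{primary_ip}: internal clients need a zone or view that answers "
                        "with the internal address instead of the external one")
    name = ptr(primary_ip)
    if not name:
        findings.append(f"no PTR record for {primary_ip} (NXDOMAIN): add a reverse zone "
                        f"for its subnet pointing back to {hostname}")
    elif name.rstrip(".").lower() != hostname.rstrip(".").lower():
        findings.append(f"PTR for {primary_ip} is {name}, expected {hostname}")
    return findings

if __name__ == "__main__":
    for finding in check_hostname("dns.myserver.com", "10.0.2.15"):
        print("-", finding)
```

To run it against the real server, call check_hostname(hostname, ip, a=live_a, ptr=live_ptr) on the XServe itself.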
Is there a way to provision FF to multiple users from a network share?
Rather than deploying FF to 150,000 users, I would like to centrally provision the application from a network location. Is this possible?
You can only use one library at a time in an Aperture slideshow, so I'd suggest to simply collect the audio that you want to use in a folder (export the songs from both iTunes Libraries) and then import this folder to Aperture. Now you have a project containing the audio files; you will see it in the Aperture Audio section of the audio Browser, right above the iTunes section.
You can use the Aperture audio just like the audio in iTunes to drag to the timeline of your slideshow.
Regards
Léonie -
Using .htaccess file to block access from certain networks
Does anybody have any tips on getting a .htaccess file to work to block access to my Web Access server from certain network ranges on SuSE 10 SP3 with GW 8.0.2.
It does seem like the file does anything? With Web Access I'm not exactly sure where to put the file. I used to accomplish this using iptables, but I was seeing if I could do the same with .htaccess.
Thanks!
Originally Posted by bbilut
Does anybody have any tips on getting a .htaccess file to work to block access to my Web Access server from certain network ranges on SuSE 10 SP3 with GW 8.0.2.
It does seem like the file does anything? With Web Access I'm not exactly sure where to put the file. I used to accomplish this using iptables, but I was seeing if I could do the same with .htaccess.
Thanks!
You can block a range with the .htaccess file, for example by defining the range as
Code:
order allow,deny
deny from 10.0.
allow from all
...that would block all addresses from 10.0.0.0 up to 10.0.255.255.
You cannot use this file in Tomcat, so it is useless I think... but as Apache is used as the frontend for the Tomcat webacc application, you might be able to edit the GroupWise Apache conf files to include the range denies (by default found in /etc/opt/novell/groupwise/webaccess/gw.conf).
Maybe this thread might help, as there are some examples of how to include denies in the .conf files.
Deny IP Ranges in httpd.conf Apache Web Server forum at WebmasterWorld
Do make a backup of your current gw.conf in case it blows up :)
-Willem -
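As an added example (not from the thread, GroupWise or Apache), here is a Python emulation of Apache 2.2 Order allow,deny / deny,allow evaluation for numeric "from" arguments, so a range such as the "deny from 10.0." in Willem's snippet can be checked against sample client addresses before it goes into gw.conf. It assumes the arguments are addresses, CIDR blocks or 1-3 octet prefixes; hostname arguments are out of scope.

```python
import ipaddress
from typing import List, Tuple

# Constructed input: the snippet from the reply above, as it would appear in .htaccess or gw.conf.
HTACCESS = """order allow,deny
deny from 10.0.
allow from all
"""

def matches(arg: str, ip: str) -> bool:
    """Does one 'allow from' / 'deny from' argument cover ip?
    Handles 'all', a full address, CIDR, and a 1-3 octet partial address such as '10.0'
    or '10.0.' (leading-octet prefix match). Hostname arguments are assumed out of scope."""
    addr = ipaddress.ip_address(ip)
    arg = arg.strip().lower()
    if arg == "all":
        return True
    if "/" in arg:
        return addr in ipaddress.ip_network(arg, strict=False)
    octets = arg.rstrip(".").split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(arg)
    return str(addr).split(".")[:len(octets)] == octets

def parse(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Extract the Order value and the (allow|deny, argument) pairs from directive text."""
    order, rules = "deny,allow", []          # Apache's default Order is deny,allow
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "order":
            order = parts[1].lower()
        elif len(parts) >= 3 and parts[0].lower() in ("allow", "deny") and parts[1].lower() == "from":
            rules.extend((parts[0].lower(), p) for p in parts[2:])
    return order, rules

def is_allowed(text: str, ip: str) -> bool:
    """Apply Apache 2.2 mod_authz_host semantics to decide whether ip may connect."""
    order, rules = parse(text)
    allowed = any(matches(a, ip) for kind, a in rules if kind == "allow")
    denied = any(matches(a, ip) for kind, a in rules if kind == "deny")
    if order == "allow,deny":       # must match an Allow and no Deny; unmatched -> denied
        return allowed and not denied
    if order == "deny,allow":       # a Deny is overridden by an Allow; unmatched -> permitted
        return allowed or not denied
    raise ValueError(f"unsupported Order {order!r}")

if __name__ == "__main__":
    for client in ("10.0.0.1", "10.0.255.255", "10.1.0.1", "192.0.2.7"):
        print(client, "allowed" if is_allowed(HTACCESS, client) else "denied")
```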
How to get list of groups and the users from OID
Hi,
Can someone please tell me how to get the list of GROUPS and all the USERS in each group in OID using Java? I need to recursively get all the groups and users in each group using Java; any samples?
Thanks
Use examples from OTN like
http://www.oracle.com/technology/sample_code/products/jdev/readmes/samples/ldapdatacontrol/ldapapplication/src/dc/ldap/model/LDAPSearch.java
and modify it to your needs
Bernhard