Virtual Exchange & NAT'ing
A virtual server currently has Exchange installed on it with load balancing on our network. Each NIC has its own IP address and they want one external address for it to NAT to. Looking at our ASA, we can't overlap addresses...meaning I get an error when I try to NAT 2 internal addresses to 1 external. How can this be accomplished?
What version do you have? It can be done with a special configuration on 8.2. If you are on version 8.3 or higher you may want to look at Many to Few NAT configuration.
Mike
Similar Messages
-
I'm having problems backing up a Hyper-V virtualized Exchange 2007 server with DPM 2012. The guest has one VHD for the OS, and two pass-through volumes, one for logs and one for the databases. I have three protection groups:
System State - protects only the system state of the mail server, runs at 4AM every morning
Exchange Databases - protects the Exchange stores, 15 minute syncs with an express full at 6:30PM every day
VM - Protecting the server hosting the Exchange VM. Does an child partition snapshot backup of the Exchange server guest with an express full at 9:30PM every day
The problem I'm experiencing is that every time the VM express full completes I start receiving errors on the Exchange Database synchronizations stating that a log file discontinuity was detected. I did some poking around in the logs on the Exchange server and sure enough, it looks like the child partition snapshot backup is causing Exchange to truncate the log files even though the logs and databases are on pass-through disks and aren't covered by the child partition snapshot.
What is the correct way to back up an entire virtualized Exchange server, system state, databases, OS drive and all?
I just created a new protection group. I added "Backup Using Child Partition Snapshot\MailServer", short-term protection using disk, and automatically create the replica over the network immediately. This new protection group contains only the child partition snapshot backup. No Exchange backups of any kind.
The replica creation begins. Soon after, the following events show up in the Application log:
=================================
Log Name: Application
Source: MSExchangeIS
Date: 10/23/2012 10:41:53 AM
Event ID: 9818
Task Category: Exchange VSS Writer
Level: Information
Keywords: Classic
User: N/A
Computer: PLYMAIL.mcquay.com
Description:
Exchange VSS Writer (instance 7d26282d-5dec-4a73-bf1c-f55d5c1d1ac7) has been called for "CVssIExchWriter::OnPrepareSnapshot".
=================================
Log Name: Application
Source: ESE
Date: 10/23/2012 10:41:53 AM
Event ID: 2005
Task Category: ShadowCopy
Level: Information
Keywords: Classic
User: N/A
Computer: PLYMAIL.mcquay.com
Description:
Information Store (3572) Shadow copy instance 2051 starting. This will be a Full shadow copy.
=================================
The events continue on, basically snapshotting all of Exchange. From the DPM side, the total amount of data transferred tells me that even though Exchange is truncating its logs, nothing is actually being sent to the DPM server. So this snapshot operation seems to be superfluous. ~30 minutes later, when my regularly scheduled Exchange job runs, it fails because of a log file discontinuity.
So, in this case at least, a Hyper-V snapshot backup is definitely causing Exchange to truncate the log files. What can I look at to figure out why this is happening? -
Exchange 2010: Virtualized Exchange 2010 Datacenter Migration
We have a virtualized Exchange 2010 production implementation that needs to be relocated to a new datacenter. We will be leveraging SAN based replication and VMWare to cutover.
Some background info:
3 CAS/HUB servers
4 Node DAG across 2 sites (3 production Mailbox servers in the site to be migrated, 1 mailbox server will not move and be left in DR)
Since I need to shut down 3 mailbox servers in a 4 node DAG, the cluster will go offline and the databases will dismount. I could run a datacenter switchover to preserve service, but I have the OK to take Exchange completely down.
Knowing that:
1) What are the best practices to shut down and start up all the CAS servers and Mailbox servers (both in prod and DR)?
2) Should I suspend replication or dismount the databases in advance and prevent them from automatically mounting on boot up? Is the StartDagServerMaintenance script relevant in this situation?
Any suggestions on the proper way to go about this are much appreciated. Thanks for reading.
--> 1) During the shutdown... would it make sense to turn off the 4th mailbox server in the DAG which is located in our DR site? I'm thinking that leaving the DR mailbox server powered off and powering it up last among the DAG members would prevent any database copies from being activated in DR.
You already have a planned outage. I suggest you shut down the server in DR and start that after starting all the 3.
2) To be able to mount a database in a 4 node DAG, I need to have the file share witness and two mailbox servers available first...correct?
Your fileshare witness should be online first otherwise none of your databases will get mounted.
If your DAG contains an odd number of members the file share witness will be ignored (an even number of DAG members will use the file share witness): http://blog.credera.com/technology-insights/microsoft-solutions/when-do-dags-need-a-file-share-witness/
Thanks, MAS
Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
RV320 Additional WAN IP NAT'ing
Hello, I have an RV 320, my initial IP allocation from my ISP was 38.122.x.x a /30 allocation. Recently I needed to NAT a device so I requested a /29 block from my ISP the new block is 38.79.x.x. The router is fully managed by ISP, they told me that the new /29 block will be configured to route to the original WAN IP of my RV320. I configured a 1to1 NAT and no luck I am unable to remotely connect to the device via the external IP. Any assistance would be greatly appreciated.
Jennifer,
Thanks for the quick reply.
You were pretty much correct, all I needed to do was create the appropriate NAT map between the Public IP & a DMZ server and also add a new RULE to allow the new public facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.
I didn't need to set up any static ARPs or create any routes (default route is already set out via the Public interface). Also no ISP specific set-up was required, so as
I haven't tried to set-up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy. -
NAT'ing firewall Wiki articles gone
http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Share_your_broadband_connection
and
http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Adding_advanced_features
are empty now.
Can someone check why those pages are stubs now, because I need both articles,
or at least give backups if possible, since I set up my home server using those.
Last edited by Satan666999 (2008-12-30 08:40:40)
Google cache for the first page:
http://74.125.77.132/search?q=cache:toh … ient=opera
No idea why it's off the wiki though, has it got something to do with the ' in NAT'ing? -
LUN config for virtualized Exchange server
Hi All,
What would be the preferred LUN configuration for a virtualized Exchange server? It will be a 2 server multi-role configuration on a 3 node Hyper-V cluster. 1 LUN per database. Exchange servers will not be configured to be highly available. Failover on application level.
1. Present the LUN as an iscsi target to the hyper-v host and create a VHD on it for the Exchange server.
Benefit: VHDX is flexible
Drawback: No snapshotting of database via backup app etc.
2. Present the LUN as a pass-through disk to the Exchange server via the Hyper-v host
Benefit: no hyper-v overhead?
Drawback: not flexible
3. Add a vnic to the Exchange server and configure the iscsi initiator on the exchange server.
Benefit: no hyper-v overhead
Drawback: Little more complex configuration
Which one is best? I would prefer option 2, but I might miss something?
I'm away for a moment.
Honestly, it's tough to say which one is the best option, because it really depends on you and your environment. I typically do deployments on VMware and not Hyper-V as a lot of the clients I work with already have VMware entrenched in their environment, but it's really the same concept. Typically we use option 1, where we let VMware handle the iSCSI connections to the SAN and we present the storage to the VM as a vmdk file. Option 1 eliminates the complexity and is usually the easiest to configure for people and allows for easy administration.
Since you mentioned backup snapshots, I would stay away from option 2. Depending on the method and application you are using for backup, passthrough disks can cause issues. If you were initiating the hardware snapshot from inside the VM I believe that would fail with a passthrough disk as well since the guest is not communicating directly to the SAN.
Option 3 would allow you to take hardware snapshots of the drives that the databases reside on and you would do all the management of the device from the SAN level. This would be the most complicated to set up since you have to zone it out and make sure the guest can communicate with the SAN.
If it was me, I would probably deploy option 1 since that usually seems to be the easiest to manage and configure and in my experience, the less complex you make something, the easier it is to manage.
-
Out of Memory Exception on Virtual Exchange 2013
I am having an issue with my Exchange 2013 server having multiple OutOfMemory errors. I am receiving these errors for Event ID 1026 Source .Net Runtime, Event ID 1325 Source ASP.NET, Event ID 4999 Source MSExchange Common, and Event ID 1106 Source MSExchange ActiveSync. I am also receiving an Application error Event ID 1000. Exchange is running on a virtual machine with 16 GB of memory. Any help or suggestions will be greatly appreciated. Below is the error message from Event ID 1106.
--- Exception start ---
Exception type: System.OutOfMemoryException
Exception message: Exception of type 'System.OutOfMemoryException' was thrown.
Exception level: 0
Exception stack trace:
at Microsoft.Exchange.Data.Storage.GenericListData`2.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
at Microsoft.Exchange.AirSync.DeviceBehaviorData.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
at Microsoft.Exchange.Data.Storage.DerivedData`1.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
at Microsoft.Exchange.Data.Storage.GenericListData`1.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
at Microsoft.Exchange.Data.Storage.GenericDictionaryData`3.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
at Microsoft.Exchange.Data.Storage.SyncState.DeserializeSyncStateTable(Int64 idxTable)
at Microsoft.Exchange.Data.Storage.SyncState.Deserialize(PropertyDefinition property)
at Microsoft.Exchange.Data.Storage.SyncState.Load(Boolean reloadFromBackend, PropertyDefinition[] additionalPropsToLoad)
at Microsoft.Exchange.Data.Storage.SyncState..ctor(SyncStateStorage syncStateStorage, StoreObject storeObject, SyncStateInfo syncStateInfo, Boolean syncStateIsNew)
at Microsoft.Exchange.Data.Storage.CustomSyncState.GetSyncState(SyncStateStorage syncStateStorage, Folder syncStateParentFolder, SyncStateInfo syncStateInfo, StoreObjectId storeObjectId)
at Microsoft.Exchange.Data.Storage.SyncStateStorage.GetCustomSyncState(SyncStateInfo syncStateInfo)
at Microsoft.Exchange.AirSync.GlobalInfo.LoadFromMailbox(MailboxSession mailboxSession, SyncStateStorage syncStateStorage, ProtocolLogger protocolLogger)
at Microsoft.Exchange.AirSync.Command.OpenSyncStorage(Boolean shouldOpenGlobalSyncState, Boolean shouldUseBudget)
at Microsoft.Exchange.AirSync.Command.WorkerThread()
--- Exception end ---
Hello,
According to the error, the memory is not enough.
Please describe your environment and post the detailed event information.
Besides, I recommend you use Server Role Requirements Calculator to calculate memory and CPU.
Here is an article for your reference.
http://blogs.technet.com/b/exchange/archive/2013/05/14/released-exchange-2013-server-role-requirements-calculator.aspx
Cara Chen
TechNet Community Support -
Problem with nat-ing on asa 5505
I have the ASA 5505 with ASA 8.4.2 and ASDM 6.4.5. I use this ASA 5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. The WAN port of the ASA 5505 is on network 10.13.74.0/24, the LAN port is on 192.168.0.0/24. This configuration worked OK until my ISP changed the router on address 10.13.74.1. I NAT-ed on the ASA 5505, I put in an access policy and I had access to network 10.15.100.0/24, but now I can't. The users from the network can access devices on addresses 192.168.0.20 and 192.168.0.22, but I can't access the network 10.15.100.0/24. My configuration of the ASA 5505 is:
Result of the command: "show runn"
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.13.74.33 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server
 host 192.168.0.20
object network sharepointdri
 host 192.168.0.22
object network paragraflex
 host 192.168.0.20
object network dri.local
 subnet 192.168.0.0 255.255.255.0
object service ParagrafLex1
 service tcp source eq 6190
 description Odlazni
object service paragraf
 service tcp destination eq 6190
 description dolazni
object network nonat
 host 192.168.0.20
object network lokalnamreza
 range 192.168.0.1 192.168.0.254
object network natnetwork
 subnet 192.168.0.0 255.255.255.0
object network natmreze
 subnet 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp echo-reply
 service-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo-reply
 service-object tcp
 service-object ip
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
 service-object object ParagrafLex1
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object tcp
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
object-group service DM_INLINE_SERVICE_4
 service-object tcp
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object icmp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.13.74.0 255.255.255.0
 network-object 10.15.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_9
 service-object tcp-udp
 service-object tcp destination eq https
 service-object tcp destination eq domain
object-group service DM_INLINE_SERVICE_10
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list outside_access_in_1 extended permit object paragraf any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside 10.13.74.1 000d.bd64.a8e2
arp timeout 14400
!
object network server
 nat (inside,outside) static 10.13.74.34 dns
object network sharepointdri
 nat (any,any) static 10.13.74.39
object network nonat
 nat (inside,outside) static 192.168.0.20
object network natmreze
 nat (any,any) static 10.13.74.42 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route outside 10.15.100.0 255.255.255.0 10.13.74.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ftp paragraf
 parameters
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context state priority domain
no call-home reporting anonymous
Cryptochecksum:61572938ed01b1c7447e43fcb2df4bc8
: end
What do I do? Please help me.
Thanks
Please do this, and let me know how it goes
no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
no object network nonat
no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside
no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1 -
Need some help with a fundamental concept of nat'ing/routing
I have the following code on an ASA5500 pair with very down-level code, 7.1.2.
Here is a snippet of the ruleset:
interface GigabitEthernet0/1.40
description Production Servers Network
vlan 40
nameif Production
security-level 40
ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be NAT'ed?
My next question is will that traffic be routed through that interface Production using the original IP addresses, or will that traffic NOT be routed anywhere?
I don't want that traffic to be routed, but am concerned that since these access list commands permit IP traffic between the networks, this traffic will be routed.
Thanks for the responses, but they confuse me more.
It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced from the 192.168.3.0 network to reach the 192.168.20.0 network.
However, this is not what is currently happening in the networks, as far as I have been told.
Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
2. More complete code:
object-group network network_vpn
description VPN IP's
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
nat (Production) 1 172.20.0.0 255.255.0.0
Use the 3rd last line in the access-list no-nat commands as an example.
As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NAT'ed, but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be: is routing not implicitly turned on between these networks?
3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks. -
(semi-urgent) RVS4000 and multiple (same port) NAT'ing
Hello -
I have a client who has one Internet connection and 2 different internal SMTP servers. Is there a way to NAT public mail/SMTP to each one? We have two public IPs.
Thanks
Hello Jeff,
Unfortunately the RVS4000 does not support One to One NAT. This restricts the router to only being able to use one of the IP addresses you have.
If you are interested in a router that supports this feature, I recommend one of the following:
RV042
RV120W
RV220W -
I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)
code version is 821
name 2.2.2.2 External_IP
name 172.31.196.0 Local_xlated
I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP
eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) MC_Local_xlated access-list L2LVPN-POLICYNAT
match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
static translation to MC_Local_xlated
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (External_IP [Interface PAT])
translate_hits = 24686918, untranslate_hits = 1904674
Additional Information:
Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32668832, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
eluciasa(config)# -
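The two threads above (the "nat (Production) 0 access-list no-nat" question and the destination-based policy NAT whose packet-tracer output fell through to interface PAT) both come down to the order in which an ASA 8.2-era firewall picks a NAT rule, and to the fact that NAT exemption decides only translation, not forwarding. The following Python model is an added illustration written for this page; it is not Cisco code and not the posters' configurations. It uses the posters' network addresses but the PAT addresses 203.0.113.1 and 198.51.100.1 are assumed placeholders, and the evaluation order it encodes (exemption, then policy static, then dynamic) is the documented ASA 8.2 order.

```python
"""Toy model of the ASA 8.2-style NAT decision order (added example, not Cisco code).

Three rule kinds from the threads above, applied in the order the ASA evaluates them:
  1. NAT exemption     nat (Production) 0 access-list no-nat
  2. policy static     static (inside,outside) Local_xlated access-list L2LVPN-POLICYNAT
  3. dynamic NAT/PAT   nat (inside) 1 <real-net> <mask> with an interface PAT address
Forwarding is modelled separately to show that exemption decides only translation.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> extended permit ip <src-net> <dst-net>' line."""
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: List[AclEntry], src: IPv4Address, dst: IPv4Address) -> bool:
    return any(src in e.src and dst in e.dst for e in acl)


@dataclass
class NatPolicy:
    # nat (ifc) 0 access-list <acl>: matching packets are not translated.
    exempt_acl: List[AclEntry] = field(default_factory=list)
    # static (in,out) <xlated-net> access-list <acl>: net-to-net, host bits kept.
    policy_static: List[Tuple[IPv4Network, List[AclEntry]]] = field(default_factory=list)
    # nat (ifc) 1 <real-net> <mask> plus interface PAT: (real net, PAT address).
    dynamic: Optional[Tuple[IPv4Network, IPv4Address]] = None


@dataclass(frozen=True)
class NatDecision:
    kind: str                # "exempt", "policy-static", "dynamic-pat" or "none"
    xlated_src: IPv4Address  # source address as seen on the outside interface


def translate(policy: NatPolicy, src: IPv4Address, dst: IPv4Address) -> NatDecision:
    """Return the translated source for one (src, dst) pair; first match wins."""
    # 1. Exemption takes precedence: the packet leaves with its real source.
    if acl_permits(policy.exempt_acl, src, dst):
        return NatDecision("exempt", src)
    # 2. Policy static NAT fires only when the destination matches its ACL;
    #    the host offset inside the real network is preserved in the xlated net.
    for xlated_net, acl in policy.policy_static:
        for e in acl:
            if src in e.src and dst in e.dst:
                offset = int(src) - int(e.src.network_address)
                return NatDecision("policy-static",
                                   IPv4Address(int(xlated_net.network_address) + offset))
    # 3. Dynamic PAT catches whatever is left inside its real-network range.
    if policy.dynamic is not None and src in policy.dynamic[0]:
        return NatDecision("dynamic-pat", policy.dynamic[1])
    # Nothing matched: untranslated (with nat-control enabled the ASA would drop it).
    return NatDecision("none", src)


def forwarded(routes: List[IPv4Network], ingress_acl: Optional[List[AclEntry]],
              src: IPv4Address, dst: IPv4Address) -> bool:
    """Forwarding depends on the interface access-group and the routing table,
    never on the NAT exemption ACL. ingress_acl=None models an interface with no
    access-group applied (the Production interface in the first thread); this
    toy treats that as permit."""
    permitted = True if ingress_acl is None else acl_permits(ingress_acl, src, dst)
    return permitted and any(dst in r for r in routes)


# Constructed rule sets using the posters' networks. The PAT addresses are
# assumed placeholders, not values from the page.
PRODUCTION = NatPolicy(
    exempt_acl=[AclEntry(ip_network("192.168.3.0/24"), ip_network("192.168.20.0/24")),
                AclEntry(ip_network("172.20.0.0/16"), ip_network("192.168.20.0/24"))],
    dynamic=(ip_network("172.20.0.0/16"), ip_address("203.0.113.1")),
)
TUNNEL = NatPolicy(
    policy_static=[(ip_network("172.31.196.0/24"),
                    [AclEntry(ip_network("192.168.1.0/24"), ip_network("2.2.2.2/32"))])],
    dynamic=(ip_network("0.0.0.0/0"), ip_address("198.51.100.1")),
)

if __name__ == "__main__":
    for policy, s, d in [(PRODUCTION, "192.168.3.5", "192.168.20.7"),
                         (PRODUCTION, "172.20.1.1", "8.8.8.8"),
                         (TUNNEL, "192.168.1.6", "2.2.2.2"),
                         (TUNNEL, "192.168.1.6", "8.8.8.8")]:
        r = translate(policy, ip_address(s), ip_address(d))
        print(f"{s} -> {d}: {r.kind}, source on outside = {r.xlated_src}")
```

Running it reproduces the packet-tracer result in the second thread: 192.168.1.6 to 8.8.8.8 never matches the policy static ACL (destination is not 2.2.2.2), so it falls through to interface PAT, while 192.168.1.6 to 2.2.2.2 is translated net-to-net to 172.31.196.6. For the first thread, 192.168.3.5 to 192.168.20.7 is exempt and keeps its real source; whether that packet is then forwarded is answered by `forwarded()`, which never looks at the exemption list.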
Core roles installed on one virtual server for roughly 200-300 mailboxes using Exchange 2010?
For a customer who is looking at keeping costs down, they are wondering whether setting up a virtualized Exchange 2010 server with all the core roles installed would be possible. So the mailbox, CAS and hub all on one virtual slice.
The customer has around 200-300 mailboxes.
I know that it's hard to give a guess for sizing, but I was wondering if a 4 core, 16 GB RAM build on Server 2012 would be sufficient, with the storage obviously being SAN. I know this is dependent upon mailbox size and usage, but I don't have those numbers unfortunately. Would the 4/16 build be sufficient? Too much?
Any further information around this would be great. Thanks.
Hello,
I recommend you use Exchange 2010 Server Role Requirements Calculator to design your environment.
A blog for your reference.
http://blogs.technet.com/b/exchange/archive/2009/11/09/3408737.aspx
If you have any feedback on our support, please click here
Cara Chen
TechNet Community Support -
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to a basic level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
- Jouni -
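The config above uses ASA 8.3+ object NAT: each `object network` carries a `nat (inside,outside) static interface service ...` line that forwards one outside port on the interface address to one inside host, and the ASA rejects a second static rule that maps a different real host to the same mapped address and port. The following script, which is an added example and not something from this thread or from Cisco, parses those object-NAT lines and reports such collisions before the config is pushed. The two config excerpts are constructed: the first mirrors the port-forward lines shown above, the second deliberately maps two hosts to the same outside port. The object names `mail-nic1`/`mail-nic2` and addresses in the second excerpt are placeholders.

```python
"""Parse ASA 8.3+ object-NAT lines and flag static rules that collide on the
same mapped address/protocol/port (added example; not Cisco code)."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the port-forward lines in the thread.
SAMPLE_CONFIG = """\
object network xbox-nat-tcp3074
 host 192.168.50.54
object network xbox-nat-udp3074
 host 192.168.50.54
object network xbox-nat-udp88
 host 192.168.50.54
object network plex
 host 192.168.50.5
object network INTERNET
 subnet 0.0.0.0 0.0.0.0
object network xbox-nat-tcp3074
 nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
 nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
 nat (inside,outside) static interface service udp 88 88
object network plex
 nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
 nat (inside,outside) dynamic interface
"""

# Constructed excerpt: two inside hosts (placeholder addresses) both claim
# outside tcp/443 on the interface address, which the ASA refuses as overlap.
OVERLAP_CONFIG = """\
object network mail-nic1
 host 192.168.50.21
object network mail-nic2
 host 192.168.50.22
object network mail-nic1
 nat (inside,outside) static interface service tcp 443 443
object network mail-nic2
 nat (inside,outside) static interface service tcp 443 443
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)"
    r"(?: service (tcp|udp) (\S+) (\S+))?$"
)


def parse_asa_nat(config_text):
    """Return {object_name: {"real": addr, "nat": [rule, ...]}}.

    Handles object NAT only; twice-NAT lines ('nat (a,b) source ...') and
    object-group blocks are ignored. Indentation is not required, since
    pasted configs often lose it."""
    objects = defaultdict(lambda: {"real": None, "nat": []})
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            objects[current]  # ensure the entry exists even without sub-lines
            continue
        if line.startswith("object-group "):
            current = None  # leave object-network scope
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current]["real"] = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current]["real"] = f"{m.group(1)}/{m.group(2)}"
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, mapped_if, kind, mapped, proto, real_port, mapped_port = m.groups()
            objects[current]["nat"].append({
                "real_if": real_if, "mapped_if": mapped_if, "kind": kind,
                "mapped": mapped, "proto": proto,
                "real_port": real_port, "mapped_port": mapped_port,
            })
    return dict(objects)


def static_mappings(config_text):
    """Flatten every static rule into one row carrying the real host too."""
    rows = []
    for name, obj in parse_asa_nat(config_text).items():
        for r in obj["nat"]:
            if r["kind"] == "static":
                rows.append({"object": name, "real": obj["real"],
                             "real_port": r["real_port"],
                             "mapped_if": r["mapped_if"], "mapped": r["mapped"],
                             "proto": r["proto"], "mapped_port": r["mapped_port"]})
    return rows


def find_overlaps(config_text):
    """Group static rules by mapped (interface, address, proto, port) and
    return groups where more than one real host competes for that endpoint."""
    groups = defaultdict(list)
    for row in static_mappings(config_text):
        groups[(row["mapped_if"], row["mapped"], row["proto"], row["mapped_port"])].append(row)
    return [{"mapped": key, "rules": rows} for key, rows in groups.items()
            if len({r["real"] for r in rows}) > 1]


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("overlap", OVERLAP_CONFIG)):
        for o in find_overlaps(cfg):
            print(label, "overlap on", o["mapped"], [r["real"] for r in o["rules"]])
```

Run it against `show running-config` output before adding a new port forward; a non-empty result from `find_overlaps` is the same condition the ASA reports as overlapping NAT when the second rule is entered.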
Exchange, EAS, iPhones, TMG, and random desync's
We're running Exchange 2010 SP1 RU5 and Forefront TMG 2010 in our environment, and we have a few users (maybe 5-7) who use iOS devices. It seems as if only a couple of them have intermittent problems (everyone is on AT&T) with connections. Seemingly randomly, some users will disconnect and lose the ability to synchronize email for a while. Usually a reboot of the device will fix the problem.
This sounds a lot like a network connectivity issue to me. I'm wondering if TMG, and all the wonder that it does to try and force network connections to behave, is causing iPhones and iPads to be unable to synchronize properly.
Microsoft's explanation of this phenomenon is that it has to do with NAT'ing that the wireless company does on cellular towers and IP addresses changes, but I'm not 100% sure that's exactly the issue.
Anyone else been through this problem?
Hello Chris,
The affected users may be members of too many groups causing their user tokens to be larger than the maximum allowed size. Compare group membership of a problem with a successful user.
Also, compare the Security permissions on the active directory account as well. (Specifically inheritable permissions)
Exchange ActiveSync Returned an HTTP 500 Error - Remote Connectivity Analyzer
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
How to troubleshoot server ActiveSync HTTP error codes
http://support.microsoft.com/?kbid=330463
Hope this helps,
Kevin Ca - MSFT -
Hi Guys,
Quick question - I hope !
I have recently seen the following three critical alerts:
on Target abc2 CRS resource ora.scan3.vip was relocated to abc2
on Target abc2 CRS resource ora.scan2.vip was relocated to abc2
on Target abc1 CRS resource ora.scan1.vip was relocated to abc1
I have googled and googled this but can't find out if this is in fact a potential train smash or if I need to relocate them back.
We did have a failure last week and everything failed over but when the failed node was restarted ASM did not start automatically, when it was manually started these alerts appeared.
The set up is:
2 node 11gr2 RAC install on Windows 2008 64bit with ASM.
3 SCAN listeners split over the two nodes
If there is anything else config wise please let me know.
Thanks in advance.
Timpilog wrote:
Or to boil it down to the question: Is there a feature for a sqlnet connection like "-b" for ssh?
Nope. Cannot recall ever seeing such an option. On the server side that feature is obviously available to bind tcp end points to specific IPs.
Why exactly do you need this feature on the client side? I do not understand the "the client connects using changing IP addresses, although the application is having a single and constant virtual IP. This requires more open connections on the FW between DB and client than necessary" problem you've stated.
If the client opens 2 connections to the database, then that will be 2 connections via the firewall. As the private port of the client will differ for each connection and thus make the connection unique.
Now whether those 2 client connection use IP1 or IP2 on the client for binding, will not matter - as 2 distinct connections will be created irrespective.
If for some reason you want from the firewall or db server see these inbound client connections as minimal IP sources - then you can do this by using a single IP for all inbound connection by NAT'ing.
You put down a NAT firewall (using iptables for example) and simply rewrite inbound IP headers for tcp packets on 1521 to the NAT IP and forward the packet to the firewall/db server.
That server will see a single client IP only for all incoming traffic. Works pretty well for Oracle as the client connection string includes the client hostname/hostid - so you can still in Oracle see which session is from which client, despite all these sessions having the same source IP.