Virtual Exchange & NAT'ing

A virtual server currently has Exchange installed on it with load balancing on our network. Each NIC has its own IP address and they want one external address for it to NAT to.  Looking at our ASA, we can't overlap addresses...meaning I get an error when I try to NAT 2 internal addresses to 1 external.  How can this be accomplished?

What version do you have? It can be done with a special configuration on 8.2. If you are on version 8.3 or higher you may want to look at the Many to Few NAT configuration.
Mike
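As an added example (not from this thread and not Cisco's own tooling), the Python script below is a small pre-change lint for ASA 8.3+ object NAT: it parses `object network` blocks and their `nat (...) static` lines and reports two real hosts that claim the same mapped address, which is the overlap error the question describes. The configuration lines inside it are constructed; the `service tcp real_port mapped_port` form is the static PAT syntax that lets two hosts share one mapped address on different ports. This is a simplified model of the overlap check, not the ASA's own validation logic.

```python
"""Added example: a lint for ASA 8.3+ "object network" static NAT statements.

Two real hosts cannot both be statically mapped to the whole of one outside
address; narrowing each mapping to a port (static PAT) avoids the clash.
The sample config is constructed for this example, not taken from the thread.
"""
import re
from collections import defaultdict

# Constructed sample: two internal Exchange NICs behind one public address.
# The first pair collides (both claim all of 203.0.113.10); the second pair
# is narrowed to distinct ports on 203.0.113.20, so it does not overlap.
SAMPLE_CONFIG = """
object network exch-nic1
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network exch-nic2
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.10
object network exch-smtp
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.20 service tcp 25 25
object network exch-https
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.20 service tcp 443 443
"""

# nat (real_ifc,mapped_ifc) static <mapped> [service tcp|udp <real> <mapped>]
NAT_RE = re.compile(
    r"^\s*nat\s+\(\S+\)\s+static\s+(?P<mapped>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<real_port>\S+)\s+(?P<mapped_port>\S+))?"
)


def parse_static_nats(config_text):
    """Return (object_name, mapped_ip, proto, mapped_port) per static nat line.
    proto and mapped_port are None when the statement maps the whole address."""
    entries = []
    current = None
    for line in config_text.splitlines():
        m_obj = re.match(r"^\s*object network (\S+)", line)
        if m_obj:
            current = m_obj.group(1)
            continue
        m_nat = NAT_RE.match(line)
        if m_nat and current:
            entries.append((current, m_nat["mapped"], m_nat["proto"], m_nat["mapped_port"]))
    return entries


def find_overlaps(entries):
    """Group mappings by mapped IP. A whole-address mapping conflicts with any
    other mapping of that IP; two port mappings conflict only when they share
    protocol and mapped port. Returns a sorted list of (mapped_ip, [objects])."""
    by_ip = defaultdict(list)
    for name, ip, proto, port in entries:
        by_ip[ip].append((name, proto, port))
    overlaps = []
    for ip, uses in by_ip.items():
        whole = [n for n, p, _ in uses if p is None]
        ports = defaultdict(list)
        for n, p, port in uses:
            if p is not None:
                ports[(p, port)].append(n)
        clashing = set()
        if len(whole) > 1 or (whole and len(uses) > 1):
            clashing.update(n for n, _, _ in uses)
        for names in ports.values():
            if len(names) > 1:
                clashing.update(names)
        if clashing:
            overlaps.append((ip, sorted(clashing)))
    return sorted(overlaps)


if __name__ == "__main__":
    for ip, names in find_overlaps(parse_static_nats(SAMPLE_CONFIG)):
        print(f"{ip}: overlapping static NAT from {', '.join(names)}")
```

Run against the sample it reports only 203.0.113.10; the two port-scoped mappings of 203.0.113.20 pass, which is the shape a two-NIC server sharing one public address has to take when each service lives on a different port.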

Similar Messages

  • How to Properly Protect a Virtualized Exchange Server - Log File Discontinuity When Performing Child Partition Snapshot

    I'm having problems backing up a Hyper-V virtualized Exchange 2007 server with DPM 2012. The guest has one VHD for the OS, and two pass-through volumes, one for logs and one for the databases. I have three protection groups:
    System State - protects only the system state of the mail server, runs at 4AM every morning
    Exchange Databases - protects the Exchange stores, 15 minute syncs with an express full at 6:30PM every day
    VM - Protecting the server hosting the Exchange VM. Does an child partition snapshot backup of the Exchange server guest with an express full at 9:30PM every day
    The problem I'm experiencing is that every time the VM express full completes I start receiving errors on the Exchange Database synchronizations stating that a log file discontinuity was detected. I did some poking around in the logs on the Exchange server and sure enough, it looks like the child partition snapshot backup is causing Exchange to truncate the log files even though the logs and databases are on pass-through disks and aren't covered by the child partition snapshot.
    What is the correct way to back up an entire virtualized Exchange server, system state, databases, OS drive and all?

    I just created a new protection group. I added "Backup Using Child Partition Snapshot\MailServer", short-term protection using disk, and automatically create the replica over the network immediately. This new protection group contains only the child partition snapshot backup. No Exchange backups of any kind.
    The replica creation begins. Soon after, the following events show up in the Application log:
    =================================
    Log Name:      Application
    Source:        MSExchangeIS
    Date:          10/23/2012 10:41:53 AM
    Event ID:      9818
    Task Category: Exchange VSS Writer
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      PLYMAIL.mcquay.com
    Description:
    Exchange VSS Writer (instance 7d26282d-5dec-4a73-bf1c-f55d5c1d1ac7) has been called for "CVssIExchWriter::OnPrepareSnapshot".
    =================================
    Log Name:      Application
    Source:        ESE
    Date:          10/23/2012 10:41:53 AM
    Event ID:      2005
    Task Category: ShadowCopy
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      PLYMAIL.mcquay.com
    Description:
    Information Store (3572) Shadow copy instance 2051 starting. This will be a Full shadow copy.
    =================================
    The events continue on, basically snapshotting all of Exchange. From the DPM side, the total amount of data transferred tells me that even though Exchange is truncating its logs, nothing is actually being sent to the DPM server. So this snapshot operation seems to be superfluous. ~30 minutes later, when my regularly scheduled Exchange job runs, it fails because of a log file discontinuity.
    So, in this case at least, a Hyper-V snapshot backup is definitely causing Exchange to truncate the log files. What can I look at to figure out why this is happening?

  • Exchange 2010: Virtualized Exchange 2010 Datacenter Migration

    We have a virtualized Exchange 2010 production implementation that needs to be relocated to a new datacenter. We will be leveraging SAN based replication and VMware to cutover.
    Some background info:
    3 CAS/HUB servers
    4 Node DAG across 2 sites (3 production Mailbox servers in the site to be migrated, 1 mailbox server will not move and be left in DR)
    Since I need to shutdown 3 mailbox servers in a 4 node DAG, the cluster will go offline and the databases will dismount. I could run a datacenter switchover to preserve service, but I have the OK to take Exchange completely down. 
    Knowing that:
    1) What are the best practices to shutdown and start up all the CAS servers and Mailbox servers (both in prod and DR)?
    2) Should I suspend replication or dismount the databases in advance and prevent them from automatically mounting on boot up?  Is the StartDagServerMaintenance script relevant in this situation?
    Any suggestions on the proper way to go about this is much appreciated.  Thanks for reading.

    -->1) During the shutdown...would it make sense to turn off the 4th mailbox server in the DAG which is located in our DR site? I'm thinking that leaving the DR mailbox server powered off and powering it up last among the DAG members would prevent any database copies from being activated in DR.
    You already have a planned outage. I suggest you shut down the server in DR and start that after starting all the 3.
    2) To be able to mount a database in a 4 node DAG, I need to have the file share witness and two mailbox servers available first...correct?
    Your file share witness should be online first, otherwise none of your databases will get mounted.
    If your DAG contains an odd number of members the file share witness will be ignored (an even number of DAG members will use the file share witness): http://blog.credera.com/technology-insights/microsoft-solutions/when-do-dags-need-a-file-share-witness/
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • RV320 Additional WAN IP NAT'ing

    Hello, I have an RV 320, my initial IP allocation from my ISP was 38.122.x.x a /30 allocation. Recently I needed to NAT a device so I requested a /29 block from my ISP the new block is 38.79.x.x. The router is fully managed by ISP, they told me that the new /29 block will be configured to route to the original WAN IP of my RV320. I configured a 1to1 NAT and no luck I am unable to remotely connect to the device via the external IP.  Any assistance would be greatly appreciated.

    Jennifer,
    Thanks for the quick reply.
    You were pretty much correct, all I needed to do was create the appropriate NAT map between the Public IP & a DMZ server and also add a new RULE to allow the new public facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.
    I didn't need to set up any static ARPs or create any routes (default route is already set out via the Public interface). Also no ISP specific set-up was required, so as
    I haven't tried to set up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy.

  • NAT'ing firewall Wiki articles gone

    http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Share_your_broadband_connection
    and
    http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Adding_advanced_features
    are empty now.
    Can someone check why those pages are stubs now, because I need both articles,
    or at least give backups if possible, since I set up my home server using those.
    Last edited by Satan666999 (2008-12-30 08:40:40)

    Google cache for the first page:
    http://74.125.77.132/search?q=cache:toh … ient=opera
    No idea why it's off the wiki though, has it got something to do with the ' in NAT'ing?

  • LUN config for virtualized Exchange server

    Hi All,
    What would be the preferred LUN configuration for a virtualized Exchange server? It will be a 2 server multi-role configuration on a 3 node Hyper-V cluster. 1 LUN per database. Exchange servers will not be configured to be highly available. Failover on application level.
    1. Present the LUN as an iscsi target to the hyper-v host and create a VHD on it for the Exchange server.
    Benefit: VHDX is flexible
    Drawback: No snapshotting of database via backup app etc.
    2. Present the LUN as a pass-through disk to the Exchange server via the Hyper-v host
    Benefit: no hyper-v overhead?
    Drawback: not flexible
    3. Add a vnic to the Exchange server and configure the iscsi initiator on the exchange server.
    Benefit: no hyper-v overhead 
    Drawback: Little more complex configuration
    Which one is best? I would prefer option 2, but I might miss something?
    Je suis er even nie

    Honestly, it's tough to say which one is the best option, because it really depends on you and your environment.  I typically do deployments on VMware and not Hyper-V as a lot of the clients I work with already have VMware entrenched in their environment, but it's really the same concept.  Typically we use option 1, where we let VMware handle the iSCSI connections to the SAN and we present the storage to the VM as a vmdk file.  Option 1 eliminates the complexity and is usually the easiest to configure for people and allows for easy administration.
    Since you mentioned backup snapshots, I would stay away from option 2.  Depending on the method and application you are using for backup, passthrough disks can cause issues.  If you were initiating the hardware snapshot from inside the VM I believe that would fail with a passthrough disk as well since the guest is not communicating directly to the SAN.
    Option 3 would allow you to take hardware snapshots of the drives that the databases reside on and you would do all the management of the device from the SAN level.  This would be the most complicated to set up since you have to zone it out and make sure the guest can communicate with the SAN.
    If it was me, I would probably deploy option 1 since that usually seems to be the easiest to manage and configure and in my experience, the less complex you make something, the easier it is to manage.

  • Out of Memory Exception on Virtual Exchange 2013

    I am having an issue with my Exchange 2013 server having multiple OutOfMemory errors.  I am receiving these errors for Event ID 1026 Source .Net Runtime, Event ID 1325 Source ASP.NET, Event ID 4999 Source MSExchange Common, and Event ID 1106 Source MSExchange ActiveSync. I am also receiving an Application error Event ID 1000. Exchange is running on a virtual machine with 16 GB of memory.  Any help or suggestions will be greatly appreciated. Below is the error message from Event ID 1106.
    --- Exception start ---
    Exception type: System.OutOfMemoryException
    Exception message: Exception of type 'System.OutOfMemoryException' was thrown.
    Exception level: 0
    Exception stack trace:
    at Microsoft.Exchange.Data.Storage.GenericListData`2.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
    at Microsoft.Exchange.AirSync.DeviceBehaviorData.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
    at Microsoft.Exchange.Data.Storage.DerivedData`1.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
    at Microsoft.Exchange.Data.Storage.GenericListData`1.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
    at Microsoft.Exchange.Data.Storage.GenericDictionaryData`3.DeserializeData(BinaryReader reader, ComponentDataPool componentDataPool)
    at Microsoft.Exchange.Data.Storage.SyncState.DeserializeSyncStateTable(Int64 idxTable)
    at Microsoft.Exchange.Data.Storage.SyncState.Deserialize(PropertyDefinition property)
    at Microsoft.Exchange.Data.Storage.SyncState.Load(Boolean reloadFromBackend, PropertyDefinition[] additionalPropsToLoad)
    at Microsoft.Exchange.Data.Storage.SyncState..ctor(SyncStateStorage syncStateStorage, StoreObject storeObject, SyncStateInfo syncStateInfo, Boolean syncStateIsNew)
    at Microsoft.Exchange.Data.Storage.CustomSyncState.GetSyncState(SyncStateStorage syncStateStorage, Folder syncStateParentFolder, SyncStateInfo syncStateInfo, StoreObjectId storeObjectId)
    at Microsoft.Exchange.Data.Storage.SyncStateStorage.GetCustomSyncState(SyncStateInfo syncStateInfo)
    at Microsoft.Exchange.AirSync.GlobalInfo.LoadFromMailbox(MailboxSession mailboxSession, SyncStateStorage syncStateStorage, ProtocolLogger protocolLogger)
    at Microsoft.Exchange.AirSync.Command.OpenSyncStorage(Boolean shouldOpenGlobalSyncState, Boolean shouldUseBudget)
    at Microsoft.Exchange.AirSync.Command.WorkerThread()
    --- Exception end ---

    Hello,
    According to the error, the memory is not enough.
    Please describe your environment and post the detailed event information.
    Besides, I recommend you use Server Role Requirements Calculator to calculate memory and CPU.
    Here is an article for your reference.
    http://blogs.technet.com/b/exchange/archive/2013/05/14/released-exchange-2013-server-role-requirements-calculator.aspx
    Cara Chen
    TechNet Community Support

  • Problem with nat-ing on asa 5505

    I have the ASA 5505 with ASA 8.4.2 and ASDM 6.4.5. I use this ASA 5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. The WAN port of the ASA 5505 is on network 10.13.74.0/24, the LAN port is on 192.168.0.0/24. This configuration worked OK until my ISP changed the router on address 10.13.74.1. I NAT-ed on the ASA 5505, I put in an access policy and I had access to network 10.15.100.0/24. But now I can't. The users from the network can access devices on addresses 192.168.0.20 and 192.168.0.22 but I can't access the network 10.15.100.0/24. My configuration of the ASA 5505 is:
    Result of the command: "show runn"
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.17 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.13.74.33 255.255.255.0
    !
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network server
     host 192.168.0.20
    object network sharepointdri
     host 192.168.0.22
    object network paragraflex
     host 192.168.0.20
    object network dri.local
     subnet 192.168.0.0 255.255.255.0
    object service ParagrafLex1
     service tcp source eq 6190
     description Odlazni
    object service paragraf
     service tcp destination eq 6190
     description dolazni
    object network nonat
     host 192.168.0.20
    object network lokalnamreza
     range 192.168.0.1 192.168.0.254
    object network natnetwork
     subnet 192.168.0.0 255.255.255.0
    object network natmreze
     subnet 192.168.0.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_2
     service-object ip
     service-object icmp echo-reply
     service-object tcp
    object-group service DM_INLINE_SERVICE_1
     service-object icmp echo-reply
     service-object tcp
     service-object ip
     service-object tcp destination eq domain
     service-object tcp destination eq ldap
     service-object object ParagrafLex1
    object-group service DM_INLINE_SERVICE_8
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_3
     service-object tcp
     service-object tcp destination eq domain
     service-object tcp destination eq ldap
    object-group service DM_INLINE_SERVICE_4
     service-object tcp
     service-object icmp echo-reply
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object udp
     protocol-object tcp
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_5
     service-object ip
     service-object icmp echo-reply
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
     service-object ip
     service-object tcp
     service-object icmp echo-reply
     service-object icmp
     service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_7
     service-object ip
     service-object tcp
     service-object icmp echo-reply
     service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
     network-object 10.13.74.0 255.255.255.0
     network-object 10.15.100.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_9
     service-object tcp-udp
     service-object tcp destination eq https
     service-object tcp destination eq domain
    object-group service DM_INLINE_SERVICE_10
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_11
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
    access-list outside_access_in_1 extended permit object paragraf any object server
    access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
    access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
    access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any
    access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any
    access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp outside 10.13.74.1 000d.bd64.a8e2
    arp timeout 14400
    !
    object network server
     nat (inside,outside) static 10.13.74.34 dns
    object network sharepointdri
     nat (any,any) static 10.13.74.39
    object network nonat
     nat (inside,outside) static 192.168.0.20
    object network natmreze
     nat (any,any) static 10.13.74.42 dns
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in_1 in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
    route outside 10.15.100.0 255.255.255.0 10.13.74.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect ftp paragraf
     parameters
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect tftp
      inspect h323 h225
      inspect h323 ras
    !
    service-policy global_policy global
    prompt hostname context state priority domain
    no call-home reporting anonymous
    Cryptochecksum:61572938ed01b1c7447e43fcb2df4bc8
    : end
    What do I do? Please help me.
    Thanks

    Please do this, and let me know how it goes
    no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
    access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
    no object network nonat
    no access-group inside_access_out out interface inside
    no access-group outside_access_out out interface outside
    no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

  • Need some help with a fundamental concept of nat'ing/routing

    I have the following code on an ASA5500 pair with very down-level code. 7.1.2.
    Here is a snippet of the ruleset:
    interface GigabitEthernet0/1.40
    description Production Servers Network
    vlan 40
    nameif Production
    security-level 40
    ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be NAT'ed?
    My next question is will that traffic be routed through that interface Production using  the original IP addresses, or will that traffic NOT be routed anywhere?
    I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.

    Thanks for responses, but they confuse me more.
    It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
    From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced  from the 192.168.3.0 network to reach the 192.168.20.0 network.
    However, this is not what is currently happening in the networks, as far as I have been told.
    Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
    1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
    2. More complete code:
    object-group network network_vpn
    description VPN IP's
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0  255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    nat (Production) 0 access-list Production_nat0_inbound outside
    nat (Production) 1 172.20.0.0 255.255.0.0
    Use the 3rd last line in the access-list no-nat commands as an example.
    As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NAT'ed, but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be: is routing not implicitly turned on between these networks?
    3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.
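An added toy model (not from the thread and not Cisco code) of the two separate decisions the questions above turn on, in pre-8.3 syntax: whether `nat (Production) 0 access-list no-nat` exempts a flow from translation, and whether the routing table forwards it. It reuses the thread's addresses for the exemption ACL and the `nat (Production) 1 172.20.0.0 255.255.0.0` rule; the routing table and the egress names `Outside` and `Production` are constructed for the example.

```python
"""Added example: NAT exemption and routing as two independent lookups.

On an ASA 7.x/8.2, "nat (ifc) 0 access-list X" only decides that a matching
flow keeps its original addresses; the routing table decides separately
whether and where the packet is forwarded. Addresses below are the thread's;
the route entries are constructed.
"""
import ipaddress


def net(spec):
    """Accept '192.168.3.0/24' or ASA style '192.168.3.0 255.255.255.0'."""
    if " " in spec:
        addr, mask = spec.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)


# access-list no-nat entries from the thread as (source, destination) pairs
NO_NAT_ACL = [
    ("192.168.3.0 255.255.255.0", "192.168.20.0 255.255.255.0"),
    ("172.20.0.0 255.255.0.0", "192.168.20.0 255.255.255.0"),
    ("192.168.3.0 255.255.255.0", "172.20.0.0 255.255.0.0"),
]
# nat (Production) 1 172.20.0.0 255.255.0.0 -> dynamic translation for that source range
DYNAMIC_NAT_SOURCE = "172.20.0.0 255.255.0.0"
# Constructed routing table (the thread shows none): (prefix, egress interface)
ROUTES = [
    ("192.168.20.0 255.255.255.0", "Outside"),
    ("172.20.0.0 255.255.0.0", "Production"),
    ("0.0.0.0 0.0.0.0", "Outside"),
]


def nat_decision(src, dst):
    """Mirror the pre-8.3 order: the nat 0 access-list (exemption) is checked
    before the dynamic nat rule. Returns 'exempt', 'dynamic' or 'no-nat-rule'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d in NO_NAT_ACL:
        if src_ip in net(s) and dst_ip in net(d):
            return "exempt"
    if src_ip in net(DYNAMIC_NAT_SOURCE):
        return "dynamic"
    return "no-nat-rule"


def route_decision(dst):
    """Longest-prefix match over ROUTES; the NAT result plays no part here."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in ROUTES:
        n = net(prefix)
        if dst_ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, egress)
    return best[1] if best else None


def trace(src, dst):
    """Both answers for one flow, the way packet-tracer reports them separately."""
    return {"nat": nat_decision(src, dst), "egress": route_decision(dst)}


if __name__ == "__main__":
    # The thread's case: exempt from NAT, and still forwarded by the route table.
    print(trace("192.168.3.5", "192.168.20.7"))
    print(trace("172.20.0.5", "8.8.8.8"))
```

The model leaves out the third, separate check the thread also raises (an `access-group` bound to the interface), and on 7.x/8.2 a flow that matches no NAT rule at all is forwarded untranslated only while `nat-control` is disabled; with `nat-control` enabled such a flow is dropped.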

  • (semi-urgent) RVS4000 and multiple (same port) NAT'ing

    Hello -
    I have a client who has one Internet connection and 2 different internal SMTP servers.  Is there a way to NAT public mail/SMTP to each one?  We have two public IPs.
    Thanks

    Hello Jeff,
    Unfortunately the RVS4000 does not support One to One NAT. This restricts the router to only being able to use one of the IP addresses you have.
    If you are interested in a router that supports this feature, I recommend one of the following:
    RV042
    RV120W
    RV220W

  • Nat'ing Lan subnet

    I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)
    code version is 821
    name 2.2.2.2 External_IP
    name 172.31.196.0 Local_xlated
    I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP

    eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) MC_Local_xlated  access-list L2LVPN-POLICYNAT
      match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
        static translation to MC_Local_xlated
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
      match ip inside any outside any
        dynamic translation to pool 1 (External_IP [Interface PAT])
        translate_hits = 24686918, untranslate_hits = 1904674
    Additional Information:
    Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
    Phase: 7
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 32668832, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    eluciasa(config)#
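As an added illustration (not part of the thread), the function below shows how an 8.2 static policy NAT for a subnet resolves: the source is rewritten into 172.31.196.0/24 only when the destination matches the policy ACL entry (host 2.2.2.2, named External_IP in the thread), and the host part of the address is kept; any other destination, such as the 8.8.8.8 used in the packet-tracer run above, falls through to the interface PAT seen in phase 6. The interface PAT address 203.0.113.1 is a constructed placeholder so the two roles stay distinct in the example.

```python
"""Added example: resolving an ASA 8.2 static policy NAT for a whole subnet.

Policy NAT is conditional on the destination. When the ACL matches, the
subnet is translated one-to-one (host part preserved); otherwise the flow
falls through to the next rule, here the interface PAT from the trace.
The PAT address is a constructed placeholder.
"""
import ipaddress

REAL_NET = ipaddress.ip_network("192.168.1.0/24")       # inside network
MAPPED_NET = ipaddress.ip_network("172.31.196.0/24")    # Local_xlated
POLICY_DEST = ipaddress.ip_address("2.2.2.2")           # External_IP in the policy ACL
INTERFACE_PAT_IP = ipaddress.ip_address("203.0.113.1")  # constructed outside address


def policy_static_nat(src, dst):
    """Return (translated_source, rule_name) for a packet from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in REAL_NET and dst_ip == POLICY_DEST:
        # Static subnet-to-subnet translation keeps the host offset: .6 stays .6
        offset = int(src_ip) - int(REAL_NET.network_address)
        return str(MAPPED_NET.network_address + offset), "policy-static"
    if src_ip in REAL_NET:
        # No policy match: the dynamic rule (interface PAT) applies instead
        return str(INTERFACE_PAT_IP), "interface-pat"
    return str(src_ip), "untranslated"


if __name__ == "__main__":
    for src, dst in [("192.168.1.6", "2.2.2.2"), ("192.168.1.6", "8.8.8.8")]:
        print(src, "->", dst, policy_static_nat(src, dst))
```

Reading the trace this way explains why a test packet to 8.8.8.8 never exercises the policy rule: packet-tracer has to be run with a destination the ACL actually matches to show the static translation taking effect.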

  • Core roles installed on one virtual server for roughly 200-300 mailboxes using Exchange 2010?

    For a customer who is looking at keeping costs down, they are wondering whether setting up a virtualized Exchange 2010 server with all the core roles installed would be possible.  So the mailbox, CAS and hub all on one virtual slice. 
    The customer has around 200-300 mailboxes. 
    I know that it's hard to give a guess for sizing, but I was wondering if a 4 core, 16 GB RAM build on Server 2012 would be sufficient, with the storage obviously being SAN.  I know this is dependent upon mailbox size and usage, but I don't have those numbers unfortunately.  Would the 4/16 build be sufficient?  Too much?
    Any further information around this would be great.  Thanks.

    Hello,
    I recommend you use Exchange 2010 Server Role Requirements Calculator to design your environment.
    A blog for your reference.
    http://blogs.technet.com/b/exchange/archive/2009/11/09/3408737.aspx
    Cara Chen
    TechNet Community Support

  • ASA 5505 9.1(2) NAT/return traffic problems

    As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
    For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
    I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
    Network is extremely basic:
    DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
                                                                      ^
                                                                     |----------------------- guest vlan (10.0.1.X)
    show running-config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 9.1(2)
    hostname border
    domain-name mydomain.com
    enable password aaa encrypted
    passwd bbb encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,3
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.50.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Guest-VLAN
    security-level 10
    ip address 10.0.1.1 255.255.255.0
    boot system disk0:/asa912-k8.bin
    boot system disk0:/asa911-k8.bin
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.104.2.36
    domain-name domain
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 255.255.255.0
    object network Guest-WLAN
    subnet 0.0.0.0 255.255.255.0
    description Interent access for guest Wireless
    object network xbox-nat-tcp3074
    host 192.168.50.54
    object network xbox-nat-udp3074
    host 192.168.50.54
    object network xbox-nat-udp88
    host 192.168.50.54
    object service xbox-live-88
    service udp destination eq 88
    object network xbox
    host 192.168.50.54
    object network obj-inside
    subnet 192.168.50.0 255.255.255.0
    object network obj-xbox
    host 192.168.50.54
    object network plex-server
    host 192.168.50.5
    object network ubuntu-server
    host 192.168.50.5
    description Ubuntu Linux Server
    object network ntp
    host 192.168.50.5
    object network plex
    host 192.168.50.5
    object network INTERNET
    subnet 0.0.0.0 0.0.0.0
    object-group service xbox-live-3074 tcp-udp
    port-object eq 3074
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service plex-server-32400 tcp
    description Plex Media Server
    port-object eq 32400
    access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
    access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
    access-list outside_access_in extended permit tcp any any eq echo
    access-list outside_access_in remark Plex Live access
    access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network xbox-nat-tcp3074
    nat (inside,outside) static interface service tcp 3074 3074
    object network xbox-nat-udp3074
    nat (inside,outside) static interface service udp 3074 3074
    object network xbox-nat-udp88
    nat (inside,outside) static interface service udp 88 88
    object network plex
    nat (inside,outside) static interface service tcp 32400 32400
    object network INTERNET
    nat (inside,outside) dynamic interface
    nat (Guest-VLAN,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=border
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xxxx
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate xxxx
      quit
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 192.168.50.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 60
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    dhcpd address 192.168.50.5-192.168.50.132 inside
    dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
    dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
    dhcpd lease 86400 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 152.19.240.5 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    username xxx password xxx/ encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    service call-home
    call-home reporting anonymous
    call-home
    contact-email-addr [email protected]
    profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:xxx
    : end

    Hi,
    Configuration seems fine.
    With regards to the ICMP, you could also add this
    class inspection_default
      inspect icmp error
    I would probably start by trying out some other software level on the ASA.
    Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
    One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
    - Jouni
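    Before reaching for a packet capture, the ASA's own UDP connection log pairs (%ASA-6-302015 Built / %ASA-6-302016 Teardown) already tell whether the NTP reply ever came back: a flow to udp/123 that is torn down at the configured UDP idle timeout (0:02:00 in the posted config) having carried exactly one 48-byte packet was a request with no answer. The script below is an added example, not part of the thread; the log lines are constructed samples in that message format, and the PAT address 203.0.113.10 is a placeholder for the DHCP-assigned outside address.

```python
import re

# Constructed sample syslog lines in the %ASA-6-302015/302016 format. Addresses follow
# the thread (inside host 192.168.50.5, ntp server 152.19.240.5, DNS 208.104.2.36);
# 203.0.113.10 stands in for the outside interface address. The ASA names the
# lower-security (outside) endpoint first even for connections initiated from inside.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 4101 for outside:152.19.240.5/123 (152.19.240.5/123) to inside:192.168.50.5/123 (203.0.113.10/123)
%ASA-6-302016: Teardown UDP connection 4101 for outside:152.19.240.5/123 to inside:192.168.50.5/123 duration 0:02:01 bytes 48
%ASA-6-302015: Built outbound UDP connection 4102 for outside:208.104.2.36/53 (208.104.2.36/53) to inside:192.168.50.5/51000 (203.0.113.10/51000)
%ASA-6-302016: Teardown UDP connection 4102 for outside:208.104.2.36/53 to inside:192.168.50.5/51000 duration 0:00:00 bytes 140
"""

BUILT = re.compile(
    r"Built (?:outbound|inbound) UDP connection (\d+) for ([\w-]+):(\S+)/(\d+) \S+ to ([\w-]+):(\S+)/(\d+)")
TEARDOWN = re.compile(r"Teardown UDP connection (\d+) for .* duration (\d+):(\d+):(\d+) bytes (\d+)")

NTP_PACKET_BYTES = 48           # one NTP request or response without extension fields
UDP_IDLE_TIMEOUT_SECONDS = 120  # 'timeout conn ... udp 0:02:00' from the posted config


def find_one_way_udp(log_text, port=123, pkt=NTP_PACKET_BYTES, idle=UDP_IDLE_TIMEOUT_SECONDS):
    """Return (conn_id, source, destination) for UDP flows to `port` that carried only a
    single request-sized packet and lived until the idle timeout: no reply was seen."""
    flows = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, if_a, ip_a, port_a, if_b, ip_b, port_b = m.groups()
            # Whichever side carries the service port is the destination of the flow.
            if int(port_a) == port:
                flows[cid] = {"src": f"{if_b}:{ip_b}", "dst": f"{if_a}:{ip_a}/{port_a}"}
            elif int(port_b) == port:
                flows[cid] = {"src": f"{if_a}:{ip_a}", "dst": f"{if_b}:{ip_b}/{port_b}"}
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in flows:
            cid, hours, mins, secs, nbytes = m.groups()
            flows[cid]["seconds"] = int(hours) * 3600 + int(mins) * 60 + int(secs)
            flows[cid]["bytes"] = int(nbytes)
    return [(cid, f["src"], f["dst"]) for cid, f in flows.items()
            if f.get("bytes") == pkt and f.get("seconds", 0) >= idle]


if __name__ == "__main__":
    for cid, src, dst in find_one_way_udp(SAMPLE_LOG):
        print(f"conn {cid}: {src} -> {dst} sent one request, no reply before idle timeout")
```

Feed it `show logging` output (with `logging buffered informational` or the equivalent syslog export) instead of SAMPLE_LOG; the same check with port=53 separates a NAT/return-path problem from an NTP-only one.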

  • Exchange, EAS, iPhones, TMG, and random desync's

    We're running Exchange 2010 SP1 RU5 and Forefront TMG 2010 in our environment, and we have a few users (maybe 5-7) who use iOS devices.  It seems as if only a couple of them have intermittent problems (everyone is on AT&T) with connections.  Seemingly randomly, some users will disconnect and lose the ability to synchronize email for a while.  Usually a reboot of the device will fix the problem.
    This sounds a lot like a network connectivity issue to me.  I'm wondering if TMG, and all the wonder that it does to try and force network connections to behave, is causing iPhones and iPads to be unable to synchronize properly.
    Microsoft's explanation of this phenomenon is that it has to do with NAT'ing that the wireless company does on cellular towers and IP addresses changes, but I'm not 100% sure that's exactly the issue.
    Anyone else been through this problem?

    Hello Chris,
    The affected users may be members of too many groups, causing their user tokens to be larger than the maximum allowed size. Compare the group membership of a problem user with that of a successful user.
    Also, compare the Security permissions on the active directory account as well. (Specifically inheritable permissions)
    Exchange ActiveSync Returned an HTTP 500 Error - Remote Connectivity Analyzer
    http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
    How to troubleshoot server ActiveSync HTTP error codes
    http://support.microsoft.com/?kbid=330463
    Hope this helps,
    Kevin Ca - MSFT

  • Virtual IP Relocated

    Hi Guys,
    Quick question - I hope!
    I have recently seen the following three critical alerts:
    on Target abc2 CRS resource ora.scan3.vip was relocated to abc2
    on Target abc2 CRS resource ora.scan2.vip was relocated to abc2
    on Target abc1 CRS resource ora.scan1.vip was relocated to abc1
    I have googled and googled this but can't find out if this is in fact a potential train smash or if I need to relocate them back.
    We did have a failure last week and everything failed over, but when the failed node was restarted ASM did not start automatically; when it was manually started these alerts appeared.
    The set up is:
    2 node 11gR2 RAC install on Windows 2008 64bit with ASM.
    3 SCAN listeners split over the two nodes
    If there is anything else config wise please let me know.
    Thanks in advance.
    Tim

    pilog wrote:
    Or to boil it down to the question: Is there a feature for a sqlnet connection like "-b" for ssh?
    Nope. Cannot recall ever seeing such an option. On the server side that feature is obviously available to bind tcp end points to specific IPs.
    Why exactly do you need this feature on the client side? I do not understand the "the client connects using changing IP addresses, although the application is having a single and constant virtual IP. This requires more open connections on the FW between DB and client than necessary" problem you've stated.
    If the client opens 2 connections to the database, then that will be 2 connections via the firewall, as the private port of the client will differ for each connection and thus make the connection unique.
    Now whether those 2 client connections use IP1 or IP2 on the client for binding will not matter - as 2 distinct connections will be created irrespective.
    If for some reason you want the firewall or db server to see these inbound client connections as minimal IP sources - then you can do this by using a single IP for all inbound connections by NAT'ing.
    You put down a NAT firewall (using iptables for example) and simply rewrite inbound IP headers for tcp packets on 1521 to the NAT IP and forward the packet to the firewall/db server.
    That server will see a single client IP only for all incoming traffic. Works pretty well for Oracle as the client connection string includes the client hostname/hostid - so you can still in Oracle see which session is from which client, despite all these sessions having the same source IP.
