ACL for the newbies.

Unfortunately, I don't have the luxury of Cisco training, or of reading the whole manual thoroughly. While the IOS manual makes it clear how to create and apply ACLs, I need help on where to apply them and on how not to cut my whole building off when I apply them to the border router.

Specifically, I want to deny inbound TCP on ports 135-139 (NetBIOS) and 445 (W2K NetBIOS).

I'm doing this on a 2600 series router with IOS 12.2.

Can anyone help me or point me to a useful link?

Thank you.

Robby-

Assuming that your external interface is, say, Serial0, you would do the following:

access-list 100 deny tcp any any range 135 139
access-list 100 deny tcp any any eq 445
access-list 100 permit ip any any
interface Serial0
 ip access-group 100 in

If you want to be more precise and block these ports only towards your specific subnet (say it's 100.1.1.0/24), then just replace the 2nd "any" in each line with "100.1.1.0 0.0.0.255".

Remember that some NetBIOS traffic is UDP, so you want to block that too, simply by adding further lines to the access list similar to what I showed you but with "udp" instead of "tcp".
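
The answer above relies on three IOS rules: entries are checked top to bottom, the first match decides, and anything left over hits the implicit deny at the end. The following simulator (an added example, not code from the original thread) parses the numbered extended-ACL syntax used above (any | host A | A WILDCARD, eq / range on the destination port), evaluates constructed inbound packets, and keeps the per-entry hit counters that "show access-lists" would report. It shows why the closing "permit ip any any" is what keeps the building connected and why the TCP-only version still lets NetBIOS name service over UDP 137 through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]          # (address as int, wildcard mask as int)

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Spec
    dst: Spec
    ports: Optional[Tuple[int, int]]   # destination port range; None = any port
    hits: int = 0               # the match counter "show access-lists" reports

def _addr(tokens: List[str]) -> Spec:
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def _ports(tokens: List[str]) -> Optional[Tuple[int, int]]:
    """Consume an optional 'eq P' or 'range A B' destination-port operator."""
    if not tokens:
        return None
    op = tokens.pop(0)
    if op == "eq":
        port = int(tokens.pop(0))
        return (port, port)
    if op == "range":
        return (int(tokens.pop(0)), int(tokens.pop(0)))
    raise ValueError("unsupported port operator: " + op)

def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N action proto SRC DST [eq P | range A B]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                # interface / access-group lines are not entries
        _kw, _number, action, proto, *rest = tokens
        src, dst, ports = _addr(rest), _addr(rest), _ports(rest)
        entries.append(Entry(action, proto, src, dst, ports))
    return entries

def _match_addr(spec: Spec, addr: str) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF       # a wildcard bit of 1 means "don't care"
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def evaluate(entries, proto, src, dst, dport=None) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match_addr(e.src, src) and _match_addr(e.dst, dst)):
            continue
        if e.ports and (dport is None or not e.ports[0] <= dport <= e.ports[1]):
            continue
        e.hits += 1
        return e.action
    return "deny"                   # the implicit 'deny ip any any' at the end

def classify(acl_text: str, packets) -> Tuple[List[str], List[int]]:
    """Run packets through a fresh copy of the ACL; return decisions and per-entry hits."""
    entries = parse_acl(acl_text)
    decisions = [evaluate(entries, *pkt) for pkt in packets]
    return decisions, [e.hits for e in entries]

# The ACL from the answer (TCP only) and the UDP-aware version it recommends.
ACL_TCP_ONLY = """
access-list 100 deny tcp any any range 135 139
access-list 100 deny tcp any any eq 445
access-list 100 permit ip any any
"""
ACL_WITH_UDP = """
access-list 100 deny tcp any any range 135 139
access-list 100 deny tcp any any eq 445
access-list 100 deny udp any any range 135 139
access-list 100 deny udp any any eq 445
access-list 100 permit ip any any
"""
# Constructed inbound packets (proto, src, dst, dst port); 198.51.100.7 is a
# documentation address standing in for an Internet host.
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", "100.1.1.10", 445),   # SMB
    ("tcp", "198.51.100.7", "100.1.1.10", 80),    # web
    ("udp", "198.51.100.7", "100.1.1.10", 137),   # NetBIOS name service
    ("tcp", "198.51.100.7", "100.1.1.10", 139),   # NetBIOS session
    ("udp", "198.51.100.7", "100.1.1.10", 53),    # DNS
]

if __name__ == "__main__":
    for name, acl in (("tcp only", ACL_TCP_ONLY), ("tcp+udp", ACL_WITH_UDP)):
        print(name, classify(acl, SAMPLE_PACKETS))
```

Dropping the last line of ACL_TCP_ONLY reproduces the lock-out: every packet then falls through to the implicit deny.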

Tags: Cisco Security

Similar Questions

  • 2821 ACL for a range of IP addresses

    We use an old Cisco 2821 on the Internet edge for initial inbound traffic filtering. To try to block some provider networks that are a source of spam, we tried to apply an ACL that included a range of addresses as follows:

    access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255

    This command was shortened to the following in the running configuration:

    access-list 110 deny ip host 198.20.160.0 any

    The ACL doesn't seem to work, as we still receive spam from this range.

    Any help is greatly appreciated.

    Thank you for your time.

    Hello

    Your ACL syntax denies only the host 192.20.160.0.

    If you look below

    access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255

    You have the source specified as a host (host 198.20.160.0)

    and the destination as any host (the network and mask 0.0.31.255 255.255.255.255 are invalid as a destination, so they amount to any).

    Which subnet or network do you want to block? Give me the source and destination subnets and I will correct the ACL.

    HTH

    Sandy
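
    As an added example (not part of the thread), the following shows concretely what Sandy describes: once "host" precedes the network, IOS reads 0.0.31.255 as the destination address and 255.255.255.255 as its wildcard, which is "any", so the entry matches a single source address instead of the /19. The helper computes the address range each part of the entry covers; SPAM_SOURCE is a constructed address inside the block.

```python
import ipaddress

def parse_spec(tokens):
    """Consume one IOS address spec from tokens: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_entry(line):
    """Source and destination specs of an 'access-list N deny|permit ip SRC DST' line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[3] != "ip":
        raise ValueError("expected an extended 'ip' entry")
    rest = tokens[4:]                       # skip access-list, number, action, protocol
    src, dst = parse_spec(rest), parse_spec(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: " + " ".join(rest))
    return src, dst

def covered_range(spec):
    """(first, last, count) of the addresses a spec matches; wildcard must be contiguous."""
    base, wild = spec
    if wild & (wild + 1):                   # low-order ones only, else it is scattered
        raise ValueError("non-contiguous wildcard mask")
    first = base & ~wild & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wild)), wild + 1)

def matches(spec, addr):
    """True when addr falls inside the spec (wildcard bit 1 = don't care)."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

# What was typed, as IOS tokenises it, and what was intended.
POSTED = "access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255"
INTENDED = "access-list 110 deny ip 198.20.160.0 0.0.31.255 any"
SPAM_SOURCE = "198.20.170.9"   # constructed address inside the provider's block

if __name__ == "__main__":
    for line in (POSTED, INTENDED):
        src, dst = parse_entry(line)
        print(line, "\n  source covers", covered_range(src),
              "\n  blocks", SPAM_SOURCE, "?", matches(src, SPAM_SOURCE))
```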

  • Something similar to object groups, but for ports? (to be used in an ACL)

    Hello community!

    I'm fairly new when it comes to firewalls, but I have some experience with routers and switches, so I'm not completely lost.

    Practically, we all know that an object group is a big bucket to throw things into and then manage them as a single group, which is very useful for many reasons... so is there something similar that we can use in an ACL for ports?

    Say that I want to allow the following ports:

    • 80
    • 443
    • 25
    • 30500
    • 20500
    • 8080
    • 14600
    • 21
    • 753
    • 22

    And instead of doing something like this:

    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 80
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 443
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 25
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 30500
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 20500
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 8080
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 14600
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 21
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 753
    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 22

    do something like:

    access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq PORT_LIST1

    Thank you!!

    PS: Excuse me if some of the ports above are not TCP, it's just an example. I just started typing all the numbers that came to my head.

    Hey Rolando,

    On an ASA, you can combine services and protocols based on source/destination in a service object-group. Your example would look like this:

    object-group service PORT_LIST1
     service-object tcp destination range 21 22
     service-object tcp destination eq 25
     service-object tcp destination eq 80
     service-object tcp destination eq 443
     service-object tcp destination eq 753
     service-object tcp destination eq 8080
     service-object tcp-udp destination eq 14600
     service-object tcp destination eq 20500
     service-object tcp destination eq 30500

    You can also nest groups:

    object-group service WEB_PORTS
     service-object tcp destination eq 80
     service-object tcp destination eq 443
    object-group service PORT_LIST1
     group-object WEB_PORTS
     service-object ...

    This type of group goes where the protocol is specified in the ACL:

     access-list dmz_access_in extended permit object-group PORT_LIST1 object HOST object EXT-WEB
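
    The answer folded 21 and 22 into a single "range 21 22" by hand. The generator below (an added example, not the poster's or Cisco's code) does the same for any port list: it sorts and deduplicates the ports, coalesces consecutive numbers into ranges, emits one service-object per run (plus any nested group-object lines), and produces the single ACE that replaces one line per port. ROLANDO_PORTS is the list from the question; WEB and EXT-WEB are the object names used above.

```python
from typing import Dict, Iterable, List, Sequence, Tuple

def coalesce(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Sort, dedupe and fold consecutive ports into (low, high) runs."""
    runs: List[Tuple[int, int]] = []
    for port in sorted(set(ports)):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if runs and runs[-1][1] == port - 1:
            runs[-1] = (runs[-1][0], port)      # extend the current run
        else:
            runs.append((port, port))
    return runs

def service_object_group(name: str, ports_by_proto: Dict[str, Iterable[int]],
                         nested: Sequence[str] = ()) -> List[str]:
    """ASA 'object-group service' lines: nested groups first, then one
    service-object per port run ('eq' for a single port, 'range' otherwise)."""
    lines = [f"object-group service {name}"]
    lines += [f" group-object {group}" for group in nested]
    for proto, ports in ports_by_proto.items():
        if proto not in ("tcp", "udp", "tcp-udp"):
            raise ValueError(f"unsupported protocol keyword: {proto}")
        for low, high in coalesce(ports):
            op = f"eq {low}" if low == high else f"range {low} {high}"
            lines.append(f" service-object {proto} destination {op}")
    return lines

def acl_entry(acl: str, group: str, src_obj: str, dst_obj: str) -> str:
    """The single ACE that replaces one access-list line per port."""
    return (f"access-list {acl} extended permit object-group {group} "
            f"object {src_obj} object {dst_obj}")

# The ports from the question; 14600 is marked tcp-udp as in the answer.
ROLANDO_PORTS = [80, 443, 25, 30500, 20500, 8080, 14600, 21, 753, 22]
PORT_LIST1 = {"tcp": [p for p in ROLANDO_PORTS if p != 14600], "tcp-udp": [14600]}

if __name__ == "__main__":
    print("\n".join(service_object_group("PORT_LIST1", PORT_LIST1)))
    print(acl_entry("dmz_access_in", "PORT_LIST1", "WEB", "EXT-WEB"))
```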

  • ACL counters for a VPN group show zero even though there is traffic

    Hi all

    I use a PIX 515E. I defined a remote user VPN and its address pool, and also set several ACLs that apply to traffic originating from this address pool towards servers on the inside network.

    Does anyone have ideas why the ACL hit counts remain at zero, even though my remote users access the servers all the time?

    Thanks for the wisdom!

    Joe

    Joe,

    You're probably using the command "sysopt connection permit-ipsec".

    As quoted in the PIX guide on cisco.com:

    "Use the sysopt connection permit-ipsec command in IPSec configurations to allow IPSec traffic to pass through the PIX firewall without a check of conduit or access-list command statements"

    The ACL on the external interface is bypassed by this feature.

  • Problem with a site-to-site VPN between two Cisco ASA 5505

    Starting out with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help. I can't ping from site A to site B and vice versa.

    Cisco ASA1 config

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 172.xxx.xx.4 255.255.240.0
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.60.2 255.255.255.0
    !
    ftp mode passive
    object network Lan_Outside
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
    object network Lan_Outside
     nat (inside,outside) dynamic interface dns
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.60.0 255.255.255.0 inside
    http 96.xx.xx.222 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 trans0form-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 96.88.75.222
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside

    dhcpd address 192.168.60.50-192.168.60.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_96.xx.xx.222 internal
    group-policy GroupPolicy_96.xx.xx.222 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 96.xx.xx.222 type ipsec-l2l
    tunnel-group 96.xx.xx.222 general-attributes
     default-group-policy GroupPolicy_96.xx.xx.222
    tunnel-group 96.xx.xx.222 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco ASA2 config

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 96.xx.xx.222 255.255.255.248
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Lan_Outside
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_4
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
    !
    object network Lan_Outside
     nat (any,outside) dynamic interface
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.xxx.xx.4 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 172.110.74.4
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd address 192.168.1.50-192.168.1.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_172.xxx.xx.4 internal
    group-policy GroupPolicy_172.xxx.xx.4 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 172.xxx.xx.4 type ipsec-l2l
    tunnel-group 172.xxx.xx.4 general-attributes
     default-group-policy GroupPolicy_172.xxx.xx.4
    tunnel-group 172.xxx.xx.4 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
      inspect http

    For an IKEv2 configuration (example config, you can change the encryption, group, ...):

    - You must add the NAT exemption statement (see previous answer).

    - Set your encryption domain ACL:

    access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN

    - Set Phase 1:

    crypto ikev2 enable outside
    crypto ikev2 policy 10
     encryption 3des
     integrity sha md5
     group 5
     prf sha
     lifetime seconds 86400

    - Set Phase 2:

    crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
     protocol esp encryption aes
     protocol esp integrity sha-1

    - Set the tunnel group:

    tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
    tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco123
     ikev2 local-authentication pre-shared-key cisco123

    - Define the crypto map:

    crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
    crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
    crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
    crypto map CRYPTOMAP interface outside
    crypto isakmp identity address

    In your config you have all these commands, but in your VPN config you mix ikev1 and ikev2. You have also defined different ikev2 policies. Just do a bit of cleaning and agree on a single policy for the two sites (encryption, hash, ...).

    Thank you
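
    The answer's closing advice (agree on one IKEv2 policy and one proposal for both sites) can be checked mechanically. The script below is an added example, not the poster's configuration or Cisco tooling: it parses "crypto ikev2 policy" and "crypto ipsec ikev2 ipsec-proposal" blocks from two ASA config extracts, takes only the proposals a crypto map actually offers, and reports the Phase 1 and Phase 2 combinations both peers would accept. SITE_A and SITE_B are constructed extracts: A follows the single-policy recipe above, B keeps one of the many policies from the posted configs and offers only its AES256 proposal.

```python
import re
from typing import Dict, List, Set, Tuple

def _blocks(config: str, header: str) -> Dict[str, List[str]]:
    """Map each line matching `header` (group 1 = name) to its indented sub-lines."""
    out: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        match = re.match(header, line)
        if match:
            current = match.group(1)
            out[current] = []
        elif current is not None and line.startswith(" "):
            out[current].append(line.strip())
        else:
            current = None          # back at top level: the block has ended
    return out

def ikev2_policies(config: str) -> Dict[str, Set[Tuple[str, ...]]]:
    """Policy number -> every (encryption, integrity, group, prf) combination it
    offers; a line may list several algorithms and any one of them can match."""
    result = {}
    for num, lines in _blocks(config, r"^crypto ikev2 policy (\d+)$").items():
        attrs = {"encryption": [], "integrity": [], "group": [], "prf": []}
        for line in lines:
            keyword, *values = line.split()
            if keyword in attrs:
                attrs[keyword] = values
        result[num] = {(e, i, g, p) for e in attrs["encryption"] for i in attrs["integrity"]
                       for g in attrs["group"] for p in attrs["prf"]}
    return result

def ikev2_proposals(config: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Proposal name -> (esp encryption, esp integrity) combinations."""
    result = {}
    for name, lines in _blocks(config, r"^crypto ipsec ikev2 ipsec-proposal (\S+)$").items():
        enc, integ = [], []
        for line in lines:
            tokens = line.split()
            if tokens[:3] == ["protocol", "esp", "encryption"]:
                enc += tokens[3:]
            elif tokens[:3] == ["protocol", "esp", "integrity"]:
                integ += tokens[3:]
        result[name] = {(e, i) for e in enc for i in integ}
    return result

def offered_proposals(config: str) -> Set[str]:
    """Proposal names a crypto map entry offers; defined-but-unreferenced ones never reach the peer."""
    names: Set[str] = set()
    for m in re.finditer(r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (.+)$", config, re.M):
        names.update(m.group(1).split())
    return names

def common_ground(cfg_a: str, cfg_b: str):
    """(phase1, phase2): IKE policy and ESP proposal combinations both peers accept."""
    p1_a = set().union(*ikev2_policies(cfg_a).values())
    p1_b = set().union(*ikev2_policies(cfg_b).values())
    props_a, props_b = ikev2_proposals(cfg_a), ikev2_proposals(cfg_b)
    p2_a = set().union(*(props_a[n] for n in offered_proposals(cfg_a) if n in props_a))
    p2_b = set().union(*(props_b[n] for n in offered_proposals(cfg_b) if n in props_b))
    return p1_a & p1_b, p2_a & p2_b

# Constructed extracts of the two peers' configs (see lead-in).
SITE_A = """\
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
"""
SITE_B = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
"""

if __name__ == "__main__":
    print("phase1, phase2 in common:", common_ground(SITE_A, SITE_B))
```

An empty set in either position means the tunnel cannot come up; the fix is to give both sites the same policy and have each crypto map offer a proposal the other side defines.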

  • Downloadable ACLs for VPN users

    Hello

    I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users authenticated through the ACS, and ACS downloaded a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working well. When I disabled this option, the tunnel was established. When I go back to the old PIX with the same configuration, it works very well with the downloadable ACL option. I opened a TAC case and they said ACS v3.0 (which I have) is not compatible with the ASA. That did not really convince me, and they asked me to try the AV pair option. I tried the AV pair option with the ASA and it did not work either. Can you please advise?

    Hello

    Check out this bug,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef21184

    In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL"; on the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".

    Kind regards

    Prem

  • ACL for TFTP traffic

    Hello

    I need access to a different VLAN for TFTP traffic. So I've created an ACL like this:

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

    I apply this ACL inbound on the source (192.168.30.0) interface.

    The request to the tftp server is established and the tftp server responds from a random port for the file transfer.

    Here's the problem. Because of the random port, the ACL blocks the file transfer.

    Any idea?

    Greetings,

    Rouven

    Hi Ganesh,

    Windows 2003, on which the tftp server resides, uses the range 1025 to 5000 as ephemeral ports. So I've decided to use the following ACL:

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

    This has the drawback you've already mentioned. But actually I see no other way to solve the problem.

    Thank you for your support!

    Greetings,

    Rouven

    Hi Rouven,

    As I said earlier, we need to allow the data-transfer ports for tftp, which are chosen dynamically by the client and the server depending on the traffic flow; try the following ACLs and share the results

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

    Hope this helps!

    Ganesh.H

    Don't forget to rate useful posts

  • Certificate error for the ISE hotspot

    We have just installed an ISE server (version 1.3.0.876) and set up a hotspot portal for guest users. Everything on the portal works fine, however! The issue we run into is that we installed a public cert signed by a public CA (Starfield CA), but when users go to the EULA page on the ISE server, they get an error that the certificate path is not complete. I looked at the cert that it gets, and the path contains only the issued cert, not the CAs above it. (I think the browser then tries to go to a site to download the latest public CA cert for the issued cert)

    I can work around this by allowing the IP address it hits in the ACL on the WLC, but I would simply like to have ISE deliver the cert WITH the public CAs, just in case the IP changes, or in case it is actually hitting a VIP and the responding host varies.

    Does anyone know how this is done?

    I tried the following:

    Exported the cert from ISE, added the public CA certs to the server certificate and imported it into ISE; no luck. (I think this was done properly, let me know if this should have worked)

    Added the public CA to ISE as a trusted certificate as well; no luck with that either.

    Let me know! Thank you guys!

    Good job fixing the problem and for taking the time to post back here! (+5 from me).

    What is interesting is that ISE should warn you and automatically restart the server when a new HTTPS certificate is installed. I wonder if this behavior was changed in the latest patch/version. In any case, glad your problem is solved!

    Now, you must mark the thread as "answered" :)

  • ACL best practices - on the Internet interface

    I have a question relating to the ACL on a router's Internet-facing interface.

    After reading several whitepapers on the subject, a recommended ACL would typically contain the following statements.

    In addition, the Cisco SDM automatically generates a similar externally facing ACL:

    ip access-list extended INBOUND
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip host 0.0.0.0 any
     deny ip any any
    !

    So my question is...

    What is the point of lines 4-8 when the last line blocks them anyway?

    I understand that when we view the ACL there is a match count per explicit ACL entry, but in terms of blocking, I don't see the advantage.

    Instead, the following ACL would provide the same benefit and be easier to maintain.

    ip access-list extended INBOUND
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     deny ip any any
    !

    Am I missing something obvious?

    Thanks in advance for the help,

    Kind regards.

    Hello Peter,

    I believe that when people post these examples, they assume you will put additional statements before the "deny ip any any" at the end. There are really a few rules that you must use when you create an Internet-facing ACL:

    1. Deny incoming traffic from your own registered IP addresses to prevent spoofing.

    2. Deny incoming Microsoft LAN traffic (ports 445, 137-139, etc.); any legitimate Microsoft LAN traffic should be limited to a VPN.

    3. Deny traffic from private or null addresses.

    I'm sure you realize that packets can be crafted so that "established" matches and use private addresses (broadcast or unicast) or your own addresses as a source to create undesirable traffic or denial-of-service attacks. That's why these statements are called out separately. You would use them before the "permit tcp any (your registered IP range) established" statement.

    Your proposed ACL only allows TCP responses to internally generated queries. Unless you really don't want any UDP traffic, you must include a reflexive access-list statement to allow UDP. I also hope that you have a big log server, or only a few hosts on your network; logging all TCP traffic will take a bit of space!

  • Proof of encryption for the DMVPN tunnel

    I've been setting up VPNs for a short time and I'm trying to get a better understanding of the mechanics.

    I configured DMVPN between an HQ router and two branches. I'm running EIGRP between the routers over the GRE tunnel interfaces. I can see EIGRP neighbors via the tunnel, which is good. The part I'm trying to understand: I have not created any ACL and I still seem to form EIGRP neighbor relationships in the tunnels. If I ping or telnet from the HQ router to one of the branches, I assume that I'm going through the tunnel and the traffic is encrypted. I would like to be able to prove it and see evidence.

    Do I have to have an ACL configured to tell the router what to encrypt? Or does the fact that the tunnel has a crypto profile applied take care of it?

    I did a test and telneted from HQ to Branch 1 using private addresses that were sent through the tunnel, and then entered the command "sh crypto ipsec sa". My telnet source address is the loopback of the router, which is 172.22.3.1. I thought I'd see 172.22.3.1 or 172.22.1.1 in the output and I do not, which makes me wonder if the traffic is being encrypted. Maybe my configs are incorrect or I need a different show command?

    I have attached my router configs as well. If someone could help me understand a little more it would be appreciated.

    Andy

    Lab-HQ-rtr#telnet 172.22.1.1     (this is Branch1rtr)
    Trying 172.22.1.1 ... Open

    User Access Verification

    Username: andrewb
    Password:

    Lab-branch1-rtr#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 50.50.50.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (50.50.50.1/255.255.255.255/47/0)   *thought I'd see the telnet src and dst addresses here*
       remote ident (addr/mask/prot/port): (50.50.50.3/255.255.255.255/47/0)
       current_peer 50.50.50.3 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
        #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 24, #recv errors 0

         local crypto endpt.: 50.50.50.1, remote crypto endpt.: 50.50.50.3
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
         current outbound spi: 0x61D48BA8(1641319336)

         inbound esp sas:
          spi: 0x555FD9F(89521567)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2037, flow_id: Onboard VPN:37, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3044)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x61D48BA8(1641319336)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2038, flow_id: Onboard VPN:38, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4598507/3033)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    Lab-branch1-rtr#

    Lab-HQ-rtr#sh ip route
    C    50.50.50.0 is directly connected, Serial0/0/0
         172.22.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       172.22.3.1/32 is directly connected, Loopback0
    D       172.22.2.1/32 [90/2944000] via 192.168.254.2, 21:18:04, Tunnel0
    D       172.22.1.1/32 [90/2944000] via 192.168.254.1, 21:19, Tunnel0
    D       172.22.64.32/27 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
                            [90/2816256] via 192.168.254.1, 21:18:04, Tunnel0
         10.0.0.0/24 is subnetted, 5 subnets
    D       10.10.10.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.20.0 [90/2816256] via 192.168.254.1, 21:19, Tunnel0
    D       10.10.30.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.40.0 [90/2816256] via 192.168.254.2, 21:18:04, Tunnel0
    D       10.10.50.0 [90/2816256] via 192.168.254.1, 21:19:02, Tunnel0
    C    192.168.254.0/24 is directly connected, Tunnel0
    C    192.168.1.0/24 is directly connected, FastEthernet0/0

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    50.50.50.3      50.50.50.2      QM_IDLE           1002    0 ACTIVE
    50.50.50.3      50.50.50.1      QM_IDLE           1001    0 ACTIVE

    Hi Andy,

    DMVPN uses routing to control which traffic will be encrypted. You can add ACLs, as with a regular crypto map, to specify the interesting traffic, but that is not a must.

    When traffic leaves the router, it does the routing lookup first; if the next hop points to your tunnel interface, the traffic is encapsulated and encrypted; if the next hop points to another interface, the traffic leaves the router without encryption.

    ISAKMP SAs are built between your tunnel endpoints, as you see in the output of "show crypto isakmp sa". You can check whether the traffic was encrypted or not by looking at the
    #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
    #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286

    If you really want to see the packets, you can SPAN the traffic to a monitor station.

    HTH,

    Lei Tian
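    The check the reply describes, done programmatically, as an added example that is not part of the thread: take two captures of "show crypto ipsec sa" around the test traffic and confirm that the encaps/encrypt and decaps/decrypt counters grew together with no new errors. It also reads the proxy identities, which explain why the 172.22.x.x telnet addresses never appear in the SA: the SA protects the GRE (IP protocol 47) flow between the tunnel endpoints, and the telnet session rides inside it. The first sample is trimmed from the output in the thread; the second sample is constructed to look like the same command run again a little later.

```python
import re

# First sample: counter lines as shown in the thread above (other lines of the output trimmed).
SAMPLE_BEFORE = """\
   local  ident (addr/mask/prot/port): (50.50.50.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (50.50.50.3/255.255.255.255/47/0)
    #pkts encaps: 14307, #pkts encrypt: 14307, #pkts digest: 14307
    #pkts decaps: 14286, #pkts decrypt: 14286, #pkts verify: 14286
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 24, #recv errors 0
"""
# Second sample: constructed to look like the same command run again after some telnet/ping
# traffic had crossed the tunnel (43 packets out, 34 packets in).
SAMPLE_AFTER = """\
   local  ident (addr/mask/prot/port): (50.50.50.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (50.50.50.3/255.255.255.255/47/0)
    #pkts encaps: 14350, #pkts encrypt: 14350, #pkts digest: 14350
    #pkts decaps: 14320, #pkts decrypt: 14320, #pkts verify: 14320
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 24, #recv errors 0
"""

PKTS_RE = re.compile(r"#pkts ([a-z][a-z .]*?): (\d+)")
ERRS_RE = re.compile(r"#(send|recv) errors (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/[\d.]+/(\d+)/\d+\)")


def parse_sa_counters(text):
    """Per-SA counters from one 'show crypto ipsec sa' capture, keyed by their label."""
    counters = {label: int(n) for label, n in PKTS_RE.findall(text)}
    counters.update({f"{side} errors": int(n) for side, n in ERRS_RE.findall(text)})
    return counters


def proxy_identities(text):
    """{'local': (address, ip_protocol), 'remote': ...}: the traffic the SA protects."""
    return {side: (addr, int(proto)) for side, addr, proto in IDENT_RE.findall(text)}


def counter_delta(before, after):
    """Growth of each counter between two captures."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    return {k: a[k] - b[k] for k in a if k in b}


def tunnel_is_encrypting(before, after):
    """True when packets were both encapsulated+encrypted and decapsulated+decrypted
    between the two captures, with no new send/recv errors."""
    d = counter_delta(before, after)
    return (d["encaps"] > 0 and d["encaps"] == d["encrypt"]
            and d["decaps"] > 0 and d["decaps"] == d["decrypt"]
            and d["send errors"] == 0 and d["recv errors"] == 0)


if __name__ == "__main__":
    ident = proxy_identities(SAMPLE_BEFORE)
    print("SA protects", ident["local"][0], "<->", ident["remote"][0],
          "IP protocol", ident["local"][1], "(47 = GRE: the telnet addresses are inside it)")
    print("delta:", counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER))
    print("encrypting:", tunnel_is_encrypting(SAMPLE_BEFORE, SAMPLE_AFTER))
```

    With the two samples above the delta is 43 encaps/encrypt and 34 decaps/decrypt with zero new errors, so tunnel_is_encrypting() returns True; feeding the same capture twice returns False, which is the case to watch for when the test traffic was actually routed out another interface in the clear.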

  • NAC guest-user ACL

    I set up NAC for role-based user VLAN assignment, deployed as OOB VG L2. I have a default access VLAN, an authentication VLAN and a user VLAN configured. The user VLAN is for guests. So a guest opens the browser and is prompted to enter credentials. The credentials are accepted. The browser refreshes the IP and I get a "... limited connectivity, 169.254.x.x ...". I get this error when I apply the ACL below to the "user vlan" interface (i.e. ip access-group 110 in); when the ACL is not assigned everything works fine and the guests can roam my entire internal network. My DHCP/DNS is on the 10.0.0.0 network. Anyone have any ideas why I get this error?

    access-list 110 deny ip 192.168.41.0 0.0.0.255 10.0.0.0 0.255.255.255

    access-list 110 deny ip 192.168.41.0 0.0.0.255 172.16.0.0 0.15.255.255

    access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.41.0 0.0.0.255

    access-list 110 deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255

    access-list 110 permit ip 192.168.41.0 0.0.0.255 any

    Hi there,

    What VLAN and IP does the guest user have when he sees the web page prompting for credentials?

    What VLAN and IP do you want guests to have once the client authenticates as a guest?

    My first thought is that your ACL denies DHCP requests and DNS requests, since you mention DHCP and DNS are on the 10.0.0.0/8 network.

    thxs

    Peter
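    Both the Internet-interface ACL best-practices thread above and this NAC guest-VLAN thread come down to how IOS walks an access list: first match wins, every entry keeps its own hit counter, and anything unmatched falls into the implicit deny. The following Python model, an added example that is not from either post, replays both lists over constructed packets. It understands only a small IOS-like ACE grammar (permit/deny, protocol, any/host/wildcard addresses, eq port, established); ICMP type keywords are accepted but not matched. The registered public range 203.0.113.0/24, the guest client 192.168.41.20 and the DNS/DHCP server addresses in 10/8 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str              # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: int = 0
    ack: bool = False       # TCP ACK/RST set, which is what the 'established' keyword tests

@dataclass
class Ace:
    text: str
    action: str
    proto: str
    src: tuple              # (address, wildcard) as integers
    dst: tuple
    dport: "int | None"
    established: bool
    matches: int = 0        # per-entry hit counter, like the one 'show access-lists' prints

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i] -> ((addr, wild), next i)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _match(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF   # a 1 bit in the wildcard mask means 'do not care'
    return (_ip(addr) & care) == (net & care)

def parse_ace(line):
    t = line.split()            # ICMP type keywords (echo, ...) are accepted but not matched
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if "eq" in t[i:] else None
    return Ace(line, t[0], t[1], src, dst, dport, "established" in t[i:])

def acl(lines):
    return [parse_ace(line) for line in lines]

def evaluate(aces, pkt):
    """First matching entry wins; no match is the implicit 'deny ip any any'."""
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto) and _match(ace.src, pkt.src)
                and _match(ace.dst, pkt.dst) and ace.dport in (None, pkt.dport)
                and (pkt.ack or not ace.established)):
            ace.matches += 1
            return ace.action
    return "deny"

LONG_INBOUND = [  # the Internet-facing INBOUND list from the best-practices thread
    "permit icmp any any echo", "permit icmp any any echo-reply",
    "permit icmp any any unreachable",
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip host 0.0.0.0 any", "deny ip any any",
]
SHORT_INBOUND = LONG_INBOUND[:3] + ["deny ip any any"]
# 203.0.113.0/24 stands in for the site's registered public range (constructed, documentation prefix)
ESTABLISHED = "permit tcp any 203.0.113.0 0.0.0.255 established"

def compare_inbound():
    """Both lists give identical verdicts; only the long one records which entry was hit."""
    pkts = [Packet("icmp", "198.51.100.9", "203.0.113.5"),               # constructed traffic
            Packet("tcp", "10.1.2.3", "203.0.113.5", 80, ack=True),      # private source address
            Packet("tcp", "198.51.100.9", "203.0.113.5", 443, ack=True)]
    long_acl, short_acl = acl(LONG_INBOUND), acl(SHORT_INBOUND)
    same = all(evaluate(long_acl, p) == evaluate(short_acl, p) for p in pkts)
    return same, {a.text: a.matches for a in long_acl}

def spoof_check(pkt):
    """Verdicts with the private-source denies placed before, then after, the 'established' permit."""
    before = acl(LONG_INBOUND[:3] + LONG_INBOUND[3:8] + [ESTABLISHED, "deny ip any any"])
    after = acl(LONG_INBOUND[:3] + [ESTABLISHED] + LONG_INBOUND[3:8] + ["deny ip any any"])
    return evaluate(before, pkt), evaluate(after, pkt)

NAC_GUEST = acl([  # access-list 110 from the NAC guest-VLAN thread, applied inbound
    "deny ip 192.168.41.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 192.168.41.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "permit ip 192.168.41.0 0.0.0.255 192.168.41.0 0.0.0.255",
    "deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip 192.168.41.0 0.0.0.255 any",
])

def nac_guest_verdicts():
    flows = {  # constructed guest flows; the DNS/DHCP server addresses in 10/8 are assumed
        "dns": Packet("udp", "192.168.41.20", "10.0.0.53", 53),
        "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),  # client has no lease yet
        "internet_web": Packet("tcp", "192.168.41.20", "198.51.100.7", 443),
    }
    return {name: evaluate(NAC_GUEST, p) for name, p in flows.items()}
```

    compare_inbound() returns True together with the long list's counters, where the packet from 10.1.2.3 is booked against the 10/8 entry rather than lost in "deny ip any any"; that per-entry visibility is what the long form buys. spoof_check() on a TCP ACK from 10.1.2.3 returns ("deny", "permit"): once a "permit ... established" entry exists, the private-source denies only protect you if they sit in front of it, which is the ordering point made in the reply. nac_guest_verdicts() gives "deny" for DNS to the 10/8 server (first entry) and "deny" for the DHCP discover from 0.0.0.0 (no entry matches, so the implicit deny applies), while ordinary Internet-bound traffic is permitted, consistent with the 169.254.x.x address the poster sees.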

  • Downloadable ACLs for users?

    Hi all

    On ACS 5.4, I need customized ACLs for users.

    My scenario:

    There is a way to use a "downloadable ACL" in the authorization profile, but I want to set specific ACLs for some exceptions. For example: user A and user B get authorization profile "X". But user B is not allowed to access one host. This "deny rule" I would like to configure with custom attributes in the internal user store.

    Is this possible? How can I implement this rule?

    Best regards

    Stefan

    Hello

    You can do this by following these steps:

    1. Define a user attribute in the dictionary under System Administration > Dictionaries > Identity > Internal Users; call it what you want and make sure the value type is a string.

    2. Create the DACL in the Named Permission Objects under the Policy Elements section.

    3. Under the user account you will now see a field for the dictionary attribute you created in step 1; make sure its value is the DACL you created in step 2.

    4. Create your authorization profile; under "Common Tasks" set the downloadable ACL to dynamic, select Internal Users and set the value to the attribute you created in step 1.

    5. Map the authorization policy in the access policy using the conditions that will give you these results.

    6. Test, and you should have what you are looking for.

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • Need help with a VPN connection

    Hi guys

    can you help with that?

    I set up a VPN connection, but the tunnel shows status: up and line protocol: down.

    Debugging is turned on and displays the following:

    ISAKMP:(2142):SA has outstanding requests (local xx.xx.xx.xx port 500, remote xx.xx.xx.xx port 500)
    Dec 20 02:39:26.762: ISAKMP:(2142): sitting IDLE. Starting QM immediately (QM_IDLE)
    Dec 20 02:39:26.762: ISAKMP:(2142):beginning Quick Mode exchange, M-ID of 3357871564
    Dec 20 02:39:26.762: ISAKMP:(2142):QM Initiator gets spi
    Dec 20 02:39:26.762: ISAKMP:(2142): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) QM_IDLE
    Dec 20 02:39:26.762: ISAKMP:(2142):Sending an IKE IPv4 Packet.
    Dec 20 02:39:26.762: ISAKMP:(2142):Node 3357871564, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Dec 20 02:39:26.762: ISAKMP:(2142):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Dec 20 02:39:26.794: ISAKMP (2142): received packet from xx.xx.xx.xx dport 500 sport 500 Global (I) QM_IDLE
    Dec 20 02:39:26.794: ISAKMP: set new node -419503660 to QM_IDLE
    Dec 20 02:39:26.794: ISAKMP:(2142): processing HASH payload. message ID = 3875463636
    Dec 20 02:39:26.794: ISAKMP:(2142): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 2561284360, message ID = 3875463636, sa = 0x87D0CFC8
    Dec 20 02:39:26.794: ISAKMP:(2142): deleting spi 2561284360 message ID = 3357871564
    Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -937095732 error TRUE reason "delete larval"
    Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -419503660 error FALSE reason "informational (in) state 1"
    Dec 20 02:39:26.794: ISAKMP:(2142):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Dec 20 02:39:26.794: ISAKMP:(2142):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Dec 20 02:39:46.798: ISAKMP:(2142):purging node -1177810765
    Dec 20 02:39:46.798: ISAKMP:(2142):purging node -138734109
    Dec 20 02:39:56.763: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
    Dec 20 02:39:56.763: IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= xx.xx.xx.xx:0, remote= xx.xx.xx.xx:0,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

    The config is as follows:

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address xx.xx.xx.xx
    !
    !
    crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile tech
     set transform-set vpnset
    !
    !
    crypto map my-map 20 ipsec-isakmp
     set peer xx.xx.xx.xx
     set transform-set vpnset
     match address 155

    Hello

    As for your question, you can have more than one crypto map on the interface.

    However, you can use the same crypto map for several policies. You can change my-map to vpnmap.
    In this way both are enabled on the same interface, with one having a higher priority than the other.

    So if a packet comes from inside, the first crypto ACL on the interface is checked, then the next, and so on. The first match found is chosen for the IPsec negotiation.

  • Adding a firewall to the FW MC which is located on the outside zone

    Hi all

    Is it possible to add a firewall to the FW MC that is located on the external interface of the firewall? If so, what commands do you need on the firewall?

    Thank you and best regards,

    Hello

    In principle it might be possible; what the VMS server (FW MC) needs is a communication channel to the target device, the outside firewall (EXTERNAL firewall).

    You can try the following to confirm.

    Your topology/flow is very probably as follows:

    inside intf:EXTERNAL Firewall:outside intf <-> INTERNET CLOUD <-> internet router <-> internet router <-> outside intf:PERIMETER Firewall:inside intf <-> VMS:FW MC

    A. For the EXTERNAL firewall, configure:

    1. Enable HTTPS & SSH access to/from the VMS server. Access to the VMS server must be via a public IP address that is mapped to the server on the PERIMETER firewall.

    2. Open HTTPS & SSH access (tcp 443 & 22). SSH may be optional, but you can enable it as well. HTTPS is required to communicate with the VMS server.

    http server enable

    http [VMS Svr public IP] 255.255.255.255 outside

    3. For SSH, generate a key for the firewall. The procedure is as follows:

    - set the hostname: "hostname abc123"

    - define the domain name: "domain-name xyz"

    - generate the key: "ca generate rsa key <modulus>". The modulus is 512, 768, 1024 or 2048.

    - save the key: "ca save all"

    B. For the PERIMETER firewall, configure:

    1. Statically map the VMS FW MC server to an external public IP address for firewall management traffic:

    static (inside,outside) xx.xx.xx.10 aa.aa.aa.50 netmask 255.255.255.255

    2. Open the ACLs on the external interface from the EXTERNAL firewall's public IP address to the VMS FW MC:

    access-list outside permit tcp host yy.yy.yy.100 host xx.xx.xx.10 eq https

    access-list outside permit tcp host yy.yy.yy.100 host xx.xx.xx.10 eq ssh

    access-group outside in interface outside

    * yy.yy.yy.100 is the EXTERNAL firewall's outside interface IP

    3. By default, with the VMS server statically configured with a public IP address, it should be able to reach the Internet. But if you have ACLs on the inside interface, you need to enable access to the EXTERNAL firewall via HTTPS and SSH (tcp 443 & 22).

    access-list inside permit tcp host xx.xx.xx.100 host yy.yy.yy.10 eq https

    access-list inside permit tcp host xx.xx.xx.100 host yy.yy.yy.10 eq ssh

    access-group inside in interface inside

    Also, enable/add ICMP on both outside & inside to test reachability between the two devices. If you have ACLs on the internet router, make sure that you allow both the EXTERNAL firewall and the VMS server to pass through.

    This is a purely theoretical setup. It may not work or may need some changes.

    Rgds,

    AK

  • Jdev 12.2.1: oracle.jbo.ExprSecurityException: JBO-25152: Calling the constructor for class oracle.jbo.server.SequenceImpl is not permitted.

    Hi experts,

    I've migrated a 12.1.3 project to 12.2.1 and I get this exception:

    oracle.jbo.JboException: JBO-29114 ADFContext is not setup to process messages for this exception. Use the exception stack trace and error code to investigate the root cause of this exception. Root cause error code is JBO-29000. Error message parameters are {0=org.codehaus.groovy.control.MultipleCompilationErrorsException, 1=startup failed:
    General error during semantic analysis: JBO-25152: Calling the constructor for class oracle.jbo.server.SequenceImpl is not permitted.
    
    
    oracle.jbo.ExprSecurityException: JBO-25152: Calling the constructor for class oracle.jbo.server.SequenceImpl is not permitted.
      at oracle.jbo.script.InternalSecurityPolicyEnforcer.checkConstructor(InternalSecurityPolicyEnforcer.java:308)
      at oracle.jbo.script.ExprASTScanningVisitor.visitConstructorCallExpression(ExprASTScanningVisitor.java:137)
      at org.codehaus.groovy.ast.expr.ConstructorCallExpression.visit(ConstructorCallExpression.java:44)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitListOfExpressions(CodeVisitorSupport.java:273)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitTupleExpression(CodeVisitorSupport.java:178)
      at org.codehaus.groovy.ast.expr.TupleExpression.visit(TupleExpression.java:76)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitMethodCallExpression(CodeVisitorSupport.java:131)
      at oracle.jbo.script.ExprASTScanningVisitor.visitMethodCallExpression(ExprASTScanningVisitor.java:152)
      at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:64)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitListOfExpressions(CodeVisitorSupport.java:273)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitTupleExpression(CodeVisitorSupport.java:178)
      at org.codehaus.groovy.ast.expr.TupleExpression.visit(TupleExpression.java:76)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitMethodCallExpression(CodeVisitorSupport.java:131)
      at oracle.jbo.script.ExprASTScanningVisitor.visitMethodCallExpression(ExprASTScanningVisitor.java:172)
      at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:64)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitExpressionStatement(CodeVisitorSupport.java:69)
      at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitExpressionStatement(ClassCodeVisitorSupport.java:193)
      at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
      at org.codehaus.groovy.ast.CodeVisitorSupport.visitBlockStatement(CodeVisitorSupport.java:35)
      at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitBlockStatement(ClassCodeVisitorSupport.java:163)
      at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
      at oracle.jbo.script.ExprASTScan.visit(ExprASTScan.java:77)
      at sun.reflect.GeneratedMethodAccessor445.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoCachedMethodSite.invoke(PojoMetaMethodSite.java:189)
      at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:45)
      at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:55)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120)
      at org.codehaus.groovy.control.customizers.ASTTransformationCustomizer.call(ASTTransformationCustomizer.groovy:292)
      at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1047)
      at org.codehaus.groovy.control.CompilationUnit.doPhaseOperation(CompilationUnit.java:583)
      at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:561)
      at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:538)
      at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:286)
      at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:259)
      at groovy.lang.GroovyShell.parseClass(GroovyShell.java:674)
      at groovy.lang.GroovyShell.parse(GroovyShell.java:686)
      at oracle.jbo.ExprEval$6.run(ExprEval.java:1699)
      at oracle.jbo.ExprEval$6.run(ExprEval.java:1696)
      at java.security.AccessController.doPrivileged(Native Method)
      at oracle.jbo.ExprEval.parse(ExprEval.java:1695)
      at oracle.jbo.ExprEval.parseScript(ExprEval.java:1631)
      at oracle.jbo.ExprEval.findScript(ExprEval.java:1235)
      at oracle.jbo.ExprEval.doEvaluate(ExprEval.java:2120)
      at oracle.jbo.ExprEval.evaluateForRow(ExprEval.java:1791)
      at oracle.jbo.ExprEval.evaluateForRow(ExprEval.java:1778)
      at oracle.jbo.server.ViewObjectImpl.createViewAccessorRS(ViewObjectImpl.java:18026)
      at oracle.jbo.server.ViewRowImpl.createViewAccessorRS(ViewRowImpl.java:2872)
      at oracle.adf.model.bean.DCDataRow.createViewAccessorRS(DCDataRow.java:452)
      at oracle.jbo.server.ViewRowImpl.createViewAccessorRS(ViewRowImpl.java:2880)
      at oracle.jbo.server.ViewRowStorage.getAttributeInternal(ViewRowStorage.java:2091)
      at oracle.jbo.server.ViewRowImpl.getAttributeValue(ViewRowImpl.java:2126)
      at oracle.jbo.server.ViewRowImpl.getAttributeInternal(ViewRowImpl.java:920)
      at oracle.jbo.server.ProgrammaticViewRowImpl.getAttributeInternalDelegation(ProgrammaticViewRowImpl.java:406)
      at oracle.adf.model.bean.DCDataRow.getAttributeInternal(DCDataRow.java:279)
      at oracle.adf.model.bean.DCCriteriaValueRowImpl.getAttributeInternal(DCCriteriaValueRowImpl.java:247)
      at oracle.jbo.server.ViewRowImpl.getAttrInvokeAccessor(ViewRowImpl.java:1008)
      at oracle.jbo.server.ViewRowImpl.getAttribute(ViewRowImpl.java:956)
      at oracle.jbo.server.ViewRowImpl.findOrCreateViewAccessorRS(ViewRowImpl.java:2813)
      at oracle.jbo.server.ViewRowImpl.getListBindingRSI(ViewRowImpl.java:2732)
      at oracle.adf.model.bean.DCCriteriaValueRowImpl.lookupListBinding(DCCriteriaValueRowImpl.java:79)
      at oracle.jbo.server.ApplicationModuleImpl.internalGetListBindingRSI(ApplicationModuleImpl.java:10032)
      at oracle.jbo.server.ApplicationModuleImpl.getListBindingRSI(ApplicationModuleImpl.java:10008)
      at oracle.adf.model.bc4j.DCJboDataControl.internalGetListRSI(DCJboDataControl.java:2526)
      at oracle.adf.model.bc4j.DCJboDataControl.getListBindingRSI(DCJboDataControl.java:2495)
      at oracle.jbo.uicli.binding.JUCtrlListBinding.initFromServerBinding(JUCtrlListBinding.java:639)
      at oracle.jbo.uicli.binding.JUSearchBindingCustomizer.findOrCreateLovBinding(JUSearchBindingCustomizer.java:1846)
      at oracle.adfinternal.view.faces.model.binding.FacesCtrlSearchBinding$AdfAttributeDescriptor._getInternalModel(FacesCtrlSearchBinding.java:4106)
      at oracle.adfinternal.view.faces.model.binding.FacesCtrlSearchBinding$AdfAttributeDescriptor.getModel(FacesCtrlSearchBinding.java:3949)
      at oracle.adfinternal.view.faces.renderkit.rich.table.TableFilterUtils.createfilterFieldFromAttributeCriterion(TableFilterUtils.java:73)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseColumnRenderer._renderModelDrivenFilterField(BaseColumnRenderer.java:2133)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseColumnRenderer._renderFilterField(BaseColumnRenderer.java:2094)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseColumnRenderer.renderColumnFilterCell(BaseColumnRenderer.java:1385)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseColumnRenderer.encodeAll(BaseColumnRenderer.java:169)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseTableRenderer.access$3300(BaseTableRenderer.java:80)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseTableRenderer$FlattenedColumnEncoder.processComponent(BaseTableRenderer.java:3273)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseTableRenderer$FlattenedColumnEncoder.processComponent(BaseTableRenderer.java:3240)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:198)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:330)
      at org.apache.myfaces.trinidad.component.UIXComponent.encodeFlattenedChildren(UIXComponent.java:295)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseTableRenderer.encodeFlattenedColumn(BaseTableRenderer.java:3019)
      at oracle.adfinternal.view.faces.renderkit.rich.table.BaseTableRenderer.encodeFlattenedColumn(BaseTableRenderer.java:3003)
      at oracle.adfinternal.view.faces.renderkit.rich.TableRenderer._renderFilterRow(TableRenderer.java:2756)
      at oracle.adfinternal.view.faces.renderkit.rich.TableRenderer._renderColumnHeaderTable(TableRenderer.java:2283)
      at oracle.adfinternal.view.faces.renderkit.rich.TableRenderer._renderColumnHeader(TableRenderer.java:2062)
      at oracle.adfinternal.view.faces.renderkit.rich.TableRenderer.encodeAll(TableRenderer.java:819)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at org.apache.myfaces.trinidad.component.UIXCollection.encodeEnd(UIXCollection.java:686)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeCenterFacet(PanelStretchLayoutRenderer.java:878)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeCenterPane(PanelStretchLayoutRenderer.java:1299)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeMiddlePanes(PanelStretchLayoutRenderer.java:350)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeAll(PanelStretchLayoutRenderer.java:315)
      at oracle.adf.view.rich.render.RichRenderer.delegateRenderer(RichRenderer.java:1906)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer.access$1200(PanelCollectionRenderer.java:100)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer$PanelCollectionHelper._renderStretchedContent(PanelCollectionRenderer.java:818)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer$PanelCollectionHelper._encodeAll(PanelCollectionRenderer.java:953)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer$PanelCollectionHelper.access$600(PanelCollectionRenderer.java:635)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer.encodeAll(PanelCollectionRenderer.java:496)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adf.view.rich.render.RichRenderer.encodeStretchedChild(RichRenderer.java:2417)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer.access$500(PanelHeaderRenderer.java:47)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer$ChildEncoderCallback.processComponent(PanelHeaderRenderer.java:1702)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer$ChildEncoderCallback.processComponent(PanelHeaderRenderer.java:1685)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:198)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:330)
      at org.apache.myfaces.trinidad.component.UIXComponent.encodeFlattenedChildren(UIXComponent.java:295)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer.renderChildrenAfterHelpAndInfo(PanelHeaderRenderer.java:733)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer._renderContentCell(PanelHeaderRenderer.java:1350)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer.renderContentRow(PanelHeaderRenderer.java:656)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelHeaderRenderer.encodeAll(PanelHeaderRenderer.java:325)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adf.view.rich.render.RichRenderer.encodeStretchedChild(RichRenderer.java:2417)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowDetailItemRenderer.access$500(ShowDetailItemRenderer.java:40)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowDetailItemRenderer$ChildEncoderCallback.processComponent(ShowDetailItemRenderer.java:663)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowDetailItemRenderer$ChildEncoderCallback.processComponent(ShowDetailItemRenderer.java:646)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:198)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:330)
      at org.apache.myfaces.trinidad.component.UIXComponent.encodeFlattenedChildren(UIXComponent.java:295)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowDetailItemRenderer._encodeChildren(ShowDetailItemRenderer.java:583)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowDetailItemRenderer.encodeAll(ShowDetailItemRenderer.java:127)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adf.view.rich.render.RichRenderer.encodeStretchedChild(RichRenderer.java:2417)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowOneContainerRenderer.access$600(ShowOneContainerRenderer.java:42)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowOneContainerRenderer$BodyEncoderCallback.processComponent(ShowOneContainerRenderer.java:471)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowOneContainerRenderer$BodyEncoderCallback.processComponent(ShowOneContainerRenderer.java:404)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:198)
      at org.apache.myfaces.trinidad.component.UIXComponent.processFlattenedChildren(UIXComponent.java:330)
      at org.apache.myfaces.trinidad.component.UIXComponent.encodeFlattenedChildren(UIXComponent.java:295)
      at oracle.adfinternal.view.faces.renderkit.rich.ShowOneContainerRenderer.encodeShowDetailItems(ShowOneContainerRenderer.java:361)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelTabBaseRenderer._renderTabBody(PanelTabBaseRenderer.java:949)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelTabBaseRenderer.encodeAll(PanelTabBaseRenderer.java:258)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeCenterFacet(PanelStretchLayoutRenderer.java:878)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeCenterPane(PanelStretchLayoutRenderer.java:1299)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeMiddlePanes(PanelStretchLayoutRenderer.java:350)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeAll(PanelStretchLayoutRenderer.java:315)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at oracle.adfinternal.view.faces.taglib.region.IncludeTag$FacetWrapper.encodeAll(IncludeTag.java:568)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeCenterFacet(PanelStretchLayoutRenderer.java:878)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeCenterPane(PanelStretchLayoutRenderer.java:1299)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer._encodeMiddlePanes(PanelStretchLayoutRenderer.java:350)
      at oracle.adfinternal.view.faces.renderkit.rich.PanelStretchLayoutRenderer.encodeAll(PanelStretchLayoutRenderer.java:315)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeAllChildren(CoreRenderer.java:677)
      at oracle.adf.view.rich.render.RichRenderer.encodeAllChildrenInContext(RichRenderer.java:3284)
      at oracle.adfinternal.view.faces.renderkit.rich.PageTemplateRenderer.encodeAll(PageTemplateRenderer.java:68)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeAllChildren(CoreRenderer.java:677)
      at oracle.adf.view.rich.render.RichRenderer.encodeAllChildrenInContext(RichRenderer.java:3284)
      at oracle.adfinternal.view.faces.renderkit.rich.FormRenderer.encodeAll(FormRenderer.java:275)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeChild(CoreRenderer.java:660)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeAllChildren(CoreRenderer.java:677)
      at oracle.adf.view.rich.render.RichRenderer.encodeAllChildrenInContext(RichRenderer.java:3284)
      at oracle.adfinternal.view.faces.renderkit.rich.DocumentRenderer.encodeAll(DocumentRenderer.java:1428)
      at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1650)
      at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:538)
      at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:1230)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
      at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1859)
      at oracle.adfinternal.view.faces.component.AdfViewRoot.encodeAll(AdfViewRoot.java:102)
      at com.sun.faces.application.view.JspViewHandlingStrategy.doRenderView(JspViewHandlingStrategy.java:431)
      at com.sun.faces.application.view.JspViewHandlingStrategy.renderView(JspViewHandlingStrategy.java:232)
      at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.renderView(ViewDeclarationLanguageWrapper.java:101)
      at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.renderView(ViewDeclarationLanguageWrapper.java:101)
      at org.apache.myfaces.trinidadinternal.application.ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper.renderView(ViewDeclarationLanguageFactoryImpl.java:338)
      at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:134)
      at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:337)
      at org.apache.myfaces.trinidadinternal.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:170)
      at oracle.adfinternal.view.faces.lifecycle.ResponseRenderManager.runRenderView(ResponseRenderManager.java:52)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:1228)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executeRenderResponse(LifecycleImpl.java:1040)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:332)
      at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:254)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:651)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:286)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:260)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:137)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:350)
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:194)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:105)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:529)
      at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:529)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:354)
      at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:232)
      at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:166)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:141)
      at java.security.AccessController.doPrivileged(Native Method)
      at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
      at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:649)
      at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:124)
      at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:232)
      at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:94)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:224)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:32)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3654)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3620)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
      at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:196)
      at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
      at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
      at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2423)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2280)
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2258)
      at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1626)
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1586)
      at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
      at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
      at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
      at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
      at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
      at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:617)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:397)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)
    
    
    1 error
    }
    

    In 2014, I created this thread with a similar problem: Jdev 12.1.3: JBO-25152: Calling the constructor for class oracle.jbo.server.SequenceImpl is not permitted (WITH HR TEST... )

    If it is the same issue, I would need a way to determine which EO is causing it, so I could change it to trustMode="trusted".


    The strange thing here is that the application worked fine before the migration.

    Kind regards

    Jose.

    I found the problem. I had oracle.jbo.server.SequenceImpl in the original version by mistake.

    Thank you for all your help.
