adjustment rule - how to allow internal pc ping external ip address?

I eventuall put in place the PIX501 and everything seems fine except the internal pc cannot ping the DNS server and the external ip address. Still exceeded demand. I allow all outbound icmp traffic and especially udp traffic. I have also allow a part of tcp traffic and reject all others. We have access to the internet but just when ping external IP and DNS, for example, when I ping www.google.com, it can resolve ip from google, but procrastination requst.

What are the rules that I set up to allow internal pc ping external ips?

See you soon

ICMP incoming via the PIX is denied and outgoing ICMP is allowed, but the incoming response is denied by default allowed both it as below:

access-list 200 permit icmp any any echo or echo-reply

Access-group 200 in external interface

Kind regards

Mehrdad Arshad Rad

Tags: Cisco Security

Similar Questions

  • How to allow access to the external network of VPN through PPTP

    Hi guys, this is probably a simple one, but I have not much firewall experience so any help is appreciated.

    We would like to have the opportunity to connect to a private network virtual to a company, we have recently acquired.  When you connect to it directly from the Internet (not), it is accessible.  However, behind our firewall, there is no access.  We use Cisco ASA 8.2 (2)

    Currently, we have an entry as follows:

    PPTP tcp service object-group

    EQ pptp Port object

    inside_access_in list extended access permit tcp any host object_name object-group PPTP

    Please can anyone advise what else are required to complete what I'm not sure of what else is needed?  Basically, we want any device within our network in order to access the VPN through PPTP.

    Your help is appreciated

    Kind regards

    Hi Angelo,.

    It should work when you make a pptp permitted and inspected. But will also Appreciate ACL with your firewall to the PPTP server.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith

    The above documents helps you better understand.

    Please assess whether the information provided is useful.

    By

    Knockaert

  • Cannot access internet or ping external site names

    I have a problem with a cisco asa 5505

    I'm unable to access the internet from any computer on the local network. I can access the network from outside, in fact I have rdp access to a server that has been installed with it. I can also ping external IP addresses, but no names. Here is the config. For any help or suggestion is appreciated. I'm starting to believe it's a DNS issue?

    : Saved
    :
    ASA Version 8.2 (5)
    !
    My - ASA host name
    domain monsite.fr
    activate the password * encrypted
    passwd * encrypted
    names of
    name description 192.168.10.x Srv - 192.168.10.x server
    name 97.7x.xxx.xx2 outdoor-home
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    192.168.10.x 255.255.255.0 IP address
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP outside-host 255.255.255.252
    !
    passive FTP mode
    clock timezone CST - 6
    clock to summer time recurring CDT
    DNS server-group DefaultDNS
    domain monsite.fr
    object-group service rdp tcp
    Description Office remotely
    EQ port 3389 object
    inside_access_in list extended access permit tcp any any eq 3389
    inside_access_in list extended access permit tcp any any eq www
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access udp allowed any any eq ntp
    outside_access_in list extended access permit tcp any any eq 3389
    outside_access_in list extended access permit icmp any any echo response
    pager lines 24
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 1 192.168.10.0 255.255.255.0
    static (inside, outside) interface tcp 3389 Prov-Srv - 192.168.10.9 3389 netmask 255.255.255.255
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 97.7x.xxx.xx1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Telnet 192.168.10.0 255.255.255.0 inside
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:eea8b18bfa5f73b832857913a77486d1
    : end

    you do not allow any DNS traffic leaving your network. Add the following and try again:

     access-list inside_access_in extended permit udp any any eq 53 access-list inside_access_in extended permit tcp any any eq 53

    In general, it was not necessary to allow DNS to the entire internet, only for the DNS servers used by your internal systems.

    Some other improvements to your config:

    (1) If you configure icmp-inspection, you can remove the ACE that allows to echo-replys unconditionally in your network:

     policy-map global_policy class inspection_default inspect icmp no access-list outside_access_in extended permit icmp any any echo-reply

    (2) the outside AS to WHAT RDP could focus a little bit more:

     access-list outside_access_in extended permit tcp any host 97.7x.xxx.xx2 eq 3389

  • Cisco ACS 5.3 - How only allow specific ad groups you want to connect

    Someone can help me to understand what I have wrong or missing?

    I have configured three specific AD groups, Admin, storage and HelpDesk, with their own sets of commands.

    It seems to work fine, but everyone can connect to any, but they can't do anything other than exit.

    My goal is to only allows don't not to open a session that is, do not part of the three AD groups that I've specified with the respective command sets.

    All connections to hit the Admin account, even if the id in the AD isn't in this ad group.  I've got something screwed up.

    Check your authorization rules, make sure that the default rule is not allowed. Group mapping is only the mapping of the internal groups of the ACS ad groups, we need to verify your authorization rules to see what strategies they users strike, you can reset the number of accesses and a test to see what policy is to allow access.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • How to allow my new iMac desktop computer to download previous purchases on the iTunes Store?

    How to allow my new iMac desktop computer to download previous purchases on the iTunes Store? I transferred all of my information from my old Mac Mini to my new iMac, retina 4K, 21.5 - inch desktop computer via my Apple, WiFi, and Migration Wizard. My complete music in iTunes library is available and visible, but when I try to play the music of the song or artist I have the following message: "You must allow this computer from the Store menu until you can download previous purchases."  I allowed off my old Mac Mini and an even more ancient PC of my iTunes account page.  Please notify.

    On your new machine > iTunes > main menu > account > permissions > authorize this computer?

  • How to allow access to all users of the connection on my computer?

    How to allow access to all users of the connection on my computer?

    Your question is hard to understand.  I interpret as:

    "How to allow all the users on my computer to access some files or folders?

    The answer depends somewhat on the question of whether you have XP Pro or XP Home, but a general answer is found the following article.

    "How to use file sharing Simple to share files in Windows XP"
      <>http://support.Microsoft.com/kb/304040 >

    Click on "level 3: files in shared documents available to local users"

    HTH,
    JW

  • How to allow only .gov Web sites on Windows XP using the installation of the broad-band

    How to allow websites .gov only on Windows XP. Use BSNL broadband. Made of internet sharing in LAN.

    Concerning

    Maton

    Hi Matt,

    This forum is for MSE who cannot restrict access of Web site you want.

    One of the possible methods that comes to mind uses the Parental http://www.windows-help-central.com/parental-controls-in-windows-xp.html may control with Windows Live Family Safety http://explore.live.com/windows-live-family-safety?os=other (according to the version of XP and whether or not you have a workgroup or domain LAN).  When you set up, allow *.gov, but reject all other types you can imagine (I don't think there is a way to allow only .gov, but you can exclude most if not all of the other busiest - check domain name registrars to get a list of options).  If you use a domain, way to go would be with a custom domain group policy to restrict access on all of the network (except perhaps the server or individuals of special category in Active Directory if you want).

    If that is not the case, and I think it might, please repost your question in the following forum to get the expert assistance you need: http://answers.microsoft.com/en-us/windows/forum/windows_xp-networking?page=1&tab=all.

    I hope this helps.

    Good luck!

  • How to allow access to a local area network behind the cisco vpn client

    Hi, my question is about how to allow access to a local area network behind the cisco vpn client

    With the help of:

    • Cisco 5500 Series Adaptive Security Appliance (ASA) that is running version 8.2 software
    • Cisco VPN Client version 5.0 software

    Cisco VPN client allows to inject a local routes in the routing table Cisco ASA?

    Thank you.

    Hi Vladimir,.

    Unfortunately this is not a supported feature if you connect through the VPN Client. With VPN Client, that the VPN Client can access the VPN Client LAN host/local machine, not host from the local network to business as customer VPN is not designed for access from the local company network, but to the local corporate network.

    If you want to access from your local business to your LAN network, you need to configure LAN-to-LAN tunnel.

  • How to allow a user to save a form completed (and now unmodifiable) created in Adobe Acrobat DC?

    How to allow a user to save their form to fill out (that I created in Adobe Acrobat DC) so that the fields are more editable when they return the form by e-mail?

    If you submit a script, ASP.net server (see example below), you can merge and/or "Flatten" the form of PDF with iTextSharp for .NET platforms. You can also flatten the PDF with iText JAVA platform. You can also create Adobe's JavaScript action button validate before submitting it to an email that goes through the fields, making them 'read-only '; but, the ReadOnly property can easily be retroconcu.

    Note: Submission to a script on the server also side bypasses software email client side and send the request using an SMTP account.

    See the #3 example:

    www.pdfemail.NET/examples/

  • How to allow multiple devices to my account from adobe digital editions?

    How to allow multiple devices to my account from adobe digital editions?

    Maximum, you can allow up to six devices. More information about the authorization of the device please refer to http://www.adobe.com/products/digital-editions/faq.html and

    Editions http://KB.Datalogics.com/articles/FAQ/FAQ-on-activations-in-Adobe-RMSDK-and-Adobe-Digital-? retURL = % 2Fapex % 2FknowledgeProduct %3 Fc % 3DActivation & popup = false & lang = en_US

  • How to allow connect to user only from specified ip addresses?

    Hello.
    How to allow connect to user only from specified ip addresses?
    For example,.
    User1 can connect only from 192.168.1.10
    User2 can only connect from 192.168.1.11
    and etc...
    Thank you.

    Web says:

    CREATE OR REPLACE TRIGGER "A1_AFTER_LOGON" AFTER LOGON ON DATABASE BEGIN
IF UPPER(SYS_CONTEXT('USERENV','IP_ADDRESS')) <> '192.168.1.10' THEN

HOW TO FORBID ACCESS ????

END IF;
END;
ALTER TRIGGER "A1_AFTER_LOGON" ENABLE

    How to deny access?

    Check the blog post that I've provided above

    RAISE_APPLICATION_ERROR(-20000, 'You don't have permission to login!');

  • How to add an external IP address to a split tunnel?

    Hello

    I've set up VPN access on my ASA box as customers use a split tunnel so that only on our internal network traffic through the tunnel. Now, I need to add an external IP address to this tunnel. Is this possible, and if so, how can I achieve that? Just add the address to the list of tunnel network does not; If I do this, the client cannot connect to the external address at all.

    Can anyone help?

    Cheers, Georg.

    Hello

    Will need to see some configurations.

    Usually incoming VPN traffic bypasses ACL interface. If you have the default setting, you will need to allow traffic to the pool/subnet VPN server. Unless of course the server already has a rule that allows traffic to a "some" source address.

    Also a likely problem may be your NAT configuration.

    The local IP address of the server the public IP address is included in the current NAT0 configurations for the VPN connection? If yes then which will probably cause problems for connections to its public IP address. Traffic could be abandoned due to a RPF NAT audit that basically checks the NAT that corresponds to the traffic in the opposite direction.

    Therefore to confirm the above things, or share configurations, then we can do it.

    To my knowledge by adding the address IP of the Split tunnel should naturally also be taken.

    EDIT: The number of the station 6000

    -Jouni

  • My ASA cannot ping the lan address

    I use ASA built ezvpn.   I can access the ASA and ping inside port address successfully.    But in my ping to the address of interconnection 10.100.255.2 window7 cant.     I don't know how to solve the problem.  If all goes well, can help me. Thank you...

    set it up

    ASA5520 # sh run

    : Saved

    :

    ASA Version 7.2 (3)

    !

    asa5520-host name

    sxng domain name

    activate the encrypted password of DOAXe2w/ilkXwCIz

    names of

    DNS-guard

    !

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    IP x.x.x.x 255.255.255.248

    !

    interface GigabitEthernet0/1

    nameif inside

    security-level 100

    IP 10.100.255.254 255.255.255.0

    !

    interface GigabitEthernet0/2

    nameif dmz

    security-level 50

    IP x.x.x.x 255.255.255.0

    !

    interface GigabitEthernet0/3

    nameif wireless

    security-level 10

    IP x.x.x.x 255.255.255.0

    !

    interface Management0/0

    Shutdown

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    management only

    !

    2KFQnbNIdI.2KYOU encrypted passwd

    Disk0: / pix723.bin starting system

    passive FTP mode

    DNS server-group DefaultDNS

    sxng domain name

    dmz_access_in of access allowed any ip an extended list

    dmz_access_in list extended access permit icmp any one

    tunnel of splitting allowed access list standard 10.0.0.0 255.0.0.0

    inside_nat0_outbound list of allowed ip extended access all 10.100.254.0 255.255.255.0

    inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.100.254.0 255.255.255.0

    outside_cryptomap_dyn_20 list of allowed ip extended access all 10.100.254.0 255.255.255.0

    acl_out list extended access permit icmp any one

    acl_out list extended access permit tcp any host x.x.x.x eq www

    acl_out list extended access permit tcp any host x.x.x.x eq 9000

    acl_out list extended access permit udp any host x.x.x.x eq 9000

    ........

    ......

    acl_out allowed ip extended access list any 10.1.1.0 255.255.255.0

    inside_access_in list extended access permitted tcp 10.1.10.0 255.255.255.0 any eq 5000

    acl_inside of access allowed any ip an extended list

    acl_inside list extended access permit icmp any one

    wireless_access_in of access allowed any ip an extended list

    wireless_access_in list extended access permit icmp any one

    pager lines 24

    Enable logging

    timestamp of the record

    emergency list vpn-event logging level

    log message 109001-109028 vpn-event list

    log message 113001-113019 vpn-event list

    exploitation forest-size of the buffer 5000

    information recording console

    debug logging in buffered memory

    recording of debug trap

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 dmz

    MTU 1500 wireless

    management of MTU 1500

    IP local pool vpnpool 10.100.254.1 - 10.100.254.250 mask 255.255.255.0

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow all outside

    ICMP allow any inside

    ASDM image disk0: / asdm - 507.bin

    don't allow no asdm history

    ARP timeout 14400

    Global (outside) 1 x.x.x.x

    Global (dmz) 1 10.100.253.101 - 10.100.253.200 netmask 255.255.255.0

    Global (wireless) 1 172.16.255.101 - 172.16.255.200 netmask 255.255.255.0

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 10.1.1.14 255.255.255.255

    NAT (inside) 1 10.1.13.100 255.255.255.255

    NAT (wireless) 1 172.16.0.0 255.255.0.0

    static (dmz, outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255

    .......

    .........

    static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255

    static (inside, dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255

    static (dmz, external) 10.100.253.20 x.x.x.x 255.255.255.255 netmask

    static (dmz, external) 10.100.253.32 x.x.x.x 255.255.255.255 netmask

    Access-group acl_out in interface outside

    acl_inside access to the interface inside group

    Access-group interface inside acl_inside

    Access-group dmz_access_in in dmz interface

    Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

    Route inside 10.0.0.0 255.0.0.0 10.100.255.1 1

    Route inside 10.0.0.0 255.0.0.0 10.100.255.2 1

    Route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1

    !

    router ospf 1

    255.255.255.255 network 10.67.180.0 area 0

    network 0.0.0.0 0.0.0.0 area 1

    Journal-adj-changes

    !

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.1.0 255.255.255.0 management

    http 10.0.0.0 255.0.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    Crypto outside-dyn-map Dynamics-plan 20 reverse-drive value

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Crypto isakmp nat-traversal 20

    Telnet 0.0.0.0 0.0.0.0 outdoors

    Telnet 10.0.0.0 255.0.0.0 inside

    Telnet 10.100.0.0 255.255.0.0 inside

    Telnet 10.100.255.0 255.255.255.0 inside

    Telnet 0.0.0.0 0.0.0.0 wireless

    Telnet timeout 10

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH timeout 30

    Console timeout 0

    dhcpd x.x.x.x dns

    !

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    Policy-map global_policy

    class inspection_default

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    inspect the icmp

    !

    global service-policy global_policy

    internal sxnggroup group policy

    attributes of the strategy of group sxnggroup

    value of server DNS 202.99.192.68

    enable IP-comp

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    username password sxtrq Y6cwK1wOhbhJ6YI / encrypted

    maboai R6eu6P1iKIwFIFjS username encrypted password

    winet FwZ0ghxvIpXOepvf username encrypted password

    tunnel-group sxnggroup type ipsec-ra

    tunnel-group sxnggroup General-attributes

    address vpnpool pool

    Group Policy - by default-sxnggroup

    sxnggroup group of tunnel ipsec-attributes

    pre-shared-key *.

    context of prompt hostname

    Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7

    : end

    ASA5520 # route sh

    Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

    D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

    N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

    E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

    i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

    * - candidate by default, U - static route by user, o - ODR

    P periodical downloaded static route

    Gateway of last resort is 202.97.158.177 to network 0.0.0.0

    C x.x.x.x 255.255.255.248 is directly connected to the outside of the

    C 172.16.255.0 255.255.255.0 is directly connected, wireless

    S 172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless

    S 10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside

    [1/0] via 10.100.255.2, inside

    C 10.100.255.0 255.255.255.0 is directly connected to the inside

    S 10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outdoor

    C 10.100.253.0 255.255.255.0 is directly connected, dmz

    S * 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outdoor

    ASA5520 # sh arp

    outside 00d0.d0c6.9181 x.x.x.x

    outside 00d0.d0c6.9181 x.x.x.x

    outside 224.0.0.5 0100.5e00.0005

    inside 224.0.0.5 0100.5e00.0005

    inside the 10.100.255.1 0000.0c07.acff

    inside the 10.100.255.2 001c.b0cb.5ec0

    DMZ 10.100.253.20 60a4.4c23.3032

    DMZ 224.0.0.5 0100.5e00.0005

    DMZ 10.100.253.1 001a.6436.6df6

    224.0.0.5 wireless 0100.5e00.0005

    Wireless 172.16.255.1 0026.98c6.41c8

    Try to use the "crypto ipsec to show his ' command to watch the program and decaps packages, I hope this isn't too fast increment. You should be able to see the two increase when you successfully and only one side increase when it fails. Check both sides of the vpn, and this should give you an idea where the problem is. If the program packages are multiplying on the ASA local to your PC Win7 and Decaps multiply on the ASA Remote and the program is not so, then the question is with packets from the remote side. I hope this will help you determine the location of the problem and then you can focus your search here.

  • LRT224 redirection port internal port different external

    Port forwarding seems to work flawlessly - but I need to route allows you to say external port 940 to internal port 1005.

    On most routers, you choose this in the "service" module or the module "port forward" - but I can't seem to find anything to indicate that the IP address is internal.

    How to do this?

    / Ulrik

    Click management services under Configuration > Configuration > Port Address Translation.

  • How my HP8620 come with one e-mail address? How can it be reversed and deleted

    I don't want an e-mail addreww for my printer how the ILO can be removed...

    Hello

    The printer email address is for ePrint, if you do not want to use ePrint you can access your connected HP account and don't allow you to send to her address, then no one can send anything to it. You need a day.

    Kind regards.

Maybe you are looking for