Auditing (FGA) of a "procedure" action.

Hi all!

I'm putting fine-grained auditing (FGA) in place in our test database.

I did it for all the tables, no problem.

But I can't work out how to do it for procedures. I want to audit the procedures and packages in our database, to get information on the ones executed by our application.

Does anyone know how to set up auditing of a procedure/package?

--------------------------
This is the syntax for implementing auditing on a table:

EXEC DBMS_FGA.ADD_POLICY(
  object_schema   => 'TRA',
  object_name     => 'PERS',
  policy_name     => 'PERS',
  statement_types => 'SELECT, INSERT, UPDATE, DELETE');

Try with: AUDIT EXECUTE ON procedure_name BY SESSION
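A worked version of the two mechanisms named in this thread, added here as an example and not part of the original answer. It assumes the schema and table from the answer (TRA.PERS), a hypothetical package TRA.PKG_APP and procedure TRA.PRC_LOAD, a hypothetical SALARY column, and an 11g/12c database using traditional (non-unified) auditing with AUDIT_TRAIL set to DB or DB,EXTENDED. DBMS_FGA policies can only be attached to tables and views, which is why the procedure side has to use standard object auditing of the EXECUTE privilege; the two mechanisms write to different views, so both are queried at the end.

```sql
-- Added example (not from the thread). Assumed objects: TRA.PERS (table, from the
-- answer), TRA.PKG_APP (hypothetical package), TRA.PRC_LOAD (hypothetical procedure),
-- TRA.PERS.SALARY (hypothetical column).

-- 1. FGA on the table, as in the answer, but narrowed with audit_condition and
--    audit_column so only statements touching the sensitive column are recorded,
--    and DB_EXTENDED so the SQL text and bind values are kept with the record.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'TRA',
    object_name     => 'PERS',
    policy_name     => 'PERS_SALARY_ACCESS',
    audit_condition => 'SALARY > 0',
    audit_column    => 'SALARY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- 2. Procedures and packages: FGA does not apply to them, so audit the EXECUTE
--    privilege on the object. BY ACCESS gives one record per call.
AUDIT EXECUTE ON tra.pkg_app  BY ACCESS;
AUDIT EXECUTE ON tra.prc_load BY ACCESS WHENEVER NOT SUCCESSFUL;  -- failed calls only

-- 3. Check what is in force. EXE shows the success/failure setting:
--    A/A = by access, S/S = by session, -/- = not audited.
SELECT owner, object_name, object_type, exe
  FROM dba_obj_audit_opts
 WHERE owner = 'TRA';

SELECT policy_name, object_name, enabled, audit_trail
  FROM dba_audit_policies
 WHERE object_schema = 'TRA';

-- 4. Read the results. FGA records land in FGA_LOG$ (DBA_FGA_AUDIT_TRAIL),
--    standard audit records in AUD$ (DBA_AUDIT_TRAIL, action 'EXECUTE PROCEDURE');
--    DBA_COMMON_AUDIT_TRAIL unions both for a single review query.
SELECT db_user, os_user, userhost, timestamp, object_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PERS_SALARY_ACCESS'
 ORDER BY timestamp DESC;

SELECT username, os_username, userhost, timestamp, owner, obj_name, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'TRA' AND action_name LIKE 'EXECUTE%'
 ORDER BY timestamp DESC;

SELECT audit_type, db_user, object_schema, object_name, statement_type, extended_timestamp
  FROM dba_common_audit_trail
 WHERE object_schema = 'TRA'
 ORDER BY extended_timestamp DESC;
```

The EXECUTE records tell you who called which package and when, with the return code; they do not contain the arguments. If the call's parameters matter, the FGA policy on the table the package writes to (with DB_EXTENDED) is what captures the bind values.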

Tags: Database

Similar Questions

  • Audit logon in 12 c

    Hello

I'm trying to audit the logon and logoff actions and can't seem to get logons audited. Any idea what I'm doing wrong?

    SQL> select * from v$version;

    BANNER                                                                               CON_ID
    -------------------------------------------------------------------------------- ----------
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production              0
    PL/SQL Release 12.1.0.2.0 - Production                                                    0
    CORE    12.1.0.2.0      Production                                                        0
    TNS for Solaris: Version 12.1.0.2.0 - Production                                          0
    NLSRTL Version 12.1.0.2.0 - Production                                                    0

    SQL> select * from v$option where parameter = 'Unified Auditing';

    PARAMETER                                                        VALUE           CON_ID
    ---------------------------------------------------------------- ----------- ----------
    Unified Auditing                                                 TRUE                 0

    SQL> select parameter_value from dba_audit_mgmt_config_params where parameter_name = 'AUDIT WRITE MODE';

    PARAMETER_VALUE
    --------------------------------------------------
    IMMEDIATE WRITE MODE

    SQL> select * from audit_unified_enabled_policies order by user_name;

    no rows selected

    SQL> create audit policy TESTPOL1 actions logon, logoff, alter session;

    Audit policy created.

    SQL> audit policy TESTPOL1;

    Audit succeeded.

    SQL> select * from audit_unified_enabled_policies order by user_name;

    USER_NAME       POLICY_NAME     ENABLED_ SUC FAI
    --------------- --------------- -------- --- ---
    ALL USERS       TESTPOL1        BY       YES YES

    SQL> select audit_type, event_timestamp, object_name, action_name from unified_audit_trail order by event_timestamp desc;

    AUDIT_TYPE           EVENT_TIMESTAMP                     OBJECT_NAME                    ACTION_NAME
    -------------------- ----------------------------------- ------------------------------ -----------------------------------
    Standard             15.10.15 16:00:09.837162            TESTPOL1                       AUDIT
    Standard             15.10.15 16:00:00.666653            TESTPOL1                       CREATE AUDIT POLICY
    Standard             15.10.15 15:36:53.721245            DBMS_AUDIT_MGMT                EXECUTE
    Standard             15.10.15 15:27:24.341884            DBMS_AUDIT_MGMT                EXECUTE
    Standard             15.10.15 15:27:01.204268            DBMS_AUDIT_MGMT                EXECUTE
    Standard             07.10.15 16:51:34.513567                                           LOGOFF BY CLEANUP

    8 rows selected.

    SQL>

    ... I connect to the database and change my session:

    Test1$ > sqlplus user3

    SQL*Plus: Release 12.1.0.2.0 Production on Thu Oct 15 14:01:41 2015

    Copyright (c) 1982, 2014, Oracle.  All rights reserved.

    Enter password:
    Last Successful login time: Thu Oct 15 2015 13:07:25 +02:00

    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
    and Unified Auditing options

    SQL> alter session set nls_date_format = 'yyyy.mm.dd';

    Session altered.

    SQL> quit
    Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
    and Unified Auditing options
    Test1$ >

    ... then check the audit trail:

    SQL> /

    AUDIT_TYPE           EVENT_TIMESTAMP                     OBJECT_NAME                    ACTION_NAME
    -------------------- ----------------------------------- ------------------------------ ----------------------
    Standard             15.10.15 16:01:54.446279                                           LOGOFF
    Standard             15.10.15 16:01:50.378333                                           ALTER SESSION
    Standard             15.10.15 16:01:44.714527                                           ALTER SESSION
    Standard             15.10.15 16:00:09.837162            TESTPOL1                       AUDIT
    Standard             15.10.15 16:00:00.666653            TESTPOL1                       CREATE AUDIT POLICY
    Standard             15.10.15 15:36:53.721245            DBMS_AUDIT_MGMT                EXECUTE
    Standard             15.10.15 15:27:24.341884            DBMS_AUDIT_MGMT                EXECUTE
    Standard             15.10.15 15:27:01.204268            DBMS_AUDIT_MGMT                EXECUTE
    Standard             07.10.15 16:51:34.513567                                           LOGOFF BY CLEANUP

    11 rows selected.

    SQL>

    Where is the logon event?

    Thank you

    Julius

    Bug 19383839. Patches are available for download.
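    The same logon/logoff policy carried through to the queries a reviewer actually wants, added here as an example and not part of the original thread. It assumes Oracle 12.1 with Unified Auditing enabled (as the poster's v$option output shows) and a session with the AUDIT_ADMIN role; the policy name TESTPOL1 is the poster's, everything else is constructed.

    ```sql
    -- Added example (not from the thread). Assumes 12.1, Unified Auditing on,
    -- run by a user holding AUDIT_ADMIN. Policy name TESTPOL1 is the poster's.

    -- A policy that records only session start and end (ALTER SESSION left out).
    CREATE AUDIT POLICY testpol1 ACTIONS LOGON, LOGOFF;

    -- Without a WHENEVER clause the policy records both successful and failed
    -- actions; the failed logons are the half worth alerting on.
    AUDIT POLICY testpol1;

    -- Confirm it is enabled and for whom (ALL USERS when no BY clause was given).
    SELECT user_name, policy_name, enabled_opt, success, failure
      FROM audit_unified_enabled_policies
     WHERE policy_name = 'TESTPOL1';

    -- In QUEUED WRITE MODE records sit in SGA queues until they are flushed;
    -- force them out before concluding that an event was not captured.
    EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

    -- Look for session events only. RETURN_CODE 0 is success; 1017 (ORA-01017,
    -- invalid username/password) on a LOGON row is a failed authentication.
    SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
           action_name, return_code
      FROM unified_audit_trail
     WHERE action_name IN ('LOGON', 'LOGOFF', 'LOGOFF BY CLEANUP')
     ORDER BY event_timestamp DESC;

    -- Failed logons per account over the last day: a cheap password-guessing check.
    SELECT dbusername, userhost, COUNT(*) AS failed_logons
      FROM unified_audit_trail
     WHERE action_name = 'LOGON'
       AND return_code <> 0
       AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
     GROUP BY dbusername, userhost
     ORDER BY failed_logons DESC;
    ```

    If the LOGON rows are still absent after the flush, while LOGOFF and ALTER SESSION rows from the same session are present, the policy and write mode are not the problem, which is the situation the poster describes.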

  • The auditing auditor

    Hi all

    11.2.0.3

    I want to audit all actions by the users "sys" and "system" and all other users with DBA privileges. Above all, the action when they delete from or truncate the SYS.AUD$ table.

    I read in the docs that they are audited by default? Is truncating SYS.AUD$ included? Is there a simple command for this?

    Thank you very much

    zxy

    I think that auditing is configured by default in 11g if you use the DBCA wizard to create the database. If you create the database manually, I think you will discover that you must set the audit rules yourself. If you are upgrading an existing database in place, I would expect the same audit rules you had on your old system to still be in force.

    HTH - Mark D Powell.

  • RAW - the procedure input parameter data type

    Hello

    I created a procedure (pasted below). I get an error on execution; please help me overcome it.

    BEGIN
      log('6B6C6D', '06-Aug-12', 'COM.TESt', 'OH', 'TUE', 'NOTRANSACT', '<ACORD><SignonRq>', '000000E0LN1D000029FNSRRGTest', '000009N1D000029FNJ9OITest');
    END;

    ERROR

    Error report:
    ORA-06550: line 3, column 1:
    PLS-00306: wrong number or types of arguments in the call to the 'LOG '.
    ORA-06550: line 3, column 1:
    PL/SQL: Statement ignored
    06550 00000 - "line %s, column % s:\n%s".
    * Cause: Usually a PL/SQL compilation error.
    * Action:


    /************************ Procedure *************************/

    create or replace PROCEDURE log
    /* Object: StoredProcedure [dbo].[LogTransactionBegin] Script Date: 06/07/2012 05:37:06 */
    (
      v_GUID       IN RAW       DEFAULT NULL,
      v_STRT_TM    IN TIMESTAMP DEFAULT NULL,
      v_PRTN_NM    IN VARCHAR2  DEFAULT NULL,
      v_ST_CD      IN CHAR      DEFAULT NULL,
      v_LN_OF_BUS  IN VARCHAR2  DEFAULT NULL,
      v_TRN_TYP    IN VARCHAR2  DEFAULT NULL,
      v_REQ_XML    IN XMLTYPE   DEFAULT NULL,
      v_INNR_RQUID IN VARCHAR2  DEFAULT NULL,
      v_OUTR_RQUID IN VARCHAR2  DEFAULT NULL
    )
    AS
    BEGIN
      INSERT INTO trn_log
        (GIRO_TRN_LOG_ID, STRT_TM, PRTN_NM, ST_CD, LN_OF_BUS, TRN_TYP, REQ_XML, INNR_RQUID, OUTR_RQUID)
      VALUES
        (v_GUID, v_STRT_TM, v_PRTN_NM, v_ST_CD, v_LN_OF_BUS, v_TRN_TYP, v_REQ_XML, v_INNR_RQUID, v_OUTR_RQUID);
    END;

    Please see the following commented lines:

    BEGIN
    
      Log(
        '6B6C6D'                       -- this is not a RAW
      , '06-Aug-12'                    -- this is not a TIMESTAMP
      , 'COM.TESt'
      , 'OH'
      , 'AUT'
      , 'NOTRANSACT'
      , ''            -- this is not an XMLType (not even valid XML)
      , '000000E0LN1D000029FNSRRGTest'
      , '000009N1D000029FNJ9OITest'
      );
    
    END;
    

    Use the correct data types and their constructors (where necessary).
    For example, you can build a RAW from a string with the HEXTORAW() function. An XMLType can be built with the XMLType() constructor or the XMLParse() function, etc.
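    The same call written with each argument built as the type the procedure declares, added here as an example and not part of the original answer. It assumes the LOG procedure and TRN_LOG table from the question exist unchanged; the XML payload and the 'AUT' value are constructed. Named notation ties each value to a parameter, so a misplaced or extra argument is reported at compile time instead of as a PLS-00306 at the first run.

    ```sql
    -- Added example (not from the thread). Assumes the poster's LOG procedure as declared.
    BEGIN
      log(
        v_GUID       => HEXTORAW('6B6C6D'),                       -- RAW from a hex string
        v_STRT_TM    => TO_TIMESTAMP('06-Aug-12', 'DD-Mon-RR'),   -- explicit mask, no NLS dependency
        v_PRTN_NM    => 'COM.TESt',
        v_ST_CD      => 'OH',
        v_LN_OF_BUS  => 'AUT',
        v_TRN_TYP    => 'NOTRANSACT',
        v_REQ_XML    => XMLTYPE('<ACORD><SignonRq/></ACORD>'),    -- must be well-formed; XMLTYPE() raises otherwise
        v_INNR_RQUID => '000000E0LN1D000029FNSRRGTest',
        v_OUTR_RQUID => '000009N1D000029FNJ9OITest');
    END;
    /

    -- For a real GUID column, generate the RAW(16) in the database rather than
    -- passing hand-typed hex; the remaining parameters take their NULL defaults.
    BEGIN
      log(v_GUID    => SYS_GUID(),
          v_STRT_TM => SYSTIMESTAMP,
          v_PRTN_NM => 'COM.TESt');
    END;
    /
    ```

    HEXTORAW rejects odd-length or non-hex input and XMLTYPE rejects malformed XML, so type errors in the caller surface as an ORA error at the call site rather than as bad data in TRN_LOG.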

  • Establishment of audit for DB production

    Hello

    I need to have Oracle auditing put in place for the production database. All DML and DDL are required to be audited against the application schema.

    It is therefore a fairly general audit. Does anyone have a script I can use for this?

    Can I exclude the generic application user's connection from the application to the database server from being audited, and have the real end user recorded instead?

    Thank you

    Given that you want to audit SELECT statements, you would need fine-grained auditing (FGA).

    Since you need to capture the actual data, you may want to use FGA for the other DML statements too. That will only capture the bind variable values, however; it will generally not allow you to trace the history of a particular row. If you need that kind of history, your options are to write triggers that store historical data in history tables, to use something like Oracle Total Recall, or to use Oracle Workspace Manager.

    Since you want the audit trail to use the real end user rather than a shared Oracle user account, the best option would be to use proxy authentication.

    Justin
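    The proxy-authentication approach from this answer carried through to the audit options that use it, added here as an example and not part of the original thread. All names are hypothetical: APP_POOL is the account the application's connection pool authenticates as, ALICE is a real end user with her own database account, and APP_OWNER owns the application schema. It assumes traditional auditing with AUDIT_TRAIL=DB,EXTENDED; the FGA side for SELECT is the same DBMS_FGA.ADD_POLICY call shown earlier on this page and is not repeated.

    ```sql
    -- Added example (not from the thread). Hypothetical accounts: APP_POOL (pool account),
    -- ALICE (end user), APP_OWNER (application schema). AUDIT_TRAIL=DB,EXTENDED assumed.

    -- 1. Let the pool account open sessions on behalf of named users without holding
    --    their passwords. ALICE keeps her own privileges; APP_POOL needs only CREATE SESSION.
    ALTER USER alice GRANT CONNECT THROUGH app_pool;
    -- The application then opens a proxy session; in SQL*Plus the equivalent is
    --   CONNECT app_pool[alice]/<app_pool password>

    -- 2. DML on tables, recorded against the end user, but only for sessions that
    --    came in through the pool account (the proxy clause).
    AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
       BY app_pool ON BEHALF OF ANY
       BY ACCESS;

    -- 3. DDL against the schema: statement-level options, all users, one record per statement.
    AUDIT TABLE, PROCEDURE, INDEX, TRIGGER, VIEW, SEQUENCE, SYNONYM BY ACCESS;
    AUDIT ALTER TABLE, ALTER PROCEDURE, GRANT TABLE, GRANT PROCEDURE BY ACCESS;

    -- 4. Review. USERNAME is the end user (ALICE); PROXY_SESSIONID identifies the
    --    APP_POOL session that carried her, so a shared-account session can still
    --    be tied back to a person. Restrict to the application schema's objects.
    SELECT timestamp, username, proxy_sessionid, os_username, userhost,
           action_name, owner, obj_name, returncode, sql_text
      FROM dba_audit_trail
     WHERE owner = 'APP_OWNER'
     ORDER BY timestamp DESC;

    -- 5. Which proxy relationships exist (review this list periodically).
    SELECT proxy, client, authentication, flags FROM dba_proxies ORDER BY proxy, client;
    ```

    The ON BEHALF OF clause is what answers the "exclude the generic application user" part of the question: direct logins by APP_POOL itself are not what the options above record, while every statement executed through it on behalf of a named user is.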

  • Need help with regard to the audit

    Hi all
    I'm trying to audit the actions of users who access the database, i.e. the queries I get from users. In the sqltext column of the sys.aud$ table I get entries. But the problem is I'm not getting queries like

    select employee_id from system.employee; (i.e. queries that select specific columns)

    but it does audit queries like

    select * from system.employee;
    select count(*) from system.employee;
    select count(*) from system.employee, system.department;

    Please help me with this...
    Thanx

    Hello

    As Justin says: maybe you first want to work on the correct schema.
    The SYS and SYSTEM schemas are not "playgrounds".
    Oracle strongly discourages creating or modifying objects in these schemas.

    Edited by: hoek on Nov 4, 2009 16:34 (typo)

  • Audit of the Oracle

    Hello

    I'm reviewing an Oracle DB and I found that AUDIT_SYS_OPERATIONS and AUDIT_TRAIL are not enabled. Is it possible that they have implemented some kind of auditing with system triggers instead?

    Thank you very much and good day?

    >
    I'm reviewing an Oracle DB and I found that AUDIT_SYS_OPERATIONS and AUDIT_TRAIL are not enabled. Is it possible that they have implemented some kind of auditing with system triggers instead?
    >

    AUDIT_SYS_OPERATIONS is meant to audit the actions of the superuser SYS. You can have all the actions of SYS stored in a file owned by root, so that the DBA cannot alter or delete it, if that responsibility is separated from OS administration.

    A trigger can be controlled by SYS, which defeats the purpose of auditing SYS. A trigger could be used to audit ordinary users, however. But it is probably better and easier to use standard auditing for that, which is enabled with the AUDIT_TRAIL parameter.

    Kind regards
    Uwe

    http://uhesse.WordPress.com
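    The checks and settings discussed in this thread and in "The auditing auditor" above (SYS auditing, the AUDIT_TRAIL parameter, and watching SYS.AUD$ itself), added here as one example and not part of either thread. It assumes an 11.2 database with traditional auditing, a SYSDBA session, and a restart window: both parameters are static.

    ```sql
    -- Added example (not from either thread). Assumes 11.2, traditional auditing,
    -- run AS SYSDBA. Both parameters are static, so the restart at the end is required.

    -- 1. Current state: the reviewer's first check.
    SELECT name, value
      FROM v$parameter
     WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest', 'audit_syslog_level');

    -- 2. SYS auditing: every statement run with SYSDBA/SYSOPER goes to OS files in
    --    AUDIT_FILE_DEST (or to syslog, see below), not into AUD$. Owned by root and
    --    out of the DBA's reach only if OS administration is a separate role.
    ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

    -- DB,EXTENDED writes ordinary users' records to SYS.AUD$ with SQL text and binds.
    ALTER SYSTEM SET audit_trail = db,extended SCOPE = SPFILE;

    -- Syslog variant, when the records must leave the database host entirely
    -- (requires audit_trail=OS):
    -- ALTER SYSTEM SET audit_trail = os SCOPE = SPFILE;
    -- ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

    -- 3. Watch the trail itself. Object options cover DML on AUD$ by non-SYS users;
    --    TRUNCATE TABLE is a statement covered by the TABLE option.
    AUDIT ALL ON sys.aud$ BY ACCESS;
    AUDIT TABLE BY ACCESS;

    -- Privileged non-SYS accounts: record everything SYSTEM does, statements and privileges.
    AUDIT ALL BY system BY ACCESS;
    AUDIT ALL PRIVILEGES BY system BY ACCESS;

    -- 4. What this database audits with no user restriction (a DBCA-created 11g
    --    database has a default set here; an empty result means it was set up manually).
    SELECT audit_option, success, failure FROM dba_stmt_audit_opts WHERE user_name IS NULL ORDER BY 1;
    SELECT privilege,    success, failure FROM dba_priv_audit_opts WHERE user_name IS NULL ORDER BY 1;

    -- 5. Confirm the AUD$ options and review who touched the trail.
    SELECT owner, object_name, sel, ins, upd, del, alt
      FROM dba_obj_audit_opts
     WHERE owner = 'SYS' AND object_name = 'AUD$';

    SELECT timestamp, username, os_username, userhost, action_name, obj_name, returncode
      FROM dba_audit_trail
     WHERE obj_name = 'AUD$' OR action_name = 'TRUNCATE TABLE'
     ORDER BY timestamp DESC;

    SHUTDOWN IMMEDIATE
    STARTUP
    ```

    A delete or truncate of AUD$ performed by SYS will not appear in the last query, because SYS's own records never go to AUD$; that is exactly the case AUDIT_SYS_OPERATIONS and a root-owned AUDIT_FILE_DEST (or syslog) exist for.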

  • Cannot access ASDM on 5505

    I'm new to the forum/discussions, so forgive me if this has already been posted. I read through various posts and followed the troubleshooting in them, but I still cannot access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52, which is listed as compatible with ASA 8.2(1). I am on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. The FW is passing traffic and everything else works fine. Please advise. Thank you.

    JEREMY-ASA# show ver

    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 7.1(1)52

    JEREMY-ASA# show run asdm
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable

    JEREMY-ASA# show run http
    http server enable
    http 192.168.1.0 255.255.255.0 inside

    JEREMY-ASA# show run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname JEREMY-ASA
    enable password OMIT encrypted
    passwd OMIT encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 134.121.11.153 255.255.248.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    banner exec OMIT BANNER STATEMENTS
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit intra-interface
    access-list outside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging asdm-buffer-size 250
    logging trap informational
    logging asdm informational
    logging device-id ipaddress outside
    logging host outside OMIT
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip audit attack action drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.1.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 10
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server FAILED
    ssl encryption des-sha1
    webvpn
    username OMITTED password OMIT encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    crashinfo console disable
    Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
    : end

    It is probably this line:

    ssl encryption des-sha1

    This weak cipher is not compatible with most modern browsers or with the current Java releases that ASDM depends on. Try adding a cipher, for example:

    ssl encryption des-sha1 aes256-sha1

    Make sure that you have 3DES/AES activated first ('show version' or 'show activation-key' will confirm the feature license is active).

  • Help the Site VPN Site PIX 501

    Hello

    I'm pretty new to PIX firewalls, so I hope someone here can help me.

    I have two PIXes and am trying to create a VPN between them. I have posted the configs below.

    The problem is that I can ping PIX TWO from PIX ONE, but I can't ping the servers behind PIX TWO. From PIX TWO, I cannot ping PIX ONE or any of the servers behind it.

    Any advice would be appreciated.

    Thank you

    PIX 1

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname TMAXWALES
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_outbound_nat0_acl permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.198.139 255.255.255.248
    ip address inside 192.168.254.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.254.10 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.254.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer *.*.198.138
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address *.*.198.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    terminal width 80

    PIX 2

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname tmaxbangor
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.198.138 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.84.7.111 255.255.255.255 inside
    http 192.168.1.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer *.*.198.139
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address *.*.198.139 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 50
    ssh timeout 5
    terminal width 80

    Can't see anything obviously wrong with the configs. You have these connected back to back on the same subnet, it looks like, even though you have xxx'd out the IP addresses? If so it may be a routing problem, in that they send everything to the default gateway of xxx.x.198.137 rather than to each other.

    Try adding a static route to the remote subnet on each PIX that points directly to the peer, so on PIX1 you should have:

    route outside 192.168.1.0 255.255.255.0 xxx.x.198.138

    and on PIX2:

    route outside 192.168.254.0 255.255.255.0 xxx.x.198.139

    and see if that makes a difference. Note that you wouldn't encounter this problem when the two PIXes are on separate networks and use the default gateway for all routing decisions.

    If this still fails, run 'debug cryp isa' and 'debug cry ipsec' on both PIXes while trying to bring the tunnel up again, and send us the output.

    Also, make sure in your tests that you're pinging from a host behind one PIX to a host behind the other PIX; pinging PIX to PIX, or host to PIX, won't test your VPN connection.

  • VPN PPTP and PPPOE CLIENT ON PIX 501

    Hello

    Can I create a PPTP VPN client connection on a PIX 501 alongside a PPPoE client connection to my ISP? The PPPoE IP is dynamic and the VPN will have a static IP address. They gave me a username and password for the VPN and for PPPoE. They also gave me an IP address for the VPN server.

    What should happen is that the PPPoE connection comes up, and the VPN then has to work over it.

    I can get the PPPoE working, but I don't know how to set up a PPTP VPN with it.

    Here is my config:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxx encrypted
    passwd xxxxxxx encrypted
    hostname neveroff
    domain-name neveroff.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list incoming permit icmp any any echo-reply
    access-list incoming permit icmp any any source-quench
    access-list incoming permit icmp any any unreachable
    access-list incoming permit icmp any any time-exceeded
    pager lines 24
    icmp permit any echo outside
    icmp permit any unreachable outside
    icmp permit any time-exceeded outside
    icmp permit any source-quench outside
    icmp permit any echo-reply outside
    icmp permit any information-reply outside
    icmp permit any mask-reply outside
    icmp permit any timestamp-reply outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
    access-group incoming in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname xxxxxxxxx
    vpdn group pppoex ppp authentication chap
    vpdn username xxxxxxxx password xxxxxxxx
    dhcpd address 192.168.1.10-192.168.1.41 inside
    dhcpd dns 192.168.1.1 168.210.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username neveroff password TEnlGTQMwqamBzMn encrypted privilege 2
    terminal width 80
    Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf
    : end

    Thank you

    Etienne

    Happy to help, and please kindly mark the message as answered if you have no further questions. Thank you.

  • VPN PIX 506e to Linksys RV042?

    I'm kind of a rookie of Cisco and need help to set up a virtual private network:

    I replaced a Netopia R910 with a Linksys RV042. I have set the parameters as best I could. I am trying to reconnect the site-to-site VPN from our network (192.168.0.x private, xxx.xxx.109.202 public) to the remote network (192.168.38.x private, xxx.xxx.131.50 public).

    The Linksys VPN shows connected, but no traffic is coming through. I can't ping anything on the remote subnet.

    It worked fine with the R910, and no settings have changed on the PIX other than new pre-shared keys, which match.

    Here is the PIX config; the RV042 config is attached as an image.

    Thank you very much for your help!

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd *************** encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.0 FirstStreet
    name 192.168.38.2 Sco
    name xxx.xxx.130.94 FirstWan
    name 192.168.4.0 Oakurst
    name 192.168.7.0 Clovis
    name 192.168.3.0 Madera
    name 192.168.0.0 TomJ
    name xxx.xxx.131.58 FMLFirst
    name xxx.xxx.131.22 Integrity
    name 192.168.6.0 TJhome
    name 192.168.38.10 Server2
    name xxx.xxx.117.182 ClovisPublicIP
    name xxx.xxx.100.239 OakurstPublicIP
    name xxx.xxx.174.185 MaderaPublicIP
    name 192.168.38.64 VideoS1
    object-group network FMLRemoteOffices
      description Public IP's and Internal Subnets for All Remote Offices
      network-object OakurstPublicIP 255.255.255.255
      network-object MaderaPublicIP 255.255.255.255
      network-object ClovisPublicIP 255.255.255.255
      network-object xxx.xxx.109.202 255.255.255.255
    access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any host 192.168.38.248
    access-list inside_outbound_nat0_acl permit ip any 192.168.38.248 255.255.255.248
    access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq https
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in remark Sage e-prescription service 8423
    access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq 8423
    access-list outside_access_in permit tcp any host xxx.xxx.131.53 eq 1202
    access-list outside_access_in permit tcp any host xxx.xxx.131.52 eq 7000
    access-list outside_cryptomap_20 permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
    access-list outside_cryptomap_80 permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
    access-list outside_cryptomap_120 permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
    access-list outside_cryptomap_100 permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
    no pager
    logging on
    icmp permit any echo-reply outside
    icmp permit any echo-reply inside
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.131.50 255.255.255.248
    ip address inside 192.168.38.4 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNDHCP 192.168.38.248-192.168.38.252
    ip local pool DHCP39 192.168.39.1-192.168.39.254
    pdm location Integrity 255.255.255.255 outside
    pdm location 192.168.38.0 255.255.255.0 inside
    pdm location FirstStreet 255.255.255.0 inside
    pdm location FirstStreet 255.255.255.0 outside
    pdm location Sco 255.255.255.255 inside
    pdm location FirstWan 255.255.255.255 outside
    pdm location Oakurst 255.255.255.0 outside
    pdm location Clovis 255.255.255.0 outside
    pdm location TJhome 255.255.255.0 outside
    pdm location Madera 255.255.255.0 outside
    pdm location TomJ 255.255.255.0 outside
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location xxx.xxx.141.217 255.255.255.255 outside
    pdm location 192.168.38.111 255.255.255.255 inside
    pdm location 192.168.38.3 255.255.255.255 inside
    pdm location FMLFirst 255.255.255.255 outside
    pdm location xxx.xxx.130.15 255.255.255.255 outside
    pdm location 128.0.0.0 128.0.0.0 outside
    pdm location xxx.xxx.109.202 255.255.255.255 outside
    pdm location Server2 255.255.255.255 inside
    pdm location ClovisPublicIP 255.255.255.255 outside
    pdm location OakurstPublicIP 255.255.255.255 outside
    pdm location MaderaPublicIP 255.255.255.255 outside
    pdm location 192.168.38.248 255.255.255.255 outside
    pdm location TomJ 255.255.255.0 inside
    pdm location VideoS1 255.255.255.255 inside
    pdm location 192.168.38.21 255.255.255.255 inside
    pdm group FMLRemoteOffices outside
    pdm logging debugging 500
    no pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.xxx.131.51
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) xxx.xxx.131.54 Server2 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.131.53 192.168.38.21 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.131.52 VideoS1 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.131.49 1
    route inside FirstStreet 255.255.255.0 192.168.38.254 1
    timeout xlate 3:00:00
    timeout conn 4:00:00 half-closed 2:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http Integrity 255.255.255.255 outside
    http xxx.xxx.141.217 255.255.255.255 outside
    http xxx.xxx.109.202 255.255.255.255 outside
    http 192.168.38.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 50 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer ClovisPublicIP
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 80 ipsec-isakmp
    crypto map outside_map 80 match address outside_cryptomap_80
    crypto map outside_map 80 set peer OakurstPublicIP
    crypto map outside_map 80 set transform-set ESP-DES-MD5
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer xxx.xxx.174.234
    crypto map outside_map 100 set transform-set ESP-DES-MD5
    crypto map outside_map 120 ipsec-isakmp
    crypto map outside_map 120 match address outside_cryptomap_120
    crypto map outside_map 120 set peer MaderaPublicIP
    crypto map outside_map 120 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address xxx.xxx.141.217 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address ClovisPublicIP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.64.82 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.67.172 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address OakurstPublicIP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.24.157 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.174.234 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.88.137 netmask 255.255.255.255
    isakmp key ******** address MaderaPublicIP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.109.202 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    vpngroup FMLREASYVPN address-pool VPNDHCP
    vpngroup FMLREASYVPN dns-server 192.168.38.3
    vpngroup FMLREASYVPN idle-time 1800
    vpngroup FMLREASYVPN password ********
    vpngroup Brevium address-pool VPNDHCP
    vpngroup Brevium dns-server 192.168.38.3
    vpngroup Brevium idle-time 1800
    vpngroup Brevium password ********
    telnet 192.168.38.0 255.255.255.0 inside
    telnet TomJ 255.255.255.0 inside
    telnet timeout 5
    ssh Integrity 255.255.255.255 outside
    ssh 99.15.109.202 255.255.255.255 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local VPNDHCP
    vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.38.3
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username admin password *********
    vpdn username tonette password *********
    vpdn username rosie password *********
    vpdn username cts password *********
    vpdn username MaderaFMLR password *********
    vpdn username ruth password *********
    vpdn username fogg password *********
    vpdn username lanier password *********
    vpdn username lanier2 password *********
    vpdn username justin password *********
    vpdn username mike password *********
    vpdn username heather password *********
    vpdn username Brevium password *********
    vpdn username jeremiah password *********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username admin password *************** encrypted privilege 15
    terminal width 80
    Cryptochecksum:******************************
    : end
    [OK]

    For NAT exemption, you must add the following:

    access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TomJ 255.255.255.0

  • PIX does not allow large packets

    I can ping with -l 992, but it fails with -l 993.

    Pinging 172.16.17.1 with 992 bytes of data:
    Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
    Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
    Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
    Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
    Ping statistics for 172.16.17.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms

    Pinging 172.16.17.1 with 993 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 172.16.17.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    I also see that connections to the devices in the DMZ take an excessively long time.

    The MTU size on all interfaces is still the default value of 1500.

    Hi Jimmysturn:

    What has likely happened here is that you have an IDS attack policy bound to your outside interface with the action 'drop' or 'reset' for all packets that match a signature in the attack category.

    Signature 2151 (Large ICMP) will drop packets hitting the PIX outside interface, or passing through the PIX outside interface, when you ping with a large packet size (993+ bytes):

    From your post, you must have had the following IDS policy on your PIX:

    ip audit name attackpolicy attack action drop

    (or

    ip audit name attackpolicy attack action alarm drop

    or

    ip audit name attackpolicy attack action alarm reset

    or both)

    If you want to ping with big packets, there are several things you can do:

    (1) Remove the "attackpolicy" policy completely from your outside interface. This will turn off all of the IDS signatures in the attack category.

    Look at this carefully and decide whether it is what you want to do.

    To achieve the above, issue the following command:

    no ip audit interface outside attackpolicy

    (2) Turn off signature 2151 by running the command:

    ip audit signature 2151 disable

    That would disable only the Large ICMP attack signature while leaving the other signatures in the IDS attack category ON.

    (3) Set the signature action to log large ICMP packets (to a syslog server or the internal buffer) instead of dropping them. Again, this should be considered as carefully as option 1.

    To achieve the above, issue the following command:

    ip audit name attackpolicy attack action alarm

    Hope this helps.

    Please rate the post accordingly if you find it useful.

    Sincerely,

    Binh
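    If you take option 3 (alarm instead of drop), the PIX reports each signature 2151 hit as syslog message 400023. The following is an added example, not code from the original post: a small Python parser for that message, run over constructed sample lines, that counts large-ICMP hits per source and interface and flags a single source hitting several hosts, so you can tell an admin's own `ping -l 993` from something that deserves a look. The message format assumed is the standard `%PIX-4-400023: IDS:2151 ICMP Large Packet from <src> to <dst> on interface <if>`; the sample log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Syslog line emitted when IDS signature 2151 (Large ICMP) fires. The format assumed
# here is the standard PIX/ASA message 400023:
#   %PIX-4-400023: IDS:2151 ICMP Large Packet from <src> to <dst> on interface <if>
IDS_2151_RE = re.compile(
    r"%(?:PIX|ASA)-4-400023: IDS:2151 ICMP Large Packet "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)"
)


def parse_large_icmp(line):
    """Return {'src', 'dst', 'iface'} for a signature-2151 line, or None for any other line."""
    m = IDS_2151_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count 2151 hits per (src, iface) and collect the distinct destinations per src."""
    hits = Counter()
    targets = defaultdict(set)
    for line in lines:
        ev = parse_large_icmp(line)
        if ev is None:
            continue  # any other message ID, or an unparseable line
        hits[(ev["src"], ev["iface"])] += 1
        targets[ev["src"]].add(ev["dst"])
    return hits, {src: sorted(d) for src, d in targets.items()}


def report(lines, burst_threshold=5):
    """
    One row per (src, iface), busiest first. A row is flagged 'sweep' when a single
    source sent at least burst_threshold large ICMP packets to more than one host;
    a handful of hits to one host is usually an admin running ping -l 993 or larger,
    exactly the case from the question above.
    """
    hits, targets = summarize(lines)
    rows = []
    for (src, iface), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append({
            "src": src,
            "iface": iface,
            "hits": n,
            "targets": len(targets[src]),
            "sweep": n >= burst_threshold and len(targets[src]) > 1,
        })
    return rows


# Constructed sample log (not real data): four 993-byte pings from an inside admin
# host to one DMZ device, a burst from one outside address to several inside hosts,
# and one unrelated connection message that the parser must ignore.
SAMPLE_LOG = [
    "Oct 31 2012 08:17:59 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 192.168.38.111 to 172.16.17.1 on interface inside",
    "Oct 31 2012 08:18:00 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 192.168.38.111 to 172.16.17.1 on interface inside",
    "Oct 31 2012 08:18:01 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 192.168.38.111 to 172.16.17.1 on interface inside",
    "Oct 31 2012 08:18:02 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 192.168.38.111 to 172.16.17.1 on interface inside",
    "Oct 31 2012 08:18:10 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.3 on interface outside",
    "Oct 31 2012 08:18:10 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.4 on interface outside",
    "Oct 31 2012 08:18:10 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.21 on interface outside",
    "Oct 31 2012 08:18:11 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.111 on interface outside",
    "Oct 31 2012 08:18:11 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.3 on interface outside",
    "Oct 31 2012 08:18:11 pix %PIX-4-400023: IDS:2151 ICMP Large Packet from 203.0.113.7 to 192.168.38.4 on interface outside",
    "Oct 31 2012 08:18:12 pix %PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/40000 to inside:192.168.38.21/1202",
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("{src:<16} {iface:<8} hits={hits:<3} targets={targets} sweep={sweep}".format(**row))
```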

  • Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

    ASA 5505 split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).

    When a user connected to the old 8.3(1) device they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16

    but now they can't, and in the logs I see just

    6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

    Any tips? I have tried almost everything. The running configuration is:

    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname asa
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.60.70.1 255.255.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 80.90.98.217 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.33.0.0_16
     subnet 10.33.0.0 255.255.0.0
    object network NETWORK_OBJ_10.60.0.0_16
     subnet 10.60.0.0 255.255.0.0
    object network NETWORK_OBJ_10.89.0.0_16
     subnet 10.89.0.0 255.255.0.0
    object network NETWORK_OBJ_10.1.0.0_16
     subnet 10.1.0.0 255.255.0.0
    object network tetPC
     host 10.60.10.1
     description test
    object network NETWORK_OBJ_10.60.30.0_24
     subnet 10.60.30.0 255.255.255.0
    object network NETWORK_OBJ_10.60.30.64_26
     subnet 10.60.30.64 255.255.255.192
    object network SSHServer
     host 10.60.20.6
    object network SSH_public
    object network ftp_public
     host 80.90.98.218
    object network rdp
     host 10.60.10.4
    object network ftp_server
     host 10.60.20.2
    object network ssh_public
     host 80.90.98.218
    object service FTP
     service tcp destination eq 12
    object network NETWORK_OBJ_10.60.20.3
     host 10.60.20.3
    object network NETWORK_OBJ_10.60.40.192_26
     subnet 10.60.40.192 255.255.255.192
    object network NETWORK_OBJ_10.60.10.10
     host 10.60.10.10
    object network NETWORK_OBJ_10.60.20.2
     host 10.60.20.2
    object network NETWORK_OBJ_10.60.20.21
     host 10.60.20.21
    object network NETWORK_OBJ_10.60.20.4
     host 10.60.20.4
    object network NETWORK_OBJ_10.60.20.5
     host 10.60.20.5
    object network NETWORK_OBJ_10.60.20.6
     host 10.60.20.6
    object network NETWORK_OBJ_10.60.20.7
     host 10.60.20.7
    object network NETWORK_OBJ_10.60.20.29
     host 10.60.20.29
    object service port_tomcat
     service tcp source range 8080 8082
    object network TBSF
     subnet 172.16.252.0 255.255.255.0
    object network MailServer
     host 10.33.10.2
     description Mail server
    object service HTTPS
     service tcp source eq https
    object network test
    object network access_web_mail
     host 10.60.50.251
    object network downtown_Interface_host
     host 10.60.50.1
     description Downtown Interface host
    object service Oracle_port
     service tcp source eq sqlnet
    object network NETWORK_OBJ_10.60.50.248_29
     subnet 10.60.50.248 255.255.255.248
    object network NETWORK_OBJ_10.60.50.1
     host 10.60.50.1
    object network NETWORK_OBJ_10.60.50.0_28
     subnet 10.60.50.0 255.255.255.240
    object network brisel
     subnet 10.191.191.0 255.255.255.0
    object network NETWORK_OBJ_10.191.191.0_24
     subnet 10.191.191.0 255.255.255.0
    object network NETWORK_OBJ_10.60.60.0_24
     subnet 10.60.60.0 255.255.255.0
    object-group service TCS_Service_Group
     description this group of Services offered is for the CLD's Clients
     service-object object port_tomcat
    object-group service HTTPS_ACCESS tcp
     port-object eq https
    object-group network DM_INLINE_NETWORK_1
     network-object 10.1.0.0 255.255.0.0
     network-object 10.33.0.0 255.255.0.0
     network-object 10.60.0.0 255.255.0.0
     network-object 10.89.0.0 255.255.0.0
    access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
    access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
    access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list OUTSIDE_IN extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN extended permit icmp any any unreachable
    access-list OUTSIDE_IN extended permit icmp any any echo-reply
    access-list OUTSIDE_IN extended permit icmp any any source-quench
    access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
    access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
    access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
    access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
    access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
    access-list OAKDCAcl remark backoffice
    access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
    access-list OAKDCAcl remark maint
    access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
    access-list osgd standard permit host 10.60.20.4
    access-list osgd standard permit host 10.60.20.5
    access-list osgd standard permit host 10.60.20.7
    access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
    access-list snmp extended permit udp any eq snmptrap any
    access-list snmp extended permit udp any any eq snmp
    access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
    access-list webMailACL standard permit host 10.33.10.2
    access-list HBSC standard permit host 10.60.30.107
    access-list HBSC standard deny 10.33.0.0 255.255.0.0
    access-list HBSC standard deny 10.89.0.0 255.255.0.0
    access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
    access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
    ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
    ip local pool test 10.60.50.1 mask 255.255.255.255
    ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
    ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
    ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
    ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name ThreatDetection attack action alarm
    ip audit interface inside ThreatDetection
    ip audit interface outside ThreatDetection
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo inside
    icmp permit any echo outside
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
    nat (inside,outside) source static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 destination static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 service any port_tomcat
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
    nat (inside,outside) source static MailServer MailServer destination static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
    nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.60.10.10 255.255.255.255 inside
    http 10.33.30.33 255.255.255.255 inside
    http 10.60.30.33 255.255.255.255 inside
    snmp-server host inside 10.33.30.108 community ***** version 2c
    snmp-server host inside 10.89.70.30 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 84.51.31.173
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer 98.85.125.2
    crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set peer 220.79.236.146
    crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 4 match address outside_4_cryptomap
    crypto map outside_map 4 set pfs
    crypto map outside_map 4 set peer 159.146.232.122
    crypto map outside_map 4 set ikev1 transform-set lux_trans_set
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 50
     authentication pre-share
     encryption aes
     hash sha
     group 1
     lifetime 86400
    crypto ikev1 policy 70
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    telnet 10.60.10.10 255.255.255.255 inside
    telnet 10.60.10.1 255.255.255.255 inside
    telnet 10.60.10.5 255.255.255.255 inside
    telnet 10.60.30.33 255.255.255.255 inside
    telnet 10.33.30.33 255.255.255.255 inside
    telnet timeout 30
    ssh 10.60.10.5 255.255.255.255 inside
    ssh 10.60.10.10 255.255.255.255 inside
    ssh 10.60.10.3 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd dns 155.2.10.20 155.2.10.50 interface inside
    dhcpd auto_config outside interface inside
    !
    threat-detection basic-threat
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    tftp-server inside 10.60.10.10 configs/config1
    webvpn
    group-policy testTG internal
    group-policy testTG attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol ikev1
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol l2tp-ipsec
    group-policy TcsTG internal
    group-policy TcsTG attributes
     vpn-idle-timeout 20
     vpn-session-timeout 120
     vpn-tunnel-protocol ikev1
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value testOAK_splitTunnelAcl
     address-pools value TCS_pool
    group-policy downtown_interfaceTG internal
    group-policy downtown_interfaceTG attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value downtown_splitTunnelAcl
    group-policy HBSCTG internal
    group-policy HBSCTG attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value HBSC
    group-policy OSGD internal
    group-policy OSGD attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-session-timeout none
     vpn-tunnel-protocol ikev1
     group-lock value OSGD
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value testOAK_splitTunnelAcl
    group-policy OAKDC internal
    group-policy OAKDC attributes
     vpn-tunnel-protocol ikev1
     group-lock value OAKDC
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value OAKDCAcl
     intercept-dhcp 255.255.0.0 disable
     address-pools value OAKPRD_pool
    group-policy mailTG internal
    group-policy mailTG attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value webMailACL
    group-policy OAK-remote internal
    group-policy OAK-remote attributes
     dns-server value 155.2.10.20 155.2.10.50
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value OAK-remote_splitTunnelAcl
     vpn-group-policy OAKDC
     service-type nas-prompt
    tunnel-group DefaultRAGroup general-attributes
     address-pool OAKPRD_pool
     address-pool ipad
     default-group-policy DefaultRAGroup_1
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 84.51.31.173 type ipsec-l2l
    tunnel-group 84.51.31.173 ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 98.85.125.2 type ipsec-l2l
    tunnel-group 98.85.125.2 ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 220.79.236.146 type ipsec-l2l
    tunnel-group 220.79.236.146 ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group OAKDC type remote-access
    tunnel-group OAKDC general-attributes
     address-pool OAKPRD_pool
     default-group-policy OAKDC
    tunnel-group OAKDC ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group TcsTG type remote-access
    tunnel-group TcsTG general-attributes
     address-pool TCS_pool
     default-group-policy TcsTG
    tunnel-group TcsTG ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group downtown_interfaceTG type remote-access
    tunnel-group downtown_interfaceTG general-attributes
     address-pool test
     default-group-policy downtown_interfaceTG
    tunnel-group downtown_interfaceTG ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group mailTG type remote-access
    tunnel-group mailTG general-attributes
     address-pool mail_sddress_pool
     default-group-policy mailTG
    tunnel-group mailTG ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group testTG type remote-access
    tunnel-group testTG general-attributes
     address-pool mail_sddress_pool
     default-group-policy testTG
    tunnel-group testTG ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group OSGD type remote-access
    tunnel-group OSGD general-attributes
     address-pool OSGD_POOL
     default-group-policy OSGD
    tunnel-group OSGD ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group HBSCTG type remote-access
    tunnel-group HBSCTG general-attributes
     address-pool OSGD_POOL
     default-group-policy HBSCTG
    tunnel-group HBSCTG ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 159.146.232.122 type ipsec-l2l
    tunnel-group 159.146.232.122 ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group OAK-remote type remote-access
    tunnel-group OAK-remote general-attributes
     address-pool OAK_pool
     default-group-policy OAK-remote
    tunnel-group OAK-remote ipsec-attributes
     ikev1 pre-shared-key *****
    !
    !
    !
    policy-map global_policy
    !
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    : end
    asdm history enable

    Hi David,

    I see that you have:

    access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0

    So, please make the following changes:

    object network obj-10.60.30.0
     subnet 10.60.30.0 255.255.255.0
    !
    route outside 10.60.30.0 255.255.255.0 80.90.98.222
    route outside 10.89.0.0 255.255.0.0 80.90.98.222
    nat (outside,outside) 1 source static obj-10.60.30.0 obj-10.60.30.0 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 no-proxy-arp route-lookup

    HTH

    Portu.

    Please rate all useful posts

    Post edited by: Javier Portuguez

  • How to disable auditing for a specific user

    Hi all

    On our database the audit setting is db,extended, and the audit information resides in the SYSTEM tablespace.

    For some reason we enabled auditing for a specific user:

    AUDIT ALL BY TOMMY BY ACCESS;
    AUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY BY ACCESS;
    AUDIT EXECUTE ANY PROCEDURE BY TOMMY BY ACCESS;

    It writes too much information and we want to disable this auditing for tommy. But we want to do it without restarting the database because our system runs 24/7.

    We enabled auditing for tommy without rebooting, but we can't turn it off without restarting:

    NOAUDIT ALL BY TOMMY;
    NOAUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY;
    NOAUDIT EXECUTE ANY PROCEDURE BY TOMMY;

    There is no error, but it still writes too much information. Please help: how can we disable it without a reboot?

    2790572 wrote:

    Hi all

    On our database the audit setting is db,extended, and the audit information resides in the SYSTEM tablespace.

    For some reason we enabled auditing for a specific user:

    AUDIT ALL BY TOMMY BY ACCESS;
    AUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY BY ACCESS;
    AUDIT EXECUTE ANY PROCEDURE BY TOMMY BY ACCESS;

    It writes too much information and we want to disable this auditing for tommy. But we want to do it without restarting the database because our system runs 24/7.

    We enabled auditing for tommy without rebooting, but we can't turn it off without restarting:

    NOAUDIT ALL BY TOMMY;
    NOAUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY;
    NOAUDIT EXECUTE ANY PROCEDURE BY TOMMY;

    There is no error, but it still writes too much information. Please help: how can we disable it without a reboot?

    The change applies only to new sessions opened by TOMMY.

    So at a minimum all existing sessions belonging to TOMMY need to be terminated.

  • Tip to avoid key presses during page load?

    APEX: Application Express 4.2.6.00.03

    I have two or three "intentionally" slow and heavy pages, and end users happily press the buttons repeatedly and get harmless error messages.

    I would like to avoid the "resubmit" situation and the "error messages" when trying to resubmit.

    Any good tips to do just that, hopefully ones that stay compatible with future Oracle Apex versions?

    1.) A page attribute that shows a "spinner" until the page is completely rendered?

    I would like to avoid the 3331 error when the page is set to prevent resubmission, or avoid the page protection violation message when resubmitting is allowed.

    For example, show a "spinning wheel" or "progress bar" which blocks the user's key presses?

    2.) Or have this "spinner" specific to a region, so the region shows a "spinner" until it is fully loaded.

    3.) Or how to display the buttons placed on the page only after the "big jobs" are done?

    4.) Or some other method?

    rgrds Paavo

    Paavo wrote:

    Actually, that's the question, if we leave it to development to decide which approach to take:

    - make all button actions dynamic, with everything (e.g. anonymous PL/SQL) driven by dynamic action procedures instead of running PL/SQL procedures after the page submit

    - or do the page submit processing (the pre-dynamic-action era Apex method) and no dynamic actions with PL/SQL code on the buttons

    Apex is basically PL/SQL.

    So in order to generate an Apex page, PL/SQL code has to run. To refresh a report region, PL/SQL code has to run. To process the items on a web page into an update/insert/delete of data in the database, PL/SQL code has to run. Etc.

    This code can be executed in 2 ways.

    Submit the entire page to the Apex engine flow. It builds a whole new page. This page is sent to the browser to replace the content of the existing window and render all new content in that browser window.

    Use Ajax (Javascript calls) to call the Apex engine flow (aka dynamic action/process). It creates a response (XML, HTML, JSON, etc.). This response is returned, and Javascript is used to process it and update objects on the page (e.g. add/update/refresh in the DOM).

    Both ways are necessary, as

    (a) we sometimes want to send a new page to the web browser

    (b) we sometimes want to update an existing web page in the web browser

    So it is not a matter of choosing one direction. Both are relevant. Both are needed to create Web 2.0 type applications with rich and interactive interfaces.

    I'm just afraid of 2 similar submits accidentally firing PL/SQL processing: one as a dynamic action and one in the after-submit processing.

    It's a question of the developer and the development life cycle.

    It comes down to knowledge. Know what the differences are between page submits and dynamic actions, and when to use which to achieve the goal at hand.

    Let's say we have a slow report query and a report region which takes time to load. But this report is not required for the end user, who could continue pressing buttons while that specific region is still loading.

    Press the buttons to do what? And why would the user click the buttons when the report data is not yet ready for display?

    The Javascript engine doesn't have a Posix/Windows type thread model. By default, its calls are non-blocking and use events. See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/EventLoop for more details.

    Designing concurrent processing systems properly isn't exactly a walk in the park. And that's true in Javascript too.
