Auditing (FGA) actions on procedures
Hi all! I'm putting fine-grained auditing in place on our test database.
I did it for all the tables, no problem.
But I can't work out how to do it for procedures. I want to audit the procedures and packages in our database to get information on those that are executed by our application.
Does someone know how to set up auditing of a procedure/package?
--------------------------
This is the syntax for implementing auditing on a table:
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'TRA',
    object_name     => 'PERS',
    policy_name     => 'PERS',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE');
END;
/
For a procedure, try: AUDIT EXECUTE ON procedure_name BY SESSION
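A worked version of the two mechanisms in this reply, as an added example (not code from the original post): DBMS_FGA for the table and the AUDIT command for the PL/SQL unit, followed by the queries that read both trails back. TRA.PERS is the table named in the reply; the package TRA.PERS_PKG, its columns EMP_ID and SALARY and the policy name PERS_DML_POL are assumptions made for this example.

```sql
-- Added example (not code from the original post). TRA.PERS is the table
-- from the reply; the package TRA.PERS_PKG, the columns EMP_ID/SALARY and
-- the policy name are assumptions made for this example.
-- Prerequisite: AUDIT_TRAIL must be DB or DB,EXTENDED (changing it needs a
-- restart), otherwise the AUDIT command below records nothing.
SHOW PARAMETER audit_trail

-- A small package standing in for the application's PL/SQL.
CREATE OR REPLACE PACKAGE tra.pers_pkg AS
  PROCEDURE update_salary(p_emp_id IN NUMBER, p_new_salary IN NUMBER);
END pers_pkg;
/
CREATE OR REPLACE PACKAGE BODY tra.pers_pkg AS
  PROCEDURE update_salary(p_emp_id IN NUMBER, p_new_salary IN NUMBER) IS
  BEGIN
    UPDATE tra.pers SET salary = p_new_salary WHERE emp_id = p_emp_id;
  END update_salary;
END pers_pkg;
/

-- 1. DBMS_FGA only covers SELECT/INSERT/UPDATE/DELETE on tables and views;
--    calls to procedures and packages are audited with the standard AUDIT
--    command on the EXECUTE object privilege. BY SESSION collapses all calls
--    from one session into a single record; BY ACCESS keeps one record per
--    call, which is what you want when reconstructing what the application did.
AUDIT EXECUTE ON tra.pers_pkg BY ACCESS;

-- 2. FGA on the table the package touches, so the DML issued from inside the
--    package is captured too. DB + EXTENDED stores the SQL text and the binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'TRA',
    object_name     => 'PERS',
    policy_name     => 'PERS_DML_POL',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- 3. Constructed application activity.
BEGIN
  tra.pers_pkg.update_salary(p_emp_id => 101, p_new_salary => 5000);
  COMMIT;
END;
/

-- 4. Read both trails back. The EXECUTE record lands in DBA_AUDIT_TRAIL, the
--    table access in DBA_FGA_AUDIT_TRAIL; the session id ties them together.
SELECT a.sessionid, a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.owner || '.' || a.obj_name AS object_name, a.returncode
  FROM dba_audit_trail a
 WHERE a.action_name LIKE '%EXECUTE%' AND a.owner = 'TRA'
 ORDER BY a.timestamp DESC;

SELECT f.session_id, f.timestamp, f.db_user, f.object_name,
       f.statement_type, f.sql_text, f.sql_bind
  FROM dba_fga_audit_trail f
 WHERE f.policy_name = 'PERS_DML_POL'
 ORDER BY f.timestamp DESC;
```

The object-level AUDIT records which package was executed, not which procedure inside it; the FGA record with the same session id shows what that call actually did to the table.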
Tags: Database
Similar Questions
-
Hello
I'm trying to audit the logon and logoff actions and can't seem to get logons audited. Any idea what I'm doing wrong?
SQL> select * from v$version;
BANNER                                                                               CON_ID
-------------------------------------------------------------------------------- ----------
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production              0
PL/SQL Release 12.1.0.2.0 - Production                                                    0
CORE 12.1.0.2.0 Production                                                                0
TNS for Solaris: Version 12.1.0.2.0 - Production                                          0
NLSRTL Version 12.1.0.2.0 - Production                                                    0
SQL> select * from v$option where parameter = 'Unified Auditing';
PARAMETER                                                        VALUE           CON_ID
---------------------------------------------------------------- ----------- ----------
Unified Auditing                                                 TRUE                 0
SQL> select parameter_value from dba_audit_mgmt_config_params where parameter_name = 'AUDIT WRITE MODE';
PARAMETER_VALUE
--------------------------------------------------
IN WRITE-THROUGH MODE
SQL> select * from audit_unified_enabled_policies order by user_name;
no rows selected
SQL> create audit policy TESTPOL1 actions logon, logoff, alter session;
Audit policy created.
SQL> audit policy TESTPOL1;
Audit succeeded.
SQL> select * from audit_unified_enabled_policies order by user_name;
USER_NAME       POLICY_NAME     ENABLED_ SUC FAI
--------------- --------------- -------- --- ---
ALL USERS       TESTPOL1        BY       YES YES
SQL> select object_name, action_name, event_timestamp, audit_type from unified_audit_trail order by event_timestamp desc;
AUDIT_TYPE           EVENT_TIMESTAMP                     OBJECT_NAME                    ACTION_NAME
-------------------- ----------------------------------- ------------------------------ -----------------------------------
Standard             15.10.15 16:00:09.837162            TESTPOL1                       AUDIT
Standard             15.10.15 16:00:00.666653            TESTPOL1                       CREATE AUDIT POLICY
Standard             15.10.15 15:36:53.721245            DBMS_AUDIT_MGMT                EXECUTE
Standard             15.10.15 15:27:24.341884            DBMS_AUDIT_MGMT                EXECUTE
Standard             15.10.15 15:27:01.204268            DBMS_AUDIT_MGMT                EXECUTE
Standard             07.10.15 16:51:34.513567                                           log CLEANING
8 rows selected.
SQL>
... I connect to the database and alter my session:
Test1$ > sqlplus user3
SQL*Plus: Release 12.1.0.2.0 Production on Thu Oct 15 14:01:41 2015
Copyright (c) 1982, 2014, Oracle.  All rights reserved.
Enter password:
Last Successful login time: Thu Oct 15 2015 13:07:25 +02:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options
SQL> alter session set nls_date_format = 'yyyy.mm.dd';
Session altered.
SQL> quit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options
Test1$ >
... then check the audit trail:
SQL> /
AUDIT_TYPE           EVENT_TIMESTAMP                     OBJECT_NAME                    ACTION_NAME
-------------------- ----------------------------------- ------------------------------ ----------------------
Standard             15.10.15 16:01:54.446279                                           LOGOFF
Standard             15.10.15 16:01:50.378333                                           ALTER SESSION
Standard             15.10.15 16:01:44.714527                                           ALTER SESSION
Standard             15.10.15 16:00:09.837162            TESTPOL1                       AUDIT
Standard             15.10.15 16:00:00.666653            TESTPOL1                       CREATE AUDIT POLICY
Standard             15.10.15 15:36:53.721245            DBMS_AUDIT_MGMT                EXECUTE
Standard             15.10.15 15:27:24.341884            DBMS_AUDIT_MGMT                EXECUTE
Standard             15.10.15 15:27:01.204268            DBMS_AUDIT_MGMT                EXECUTE
Standard             07.10.15 16:51:34.513567                                           log CLEANING
11 rows selected.
SQL>
Where is the logon event?
Thank you
Julius
Bug 19383839. Patches are available for download.
-
Hi all
11.2.0.3
I want to audit all actions by the users SYS and SYSTEM and all other users with the DBA privilege, above all the action when they delete from or truncate the SYS.AUD$ table.
I read in the docs that they are audited by default? Is truncating SYS.AUD$ included? Is there a simple command for this?
Thank you very much
zxy
I think that auditing is configured by default in 11g if you use the DBCA wizard to create the database. If you create the database manually, I think you will find that you must set the audit rules yourself. If you are upgrading an existing database in place, I would expect the same audit rules you had on your old system to still be in force.
HTH -- Mark D Powell
-
RAW - the procedure input parameter data type
Hello
I created a procedure (pasted below). I'm getting an error on execution; please help me overcome the error.
BEGIN
  Log('6B6C6D', '06-Aug-12', 'COM.TESt', 'OH', 'AUT', 'NOTRANSACT', '<ACORD><SignonRq>', '000000E0LN1D000029FNSRRGTest', '000009N1D000029FNJ9OITest');
END;
ERROR
Error report:
ORA-06550: line 3, column 1:
PLS-00306: wrong number or types of arguments in the call to the 'LOG '.
ORA-06550: line 3, column 1:
PL/SQL: Statement ignored
06550. 00000 - "line %s, column %s:\n%s"
* Cause: Usually a PL/SQL compilation error.
* Action:
/************************ Procedure *************************/
create or replace PROCEDURE log
/* Object: StoredProcedure [dbo].[LogTransactionBegin] Script Date: 06/07/2012 05:37:06 */
(
  v_GUID       IN RAW       DEFAULT NULL,
  v_STRT_TM    IN TIMESTAMP DEFAULT NULL,
  v_PRTN_NM    IN VARCHAR2  DEFAULT NULL,
  v_ST_CD      IN CHAR      DEFAULT NULL,
  v_LN_OF_BUS  IN VARCHAR2  DEFAULT NULL,
  v_TRN_TYP    IN VARCHAR2  DEFAULT NULL,
  v_REQ_XML    IN XMLTYPE   DEFAULT NULL,
  v_INNR_RQUID IN VARCHAR2  DEFAULT NULL,
  v_OUTR_RQUID IN VARCHAR2  DEFAULT NULL
)
AS
BEGIN
  INSERT INTO trn_log
    (GIRO_TRN_LOG_ID, STRT_TM, PRTN_NM, ST_CD, LN_OF_BUS, TRN_TYP, REQ_XML, INNR_RQUID, OUTR_RQUID)
  VALUES (v_GUID, v_STRT_TM, v_PRTN_NM, v_ST_CD, v_LN_OF_BUS, v_TRN_TYP, v_REQ_XML, v_INNR_RQUID, v_OUTR_RQUID);
END;
/
Please see the following commented lines:
BEGIN
  Log( '6B6C6D'                        -- this is not a RAW
     , '06-Aug-12'                     -- this is not a TIMESTAMP
     , 'COM.TESt'
     , 'OH'
     , 'AUT'
     , 'NOTRANSACT'
     , '<ACORD><SignonRq>'             -- this is not an XMLType (not even valid XML)
     , '000000E0LN1D000029FNSRRGTest'
     , '000009N1D000029FNJ9OITest' );
END;
Use the correct data types and their constructors (if necessary).
For example, you can build a RAW from a string with the HEXTORAW() function. An XMLType can be built with the XMLType() constructor or the XMLParse() function, etc.
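The corrected call spelled out, as an added example that is not part of the original thread: the procedure from the question is recreated under the assumed name LOG_TRN (to keep it away from the built-in LOG function), the target table TRN_LOG is constructed here with assumed column sizes, and every argument is converted to the declared parameter type before the call.

```sql
-- Added example, not from the original thread. The table definition and the
-- procedure name LOG_TRN are assumptions; the signature is the question's.
CREATE TABLE trn_log (
  giro_trn_log_id RAW(16),
  strt_tm         TIMESTAMP,
  prtn_nm         VARCHAR2(100),
  st_cd           CHAR(2),
  ln_of_bus       VARCHAR2(10),
  trn_typ         VARCHAR2(20),
  req_xml         XMLTYPE,
  innr_rquid      VARCHAR2(50),
  outr_rquid      VARCHAR2(50)
);

CREATE OR REPLACE PROCEDURE log_trn (
  v_guid       IN RAW       DEFAULT NULL,
  v_strt_tm    IN TIMESTAMP DEFAULT NULL,
  v_prtn_nm    IN VARCHAR2  DEFAULT NULL,
  v_st_cd      IN CHAR      DEFAULT NULL,
  v_ln_of_bus  IN VARCHAR2  DEFAULT NULL,
  v_trn_typ    IN VARCHAR2  DEFAULT NULL,
  v_req_xml    IN XMLTYPE   DEFAULT NULL,
  v_innr_rquid IN VARCHAR2  DEFAULT NULL,
  v_outr_rquid IN VARCHAR2  DEFAULT NULL
) AS
BEGIN
  INSERT INTO trn_log
    (giro_trn_log_id, strt_tm, prtn_nm, st_cd, ln_of_bus, trn_typ, req_xml, innr_rquid, outr_rquid)
  VALUES
    (v_guid, v_strt_tm, v_prtn_nm, v_st_cd, v_ln_of_bus, v_trn_typ, v_req_xml, v_innr_rquid, v_outr_rquid);
END log_trn;
/

-- The failing call, rewritten. Named notation shows which argument feeds
-- which parameter. There is no implicit conversion from VARCHAR2 to XMLTYPE
-- at all (that is what raises PLS-00306), and the string-to-RAW and
-- string-to-TIMESTAMP conversions are made explicit so the result does not
-- depend on the session's NLS settings.
BEGIN
  log_trn(
    v_guid       => HEXTORAW('6B6C6D'),                      -- hex string -> RAW
    v_strt_tm    => TO_TIMESTAMP('06-Aug-12', 'DD-Mon-RR'),  -- string -> TIMESTAMP, format stated
    v_prtn_nm    => 'COM.TESt',
    v_st_cd      => 'OH',
    v_ln_of_bus  => 'AUT',
    v_trn_typ    => 'NOTRANSACT',
    v_req_xml    => XMLTYPE('<ACORD><SignonRq/></ACORD>'),   -- well-formed document -> XMLTYPE
    v_innr_rquid => '000000E0LN1D000029FNSRRGTest',
    v_outr_rquid => '000009N1D000029FNJ9OITest');
  COMMIT;
END;
/

-- Verify what was stored; XMLSERIALIZE renders the XMLTYPE back as text.
SELECT giro_trn_log_id, strt_tm, st_cd,
       XMLSERIALIZE(CONTENT req_xml AS VARCHAR2(200)) AS req_xml_text
  FROM trn_log;
```

Note that the XML argument in the question, `<ACORD><SignonRq>`, has no closing tags, so the XMLTYPE constructor would reject it even once the type is right; the example closes the elements.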
Establishment of audit for DB production
Hello
I need to have Oracle auditing put in place for the production database. All DML and DDL privileges are required to be audited against the application schema.
It is therefore a more generalized audit. Does anyone have a script that I can use for this?
Can I exclude the generic application user's connection from the application to the database server from being audited in this category?
Thank you
Given that you want to audit SELECT statements, you would need fine-grained auditing (FGA).
Since you need to capture the actual data, you may be able to use FGA for the other DML statements too. That will only capture the bind variable values, however; it will not generally allow you to trace the history of a particular row. If you need this kind of history, your options are to write triggers that store historical data in history tables, use something like Oracle Total Recall, or use Oracle Workspace Manager.
Since you want the audit trail to use the real end user rather than a shared Oracle user account, the best option would be to use proxy authentication.
Justin
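The combination Justin describes, carried through as an added example (not code from the thread): proxy authentication so the audit trail names the end user behind the shared application account, and an FGA policy with the extended trail so SQL text and bind values are kept. Schema APP, table APP.CUSTOMERS with columns CUST_ID, SSN and CREDIT_LIMIT, the application account APPUSER and the end users ALICE and BOB are all assumed names.

```sql
-- Added example (not from the original thread). Schema APP, table
-- APP.CUSTOMERS (CUST_ID, SSN, CREDIT_LIMIT), the application account
-- APPUSER and the end users ALICE and BOB are all assumed names.

-- 1. Proxy authentication. The application keeps its single APPUSER
--    credential but opens each session on behalf of the real end user
--    (connect string appuser[alice]/<appuser password>), so every audit
--    record names the person rather than the shared account.
ALTER USER alice GRANT CONNECT THROUGH appuser;
ALTER USER bob   GRANT CONNECT THROUGH appuser;

-- 2. FGA policy on the sensitive table. EXTENDED keeps SQL text and bind
--    values; FGA never keeps a before-image of the row, which is why the
--    reply points to triggers, Total Recall or Workspace Manager for history.
--    The audit_condition limits the policy to proxied (end-user) sessions,
--    so the application's own non-proxied housekeeping connections are not
--    recorded by it; drop the condition to audit every session.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_ACCESS_POL',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''PROXY_USER'') IS NOT NULL',
    audit_column    => 'SSN, CREDIT_LIMIT',   -- fire only when these columns are touched
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- 3. Constructed activity, run from a proxied session (appuser[alice]).
--    Bind variables are used on purpose so that SQL_BIND has something to show.
VARIABLE new_limit NUMBER
VARIABLE id NUMBER
EXEC :new_limit := 5000
EXEC :id := 101
UPDATE app.customers SET credit_limit = :new_limit WHERE cust_id = :id;
COMMIT;

-- 4. Read it back: DB_USER is ALICE, PROXY_SESSIONID points at APPUSER's
--    proxy session, SQL_BIND carries the values bound in step 3.
SELECT f.timestamp, f.db_user, f.proxy_sessionid, f.os_user, f.userhost,
       f.statement_type, f.sql_text, f.sql_bind
  FROM dba_fga_audit_trail f
 WHERE f.policy_name = 'CUST_ACCESS_POL'
 ORDER BY f.timestamp DESC;
```

A SELECT that does not touch SSN or CREDIT_LIMIT produces no record under this policy; widen or drop audit_column if every access to the table must be recorded.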
-
Need help with regard to the audit
Hi all
I'm trying to audit the actions of users who access the database, i.e. the queries I get from users. In the SQLTEXT column of the SYS.AUD$ table I get entries. But the problem is that I'm not getting queries like
select employee_id from system.employee; (i.e. queries that select specific attributes)
but it does audit queries like
select * from system.employee;
select count(*) from system.employee;
select count(*) from system.employee, system.department;
Please help me with this...
Thanx
Hello
As Justin says: maybe you first want to work in the correct schema.
The SYS and SYSTEM schemas are not "playgrounds".
It is strongly deprecated by Oracle to create or modify objects in these schemas.
Edited by: hoek on November 4, 2009 16:34 typo
-
Hello
I'm reviewing an Oracle DB and I found that AUDIT_SYS_OPERATIONS and AUDIT_TRAIL are not activated. Is it possible that they have implemented some kind of auditing with system triggers?
Thank you very much and good day
> I'm reviewing an Oracle DB and I found that AUDIT_SYS_OPERATIONS and AUDIT_TRAIL are not activated. Is it possible that they have implemented some kind of auditing with system triggers?
AUDIT_SYS_OPERATIONS is meant to audit the actions of the superuser SYS. You can have all the actions of SYS stored in a file owned by root, so that the DBA cannot alter or delete it, if this responsibility is separated from OS administration.
A trigger can be controlled by SYS, which undermines the objective of auditing him. A trigger could be used to audit ordinary users, however. But it is maybe better and easier to use standard auditing for that, with the related parameter AUDIT_TRAIL.
Kind regards
Uwe
http://uhesse.WordPress.com
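The checks behind the two questions above (is SYS activity audited, is SYS.AUD$ protected, has someone built home-grown auditing with system triggers), written out as an added example for 11g standard auditing; it is not code from either thread and assumes only SELECT access to the DBA_* views.

```sql
-- Added example (not from the original thread): what a reviewer can run to
-- see which auditing a database actually has in place. 11g standard
-- auditing; needs SELECT on the DBA_* views.

-- 1. Is standard auditing on, and where does it go? AUDIT_SYS_OPERATIONS
--    covers SYSDBA/SYSOPER sessions, which never write to SYS.AUD$; their
--    records go to AUDIT_FILE_DEST (or syslog) on the OS.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations',
                'audit_file_dest', 'audit_syslog_level');

-- 2. Which statement and privilege audit options are enabled
--    (DBCA-created 11g databases typically enable a default set here).
SELECT user_name, audit_option AS what, success, failure
  FROM dba_stmt_audit_opts
UNION ALL
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY 2;

-- 3. Is the audit trail table itself audited? DEL/UPD/ALT show the
--    BY SESSION / BY ACCESS setting per option, or '-/-' when unaudited.
SELECT owner, object_name, del, upd, alt
  FROM dba_obj_audit_opts
 WHERE owner = 'SYS' AND object_name = 'AUD$';

-- 4. Home-grown auditing: database- or schema-level triggers on logon,
--    DDL or servererror. Whoever owns them can disable them, so they are
--    not a substitute for AUDIT_SYS_OPERATIONS.
SELECT owner, trigger_name, triggering_event, status
  FROM dba_triggers
 WHERE base_object_type IN ('DATABASE', 'SCHEMA')
 ORDER BY owner, trigger_name;

-- 5. Closing the gap check 3 usually finds: record deletions from AUD$ by
--    anyone other than SYS. TRUNCATE is DDL, so object auditing does not see
--    it; when SYS issues it, only AUDIT_SYS_OPERATIONS records it.
AUDIT DELETE ON sys.aud$ BY ACCESS;
```

Check 1 is the one that answers the original question: with AUDIT_TRAIL = NONE the options listed by checks 2, 3 and 5 exist but write nothing, so the triggers from check 4 would be the only thing producing records.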
-
I'm new to the forum/discussions so forgive me if this is already posted. I read through various posts and followed the troubleshooting in them, but I cannot access ASDM at all. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52, which shows as compatible with ASA 8.2(1). I am inside on a NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. The FW is passing traffic and everything else works fine. Please advise. Thank you.
JEREMY-ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 7.1(1)52
JEREMY-ASA# show run asdm
asdm image disk0:/asdm-711-52.bin
no asdm history enable
JEREMY-ASA# show run http
http server enable
http 192.168.1.0 255.255.255.0 inside
JEREMY-ASA# show run
: Saved
:
ASA Version 8.2(1)
!
hostname JEREMY-ASA
enable password OMIT encrypted
passwd OMIT encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.121.11.153 255.255.248.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec
OMIT BANNER STATEMENTS
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 250
logging trap informational
logging asdm informational
logging device-id ipaddress outside
logging host outside OMIT
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip audit attack action drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server FAILED
ssl encryption des-sha1
webvpn
username OMITTED password OMIT encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
crashinfo console disable
Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
: end
It is probably this line:
ssl encryption des-sha1
This weak encryption algorithm is not compatible with most modern browsers and the current Java releases that ASDM depends on. Try adding ciphers, for example:
ssl encryption des-sha1 aes256-sha1
Make sure that you have 3DES/AES activated first ('show version' or 'show activation-key' will confirm the feature license is active).
-
Help with site-to-site VPN on PIX 501
Hello
I'm pretty new to PIX firewalls, so I hope someone here can help me.
I have two PIXes and am trying to create a VPN between the two PIXes. I posted the configs below.
The problem is that I can ping PIX TWO from PIX ONE, but I can't ping the servers behind PIX TWO. From PIX TWO, I cannot ping PIX ONE or any of the servers behind it.
Any advice would be appreciated.
Thank you
PIX 1
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname TMAXWALES
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.198.139 255.255.255.248
ip address inside 192.168.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.254.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.198.138
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address *.*.198.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
PIX 2
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname tmaxbangor
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.198.138 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.84.7.111 255.255.255.255 inside
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.198.139
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address *.*.198.139 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
terminal width 80
Can't see anything obviously wrong with the configs. You have these connected back to back on the same subnet, it looks like, even though you have x'd out the IP addresses? If so it's maybe a routing problem, in that they send everything to the default gateway of xxx.x.198.137 rather than to each other.
Try adding a static route to the remote subnet on each PIX that points directly to the peer, so on PIX1 you should have:
route outside 192.168.1.0 255.255.255.0 xxx.x.198.138
and on PIX2 do:
route outside 192.168.254.0 255.255.255.0 xxx.x.198.139
and see if that makes a difference. Note that you wouldn't encounter this problem when these two PIXes are on separate networks and use the default gateway for all routing decisions.
If this still fails, run 'debug cryp isa' and 'debug cry ipsec' on the two PIXes while trying to build the tunnel again, and then send us the output.
Also, make sure in your tests that you're pinging from a host behind one PIX to a host behind the other PIX; pinging PIX to PIX or host to PIX won't test your VPN connection.
-
PPTP VPN and PPPoE client on PIX 501
Hello
Can I create a PPTP VPN client connection on a PIX 501 together with a PPPoE client connection to my ISP? The PPPoE IP is dynamic and the VPN will have a static IP address. They gave me a username and password for the VPN and for PPPoE. They also gave me an IP address for the VPN server.
What should happen is that the PPPoE connects, and the VPN then connects over it to work.
I can only get the PPPoE working, but I don't know how to do this with a PPTP VPN set up as well.
Here is my config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname neveroff
domain-name neveroff.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list incoming permit icmp any any echo-reply
access-list incoming permit icmp any any source-quench
access-list incoming permit icmp any any unreachable
access-list incoming permit icmp any any time-exceeded
pager lines 24
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any source-quench outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any timestamp-reply outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
access-group incoming in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxxxxxx
vpdn group pppoex ppp authentication chap
vpdn username xxxxxxxx password xxxxxxxx
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 192.168.1.1 168.210.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username neveroff password TEnlGTQMwqamBzMn encrypted privilege 2
terminal width 80
Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf
: end
Thank you
Etienne
Happy to help and please kindly mark the message as answered if you have not more than other questions. Thank you.
-
VPN PIX 506e to Linksys RV042?
I'm kind of a Cisco rookie and need help setting up a VPN:
I replaced a Netopia R910 with a Linksys RV042. I have set the parameters as best I could. I am trying to reconnect the site-to-site VPN from our network (private 192.168.0.x, public xxx.xxx.109.202) to the remote network (private 192.168.38.x, public xxx.xxx.131.50).
On the Linksys the VPN shows connected, but no traffic is passing. I can't ping anything on the remote subnet.
It worked fine with the R910 and no settings have changed on the PIX, other than new pre-shared keys that match.
Here is the PIX config; the RV042 config is attached as an image.
Thank you very much for your help!
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd *************** encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 FirstStreet
name 192.168.38.2 Sco
name xxx.xxx.130.94 FirstWan
name 192.168.4.0 Oakurst
name 192.168.7.0 Clovis
name 192.168.3.0 Madera
name 192.168.0.0 TomJ
name xxx.xxx.131.58 FMLFirst
name xxx.xxx.131.22 Integrity
name 192.168.6.0 TJhome
name 192.168.38.10 Server2
name xxx.xxx.117.182 ClovisPublicIP
name xxx.xxx.100.239 OakurstPublicIP
name xxx.xxx.174.185 MaderaPublicIP
name 192.168.38.64 VideoS1
object-group network FMLRemoteOffices
description Public IP's and Internal Subnets for All Remote Offices
network-object OakurstPublicIP 255.255.255.255
network-object MaderaPublicIP 255.255.255.255
network-object ClovisPublicIP 255.255.255.255
network-object xxx.xxx.109.202 255.255.255.255
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.38.248
access-list inside_outbound_nat0_acl permit ip any 192.168.38.248 255.255.255.248
access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq https
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Sage e-prescription service 8423
access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq 8423
access-list outside_access_in permit tcp any host xxx.xxx.131.53 eq 1202
access-list outside_access_in permit tcp any host xxx.xxx.131.52 eq 7000
access-list outside_cryptomap_20 permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
access-list outside_cryptomap_120 permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
access-list outside_cryptomap_100 permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
no pager
logging on
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.131.50 255.255.255.248
ip address inside 192.168.38.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCP 192.168.38.248-192.168.38.252
ip local pool DHCP39 192.168.39.1-192.168.39.254
pdm location Integrity 255.255.255.255 outside
pdm location 192.168.38.0 255.255.255.0 inside
pdm location FirstStreet 255.255.255.0 inside
pdm location FirstStreet 255.255.255.0 outside
pdm location Sco 255.255.255.255 inside
pdm location FirstWan 255.255.255.255 outside
pdm location Oakurst 255.255.255.0 outside
pdm location Clovis 255.255.255.0 outside
pdm location TJhome 255.255.255.0 outside
pdm location Madera 255.255.255.0 outside
pdm location TomJ 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location xxx.xxx.141.217 255.255.255.255 outside
pdm location 192.168.38.111 255.255.255.255 inside
pdm location 192.168.38.3 255.255.255.255 inside
pdm location FMLFirst 255.255.255.255 outside
pdm location xxx.xxx.130.15 255.255.255.255 outside
pdm location 128.0.0.0 128.0.0.0 outside
pdm location xxx.xxx.109.202 255.255.255.255 outside
pdm location Server2 255.255.255.255 inside
pdm location ClovisPublicIP 255.255.255.255 outside
pdm location OakurstPublicIP 255.255.255.255 outside
pdm location MaderaPublicIP 255.255.255.255 outside
pdm location 192.168.38.248 255.255.255.255 outside
pdm location TomJ 255.255.255.0 inside
pdm location VideoS1 255.255.255.255 inside
pdm location 192.168.38.21 255.255.255.255 inside
pdm group FMLRemoteOffices outside
pdm logging debugging 500
no pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.131.51
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.131.54 Server2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.131.53 192.168.38.21 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.131.52 VideoS1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.131.49 1
route inside FirstStreet 255.255.255.0 192.168.38.254 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 2:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http Integrity 255.255.255.255 outside
http xxx.xxx.141.217 255.255.255.255 outside
http xxx.xxx.109.202 255.255.255.255 outside
http 192.168.38.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ClovisPublicIP
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer OakurstPublicIP
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer xxx.xxx.174.234
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer MaderaPublicIP
crypto map outside_map 120 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.141.217 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ClovisPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.64.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.67.172 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address OakurstPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.24.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.174.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.88.137 netmask 255.255.255.255
isakmp key ******** address MaderaPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.109.202 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup FMLREASYVPN address-pool VPNDHCP
vpngroup FMLREASYVPN dns-server 192.168.38.3
vpngroup FMLREASYVPN idle-time 1800
vpngroup FMLREASYVPN password ********
vpngroup Brevium address-pool VPNDHCP
vpngroup Brevium dns-server 192.168.38.3
vpngroup Brevium idle-time 1800
vpngroup Brevium password ********
telnet 192.168.38.0 255.255.255.0 inside
telnet TomJ 255.255.255.0 inside
telnet timeout 5
ssh Integrity 255.255.255.255 outside
ssh 99.15.109.202 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNDHCP
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.38.3
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username admin password *********
vpdn username tonette password *********
vpdn username rosie password *********
vpdn username cts password *********
vpdn username MaderaFMLR password *********
vpdn username ruth password *********
vpdn username fogg password *********
vpdn username lanier password *********
vpdn username lanier2 password *********
vpdn username justin password *********
vpdn username mike password *********
vpdn username heather password *********
vpdn username Brevium password *********
vpdn username jeremiah password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password *************** encrypted privilege 15
terminal width 80
Cryptochecksum:******************************
: end
[OK]
For the NAT exemption, you must add the following:
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TomJ 255.255.255.0
-
PIX does not allow large packets
I can ping with -l 992, but it fails with -l 993.
Pinging 172.16.17.1 with 992 bytes of data:
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Ping statistics for 172.16.17.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Pinging 172.16.17.1 with 993 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.17.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I also see that connections to the devices in the DMZ are taking an excessively long time.
The MTU size on all interfaces is still the default value of 1500.
Hi Jimmysturn:
What has likely happened here is that you have an IP audit attack policy bound to your outside interface with the action 'drop' or 'reset' for all packets that match a signature in the attack category.
Signature 2151 (Large ICMP) will drop packets hitting the PIX outside interface, or passing through the PIX outside interface, when you ping with a large packet size (993+ bytes).
From your post, you must have the following IDS policy on your PIX:
ip audit name attackpolicy attack action drop
(or
ip audit name attackpolicy attack action drop alarm
or
ip audit name attackpolicy attack action alarm reset
or both)
If you want to ping with large packets, there are several things you can do:
(1) Remove the "attackpolicy" policy completely from your outside interface. This will turn off all of the IDS signatures in the attack category.
Look at this carefully and see if it is what you want to do.
To achieve the above, issue the following command:
no ip audit interface outside attackpolicy
(2) Turn off signature 2151 by running the command:
ip audit signature 2151 disable
That would disable only the Large ICMP attack signature while leaving the other attack-category IDS signatures ON.
(3) Set the signature action to log large ICMP packets (to a syslog server or the internal buffer) instead of dropping them. Again, this should be considered as carefully as option 1.
To achieve the above goal, issue the following command:
ip audit name attackpolicy attack action alarm
Hope this helps.
Please rate the post accordingly if you find it useful.
Sincerely,
Binh
-
ASA 5505 split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
When a user connected to the old 8.3(1) device they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16,
but now they can't, and in the logs I just see:
6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
Any tips? I have tried almost everything. The running configuration is:
: Saved
:
ASA Version 8.4(3)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.60.70.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 80.90.98.217 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.33.0.0_16
 subnet 10.33.0.0 255.255.0.0
object network NETWORK_OBJ_10.60.0.0_16
 subnet 10.60.0.0 255.255.0.0
object network NETWORK_OBJ_10.89.0.0_16
 subnet 10.89.0.0 255.255.0.0
object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object network tetPC
 host 10.60.10.1
 description test
object network NETWORK_OBJ_10.60.30.0_24
 subnet 10.60.30.0 255.255.255.0
object network NETWORK_OBJ_10.60.30.64_26
 subnet 10.60.30.64 255.255.255.192
object network SSHServer
 host 10.60.20.6
object network SSH_public
object network ftp_public
 host 80.90.98.218
object network rdp
 host 10.60.10.4
object network ftp_server
 host 10.60.20.2
object network ssh_public
 host 80.90.98.218
object service FTP
 service tcp destination eq 12
object network NETWORK_OBJ_10.60.20.3
 host 10.60.20.3
object network NETWORK_OBJ_10.60.40.192_26
 subnet 10.60.40.192 255.255.255.192
object network NETWORK_OBJ_10.60.10.10
 host 10.60.10.10
object network NETWORK_OBJ_10.60.20.2
 host 10.60.20.2
object network NETWORK_OBJ_10.60.20.21
 host 10.60.20.21
object network NETWORK_OBJ_10.60.20.4
 host 10.60.20.4
object network NETWORK_OBJ_10.60.20.5
 host 10.60.20.5
object network NETWORK_OBJ_10.60.20.6
 host 10.60.20.6
object network NETWORK_OBJ_10.60.20.7
 host 10.60.20.7
object network NETWORK_OBJ_10.60.20.29
 host 10.60.20.29
object service port_tomcat
 service tcp source range 8080 8082
object network TBSF
 subnet 172.16.252.0 255.255.255.0
object network MailServer
 host 10.33.10.2
 description Mail server
object service HTTPS
 service tcp source eq https
object network test
object network access_web_mail
 host 10.60.50.251
object network downtown_Interface_host
 host 10.60.50.1
 description Downtown Interface host
object service Oracle_port
 service tcp source eq sqlnet
object network NETWORK_OBJ_10.60.50.248_29
 subnet 10.60.50.248 255.255.255.248
object network NETWORK_OBJ_10.60.50.1
 host 10.60.50.1
object network NETWORK_OBJ_10.60.50.0_28
 subnet 10.60.50.0 255.255.255.240
object network brisel
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.191.191.0_24
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.60.60.0_24
 subnet 10.60.60.0 255.255.255.0
object-group service TCS_Service_Group
 description this group of Services offered is for the CLD's Clients
 service-object object port_tomcat
object-group service HTTPS_ACCESS tcp
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.0.0 255.255.0.0
 network-object 10.33.0.0 255.255.0.0
 network-object 10.60.0.0 255.255.0.0
 network-object 10.89.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
access-list OAKDCAcl remark backoffice
access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
access-list OAKDCAcl remark maint
access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
access-list osgd standard permit host 10.60.20.4
access-list osgd standard permit host 10.60.20.5
access-list osgd standard permit host 10.60.20.7
access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list snmp extended permit udp any any eq snmptrap
access-list snmp extended permit udp any any eq snmp
access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
access-list webMailACL standard permit host 10.33.10.2
access-list HBSC standard permit host 10.60.30.107
access-list HBSC standard deny 10.33.0.0 255.255.0.0
access-list HBSC standard deny 10.89.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
ip local pool test 10.60.50.1 mask 255.255.255.255
ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name ThreatDetection attack action alarm
ip audit interface inside ThreatDetection
ip audit interface outside ThreatDetection
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo outside
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
nat (inside,outside) source static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 destination static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 service any port_tomcat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
nat (inside,outside) source static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29 destination static MailServer MailServer
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
nat (inside,outside) source static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.60.10.10 255.255.255.255 inside
http 10.33.30.33 255.255.255.255 inside
http 10.60.30.33 255.255.255.255 inside
snmp-server host inside 10.33.30.108 community ***** version 2c
snmp-server host inside 10.89.70.30 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 84.51.31.173
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 98.85.125.2
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 220.79.236.146
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 159.146.232.122
crypto map outside_map 4 set ikev1 transform-set lux_trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 10.60.10.10 255.255.255.255 inside
telnet 10.60.10.1 255.255.255.255 inside
telnet 10.60.10.5 255.255.255.255 inside
telnet 10.60.30.33 255.255.255.255 inside
telnet 10.33.30.33 255.255.255.255 inside
telnet timeout 30
ssh 10.60.10.5 255.255.255.255 inside
ssh 10.60.10.10 255.255.255.255 inside
ssh 10.60.10.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 155.2.10.20 155.2.10.50 interface inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.60.10.10 configs/config1
webvpn
group-policy testTG internal
group-policy testTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol l2tp-ipsec
group-policy TcsTG internal
group-policy TcsTG attributes
 vpn-idle-timeout 20
 vpn-session-timeout 120
 vpn-tunnel-protocol ikev1
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
 address-pools value TCS_pool
group-policy downtown_interfaceTG internal
group-policy downtown_interfaceTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value downtown_splitTunnelAcl
group-policy HBSCTG internal
group-policy HBSCTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HBSC
group-policy OSGD internal
group-policy OSGD attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 group-lock value OSGD
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
group-policy OAKDC internal
group-policy OAKDC attributes
 vpn-tunnel-protocol ikev1
 group-lock value OAKDC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAKDCAcl
 intercept-dhcp 255.255.0.0 disable
 address-pools value OAKPRD_pool
group-policy mailTG internal
group-policy mailTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webMailACL
group-policy OAK-remote internal
group-policy OAK-remote attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAK-remote_splitTunnelAcl
 vpn-group-policy OAKDC
 service-type nas-prompt
tunnel-group DefaultRAGroup general-attributes
 address-pool OAKPRD_pool
 address-pool ipad
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 84.51.31.173 type ipsec-l2l
tunnel-group 84.51.31.173 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 98.85.125.2 type ipsec-l2l
tunnel-group 98.85.125.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 220.79.236.146 type ipsec-l2l
tunnel-group 220.79.236.146 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OAKDC type remote-access
tunnel-group OAKDC general-attributes
 address-pool OAKPRD_pool
 default-group-policy OAKDC
tunnel-group OAKDC ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group TcsTG type remote-access
tunnel-group TcsTG general-attributes
 address-pool TCS_pool
 default-group-policy TcsTG
tunnel-group TcsTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group downtown_interfaceTG type remote-access
tunnel-group downtown_interfaceTG general-attributes
 address-pool test
 default-group-policy downtown_interfaceTG
tunnel-group downtown_interfaceTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group TunnelGroup1 type remote-access
tunnel-group mailTG type remote-access
tunnel-group mailTG general-attributes
 address-pool mail_sddress_pool
 default-group-policy mailTG
tunnel-group mailTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group testTG type remote-access
tunnel-group testTG general-attributes
 address-pool mail_sddress_pool
 default-group-policy testTG
tunnel-group testTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OSGD type remote-access
tunnel-group OSGD general-attributes
 address-pool OSGD_POOL
 default-group-policy OSGD
tunnel-group OSGD ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HBSCTG type remote-access
tunnel-group HBSCTG general-attributes
 address-pool OSGD_POOL
 default-group-policy HBSCTG
tunnel-group HBSCTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 159.146.232.122 type ipsec-l2l
tunnel-group 159.146.232.122 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OAK-remote type remote-access
tunnel-group OAK-remote general-attributes
 address-pool OAK_pool
 default-group-policy OAK-remote
tunnel-group OAK-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
asdm history enable
Hi David,
I see that you have:
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
So, please make the following changes:
object network obj-10.60.30.0
 subnet 10.60.30.0 255.255.255.0
!
route outside 10.60.30.0 255.255.255.0 80.90.98.222
route outside 10.89.0.0 255.255.0.0 80.90.98.222
nat (outside,outside) 1 source static obj-10.60.30.0 obj-10.60.30.0 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 no-proxy-arp route-lookup
HTH
Portu.
Please rate all useful posts
Post edited by: Javier Portuguez
-
How to disable auditing for a specific user
Hi all
In our database the audit setting is db, extended, and the audit information resides in the SYSTEM tablespace.
For some reason we enabled auditing for a specific user:
AUDIT ALL BY TOMMY BY ACCESS;
AUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY BY ACCESS;
AUDIT EXECUTE ANY PROCEDURE BY TOMMY BY ACCESS;
It writes too much information and we want to disable this auditing for TOMMY. But we want to do it without restarting the database, because our system runs 24/7.
We enabled auditing for TOMMY without rebooting, but we can't turn it off without restarting:
NOAUDIT ALL BY TOMMY;
NOAUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY;
NOAUDIT EXECUTE ANY PROCEDURE BY TOMMY;
There is no error, but it still writes too much information. Please help: how can we disable it without a reboot?
2790572 wrote:
Hi all
In our database the audit setting is db, extended, and the audit information resides in the SYSTEM tablespace.
For some reason we enabled auditing for a specific user:
AUDIT ALL BY TOMMY BY ACCESS;
AUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY BY ACCESS;
AUDIT EXECUTE ANY PROCEDURE BY TOMMY BY ACCESS;
It writes too much information and we want to disable this auditing for TOMMY. But we want to do it without restarting the database, because our system runs 24/7.
We enabled auditing for TOMMY without rebooting, but we can't turn it off without restarting:
NOAUDIT ALL BY TOMMY;
NOAUDIT DELETE TABLE, INSERT TABLE, SELECT TABLE, UPDATE TABLE BY TOMMY;
NOAUDIT EXECUTE ANY PROCEDURE BY TOMMY;
There is no error, but it still writes too much information. Please help: how can we disable it without a reboot?
The change applies only to new sessions opened by TOMMY.
So at a minimum all existing sessions belonging to TOMMY need to be terminated.
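A verification sequence for the answer above, added here as an example and not taken from the thread: it assumes traditional (non-unified) auditing with audit_trail=db,extended as the question describes, the standard dictionary views, and a DBA account running it. It confirms the NOAUDIT statements actually cleared the options, lists the pre-existing TOMMY sessions that keep the old audit settings until they end, and generates the termination statements for review.

```sql
-- Added example (not from the thread). Run as a DBA on the database in question.

-- 1. Statement-level audit options still in force for TOMMY.
--    After the NOAUDIT statements in the question this should return no rows;
--    any row left here means the NOAUDIT did not cover that option.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name = 'TOMMY';

-- 2. System-privilege audit options (EXECUTE ANY PROCEDURE) still in force for TOMMY.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name = 'TOMMY';

-- 3. Sessions TOMMY opened before the NOAUDIT: these carry the audit options
--    they logged on with and keep writing to SYS.AUD$ until they disconnect.
SELECT sid, serial#, logon_time, status, machine, program
  FROM v$session
 WHERE username = 'TOMMY'
 ORDER BY logon_time;

-- 4. Generate the termination statements instead of typing sid/serial# by hand.
--    Review the output first; IMMEDIATE rolls back any open transaction in the session.
SELECT 'ALTER SYSTEM KILL SESSION ''' || sid || ',' || serial# || ''' IMMEDIATE;' AS stmt
  FROM v$session
 WHERE username = 'TOMMY';

-- 5. After the old sessions are gone and TOMMY has reconnected, confirm that no
--    new audit records arrive (adjust the window to the time of the NOAUDIT).
SELECT username, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'TOMMY'
   AND timestamp > SYSDATE - 1/24
 ORDER BY timestamp DESC;
```

On a RAC database substitute GV$SESSION and append '@' || inst_id to the sid,serial# string in step 4 so each instance's sessions are addressed.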
-
Tip to avoid button presses during page load?
APEX: Application Express 4.2.6.00.03
I have two or three "intentionally" slow and heavy pages, and end users happily press the buttons repeatedly and get harmless error messages.
I would like to avoid the "resubmit" situation and the "error messages" when trying to repost.
Any good tips to do just that, hopefully ones that remain compatible with future Oracle APEX versions?
1.) A page attribute that shows a "spinner" until the page is fully rendered?
I would like to avoid the 3331 error when the page is set to prevent it being re-posted, or to avoid the message about the page protection violation when a repost is allowed.
For example, show a "spinning wheel" or "progress bar" which blocks the user's buttons?
2.) Or have this "spinner" specific to a region, so the region shows a "spinner" until it is fully loaded.
3.) Or how to display the buttons placed on the page only after the "big jobs" are done?
4.) Or some other method?
rgrds Paavo
Paavo wrote:
Actually, that is the question, if we leave the decision of which approach to take to development:
- make all the button actions dynamic, and have everything (e.g. anonymous PL/SQL) driven by dynamic action procedures instead of running PL/SQL procedures after the page submit
- or do page submit processes (the pre-dynamic-action era APEX method) with no dynamic actions and no PL/SQL code on the button
APEX is basically PL/SQL.
So in order to generate an APEX page, PL/SQL code has to run. To refresh a report region, PL/SQL code must be executed. To process the items on a web page in order to update/insert/delete data in the database, PL/SQL code must be executed. Etc.
This code can be executed in 2 ways.
Submit the entire page to the APEX engine flow. It builds a whole new page. This page is sent to the browser to replace the content of the existing window, and the new content is rendered in that browser window.
Use Ajax (JavaScript calls) to call the APEX engine flow (aka dynamic action/process). It creates a response (XML, HTML, JSON, etc.). This response is returned, and JavaScript is used to process it and update objects on the page (e.g. add/update/refresh in the DOM).
Both ways are needed, as
(a) we want to send a new page to the web browser at times
(b) we want to update an existing web page in the web browser at times
So it is not a matter of choosing one way. Both are relevant. Both are needed to create Web 2.0 type applications with rich and interactive interfaces.
I'm just afraid of accidentally having 2 similar PL/SQL submit processes firing, one as a dynamic action and one in the after-submit processing.
It's a question of developer and development life cycle.
It comes down to knowledge. Know what the differences between page processes and dynamic actions are, and when to use which to achieve the goal at hand.
Let's say we have a report with a slow query, and the report region takes time to load. But this report is not required by the end user, and they could continue pressing the buttons while that specific region is still loading.
Press the buttons to do what? And why would the user click the buttons when the report data is not yet ready for display?
The JavaScript engine doesn't have a POSIX/Windows type thread model. By default, its calls are non-blocking and use events. See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/EventLoop for more details.
Designing concurrent processing systems well is not exactly a walk in the park. And that's true in JavaScript too.