Client access FTP and object-group
Hello
Can someone help? We want to make an object group for some of our employees to have access to the office FTP server.
All I want is to create a group of key members of staff who can download files from any FTP server but are denied anything else.
We use ISA Server for web and FTP access, but FTP never seems to work fully through ISA, so we would rather pass key personnel around it.
So far I have tried these parameters, but user 192.168.2.30 is always denied?
object-group network FTP-access
 network-object host 192.168.2.30
access-list inside extended permit tcp any object-group FTP-access eq ftp
Thank you
Clint
Thank you... mark the post as solved, which can help others... rate replies if found useful.
REDA
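A corrected version of the posted rules for an ASA, added here as an example rather than taken from the thread's answer: in an `access-list` the source comes before the destination, so an object-group placed after `any` restricts the FTP *server*, not the staff workstation. The ACL name `inside_access_in`, the group name `FTP-USERS` and the assumption that the rest of 192.168.2.0/24 keeps its existing access are mine.

```cisco
! Staff workstations allowed to use FTP (only one host in the original post)
object-group network FTP-USERS
 network-object host 192.168.2.30
! Source (the group) first, destination (any FTP server) second.
! ftp-data is deliberately not listed: FTP inspection opens the data channel.
access-list inside_access_in extended permit tcp object-group FTP-USERS any eq ftp
! Explicit deny so these hosts get nothing else. ACLs end in an implicit deny,
! but the next line permits the rest of the LAN, so this deny must come first.
access-list inside_access_in extended deny ip object-group FTP-USERS any
! Assumption: everyone else on the LAN keeps unrestricted outbound access
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group inside_access_in in interface inside
! FTP inspection follows the PORT/PASV exchange and admits the data connection
! without a broad ACL entry; it is part of the default global policy
policy-map global_policy
 class inspection_default
  inspect ftp
! Checks: hit counts per ACE, and a simulated control-channel packet
! show access-list inside_access_in
! packet-tracer input inside tcp 192.168.2.30 1025 203.0.113.10 21
```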
Tags: Cisco Security
Similar Questions
-
Access control and security group
Hi all
I need to know about access control and which approach is suitable (security groups or roles) if I have a scenario like this:
i. There are 2 different apps, namely ARA (96 branches with different types of reports) and TRACS400 (6 branches with different types of reports).
ii. In ARA, users of Branch01 can NOT check Branch02.
iii. The report types of Branch01 and Branch02 are different.
iv. In Branch01, some reports are read only (cannot download) and some are read and write (downloadable).
My questions are:
1. From the above scenario, do I need to create all 96 security groups and assign them to different roles?
2. How can I control read and write access? I have tested READ access and the user is still able to download the report.
3. How can I control, for Branch01, that report Type A is read only and report Type B has read and write access?
4. I noticed that if I use accounts, the number of security groups that can be used is limited to 50 only. Is this good? I may add another application later in the future; these 2 are for test only. But if I do not use accounts, can any number of security groups be used?
Appreciate for your help.
Hi aziela
As mentioned by friends on the forum, it is advisable to have the minimum number of security groups given their impact on the scalability of the application (rule of thumb). Accounts provide the best security solution with respect to the group-view dimension.
A security group corresponds to a role, and the role is mapped to users. The permissions are obtained at the role-SG level.
Accounts are mapped directly to users, so you can have precise control at the user level (eliminating the abstraction of the role).
All these aspects impact performance; the rule of thumb is mentioned in the documentation. In general, if a user belongs to many groups and accounts, it will take more time to process a content request for this user.
W.r.t. preventing read-only users from downloading content, there is a setting; please try the option mentioned in this link: http://docs.oracle.com/cd/E14571_01/doc.1111/e10792/e01_interface001.htm#CACCFHHA
W.r.t. the performance calculation, see http://docs.oracle.com/cd/E14571_01/doc.1111/e10792/c03_security003.htm#CSMSP143
Hope this helps
-
all the nodes property objects and objects grouped
Hello
I currently position the objects on my GUI in the center of the screen using property nodes. However, I don't want to have a property node for each decoration, image and control. Is it possible to group all the objects and then use one property node to position them? I tried to use the property node for all objects, but none of the properties seem to apply to my group of objects.
Help please!
Thank you very much.
John
p.s. I uploaded my test VI. The graph, the decoration and the exit button have been grouped. See "control over check.vi" to set the object to be moved.
Tab pages are a great way to group GUI objects.
Rather than using a decoration,
- use a tab control
- delete everything except the first tab
- hide the tabs
- set the properties of the tab control, and the controls on that page move, hide and display along with the tab control.
I hope this helps,
Ben
-
Another problem with the configuration of Cisco VPN Client access VPN Site2site
We have a Cisco ASA 5505 at our corp. branch. I configured a site-to-site VPN to our colo, which has a Juniper SRX220h; to another site it works well, but when users connect from home with the Cisco VPN client, they cannot ping or SSH through the site-to-site. I contacted JTAC and they said it is not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after 3 days (including Friday of last week) of searching the Internet for more than 6 hours per day and trying different examples from other users. NO LUCK. The VPN client shows the secured route 10.1.0.0.
Sorry to post this, but I'm frustrated and the boss is breathing down my neck to complete it.
CORP network 192.168.1.0
VPN IP pool 192.168.12.0
Colo internal IP range 10.1.0.0
Also, here's an example of my ASA config:
: Saved
:
ASA Version 8.2(1)
!
hostname lwchsasa
names
name 10.1.0.1 colo
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 backup interface Vlan12
 nameif outside_pri
 security-level 0
 ip address 64.20.30.170 255.255.255.248
!
interface Vlan12
 nameif backup
 security-level 0
 ip address 173.165.159.241 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NY
 network-object 192.168.100.0 255.255.255.0
object-group service BSRO-3387 tcp
 port-object eq 3387
object-group service BSRO-3388 tcp
 port-object eq 3388
object-group service BSRO-3389 tcp
 port-object eq 3389
object-group service OpenAtrium tcp
 port-object eq 8100
object-group service Proxy tcp
 port-object eq 982
object-group service VOIP10K-20K udp
 port-object range 10000 20000
object-group network clientvpn
 network-object 192.168.12.0 255.255.255.0
object-group service APEX-SSL tcp
 description Apex Dashboard Service
 port-object eq 8586
object-group network CHS-Colo
 network-object 10.1.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object host 64.20.30.170
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object icmp traceroute
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq sqlnet
 service-object tcp eq ssh
 service-object udp eq www
 service-object udp eq tftp
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp eq ssh
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group clientvpn
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list inside_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list outside_pri_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq www
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq https
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq 8100
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq ssh inactive
access-list outside_pri_access_in extended permit icmp any any echo-reply
access-list outside_pri_access_in extended permit icmp any any source-quench
access-list outside_pri_access_in extended permit icmp any any unreachable
access-list outside_pri_access_in extended permit icmp any any time-exceeded
access-list outside_pri_access_in extended permit tcp any 64.20.30.168 255.255.255.248 eq 8586
access-list levelwingVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list levelwingVPN_splitTunnelAcl standard permit 10.1.0.0 255.255.255.0
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list backup_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.12.0 255.255.255.0
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list VPN-Corp-Colo extended permit object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OUTSIDE-NAT0 remark NAT0 VPN client to remote site
access-list OUTSIDE-NAT0 extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2LVPN extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm warnings
logging rate-limit unlimited level 4
flow-export destination inside 192.168.1.1 2055
flow-export template timeout-rate 1
mtu inside 1500
mtu outside_pri 1500
mtu backup 1500
ip local pool LVCHSVPN 192.168.12.100-192.168.12.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 5
icmp permit any inside
icmp permit any outside_pri
no asdm history enable
arp timeout 14400
nat-control
global (outside_pri) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside_pri) 0 access-list OUTSIDE-NAT0
nat (backup) 0 access-list backup_nat0_outbound
static (inside,outside_pri) tcp interface https 192.168.1.45 https netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface www 192.168.1.45 www netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns
static (inside,inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns
access-group outside_pri_access_in in interface outside_pri
route outside_pri 0.0.0.0 0.0.0.0 64.20.30.169 1 track 1
route backup 0.0.0.0 0.0.0.0 173.165.159.246 254
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:30:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 1:00:00 absolute uauth 1:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 981
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside_pri
http 0.0.0.0 0.0.0.0 backup
snmp-server group Authentication_Only v3 auth
snmp-server host inside 192.168.1.47 poll community lwmedia version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sla monitor 123
 type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside_pri
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 1 match address outside_pri_1_cryptomap
crypto map outside_pri_map 1 set pfs
crypto map outside_pri_map 1 set peer 50.75.217.246
crypto map outside_pri_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_pri_map 2 match address outside_pri_cryptomap
crypto map outside_pri_map 2 set peer 216.59.44.220
crypto map outside_pri_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 2 set security-association lifetime seconds 86400
crypto map outside_pri_map 3 match address outside_pri_cryptomap_1
crypto map outside_pri_map 3 set peer 216.59.44.220
crypto map outside_pri_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_pri_map interface outside_pri
crypto isakmp identity address
crypto isakmp enable outside_pri
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside_pri
!
dhcpd address 192.168.1.51-192.168.1.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain LM interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
webvpn
 port 980
 enable inside
 enable outside_pri
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol IPSec svc
group-policy levelwingVPN internal
group-policy levelwingVPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value levelwingVPN_splitTunnelAcl
username aard password Z74.JN3DGMNlP0H2 encrypted privilege 0
username aard attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username rcossentino password 4UpCXRA6T2ysRRdE encrypted
username rcossentino attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username bcherok password evwBWqKKwrlABAUp encrypted
username bcherok attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username rscott password nIOnWcZCACUWjgaP encrypted privilege 0
username rscott attributes
 vpn-group-policy levelwingVPN
username sryan password 47u/nJvfm6kprQDs encrypted
username sryan attributes
 vpn-group-policy levelwingVPN
 service-type nas-prompt
username cbruch password a8R5NwL5Cz/LFzRm encrypted privilege 0
username cbruch attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username apellegrino password yy2aM21dV/11h7fR encrypted
username apellegrino attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username rtuttle password 79ROD7fRw5C4.l5 encrypted privilege 0
username rtuttle attributes
 vpn-group-policy levelwingVPN
username levelwingadmin password vJFHerTwBy8dRiyW encrypted privilege 15
username nbrothers password Amjc/rm5PYhoysB5 encrypted privilege 0
username nbrothers attributes
 vpn-group-policy levelwingVPN
username clong password z.yb0Oc09oP3/mXV encrypted
username clong attributes
 vpn-group-policy levelwingVPN
 service-type remote-access
username finance password 9TxE6jWN/Di4eZ8w encrypted privilege 0
username finance attributes
 vpn-group-policy levelwingVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive disable
tunnel-group 50.75.217.246 type ipsec-l2l
tunnel-group 50.75.217.246 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group levelwingVPN type remote-access
tunnel-group levelwingVPN general-attributes
 address-pool LVCHSVPN
 default-group-policy levelwingVPN
tunnel-group levelwingVPN ipsec-attributes
 pre-shared-key *
tunnel-group 216.59.44.221 type ipsec-l2l
tunnel-group 216.59.44.221 ipsec-attributes
 pre-shared-key *
tunnel-group 216.59.44.220 type ipsec-l2l
tunnel-group 216.59.44.220 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
!
!
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ed7f4451c98151b759d24a7d4387935b
: end
Hello
It seems to me that you've covered most of the things.
However, you have not configured the L2L VPN to say that traffic between the VPN pool and the colo network should go into the tunnel:
access-list outside_pri_cryptomap extended permit ip 192.168.12.0 255.255.255.0 object-group CHS-Colo
Naturally the remote end must also have the corresponding configuration for the VPN client users to be able to pass traffic to the colo site.
-Jouni
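The three pieces the client-to-colo path needs on this ASA 8.2 box, collected as an added example (not part of the thread): the first two are already in the posted config and only the third line is new, which is the change described above. The peer and pool addresses are the ones from the post.

```cisco
! 1. Hairpinning: decrypted VPN-client traffic must be allowed to leave
!    through the same interface it arrived on (already present above)
same-security-traffic permit intra-interface
! 2. NAT exemption for pool -> colo on the outside interface (already present)
access-list OUTSIDE-NAT0 extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (outside_pri) 0 access-list OUTSIDE-NAT0
! 3. The missing piece: the L2L crypto ACL must also name the client pool,
!    otherwise pool -> colo packets never match the static crypto map entry
!    and are dropped instead of being encrypted toward the SRX
access-list outside_pri_cryptomap extended permit ip 192.168.12.0 255.255.255.0 object-group CHS-Colo
! The SRX must carry the mirror-image proxy ID / policy (192.168.12.0/24 <-> 10.1.0.0/24).
! Checks: the colo peer's SA should now list 192.168.12.0/24 alongside
! 192.168.1.0/24, and a simulated client packet should end in an ENCRYPT phase
! show crypto ipsec sa peer 216.59.44.220
! packet-tracer input outside_pri tcp 192.168.12.100 1025 10.1.0.1 22
```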
-
SKIP Procotol and Protocol-groups of objects
Hello all,
We are trying to migrate from Checkpoint to PIX 7.0.4. Hit a bit of a problem:
PIX allows the creation of object-groups of different types. I am trying to create a protocol group (called "test-group"), and it must contain the protocols I need. Here these are ah, esp and SKIP.
However, only ah and esp are available. Is it possible to add SKIP?
Any help much appreciated.
Kind regards
Gary
I think that you should use the protocol number (57?):
object-group protocol test
 protocol-object 57
-
For TMS Win2008 Server and SQL Server client access licenses?
Somewhere I read that the TMSXE interface requires a CAL on the Exchange Server. What I can't seem to locate is any information about how many client access licenses are required for Win2008 R2 Server Standard Edition and SQL Server 2008 R2 Standard. Is there a reference document that I'm missing with this information? It seems that according to Microsoft's definitions, you might need a CAL per user, device and/or managed system that connects to the web interface.
Can someone clarify the situation?
Hello all,
So as to close this thread, I have now clarified the following when it comes to TMS and MS licenses:
Users and administrators connecting to TMS authenticate against AD, so the server that hosts TMS must be licensed to support authenticated connections. Managed devices do not authenticate against AD when they connect to the TMS web server. As a result, and as managed devices do not authenticate against IIS with an AD login, these types of connections do not require licenses. Only users who connect to the web site would.
The issue with Exchange and SQL is similar, that is, how are authenticated connections made?
Per MSDS, all connections to SQL Server use the same authenticated account, which by default uses a SQL login. Web site users are not authenticated to SQL Server. Therefore, in the case of an external SQL Server, this would be equal to one.
When communicating with Exchange, all connections are made through a single service account. The mailboxes created for managed systems are not connected to by users or by MSDS for normal operation. As a result, and as with an external SQL Server, this would also be equal to one.
Hope that clarifies it completely now.
Rgds,
Dale
-
Hello
I need to get the list of all hosts and the clusters they belong to at the vCenter folder level.
1. I created a view using the extension point vsphere.core.folder.monitorViews.
2. After this step, I wrote the constraint in my mediator class as:
var ListConstraint:Constraint = QuerySpecUtil.createConstraintForRelationship(_contextObject, 'childEntity');
I was expecting a list of all child entities such as hosts, DCs, clusters... But I got only the immediate child object, which is only the Datacenter, as my result.
Is it possible to get all hosts and clusters at the vCenter folder level? I need the entire list for the vCenter (highest level).
Other info:
The Folder object has only two properties:
1. childEntity - list of entities
2. childType - kind of folder ('Virtual Machine', 'Datacenter'...)
Is it possible to write a constraint specifying which list of childEntities I need using childType?
Example: give me the childEntities that have a 'Host' and 'Cluster' childType but not the ones whose childType does not have these two types.
In addition, at this level, I could see the 'Related Objects' tab which has all the information I need, such as clusters and hosts on the Clusters tab and Hosts tab respectively.
So I think it is possible to get this list at the vCenter folder level.
I have attached a screenshot representing the need. Kindly ignore the naming conventions in there since I edited the example that comes with the SDK.
Query:
1. How can I get the host and cluster (relationship table) list at the vCenter folder level or even at the level of vise.global.view?
2. Once I get this list, is it possible for me to manipulate that list and send the new list to the UI?
3. Is there another way to do the same thing without the help of model classes and a mediator?
Pointers on this will be very useful.
It is not possible to obtain all hosts of a specific vCenter folder from a single Data Manager query. You need to get the list of datacenters first and then get the list of hosts of each datacenter.
It is best to make these repeated requests at the Java level and return only the list that you want to the user interface.
You can get all the HostSystem objects with a simple query using a constraint with targetType = 'HostSystem', but you will need to eliminate those from other vCenter servers. See how the chassis example queries all hosts at the Java layer in the getHosts() method: samples/chassis-app/chassisRackVSphere-service/src/main/java/com/vmware/samples/chassisRackVSphere/ChassisRackVSphereDataAdapter.java
Another option is to use the vSphere Web Services SDK to browse vCenter. See the vSphere management forum for help on these APIs. See this sample plugin using that SDK:
samples/vsphereviews/vsphere-wssdk-provider/src/main/java/com/vmware/samples/wssdkprovider/VmDataProviderImpl.java
-
The groups C3750G and object based ACL
Hi All,
Is Object Groups based ACLs supported on C3750G switches? I could not find anything on the Cisco web site about this.
Hello
Check out the link below on the subject of object-group ACLs. It is supported from the 12.4(20)T release, but I do not think it is supported on the Cisco 3750G switch series, from what I see in the Cisco Feature Navigator. Hope this helps!
Rate the post if found useful.
Ganesh.H
-
Privileges of access and object privileges
Version: 10gR2 and above
I'm a bit confused about the differences between system and object privileges.
Documentation:
A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.
CREATE ANY TABLE, for example: GRANT CREATE ANY TABLE TO SCOTT, is a system privilege,
and CREATE TABLE, for example: GRANT CREATE TABLE TO SCOTT, is an object privilege.
Right?
CREATE ANY TABLE and CREATE TABLE are both system privileges.
Think of object privileges as privileges pertaining to a particular instance of an object.
For example, GRANT SELECT on a specific table is an object privilege because it applies to the particular object named in the grant statement. However, GRANT SELECT ANY TABLE is a system privilege because it is a privilege that allows you to issue selects against all tables.
You can find a list of the system and object privileges here.
HTH!
-
IPSec site to site VPN cisco VPN client routing problem and
Hello
I'm really stuck with the configuration of an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN remote client access to this VPN.
The problem is with remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.
On the spokes there is no Cisco hardware, only D-Link routers.
Someone told me that it is possible to use NAT to translate the remote-access client IPs into the hub LAN and thus allow communication, but I'm unable to set it up and get it working.
Can someone help me please?
Thank you
Peter
SPOKES - not Cisco devices / another vendor
Cisco 1841 HSEC HUB:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!
How has the D-Link been configured for the traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the D-Link? If you can, then you must add the VPN client pool subnet.
Alternatively, if you cannot add multiple subnets on the D-Link router, you can change the VPN client pool to 192.168.6.0/24, and on the crypto ACL of the site-to-site VPN you must edit the existing ACL 180
FROM:
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the split-tunnel ACL 190:
FROM:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, on the D-Link change the remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.
Hope that helps.
-
Configure NAT for object-group 8.3
I'm working on a project to simplify our routing by NAT'ing the IP addresses of our S2S VPN peers' hosts. Currently we have a bunch of routes pointing to different destinations that are created by the S2S VPNs. I would like to NAT all these destinations into a single IP subnet, but I have a question about the configuration.
As you can see, we are not currently NAT'ing anything:
***************************************************************************************************************************************************************
nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOSTS THEIR_HOSTS no-proxy-arp route-lookup
object-group network OUR_HOSTS
 network-object object VIP1
 network-object object VIP2
object network VIP1
 host 10.200.125.32
object network VIP2
 host 10.200.120.32
object-group network THEIR_HOSTS
 network-object host 192.168.15.100
 network-object host 192.168.15.130
 network-object host 192.168.15.15
********************************************************************************************************************************************************************
What I would like to do is NAT THEIR_HOSTS to 10.200.192.x/24 addresses. Can I NAT those to one address and overload the NAT, or must it be one address for each of these 3 hosts? I'm fine either way. Whichever would be easier to do, please point me in the right direction.
Thank you!
Hello
Everything else seems fine, but the object-groups after "destination static" are the wrong way round.
First must come the object-group that contains the NAT IP addresses, and second the object-group holding the real IP addresses of the destination hosts.
-Jouni
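One way to carry out the rewrite asked about above, added as an example and not taken from the poster's or Jouni's config: rather than one address per host or an overloaded address, a static net-to-net translation maps 192.168.15.0/24 onto 10.200.192.0/24 and keeps the host bits, so 192.168.15.100 is reached as 10.200.192.100. The object names THEIR_NET and THEIR_NET_MAPPED are mine; OUR_HOSTS, THEIR_HOSTS and the addresses come from the post.

```cisco
! Real remote network as it exists on the far side of the S2S tunnel
object network THEIR_NET
 subnet 192.168.15.0 255.255.255.0
! Block the inside users will address instead; a single route covers it
object network THEIR_NET_MAPPED
 subnet 10.200.192.0 255.255.255.0
! Twice NAT. Operand order is the point raised above:
!   source static REAL MAPPED   but   destination static MAPPED REAL
! Inside hosts send to 10.200.192.x; the ASA untranslates to 192.168.15.x
! before the crypto map lookup, so the existing crypto ACL built on
! THEIR_HOSTS keeps matching the real addresses and needs no change.
nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_NET_MAPPED THEIR_NET no-proxy-arp route-lookup
! Checks: the translation table, and a simulated packet from VIP1 (10.200.125.32)
! to the mapped address of 192.168.15.100, which should show the NAT
! untranslate phase followed by the VPN encrypt phase
! show nat detail
! packet-tracer input inside tcp 10.200.125.32 1025 10.200.192.100 443
```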
-
Hi all
Recently I had some problems with my 892 router and maybe I can find the answer here.
I have two network object-groups:
object-group network net1
 192.168.1.0 255.255.255.0
object-group network net2
 192.168.2.0 255.255.255.0
Two ACLs:
ip access-list extended acl-net12
 permit ip object-group net1 object-group net2
ip access-list extended acl-net12-new
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
A single crypto map:
crypto map vpn 1 ipsec-isakmp
 description Network2
 set peer xx.xx.xx.xx
 set security-association lifetime seconds 28800
 set transform-set 3des-sha
 match address acl-net12
When the match address is set to acl-net12, I can't ping my router on the external interface and the tunnel works very badly (15-20% packet loss).
If I change the match address from acl-net12 to acl-net12-new, then I can ping my router on the external interface and the VPN works well.
I also have an ACL (applied on the external interface) allowing ping, but it seems that this does not work when acl-net12 is used in the crypto map:
ip access-list extended outside_acl
 remark allow ping
 permit icmp any any echo
 permit icmp any any echo-reply
What I am doing wrong?
Maybe someone can help me.
Thank you.
In my final tests with object-groups in crypto ACLs, I found that the content was changed to "permit ip any any", which is usually not a desired configuration. I guess it's a bug or a feature that is not yet implemented.
Until that is fixed, you must configure the VPN without object-groups. BTW: which IOS version are you running? I have not tested it with the new 15.2 versions.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
The objective is that the AnyConnect user must select a group-alias, so that when a user enters his username and password he goes to his specific group policy and tunnel-group. As I removed this command in webvpn ("no tunnel-group-list enable"), I cannot connect (the user does not authenticate).
1 - My question is why does this not work?
Solution:
If I keep only a single default tunnel-group and make several group policies, assigning each user his specific group policy, it works. In the user attributes, if I have only the following commands it works, but if I put "group-lock value test-tunnel" it does not authenticate.
Please explain why.
webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
username test password test
username test attributes
 vpn-tunnel-protocol svc
 group-lock value test-tunnel
 vpn-group-policy test-gp
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes
 group-url https://192.168.168.2/test enable
Yes, you have the right solution. You only need to create 1 tunnel-group and multiple group policies. Under the user attributes, you then assign the VPN group policy that you want the user assigned to.
You can also authenticate users against AD and configure an LDAP attribute map to map the user to a specific group policy automatically.
Here is an example configuration if you happen to have AD and will authenticate against AD:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Hope that helps.
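The reply mentions mapping AD users to a group policy with an LDAP attribute map. As an added example (not from the thread or the linked Cisco document), this is the shape such a configuration takes on the ASA, reusing the single tunnel-group and the test-gp policy from the question. The server address, DNs, AD group name, aaa-server name and the NOACCESS policy name are constructed placeholders.

```cisco
! Added example: assign group-policy from AD group membership.
! memberOf values returned by AD are matched against map-value entries;
! a matching user receives the named group-policy.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Test,OU=Groups,DC=example,DC=com" test-gp

! LDAP server definition (placeholder host, DNs and bind account).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-MAP

! Catch-all policy: users who authenticate but match no map-value land
! here and are refused a session, so AD membership stays the gate.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Single tunnel-group as in the question; default policy is the catch-all.
tunnel-group test-tunnel general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

The NOACCESS default matters: without it, any valid AD account that is not in a mapped group would inherit the tunnel-group's default policy and connect. "show vpn-sessiondb anyconnect" reports which group-policy a connected user actually received, which is the quickest way to confirm the mapping took effect.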
-
Dreamweaver to CFB (FTP and other gripes)
I 'get' the potential benefits of moving from Dreamweaver to CFB. I watched all the videos and read the manual, and I love the integration with Flex.
BUT
It seems that very little attention was put into the FTP and synchronization tools...
Ideally:
I want to set the FTP destination address for each project (at the moment even if I ask for a subdirectory, it shows me the top-level root and I have to go down every time to the destination I want to upload to).
I don't want to see, or have the ability to edit, remote files by default.
Accidents happen and I would prefer that they happen locally.
Accidental deletion of a directory remotely could be disastrous.
When the FTP client is busy, the rest of the IDE falls asleep. Dreamweaver sorted this out two versions ago.
It seems there is no way to stop the interaction with the remote server.
So, until these (fairly basic) issues are sorted out, I'll probably use FB for playing with CF9 and return to Dreamweaver to use its robust FTP tools (which just leaves me with the version control issues now that I have to put my FB source files in the wwwroot on my local server). Once again a real pain!
Does everyone have these problems - or has anyone worked out how to get around them?
R8_UK
R8_UK, I hear your concerns, and they are quite common. I hope I can answer (and solve) some of them here for you.
First of all, I use the FTP feature all the time and it never makes the IDE "sleep". You can enable the Progress view (Window > Show View > Other > General > Progress). It will tell you what FTP processes are running. It will also include other processes happening in the editor. You might be surprised to find something else causing the "sleeps" you sense.
As you say "it shows me the top-level root and I have to drill down every time to the destination I want to upload to", again I do not have this problem. Have you perhaps made a mistake in setting up the FTP connection? Of course, changing them is difficult. Go to the File view, and you will see what FTP connections (FTP or SFTP) you have made.
Or do you mean that you use the File view and that it is on opening that it makes you drill down? Well, you don't need to do that. You can instead connect your project to an FTP connection (either in the project properties and its Synchronization section, or just with a right-click anywhere in the project and select Synchronize > Create New Synchronize Connection).
If you do this, then it also solves a common complaint I've heard from some, that it is complicated to transfer by FTP in CFBuilder. Well, I just do it like this: right-click the file (or the editor space of the file I am working on, such as after changing and testing it locally), then choose Synchronize > Upload. Bang, done.
There is also a more evolved "synchronize" feature that allows you to do more (including comparing the contents of a local file with the remote one, which comes in really handy). There is a still more advanced interface in Window > Show View > Other > HTML Standard Views > Synchronize Explorer. The last two come closer to the two-pane local/remote file management interface that some expected from DW.
Of course, different people have different needs for FTP access. You say you don't want to edit files directly on the remote server. I hope what I shared above helps you. But those who do like to edit on the remote server (indeed, at their own risk) will moan that they wish they did not have to make this simple manual effort to upload it again: they want save to upload. I don't know if we can ever expect that in a local project in Eclipse. It goes right against the grain of best development practices and this is an area where it is maybe a good thing if the IDE lets that habit go.
So far, however, they can indeed use the File view, which provides direct access to a remote server and its files. With this, you open the remote file in the IDE, and when you save it, it is pushed immediately to the server.
Hope this helps you (and others) with your dismay with CFB and FTP. Come on in, the water's fine. (But I grant you that is a parent's statement. If you're still not sold, keep stressing your concerns.)
/Charlie
-
I can't get the Mail and Newsgroups folder to appear, only a specific folder
When I logged into Thunderbird tonight, the Mail and Newsgroups folder that I usually see did not appear. Unfortunately, only a specific folder opens and I'm unable to click the Windows tab and select this option. I restarted. I closed Thunderbird and it does not work. The strange thing is that it works fine on my old home PC. It's my Mac laptop which is problematic. Can you please help? I have important files that I need to access ASAP.
Hello
To better help you with your question, please provide us with a screenshot. If you need help creating a screenshot, please see How do I create a screenshot of my problem?
Once you have done so, attach the saved screenshot file to your post on the forum by clicking on the Browse... button under the box for posting your reply. This will help us to visualize the problem.
Thank you!