Configuration of the DMZ at R1213
Hello
I am implementing an R12 configuration in a DMZ. We already have an existing instance of R12. Following Doc ID 380490.1 to implement this, I have chosen to proceed with option 2.4, that is to say, "with the help of Reverse Proxies only in the DMZ".
I am also referring to Doc ID 726953.1, which is specific to the above method, to finish the configuration.
My confusion is, how to start?
Will I first clone the web tier, and then run adclonectx.pl?
What do I need to clone at the apps tier?
Help, please.
Hello
In this scenario, there is no cloning of any tier.
You just create a new directory in $INST_TOP on the existing server for the virtual external web tier.
Kind regards
Bashar
-
Hi all
I intend to configure the DMZ in my CA.
Application: 2 nodes
Database: 11gR2 RAC
OPERATING SYSTEM: AIX 6.1
Application version: R12.1.3
Using 1 Cisco hardware load balancer
Query:
I intend to go for the option "using hardware load balancing with no external Web tier". I want to expose my application server to the outside world.
I intend to create a virtual machine on Apps node 1.
For this do I need a separate one, or can I use the same load balancer used for the internal application servers?
What configuration changes should I suggest to the network team for this DMZ configuration?
Please suggest
Thanks in advance
You can check Option 2.5: using hardware load balancing with no external Web tier in the MOS note:
Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
You can also view the Cisco-specific part for hardware load balancers:
Implementing Load Balancing Across Oracle E-Business Suite - Documentation for Specific Load Balancer Hardware [ID 727171.1]
Thank you -
Configuration of the DMZ for MS access
I set up a DMZ for a Web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.
I'm a bit new to DMZs and I'm a bit confused.
I put in place services for different ports and then configured the LAN/DMZ rules outgoing from the DMZ to the domain controller, but I get no connection.
I have the DMZ at 10.0.0.1 / 255.255.240.0
The Web server at 10.0.0.5 / 255.255.255.240.0
Gateway is 10.0.0.1
DNS server is the primary domain controller 192.168.10.1
I opened the following service ports:
Kerberos 88 (TCP, UDP)
Time 123 (UDP)
135 Kerberos authentication (TCP)
LDAP 389
LDAP 445
MS DS 3268 (TCP)
1025-4999 RPC Ports (TCP)
In the LAN/DMZ rules, for outgoing, should I simply specify the DMZ-side machine as DMZ users or do I need to specify the LAN-side LAN users too?
Then I need to duplicate these ports in the Incoming rules, correct?
Any help pointing to the relevant documentation would be great.
No, you should not need to configure static routes, unless you have something weird going on. You can check the network path by adding incoming/outgoing ICMP rules between LAN and DMZ (ICMP type 8, to be precise) and pinging back and forth between the DC and the Web server (ensuring any intermediate software firewall is disabled). If you can test in both directions, then you know with certainty that no static routes are needed.
-
Configuration of the DMZ and USER-BASE10
Hello
I've been using the system variables DMZ1...3 and USER-ADDRS1...5 to identify the different networks. However, I was wondering what the difference is between DMZ and USER-BASE10? Is it just the name, or are they used in different ways by some aspects of the software?
Kind regards
Matt
There is no difference. They are purely just names. The sensorApp just treats them as variables that can be used to specify filters.
-
Hello
We are now entering the last stage of our virtualization programme by looking at virtualizing our internal and external DMZ. I understand that although you can run VirtualCenter on a Windows domain server, it is not the recommended practice. I'm looking for some guidance on best practices for vSphere guests in two areas.
- Should we run a stand-alone VC in a single box that manages the hosts and guests in each area?
- Should we use our internal VC with the appropriate firewall rules opened to manage the hosts and guests? (This is my favourite, but I don't know if security would allow it.)
Does anyone have links to best practices for organising a DMZ and is happy to share their experiences?
Thank you very much
Graeme
Check the below:
http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF
-
Required patches for the DMZ Configuration
Hello
We have implemented Oracle Applications 11.5.10.2. (New implementation, not upgraded.)
We are implementing iSupport referring to Note 287176.1 (Configuration of the DMZ with Oracle E-Business Suite 11i) and I want to know if I need to apply patch 3942483 - AUTOCONFIG SUPPORT FOR REVERSE PROXY, DMZ FIREWALL CONFIGURATION AND URL (PHASE 1)?
AD_BUGS shows 5478710 and 4709948 are applied.
Note 287176.1 does not clearly state whether this fix is needed or not.
Rgds,
Thiru
Trapani,
If you are already on 11.5.10.2 AND you have Patch 4709948 - TXK (FND) AUTOCONFIG TEMPLATE ROLLUP PATCH M (APRIL 2006) or later applied, then this patch is not required.
-
OSB does not work with the DMZ
Hi all
I have a DMZ set up in our network infrastructure. But after that our web service is not running.
We have two IP addresses: the public one (x.x.x.x) and that of the OSB (y.y.y.y).
This is my hosts config:
127.0.0.1 localhost.localdomain localhost
y.y.y.y osb-domain osb-domain.mn
Our web service endpoint URL is:
<WL5G3N0:service name="demoSOAPQSService"> <WL5G3N0:port binding="WL5G3N1:demoSOAP" name="demoSOAPQSPort"> <WL5G3N2:address location="http://osb-domain:7001/OSB_Project/demo/ProxyService/demo"/> </WL5G3N0:port> </WL5G3N0:service>
It works with the OSB web service test console. But it does not work from the client application (ip x.x.x.x).
I am getting the following error:
Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection refused: connect
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:138) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124) at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680) at com.sun.xml.ws.client.Stub.process(Stub.java:272) at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136) at $Proxy29.hello(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84) at $Proxy30.hello(Unknown Source) at a.RegisterUsersWSPortClient.main(RegisterUsersWSPortClient.java:13)
Caused by: java.net.ConnectException: Connection refused: connect at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351) at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213) at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366) at java.net.Socket.connect(Socket.java:529) at java.net.Socket.connect(Socket.java:478) at sun.net.NetworkClient.doConnect(NetworkClient.java:163) at sun.net.www.http.HttpClient.openServer(HttpClient.java:394) at sun.net.www.http.HttpClient.openServer(HttpClient.java:529) at sun.net.www.http.HttpClient.<init>(HttpClient.java:233) at sun.net.www.http.HttpClient.New(HttpClient.java:306) at sun.net.www.http.HttpClient.New(HttpClient.java:323) at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970) at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911) at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014) at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:126) ... 20 more
It was working before the DMZ configuration.
Are there any other requirements?
ARO
EBA
Hi Abe,
That's great. Since the problem is resolved, do you mind marking the question as answered? :)
Kind regards
Fabio. -
Port number of the DMZ URL mask
Hello
I just finished the configuration of the DMZ node for the iRecruitment module for a client. I followed Doc ID 380490.1 for the installation. The external URL for the customer is of the form http://<hostname>:<port>/OA_HTML/IrcVisitor.jsp. Now, because of security concerns, the customer wants to hide the port number in the URL before posting it on the internet for the registration of external candidates. How do I remove the port number from the URL and post the URL as http://<hostname>/OA_HTML/IrcVisitor.jsp or http://<hostname>/IrcVisitor.jsp?
Regards
Navas
Hello
Please see these documents.
Note: 578001.1 - How to Configure Apache in R12 (10.1.3) to Listen on a Restricted Port
Note: 356080.1 - How to Run Apache on Port 80 in Apps 11i
Thank you
Hussein -
Implementation EBS in the DMZ configuration
Hello
I have a few questions about implementing EBS in the DMZ:
1. When choosing the external web only option (Figure 4 in document 380490.1) to be in the DMZ, does this external web tier communicate with the internal DB directly or through the internal middle tier?
2. When choosing this option (external web), if the internal middle tier is down, does this affect the external web features? Maybe this question is related to the first as well.
3. In the external web option, do I have to redo on the external web tier all the changes made in the application by developers on the internal middle tier?
4. What are the things to do manually on the external web tier, if anything other than patching is done on the internal web tier?
My last question:
Is there a certified solution in the DMZ where I can implement only a thin web tier (containing only HTTP services, not HTTP/OC4J) but not the reverse proxy?
Thank you
Without some such configuration it is not possible - what is the reason for not using a reverse proxy?
HTH
Srini -
Out-of-Band management on the servers in the DMZ
Hi, I have four PC7048s in my DMZ: external-facing, internal-facing and 2 separate DMZs. Everything is good. All working.
Since they are in the DMZ I want them only to route between themselves, and so have turned off HTTP, HTTPS, Telnet and SSH management so that they cannot be managed remotely from the DMZ subnets.
I then plugged the OOB interfaces into my internal management switch and VLANed them accordingly. Very well, now I can ping my OOB interfaces on all four. But I can't manage them because I have disabled SSH, HTTPS, HTTP and Telnet.
If I enable them (just SSH and HTTPS) I am now able to manage the DMZ switches on the DMZ subnet IPs.
I thought that the point of the OOB was so this does not happen and there is isolation? If I have to turn on HTTPS and SSH globally, then they are not really well isolated (I understand that OOB traffic cannot talk to in-band etc. - it is the fact that I turn on a global configuration for the remote OOB service).
Am I missing something?
Thank you
Your results are correct. To lock the management down further I suggest looking at implementing ACLs. With ACLs you can permit/deny access to various management services.
Page 1471 of the user guide goes over these commands.
FTP.Dell.com/.../PowerConnect-7048r_Reference%20Guide_en-US.pdf
Thank you
-
RV042 impossible to disable the DMZ Host
While trying to configure my RV042, I "turned on" the DMZ Host feature (under Configuration > DMZ Host) by entering the LAN IP address of one of our machines. I now think that I don't actually want it on. According to the help page (and also the manual), it says:
"Enter the IP address of the network device you want to use as the DMZ host. Otherwise, enter zero (0.0.0.0) to disable the DMZ host."
So I try to enter the address 0.0.0.0, and it gives me an error:
What am I doing wrong? Are the instructions just incorrect? Is there a way to disable this option?
If the LAN subnet is 192.168.1.x/24, you might want to try 192.168.1.0 instead of 0.0.0.0 to disable DMZ Host.
-
second Web server on the DMZ not visible outside
Using a PIX 515e.
I have several Web servers in the DMZ; the first web server and the mail server are set up with port mapping to the PIX outside interface IP address.
The second and third Web servers (inside interface) are configured with static mappings and access lists.
I can see the first webserver and the mail server very well, but I cannot see the second or third servers.
What have I done wrong?
I suggest you analyze traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.
Check if packets arrive at the external interface, if they reach the web server and if there is a response.
Example:
access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail
or
https://PIX-IP-address/capture/vpncap[/pcap]
To remove the capture:
no capture vpncap
sincerely
Patrick
-
To access the servers in the DMZ
People:
I have a PIX 515E and I need to access a SQL Server that is inside the network... I don't know if I should activate NAT on the DMZ to be able to 'see' the servers inside...
I tried a
> static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
to give servers on the DMZ access to the inside network without translation... but I can't create a static from a low security to a high security interface...
I wonder if anyone has had the same configuration problem?
Should I try to activate NAT on the DMZ also?
It's my current setup!
Thank you very much!
Luis
-------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
access-list 100 permit tcp any host 200.200.200.39 eq ftp
access-list 100 permit tcp any host 200.200.200.39 eq 1433
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255
alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255
alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255
alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
Did you apply an access list to allow traffic from the dmz to the inside interface?
Also, try to be specific with the server you are trying to provide access to.
static (inside,dmz) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 (where both xx.xx.xx.xx represent your SQL server address)
Then add the following access list
access-list 101 permit tcp any host xx.xx.xx.xx eq 1433 (again, xx.xx.xx.xx is the SQL server)
access-group 101 in interface dmz
(for testing you can initially have the access list permit all traffic instead of just SQL, then tighten it up when you are sure that the static command works)
Hope that helps. Allowing traffic from a lower security interface to a higher security interface is done with static and ACL (or conduit) commands, so you seem to be on the right track.
~ rls
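As an added example (not part of the thread), the following Python parses the access-list 100 entries Luis posted and reports which public hosts expose remote-management or database ports to any source, the kind of review that rls's advice to tighten the ACL implies; the list of ports treated as sensitive is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the access-list 100 entries from the PIX config
# posted above, with the translation damage ("EQ field" for "eq domain",
# "any one" for "any any") repaired.
POSTED_ACL = """\
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
access-list 100 permit tcp any host 200.200.200.39 eq ftp
access-list 100 permit tcp any host 200.200.200.39 eq 1433
"""

# PIX service keywords that appear in the posted ACL, mapped to port numbers.
NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110,
               "domain": 53, "ftp": 21, "ssh": 22, "telnet": 23}

# Review policy assumed for this example: TCP ports a DMZ or inside host
# should not expose to "any" (remote management, database, and an
# unidentified listener that needs an owner before it stays open).
SENSITIVE_TCP = {3389: "RDP", 1433: "MS SQL", 22: "SSH", 23: "Telnet",
                 1547: "unidentified service"}

# One PIX 6.x ACE of the shape the post uses: permit <proto> <src> <dst> [eq <port>]
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?$",
    re.IGNORECASE,
)


def parse_ace(line):
    """Return (acl, proto, src, dst, port) for a permit ACE, else None.

    src/dst are 'any' or the host address; port is an int or None.
    """
    m = ACE_RE.match(line.strip())
    if m is None:
        return None
    port = m.group("port")
    if port is not None:
        if port.isdigit():
            port = int(port)
        elif port.lower() in NAMED_PORTS:
            port = NAMED_PORTS[port.lower()]
        else:
            raise ValueError(f"unknown service keyword {port!r} in: {line}")

    def addr(field):
        return "any" if field.lower() == "any" else field.split()[1]

    return (m.group("acl"), m.group("proto").lower(),
            addr(m.group("src")), addr(m.group("dst")), port)


def exposed_services(config_text):
    """Map each destination host to the set of (proto, port) open from any."""
    exposure = defaultdict(set)
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        _acl, proto, src, dst, port = ace
        if src == "any" and dst != "any" and proto in ("tcp", "udp"):
            exposure[dst].add((proto, port))
    return dict(exposure)


def sensitive_exposures(config_text):
    """Sorted (host, port, label) triples for sensitive TCP ports open to any."""
    findings = []
    for host, services in exposed_services(config_text).items():
        for proto, port in services:
            if proto == "tcp" and port in SENSITIVE_TCP:
                findings.append((host, port, SENSITIVE_TCP[port]))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, label in sensitive_exposures(POSTED_ACL):
        print(f"{host}: tcp/{port} ({label}) reachable from any source")
```

Run against the posted rules it flags RDP open from the Internet on four public addresses and MS SQL on 200.200.200.39, which is exactly the exposure a DMZ is meant to prevent.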
-
Hello
I'll install the CSA agent on the DMZ servers. Since there is no access to the Management Center from the DMZ (access is not permitted from the DMZ to internal; only the MC (internal) can access the servers), I know that the CSA can record events on the computer, but will the MC be able to get them back?
Except for a polling hint being sent, the MC does not initiate the connection for agent policy updates and event download. Agents are configured with a polling interval (default is 10 minutes); the Agent makes the connection to the MC via port 5401, and if that is not available tries 443.
For your Agents to work correctly with the MC, your DMZ must allow your DMZ servers to connect to your internal MC on port 5401 or 443 (I prefer 443).
Just add an ACL on your firewall so that the DMZ servers can connect only to this MC server. Then you can create a network access control rule so only the Cisco Security Agent process can access the IP address of the MC on port 443.
In this way even if an attacker has gotten past all the other CSA rules and used the DMZ server as a jumping-off point for further attack, they must kill the agent first before they could get to the MC. And if that wasn't enough, you can create a data access control rule for the Agent installed on the MC itself, which will send you an email if the root of https:// is accessed.
-
Need urgent help in configuring Client-to-Site IPsec VPN with hairpinning on Cisco ASA5510 - 8.2(1).
Here is the layout:
There are two leased lines for Internet access - 1.1.1.1 and 2.2.2.2, the latter being the default route, the former for backup.
I was able to configure the Client-to-Site IPsec VPN
(1) with access from the outside to the internal network (172.16.0.0/24) behind the ASA
(2) with split tunnel, with simultaneous access to the internal LAN and the Internet from the outside.
But I was not able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made on this subject in many discussion threads but still no luck. Can someone help me here please?
Here is the run-conf with the normal Client-to-Site IPsec VPN configured, with no internet access:
LIMITATION: Cannot boot into any other IOS image for unavoidable reasons, must use 8.2(1)
run-conf - normal Client-to-Site VPN working without internet access/split tunnel
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif internet1-outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internet2-outside
 security-level 0
 ip address 2.2.2.2 255.255.255.224
!
interface GigabitEthernet0/2
 nameif interface-dmz
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif campus-lan
 security-level 0
 ip address 172.16.0.1 255.255.0.0
!
interface Management0/0
 nameif CSC-MGMT
 security-level 100
 ip address 10.0.0.4 255.255.255.0
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list sheep extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu interface-dmz 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface interface-dmz
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
 quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
 vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
 address-pool vpnpool1
 default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
 pre-shared-key *
!
class-map cmap-DNS
 match access-list DNS-inspect
class-map csc-class
 match access-list csc-acl
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class csc-class
  csc help
 class cmap-DNS
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Adding dynamic NAT for 192.168.150.0/24 on the external interface does not work, nor does sysopt connection permit-vpn.
Please tell me what to do here to hairpin all Internet traffic from the VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the internet, to have their IP addresses NAT'ted to the address of the internet2-outside interface, 2.2.2.2, as happens for the Campus clients (172.16.0.0/16).
I am well aware of everything involved here, so please be elaborate in your answers. Please let me know if you need more information about this configuration to respond to my request.
Thank you & best regards
MAXS
Hello
If possible, I'd like to see a TCP connection attempt (e.g. to http://www.google.com) from the VPN Client in the ASDM logging, when you have the dynamic NAT for the VPN Pool set up as well.
I would also try the "packet-tracer" command on the ASA while the VPN Client is connected to the ASA.
The command format is
packet-tracer input tcp
That should tell what the ASA does with this kind of packet entering its "input" interface.
Still can't see anything wrong with the configuration (other than the missing "nat" statement for the dynamic PAT)
-Jouni