Configuration of the DMZ at R1213

Hello

I put implement R12 Configuration in a DMZ. We already have an existing instance of R12. Following Doc ID 380490.1 to implement the same, have chosen to proceed with option 2.4 that is to say, "with the help of Reverse Proxies only in the DMZ.

I also talk about Doc ID 726953.1 that is specific to above the application method. Finishing with the configuration.

My confusion is, how to start?

Will I first clone web layer first, and then run adclonectx.pl?

what I need to clone level apps.

Help, please.

Hello

In this scenario, there is no cloning of any level.

You just create a new directory in the $INST_TOP on the server exist for the web virtually outer layer.

Kind regards

Bashar

Tags: Oracle Applications

Similar Questions

Configuration of the DMZ R12
Hi all

I intend to configure the DMZ in my CA.

Application: node 2
Database: 11 GR 2 RAC
OPERATING SYSTEM: AIX 6.1
Application version: R12.1.3
Using 1 Cisco hardware load balancer

Query:
I intend to go for the option "using hardware load balancing with no. external Web tier" I want to put my application server to the outside world.
I intend to create vritual machine in Apps node 1.

for this I need a separate queries or can I use the same load balancer used for internal application servers?
All configuration changes what should I suggest you get out of the team for this configuration of the DMZ network?

Please suggest

Thanks in advance
You can check the Option 2.5: using hardware load balancing with external No. layer Web of MOS note:
Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]

You can also view the part of Cisco for hardware load balancer
Implementation of load balancing across Oracle eBusiness Suite - Documentation specific Load Balancer Hardware [ID 727171.1]
Thank you

Configuration of the DMZ for MS access

I set up a DMZ for a Web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.

I'm a bit new to DMZ and I'm a bit confused.

I put in place services for different ports and then configure the rules of lan/dmz coming out of the demilitarized zone to the domain controller, but I get no connection.

I have the DMZ a 10.0.0.1 / 255.255.240.0
The value 10.0.0.5 Web server / 255.255.255.240.0
Gateway is 10.0.0.1

DNS server on the primary domain controller 192.168.10.1

I opened the ports following services:

Kerberos 88 (TCP, UDP)
Time 123 (UDP)
135 Kerberos authentication (TCP)
LDAP 389
LDAP 445
MS DS 3268 (TCP)
1025-4999 RPC Ports (TCP)

In the rules of the DMZ Lan, for those leaving, should I simply specify the machine side of DMZ DMZ users or do I need to specify the side Lan Lan users too?

Then I need to duplicate these ports in the Incoming, correct?

Any help in pointing to the relevant documentation would be great.

No, you should not need to configure static routes, unless you have something weird going. You can check the network path by adding rules incoming/outgoing ICMP LAN DMZ (ICMP-TYPE-8, to be precise) and ping back and forth between the DC and the Web server (ensuring any intermediate software firewall is disabled). If you can test in both directions, then you know with certainty that none of the static routes are needed.

Configuration of the DMZ and USER-BASE10

Hello

I've been using System DMZ1 variables... 3 and USER-ADDRS1... 5 to identify the different networks. However, I was wondering, what is the difference between the DMZ and USER-BASE10? It is in the name, or they are used in different ways by some aspects of the software?

Kind regards

Matt

There is no difference. They are purely just names. The sensorApp just treats them as variables that can be used to specify filters.

Configuration of the DMZ

Hello
We are now entering the last stage of our program of virtualization by looking at our internal and external DMZ virtualization. I understand that although you can run VirtualCenter on a Windows domain server no it is not the recommended practice. I'm looking for so some guidance on best practices for vSphere guests in two areas.
- Should we run a stand-alone VC in a single box that manages the hosts and guests in each area.
- We should use our internal VC with open appropriate firewall rules to manage the hosts and presenters. (This is my favorite, but do not know if security would allow)
Someone at - it links to best practices for the Organization in a DMZ and happy to share their experiences?
Thank you very much
Graeme

Check the below:

http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF

http://blogs.VMware.com/Networking/2009/07/designing-a-DMZ-on-vSphere-4-using-the-Cisco-Nexus-1000V-virtual-switch.html

Required patches for the DMZ Configuration
Hello

We have implemented of applications 11.5.10.2 Oracle. (New implementation and not upgraded)

We implement iSupport referring to Note: 287176.1-(Configuration of the DMZ with Oracle E-Business Suite 11i) and I want to know if I need to apply patch 3942483 -AUTOCONFIG SUPPORT FOR REVERSE PROXY, firewall DMZ CONFIGURATION AND URL (PHASE 1)?

AD_BUGS shows 5478710,4709948 are applied.

It does not not clearly note if this fix is needed or not (287176.1)

Rgds,
Thiru
Trapani,

If you are already on 11.5.10.2 AND you (Patch 4709948 - T2K (FND) AUTOCONFIG MODEL CUMULATIVE PATCH M (APRIL 2006)) or later applied, then this patch is not required.

OSB does not work with the DMZ

Hi all

I have a DMZ set up our network infra. But after that our web service is not running.

We address two ip, which are public (x.x.x.x) and of the OSB (y.y.y.y).

This is my config to hosts:

127.0.0.1 localhost.localdomain localhost
y.y.y.y     osb-domain    osb-domain.mn

Our web service endpoint url is:

<WL5G3N0:service name="demoSOAPQSService">
<WL5G3N0:port binding="WL5G3N1:demoSOAP" name="demoSOAPQSPort">
<WL5G3N2:address location="http://osb-domain:7001/OSB_Project/demo/ProxyService/demo"/>
</WL5G3N0:port>
</WL5G3N0:service>

I am getting following error:

Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection refused: connect
     at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:138)
     at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187)
     at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
     at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
     at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
     at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
     at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
     at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
     at com.sun.xml.ws.client.Stub.process(Stub.java:272)
     at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
     at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
     at $Proxy29.hello(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
     at $Proxy30.hello(Unknown Source)
     at a.RegisterUsersWSPortClient.main(RegisterUsersWSPortClient.java:13)
Caused by: java.net.ConnectException: Connection refused: connect
     at java.net.PlainSocketImpl.socketConnect(Native Method)
     at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
     at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
     at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
     at java.net.Socket.connect(Socket.java:529)
     at java.net.Socket.connect(Socket.java:478)
     at sun.net.NetworkClient.doConnect(NetworkClient.java:163)
     at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
     at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
     at sun.net.www.http.HttpClient.<init>(HttpClient.java:233)
     at sun.net.www.http.HttpClient.New(HttpClient.java:306)
     at sun.net.www.http.HttpClient.New(HttpClient.java:323)
     at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
     at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
     at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:126)
     ... 20 more

It works with the Console of the OSB web service test. But it does not the client application (ip x.x.x.x).

He was working before the configuration of the DMZ.

Are there any other requirements?

ARO
EBA

Hi Abe,

That's great. Because the problem is resolved, do you mind marking the question as answered? :)

Kind regards
Fabio.

Port number of the DMZ URL mask
Hello

I just finished the configuration of the DMZ node to irecruitment for a client module. I followed Doc Id 380490.1 for installation. The external URL for the customer is of the form http:// < hostname >: < port >/OA_HTML/IrcVisitor.jsp. Now, because of security concerns the customer wants to hide the port number of the URL and post it on the internet for the registration of external candidates. How do I remove the port number of the URL and post the URL as /OA_HTML/IrcVisitor.jsp or http:// < hostname > < hostname > http:// / IrcVisitor.jsp.

Concerning

Navas
Hello

Please see these documents.

Note: 578001.1 - how to configure Apache in R12 (10.1.3) listening on a Port Limited)<>
Note: 356080.1 - how to run Apache on Port 80 in Apps 11i]

Thank you
Hussein

Implementation EBS in the DMZ configuration

Hello
I have a few questions about implementing EBS in the DMZ:
1 - when to choose the web option external only (Figure 4 in document 380490.1) to be in the DMZ, this external web communicate with internal DB directly or through the inner layer of Middle?
2. when choosing this option (external web), if the middle tier internal was down, this affects the external web features? Maybe this question is related to the first as well
3. in Option external Web, I do all the changes made in the application by developers at the internal intermediate again in the external web?
4 - What are the things to do mannualy in extrnal web, if it is made other than patching web internally?
my last Question,
Is there a solution certified in the DMZ, where I can implement only thin web (HTTP only containing only services not HTTP/OC4J) but not the proxy reverse?
Thank you d ' attribute

Without some such configuration is not possible - which is the reason for not using a reverse proxy?

HTH
Srini

Out-of-Band management on the servers in the DMZ

Hi, I have four PC7048s in my DMZ. External, internal making face and 2 separate demilitarized. Everything is good. All workers.

Since they are demilitarized I want only their route between them and thus in position off http, Https, Telnet, and SSH management so that they cannot be managed remotely from the DMZ subnets.

I then plugged the OOB interfaces in my internal management switch and VLAN them accordingly. Very well, now I can ping my OOB interfaces on all four. But I can't manage them because I have disabled SSH, HTTPS, HTTP and Telnet

If I allow them (just SSH and HTTPS) I am now able to manage the switches of the DMZ on the IPs DMZ subnet

I thought that the point of the OOB was so this does not happen and there is isolation? If I have to spend globally on HTTPS and SSH, then they are not really well isolated (I understand that OOB traffic cannot talk to IN-Band etc. - is the fact that I turn on a global configuration for remote OOB service)

Am I missing something?

Thank you

Your results are correct. To lock the management more far I suggest looking to implement ACLs. With the ACL you can permit/deny access to various management services.

Page 1471, guide the user passes over these commands.

FTP.Dell.com/.../PowerConnect-7048r_Reference%20Guide_en-US.pdf

Thank you

RV042 impossible to disable the DMZ Host

All trying to configure my RV042, I "turned on" the DMZ host feature (under Configuration > DMZ Host) by entering the address LAN IP of one of our machines. I think now that I don't want to actually on. According to the help page (and also the manual), he says:

"Enter the IP address of the network device you want to use as a host DMZ." Otherwise, enter a zero (0.0.0.0) to disable the DMZ host.

So I try to enter the address 0.0.0.0, and it gives me an error:

What I am doing wrong? The instructions are just incorrect? Is there a way to disable this option?

If the LAN subnet is 192.168.1.x/24, you might want to try instead of 0.0.0.0 192.168.1.0 to disable DMZ Host.

second Web server on the DMZ not visible outside

With the help of a PIX 515e

I have several Web servers in the DMZ, the first web server and the mail server are set up with the port mapping for the PIX outside IP address of the interface.

The second and third (inside interface) of the Web servers are configured with static mappings and access lists.

I can see the first n the mail very good server webserver, but I can not see servers in second or third.

What have I done wrong?

I suggest you analysze traffic with the command to 'capture' PIX and sniff traffic on the DMZ and outside traffic.

Check if packets arrive to the external interface, if it reaches the web server and is at - it a response.

example of

IP access-list 120 allow any HOST 207.236.60.35

capture the access-list 120 vpncap OUTSIDE interface

See the access-list 120 retail vpncap capture

or

https://PIX-IP-address/capture/vpncap [/pcap]

To remove the capture:

No vpncap capture

sincerely

Patrick

To access the servers in the DMZ

People:

I have a PIX 515E and I need to access a SQL Server that is inside the network... I don't know if I should activate NAT on the demilitarized zone to be able to 'see' the servers inside...

I tried a

> static (dmz, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

to activate servers on the DMZ for access within the network without translation... but I can't create a static to a low security to a high security interface...

I wonder if anyone has the same configuration problem?

should I try to activate NAT on the DMZ also?

It's my current setup!

Thank you very much!

Luis

-------------------------------------------

PIX Version 6.1 (2)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif dmz security10 ethernet2

access-list 100 permit tcp any host 200.200.200.37 eq smtp

access-list 100 permit tcp any host 200.200.200.37 eq pop3

access list 100 permit tcp any host 200.200.200.37 EQ field

access-list 100 permit udp any host 200.200.200.37 EQ field

access-list 100 permit tcp any host 200.200.200.35 eq www

access-list 100 permit tcp any host 200.200.200.35 eq 443

access-list 100 permit tcp any host 200.200.200.36 eq www

access-list 100 permit tcp any host 200.200.200.36 eq 443

access-list 100 permit icmp any one

access-list 100 permit tcp any host 200.200.200.35 eq ftp

access-list 100 permit tcp any host 200.200.200.36 eq ftp

access-list 100 permit tcp any host 200.200.200.36 eq 3389

access-list 100 permit tcp any host 200.200.200.35 eq 3389

access list 100 permit tcp any host 200.200.200.36 EQ field

access-list 100 permit udp any host 200.200.200.36 EQ field

access-list 100 permit tcp any host 200.200.200.38 eq www

access-list 100 permit tcp any host 200.200.200.38 eq 443

access-list 100 permit tcp any host 200.200.200.38 eq 3389

access-list 100 permit tcp any host 200.200.200.37 eq www

access-list 100 permit tcp any host 200.200.200.38 eq 1547

access-list 100 permit tcp any host 200.200.200.39 eq 3389

access-list 100 permit tcp any host 200.200.200.39 eq ftp

access-list 100 permit tcp any host 200.200.200.39 eq 1433

IP outdoor 200.200.200.34 255.255.255.224

IP address inside 192.168.1.1 255.255.255.0

IP dmz 192.168.2.1 255.255.255.0

Global (outside) 1 200.200.200.45 - 200.200.200.61 netmask 255.255.255.224

Global (outside) 1 200.200.200.62 netmask 255.255.255.224

NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255

alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255

alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255

alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255

static (dmz, external) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0

static (dmz, external) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0

public static 200.200.200.38 (inside, outside) 192.168.1.2 mask subnet 255.255.255.255 0 0

public static 200.200.200.39 (Interior, exterior) 192.168.1.186 netmask 255.255.255.255 0 0

static (inside, dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

static (dmz, external) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0

Access-group 100 in external interface

Route outside 0.0.0.0 0.0.0.0 200.200.200.33 1

Did you apply an access list to allow traffic from the dmz to the inside interface?

Also, try to be specific with the server you are trying to provide access to the.

static (inside, dmz) xx.xx.xx.xx xx.xx.xx.xx 255.255.255.255 netmask (where two groups of xx.xx.xx.xx represent your address of sql server)

Then add the following list of access

access-list 101 permit tcp any host xx.xx.xx.xx eq sql (again, xx.xx.xx.xx is sql server)

Access-group 101 in the dmz interface

(test you can do initially access list permit all traffic instead of just sql, then tighten it to the top when you are sure that the static command works)

Hope that helps. Allowing less than an interface on a security interface traffic higher security is carried out with controls static and ACL (or ducts), so you seem to be on the right track.

~ rls

CSA on servers in the DMZ

Hello

I'll install csa agent on servers of DMZ. Since there is no access to the Management Center in the DMZ, access is not permitted from internal dmz, only MC (internal) can access servers. I know that the CSA can record events on the computer, the MC will be able to get back them?

Except for a hint of polling sending, the MC is not initialize the connection for update of policy officers and events download. Agents are configured with a polling interval (default is 10 minutes), the Agent makes the connection with the MC via port 5401, and if it is not available try 443.

For your Agents work correctly with the MC, your DMZ must allow your dmz servers to connect to your internal port 5401 or 443 MC (I prefer 443).

Just add an ACL on your firewall so that the dmz servers can connect to only this server MC. Then you can create a rule to network access control so only the Cisco Security Agent can access the IP address of the MC on port 443.

In this way even if the attacker has exceeded all the other rules of the csa and used the server dmz as a breakpoint for more attack, they must kill the agent first, before they could get to the MC. And if that wasn't enough, you can create a rule of access control data to the Agent installed on the MC itself, which will send you an email if the root of the https:// is accessible.

Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

Here is the presentation:

There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

I was able to configure the Client VPN IPSec Site

(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

But I was not able to make the tradiotional model Hairpinng to work in this scenario.

I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

race-conf - Site VPN Customer normal work without internet access/split tunnel
: ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

race-conf - Site VPN Customer normal work without internet access/split tunnel

ASA Version 8.2 (1)

ciscoasa hostname

domain cisco.campus.com

enable the encrypted password xxxxxxxxxxxxxx

XXXXXXXXXXXXXX encrypted passwd

names of

interface GigabitEthernet0/0

nameif outside internet1

security-level 0

IP 1.1.1.1 255.255.255.240

interface GigabitEthernet0/1

nameif outside internet2

security-level 0

IP address 2.2.2.2 255.255.255.224

interface GigabitEthernet0/2

nameif dmz interface

security-level 0

IP 10.0.1.1 255.255.255.0

interface GigabitEthernet0/3

nameif campus-lan

security-level 0

IP 172.16.0.1 255.255.0.0

interface Management0/0

nameif CSC-MGMT

security-level 100

the IP 10.0.0.4 address 255.255.255.0

boot system Disk0: / asa821 - k8.bin

boot system Disk0: / asa843 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

domain cisco.campus.com

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network cmps-lan

the object-group CSC - ip network

object-group network www-Interior

object-group network www-outside

object-group service tcp-80

object-group service udp-53

object-group service https

object-group service pop3

object-group service smtp

object-group service tcp80

object-group service http-s

object-group service pop3-110

object-group service smtp25

object-group service udp53

object-group service ssh

object-group service tcp-port

port udp-object-group service

object-group service ftp

object-group service ftp - data

object-group network csc1-ip

object-group service all-tcp-udp

access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3

access-list extended SCC-OUT permit ip host 10.0.0.5 everything

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp

list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3

access CAMPUS-wide LAN ip allowed list a whole

access-list CSC - acl note scan web and mail traffic

access-list CSC - acl extended permit tcp any any eq smtp

access-list CSC - acl extended permit tcp any any eq pop3

access-list CSC - acl note scan web and mail traffic

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

access-list extended INTERNET2-IN permit ip any host 1.1.1.2

access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

access list DNS-inspect extended permit tcp any any eq field

access list DNS-inspect extended permit udp any any eq field

access-list extended capin permit ip host 172.16.1.234 all

access-list extended capin permit ip host 172.16.1.52 all

access-list extended capin permit ip any host 172.16.1.52

Capin list extended access permit ip host 172.16.0.82 172.16.0.61

Capin list extended access permit ip host 172.16.0.61 172.16.0.82

access-list extended capout permit ip host 2.2.2.2 everything

access-list extended capout permit ip any host 2.2.2.2

Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Internet1-outside of MTU 1500

Internet2-outside of MTU 1500

interface-dmz MTU 1500

Campus-lan of MTU 1500

MTU 1500 CSC-MGMT

IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

IP check path reverse interface internet2-outside

IP check path reverse interface interface-dmz

IP check path opposite campus-lan interface

IP check path reverse interface CSC-MGMT

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

interface of global (internet1-outside) 1

interface of global (internet2-outside) 1

NAT (campus-lan) 0-campus-lan_nat0_outbound access list

NAT (campus-lan) 1 0.0.0.0 0.0.0.0

NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

Access-group INTERNET2-IN interface internet1-outside

group-access INTERNET1-IN interface internet2-outside

group-access CAMPUS-LAN in campus-lan interface

CSC-OUT access-group in SCC-MGMT interface

Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

AAA authentication enable LOCAL console

Enable http server

http 10.0.0.2 255.255.255.255 CSC-MGMT

http 10.0.0.8 255.255.255.255 CSC-MGMT

HTTP 1.2.2.2 255.255.255.255 internet2-outside

HTTP 1.2.2.2 255.255.255.255 internet1-outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

crypto internet2-outside_map outside internet2 network interface card

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

a67a897as a67a897as a67a897as a67a897as a67a897as

quit smoking

ISAKMP crypto enable internet2-outside

crypto ISAKMP policy 10

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

Telnet timeout 5

SSH 1.2.3.3 255.255.255.240 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet2-outside

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal VPN_TG_1 group policy

VPN_TG_1 group policy attributes

Protocol-tunnel-VPN IPSec

username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

username vpnuser1 attributes

VPN-group-policy VPN_TG_1

type tunnel-group VPN_TG_1 remote access

attributes global-tunnel-group VPN_TG_1

address vpnpool1 pool

Group Policy - by default-VPN_TG_1

IPSec-attributes tunnel-group VPN_TG_1

pre-shared-key *.

class-map cmap-DNS

matches the access list DNS-inspect

CCS-class class-map

corresponds to the CSC - acl access list

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

CCS category

CSC help

cmap-DNS class

inspect the preset_dns_map dns

global service-policy global_policy

context of prompt hostname

Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

: end

Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

Thank you & best regards

MAXS

Hello

If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

The command format is

packet-tracer intput tcp

That should tell what the SAA for this kind of package entering its "input" interface

Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

-Jouni

Configuration of the DMZ at R1213

Similar Questions

Maybe you are looking for