Reverse path
I have the command "ip verify reverse-path interface outside" configured on my PIX. According to the documentation, it protects the outside interface by checking the source address and preventing spoofing attacks. This essentially means that packets entering my network are checked to see whether the destination network is in the routing table? Also, if I apply this to my inside interface, will it check that the source IP address is valid on the inside interface?
Just want to double check.
Hello!
Yes.
The "ip verify reverse-path interface outside" command statement protects the outside interface from spoofing attacks coming from the Internet, while the "ip verify reverse-path interface inside" command statement protects the inside interface from spoofing attacks by users on the internal network.
HTH.
Rgds
Vimal
Tags: Cisco Security
Similar Questions
-
What is the difference between Unicast RPF and Reverse Path Forwarding?
I am confused between Unicast RPF and the Reverse Path Forwarding function.
What is the difference between Unicast RPF and Reverse Path Forwarding?
Do they both check the source address of each packet before forwarding it to the destination too?
Is Reverse Path Forwarding used only when the network wants to build a shared multicast tree, and then must we use Unicast RPF after creation of the shared tree?
The RPF mechanism is mainly used to ensure loop-free routing of traffic.
As you probably already read, it does so by ensuring that the route to the source address of a received packet is reachable via the same interface the packet entered on. Think of the notion of "root port" in STP: all root ports face the root, as sunflowers follow the Sun. Therefore, it is naturally a loop-prevention mechanism.
With multicast traffic, it is quite likely to create multiple routing loops because of the "any destination" nature of the traffic. For this reason, a mechanism like RPF is used to ensure you are on the "road to the root" (so to speak) towards the source originating the multicast traffic. Otherwise, if you are not, you would either receive this traffic through a routing loop or over a suboptimal path.
uRPF works essentially the same way, except that it is done for unicast traffic instead. Now, with unicast traffic your flow is from a source directed to a single destination. Given that, and the fact that you are using a dynamic routing algorithm (which selects the path to a destination), you can have routing loops in your network for unicast traffic flows; of course there may be exceptions due to pitfalls of route redistribution configuration.
However, when RPF is applied to unicast traffic it can add another advantage, and that is IP source verification. That's why we can use it as a security mechanism to ensure that data comes from where it is supposed to come from.
At the L2 boundary you then have mechanisms such as IP Source Guard to ensure that the correct host is not spoofing its IP address.
By analogy, RPF can be used for source checking of multicast traffic, and it does so intrinsically; however, its most important role is that it can be used to guarantee loop-free routing of multicast traffic.
I hope that helped clear things up and didn't confuse you any more with all this.
-
ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure
I have worked on this for a while and just haven't found a solution yet.
I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect VPN client with it. I followed the ASA 8.x split tunnel example but am still missing something.
My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation running at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside of the router itself is 10.170.0.1.
I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:
5 | Jan 27 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:13 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
I tried several things with NAT, but was not able to get past this. Would anyone mind looking at my running config and helping me with this? Thanks a bunch!
-Tim
A couple of points to check.
"name 10.17.13.0 UFP-VPN-pool" looks like it should be "name 10.170.13.0 UFP-VPN-pool".
inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool
Looks like that one
inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow
-
ip verify unicast reverse-path does not work
I configured ip verify unicast reverse-path on a Cisco 2611 running 12.3(26). IP CEF is enabled globally but disabled with "no ip route-cache cef" on all interfaces except the WAN-facing interface (Serial 0/0).
!
interface Serial0/0
 description connected to the internet
 bandwidth 768
 ip address 100.100.20.10 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 no cdp enable
!
Whenever I reboot the router, it works for a while, then stops working. The "unicast RPF" drop counter in "show ip traffic" unexpectedly stops climbing after a few minutes and stays where it stopped.
IP statistics:
  Rcvd:  35015 total, 346 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 17 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
  Bcast: 6 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  265 generated, 23074 forwarded
  Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
         120 no route, 467 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
Can anyone think of a reason why it works for a few seconds after boot and then stops?
[edit]
I took out the "ip route-cache flow" statement, thinking that was the problem, but there is still no change in the counter.
There are several methods you can use for the same purpose; here are some examples:
> ACL
> Policy Based Routing + ACL (two interfaces, marking on one, dropping via ACL)
> MPF "drop" keyword
> Black hole routing (routes to Null0)
> uRPF
Each method has its advantages and disadvantages; ACLs and static routes are difficult to maintain and operate. An ACL with the "log" keyword is process switched, making it slower.
Black hole routing works by sending spoofed traffic (hitting the bogon) to Null0; Null0 being a direct adjacency (sort of an interface) on all CEF routers, it is relatively faster.
uRPF is commonly used with Remote Triggered Black Hole routing (RTBH). For example, say you manage a large organization with several entry points into the network. Now you know that your network is under attack from source 1.2.3.0/24. With RTBH, all border routers have uRPF active and there is an internal router known as a "trigger router". You could inject a route into your IGP domain, something like:
ip route 1.2.3.0 255.255.255.0 null0 tag 255
Then all the edge routers would receive this route and, with the help of uRPF, drop all packets "sourced" from the attacker's network. The process is a little more complicated than that, but I hope you get the idea.
Regards
Farrukh
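To make the two answers above concrete (the strict-mode check described in the RPF/uRPF answer, and the Null0 route that RTBH injects in Farrukh's example), here is an added simulation; it is not code from the thread and does not model a real Cisco router. The FIB, interface names and packets are constructed for illustration, and the loose-mode function goes slightly beyond the thread by showing the "reachable-via any" variant.

```python
"""Strict/loose unicast RPF check plus a remote-triggered black hole (RTBH).

Added example, not code from the forum thread.  The FIB, interface names and
packets are constructed here; a real router does this lookup in CEF for every
received packet.
"""
import ipaddress
from typing import List, Optional, Tuple

NULL0 = "Null0"  # the black-hole "interface" that RTBH routes point to


class Fib:
    """Minimal longest-prefix-match table mapping prefix -> egress interface."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, prefix: str, interface: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=False), interface))
        # Most specific prefix first, so the first hit in lookup() is the best route.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, address: str) -> Optional[str]:
        ip = ipaddress.ip_address(address)
        for net, iface in self._routes:
            if ip in net:
                return iface
        return None


def urpf_strict(fib: Fib, src: str, ingress: str) -> Tuple[bool, str]:
    """Strict mode (ip verify unicast reverse-path): the best route back to the
    packet's source must point out the interface the packet arrived on."""
    egress = fib.lookup(src)
    if egress is None:
        return False, "no route to source"
    if egress == NULL0:
        return False, "source black-holed (RTBH)"
    if egress != ingress:
        return False, f"route to source is via {egress}, packet arrived on {ingress}"
    return True, "ok"


def urpf_loose(fib: Fib, src: str) -> Tuple[bool, str]:
    """Loose mode (ip verify unicast source reachable-via any): any real route to
    the source is enough; only unrouted or Null0-routed sources are dropped.  This
    is the mode usually paired with RTBH on multihomed edges, where strict mode
    would also drop legitimate asymmetric traffic."""
    egress = fib.lookup(src)
    if egress is None:
        return False, "no route to source"
    if egress == NULL0:
        return False, "source black-holed (RTBH)"
    return True, "ok"


def build_edge_router() -> Fib:
    """Constructed FIB of an edge router: default route to the WAN, two inside prefixes."""
    fib = Fib()
    fib.add_route("0.0.0.0/0", "Serial0/0")
    fib.add_route("192.168.7.0/24", "Vlan1")
    fib.add_route("10.170.0.0/16", "Vlan1")
    return fib


def inject_rtbh(fib: Fib, prefix: str) -> None:
    """Effect on an edge router of the trigger router's
    'ip route 1.2.3.0 255.255.255.0 null0 tag 255' once the IGP distributes it:
    the attacker's source prefix now resolves to Null0, so uRPF drops it in either mode."""
    fib.add_route(prefix, NULL0)


if __name__ == "__main__":
    fib = build_edge_router()
    # An inside address arriving on the WAN fails strict mode; the same address on Vlan1 passes.
    for src, ingress in [("8.8.8.8", "Serial0/0"), ("192.168.7.5", "Serial0/0"), ("192.168.7.5", "Vlan1")]:
        print(src, ingress, urpf_strict(fib, src, ingress))
    inject_rtbh(fib, "1.2.3.0/24")
    print("1.2.3.4 after RTBH:", urpf_loose(fib, "1.2.3.4"))
```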
-
Denied due to NAT reverse path failure
I have an ASA5505 (Base licence, ASDM 7.1(3), ASA 9(2)) and I am confused about "denied due to NAT reverse path failure".
My IP scheme is as follows:
INSIDE = 10.0.1.0/24
DMZ = 172.16.0.0/24
VPN_Pool = 172.16.20.0/24
PROBLEM: VPN users can connect to the ASA but can't reach anything on the LAN or DMZ.
TRIAGE: I ran packet-tracer with the following result:
ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6415, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

QUESTION?
The error received is "... Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."
What NAT rules do I have to apply to allow users access to the LAN/DMZ resources?
Current NAT is the following:
1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 1623, untranslate_hits = 34
    Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 2851, untranslate_hits = 121
    Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21
THANKS IN ADVANCE FOR HELP!
The address pool for VPN users must have a NAT exemption for all DMZ or inside networks they will use. They appear as outside addresses (even though they receive a local private IP address) based on their ingress interface.
Therefore, without a NAT exemption, traffic back to them is NATted by one of your two NAT rules above (while the incoming traffic was not NATted). Hence the "asymmetric NAT rules matched for forward and reverse flows" message.
Your packet-tracer specified them as inside, so it gave you a false positive indication that the traffic would be allowed.
-
Does anyone know how to fix this? I can't rebuild the paths (there are too many) and I tried to cut and paste inside to a new path, which hasn't worked. I think the person who built the original path built it large and reversed, then cropped the document flush outside the path. Please see the attached jpg for more details. I played a bit with the Refine Edge tool, but this isn't really what I'm looking for. Thanks in advance.
Select this path with the Path Selection tool (the black arrow) and, in the Options bar, change the button from Subtract from Shape Area to Add to Shape Area.
-
Question on NAT reverse path failure
Hello
Using an ASA 5512-X running 9.3(3). I have AnyConnect VPN configured to PAT the remote access subnet to one of the inside interfaces (because of internal routing restrictions).
For example...
Remote subnet: 192.168.10.0/24
Internal subnet: 192.168.1.0/24
Internal interface: 192.168.1.254
All remote access clients are hidden behind 192.168.1.254 and it works correctly until I add a dynamic NAT rule for outbound traffic; then I start to see "NAT reverse path failure" errors when VPN clients try to access internal resources.
object network LAN1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Is there a way to work around this problem, given that all the remote access clients are hidden behind the interface address?
Thanks for any help.
Hello
Instead of doing the NAT under the object, have you tried doing it globally, like:
nat (inside_101_infrastructure,outside) source dynamic LAN-GROUP interface destination static ANYCONNECT_VPN_SUBNET ANYCONNECT_VPN_SUBNET
Thank you
PS: Please don't forget to rate and mark as correct answer if this solves your problem
-
NAT reverse path failure
Hello guys,
We are having a problem with a VPN between two ASAs. These are two test environments, but we need connectivity between the two to move large quantities of data back and forth. The ASA at Site 1 (ASA 1) runs 8.3 code and the ASA at Site 2 runs 8.2 code. The VPN comes up, but traffic does not get through. Site 2 can send but not receive, and Site 1 can receive but not send. The only error I get is at Site 1 and it's below:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.255.1.100 dst inside:172.16.1.20 (type 8, code 0) denied due to NAT reverse path failure
Site 1 is a flat network. There is an ASA used as gateway, but the local network is simply a flat class B subnet. No VLANs, no additional routing, only switches connected back to each other on the same subnet. The trusted network is 172.16.0.0/16.
Site 2 is a little more complex. It has an ASA connected to a Cisco 6500 that hosts an FWSM. The network that needs to talk over the VPN is behind the FWSM and is 10.255.1.0/24. I have attached a diagram. The ASA at Site 2 doesn't have a link on 10.255.1.0, but it has a route to reach it via the 10.255.255.x network. Currently ASA 2 can see the 10.255.1.0 network with no problems. We need this 10.255.1.0 network to reach the 172.16.0.0 network via the VPN to Site 1.
When traffic comes from Site 2, the VPN comes up successfully, but the traffic does not arrive. I see logs on the FWSM and the ASA showing traffic hitting both, so I'm confident the traffic successfully left Site 2. Site 1 is where I get the above error. When I source traffic from Site 1, I don't see anything on the Site 2 ASA or FWSM. This seems to be a problem on the Site 1 ASA, but if you want me to post the NAT configurations, just let me know.
Thanks in advance to all those who help!
Hello
Do you have the crypto ACL at both ends? I mean it takes a mirrored ACL at both ends, and do you have the no-nat rule configured for this?
Say your site 1: ASA 8.3
access-list <acl-name> extended permit ip 172.16.0.0 255.255.0.0 10.255.1.0 255.255.255.0
object network locallan
 subnet 172.16.0.0 255.255.0.0
object network remotelan
 subnet 10.255.1.0 255.255.255.0
nat (inside,outside) source static locallan locallan destination static remotelan remotelan
Say your site 2: ASA 8.2
access-list <acl-name> extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list no-nat extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list no-nat
Regards
Knockaert
-
Reverse the direction of a pasted path?
I have a path on a shape layer and I copy this path into the Position property of another layer (so I can animate this layer along the path).
But I need to reverse the movement of the pasted Position.
So instead of the object moving right then left, I need left then right.
I tried changing the "Reverse Path Direction" setting on the path before copy/paste, but that doesn't seem to do anything.
CC 2015
Select all keyframes > right click > Keyframe Assistant > Time-Reverse Keyframes
-
Severity 1 traps, "Deny ICMP reverse path check from ..."
Hello
I have 1.2.0.0/19, but 1.2.24.0/whatever is not in use (I only use the first /24 of the /19).
I don't have 172.16.0.0/whatever on any interface.
My WAN interface is simply called wan.
These are the severity 1 messages I get:
<161>%ASA-1-106021: Deny icmp reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan
The router (2821) in front of my ASA drops all packets coming from the 10/8, 172.16/16 and 192.168/16 networks on its WAN, so I don't know how this can happen.
How serious is this? What exactly does it mean? How can I find out who is doing this so I can stop it from filling my log?
Hello 3moloz123,
How often do you get it? If it happens often enough, you can run a packet capture on the outside of your ASA matching all traffic from 172.16.0.3.
If you are certain that no traffic with source address 172.16.0.3 destined for your ASA leaves your router having originally entered on a different router interface, the traffic could be reaching your ASA with source address 172.16.0.3, destined to 1.2.24.168, with your router's MAC, hairpinning out of your router and heading to your ASA. The ASA then drops the packet because of the RPF check.
If your router supports outbound ACLs, you can apply one to the interface facing the ASA. However, it should only be applied temporarily until you can find the real source of the traffic. Have you done a packet capture for 172.16.0.3 (on or inside your ASA) to see whether 172.16.0.3 is sending traffic to 1.2.24.168?
Thank you
Blayne Dreier
Cisco TAC Escalation Team
* Please check out our Podcasts *
TAC security show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758
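An added example for the triage discussed above (not code from the thread): it parses %ASA-1-106021 reverse-path-check denials of the form quoted in the post, classifies each source as private/bogon, one of the ASA owner's own prefixes seen on the outside, or other, and counts repeats so you can see whether a single source keeps filling the log. The sample log lines are constructed (the first reproduces the poster's message; the others are made up), and the owned prefix 1.2.0.0/19 is taken from the post.

```python
"""Parse ASA %ASA-1-106021 reverse-path-check denials and classify the sources.

Added example, not code from the forum thread.  The message format follows the
line quoted in the post; the sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# %ASA-1-106021: Deny <protocol> reverse path check from <src> to <dst> on interface <name>
RE_106021 = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<ifc>\S+)"
)

# Ranges that should never appear as a source address on an Internet-facing interface.
PRIVATE_OR_BOGON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_106021(line: str) -> Optional[Dict[str, str]]:
    """Return the message fields, or None if the line is not a 106021 denial."""
    m = RE_106021.search(line)
    return m.groupdict() if m else None


def classify_source(src: str, own_prefixes: Iterable[str]) -> str:
    """Suggest why the RPF check fired for this source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in PRIVATE_OR_BOGON):
        return "private/bogon source (filter upstream)"
    if any(ip in ipaddress.ip_network(p) for p in own_prefixes):
        return "own address seen on outside (spoofed or hairpinned)"
    return "other (check for asymmetric routing)"


def summarize(lines: Iterable[str], own_prefixes: List[str]) -> Counter:
    """Count denials per (source, interface, classification) to see what repeats."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_106021(line)
        if rec is None:          # other syslog IDs are ignored
            continue
        key = (rec["src"], rec["ifc"], classify_source(rec["src"], own_prefixes))
        counts[key] += 1
    return counts


# Constructed sample: line 1 is the poster's message, the others are invented.
SAMPLE_LOG = [
    "<161>%ASA-1-106021: Deny icmp reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan",
    "<161>%ASA-1-106021: Deny icmp reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan",
    "<161>%ASA-1-106021: Deny tcp reverse path check from 1.2.5.9 to 1.2.0.10 on interface wan",
    "<161>%ASA-1-106021: Deny udp reverse path check from 203.0.113.7 to 1.2.0.10 on interface wan",
    "<166>%ASA-6-302013: Built inbound TCP connection 1234 for wan:203.0.113.7/4000 "
    "(203.0.113.7/4000) to inside:1.2.0.10/80 (1.2.0.10/80)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG, ["1.2.0.0/19"]).most_common():
        print(n, key)
```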
-
Hello
I'm running into a problem trying to morph two shapes (created in Illustrator).
Here are the steps I took (the problem is in bold):
- Imported two Illustrator files into AE and put them on the timeline as two separate layers.
- Converted the two vector layers to shapes.
- Animated the paths of the two shape layers.
- Copied/pasted the path of Shape1 onto the timeline of Shape2.
- Changed the "First Vertex Point" for the two paths so that they are in corresponding positions.
- After step #5, the morph between the two paths retained a "twisty" effect during interpolation.
I did some research and discovered that the vertices were probably not numbered the same because I made them in Illustrator. - To address the vertex problem, I copied the path of Shape2, pasted it into Illustrator and used the "Reverse Path Direction" tool in the Attributes panel. (To do this, I pasted the path, pressed Command-8, then reversed the path direction.)
- Once the path direction was reversed, I pasted the path for Shape2 into the timeline for Shape1 and got the morph I wanted (much more natural, non-twisty).
- However, now the path for Shape2 moves to the upper-left corner of the composition during interpolation and I don't know why. I checked and there are no position keyframes enabled. (The anchor point for the path crosses the top-left of the composition.)
When I try to drag the path back to its normal position, the entire layer moves.
The problem seems to be solved when I paste the path into a different group in the same layer; however, I still have to set the position manually. This workaround is problematic for the project I am working on because the shapes I work with have several paths, and dragging each one back into position manually is neither accurate nor time-saving. (Note: I have not been able to enter position values numerically to solve this problem; it has all been physical dragging.)
What is causing the path to move during interpolation and how can I prevent it?
I hope I was able to articulate the problems I am encountering. Any ideas would be greatly appreciated.
Thanks in advance!
In addition, some other info:
Computer: MacBook Pro 13" Retina (late 2012)
Processor: 2.9 GHz Intel Core i7; Memory: 8 GB 1600 MHz DDR3 (6.5 GB dedicated to active Adobe products)
Graphics card: Intel HD Graphics 4000 1536 MB
Using After Effects CC (13.5.0.347). Thank you once again!
On morphing:
To create smoother shape-to-shape transitions you can use mask interpolation; it creates intermediate keyframes between two path keyframes. Read about it here: Managing and animating shape paths and masks in After Effects. Unfortunately, this is for mask paths and not shape paths, but you're smart: you can copy the path to a mask, do your thing and then paste it back. Or maybe you don't need the shape anyway. See if it works.
On the path offset:
I was able to reproduce the problem. Here's how I see it: when you convert AI layers to shapes, they get some position attributes so that they are placed in the same position. Note that if you press UU you get the changed properties:
When you paste the path from Illustrator, you paste it onto a layer that has transform offsets, and that is why your layer is up there.
This I do not understand:
"To address the vertex problem, I copied the Shape2 path, pasted it into Illustrator and used the "Reverse Path Direction" tool in the Attributes panel. (To do this, I pasted the path, pressed Command-8, then reversed the path direction.)"
You don't need to copy/paste from AE to AI and back when you can copy/paste the original AI layer into AE. To do this, copy/paste only once. You can copy/paste paths from AI to AE too.
Here are my suggested solutions (choose one! not all of them):
1. Reverse the path in AI, save the file and convert the layer to a shape again. This way you don't copy/paste the path from AI, only from AE.
2. Reset the transform and position properties of the shape group. Then the copy/paste will land exactly where your path is.
3. If you don't really need shapes, you can work with layer masks and copy/paste to and from AI like crazy without any offset.
-
Make a linear path into a circular path
I'm relatively new to Illustrator and trying to figure out how to change a linear object into a circular object. Below you will see that I have a "River Road" (really just evenly spaced "waves" on a straight line) in blue and a circular ring in yellow (crossed out in red).
I want to wrap the "River Road" to replace the red inner stroke of the donut/circle. [I would also like to make a second version with the "waves" on the outside of the ring/circle, so help with both would be great.] Basically, I want to take an anchor at the end of the "River" path and wrap it around a circular path until it meets the other end anchor.
I tried using Effect > Warp > Arc, then copying the path and reflecting it; however, that does not produce a real semicircle effect (see below).
I read another thread here on the art brush,
but I don't know how to do this without more details than that post outlines. If anyone knows how to do this with the art brush, I would be grateful for guidance. Or any idea for my goal: a doughnut with the waves on the inside edge (and then again on the outer edge).
CommCo,
An Art Brush like a wave will keep the number of ridges and stretch to fit the path it is applied to.
You can:
(1) create the wave as a continuous path with the correct number of ridges;
(2) drag it to the Brushes palette/panel and drop it on the New Brush button, just use the default values and name;
(3) select the path (inside/outside), then click the wave brush.
If you want ridges on the opposite side of a path, you can either create another Art Brush with Flip checked, or reverse the path (one way is to use the free reverse script here: http://park12.wakwak.com/~shp/lc/et/en_aics_script.html).
And you can adjust the height/thickness of the wave by changing the stroke weight in the Stroke palette/panel.
-
Cisco 877W DHCP does not automatically populate Windows/Mac clients with DNS server entries
I have an 877W that has been operational on Verizon for about 5 years. It has never automatically distributed DNS server info to clients that get a DHCP-issued IP address. I have to manually enter the DNS entries on each client. This has also happened at other sites where I've installed 877s on AT&T, as well as on unified communications.
Here is the config. Thanks in advance for the help.
Building configuration...
Current configuration : 7987 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cods
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 jSwA $1$ $ 3B5lJNqm0ewh
!
aaa new-model
!
!
aaa authentication login local-to-remote local
aaa authorization network remote local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.19
ip dhcp excluded-address 192.168.7.70 192.168.7.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1
   dns-server 68.238.96.12 68.238.112.12
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
ip domain name cods.com
ip name-server 68.238.96.12
ip name-server 68.238.112.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-437228204
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-437228204
 revocation-check none
 rsakeypair TP-self-signed-437228204
!
!
crypto pki certificate chain TP-self-signed-437228204
 certificate self-signed 01
  quit
username privilege 15 secret $5 1jgO$sGD@#l4yTtLtYoEZbh/Wl steal551.
!
!
crypto keyring vpn_ddaus
  pre-shared-key address 0.0.0.0 0.0.0.0 key stealthfortyfor5
crypto keyring vpn_rmlfk
  pre-shared-key address 205.30.134.22 key stealthfortyfor5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20
!
crypto isakmp client configuration group VPNRemote
 key ConnectNow45
 pool ippool
crypto isakmp profile vpnclient
   match identity group VPNRemote
   client authentication list local-to-remote
   isakmp authorization list remote
   client configuration address respond
crypto isakmp profile CODS_DDAUS
   keyring vpn_ddaus
   match identity address 0.0.0.0
crypto isakmp profile CODS_RMLFK
   keyring vpn_rmlfk
   match identity address 205.30.134.22 255.255.255.255
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 set isakmp-profile vpnclient
crypto dynamic-map dynmap 12
 set transform-set RIGHT
 set isakmp-profile CODS_DDAUS
!
!
crypto map mymap 1 ipsec-isakmp
 set peer 205.30.134.22
 set transform-set RIGHT
 set isakmp-profile CODS_RMLFK
 match address CODS_to_RMFLK
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface Loopback10
 ip address 1.1.1.1 255.255.255.0
!
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip verify unicast reverse-path
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 pvc 0/35
  encapsulation aal5snap
 !
 bridge-group 2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip route-cache cef
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid tsunami
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 14231A0E01053324363F363B36150E050B08585E
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface control2
 ip address 70.14.49.134 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map mymap
!
ip local pool ippool 10.10.10.1 10.10.10.254
ip classless
ip route 0.0.0.0 0.0.0.0 70.14.49.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 133 interface control2 overload
!
ip access-list extended CODS_to_RMFLK
 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 70.14.49.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 133 deny   ip 192.168.7.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 133 permit ip 192.168.7.0 0.0.0.255 any
not run cdp
mymap permit 10 route map
corresponds to the IP 111
set ip next-hop 1.1.1.2
!
!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
Bridge Protocol ieee 2
IP road bridge 2
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not an authorized user. ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line vty 0 4
privilege level 15
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
endHello
Can you try removing the IMPORT ALL from the DHCP pool?
RES
Paul
Sent by Cisco Technical Support iPad App
-
We have a Cisco 2800 at each of our four locations, managed by our ISP. We have had problems with them, so I got them to send me the configuration file of one of them, but nothing jumps out at me.
We have to disable TCP Window Scaling/tuning on all our Windows 7/Server 2012 machines (by running netsh interface tcp set global autotuning=disabled at the command line).
If we don't, it is very slow to load even a web page and we cannot download a file (even something as small as 2 MB). Mobile devices have no hope of working on our network now because of this. This isn't an issue on our remaining XP machines, but I think that is because XP doesn't use Window Scaling.
Any ideas what could be causing this? I intend to replace them soon with our own routers, because they do not want to configure the secondary interfaces for our VLANs, but in the meantime I need this working.
Thanks in advance for any help.
Here is the config with sensitive information removed:
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REMOVED
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
no logging console
enable secret REMOVED
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-REMOVED
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-REMOVED
revocation-check none
rsakeypair TP-self-signed-REMOVED
!
!
crypto pki certificate chain TP-self-signed-REMOVED
certificate self-signed 01
REMOVED
quit
!
class-map match-all VOIP
match access-group 120
!
!
policy-map VOIP
class VOIP
priority 1000
class class-default
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set VPN
!
crypto ipsec profile SDM_Profile2
set transform-set VPN
!
!
!
!
!
interface Tunnel0
description $FW_INSIDE$
bandwidth 3000
ip address 10.10.200.1 255.255.255.0
ip access-group 101 in
no ip redirects
ip mtu 1400
ip nhrp authentication VPN
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 20
delay 10
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface Loopback0
ip address 192.168.210.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 10.10.100.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map server-nat
duplex auto
speed auto
no mop enabled
service-policy output VOIP
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address IP REMOVED NETMASK REMOVED
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1/0
load-interval 30
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
router ospf 100
log-adjacency-changes
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
passive-interface FastEthernet0/1/0
network 10.10.100.0 0.0.0.255 area 0
network 10.10.200.0 0.0.0.255 area 0
network 10.10.201.0 0.0.0.255 area 0
network 192.168.210.1 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
!
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 30000
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool nat REMOVED netmask REMOVED
ip nat inside source list 150 interface FastEthernet0/1 overload
!
access-list 100 deny ip 10.10.200.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny ip 10.10.201.0 0.0.0.255 any
access-list 101 remark Tunnel ACL
access-list 101 deny ip REMOVED 0.0.0.7 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log
access-list 101 permit ip host 10.10.100.10 any log
access-list 101 permit ip host 10.10.100.12 any log
access-list 101 permit ip host 10.10.100.20 any log
access-list 101 permit ip host 10.10.100.21 any log
access-list 101 permit ip host 10.10.100.45 any log
access-list 101 permit ip any host 10.10.100.10 log
access-list 101 permit ip any host 10.10.100.12 log
access-list 101 permit ip any host 10.10.100.20 log
access-list 101 permit ip any host 10.10.100.21 log
access-list 101 permit ip any host 10.10.100.45 log
access-list 101 permit ospf any any
access-list 101 permit icmp any any
access-list 101 deny ip 10.10.100.0 0.0.0.255 any log
access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 remark Outside ACL
access-list 102 permit tcp host REMOVED host REMOVED eq 22
access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22
access-list 102 permit udp any host REMOVED eq non500-isakmp
access-list 102 permit udp any host REMOVED eq isakmp
access-list 102 permit esp any host REMOVED
access-list 102 permit ahp any host REMOVED
access-list 102 permit gre any host REMOVED
access-list 102 permit icmp any host REMOVED echo-reply
access-list 102 permit icmp any host REMOVED time-exceeded
access-list 102 permit icmp any host REMOVED unreachable
access-list 102 permit ip any host 10.10.100.10
access-list 102 permit ip any host 10.10.100.12
access-list 102 permit ip any host 10.10.100.20
access-list 102 permit ip any host 10.10.100.21
access-list 102 permit ip any host 10.10.100.45
access-list 102 deny ip 10.10.100.0 0.0.0.255 any
access-list 102 deny ip 10.10.200.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 103 permit ip REMOVED 0.0.0.15 any
access-list 103 permit ip 10.10.200.0 0.0.0.255 any
access-list 103 permit ip 10.10.100.0 0.0.0.255 any
access-list 103 permit ip 10.10.110.0 0.0.0.255 any
access-list 103 permit ip 10.10.120.0 0.0.0.255 any
access-list 103 permit ip 10.10.130.0 0.0.0.255 any
access-list 110 deny ip host 10.10.100.12 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.12 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.10 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.10 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.20 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.20 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.21 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.21 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.45 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.45 10.10.130.0 0.0.0.255
access-list 110 permit ip host 10.10.100.12 any
access-list 110 permit ip host 10.10.100.10 any
access-list 110 permit ip host 10.10.100.20 any
access-list 110 permit ip host 10.10.100.21 any
access-list 110 permit ip host 10.10.100.45 any
access-list 120 permit udp any any eq 5060
access-list 150 deny ip host 10.10.100.10 any
access-list 150 deny ip host 10.10.100.12 any
access-list 150 deny tcp host 10.10.100.20 any eq 3389
access-list 150 deny ip host 10.10.100.21 any
access-list 150 deny tcp host 10.10.100.45 any eq 22
access-list 150 deny tcp host 10.10.100.45 any eq 443
access-list 150 deny udp host 10.10.100.45 any eq 5060
access-list 150 deny udp host 10.10.100.45 any range 10000 10500
access-list 150 deny ip 10.10.110.0 0.0.0.255 any
access-list 150 deny ip 10.10.120.0 0.0.0.255 any
access-list 150 deny ip 10.10.130.0 0.0.0.255 any
access-list 150 permit ip 10.10.100.0 0.0.0.255 any
!
route-map server-nat permit 10
match ip address 110
set ip next-hop 10.10.200.3
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CC
<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
Authorized access only
<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
Disconnect IMEDIATELY if you are not an authorized user !
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input ssh
!
end
Hello Jason,
You will find articles from May saying that the MS AutoFix feature does not work well with some firewalls' stateful inspection and/or VPNs.
On CSC, I found another interesting one:
https://supportforums.Cisco.com/thread/2169557
Maybe Joseph will join this discussion later with some new or additional information.
Best regards
Rolf
-
Hi all
Hope you are doing very well. I checked the other questions, but unfortunately I found nothing related to my request. I'm just a newbie here, so I really would appreciate it if the pros could help me. Thank you!
This is the problem. I've implemented an ASA 5505 VPN. I've set up two local networks (one that is directly connected to where I'm sitting and the other that I have connected to my local network by adding a static route) where I run this firewall. Now I want to access the two local networks from the 'Outside' interface of the ASA 5505.
I can easily access the local network which is in my place, but I can't access it when I come through the VPN. Whereas I can ping the other ASA 5505 network and there is no problem. As far as I have troubleshooted, I found that 'NAT reverse path failure' is the error when I try to access the network by connecting via VPN.
Now, if you understand the scenario, I just need to know what it is that I'm missing.
Your help will be very much appreciated. Thank you!
Kind regards
Ali
I apologize if I wasn't clear enough. To access resources across the VPN, we must ensure that the traffic is exempt from NAT.
1 - Assign any user who tries to connect to the VPN the VPN POOL 10.10.10.0_24.
Yes, assign a VPN pool different from the 192.168.x.x or 10.10.x.x subnets so that it doesn't interfere with your current IP addressing.
2 - Add a NAT which will translate this IP address of 10.10.10.0_24 to the IP 192.168.11.0_24.
There is no need to translate the IP addresses. We just need to either translate them to themselves or NAT-exempt them, as follows:
nat (inside,outside) source static obj_internal obj_internal destination static obj_remote obj_remote no-proxy-arp route-lookup
This command states that obj_internal is translated to obj_internal when it needs to access obj_remote. It is, in essence, identity NAT or NAT exempt.
3. I should add another NAT which will translate 11.0 addresses to 192.168.10.0 addresses.
I hope this helps.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
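The NAT-exempt point above, as an added example that is not part of this thread or Cisco's code: a simplified Python model (my own) of first-match twice NAT rule ordering and the reverse-flow consistency check behind the "NAT reverse path failure" message. The 10.10.10.0/24 pool and 192.168.10.0/24 inside network come from the thread; the outside-interface address 203.0.113.1 and the Internet host 198.51.100.7 are constructed.

```python
"""Simplified model of ASA (8.3+) first-match twice NAT, constructed for
illustration only; it is not Cisco's code or the ASA's real algorithm."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

OUTSIDE_IF_IP = ip_address("203.0.113.1")   # constructed outside-interface address


@dataclass
class NatRule:
    """One 'nat (inside,outside) source ... [destination ...]' line."""
    real_src: str                  # inside network the rule matches on
    mapped_src: Optional[str]      # None = dynamic PAT to the outside interface
    real_dst: str = "0.0.0.0/0"    # optional destination qualifier


def translate_src(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Source address an inside host shows to dst, per the first matching rule."""
    for r in rules:
        if src in ip_network(r.real_src) and dst in ip_network(r.real_dst):
            if r.mapped_src is None:
                return OUTSIDE_IF_IP                 # interface PAT
            real, mapped = ip_network(r.real_src), ip_network(r.mapped_src)
            offset = int(src) - int(real.network_address)
            return IPv4Address(int(mapped.network_address) + offset)  # static/identity
    return src                                       # no rule matched: untouched


def reverse_path_ok(rules: List[NatRule], vpn_client: IPv4Address, inside_host: IPv4Address) -> bool:
    """Forward flow: VPN client -> inside host's real address. The firewall only
    keeps the connection if the reverse flow (host -> client) would present the
    host under that same address; otherwise the flow is asymmetric and is
    dropped with a 'NAT reverse path failure'."""
    return translate_src(rules, inside_host, vpn_client) == inside_host


# Rule sets, listed in the order they are evaluated.
PAT_ONLY = [NatRule("0.0.0.0/0", None)]          # nat (inside,outside) source dynamic any interface
EXEMPT = NatRule("192.168.10.0/24", "192.168.10.0/24",   # identity rule from the answer:
                 "10.10.10.0/24")                          # obj_internal->obj_internal for obj_remote
EXEMPT_FIRST = [EXEMPT] + PAT_ONLY               # correct: exempt rule ahead of PAT
EXEMPT_LAST = PAT_ONLY + [EXEMPT]                # wrong order: the PAT rule shadows it

if __name__ == "__main__":
    client, host = ip_address("10.10.10.5"), ip_address("192.168.10.20")
    for name, rules in [("PAT only", PAT_ONLY), ("exempt first", EXEMPT_FIRST), ("exempt last", EXEMPT_LAST)]:
        print(f"{name:13s}: reverse path {'OK' if reverse_path_ok(rules, client, host) else 'FAILS'}")
    # Non-VPN destinations are still PATed under the correct rule set.
    print("to Internet   :", translate_src(EXEMPT_FIRST, host, ip_address("198.51.100.7")))
```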