orphanc
asked on
Cisco ASA 5510 config problem- traffic getting out but not in!!
Hi, this is a new question because the previous one wasn't very thorough!
I have set up an ASA 5510 firewall to replace a basic Netgear FVs router, and have tried to mimic the rules it has.
I have set up two outside interfaces, one primary (10mg LES) and one backup ADSL interface. Config as follows:
: Saved
:
ASA Version 7.2(3)
!
hostname Ciscoasa
domain-name xxx.COM
enable password tq6dfNC3ZlBOcGgY encrypted
names
name 192.168.2.50 Mailstorm description Exchange Server
name 192.168.2.40 Filestorm description File Server
name 192.168.2.35 Seastorm description FTP Server
name 192.168.2.52 Xarios description Xarios Server
name 192.168.2.9 Sonicwall description Sonicwall_VPN
name 192.168.2.64 Graham description Used for Sales Force
name 192.168.2.69 Chrissy description Chrissy's PC
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif OUTSIDE_PRIMARY
security-level 0
ip address 193.x.x.x.250 255.255.255.252
ospf cost 10
!
interface Ethernet0/1
nameif OUTSIDE_BACKUP
security-level 0
ip address 217.x.x.73 255.255.255.248
ospf cost 10
!
interface Ethernet0/2
nameif INSIDE
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup OUTSIDE_PRIMARY
dns domain-lookup OUTSIDE_BACKUP
dns domain-lookup INSIDE
dns server-group DefaultDNS
domain-name xx.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service xmpp_tls tcp
description Spark
port-object range 5222 5222
object-group service VPN_8008 tcp
port-object range 8008 8008
object-group service atrweb tcp
description ATRWEB
port-object range 8000 8000
object-group service SMTP_allowed tcp
description For exchange mail Delivery
port-object eq smtp
object-group service XARIOS_HTTP tcp
description XARIOS HTTP
port-object range 9090 9090
object-group service XARIOS_HTTP_2 tcp
description XARIOS_HTTP_2
port-object range 9091 9091
object-group network Exchange_Server
description Exchange Server
network-object host Mailstorm
object-group network File_Server
description File_Server
network-object host Filestorm
object-group network TH_DCs
description TH DC's
network-object host Filestorm
network-object host Mailstorm
object-group network Irvine_Local
network-object 192.168.12.0 255.255.255.0
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp host 194.159.181.194 eq https host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_PRIMARY_1_cryptomap extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging host INSIDE Chrissy 6/1470
mtu OUTSIDE_PRIMARY 1500
mtu OUTSIDE_BACKUP 1500
mtu INSIDE 1500
mtu management 1500
no failover
monitor-interface OUTSIDE_PRIMARY
monitor-interface OUTSIDE_BACKUP
monitor-interface INSIDE
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE_PRIMARY) 1 interface
global (OUTSIDE_BACKUP) 1 interface
global (INSIDE) 1 interface
nat (INSIDE) 1 192.168.2.0 255.255.255.0
static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY
access-group OUTSIDE_BACKUP_access_in in interface OUTSIDE_BACKUP
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE_PRIMARY 0.0.0.0 0.0.0.0 193.x.x.249 1 track 1
route OUTSIDE_BACKUP 0.0.0.0 0.0.0.0 217.x.x.78 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
http 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
http 192.168.2.5 255.255.255.255 INSIDE
http 192.168.1.0 255.255.255.0 management
http Chrissy 255.255.255.255 INSIDE
http 192.168.2.68 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 193.195.216.249 interface OUTSIDE_PRIMARY
num-packets 4
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable OUTSIDE_PRIMARY
crypto isakmp enable OUTSIDE_BACKUP
crypto isakmp enable INSIDE
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
ssh 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
ssh 192.168.2.68 255.255.255.255 INSIDE
ssh Chrissy 255.255.255.255 INSIDE
ssh 192.168.2.5 255.255.255.255 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth enable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password Zn1g.2LlcLd5BGRL encrypted privilege 15
tunnel-group 12.35.202.180 type ipsec-l2l
tunnel-group 12.35.202.180 ipsec-attributes
pre-shared-key *
smtp-server 192.168.2.50
prompt hostname context
Cryptochecksum:d8f254e85fdf9371c70f304389173337
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
In short, after much deliberation I can get out on the internet fine on the OUTSIDE_PRIMARY - I can ping the internet the GW out, but not the interface IP - this is fine though as ICMP is not allowed by default. On a public connection I can ping it, but I can't get in from outside whatsoever. From my limited knowledge, I have set up the outside_in rules as needed and the inside_in rules to permit any any.
A friend said I shouldn't have to configure the outside_outgoing rules, as high to low security on interfaces is automatically allowed.
So, as nothing gets in, I think I am missing something that should be quite obvious - a NAT or route? I know it denies by default but I need some traffic allowed in.
Any ideas?
Thanks in advance!
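The inbound rules and the single static in the posted config can be checked mechanically. The script below is an added example, not part of the original post or of the members-only accepted answer; it assumes pre-8.3 ASA semantics (a port qualifier placed after the source address is the source port, and an inbound ACE has to name an address that a `static` exposes on that interface). The function `audit`, the finding codes and the `FIXED` fragment are constructed for illustration.

```python
import re

# Excerpt of the configuration posted above: two names, one service group,
# three inbound rules, the only static, and the access-group binding.
CONFIG = """\
name 192.168.2.50 Mailstorm description Exchange Server
name 192.168.2.35 Seastorm description FTP Server
object-group service SMTP_allowed tcp
 port-object eq smtp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq www host Seastorm eq www
static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY
"""

# Constructed fragment (not from the post): static PAT on the interface address
# plus an ACE that names that address and leaves the source port open.
FIXED = """\
name 192.168.2.50 Mailstorm
static (INSIDE,OUTSIDE_PRIMARY) tcp interface smtp Mailstorm smtp netmask 255.255.255.255
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq smtp
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY
"""

PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}

def take(tok, n):
    """Remove and return the first n tokens as one string."""
    head, tok[:] = tok[:n], tok[n:]
    return " ".join(head)

def take_port(tok, svc_groups):
    """Consume an optional port qualifier; return it, or None if absent."""
    if tok and tok[0] in PORT_OPS:
        return take(tok, PORT_OPS[tok[0]])
    if len(tok) > 1 and tok[0] == "object-group" and tok[1] in svc_groups:
        return take(tok, 2)
    return None

def audit(config, outside_if):
    """Return (ace_number, code) findings for the ACL bound inbound to outside_if."""
    lines = [l.strip() for l in config.splitlines()]
    names = {m[2]: m[1] for l in lines if (m := re.match(r"name (\S+) (\S+)", l))}
    svc_groups = {m[1] for l in lines if (m := re.match(r"object-group service (\S+)", l))}
    # Addresses that a static exposes on outside_if (the "mapped" side).
    mapped = {m[1] for l in lines
              if (m := re.match(rf"static \(\w+,{outside_if}\) (?:tcp |udp )?(\S+)", l))}
    acl = next(m[1] for l in lines
               if (m := re.match(rf"access-group (\S+) in interface {outside_if}$", l)))
    findings = []
    aces = [l for l in lines if l.startswith(f"access-list {acl} extended ")]
    for n, ace in enumerate(aces, 1):
        tok = ace.split()[5:]     # drop "access-list NAME extended permit tcp"
        take(tok, 1 if tok[0] == "any" else 2)        # source address
        if take_port(tok, svc_groups):                # a port here is the SOURCE port
            findings.append((n, "SRC_PORT_PINNED"))
        dst = take(tok, 1 if tok[0] == "any" else 2).split()[-1]
        if dst not in ("any", outside_if) and names.get(dst, dst) not in mapped:
            findings.append((n, "DST_NOT_A_MAPPED_ADDRESS"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG, "OUTSIDE_PRIMARY"):
        print(finding)
```

Network object-groups are not expanded, so an ACE whose destination is a network group is reported against the group name rather than its members.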
ASKER CERTIFIED SOLUTION
ASKER
Exactly the answer! Thanks for everything- your solution was worth every point. :)
Glad to assist...