02-12-2010 10:38 AM - edited 03-11-2019 10:08 AM
Wondering if any security/firewall gurus out there can shed some light on this. I have an ASA5505 that's acting as my default gateway for all the machines in my network. I have one unmanaged gig switch behind it that has a couple machines connected. For some reason, I can't get any kind of TCP connection to a server. No remote desktop, VNC, file sharing, etc. Ping works fine. It doesn't matter if I have the server plugged directly into the ASA or on the gig switch. Every time I try to connect, it times out and I get these messages in the logs.
What's interesting, is if I disconnect my gig switch from the ASA then try remote desktop, it works fine. Plug it back into the ASA and it breaks. I only have 2 vlans configured on the ASA - one for inside and one for outside. This has been going on for quite a while and has been a royal pain and I figured I'd post up here to see if anyone has suggestions.
I've tried upgrading to new versions on the ASA but that didn't fix the issue and created a couple more problems (not related).
So, any suggestions?
Here are the logs:
Feb 12 2010 10:34:33: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags ACK on interface inside
Feb 12 2010 10:34:33: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:33: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:34: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:35: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:36: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags ACK on interface inside
Feb 12 2010 10:34:36: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:38: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:40: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:44: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags ACK on interface inside
Feb 12 2010 10:34:45: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Here's the config from the ASA:
asa5505# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname asa5505
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.117.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
passwd 4hxr3f7eODySDiGR encrypted
regex BLOCKED_DOMAIN_1 "facebook"
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside-in extended permit gre any interface outside
access-list outside-in extended permit tcp any interface outside eq 6112
access-list outside-in extended permit tcp any interface outside eq 6113
access-list outside-in extended permit udp any interface outside eq 6113
access-list outside-in extended permit udp any interface outside eq 6112
access-list ccie_splitTunnelAcl standard permit 192.168.117.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.117.0 255.255.255.0 172.30.200.0 255.255.255.0
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq www
access-list permit-inside extended permit ip any any
pager lines 35
logging enable
logging timestamp
logging list test level debugging class auth
logging list test level debugging class webvpn
logging list test level debugging class svc
logging list test level debugging class ssl
logging buffer-size 25000
logging monitor debugging
logging buffered informational
logging asdm test
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.254.10-192.168.254.50 mask 255.255.255.0
ip local pool ccie 172.30.200.100-172.30.200.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 53001 192.168.117.190 53001 netmask 255.255.255.255
static (inside,outside) tcp interface 53002 192.168.117.190 53002 netmask 255.255.255.255
static (inside,outside) tcp interface 53003 192.168.117.190 53003 netmask 255.255.255.255
static (inside,outside) tcp interface 53004 192.168.117.190 53004 netmask 255.255.255.255
static (inside,outside) tcp interface 53005 192.168.117.190 53005 netmask 255.255.255.255
static (inside,outside) tcp interface 53006 192.168.117.190 53006 netmask 255.255.255.255
static (inside,outside) tcp interface 53007 192.168.117.190 53007 netmask 255.255.255.255
static (inside,outside) tcp interface 53008 192.168.117.190 53008 netmask 255.255.255.255
static (inside,outside) tcp interface 53009 192.168.117.190 53009 netmask 255.255.255.255
static (inside,outside) tcp interface 53010 192.168.117.190 53010 netmask 255.255.255.255
static (inside,outside) udp interface 53001 192.168.117.190 53001 netmask 255.255.255.255
static (inside,outside) udp interface 53002 192.168.117.190 53002 netmask 255.255.255.255
static (inside,outside) udp interface 53003 192.168.117.190 53003 netmask 255.255.255.255
static (inside,outside) udp interface 53004 192.168.117.190 53004 netmask 255.255.255.255
static (inside,outside) udp interface 53005 192.168.117.190 53005 netmask 255.255.255.255
static (inside,outside) udp interface 53006 192.168.117.190 53006 netmask 255.255.255.255
static (inside,outside) udp interface 53007 192.168.117.190 53007 netmask 255.255.255.255
static (inside,outside) udp interface 53008 192.168.117.190 53008 netmask 255.255.255.255
static (inside,outside) udp interface 53009 192.168.117.190 53009 netmask 255.255.255.255
static (inside,outside) udp interface 53010 192.168.117.190 53010 netmask 255.255.255.255
static (inside,outside) tcp interface 7006 192.168.117.190 7006 netmask 255.255.255.255
static (inside,outside) udp interface 4000 192.168.117.105 4000 netmask 255.255.255.255
static (inside,outside) tcp interface 4000 192.168.117.105 4000 netmask 255.255.255.255
static (inside,outside) udp interface 6113 192.168.117.190 6113 netmask 255.255.255.255
static (inside,outside) tcp interface 6113 192.168.117.190 6113 netmask 255.255.255.255
static (inside,outside) tcp interface 5910 192.168.117.190 5910 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.117.190 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.117.190 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.117.190 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 6112 192.168.117.190 6112 netmask 255.255.255.255
static (inside,outside) udp interface 6112 192.168.117.190 6112 netmask 255.255.255.255
static (inside,outside) tcp interface 3724 192.168.117.190 3724 netmask 255.255.255.255
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.117.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn asa5505
subject-name CN=asa5505
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.117.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd dns 68.87.77.130 68.87.72.130
dhcpd auto_config outside
!
dhcpd address 192.168.117.100-192.168.117.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
parameters
class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
inspect http POLICY_MAP_HTTP_INSPECTION
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map gobal_policy
class inspection_default
inspect icmp
policy-map global_default
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:27656cfe6474bf2063cf822141a9c0d0
: end
asa5505#
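As an added example (not code from the thread or from Cisco), here is a small Python pass over %ASA-6-106015 lines that flags the pattern visible in the logs above: mid-stream ACK / PSH ACK packets for which the ASA holds no connection, where both endpoints sit on the subnet of the interface the packet arrived on, so the frame should have been switched at layer 2 and never reached the firewall. The interface-to-subnet map is taken from the posted config (Vlan1 = inside); the sample lines are constructed after the posted ones plus one constructed outside-interface line.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the %ASA-6-106015 "Deny TCP (no connection)" message as shown in the thread.
LOG_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z]+(?: [A-Z]+)*) on interface (?P<ifc>\S+)"
)

# Interface -> directly connected subnet, from the posted config (interface Vlan1, nameif inside).
IFC_NETS = {"inside": ipaddress.ip_network("192.168.117.0/24")}

# Constructed sample: three lines shaped like the posted ones plus one constructed
# outside-interface line, so both classifications below are exercised.
SAMPLE_LOGS = """\
Feb 12 2010 10:34:33: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags ACK on interface inside
Feb 12 2010 10:34:33: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags PSH ACK on interface inside
Feb 12 2010 10:34:36: %ASA-6-106015: Deny TCP (no connection) from 192.168.117.100/61714 to 192.168.117.104/3389 flags ACK on interface inside
Feb 12 2010 10:35:01: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/40000 to 192.168.117.190/3389 flags ACK on interface outside
"""

def parse_106015(text):
    """Return one dict per 106015 line; lines that do not match the message are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = ev["flags"].split()
            events.append(ev)
    return events

def classify(ev, ifc_nets=IFC_NETS):
    """Say what a denied no-connection packet most likely means for this flow."""
    if "SYN" in ev["flags"]:
        return "syn"                    # 106015 is for non-SYN packets; treat a SYN here as unexpected
    net = ifc_nets.get(ev["ifc"])
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    if net is not None and src in net and dst in net:
        # Both endpoints are on the subnet of the ingress interface: the switch should have
        # forwarded this at layer 2 and the ASA should never have seen the packet.
        return "intra-subnet-hairpin"
    return "asymmetric-or-stale"        # mid-stream packet for a flow the ASA never saw open

def summarize(text, ifc_nets=IFC_NETS):
    """Count denied packets per (src, dst, dport, interface, classification)."""
    counts = Counter()
    for ev in parse_106015(text):
        counts[(ev["src"], ev["dst"], int(ev["dport"]), ev["ifc"], classify(ev, ifc_nets))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        print(n, key)
```

A burst of "intra-subnet-hairpin" hits for one src/dst pair is the signature to look for before touching firewall rules, since the fix belongs on the hosts or the switch, not on the ASA.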
02-12-2010 12:47 PM
Hi,
Not sure why you're having this problem, but just a few comments:
Why do you have the following two commands on the ASA:
global (inside) 1 interface
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
Also, try the Packet Tracer utility either from ASDM or from CLI to check the path of the packets and that will let know which process on the ASA is dropping the TCP connection.
Let me know.
Federico.
02-12-2010 01:31 PM
The static command was old config from when I had some other devices on another subnet. Can't remember why I added it to be honest. As far as the global command goes, I'm not sure why I have that in there either.
So I checked the packet tracer on the ASDM and here's what I got with the static command.
packet input inside tcp 192.168.117.100 61714 192.168.117.104 3389
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
match ip inside 192.168.117.0 255.255.255.0 inside any
static translation to 192.168.117.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.117.0/0 to 192.168.117.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
match ip inside 192.168.117.0 255.255.255.0 inside any
static translation to 192.168.117.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
Static translate 192.168.117.0/0 to 192.168.117.0/0 using netmask 255.255.255.0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
match ip inside 192.168.117.0 255.255.255.0 inside any
static translation to 192.168.117.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
match ip inside 192.168.117.0 255.255.255.0 inside any
static translation to 192.168.117.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.168.117.0 192.168.117.0 netmask 255.255.255.0
match ip inside 192.168.117.0 255.255.255.0 inside any
static translation to 192.168.117.0
translate_hits = 1, untranslate_hits = 1
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1196852, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.117.104 using egress ifc inside
adjacency Active
next-hop mac address 001f.d0d1.1c0a hits 25
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
And without the static command:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.117.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (192.168.117.1 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.117.100/61714 to 192.168.117.1/1027 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (192.168.117.1 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (192.168.117.1 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
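The two traces above differ only in which NAT rule the inside-to-inside packet matches, and the second one ends at the NAT rpf-check phase with Action: drop. As an added example (not from the thread or from Cisco), here is a small Python parser that pulls the dropping phase, the config line it matched and the Drop-reason out of packet-tracer text, run on a constructed excerpt shaped like the second trace.

```python
# Constructed excerpt in the shape of the packet-tracer output posted above (the run
# without the static command), trimmed to two phases; not a real capture.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final result dict."""
    phases, current, section, result = [], None, None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line.strip() == "Result:":          # a bare "Result:" opens the final summary block
            current = None
            continue
        key, colon, value = line.partition(":")
        if current is None:                     # lines of the final summary block
            if colon:
                result[key.strip()] = value.strip()
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
        elif key == "Config" and not value:
            section = "config"
        elif key == "Additional Information" and not value:
            section = "info"
        elif section:
            current[section].append(line.strip())
    return phases, result

def first_drop(phases):
    # The first phase whose Result is DROP, or None when every phase allowed the packet.
    return next((p for p in phases if p.get("result") == "DROP"), None)

def explain(text):
    """Summarize which phase dropped the packet, the rule it matched and the ASA's reason."""
    phases, result = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": result.get("Action"),
        "dropping_phase": None if drop is None else f'{drop["type"]}/{drop.get("subtype") or "-"}',
        "matched_config": None if drop is None or not drop["config"] else drop["config"][0],
        "reason": result.get("Drop-reason"),
    }
```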
02-12-2010 01:36 PM
In the ASDM Packet Tracer I'm getting an error that says:
(sp-security-failed) Slowpath security checks failed
And the packets are dropped.
02-12-2010 01:38 PM
My question now is...
Why are you trying to reach 192.168.117.104 on port 3389 from 192.168.117.100?
I mean... both IPs are on the same subnet? That means on the same interface of the ASA.
So when traffic flows between these two addresses, those packets should not flow through the ASA.
I thought you were accessing internal servers from the outside interface of the ASA, isn't it?
Federico.
02-12-2010 01:50 PM
I'm trying to remote desktop into my server (port 3389) so I don't have to run downstairs to work on it. I'm also trying to get my other PCs on the network to be able to access file shares using \\192.168.117.104\shared.
But yea the problem is, for whatever reason, the ASA is picking up those TCP packets and dropping them. Both machines are on the inside network plugged into my gig switch so there's no reason whatsoever that the ASA should even care about them. I mentioned earlier that when I disconnect my gig switch from the ASA I can access everything perfectly fine. I have to have something in the config that's causing this to freak out.
02-12-2010 01:59 PM
Hi Jake
You mentioned " when I disconnect my gig switch from the ASA I can access everything perfectly fine"..
can you give us a schematic as how this is connected ?
Is the gig switch only on layer 2 forwarding packets to the ASA, or layer 3 ?
Do you have any layer 3 SVI on this switch ?
What is the default gateway of the PCs & servers .. make sure they are the same.. and what is the client IP address from which you are trying ?
what is the destination server IP address?
Raj
02-12-2010 02:10 PM
The switch is just layer 2. The default gateway for everything is the ASA, 192.168.117.1. I'm trying to connect from the PC (192.168.117.100) to the server (192.168.117.104). Basically no TCP or UDP packets work. I've tested TFTP, DNS, Remote desktop, file sharing, etc. All blocked by the ASA.
02-12-2010 02:16 PM
Jack..
Thanks for the info...
I'm still not sure why the traffic has to pass through ASA in this case ? Are the subnet masks the same on the client and the server ?
Can you login to the gig switch and look at the mac-address table for the server MAC ? and see if the MAC addresses are learnt on the right ports ? does the gig switch have a layer 3 SVI for management on the same network ? show arp and see if they have the right MACs ?
Thanks & Regards
Raj
02-12-2010 02:21 PM
I'm not sure why the traffic is passing through the ASA either...it's pretty weird.
The PC and server are getting their IP through DHCP so the subnet masks are correct.
The switch is unmanaged and I have no way of getting MAC info from it. I used to have the server and PC plugged directly into the ASA on different ports and had the same problem. I just recently added this switch thinking this would fix the issue but it's still here.
02-12-2010 02:30 PM
Are you able to ping the server locally, and able to see its ARP on the local PC ?
C:\Documents and Settings\>arp -a
Do you have any other lower end manageable cisco switch to test this connection ? What is the make/model of the existing gig switch ?
Raj
02-12-2010 04:21 PM
As it was mentioned... there's no reason for traffic between the PC and the server to go through the ASA
(unless the switch are sending the frames to the ASA for some reason).
I think the problem is the unmanaged switch.
You mentioned that when the PC and the Server were connected directly to different ports on the ASA you had the same problem?
If you have both PC and server connected each one to an interface on the ASA directly, they should have an IP address on different subnets.
So, I see two ways to go....
1. Replace or check the switch to see if there's a problem with it.
2. Connect both devices directly to the ASA and we check the configuration in this scenario because it should not fail (if configured correctly).
Thanks,
Federico.
02-16-2010 08:48 AM
The 5505 has 8 ports on it. One outside, on vlan 2, and the rest are all inside, on vlan 1.
Anyway, thanks for all the replies. Part of the problem was my computer not having "Netbios over TCPIP" enabled under services. As soon as I turned that on, I was able to connect to the server. With it turned off, I can't and the traffic hits the firewall and is blocked.
I also tested with my computer and the server plugged into 2 different ports on the firewall and had the same results. With Netbios over TCPIP turned off, I wasn't able to connect. I turn it on, and it works.
02-16-2010 10:04 AM
Glad you fixed it.
Please rate the thread so other people could find the solution to the same problem more easily.
Federico.