LDAP routing and DNS combination
For outgoing delivery, is it possible to combine both LDAP Routing and DNS?
i.e., to send out to abc.com, which exists in LDAP, it will be delivered using LDAP Routing, and for domains that do not exist in LDAP, use DNS instead.
TIA
If you haven't explicitly enabled it, then SMTP Routes will be used to forward on the mail.
FYI, this is for our outbound delivery (not incoming). This is what I have just tested.
domain.com is in our LDAP, and I'd like to use usedns instead of LDAP.routing. domain.com's MX records should be somewhere on the internet.
LDAP query test results:
Query: LDAP.routing
Address: [email protected]
Action: reroute
Reroute to recipients: - (host: servers.cbn.net.id)
In smtproutes:
domain.com: usedns
In mail_logs:
Wed Nov 7 18:57:44 2007 Info: LDAP: Reroute query LDAP.routing MID 429897525 RID 0 address [email protected] to [('[email protected]', 'servers.cbn.net.id')]
Wed Nov 7 18:57:44 2007 Info: LDAP: Mailhost query LDAP.routing address [email protected] to servers.cbn.net.id
Wed Nov 7 18:57:44 2007 Info: MID 429897526 ICID 0 RID 0 To:
Although I have already specified usedns, the message is still delivered using LDAP.routing.
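A check for the situation described in this thread, added here as an example and not part of the original post or of the product: it parses mail_logs "LDAP: Reroute query" lines in the shape quoted above together with an smtproutes table, and lists messages whose recipient domain had an explicit SMTP route (such as usedns) but was nonetheless routed by the LDAP query. The log lines, addresses and routes are constructed samples with placeholder values.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the mail_logs entries quoted in the
# thread; addresses and hosts are placeholders, not values from a real system.
SAMPLE_MAIL_LOG = """\
Wed Nov 7 18:57:44 2007 Info: LDAP: Reroute query LDAP.routing MID 429897525 RID 0 address user@domain.com to [('user@domain.com', 'servers.cbn.net.id')]
Wed Nov 7 18:57:44 2007 Info: LDAP: Mailhost query LDAP.routing address user@domain.com to servers.cbn.net.id
Wed Nov 7 18:57:44 2007 Info: MID 429897526 ICID 0 RID 0 To: <user@domain.com>
Wed Nov 7 18:58:01 2007 Info: LDAP: Reroute query LDAP.routing MID 429897530 RID 0 address bob@other.example to [('bob@other.example', 'mx.other.example')]
"""

# Constructed smtproutes table in the "domain: destination" shape shown in the thread.
SAMPLE_SMTPROUTES = """\
domain.com: usedns
other.example: mx.other.example
"""

REROUTE_RE = re.compile(
    r"LDAP: Reroute query (?P<query>\S+) MID (?P<mid>\d+) RID \d+ "
    r"address (?P<addr>\S+) to \[(?P<targets>.*)\]"
)
TARGET_RE = re.compile(r"\('(?P<rcpt>[^']*)', '(?P<host>[^']*)'\)")


@dataclass
class Reroute:
    mid: int
    query: str
    address: str
    hosts: tuple  # delivery hosts returned by the LDAP routing query


def parse_smtproutes(text):
    """Map each routed domain to its destination (lower-cased), e.g. 'usedns'."""
    routes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, dest = line.partition(":")
        routes[domain.strip().lower()] = dest.strip().lower()
    return routes


def parse_reroutes(log_text):
    """Extract every 'LDAP: Reroute query' event from mail_logs text."""
    found = []
    for line in log_text.splitlines():
        m = REROUTE_RE.search(line)
        if not m:
            continue
        hosts = tuple(t.group("host") for t in TARGET_RE.finditer(m.group("targets")))
        found.append(Reroute(int(m.group("mid")), m.group("query"), m.group("addr"), hosts))
    return found


def find_overrides(log_text, smtproutes_text):
    """Return (mid, domain, ldap_host, smtp_route) for each LDAP reroute whose
    recipient domain has an explicit smtproutes entry that the LDAP result
    bypassed: any 'usedns' route, or a named host that differs from the LDAP
    answer. Domains without an SMTP route are not reported."""
    routes = parse_smtproutes(smtproutes_text)
    hits = []
    for r in parse_reroutes(log_text):
        domain = r.address.rsplit("@", 1)[-1].lower()
        dest = routes.get(domain)
        if dest is None:
            continue
        for host in r.hosts:
            if dest == "usedns" or host.lower() != dest:
                hits.append((r.mid, domain, host, dest))
    return hits


if __name__ == "__main__":
    for mid, domain, host, dest in find_overrides(SAMPLE_MAIL_LOG, SAMPLE_SMTPROUTES):
        print(f"MID {mid}: {domain} has smtproute '{dest}' but LDAP routed it to {host}")
```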
Similar Messages
-
ITouch loses router and DNS addresses?
I have had my iTouch for about a week and it connected to my wireless network for the first three days flawlessly. Since that time, it will only connect sporadically and I have noticed that when it doesn't connect, it is because the router and DNS addresses have disappeared in the wireless window in Settings. I can get them back occasionally by renewing lease in this window, but more often than not, renewing lease does not reestablish these addresses.
I reset the iTouch through itunes, but this did not solve the problem.
Additional information. The iTouch has the full signal (maximum number of bars). I am using an airport extreme as my base station. I have three macs that I connect to the wireless network through the base station. I have a few airport expresses that are connected to audio equipment or video game units. All of these continue to work well and have no problem connecting to the wireless network.
Your help/thoughts would be most appreciated.
Message was edited by: tritium11
Is your router broadcasting its SSID? If not, try enabling that, because the Touch often has a hard time remembering a network if it is hidden. Hiding your SSID is very minimal security, so there's really no point in hiding it.
-
Personal hotspot not getting router and DNS configured
My provider for cellular is "bob" (A1) in Austria.
I want to make my iPad to provide network access via cellular as a personal hotspot.
The network is broadcasted and I can see it at any other device when activating Wi-Fi.
When I connect it times out, the iPad does not provide DNS and router address to the client.
I have also an iPhone5 with the provider "drei" - it works without problem to activate and use the "personal hotspot" provided by the iPhone.
I contacted "bob" - they say there is nothing the provider can do about personal hotspot, it should work, I shall contact Apple support.
Any other experience/advice?
Update: I have found that if I connect my iPhone via USB and share the personal hotspot via USB, it works fine. But if I try to share it over Wi-Fi, it maybe lasts 5 minutes, then the blue status bar at the top of the iPhone flashes on and off and the internet isn't shared.
I have restored my iPhone and updated it to 5.1.1, but still get the same!
Can anyone suggest anything? Please help
Thanks
Paul -
E3200 router and DNS issue with RR
OK so I have purchased the E3200 router to use with my Road Runner internet. Everything works great all day until about 6pm. Then I start getting DNS issues, and my modem disconnects for about a minute, then it comes back. I've cloned my MAC address on the router, and I also went to OpenDNS and changed that on the router hoping that would work, but no luck; today I got disconnected again at 6pm. Any thought on why I'm getting disconnected around the same time every day? My thought is that it's the modem directly, but any and all help would be wonderful. Thanks all.
If your modem disconnects, it's not a problem with the router. Check with your ISP. Probably the modem crashes and reboots...
-
Routing and DNS processes stop - IOS 15.1(4)M9
Hi all,
I have an 1841 router acting as an ADSL gateway. It has maxed-out RAM and an HWIC-1ADSL module installed.
Some time after the upgrade from IOS 15.1(4)M6 to IOS 15.1(4)M9 the router started to behave somewhat strangely. Every 3-5 days the routing process stops, that is, if I do "sh run" I get "no ip routing" in the configuration, which wasn't there before. It appears that the config was not edited by anyone either. On top of that, the router stops resolving DNS. A simple reboot fixes the DNS issue.
I get the following in the logs (sh log):
003801: Jan 2 05:39:13.569 AEST: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (1/0),process = DNS Server.
-Traceback= 0x63BB1550z 0x63BB1BF8z 0x610C92F8z 0x610C935Cz 0x610CA4FCz 0x61306CC8z 0x61306DD0z 0x61309AD8z 0x6130B11Cz 0x62C873F4z 0x62C873D8z
003802: Jan 2 07:59:53.603 AEST: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (1/1),process = DNS Server.
-Traceback= 0x63BC658Cz 0x63BB1530z 0x63BB1BF8z 0x610C92F8z 0x610C93B4z 0x610CA4FCz 0x61306E10z 0x61309AD8z 0x6130B11Cz 0x62C873F4z 0x62C873D8z
Has anybody experienced something like this?
Is this a 15.1(4)M9 issue?
Hi Alex,
Based on the above logs, a spurious access is an attempt by Cisco IOS software to access memory in a restricted location. An example of system log output for a spurious access is shown below.
000059: Jan 3 12:27:36.189 AEST: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x631586D4z reading 0x1C
000060: Jan 3 12:27:36.189 AEST: %ALIGN-3-TRACE: -Traceback= 0x631586D4z 0x631768E8z 0x63176998z 0x63177590z 0x631C2438z 0x631C2658z 0x62FE3ED0z 0x62FE4258z
Cause
A spurious access occurs when a process attempts to read from the lowest 16 KB region of memory. This portion of memory is reserved and should never be accessed. A read operation to this region of memory is usually caused when a nonexisting value is returned to a function in the software, or in other words, when a null pointer is passed to a function.
Cisco IOS Software Handling
Depending on the platform, Cisco IOS software handles spurious accesses differently. On platforms where this is possible, the Cisco IOS software code handles these invalid accesses by returning a value of zero and recording the event. If this is not supported on the platform, then the router will crash with a SegV error. Since any spurious access is inappropriate, spurious accesses always point to a bug.
You may also want to have a look at below document.
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-120-mainline/15103-spuraccess.html
In my opinion I think you are hitting a bug here.
HTH,
Nikhil -
Time Capsule as DHCP Router and DNS server for larger network - too taxing?
Ok, let me say first that I'm no networking expert, but I have tried to learn a decent amount over the years. I haven't quite gotten to the level of combing router event logs, though I intend to do that as my next step. My question here, though, is whether my overall network strategy is flawed.
My setup at home is one that may be a bit more extensive than most users have:
Cable modem -> Time Capsule -> Multiple gigabit switches (business grade) -> Wired Cat5e throughout the house and 2 Airport Extremes. I don't know how many total wired and wireless clients I have, but it may be between 30 and 40 (only a few are computers with the rest being game systems, networked DVRs, audio streamers, NAS, etc)
At the moment, the Time Capsule only backs up one machine - a MBP (I have external HDDs connected directly to the desktops). I don't use the TC's HDD for anything else. Also, I have the network configured so that the TC handles DHCP addressing and NAT. The Airport Extremes are in bridge mode.
For the most part, everything works very well. Internet speeds are good, audio streaming works well, no problems with TC backups, etc. The only issue I've run into is dropouts when streaming video content on the network from one device to another (not from the internet). Basically, the stream will pause and then an error will pop up on screen saying that there was a network problem. Now, I know that the specific devices themselves may have issues of their own, but since it's happened on more than one system, I'm wondering if there is a common network culprit - expecting the Time Capsule to handle its duties, especially while it is doing a backup.
Here are a few thoughts I have:
1 - From a technical standpoint, I don't know if all client to client network traffic goes through the TC. I was thinking that communication could happen between devices on the same switch without having to go up to the TC and then back down, but maybe I'm wrong. If I am wrong, that certainly is a bottleneck right there. I'm not segregating the video streamers to their own subnet on a new router to isolate the traffic. I'm also not sure if the bottleneck is impacted by static vs dynamic IP addressing. IOW, I don't know if setting the devices up with static IPs would change the flow of traffic to not have to go through the TC (just flow across the switch) or not.
2 - Long ago in a different network setup, I had allowed the wireless access points to assign IPs. However, I found that doing so sometimes created problems accessing some of those devices from a computer or device on a different subnet. As such, I switched over to having the router connected to the modem do all the IP addressing. Maybe this is a bad idea given the temporary nature that some devices will hop on and off the network.
3 - Additionally, in the interests of getting better wireless coverage over the whole house, I switched to using 2 airport extremes configured to use the same SSID (so that devices moving around the house wouldn't need to specifically change networks in order to get better signal). I guess I could let one of those 2 handle IP addressing while the other is in bridge mode (pointing to the primary Extreme vs the TC).
4 - Kind of getting back to the TC as the bottleneck, maybe it shouldn't handle network wide DHCP and NAT duties. If TC backups take network priority, such that other kinds of traffic could hiccup, then I probably need to rethink where the TC should exist in the network. Or, maybe it would be enough to just have the stream sensitive components be on their own subnet.
I know there are potentially multiple flaws in my current strategy, so any suggestions or attempts at correcting my assumptions would be helpful.
Thanks!
Jeff
Message was edited by: Rgbyhkr
Welcome to the discussions!
1 - Everything goes through the router when it is setup to handle DHCP and NAT
2 - You want your main router, the TC, to handle all DHCP and NAT functions. It will handle up to 250+ connections, so 30-40 devices won't be much of a challenge
3 - Keep both AirPort Extremes in bridge mode to allow the TC to handle the things in #2 above. If you setup an Airport Extreme to give out IP addresses, you'll create a Double NAT issue on your network...which can slow down communications between devices...the thing you are trying to avoid. If you use Xbox live or other interactive services, the online features will not function with a Double NAT on your network.
4 - You want the TC to handle all DHCP and NAT functions as in #2. I assume that you have no single run of CAT5e more than 300 feet.
5 - If you want to create separate sub nets correctly (the AirPorts won't allow you to do this as they are designed for basic home networking), you'll need to look at routers for professional and commercial use, like Cisco.
With as many devices as you have, you may be running out of bandwidth at times. If you only notice the issue during Time Machine backups, and you don't need to backup each hour, take a look at Time Machine Editor to setup backups whenever you like, maybe once a day at 2 AM when things on the network are quiet.
My suggestions are of course opinions. Hopefully you'll receive some other possibly differing views. -
I am new to LDAP and I believe I have everything setup correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I can not access the LDAP server from a client machine using Directory Access. I suspect that client machines still can not "see" my LDAP server.
I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.
The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
"An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
For instructions on setting up DNS service, browse Network Services Overview."
-- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
Message was edited by: Grant Bennet-Alder -
I have DHCPand DNS services in a router and I want to install domain controller
Hello
I have a SonicWall router managing the DHCP and DNS services for my network and want to keep it doing this.
I have a computer running Windows Server 2012 Standard and installed Active Directory along with DNS. I also went to the DNS manager of this server and forwarded the DNS addresses of my router. For some reason I'm not able to join a client computer to the DC.
I got this error:
An Active directory domain controller (AD DC) for the domain "mydomain.ca" could not be contacted.
Is it possible to configure active directory using the DNS and DHCP services of my router? or Am I doing something wrong?
Can somebody helping me with this matter?
Thanks.
Hello,
if the DNS server on your router is able to provide all required zones, SRV records and options that the DCs require there is no problem using 3rd party DNS servers.
But I would recommend that you use the DC as DNS server also and just run the installation during the promotion process.
All clients MUST use the domain internal DNS servers on the NIC NONE else otherwise you will run into trouble. Internet access will be done via the FORWARDERS on the DNS server properties in the DNS management console on the Windows Server.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
The best router / network set up for wireless and wired combined use
Shout out to all wireless experts...
In my home, I have an iBook G4 I would like to 1) link with a wireless capable Brother MFC printer, while simultaneously maintaining the wired connectivity of the iMac already USB connected to same; plus 2) utilize the Internet wirelessly (via the iBook) without adversely affecting the iMac's wired functionality. Make sense?
I have the preinstalled / bundled AirPort Extreme (404.2) and Bluetooth (1.7.5) software, and imagine this is doable, but I wonder...Which router, and specifically, how to (step by step) do this best without incurring unnecessary bells, whistles or expense?
I've heard / read about the Belkin F5D8230-4 (mixed opinions), earlier Belkins, plus was advised that any 802.11 b/g was sufficient, but continue to be uncertain as to which way to go...help...
* I neglected to mention (newbie error) that I use (yes, it's tragic) dial-up service...
Does that additional fact change things in terms of the recommendations made?
If so, were I to 'upgrade,' which method (cable, DSL, etc.) is the most efficient, yet least costly?
iBook G4 (1.4 GHz / 1.5 GB) Mac OS X (10.4.7) iMac (9.2); Performa 631CD (Ancient 7.5); MacPlus (Primordial Ooze OS) -
Why doesn't LDAP Priority and Weight change entry in the DNS?
We have two Windows 2008 servers that are Active Directory Domain Controllers. They seem to be configured properly, and are talking to each other.
I want one of the domain controllers to authenticate all of the logins because it's a more powerful box. I want the second DC to take over if the first goes down.
I went into the Registry on the old machine, and created two 32 bit Dword registry keys as follows:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
LdapSrvPriority
and
LdapSrvWeight.
Set these to 5 and 150. Assumed the default on the faster server was 0 and 100, thus making the newer server the default choice for logon authentication.
Rebooted server. Checked DNS, and it still is reporting 0 100 for both servers, and doing an
echo %LOGONSERVER% on various workstations seems to show that authentication is roundrobining between both servers.
Why aren't these settings sticking? And why weren't they in the registry when I started?
Thanks
Hi,
I tested and DNS record changed as expected.
So please make sure DC you changed point to the DNS that you check. Because there will be some delay before records replicated to another DNS.
You can also check timestamp of the record if it is the latest change.
You can trigger a DNS registration manually:
How To Reregister SRV records of a Domain Controller In DNS Zone
http://support.microsoft.com/kb/556002
Hope this helps. -
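An added example, not part of either post: it models how a domain member orders the _ldap._tcp SRV records per RFC 2782, using the values from the thread (assumed defaults of priority 0 / weight 100 on the faster DC, and LdapSrvPriority=5 / LdapSrvWeight=150 on the older one). It shows why the lower priority value wins every time and weight only matters between records that share a priority, so with equal records the choice round-robins. Host names are placeholders.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as a DC registers it (hypothetical names)."""
    target: str
    priority: int
    weight: int
    port: int = 389


# Constructed records for the two DCs in the thread. BEFORE is the assumed
# Netlogon default on both (priority 0, weight 100); AFTER reflects the
# registry change on the older DC (LdapSrvPriority=5, LdapSrvWeight=150).
BEFORE = (
    SrvRecord("dc-fast.mydomain.example", 0, 100),
    SrvRecord("dc-old.mydomain.example", 0, 100),
)
AFTER = (
    SrvRecord("dc-fast.mydomain.example", 0, 100),
    SrvRecord("dc-old.mydomain.example", 5, 150),
)


def order_srv(records, rng=None):
    """Order records the way an RFC 2782 client does: lowest priority value
    first; within one priority, weighted random selection. A record with a
    higher priority number is only tried when every lower-priority target
    has been exhausted, which is the 'take over if the first goes down' case."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = pool[0]  # all weights zero: no preference
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r.weight
                    if pick < running:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def preferred_dc(records, rng=None):
    """Target a client contacts first for this lookup."""
    return order_srv(records, rng)[0].target


def selection_counts(records, trials=1000, seed=1):
    """How often each DC comes out first over many lookups (seeded, so the
    distribution is reproducible)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = preferred_dc(records, rng)
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print("equal records (default):", selection_counts(BEFORE))
    print("after registry change:  ", selection_counts(AFTER))
```

If the DNS zone still shows 0 100 for both hosts, the client never sees the new values; check the SRV records the clients actually resolve before concluding the registry change failed.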
Configuring Solaris 8 Sparc w/router and cable modem
I recently purchased a Sun Ultra 10 with Solaris 7 pre-installed. I decided to immediately upgrade to Solaris 8. The operating system has installed properly so far.
However, I'm at the point now where I am entering information to allow Solaris to connect to my network and thus the Internet, and the combinations I have tried don't work.
I use a cable modem service with a Netgear RT314 four-port router. It functions in a standard way - the cable modem is 192.168.0.1 and shows up on my WinXP PC (in ipconfig /all) as the DNS server and gateway server. On the PC, for "Connection-specific DNS suffix", I see nc.rr.com (my ISP).
Solaris 8 wants to know my domain name, as well as my DNS server. I don't know what domain name to give it. I have tried nc.rr.com, but when I enter that plus 192.168.0.1 as the DNS server, I end up receiving this message: "Unable to find an entry for dchppc3 with the specified DNS configuration."
I have been afraid to move beyond this point, although it's possible that it will work properly and just isn't receiving the confirmation it expects.
Any suggestions would be welcome, either in this forum or emailed to me. My address is [email protected]
Thanks.
I decided to plow ahead with the installation. It works properly within my local network - I can ping DHCP addresses and view Web files from my local server using 192.168.0.3 (that machine's DHCP address). However, it can't get to the Internet. So my problem now is that I can see the router, but can't see the Internet services that the router provides to the other computers on my network. Presumably, I need to alter my DNS settings ... however, on my PCs, I seem to simply use the router (192.168.0.1) as the DNS, and it properly passes the request along to my cable modem provider. Why would this work for the PCs but not for Solaris 8? Thanks -
Hello,
We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain. Nearly all works, we can share folder permissions etc but what we can't do on their domain is add a PC on their network that is part of our domain.
The error is:
It can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local, it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local, like this:
DC1
----->Forward Lookup Zones
-------->_Msdcs.ukdomain.local
-------->ukdomain.local
I thought it should look like this:
DC1
----->Forward Lookup Zones
------->ukdomain.local
--------->_Msdcs
Thanks
If you are on their network, can you ping their domain?
If not then you have a DNS, routing, or firewall issue.
Are ports being blocked? For DNS, add a conditional forwarder to point to DNS for the other Domain and do the same on the other side, this will work better in 2008 as it's replicated to the forest.
Testing Domain Controller Connectivity Using PORTQRY
Protocol and Port | AD and AD DS Usage | Type of traffic
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
If it answered your question, remember to “Mark as Answer”.
If you found this post helpful, please “Vote as Helpful”.
Postings are provided “AS IS” with no warranties, and confers no rights.
Active Directory: Ultimate Reading Collection
Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
Kelly Bush
It appears that you've copied and posted the chart, with some editing,
from my blog, link posted below. No problem, as long as it helps the poster. :-)
Active Directory Firewall Ports – Let’s Try To Make This Simple
http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
Also, I would like to add that for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
Here's the matrix:
Ephemeral Ports:
And most of all, the ephemeral ports, also known as the "service response ports," are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the 'client' may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what 'ephemeral' means.
TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports
TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports
TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM
If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
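A reachability check over the fixed TCP ports from the table in this thread, added here as an example and not part of either post or of PortQry: run from a domain member, it reports which of the DC's required services the client cannot connect to, which is the first thing to establish when a machine "could not contact" its domain controller. The DC name is a placeholder; UDP-only ports and the dynamic RPC ranges discussed in the reply need other tooling and are not probed here.

```python
import socket
from collections import namedtuple

PortCheck = namedtuple("PortCheck", "proto port service")

# Fixed TCP ports from the table above. UDP-only services (88/53 over UDP,
# 123, 137, 138) and the dynamic RPC range are not checked by a TCP connect.
REQUIRED_TCP = [
    PortCheck("tcp", 389, "LDAP"),
    PortCheck("tcp", 636, "LDAP SSL"),
    PortCheck("tcp", 3268, "LDAP GC"),
    PortCheck("tcp", 3269, "LDAP GC SSL"),
    PortCheck("tcp", 88, "Kerberos"),
    PortCheck("tcp", 53, "DNS"),
    PortCheck("tcp", 445, "SMB"),
    PortCheck("tcp", 135, "RPC endpoint mapper"),
    PortCheck("tcp", 464, "Kerberos change/set password"),
    PortCheck("tcp", 139, "NetBIOS session service"),
    PortCheck("tcp", 9389, "AD DS Web Services"),
]


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, checks=REQUIRED_TCP, timeout=2.0, probe=check_tcp):
    """Return {service: reachable} for each fixed TCP port a domain member
    needs to reach on the DC. 'probe' is injectable for testing."""
    return {c.service: probe(host, c.port, timeout) for c in checks}


def blocked_services(results):
    """Sorted list of services whose port could not be reached."""
    return sorted(svc for svc, ok in results.items() if not ok)


def open_local_listener():
    """Helper for a self-test: a loopback listener on an ephemeral port.
    Returns (socket, port); the caller closes the socket."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Placeholder DC name; pass the real DC as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.mydomain.example"
    results = check_dc(dc)
    for svc, ok in results.items():
        print(f"{'ok     ' if ok else 'BLOCKED'} {svc}")
    print("blocked:", blocked_services(results) or "none")
```

A blocked LDAP (389) or Kerberos (88) result explains a failed domain join directly; if the fixed ports are all open but joins still fail, look at DNS SRV resolution and the ephemeral range next.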
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs, please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site.
[SOLVED] Problem with Iptables and DNS-resolving
So I'm changing my iptables default policy from ALLOW to DROP, and am tightening up the rules too.
However, I'm having troubles with allowing DNS-queries, while keeping things as locked down as possible.
/etc/resolv.conf
domain home
nameserver 192.168.1.1
Relevant rules:
# Allow HTTP
$CMD -A OUTPUT -o wlan0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$CMD -A INPUT -i wlan0 -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow HTTPS
$CMD -A OUTPUT -o wlan0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$CMD -A INPUT -i wlan0 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# DNS-related rules
$CMD -A INPUT -i wlan0 -s 192.168.1.1 -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$CMD -A INPUT -i wlan0 -s 192.168.1.1 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
What am I missing here?
Last edited by graph (2012-03-20 18:36:23)
Gcool wrote: I'm assuming you just want to allow that box to surf the net?
Yepyep. Sorry for not mentioning that.
192.168.1.1 is my router, and when I'm disabling the firewall, everything is working perfectly. This is with 192.168.1.1 as nameserver in /etc/resolv.conf.
I tried changing my rules to your rules, but I still can't get it to work.
The following is the output while I'm connecting to www.xkcd.com using elinks:
Output of tcpdump -n '(port 80 or 443 or 53)'
without iptables running: pastebin.com
with iptables running: pastebin.com
It seems to me that DNS is working properly, and that iptables is blocking port 80, right?
Last edited by graph (2012-03-20 08:20:44)
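The tcpdump observation in this thread fits the posted rules. A reply to an outbound HTTP connection arrives with source port 80 and an ephemeral destination port, so an INPUT rule that matches `--dport 80` with state ESTABLISHED never sees it, whereas the DNS INPUT rules correctly match `--sport 53` and therefore work. The script below is an added example, not the poster's script or Gcool's rules; it assumes the same `wlan0` interface and `192.168.1.1` resolver as the post, and accepts all return traffic on INPUT by connection state instead of by port. It prints the commands by default (dry run); set `IPTABLES=iptables` and run it as root to apply.

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal stateful client ruleset
# with a DROP default policy that still allows DNS and outbound web browsing.
# Dry run by default: the commands are printed. To apply, run as root with
#   IPTABLES=iptables sh firewall.sh
IPTABLES="${IPTABLES:-echo iptables}"
WAN="${WAN:-wlan0}"                 # interface name assumed from the post
RESOLVER="${RESOLVER:-192.168.1.1}" # nameserver from the post's /etc/resolv.conf

apply_rules() {
    # Default deny in all directions.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback: local resolvers, caches and many daemons depend on it.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # All replies to connections we opened, in one rule. A reply to a packet
    # sent to port 53 (or 80/443) comes back with that number as its *source*
    # port and an ephemeral destination port, so an INPUT rule on --dport 80
    # never matches it; conntrack state covers TCP, UDP and ICMP alike.
    $IPTABLES -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS only to the configured resolver. TCP is needed when a UDP answer
    # is truncated and the resolver retries over TCP.
    $IPTABLES -A OUTPUT -o "$WAN" -d "$RESOLVER" -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN" -d "$RESOLVER" -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Outbound web.
    for port in 80 443; do
        $IPTABLES -A OUTPUT -o "$WAN" -p tcp --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    done

    # Log (rate-limited) whatever falls through, so a blocked service shows up
    # in the kernel log instead of silently timing out.
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

apply_rules
```

With a DROP default and the two LOG rules at the end, a service that stops working after the policy change leaves a `fw-out-drop:` line in `dmesg` naming the destination and port, which is quicker than comparing tcpdump captures with and without the firewall.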
Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server
Summary:
After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to (ping, SSH, …) the gateway only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly with VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan indicates that port 53 is open, but a dig returns a timeout.
Configuration:
Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
-> 1 controller, which act as a gateway for the cluster private network, with the following services activated:
DHCP, DNS, firewall (allowing all incoming traffic for each groups for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
en0: fixed public IP address -> controller.example.com
en1: 192.168.1.254 -> controller.cluster
-> 18 agents with AFP and Xgrid agent activated:
en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
Detailed problem description:
After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
Configure IPv4: Using PPP
IPv4 address: 192.168.1.201
Subnet Mask:
Router: 192.168.1.254
DNS: 192.168.1.254
Search domain: cluster
From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
The DNS server returns timeouts when I try to do a dig from my VPN client, even though I am able to access it directly from a computer inside or outside my private network.
After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
Then I can still establish a VPN (L2TP) connection, but the client receives the following information:
Configure IPv4: Using PPP
IPv4 address: 192.168.1.202
Subnet Mask:
Router: (Public IP address of my VPN server)
DNS: 192.168.1.254
Search domain: cluster
From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18), but when I ping my gateway (192.168.1.254), it returns timeouts.
I have two "lazy" solutions to this problem: 1) configure the VPN and DNS servers on two different Xserves, 2) put the public IP address of my gateway as the DNS server address, but neither of these solutions is acceptable for me…
Any help is welcome!!!
I would suggest taking a look at:
server admin:vpn:settings:client information:network route definitions.
as I understand your setup it should be something like
192.168.1.0 255.255.255.0 private.
at least as a start. I just got done troubleshooting a similar issue but via two subnets:
http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0