WRT310N Problem with subnets
Hi all,
Well, in my office we just bought 3 new WRT310N routers, so we have all the new laptops connected to the LAN and the Internet.
The problem is:
We have the network 192.168.0.0/24
the routers have the network 192.168.1.0/24
So I did the setup of 1 router and I have access to the Internet. I can ping any host in 192.168.0.0, but I can't see the shared folders, the databases on FileMaker or MS SQL Server, can't see the printers, etc., etc., etc.
So I think the problem is with routing, because when I hit "show routing table" I get:
Destination LAN IP Subnet Mask Gateway Interface
192.168.1.0 255.255.255.0 0.0.0.0 LAN & Wireless
192.168.0.0 255.255.255.0 0.0.0.0 Internet (WAN)
0.0.0.0 0.0.0.0 192.168.0.1 Internet (WAN)
So my 192.168.1.0/24 hosts that are on wireless or LAN don't have access to the 192.168.0.0/24 net (or at least I think so).
OK, I tried to add a static route this way:
Destination LAN IP: 192.168.0.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1 (router IP)
Interface: LAN&Wireless
and I get: "Invalid Static Route"
Please, if someone can give me a hand on how to get this thing working, I'd really appreciate it.
Thanks
cya
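As an added example (not from the original post), here is a small Python model of the routing table quoted above: a longest-prefix lookup, a classification of which side of the router's NAT a flow crosses, and generic sanity checks on the static route that was rejected. The addresses are the post's; the check rules are general ones, not the WRT310N firmware's own validation, which the post does not describe.

```python
"""Added example: what the WRT310N routing table above implies for traffic.

Models the three routes from "show routing table", does a longest-prefix
lookup, classifies a flow by which side of the router's NAT it crosses, and
runs generic sanity checks on the static route the poster tried to add.
Addresses come from the post; the check rules are generic, not the
firmware's own validation logic (which the post does not describe).
"""
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Routing table exactly as printed on the router's page.
# A gateway of None means the destination is directly connected (on-link).
ROUTES = [
    (IPNet("192.168.1.0/24"), None, "LAN & Wireless"),
    (IPNet("192.168.0.0/24"), None, "Internet (WAN)"),
    (IPNet("0.0.0.0/0"), IPAddr("192.168.0.1"), "Internet (WAN)"),
]
# The router's own LAN address, given in the post as the gateway it tried.
ROUTER_ADDRS = {IPAddr("192.168.1.1")}


def lookup(dst):
    """Longest-prefix match. Returns (network, gateway, interface) or None."""
    dst = IPAddr(dst)
    matches = [r for r in ROUTES if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def classify_flow(src, dst):
    """Say which side of the NAT a new connection from src to dst crosses.

    The WRT310N is a NAT router: connections started on the LAN side that
    leave via the WAN interface are translated and work; connections started
    from the WAN side toward a LAN host have no translation entry and are
    dropped unless a port forward exists. Link-local broadcast (NetBIOS name
    queries, printer discovery) is not routed in either direction, which is
    why ping works while network-browsing style discovery does not.
    """
    src_iface = lookup(src)[2]
    dst_iface = lookup(dst)[2]
    if src_iface == dst_iface:
        return "same segment: direct delivery, broadcast discovery works"
    if src_iface == "LAN & Wireless":
        return "LAN -> WAN: NATed, works for client-initiated traffic"
    return "WAN -> LAN: no NAT entry, dropped unless port-forwarded"


def static_route_problems(dest, mask, gateway, interface):
    """Generic sanity checks on a static route; returns the list of reasons.

    These are the usual reasons a consumer router refuses a route. The post
    does not say which of them the WRT310N's "Invalid Static Route" means.
    """
    net = IPNet(f"{dest}/{mask}")
    gw = IPAddr(gateway)
    connected = {r[0]: r[2] for r in ROUTES if r[1] is None}
    problems = []
    if net in connected:
        problems.append(f"{net} is already directly connected on {connected[net]}")
    if gw in ROUTER_ADDRS:
        problems.append(f"gateway {gw} is the router's own address")
    if not any(gw in n for n, iface in connected.items() if iface == interface):
        problems.append(f"gateway {gw} is not on a subnet attached to {interface}")
    return problems


if __name__ == "__main__":
    # A laptop on the WRT310N LAN reaching an office host, and the reverse.
    print(classify_flow("192.168.1.20", "192.168.0.10"))
    print(classify_flow("192.168.0.10", "192.168.1.20"))
    # The static route from the post: 192.168.0.0/24 via 192.168.1.1 on LAN.
    for reason in static_route_problems("192.168.0.0", "255.255.255.0",
                                        "192.168.1.1", "LAN & Wireless"):
        print("static route problem:", reason)
```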
Hi,
I think I solved the problem this way:
I updated the firmware to Version 1.0.06
I assigned the Internet port to DHCP (so no cable or connection goes into this port),
then I changed the IP address of the router to 192.168.0.x,
then I did all the config for my wireless and security (actually all 3 routers will be used as APs and all are connected to one of my two 3Com switches through their LAN ports).
And now I no longer need to create a route for my LAN because I have Internet and LAN services.
I think with that now I'm fine
Cheers
Message Edited by Ivanoz on 12-15-2008 04:05 AM
Message Edited by Ivanoz on 12-15-2008 04:24 AM
Similar Messages
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x IPs.
It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly, except sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection works fine as long as “we open all phase 2 manually”. After the tunnel re-opens (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after a ping from 172.27.99.x to any IP in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
On 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.
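As an added example (not part of the thread), a short Python check that parses the "sh vpn-sessiondb detail l2l" output quoted above and compares the child SAs it lists against the SITE_2 crypto ACL, returning the local/remote pairs that have no IPsec SA. The ASA negotiates one child SA per ACE pair only when traffic for it first arrives, so an absent pair is only a fault once traffic for it has been sent, which is the poster's case for 172.22.x to 172.27.99.x. The sample text is trimmed from the poster's first capture and ACL.

```python
"""Added example: compare the child SAs in "show vpn-sessiondb detail l2l"
against the crypto ACL and list the ACE pairs that have no IPsec SA.

The ASA builds one child SA per matching ACE pair, on demand, when
interesting traffic first arrives. An absent pair is therefore only a
fault after traffic for it has been sent, which is the poster's situation
for 172.22.x -> 172.27.99.x. Sample text is trimmed from the poster's
first capture (three tunnels) and the SITE_2 crypto ACL.
"""
import ipaddress
import re

CRYPTO_ACL = """\
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""

# Trimmed from the poster's first "sh vpn-sessiondb detail l2l" capture.
SESSION_DB = """\
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
"""

# "permit ip <src> <srcmask> <dst> <dstmask>" inside an extended ACE.
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
# "Local Addr : a.b.c.d/mask/proto/port" and the matching Remote Addr line.
ADDR_RE = re.compile(r"^(Local|Remote) Addr\s*:\s*([^/\s]+)/([^/\s]+)/", re.M)


def net(addr, mask):
    """Build a network from dotted address and dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def expected_pairs(acl_text):
    """(local, remote) network pairs, one per permit ACE of the crypto ACL."""
    pairs = set()
    for line in acl_text.splitlines():
        m = ACE_RE.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.add((net(src, smask), net(dst, dmask)))
    return pairs


def active_pairs(session_text):
    """(local, remote) network pairs for every child SA in the session output."""
    pairs = set()
    local = None
    for side, addr, mask in ADDR_RE.findall(session_text):
        if side == "Local":
            local = net(addr, mask)
        elif local is not None:
            pairs.add((local, net(addr, mask)))
            local = None
    return pairs


def missing_child_sas(acl_text, session_text):
    """ACE pairs with no child SA, sorted so the output is stable."""
    missing = expected_pairs(acl_text) - active_pairs(session_text)
    return sorted(missing, key=lambda p: (str(p[0]), str(p[1])))


if __name__ == "__main__":
    for local, remote in missing_child_sas(CRYPTO_ACL, SESSION_DB):
        print(f"no child SA yet for {local} -> {remote}")
```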
Problem With PXE Across Subnets
I'm having a problem with PXE across subnets. The workstation boots,
finds the dhcp server, finds the tftp server, downloads linux.1 and
linux.2 with no problem. It is unable to download linux3.tgz, however.
I've tried two different zen servers. I can tftp the file from either
zen server in windows with no problem. I can tftp it from maintenance
mode if I use a workstation as a tftp server. I can tftp it in PXE on
the same subnet with no problems.
A packet trace on the workstation shows that it gets so far into the
download and then begins getting ICMP 'destination unreachable' packets
from the server with the 'port unreachable' flag set.
It sounds as if the server is closing the conversation on that port.
Can anyone shed any light on this for me?
Dave Thomas
Rivercrest Technologies, Inc.
Could you send me that trace? I would like to have a quick look.
Ron
[email protected]
<[email protected]> wrote in message
news:iNOie.234$[email protected]..
> The source address is the zen server. I'm relatively certain there is
> no routing issue because I can tftp the file from windows with no issues
> etc. Also there are a lot of other services crossing the subnets that
> would fail if there is a routing issue.
>
> The 'port unreachable' flag seems to indicate that the zen server has
> stopped listening on the port that is being used for the transfer.
>
> Dave Thomas
>
> > Where do these ICMP "destination unreachable" come from? could there be a
> > routing issue to get to the imaging server?
> >
> > Ron
> >
> > <[email protected]> wrote in message
> > news:[email protected] oups.com...
> > > I'm having a problem with PXE across subnets. The workstation boots,
> > > finds the dhcp server, finds the tftp server, downloads linux.1 and
> > > linux.2 with no problem. It is unable to download linux3.tgz,
> > > however.
> > >
> > >
> > > I've tried two different zen servers. I can tftp the file from either
> > > zen server in windows with no problem. I can tftp it from maintenance
> > > mode if I use a workstation as a tftp server. I can tftp it in PXE on
> > > the same subnet with no problems.
> > >
> > > A packet trace on the workstation shows that it gets so far into the
> > > download and then begins getting ICMP 'destination unreachable' packets
> > > from the server with the 'port unreachable' flag set.
> > >
> > > It sounds as if the server is closing the conversation on that port.
> > >
> > > Can anyone shed any light on this for me?
> > >
> > > Dave Thomas
> > > Rivercrest Technologies, Inc.
> > >
> >
> >
OK, so I'm having trouble installing my router. I'll just tell you what's what first off to get things out of the way.
The PC in our office was where the router is situated, so I had upgraded to the WRT310N router maybe 6 months ago. It had 1 PC hardwired to it from the basement and a wireless connection to a laptop (so 2 desktop PCs and a laptop). Some minor problems with the wireless connections, but I wasn't too concerned as it's used in my music studio. Recently the computer in the office had died, so that's where the software for the router had been installed. The connection worked fine for the PC downstairs as with the laptop; here's where the trouble comes into play.
So I had decided to install the software for the router on the downstairs PC. As soon as it gets to the "plug it into the wall outlet" screen it sits there, then reports that there was a problem with it by either me having my old router hooked up or a "bad gateway (optional or something to that effect)". At first I thought maybe it was because I had set up a static IP and forwarded my ports in the router settings through 192.168.1.1. I then reset it back to the factory settings, but now I'm stuck. I figured maybe I should install the LELA to access the update tab but couldn't.
So now my router is nothing more than a $100 paperweight due to myself not finding anything relatable on the forums. I had thought of updating my network card's driver... nothing. I downloaded the firmware for the router... I have no idea what a .bin file is, nor are there any instructions on how to install it or what to do with it. All I could come up with was that it can recognize a connection but there's no Internet connection being allowed. Any ideas????
Also my ISP can't do anything.
My ISP is Shaw Cable and I live in Canada. The only thing I can think of is that I had reset it back to the factory settings, but even out of the box it worked.
10.6.8 Printing problem with HP Photosmart premium C310 printer
I have a Photosmart Premium C310 printer which is connected wirelessly to my network. I also have a Mac Pro which is connected to the same network by Ethernet cable. Up until I updated to OS 10.6.8 everything worked fine. After that I found that when I restarted the printer I could see it for a short time under the printer list, but then it seems to "time out" and within a couple of minutes I can no longer print to it from my Mac Pro. When I restart the printer I can also see its embedded web page again for a few minutes, but then it becomes not visible.
I also own a Macbook pro and two iphones and an ipod touch and all these wireless devices have no problem with seeing the printer and printing to it at any time. The Macbook Pro is also updated to 10.6.8 and works fine with this printer.
It would seem that the issue is not with wireless devices but with a wired device printing to this wireless printer, even though it is on the same network and on the same subnet mask. All that has changed between working fine last week and not being recognised this week is an update to OS 10.6.8.
I have restarted the Mac Pro, reinstalled the latest HP software and reset the printers wireless setup but this makes no difference.
Is this a similar issue to what others have been reporting about a bug with printing under 10.6.8, or possibly something else? Any help here would be appreciated as I have no way of printing from my Mac Pro right now.
Pengtao, I have plugged my Macbook Pro into the network (with Airport off) and I can no longer reach the Photosmart printer. Remove the cable and go wireless and the Macbook Pro can reach the printer again. I have installed the Photosmart printer software under Windows 7 using Parallels on my Mac Pro and have no problems finding the Photosmart printer from it.
To make matters worse, I have bought a new Laserjet M1536 today and installed it on my network. Again I get the same issues. I can print to it from any wireless device on the network but cannot reach it from any wired device on the network. Switch the printer off and on and I can see it and print to it for about a minute, then it becomes "offline" to my Mac Pro.
Given that it works fine under Windows 7 from a Mac Pro, I have to conclude that the issue must be OS X 10.6.8 and nothing else, as everything worked fine before the upgrade. I have turned all devices off and on, checked all cable connections and also uninstalled and reinstalled all printer drivers on the Mac Pro and cannot get it working. Any advice you may have that may solve the problem beyond it being an OS X issue will be greatly welcomed.
Problems with IP Phones registration to CUCME on SG200-50P
System setup:
- Router Cisco 2811 with IOS 12.4(24)T5 Advanced IP Services, CUCME 7.1, DHCP Server
with HWIC-4ESW
- Switches:
- old - SLM224P
- new - SG200-50P (SLM2048PT), OS v1.3.2.02
- IP Phones 7911 and 7931, OS v8.4.2
One VLAN (for desktops and IP Phones) and one IP subnet, no voice VLAN.
Network diagram:
C2811---HWIC-4ESW---SWITCH---IPPhones
Problem description:
1. In the old setup with SLM224P everything works fine.
Connected phones almost immediately (1-2 sec. after power up) get an IP address and configuration and register to CUCME.
2. When the switch is changed to the new SG200-50G:
- IP phones get their IP address and TFTP configuration very slowly - about 10-20 seconds
- IP phones can't register to CUCME at all. On the router with SCCP debugging turned on there is no sign of a registration attempt
- after reconnecting the old SLM224P the situation goes back to normal
Things that have been checked or tried without success:
- ports speed and duplex auto, correct detection - although not tested with manual settings
- CDP/LLDP on/off
- smartport mode auto and most static settings, also with disabled smartport
- power cycle / reset
- spanning tree and port security settings
- solutions from that post - https://supportforums.cisco.com/thread/2232161
None of the above methods worked.
The only action that allowed IP phones to register was changing the smartport role to static IP Phone + Desktop.
After that, when the phone was disconnected and then reconnected, the problem exists again - no registration (IP Phone status DECEASED in CUCME). Same with power cycle/reset.
Please advise.
Thanks in advance.
1 - You have created the voice vlan?
Nope, flat network, one ip subnet (10 hosts and 10 phones)
2 - Have you set a phone on an untagged access port for the voice vlan to see if it works?
Yep, phones are connected to untagged access ports of the one and only vlan
3 - Have you tried to set the auto voice vlan on the switch so it dynamically assigns the role for ip phone + desktop?
Not sure about auto voice vlan setting, although there was no triggers to AVV - no static voice vlan, no CDP/VSDP advertisements of voice vlan.
We've tested static and auto smartport roles (independently of auto voice vlan feature) with successful auto-detection.
The switch was pretty much in default out-of-the-box config (beside management parameters).
4 - When rebooting the switch, you did ensure to save the start up to running config?
Yes, running to startup
5 - Have you manually set spanning tree PORT FAST for the phone ports?
No, we haven't tested that. But portfast should be set automatically for the desktop and IP phone smartport roles.
Problem with ASA 5505 VPN config
Hi to all,
I have a problem with ASA 5505 remote access VPN. I have a site-to-site VPN and I need my VPN clients to be able to access the IP subnets that I have behind the site-to-site VPN. With everything I have tried, I get an error in my log: “Flow is a loopback”.
So what I need: for example, I need the VPN client with IP 10.0.0.1 to be able to reach 192.168.1.2.
My config:
access-list Test_splitTunnelAcl standard permit host 10.0.2.3
access-list Test_splitTunnelAcl standard permit host 10.0.2.4
access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_splitTunnelAcl
Site-to-Site:
crypto map outside_map 3 set peer 195.233.x.x
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.2.70
network-object host 192.168.3.55
network-object 192.168.1.0 255.255.255.0
I hope that someone can post an answer and solve my problem.
A few things are required:
1) You don't need the following 2 lines, so it can be removed:
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
2) On the ASA, you need to configure:
same-security-traffic permit intra-interface
3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24
4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.
5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.
Hope that will resolve your problem.
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi, I am having a big problem with port forwarding on my ASA. I am trying to forward SMTP through the ASA to my mail server.
My mail server IP is 10.0.0.2 and my outside interface is 80.80.80.80; the ASA is set up with PPPoE (I get Internet access no problem and that seems fine).
When I run a trace I get "(ACL-Drop) - flow is denied by configured rule".
Below is my config file; any help would be appreciated.
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end
Hi Jennifer,
I have removed that NAT line as suggested but still no joy.
Here is my current config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
Also here is the packet trace
and my ACL.
Thanks
Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface
Hi all,
I have a very strange problem with the OUTSIDE interface and remote SSH. Well, I have followed the documentation and configured remote access for SSH like this [1.]. If I want to connect from the Internet to the OUTSIDE interface [2.] I get no response, and in the log I can see this message [3.]. I really do not understand why the SSH connection is dropped by the OUTSIDE access-list [4.]. If I understand the documentation correctly, the interface access-list has no impact on remote management/access like ICMP, SSH, HTTP(S). So, why?
When I try an SSH connection from the internal network to the INSIDE interface everything works fine and I can log in to the ASA. If I try to allow SSH in the OUTSIDE access-list, still no success, and I get this message [5.]. It is strange, isn't it?
The same problem with ICMP: if I want to "ping" the OUTSIDE interface from the Internet I get this message in the log [6.], and the configuration for ICMP is like this [7.].
Full ASA config is in the attachment.
Can anybody help me fix it and explain what exactly is wrong? Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE
You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK
Problem with Itunes 9.1 on Windows 7
Hi all
Problem with the 9.1 version of iTunes. I downloaded the update and everything went OK until I rebooted the PC and it gave me this message: "Apple sync notifier: The program can't start, CoreFoundation.dll is missing from this computer".
Trying to fix the problem, I uninstalled iTunes, Quick, Apple Application Device, Apple Mobile Device, and Software Update, rebooted the PC and reinstalled everything. This time everything went right and no more message, but now if I click to open iTunes it doesn't run, and Safari is making my computer slow and it freezes for seconds.
Any idea what could be my problem?
Same problem here. Running the iTunes network diagnostic doesn't enlighten me: it tells me that connectivity to the iTunes store is fine. My firewall tells me that when iTunes starts it attempts to connect to "http://wpad/wpad.dat", which of course fails because the unqualified domain name gets my local domain added to it (and I don't have a host called ipad on my network).
Here's the report, in case it helps Apple figure out what's wrong:
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
Hewlett-Packard HP Compaq 2710p (434566R)
iTunes 9.1.0.79
QuickTime 7.6.6
FairPlay 1.7.16
Apple Application Support 1.2.1
iPod Updater Library 9.0d11
CD Driver 2.2.0.1
CD Driver DLL 2.1.1.1
Apple Mobile Device 3.0.0.102
Apple Mobile Device Driver not found.
Bonjour 2.0.0.34 (214.3)
iTunes Serial Number [DELETED]
Current user is an administrator.
The current local date and time is 2010-04-01 16:05:14.
iTunes is not running in safe mode.
Video Display Information
Mobile Intel(R) 965 Express Chipset Family
Mobile Intel(R) 965 Express Chipset Family
** External Plug-ins Information **
No external plug-ins installed.
The drive D: MATSHITA DVD-RAM UJ-844S Rev 1.00 is a USB 2 device.
iPodService 9.1.0.79 is currently running.
iTunesHelper 9.1.0.79 is currently running.
Apple Mobile Device service 3.0.0.0 is currently running.
** Network Connectivity Tests **
Network Adapter Information
Adapter Name: {0487F0A0-2F5C-4615-B484-2E0EA6294BAC}
Description: Intel(R) Wireless WiFi Link 4965AGN - Packet Scheduler Miniport
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway:
DHCP Enabled: Yes
DHCP Server: 10.10.1.1
Lease Obtained: Wed Mar 31 21:11:15 2010
Lease Expires: Thu Apr 01 09:11:15 2010
DNS Servers: 10.10.1.1
10.10.1.1
Adapter Name: {95041341-AD4D-4047-9219-4730035AFD21}
Description: Intel(R) 82566MM Gigabit Network Connection - Packet Scheduler Miniport
IP Address: 10.10.1.14
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.1.1
DHCP Enabled: Yes
DHCP Server: 10.10.1.1
Lease Obtained: Thu Apr 01 15:41:19 2010
Lease Expires: Fri Apr 02 03:41:19 2010
DNS Servers: 10.10.1.1
10.10.1.1
Active Connection: LAN Connection
Connected: Yes
Online: Yes
Using Modem: No
Using LAN: Yes
Using Proxy: No
SSL 3.0 Support: Enabled
TLS 1.0 Support: Enabled
Firewall Information
Windows Firewall is off.
Connection attempt to Apple web site was successful.
Connection attempt to iTunes Store was successful.
Secure connection attempt to iTunes Store was successful.
Secure connection attempt to iPhone activation server was successful.
Last successful store access was 2010-03-12 14:22:25. -
Problem with login on(ERROR 10061)
Hi all, I'm having a problem with logging on to the system. Everything else installed OK and is working fine. I think it's my connection to the server; I used the MS Loopback adapter. Help on the configuration, especially in the Windows folder (system32/drivers/etc/hosts), would be appreciated.
Plus I'm getting this Windows report after the GUI connection error: ERROR disp+work.exe failed.
Edited by: Daniel T nehanda on Jul 16, 2008 10:13 PM
I'm using XP SP2
and the NetWeaver is SAP NetWeaver 7.0 ABAP Trial
hosts info: 10.10.10.10 localhost
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : tt-2565535e5bc6
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\Administrator>
Edited by: Daniel T nehanda on Jul 17, 2008 8:22 PM -
Still having problems with VPN access
Hello!
I am having problems with my VPN clients getting access to the networks over an MPLS infrastructure. I can reach these resources from my core network (172.17.1.0/24) and my Wifi (172.17.100.0/24) but not from my VPN network (172.17.200.0/24). From the VPN I can reach the Wifi network (which is behind a router), and the rule that allows that also allows access to the other networks, but for some reason it is not working.
When I ping inside the core network from VPN I can connect and get responses. When I ping to the Wifi network, I can get responses and connect to resources there. A tracert to the wifi network shows it hitting the core switch (a 3750 stack) @ 172.17.1.1, then the Wifi router (172.17.1.3) and then the host. A tracert to a resource on the MPLS network from the VPN shows a single entry (the destination host) and then 29 time outs but will not ping that resource nor connect.
I've posted all the info I can think of below. Any help appreciated.
*** Here is a tracert from a core network machine to the resource we need on the MPLS:
C:\Windows\system32>tracert 10.2.0.125
Tracing route to **************** [10.2.0.125]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 172.17.1.1
2 1 ms <1 ms <1 ms 172.17.1.10
3 5 ms 5 ms 5 ms 192.168.0.13
4 31 ms 30 ms 31 ms 192.168.0.5
5 29 ms 30 ms 29 ms 192.168.0.6
6 29 ms 29 ms 29 ms 192.168.20.4
7 29 ms 29 ms 29 ms RV-TPA-CRMPROD [10.2.0.125]
Trace complete.
172.17.1.10 is the mpls router.
**** Here is the routing table (sh ip route) from the 3750 @ 172.17.1.1
Gateway of last resort is 172.17.1.2 to network 0.0.0.0
S 192.168.30.0/24 [1/0] via 172.17.1.10
172.17.0.0/24 is subnetted, 3 subnets
S 172.17.200.0 [1/0] via 172.17.1.2
C 172.17.1.0 is directly connected, Vlan20
S 172.17.100.0 [1/0] via 172.17.1.3
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.1.0 [1/0] via 172.17.1.10
S 192.168.11.0/24 [1/0] via 172.17.1.10
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S 10.2.0.0/24 [1/0] via 172.17.1.10
S 10.10.10.0/24 [1/0] via 172.17.1.10
S 10.20.0.0/24 [1/0] via 172.17.1.10
S 10.3.0.128/25 [1/0] via 172.17.1.10
S 192.168.1.0/24 [1/0] via 172.17.1.10
S* 0.0.0.0/0 [1/0] via 172.17.1.2
*** Here is the firewall config (5510):
ASA Version 8.4(1)
hostname RVGW
domain-name ************
enable password b5aqRk/6.KRmypWW encrypted
passwd 1ems91jznlfZHhfU encrypted
names
interface Ethernet0/0
nameif Outside
security-level 10
ip address 5.29.79.10 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.17.1.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 172.19.1.1 255.255.255.0
management-only
banner login RedV GW
ftp mode passive
dns server-group DefaultDNS
domain-name RedVector.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WiFi
subnet 172.17.100.0 255.255.255.0
description WiFi
object network inside-net
subnet 172.17.1.0 255.255.255.0
object network NOSPAM
host 172.17.1.60
object network BH2
host 172.17.1.60
object network EX2
host 172.17.1.61
description Internal Exchange / Outbound SMTP
object network Mail2
host 5.29.79.11
description Ext EX2
object network NETWORK_OBJ_172.17.1.240_28
subnet 172.17.1.240 255.255.255.240
object network NETWORK_OBJ_172.17.200.0_24
subnet 172.17.200.0 255.255.255.0
object network VPN-CLIENT
subnet 172.17.200.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object object BH2
network-object object NOSPAM
object-group network VPN-CLIENT-PAT-SOURCE
description VPN-CLIENT-PAT-SOURCE
network-object object VPN-CLIENT
object-group network LAN-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.2.0.0 255.255.255.0
network-object 10.3.0.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.18.1.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
object-group network VPN-POOL
network-object 172.17.200.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list Outside_access_in extended permit tcp any object BH2 object-group DM_INLINE_TCP_1
access-list global_mpc extended permit ip any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 172.17.1.52 9996
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 172.17.1.240-172.17.1.250 mask 255.255.255.0
ip local pool VPN2 172.17.200.100-172.17.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static EX2 Mail2
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
nat (Inside,Outside) source static inside-net inside-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
object network inside-net
nat (Inside,Outside) dynamic interface
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
nat (Outside,Outside) after-auto source dynamic VPN-CLIENT-PAT-SOURCE interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 5.29.79.9 1
route Inside 10.2.0.0 255.255.255.0 172.17.1.1 1
route Inside 10.3.0.0 255.255.255.128 172.17.1.1 1
route Inside 10.10.10.0 255.255.255.0 172.17.1.1 1
route Inside 172.17.100.0 255.255.255.0 172.17.1.3 1
route Inside 172.18.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.11.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.30.0 255.255.255.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RedVec protocol ldap
aaa-server RedVec (Inside) host 172.17.1.41
ldap-base-dn DC=adrs1,DC=net
ldap-group-base-dn DC=adrs,DC=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Hanna\, Roger,OU=Humans,OU=WPLAdministrator,DC=adrs1,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 Inside
http 24.32.208.223 255.255.255.255 Outside
snmp-server host Inside 172.17.1.52 community *****
snmp-server location Server Room 3010
snmp-server contact Roger Hanna
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.17.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 172.17.1.100-172.17.1.200 Inside
dhcpd dns 172.17.1.41 172.17.1.42 interface Inside
dhcpd lease 100000 interface Inside
dhcpd domain adrs1.net interface Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy RedV internal
group-policy RedV attributes
wins-server value 172.17.1.41
dns-server value 172.17.1.41 172.17.1.42
vpn-tunnel-protocol ikev1
default-domain value ADRS1.NET
group-policy RedV_1 internal
group-policy RedV_1 attributes
wins-server value 172.17.1.41
dns-server value 172.17.1.41 172.17.1.42
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
default-domain value adrs1.net
username rparker password FnbvAdOZxk4r40E5 encrypted privilege 15
username rparker attributes
vpn-group-policy RedV
username mhale password 2reWKpsLC5em3o1P encrypted privilege 0
username mhale attributes
vpn-group-policy RedV
username dcoletto password g53yRiEqpcYkSyYS encrypted privilege 0
username dcoletto attributes
vpn-group-policy RedV
username rhanna password Pd3E3vqnGmV84Ds2 encrypted privilege 15
username rhanna attributes
vpn-group-policy RedV
tunnel-group RedV type remote-access
tunnel-group RedV general-attributes
address-pool VPN2
authentication-server-group RedVec
default-group-policy RedV
tunnel-group RedV ipsec-attributes
ikev1 pre-shared-key *****
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
flow-export event-type all destination 172.17.1.52
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:202ad58ba009fb24cbd119ed6d7237a9
Hi Roger,
I bet you already checked it, but does the MPLS end router have a route to the VPN client subnet 172.17.200.x (or a default route) pointing to the core router?
Also, if the MPLS link has any /30 subnet assigned, you may need to include that as well in the object-group LAN-NETWORKS.
Thx
MS -
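As an added example, not part of the thread and not Cisco's own tooling, the checker below walks a running-config of the shape posted above and reports the points a reviewer would raise against it: transform-sets and IKEv1 policies that still offer DES, 3DES, MD5-HMAC or Diffie-Hellman groups below 2048 bits, telnet management, and HTTP or SSH management permitted from an interface treated as untrusted (the interface name is a parameter, defaulting to `Outside` as in the posted config). The sample config is a constructed subset of the one posted; the finding strings and the weak-algorithm sets are this example's own choices.

```python
"""Flag weak IKEv1/IPsec algorithm choices and exposed management access in an
ASA running-config of the shape posted in the thread above. Added example, not
from the thread; SAMPLE_CONFIG is a constructed subset of the posted config."""
import re
from typing import List, Set

# DES is broken, 3DES and MD5-HMAC are deprecated, DH groups 1/2/5 are below 2048 bits.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_INTEGRITY = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}

TRANSFORM_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
# Sub-commands that belong to a 'crypto ikev1 policy' block in a show-run dump.
POLICY_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def audit_asa_config(config: str,
                     untrusted_interfaces: Set[str] = frozenset({"Outside"})) -> List[str]:
    """Return one finding string per weak or exposed setting found."""
    findings: List[str] = []
    policy = None  # number of the 'crypto ikev1 policy' block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None and parts[0] in POLICY_SUBCMDS and len(parts) >= 2:
            key, val = parts[0], parts[1]
            if key == "encryption" and val in WEAK_ENCRYPTION:
                findings.append(f"ikev1 policy {policy}: weak encryption {val}")
            elif key == "hash" and val in WEAK_INTEGRITY:
                findings.append(f"ikev1 policy {policy}: weak hash {val}")
            elif key == "group" and val in WEAK_DH_GROUPS:
                findings.append(f"ikev1 policy {policy}: DH group {val} below 2048 bits")
            continue
        policy = None  # any other top-level line ends the policy block
        m = TRANSFORM_RE.match(line)
        if m:
            name, enc, integ = m.groups()
            if enc in WEAK_ENCRYPTION:
                findings.append(f"transform-set {name}: weak encryption {enc}")
            if integ in WEAK_INTEGRITY:
                findings.append(f"transform-set {name}: weak integrity {integ}")
        elif parts[0] == "telnet" and len(parts) >= 2 and parts[1] != "timeout":
            findings.append(f"cleartext telnet management allowed: {line}")
        elif parts[0] in {"http", "ssh"} and parts[-1] in untrusted_interfaces:
            findings.append(f"{parts[0]} management reachable from {parts[-1]}: {line}")
    return findings


# Constructed subset of the posted running-config (same commands, fewer lines).
SAMPLE_CONFIG = """
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.17.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 Inside
ssh timeout 5
http server enable
http 172.17.1.0 255.255.255.0 Inside
http 24.32.208.223 255.255.255.255 Outside
"""

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the full posted config it reports every transform-set carrying DES, 3DES or MD5, both IKEv1 policies (3DES with group 2), the telnet line and the ASDM access from the Outside interface; the strong sets such as ESP-AES-256-SHA produce nothing. The dynamic crypto map in the post offers all ten transform-sets, so a client can negotiate the weakest of them, which is why the transform-set list, not just the policies, is worth checking.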
WLC 2504 problems with one IP address range
I am having an interesting issue configuring a new 2504.
How it is setup:
Port 1 management with vlan tagging on vlan 111
Port 2 trunking with ap-manager2 on vlan 3, 102 on vlan 102 (Not ap-manager), and 1001 on vlan 1001.
All of the vlans have distinctive and unique IP ranges. Vlan 111 is running 172.16.128 /20, 102 is 172.19.252 /23 and vlan 1001 should be running 172.17 /16.
Here is my problem. I can set up all of the dynamic interfaces on the appropriate IP ranges, but for some reason when I configure the 1001 vlan dynamic interface with the /16 address space, I lose connectivity to the GUI management interface. I have to go in through the CLI and remove the interface or change the IP range. I have tried other /16 address space on that vlan and do not have a problem with them. The 172.17 space appears to be the only one that will not work.
I have attached the config from the controller (minus some site-specific stuff like the SNMP community and WPA stuff). The config is using a 172.20 /16 right now on the 1001 interface so that I could get into the controller and download the config. It should be 172.17 /16. The actual IP info should be 172.17.4.253 255.255.0.0 172.17.0.254
My computer is on the 1001 vlan and I have verified the IP is not in use and am using the same subnet, gateway etc as I am trying to configure the wlc with.
Switch config:
Port 1 is plugged into g0/2 with the following config
interface GigabitEthernet0/2
switchport trunk allowed vlan 1,3,102,111,1001
switchport mode trunk
spanning-tree portfast
Port 2 is plugged into fa0/47 and just has switchport mode trunk.
How can I get the interface to work with the proper IP range for vlan 1001?
I finally had a chance to fiddle around with this issue again and have some more information on the problem. It appears to not be an issue with the IP address, but rather with the VLAN. The 172.17.0.0/16 subnet is on VLAN 1001, which it appears the WLC does not care for. This problem is repeatable on the following versions of code that I have tried:
7.0.220.0
7.1.91.0
7.4.110.0 (Not in use for production until we upgrade from WCS to Prime.)
Any thoughts? Moving the 1001 VLAN to another number would be a HUGE undertaking so if there is not an answer within the firmware on the WLC, I will have to bridge two VLANs with bpdufilter enabled... Not my first choice for sure... -
Airport wifi problems with uverse and gigabit switch resolved
I think there is a bug in airport firmware 7.6 with how spanning tree works in addition to problems with the Uverse router. Having an Airport with a uverse 2wire 3801 and gigabit switch will not work. Putting the extreme in NAT mode with DMZ plus behind the uverse resolved the problem.
Network configuration:
Uverse 2wire 3801 router
3801 provides prioritization for upstream traffic so skype and VoIP work better when doing a lot of stuff on Internet
Airport extreme firmware 7.6
two airport express 802.11n hardwired to extreme. Set up in bridge mode. All access points have same SSID "create a network" to enable roaming. Ignore anything to do with extending a network. firmware 7.6
two gigabit switches
Netgear GS608 - 8 port gigabit switch
Trendnet TEG-S80g - 8 port gigabit switch
100BT 5 port switch - did not figure into problem
Three Uverse set top boxes wired on Ethernet. They have to be wire directly to the 2wire box to work correctly. See: http://forums.att.com/t5/Features-and-How-To/At-amp-t-U-Verse-modem-setup-Airpor t-Extreme/td-p/2300785
However, you need to be careful to place your own PCs and other internet devices on the network created by your gear (airport extreme in your case), but keep AT&T's set top boxes for the IPTV services IN FRONT of your own router - so they remain on AT&T's provided network.
So it would work like this ...
Network 1: 2wire RG (4 lan ports) -> Any Set tops, and to the WAN port on your AirportExtreme
Network 2: Airport Extreme LAN ports -> to any computers or internet devices (but not AT&T set top boxes).
The RG prioritizes the traffic for your Uverse Voice and your Uverse TV ahead of internet data traffic, as it rationalizes data heading out of your home. If you place your own equipment in that equation (like putting AT&T set top boxes behind your Airport Extreme) the performance and function of your AT&T set top boxes could really flake out on you.
Symptom:
Everything would be working fine, then intermittently all my wifi access points would stop working. ~6,000 ms latency, dropped packets. Ethernet worked fine. Here is an example of my macbook pinging the extreme when associated with the extreme over wifi with a strong signal.
ping: sendto: Host is down
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
64 bytes from 192.168.1.64: icmp_seq=25 ttl=255 time=267.051 ms
Request timeout for icmp_seq 26
Request timeout for icmp_seq 27
Request timeout for icmp_seq 28
64 bytes from 192.168.1.64: icmp_seq=26 ttl=255 time=3402.599 ms
Request timeout for icmp_seq 30
Request timeout for icmp_seq 31
Request timeout for icmp_seq 32
64 bytes from 192.168.1.64: icmp_seq=30 ttl=255 time=3060.673 ms
64 bytes from 192.168.1.64: icmp_seq=34 ttl=255 time=24.115 ms
64 bytes from 192.168.1.64: icmp_seq=35 ttl=255 time=31.056 ms
64 bytes from 192.168.1.64: icmp_seq=36 ttl=255 time=39.828 ms
Root cause:
It looks like the 2wire 2801 router has a problem with spanning tree when interoperating with gigabit switches and airports. There is interplay with the airport.
I did not have this problem until the 7.6 airport firmware. I had been using the Netgear hub for about a year with the extreme in bridge mode. I added the Trendnet hub and upgraded airport firmware at the same time which made fault isolation difficult.
Problem recreation:
Set up airport expresses hard wired to extreme
Connect gigabit switch anywhere to network
Everything OK
Detach one computer from wifi then reattach, then all wifi stops working. It takes a few seconds for the problem to propagate.
Ethernet still works fine
Problem Resolution:
Connect to 2wire with ethernet
Set 2wire route to have subnet as 192.168.2.x
Set extreme in NAT mode behind 2wire. It will complain about double NAT. Override the warning. Set the subnet to 192.168.1.x so you don't have to change any static IP addresses. Note that 2wire uses 192.168.1.254 as default route whereas airport uses 192.168.1.1.
I set DHCP to start at .10 to leave the lower addresses for assigning static IP addresses to computers I want to expose outside the firewall.
Go into firewall settings. Select airport extreme. Select the bottom setting which is "DMZ Plus". When you go into the airport extreme settings, you will now see that it has the uverse public IP address on its WAN port. NAT port mappings work fine on the extreme behind the 2wire router.
Keeping this very short, here is a summary of the actual problem and solution to allow your Apple Airport Extreme to run in Bridge mode on the same subnet as your uVerse settop boxes (if your Layer 2 switch is configurable).
Devices: Uverse, Cisco SG300, and Airport Extreme
uVerse uses Multicast to broadcast video streams between the uVerse network to the settop box, and from settop box to settop box.
X number of Multicast Groups are created based on X number of settop boxes you have. You can see the multicast definitions by logging into the web interface of the iNid. Each settop box is a member and can choose to display a broadcast TV stream or not.
Multicast membership is set up by the use of ICMP messages for IPv4 (MLD for IPv6). Each of the settop boxes becomes a member of each other's multicast group by reporting up to the iNid (Multicast Proxy).
In an ideal world a layer 2 switch will track these memberships and only forward a broadcast packet to the ports on the switch to which the settop boxes are connected. The switch would do this via snooping on the ICMP packets. Most switches do not do this by default and simply forward the broadcast packet out every one of its switch ports.
Herein lies the problem. The problem is that the Apple AES doesn't do ICMP snooping / filtering and floods the wireless network with these broadcast streams.
In order to fix this you must turn on ICMP snooping and filtering on the switch (or buy a switch that does this). I have a Cisco SG300 and list out the configuration below.
Other notes:
Ensure that all media renderers (settop boxes) and servers are wired directly off the switch and not attached to any of the Airport Express ports. This way no media traverses the Airport (only control point traffic goes through the WiFi, which is fine). Obviously if the IGMP snooping switch sees any client requesting multicast streaming traffic on the same port as the WAP, it will add that multicast address to the forwarding table for that port, and then, yes, it could get flooded.
Remember, you need to allow some Multicast traffic through your WAP to allow UPnP discovery to work (assuming that you will be using Wireless control points.)
Read the Multicast chapter in the SG 300 switch Admin Guide as it explains things very well.
Setting up multicast on the SG300s using the WebUI:
1. Multicast/Properties/
Tick enable Bridge Multicast Filtering Status for VLAN 1, and
set the Forwarding Method to IP Group Address for both IPv4 & IPv6.
2. Multicast/ IGMP snooping/
Tick enable IGMP snooping status then select and edit the entry and ensure that IGMP querier status is ticked.
It's essential for IGMP snooping to work that there must be at least one active IGMP querier on the network - if more than one is enabled, they will carry out an "election" to decide which one should be active (normally the one with the lowest IP address.)
3. Multicast Router Port
Set whichever port that is connected to the uVerse iNid to Status which means that it the uVerse router connected to this port is the Multicast Router
4. Multicast/ Unregistered Multicast
set all ports to Filtering. (The default is Forwarding.)
There are a lot of other variables within all the above - the defaults are OK, you should probably leave them alone!
In the config file you would then expect to see the above appearing as something like this:
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 1 immediate-leave
interface vlan 1
bridge multicast mode ipv4-group
bridge multicast ipv6 mode ip-group
interface range gi1-10
bridge multicast unregistered filtering
ip igmp snooping vlan 1 querier
ip igmp snooping vlan 1 querier address <IP-Addr> -
Hello
I have a big problem with my Xsan Admin.
Yesterday by mistake my configuration of xsan admin from Application
Support are gone.
Only config files from /Library/Filesystems/Xsan/config survive, but
without one client in config.plist
Now I can't mount any clients or controllers from Xsan Admin, even when
I set it to connect to an existing SAN.
From the terminal I run two volumes locally on the MDC.
I also tried to add a client in Xsan Admin and it works, but not fully
functionally. The only thing I can do now is mount volumes on the client
using the terminal and the command:
sudo mkdir /Volumes/volumename
sudo mount_acfs volumename /Volumes/volumename
But it still doesn't work, because on some clients I receive the info
"Cannot mount. License authorization failure"
Have you allowed email to be sent/relayed from your local LAN / subnet?