ACLS QUESTION - 2 LAN SEGMENTS - ISSUE

I have a scenario where 2 LAN segments are separated by a router, Admin and Students. There is a DNS server and an EMAIL server on the admin segment. Students should be able to access DNS and EMAIL services (smtp, pop3 and dns). No access to any other traffic. Admin should have full access to the student LAN segment. I managed to implement all the filtering with extended ACLs placed on the router as follows:
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq www
access-list 105 permit udp any host 10.20.0.2 eq 53
access-list 105 deny ip any any
int e1/1
ip access-group 105 in
But for some reason it does not allow any access from the admin segment to the students segment.
EMAIL AND DNS ARE WORKING FINE FROM THE STUDENTS SEGMENT AND PINGS FAIL AS EXPECTED AFTER THE COMMANDS MENTIONED WERE ISSUED.
ADMIN SHOULD BE ABLE TO PING STUDENTS SEGMENTS
AFTER ATTEMPTING MANY TIMES AND DIFFERENT CONFIG I TRIED THE FOLLOWING:
access-list 106 permit ip any any
int e1/0
ip access-group 106 in
I also tried
int e1/1
ip access-group 106 in
BUT ADMIN STILL HAS NO ACCESS TO THE STUDENTS SEGMENTS!!!!!!
WHY NOT?
FEW FELLOWS TRIED IT OUT AS WELL IN PACKET TRACER WITH NO SUCCESSFUL RESULTS...
:S
I WOULD REALLY APPRECIATE SOME HELP ASAP!
THANK YOU IN ADVANCE,
MIGUEL
Posted by WebUser Miguel Pcn

Hi Miguel,
Your issue is the returning packet for the session initiated by the Admin, caused by the deny ip any any on access-list 105.
For the "ping" from admin to student to work, add:
   access-list 105 permit icmp any any echo-reply
What kind of access is needed from Admin to Student?
Dan
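Dan's point, reproduced in an added Python model of how IOS walks an extended ACL (first match wins, implicit deny at the end): the admin's echo request leaves through e1/1 unfiltered, but the student's echo-reply enters e1/1 and is dropped by the deny in 105, which is why ACL 106 on e1/0 changes nothing. This is not code from the thread; it assumes e1/1 is the student-facing interface, constructs the host addresses other than 10.20.0.2, and adds an established entry for admin-initiated TCP sessions that Dan's echo-reply line alone does not cover.

```python
import ipaddress
from dataclasses import dataclass

# Added model of IOS extended-ACL evaluation (top-down, first match wins,
# implicit deny at the end). Not code from the thread: host addresses other
# than the DNS server 10.20.0.2 are constructed, e1/1 is assumed to face the
# students, and the 'established' entry is an assumption.

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP type number for icmp
    ack: bool = False     # TCP ACK/RST set, i.e. the reply half of a session


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # a contiguous wildcard mask is the inverted netmask: 0.0.0.255 -> /24
    ones = bin(int(ipaddress.IPv4Address(tokens[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tokens[i]}/{32 - ones}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | established | ICMP-TYPE]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    return action, proto, src, dst, t[i:]


def _matches(ace, p):
    action, proto, src, dst, qual = ace
    if proto != "ip" and proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in src or ipaddress.ip_address(p.dst) not in dst:
        return False
    if not qual:
        return True
    if qual[0] == "eq":
        port = PORT_NAMES.get(qual[1]) or int(qual[1])
        return p.proto in ("tcp", "udp") and p.dport == port
    if qual[0] == "established":
        return p.proto == "tcp" and p.ack
    if qual[0] in ICMP_TYPES:
        return p.proto == "icmp" and p.icmp_type == ICMP_TYPES[qual[0]]
    raise ValueError(f"unsupported qualifier: {qual}")


def evaluate(acl, packet):
    """Return 'permit' or 'deny' for packet under acl, a list of ACE strings."""
    for line in acl:
        ace = parse_ace(line)
        if _matches(ace, packet):
            return ace[0]
    return "deny"   # the implicit deny ip any any at the end of every IOS ACL


# ACL 105 exactly as posted, inbound on e1/1. Everything entering from the
# student side is checked here, including replies to admin-initiated sessions.
ACL_105 = [
    "access-list 105 permit tcp any any eq smtp",
    "access-list 105 permit tcp any any eq pop3",
    "access-list 105 permit tcp any any eq www",
    "access-list 105 permit udp any host 10.20.0.2 eq 53",
    "access-list 105 deny ip any any",
]

# The same ACL with return-traffic entries inserted *before* the final deny.
ACL_105_FIXED = ACL_105[:-1] + [
    "access-list 105 permit icmp any any echo-reply",  # Dan's fix, with the icmp keyword
    "access-list 105 permit tcp any any established",  # assumed: admin-initiated TCP sessions
    ACL_105[-1],
]

STUDENT, ADMIN, DNS = "10.30.0.10", "10.20.0.50", "10.20.0.2"  # constructed hosts


def student_dns_allowed(acl):
    return evaluate(acl, Packet("udp", STUDENT, DNS, dport=53)) == "permit"


def admin_ping_reply_allowed(acl):
    """The echo-reply from a student host enters e1/1 and is checked by acl."""
    return evaluate(acl, Packet("icmp", STUDENT, ADMIN, icmp_type=0)) == "permit"


def admin_tcp_reply_allowed(acl):
    """SYN/ACK from a student host back to the admin's ephemeral port."""
    return evaluate(acl, Packet("tcp", STUDENT, ADMIN, dport=51234, ack=True)) == "permit"
```

Both return-traffic entries have to sit above the deny ip any any, since IOS stops at the first matching entry; a reflexive ACL or zone-based firewall would track sessions instead of trusting the ACK bit.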

Similar Messages

  • VPN session established but cannot access trusted LAN segment on the ASA

    Just a roundup of my Cisco ASA configuration...
    1) Configure remote access IPSec VPN
    2) Group Policies - vpntesting
    3) AES256 SHA DH group 5
    4) Configure local user vpntesting
    5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
    6) open access on outside interface
    7) IKE group - vpntesting
    A) Did I miss anything?
    B) For example, there is a LAN segment - 10.27.40.x/24  on the trusted leg of the Cisco ASA but I can't access it. Do I need to  create access lists to allow my VPN session to access the trust LANs?
    C) Any good guide for configuring remote access VPN using ASDM?

    I have couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
    1: Sometimes, clients are connected and the connection shows as established, but no traffic or pings can reach the corp network. It might have to do with NAT settings to exempt VPN traffic from being NATed.
    2: VPN clients don't pick the same IP address from the local address pool even though I specified the "RECYCLE" option.
    I would appreciate it if you could look at my configuration and advise on any misconfiguration or anything that needs to be corrected.
    Thank you so much.
    Configuration:
    TQI-WN-RT2911#sh run
    Building configuration...
    Current configuration : 7420 bytes
    ! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
    ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
    ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname TQI-WN-RT2911
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    aaa session-id common
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp remember
    ip domain name telquestintl.com
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-2562258950
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2562258950
    revocation-check none
    rsakeypair TP-self-signed-2562258950
    crypto pki certificate chain TP-self-signed-2562258950
    certificate self-signed 01
                quit
    license udi pid CISCO2911/K9 sn ##############
    redundancy
    track 1 ip sla 1 reachability
    delay down 10 up 20
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ############## address 173.161.255.### 255.255.255.240
    crypto isakmp client configuration group EASY_VPN
    key ##############
    dns 10.10.0.241 10.0.0.241
    domain domain.com
    pool EZVPN-POOL
    acl VPN+ENVYPTED_TRAFFIC
    save-password
    max-users 50
    max-logins 10
    netmask 255.255.255.0
    crypto isakmp profile EASY_VPN_IKE_PROFILE1
       match identity group EASY_VPN
       client authentication list default
       isakmp authorization list default
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile EASY_VPN_IPSec_PROFILE1
    set security-association idle-time 86400
    set transform-set ESP-3DES-SHA
    set isakmp-profile EASY_VPN_IKE_PROFILE1
    crypto map VPN_TUNNEL 10 ipsec-isakmp
    description ***TUNNEL-TO-FAIRFIELD***
    set peer 173.161.255.241
    set transform-set ESP-3DES-SHA
    match address 105
    interface Loopback1
    ip address 10.10.30.1 255.255.255.0
    interface Tunnel1
    ip address 172.16.0.2 255.255.255.0
    ip mtu 1420
    tunnel source GigabitEthernet0/0
    tunnel destination 173.161.255.241
    tunnel path-mtu-discovery
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Optonline  WAN secondary
    ip address 108.58.179.### 255.255.255.248 secondary
    ip address 108.58.179.### 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN_TUNNEL
    interface GigabitEthernet0/1
    description T1 WAN Link
    ip address 64.7.17.### 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description LAN
    ip address 10.10.0.1 255.255.255.0 secondary
    ip address 10.10.0.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
    router eigrp 1
    network 10.10.0.0 0.0.0.255
    network 10.10.30.0 0.0.0.255
    network 172.16.0.0 0.0.0.255
    router odr
    router bgp 100
    bgp log-neighbor-changes
    ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
    ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
    ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
    ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
    ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
    ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
    ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
    ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
    ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
    ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
    ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
    ip access-list extended VPN+ENVYPTED_TRAFFIC
    permit ip 10.10.0.0 0.0.0.255 any
    permit ip 10.0.0.0 0.0.0.255 any
    permit ip 10.10.30.0 0.0.0.255 any
    ip sla 1
    icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
    threshold 100
    timeout 200
    frequency 3
    ip sla schedule 1 life forever start-time now
    access-list 1 permit 10.10.0.0 0.0.0.255
    access-list 2 permit 10.10.0.0 0.0.0.255
    access-list 100 permit ip 10.10.0.0 0.0.0.255 any
    access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
    access-list 105 permit gre host 108.58.179.### host 173.161.255.###
    route-map T1-ISP permit 10
    match ip address 100
    match interface GigabitEthernet0/1
    route-map OPTIMUM-ISP permit 10
    match ip address 100
    match interface GigabitEthernet0/0
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    TQI-WN-RT2911#

  • Unreleased segment issue with SAP schema

    Hi All,
    We are trying to generate a SAP schema in BizTalk 2010 and are facing an unreleased segment issue. We discussed it with the SAP team, who suggested the ways below. We have interacted with MSFT and there is no hotfix yet. Please guide me.
    The provider/external should call IDOCTYPE_READ_COMPLETE in the following way:
    - PI_RELEASE = ' ' => last existing segment version is returned
    - PI_RELEASE not available in the interface => last released version
    Which means: BizTalk needs to ensure the PI_RELEASE is not present in the call of the interface. This will allow pulling the last release version of the IDoc including not released segments.
    Thanks, Raja MCTS BizTalk Server 2010, MCC If this answers your question please mark it accordingly

    BizTalk does not support unreleased segments for Receive Operations.
    As far as I know SAP 'locks' the segment types that have not been released and the LOB adapter of BizTalk cannot properly read those segments.
    The SAP team should set a release on the IDOC types and segments you need.
    Glenn Colpaert - MCTS BizTalk Server - Blog : http://blog.codit.eu

  • How to split different LAN segments across two ISP services

    Hi Forum
    I have a doubt how to implement a new scenario
    My customer have a 5520 (with four Interfaces) firewall with the following version:
    ASA Version 8.2(5) and his configuration is
    interface GigabitEthernet0/1                                                   
    nameif lan1                                                                 
    security-level 50                                                             
    ip address 192.168.1.1 255.255.255.0                                        
    interface GigabitEthernet0/2                                                   
    nameif lan2                                                                 
    security-level 100                                                            
    ip address 192.168.2.1 255.255.255.0
    interface GigabitEthernet0/0                                                   
    description ISP1                                                        
    nameif outside                                                                
    security-level 0                                                              
    ip address a.b.c.252 255.255.255.248                                      
    same-security-traffic permit inter-interface                                   
    same-security-traffic permit intra-interface                                  
    access-list Public_access_in extended permit icmp any any                                
    access-list ACL-RED-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0 255.
    access-list ACL-INSIDE-NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0
    icmp permit any outside                                                                  
    icmp permit any inside                                                                   
    global (outside) 1 interface                                                             
    nat (inside) 0 access-list ACL-INSIDE-NONAT                                              
    nat (lan1) 1 192.168.1.0 255.255.255.0                                               
    nat (lan2) 1 192.168.2.0 255.255.255.0                                              
    static (lan2,outside) tcp a.b.c.253 8080 192.168.2.11 8080 netmask 255.255.255.255
    static (lan2,outside) tcp a.b.c.253 8081 192.168.2.13 8081 netmask 255.255.255.255
    access-group Public_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 a.b.c.249 1
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
    ! The rest is omited
    So, the LAN segments (192.168.1.0/24 and 192.168.2.0/24) reach the Internet via the outside interface, and I have also set up a VPN between our side and the remote LAN site (192.168.112.0/24).
    Now my customer wants to add a new LAN segment (for example 192.168.3.0/24) and has recently purchased a new ISP service.
    He wants this new LAN segment to exit via the new ISP provider, and possibly a new VPN between this new segment and another site will appear.
    In summary:
    The old configuration is not going to change.
    For the new service, LAN 192.168.3.0/24 must go to the Internet using the second ISP service z.y.x.194 255.255.255.248.
    What changes must I make on interface G0/3?
    I suppose I must create subinterfaces on interface G0/3, like this.
    !   line 1                                                                                        
    interface GigabitEthernet0/3                                                             
    no nameif
    no security-level 0                                                                        
    no ip address
    no shutdown
    !  line 2
    interface GigabitEthernet0/3.100
    vlan 100
    nameif lan3
    security-level 50                                                                        
    ip address 192.168.3.1 255.255.255.0
    !  line 3
    interface GigabitEthernet0/3.200
    vlan 200
    nameif outside2
    security-level 0                                                                        
    ip address x.y.z.194 255.255.255.248
    ! line 4
    route outside2 0.0.0.0 0.0.0.0 x.y.z.193 250
    ! line 5
    global (outside2) 2 interface                                                            
    nat (lan3) 2 192.168.3.0 255.255.255.0
    ! line 6
    access-group Public_access_in in interface outside2
    Also, segment 192.168.2.x/24 must be able to access the other LAN segments (192.168.1.0/24 and 192.168.3.0/24).
    Please correct me, or point me to any other reference I can consult.
    Regards
    ARGB

    Hi MikhailovskyVV.
    These are the versions of my device:
    ASA> show version
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    I can download the following images "asa913-k8.bin" and "asdm-715.bin"
    ASA# dir flash:
    Directory of disk0:/
    100    -rwx  15390720    11:59:42 Mar 13 2013  asa825-k8.bin
    101    -rwx  16280544    15:11:44 Mar 13 2013  asdm-645.bin
    102    -rwx  28672       19:00:00 Dec 31 1979  FSCK0000.REC
    3      drwx  4096        19:03:10 Dec 31 2002  log
    10     drwx  4096        19:03:22 Dec 31 2002  crypto_archive
    11     drwx  4096        19:03:24 Dec 31 2002  coredumpinfo
    104    -rwx  4096        19:00:00 Dec 31 1979  FSCK0001.REC
    105    -rwx  12998641    15:07:10 Mar 13 2013  csd_3.5.2008-k9.pkg
    106    drwx  4096        15:07:14 Mar 13 2013  sdesktop
    107    -rwx  6487517     15:07:48 Mar 13 2013  anyconnect-macosx-i386-2.5.2014-k9.pkg
    108    -rwx  6689498     15:07:56 Mar 13 2013  anyconnect-linux-2.5.2014-k9.pkg
    109    -rwx  4678691     15:08:00 Mar 13 2013  anyconnect-win-2.5.2014-k9.pkg
    255320064 bytes total (192139264 bytes free)
    ASA# show version
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"
    ASA up 1 day 18 hours
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is e4d3.f112.0e9c, irq 9
    1: Ext: GigabitEthernet0/1  : address is e4d3.f112.0e9d, irq 9
    2: Ext: GigabitEthernet0/2  : address is e4d3.f112.0e9e, irq 9
    3: Ext: GigabitEthernet0/3  : address is e4d3.f112.0e9f, irq 9
    4: Ext: Management0/0       : address is e4d3.f112.0ea0, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMX171180JB
    Running Activation Key: 0xe638dc68 0xf4a83e3e 0xcc129924 0xb180fcc0 0x0b190e9d
    Configuration register is 0x1
    Configuration last modified by enable_15 at 05:57:50.617 PEST Wed Feb 19 2014
    ASA#
    Can I upgrade directly from 8.2(5) to 9.1? (I know that the current configuration will be lost, and also that the configuration syntax is different between the versions, but this is not a problem for me, because I can re-configure it very fast.)
    My doubt is whether any other license will be affected during the upgrade. As you can see, there are other files in the flash memory, some features related to the license appear in the output of "show version", and the final line shows the message "This platform has an ASA 5520 VPN Plus license". My doubt is: after the upgrade (from 8.2 to IOS 9.1), will these features change? Will any license be affected?
    The final objective is the following:
    At this moment I have three LAN segments (for example lan1, lan2 and lan3) and two WANs (isp1 and isp2).
    lan1 and lan2 exit via isp1, and there is a site-to-site VPN connection between lan1 and a different site. At this moment it is operating without any problem.
    The problem is the third one, lan3, because it must use the second ISP (isp2), and this lan3 will also open a VPN with another site. I cannot do this requirement with the 8.2 IOS version. This requirement is like PBR on a router.
    Can version 9.1 handle this feature (PBR)?
    Please let me know
    Regards
    Andres

  • Overlapping lan segments S2S tunnels (the other end)

    Is there any way to policy nat incoming vpn S2S tunnel traffic?  I know we can policy nat out going to send traffic over a tunnel as something else...
    e.g.
    my firewall
    LAN segment 192.168.10.0/24
    1st external firewall with s2s tunnel #1 back to my firewall
    LAN 10.10.10.0/24
    2nd external firewall with s2s tunnel #2 back to my firewall
    LAN 10.10.10.0/24
    if no changes can be made to the 1st and 2nd external firewall, meaning we cannot get to at least one of them so they policy NAT out as another subnet... is there anything we can do on "my firewall"? (any incoming NAT policy options, or routes over the tunnel peer IP, or something or other???)
    and this would be Cisco ASAs, all three at least.
    thank you!

    hi, i looked at the document and thank you for responding! my scenario would be a little bit different though, wherein we have another pix, say "pix-C", which in the pdf would also be using 10.1.0.0/24
    we couldn't make a 2nd policy nat for pix-C. we couldn't have a 2nd source and destination ACL used for a 2nd policy map, as pix A would not know which access-list to use...
    i know another option is public ip to public ip's for the site to site but that isn't always an option.
    So going by the pdf you attached, what if there was also a pix-C that is also using 10.1.0.0/24 and we cannot make configuration changes on pix-B or pix-C, only on pix-A... is there any way we can have the two site-to-sites, A to B and A to C, even though B and C both have 10.1.0.0/24?

  • CCNA - ACL question

    Hi,
    I'm studying for the CCNA 640-801 exam and in some study materials there is the following ACL question and I don't understand why the answer is what it is. I was hoping someone in here could help with explaining why. Thanks.
    Router1-s0--------s0-Router2-s0--------s0-Router3
    ___|________________|_______________|____
    PCA through PCF all seem to be connected to a common backbone. All three routers appear to also be connected to the same backbone as the PCs. Router1 connects to Router2, which connects to Router3.
    PCA - 5.1.1.8/24
    PCB - 5.1.1.10/24
    PCC - 5.1.2.10/24
    PCD - 5.1.2.20/24
    PCE - 5.1.3.8/24
    PCF - 5.1.3.10/24
    You're the systems administrator at Cisco, and you create the following access control lists.
    access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
    access-list 101 permit any any
    You then enter the command "ip access-group 101 in" to apply access control list
    101 to router1's e0 interface.
    Which of the following Telnet sessions will be blocked as a result of your access
    lists? (Select all that apply)
    A. Telnet sessions from host A to host 5.1.1.10
    B. Telnet sessions from host A to host 5.1.3.10
    C. Telnet sessions from host B to host 5.1.2.10
    D. Telnet sessions from host B to host 5.1.3.8
    E. Telnet sessions from host C to host 5.1.3.10
    F. Telnet sessions from host F to host 5.1.1.10
    Answer D & F
    I understand answer D, that is straight forward and easy to understand however I don't understand answer F. The ACL statement, 'access-list 101 deny tcp 5.1.1.10 0.0.0.0' specifically has the source host listed which is not PCF. I would think only addresses matching the source address in the ACL should be blocked. Thanks to anyone who can help.

    Riley
    I have an issue with their solution and an issue with your solution.
    I think that the major flaw in their solution is putting the access-group on the serial interface as an inbound filter. As an inbound filter on the serial, 192.168.1.1 or 192.168.118.0 would be the source address, and their access list has it as the destination. Putting the access list as inbound on Ethernet 0 is effective. Putting it also on serial 1 adds no effectiveness. I am not clear whether they were again trying to point out the possibility of preventing telnet by denying the response traffic. But you cannot do both in one access list which is limited to 3 statements.
    Another (small) issue with their access list is in the second line:
    access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23
    The mask is for a specific host but 192.168.118.0 is not a host. It is the network/subnet address and no legitimate traffic will ever have that as a source address.
    The main issue in your access list is the placement of "eq 23". You have it coming before the source address and the "eq port" comes after an address specification (after either the source or after the destination) and not before both of the addresses. Also if your access list is inbound on interface Ethernet 0 then telnet traffic to router 1 will have port 23 (telnet) as the destination port.
    There is an apparent difference between your list and their list but it does not matter. You specify 192.168.134.0/24 as the source address and they specify any as the source address. Since the network explanation indicates that 192.168.134.0 is the only network behind E 0 the effect of the access lists does not change between the two source address specifications.
    I agree with Kevin that there does not appear to be a lot of effective proof reading of this material. I have taught Cisco classes and I have written training material and I appreciate that this is difficult to do. But it is highly unfortunate and lowers the credibility of the material (and their source) when these kinds of mistakes are apparent.
    HTH
    Rick

  • Adding a new LAN segment

    Hi,
    Currently I only have 1 Cisco 2600 router, which connects serially to a leased line device, with an Ethernet port that connects to my LAN.
    Currently, I would like to add a new LAN segment (different network) to my LAN.
    My idea is to get a new Cisco router that has 1 serial interface (connects to the old 2600 router ) and 2 Ethernet interfaces (connects to the old LAN segment and the new LAN segment respectively). However, my old router does not have anymore serial port.
    What can I do to solve this? Any input is welcomed

    Hi,
    I am Rajesh Sindhu.
    If your LAN is logically in multiple segments, then to solve your situation we can have two sub-interfaces on the Ethernet port of the router. Then we have to add both ports in static routes also.
    This way we can route traffic between both LAN segments as well as towards the WAN.
    If your second LAN is also on a different physical segment, then we have to uplink that aggregation nearest to the point of interconnection between the router and LAN, say on the switch directly connected to the router.
    Please update if I am not correct.
    Thanks & Regards

  • Question about spinning ball issues and OS reinstall.

    I have a late 2008 white MacBook running Lion.  A while back I was having problems with the spinning beach ball appearing anytime I tried to change between apps or websites.  I had tried the command+r on bootup, terminal, passwordreset tip to repair the permissions and ACLs.  It fixed the issue for a day or two, but that is all.  I ended up making the decision to back up my information and reinstall the software.  Somehow after the reinstall when I went to restore my data I ended up with two separate user accounts (one was the backup).  It really is a pain in the butt to have to switch back and forth between accounts when I need to look for an old file.
    Anyway, I am having the same problem again.  I never had an issue with my MacBook until I installed Lion.  I've gone into the boot menu twice so far today to repair the permissions and ACLs and now I need to do it again.  I want to try another OS reinstall, but I was wondering if anyone knew of a way to merge the two user accounts first so that I don't end up with two or three accounts after everything is said and done.  I've tried to figure it out myself, but I've not had much luck.

    Yeah, I've used the repair utility in the recovery menu.  Sometimes when I repair the disk and run it a couple of times I find that the second time there will be even more errors than before. 
    That sounds like you're doing repair permissions. There are certain permissions that will always show when you repair permissions, and are not an error. See this Apple note listing them.
    A repair disk, which is different than repairing permissions, should not yield any error messages. If it does, you have an issue(s) that needs to be fixed. You should go back and do a repair disk. It should give you some statistics then tell you everything is OK, or give you error message(s).
    Part of your spinning beach ball problem may be your 2GB of memory. Consider upgrading using either OWC or Crucial memory, both which work well in macs.  A 4GB upgrade (2 x 2GB) can run $20 to $60.

  • TSeries LAN connection issues across fibre link

    I have some LAN connection issues when getting DHCP or even assigning a static IP to a T61 laptop. It doesn't get DHCP IP settings dynamically, and if given a static one, it can't ping any system on the network nor can systems ping it. DHCP is at the main site and this laptop is at a remote site. The link between sites is fibre. All other systems at the remote site where the laptop is get their DHCP settings as normal. If I bring the laptop from the remote site to the main site and plug in the cable it gets DHCP normally, but at the remote site it doesn't, so I know the LAN adapter is good. What is wrong? What across the WAN link is preventing it, seeing that all other systems at the remote site get their settings fine? Thanks in advance.

    I was able to resolve the problem. "The following CLI commands have been added to allow devices that do not understand the controller's proxy Address Resolution Protocol (ARP) response without a minimum packet size of 60 bytes to communicate with the controller: show advanced dot11-padding, config advanced dot11-padding enable"

  • 2 AD Site LAN Segment of DAG

    Hi All,
    I have the below setup of DAG already in place….
    AD site:           NDC                  SDC
    DNS:               DNS1 (10.0.0.1)      DNS1 (10.0.1.1)
    Mailbox servers:   NMBX1 (10.0.0.2)     SMBX1 (10.0.1.2)
                       NMBX2 (10.0.0.3)     SMBX2 (10.0.1.3)
    Subnet Mask : 255.255.252.0 (for all above 4 nodes)  
    Default Gateway : 10.0.0.4 (for all above 4 nodes)
    DAG name : DAG1.domain.com which is stretched between two sites (NDC and SDC)
    DAG IP address : 10.0.0.5
    As per my understanding this is a single LAN segment which has stretched to both site.
    Problem: Considering the site resilience scenario, when I tried to add another IP address (10.0.1.5) to the DAG, it was added, but it is not updated in Failover Cluster Manager > Cluster core resources.
    There it is showing a single IP address 10.0.0.5
    As per me it is not showing because of a single LAN segment.
    Thanks in advance NKumar

    As I said above, do not try to modify your Exchange DAG in the Failover Cluster Manager - you will break things if you "succeed".
    What information do you get when you run the following command in the Exchange shell?
    Get-DatabaseAvailabilityGroup | Fl name, DatabaseAvailabilityGroupIpAddresses
    If you see two IP addresses displayed in the DatabaseAvailabilityGroupIpAddresses field, your DAG will be able to use that second IP address - even if Failover Cluster Manager doesn't see it, the DAG will be able to use it. You will probably need to add a second DNS record so other systems can use it, but the DAG will already have it available.

  • Routing Experts please help with below LAN routing issue with NAT

    Hello Experts,
    I have a weird situation and requirement.
    The existing setup is -
    We have an email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with the respective port numbers 89 and 443. We have the LAN and servers on the same subnet. The Internet connection has a public DHCP IP assigned by the ISP (/29). We use the Linksys router GUI for NAT settings (attached). We are using the same public IP for the server NAT and the user NAT.
    We tried to refresh our network by separating the subnets for LAN users and servers. We used a Cisco 3845 router to create sub-interfaces in the LAN and configured the respective subnets. Now both the user subnet and the server subnet connect to the Internet with the same public IP (static NAT for servers and dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However, the user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
    Please find attached a short diagram and the configuration below, and please give your inputs to solve this.
    Cisco 3845 router
    access-list 1 permit 10.155.60.0 0.0.0.255
    access-list 2 permit 10.155.61.0 0.0.0.255
    access-list 3 permit 10.155.62.0 0.0.0.255
    ip nat inside source list 1 int g0/0 overload
    ip nat inside source list 2 int g0/0 overload
    ip nat inside source list 3 int g0/0 overload
    int g0/0
    ip add 8.8.8.8 255.255.255.248
    ip nat outside
    no shut
    int g0/1
    description Trunk-to-Switch
    no shut
    int g0/1.60
    description User vlan
    ip add 10.155.60.1 255.255.255.0
    encapsulation dot1q 60
    ip nat inside
    int g0/1.62
    description Server vlan
    ip add 10.155.62.1 255.255.255.0
    encapsulation dot1q 62
    ip nat inside
    exit
    aaa new-model
    aaa authentication login default local
    aaa authentication login vpn_xauth_ml_1 local
    aaa authentication login sslvpn local
    aaa authorization network vpn_group_ml_1 local
    aaa session-id common
    acl 120
    max-users 10
    exit
    !access-list 120 remark ==[Cisco VPN Users]==
    access-list 120 permit ip any host 192.168.0.10
    access-list 120 permit ip any host 192.168.0.11
    access-list 120 permit ip any host 192.168.0.12
    access-list 120 permit ip any host 192.168.0.13
    access-list 120 permit ip any host 192.168.0.14
    access-list 120 permit ip any host 192.168.0.15
    access-list 120 permit ip any host 192.168.0.16
    access-list 120 permit ip any host 192.168.0.17
    access-list 120 permit ip any host 192.168.0.18
    access-list 120 permit ip any host 192.168.0.19
    no access-list 100
    access-list 100 remark [Deny NAT for VPN Clients]=-
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
    access-list 100 remark
    access-list 100 remark -=[Internet NAT Service]=-
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    exit
    ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
    ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
    ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:/cme-gui-7.1.0.1
    file privilege 0
    telephony-service
    dn-webedit
    time-webedit
    transport input ssh
    line con 0
    line vty 0 15
    login local
    ntp server ntp.first2know.net
    clock timezone gmt 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    ntp update-calendar
    ntp master
    =========================================================================================================================================
    Cisco 3750 Config;
    vlan 60
    name User
    vlan 61
    name Voice
    vlan 62
    name Server
    exit
    interface g1/0/1
    description Trunk-to-Router
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast trunk
    interface vlan 60
    description User Vlan
    ip add 10.155.60.2 255.255.255.0
    interface vlan 61
    description Voice Vlan
    ip add 10.155.61.2 255.255.255.0
    interface vlan 62
    description Server Vlan
    ip add 10.155.62.2 255.255.255.0
    service dhcp
    ip dhcp pool Users
    network 10.155.60.0 255.255.255.0
    default-router 10.155.60.1
    dns server 4.2.2.2
    ip dhcp pool Voice
    network 10.155.61.0 255.255.255.0
    dns server 4.2.2.2
    exit
    ip dhcp excluded-address 10.155.60.1 10.155.60.2 10.155.60.3
    ip dhcp excluded-address 10.155.61.1 10.155.61.2
    interface range g1/0/2 - 1/0/21
    switchport mode access
    switchport access vlan 60
    switchport access vlan 61
    exit
    exit
    interface range g1/0/22 - 1/0/26
    switchport mode access
    switchport access vlan 62
    exit
    Thanks,
    Deepak
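As an added review aid (not part of Deepak's post or the device configuration), here is a small Python parser for the `ip nat inside source static` lines above that flags management and file-sharing services published on the public address, and ports that are remapped between inside and outside. The sample lines are constructed from the posted entries; 8.8.8.8 stands in for the real public IP exactly as it does in the post.

```python
import re

# Constructed sample in the same "ip nat inside source static" format as the 3845
# config above (a subset of the posted entries plus one non-static line to show it is ignored).
SAMPLE_CONFIG = """
ip nat inside source list 1 int g0/0 overload
ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
""".strip().splitlines()

# Services that should not normally be published on a public address.
RISKY_PORTS = {21: "FTP", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")


def parse_static_nat(lines):
    """Parse static port-forward lines into dicts; other NAT lines are skipped."""
    entries = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        proto, in_ip, in_port, out_ip, out_port = m.groups()
        entries.append({"proto": proto, "inside_ip": in_ip,
                        "inside_port": int(in_port), "outside_ip": out_ip,
                        "outside_port": int(out_port)})
    return entries


def audit_static_nat(entries):
    """Return one finding per exposed risky service and per remapped port."""
    findings = []
    for e in entries:
        name = RISKY_PORTS.get(e["outside_port"])
        if name:
            findings.append(f"{e['proto']}/{e['outside_port']} ({name}) on "
                            f"{e['outside_ip']} is published from {e['inside_ip']}")
        if e["inside_port"] != e["outside_port"]:
            findings.append(f"{e['proto']}/{e['outside_port']} is remapped to "
                            f"{e['inside_ip']}:{e['inside_port']}")
    return findings


if __name__ == "__main__":
    for finding in audit_static_nat(parse_static_nat(SAMPLE_CONFIG)):
        print(finding)
```

The inside users' symptom is a separate matter: a packet arriving on an `ip nat inside` interface addressed to 8.8.8.8 is only eligible for inside-source translation, so it is forwarded out g0/0 rather than to the server. Clients on VLAN 60 should reach the server by its 10.155.62.x address (for example via split DNS).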

    One more thing I should clarify: the route I am putting into the 10.10.1.9 server is
    route add 10.1.6.0 mask 255.255.255.0 10.10.1.250, which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 force all traffic to 10.10.1.250.
    Thanks in advance.

  • ACL Question in Weblogic

    Hi,
    From the Weblogic documentation, it mentions that the ACL only works on file realms.
    Can it apply to a directory like http://www.bea.com/*?
    Here is what I need to do:
    http://www.bea.com:7001 is free to access,
    but http://www.bea.com:7001/administrator or http://www.bea.com:7001/test can
    only be accessed from a certain IP range or VPN.
    Can it be done by Weblogic? Or do I need to build my own HTTP proxy?
    Furthermore, I saw that Weblogic also supports a UNIX Security Realm; does that mean
    that I can allow only defined UNIX users to access certain directories or files?
    By the way, I am using Weblogic 6.1.
    Thanks a lot!!

    Hi Jon,
    Your issue should be raised with BEA support. With regard to your second issue:
    "and this be included in the documentation outlining the
    responsibilities for implementing a custom realm."
    You should raise this as an enhancement either via the support channels or via
    [email protected]
    Kind Regards,
    Richard Wallace.
    Senior Developer Relations Engineer.
    BEA Support.
    "Jon Wilmoth" <[email protected]> wrote:
    I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2 realm (implementing the ManageableRealm interface) for users and groups and delegates to an RDBMS delegate for aclentry management. I read an earlier post about revoking a permission which requires a custom realm to augment the weblogic.security.acl.AclImpl class. My question is similar in nature.
    In a situation where a positive AclEntry needs to be changed to a negative entry, what are the requirements imposed on the custom realm implementer? Do I need to worry about the checkPermission call on the Acl implementation? On the AclEntry implementation? Is there a BEA recommended path similar to that for revoking permissions?
    I would also recommend that the BEA responses to the revoking permissions post and this be included in the documentation outlining the responsibilities for implementing a custom realm.
    Thanks!
    Jon
    Jon Wilmoth
    Software Architect
    eSage Group
    (206) 264-5675 (Voice & Fax)
    [email protected]
    http://www.esagegroup.com

  • Vlan/ACL question

    I am in the process of getting my guest access set up on my network and I have a couple of questions.
    1) On my L3 switch I currently have the switch port with the command line switchport access vlan 2 for my current wireless network. I am looking to add vlan 3 for the guest wireless access. Should I add/change that line to switchport trunk allowed vlan 2,3 for each port I have my APs plugged into?
    2) I am having issues with my ACLs. All I want my guest vlan to do is go to the Internet, nothing more. Is it better to place this ACL on the WLC, L3 switch or ASA? When I try it on the WLC, even when I deny ICMP both ways, I am still able to ping, and I do have the ACL applied to the interface.
    Thanks,
    Jim

    If your APs are in local mode you won't need to change the port, as the traffic is ingress/egress at the WLC. So long as VLAN 3 is allowed there it will be fine.
    As for the ACL, I'd put it on the Layer 3 interface of the switch/router.
    Steve
    Sent from Cisco Technical Support iPhone App

  • LAN connection issue

    Hello-
    Enjoying my new K330, but I do have one issue: upon first boot, the LAN (built-in) will not connect. After a reboot, it will then connect. I have installed the latest driver, but I still have to disable/enable the LAN to get it to 'wake up'.
    Any ideas/ suggestions? THANKS!

    It might be an issue with drivers. I suggest you uninstall the LAN driver from the Device Manager and then install the driver from the below mentioned web link according to your Operating System.
    Windows 7 32-bit: http://consumersupport.lenovo.com/in/en/driversdownloads/Drivers_Show_4002.html
    Windows 7 64-bit: http://consumersupport.lenovo.com/in/en/driversdownloads/Drivers_Show_4003.html
    Windows XP: http://consumersupport.lenovo.com/in/en/driversdownloads/Drivers_Show_4090.html
    Also update the BIOS from the below mentioned web link.
    http://consumersupport.lenovo.com/in/en/driversdownloads/Drivers_Show_4140.html
    Please check the issue after reinstalling the drivers and updating the BIOS.
    Regards,
    Harish

  • 2008 imac - beachball lock ups and no-boot 'question mark in file' issue

    Firstly, apologies, I am new to this forum. I am a happy iMac user (2008), but recently my iMac is freezing in use and/or failing to boot on startup; the grey screen shows for a bit and then a file with a question mark in it. This now happens frequently and I find myself having to wait hours before my Mac will boot. I have looked through forum responses and tried the disk repair utility, but that showed no problems other than repairing a few permissions. I also downloaded and ran EtreCheck, but again nothing obvious, although I'll readily concede I don't really know what I'm looking for. Before I sadly head off on a long journey to a Genius Bar appointment, maybe for a new hard drive, can anyone suggest anything please? All advice welcome. Thank you

    Hi triffiid,
    I'm sorry to hear about the issues you've been having with your Mac. If you are currently booting to a grey screen with a flashing question mark, you may find the troubleshooting steps outlined in the following article helpful (apologies if you have already seen it):
    Mac OS X: Gray screen appears during startup
    http://support.apple.com/kb/ts2570
    Regards,
    - Brenden
