ACS Database Replication over VPN with overlapping Network Addresses

We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnel.
As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
Has any one of you faced this problem of replicating the ACS database over the VPN with overlapping network addresses, and was anyone able to successfully solve this issue using a workaround?
All provided info and comments are greatly appreciated.

I can help with the 3005 setup if you decide to go that route.
You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
You will need to configure a local and remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
You will also need to add a NAT LAN-to-LAN rule under Configuration>Policy Management>Traffic Management>NAT>LAN to LAN.
Use a static NAT type. The rest will look similar to my example.
Source (local address), Translated (public IP address used in the local network list), Remote (IP address of the device on the other end)
Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on DES type and auth type. Use the local and remote networks you created earlier.

Similar Messages

  • Site to Site VPN with Overlapping network and other network Access..

    Hi all,
    I need to set up a site-to-site tunnel to a remote site. My remote site has a network which overlaps with one of our networks (192.168.10.0/24) at my site. The remote site doesn't need to access this network (192.168.10.0/24) at my site, but they have to access other networks (192.168.x.0).
    I have prepared the below configuration, relevant to NAT, to achieve the goal. Appreciate help to verify and help to achieve this...
    I have attached one rough diagram also.
    Mysite
    access-list acl-httsamorocco extended permit ip 192.168.73.0 255.255.255.0 192.168.74.0 255.255.255.0
    access-list nonat extended permit ip 192.168.x.0 255.255.255.0 192.168.74.0 255.255.255.0
    access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.74.0 255.255.255.0
    static (inside,outside) 192.168.73.0  access-list policy-nat
    Remote Site
    access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
    static (inside,outside) 192.168.74.0  access-list policy-nat
    Thanks in Advance..
    Shanil

    It has to be configured on both sides.
    X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users, you should include the destinations in the DNS so that they never need the destination IP.
    On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static command. You'll find an example here:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Site-to-site VPN with overlapped subnet.

    Hi Friends
    I have to set up a site-to-site VPN with overlapped networks between an ASA 5540 and a Checkpoint. What is the best practice to achieve this goal?
    Thanks in advance

    It has to be configured on both sides.
    X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users, you should include the destinations in the DNS so that they never need the destination IP.
    On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static command. You'll find an example here:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
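The "hide A behind X, hide B behind Y" scheme from the two replies above, written out as an added example of ASA configuration for both ends (this is not the linked Cisco document's text and not the poster's own config). It assumes the pre-8.3 `static ... access-list` policy NAT form that the first question in this list uses, a real LAN of 172.16.1.0/24 at both sites, and hypothetical unused networks X = 10.10.10.0/24 and Y = 10.20.20.0/24; the peer addresses 203.0.113.1 and 198.51.100.1 are RFC 5737 documentation addresses, and the pre-shared key is a placeholder. Site B is the mirror image of site A.

```cisco
! ===== Site A ASA (real LAN 172.16.1.0/24, shown to site B as X = 10.10.10.0/24) =====
! Assumed values: X, Y and both peer addresses are examples, not from the thread.
!
! Policy NAT: only when a site-A host talks to Y is it translated to X.
! Order of operations on pre-8.3 ASA: NAT happens BEFORE encryption, so the
! crypto ACL below must match the translated (X -> Y) addresses, not the real ones.
access-list policy-nat-to-B extended permit ip 172.16.1.0 255.255.255.0 10.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.0 access-list policy-nat-to-B
!
! Caveat: a NAT-exemption ACL (nat (inside) 0 access-list ...) is evaluated before
! static policy NAT. If your nonat ACL also matches 172.16.1.0/24 -> 10.20.20.0/24,
! the exemption wins, no translation happens, and the tunnel never comes up.
!
! Crypto ACL in post-NAT terms: X -> Y.
access-list crypto-to-B extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address crypto-to-B
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <strong-pre-shared-key>
!
! ===== Site B ASA (real LAN 172.16.1.0/24, shown to site A as Y = 10.20.20.0/24) =====
access-list policy-nat-to-A extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 10.20.20.0 access-list policy-nat-to-A
access-list crypto-to-A extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address crypto-to-A
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <strong-pre-shared-key>
!
! Verification from site A, once a host sends traffic to a 10.20.20.x address:
!   show xlate                -> 172.16.1.x translated to 10.10.10.x
!   show crypto ipsec sa      -> local ident 10.10.10.0/24, remote ident 10.20.20.0/24
!   packet-tracer input inside tcp 172.16.1.10 1025 10.20.20.10 80
```

Users at site A address site-B hosts as 10.20.20.x and users at site B address site-A hosts as 10.10.10.x, so publish those translated addresses in each site's DNS as the reply suggests. Note that this is exactly the kind of translation the ACS replication question at the top of the page cannot tolerate: the secondary ACS would see the primary arrive from an X address rather than its real address, so this pattern solves ordinary host-to-host access across overlapping subnets, not ACS-to-ACS replication.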

  • Router to Router VPN with Overlapping internal networks

    Hello Experts,
    One quick question. How do I configure a router-to-router VPN with overlapping internal networks?
    Both of my internal networks have the IP address range 192.168.10.0 and 192.168.10.0.
    Any link or config will be appreciated. I've been looking but no luck.
    Thanks,
    Randall

    Randall,
    Please refer the below URL for configuration details:
    Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
    Let me know if it helps.
    Regards,
    Arul
    ** Please rate all helpful posts **

  • ACS Database Replication

    I have 2 ACS servers:
    - ACS Appliance (v4.0)
    - ACS Server for Windows (v3.0)
    I want to design the ACS Appliance as primary and the ACS for Windows as secondary.
    I know the method for ACS database replication.
    Thanks
    cheolhyeon

    Hello Hanwu
    Please send a screenshot of the replication page from the primary server.
    thanks
    Devashree

  • Are multiple database calls really significant with a network call for a web API?

    At one of my employers, we worked on a REST (but it also applies to SOAP) API. The client, which is the application UI, would make calls over the web (LAN in typical production deployments) to the API. The API would make calls to the database.
    One theme that recurs in our discussions is performance: some people on the team believe that you should not have multiple database calls (usually reads) from a single API call because of performance; you should optimize them so that each API call has only (exactly) one database call.
    But is that really important? Consider that the UI has to make a network call to the API; that's pretty big (order of magnitude of milliseconds). Databases are optimized to keep things in memory and execute reads very, very quickly (eg. SQL Server loads and keeps everything in RAM and consumes almost all your free RAM if it can).
    TLDR: Is it really significant to worry about multiple database calls when we are already making a network call over the LAN? If so, why?
    To be clear, I'm talking about order of magnitude -- I know that it depends on specifics (machine hardware, choice of API and DB, etc.) If I have a call that takes O(milliseconds), does optimizing for DB calls that take an order of magnitude less, actually matter? Or is there more to the problem than this?
    Edit: for posterity, I think it's quite ridiculous to make claims that we need to improve performance by combining database calls under these circumstances -- especially with a lack of profiling. However, it's not my decision whether we do this or not; I want to know what the rationale is behind thinking this is a correct way of optimizing web API calls.

    But is that really important? Consider that the UI has to make a network call to the API; that's pretty big (order of magnitude of milliseconds). Databases are optimized to keep things in memory and execute reads very, very quickly (eg. SQL Server loads and keeps everything in RAM and consumes almost all your free RAM if it can).
    The Logic
    In theory, you are correct. However, there are a few flaws with this rationale:
    From what you stated, it's unclear if you actually tested / profiled your app. In other words, do you actually know that the network transfers from the app to the API are the slowest component? Because that is intuitive, it is easy to assume that it is. However, when discussing performance, you should never assume. At my employer, I am the performance lead. When I first joined, people kept talking about CDNs, replication, etc. based on intuition about what the bottlenecks must be. Turns out, our biggest performance problems were poorly performing database queries.
    You are saying that because databases are good at retrieving data, that the database is necessarily running at peak performance, is being used optimally, and there is nothing that can be done to improve it. In other words, databases are designed to be fast, so I should never have to worry about it. Another dangerous line of thinking. That's like saying a car is meant to move quickly, so I don't need to change the oil.
    This way of thinking assumes a single process at a time, or put another way, no concurrency. It assumes that one request cannot influence another request's performance. Resources are shared, such as disk I/O, network bandwidth, connection pools, memory, CPU cycles, etc. Therefore, reducing one database call's use of a shared resource can prevent it from causing other requests to slow down. When I first joined my current employer, management believed that tuning a 3 second database query was a waste of time. 3 seconds is so little, why waste time on it? Wouldn't we be better off with a CDN or compression or something else? But if I can make a 3 second query run in 1 second, say by adding an index, that is 2/3 less blocking, 2/3 less time spent occupying a thread, and more importantly, less data read from disk, which means less data flushed out of the in-RAM cache.
    The Theory
    There is a common conception that software performance is simply about speed.
    From a purely speed perspective, you are right. A system is only as fast as its slowest component. If you have profiled your code and found that the Internet is the slowest component, then everything else is obviously not the slowest part.
    However, given the above, I hope you can see how resource contention, lack of indexing, poorly written code, etc. can create surprising differences in performance.
    The Assumptions
    One last thing. You mentioned that a database call should be cheap compared to a network call from the app to the API. But you also mentioned that the app and the API servers are in the same LAN. Therefore, aren't both of them comparable as network calls? In other words, why are you assuming that the API transfer is orders of magnitude slower than the database transfer when they both have the same available bandwidth? Of course the protocols and data structures are different, I get that, but I dispute the assumption that they are orders of magnitude different.
    Where it gets murky
    This whole question is about "multiple" versus "single" database calls. But it's unclear how many are multiple. Because of what I said above, as a general rule of thumb, I recommend making as few database calls as necessary. But that is only a rule of thumb.
    Here is why:
    Databases are great at reading data. They are storage engines. However, your business logic lives in your application. If you make a rule that every API call results in exactly one database call, then your business logic may end up in the database. Maybe that is ok. A lot of systems do that. But some don't. It's about flexibility.
    Sometimes to achieve good decoupling, you want to have 2 database calls separated. For example, perhaps every HTTP request is routed through a generic security filter which validates from the DB that the user has the right access rights. If they do, proceed to execute the appropriate function for that URL. That function may interact with the database.
    Calling the database in a loop. This is why I asked how many is multiple. In the example above, you would have 2 database calls. 2 is fine. 3 may be fine. N is not fine. If you call the database in a loop, you have now made performance linear, which means it will take longer the more that is in the loop's input. So categorically saying that the API network time is the slowest completely overlooks anomalies like 1% of your traffic taking a long time due to a not-yet-discovered loop that calls the database 10,000 times.
    Sometimes there are things your app is better at, like some complex calculations. You may need to read some data from the database, do some calculations, then based on the results, pass a parameter to a second database call (maybe to write some results). If you combine those into a single call (like a stored procedure) just for the sake of only calling the database once, you have forced yourself to use the database for something which the app server might be better at.
    Load balancing: You have 1 database (presumably) and multiple load balanced application servers. Therefore, the more work the app does and the less the database does, the easier it is to scale because it's generally easier to add an app server than set up database replication. Based on the previous bullet point, it may make sense to run a SQL query, then do all the calculations in the application, which is distributed across multiple servers, and then write the results when finished. This could give better throughput (even if the overall transaction time is the same).
    TL;DR
    TLDR: Is it really significant to worry about multiple database calls when we are already making a network call over the LAN? If so, why?
    Yes, but only to a certain extent. You should try to minimize the number of database calls when practical, but don't combine calls which have nothing to do with each other just for the sake of combining them. Also, avoid calling the database in a loop at all costs.

  • VPN with 2 network cards - vpn clients cannot see LAN.

    Problem: When a VPN client connects they can only access the server and not any LAN computers. Unable to even ping the LAN computers. The VPN client machine connects via PPTP and receives the appropriate IP address but the subnet mask field is blank. The router is being set to 192.168.1.2
    Here's my network setup:
    en0: (external) IP: 192.168.1.2 and is connected to aDSL modem (192.168.1.1)
    en1: (internal net) IP: 192.168.2.1
    The internal en1 network range is: 192.168.2.2 - 192.168.2.25
    The VPN range being handed out is: 192.168.2.26 - 192.168.2.30
    VPN client machines are able to fully interact with the server, just cannot reach any LAN computers.
    Any ideas??
    XServe Mac OS X (10.4.9) Various Intel laptops and G5/G4 Lan machines

    >The network address at the vpn client location is not 192.168.2.0/24. The vpn client has a public IP.
    So you're saying that your client system has a 192.168.2.x address, and that's also the address range you're using behind the VPN?
    That won't work.
    You now have two 192.168.2.x networks - one local to the client and one over the VPN.
    Normal routing rules dictate that the local connection will always take priority over the remote connection, so the client will look on the local LAN for anything in the 192.168.2.x range, completely ignoring the VPN.
    If you think about it, your machine is told that it has two paths to get to anything in the 192.168.2.x network, either directly connected, or across the VPN connection. Given the choice, which one do you think you'd take?
    The only real solution here is to use a different subnet at each end of the link - either change the client network to something else, or change the internal corp network. If you don't do that you'll have to set up host-based routes (one per system over the VPN) that overrides the local routing table (assuming that's even possible... I'd have to think about it).

  • ACS Database Replication between SE and Windows

    I currently have 2 Windows ACS servers (4.0.1.27) in production and replicating databases. I also have a solution engine (appliance) running 4.1.4.13.7. I plan to upgrade the Windows ACS servers to 4.1.4.13.7 (same as the SE). I know that the software versions have to match for replication to work. Recently, I received conflicting information about database replication. I was told that a ACS SE (solution engine 1113) can not replicate to a Windows ACS server, even if the software versions match. Before I change my production environment, I thought would seek out additional input.

    Yes, you can replicate ACS for Windows with the ACS appliance. It works fine.
    Regards,
    ~JG

  • ASA 5505 Site-to-Site VPN with multiple networks

    Hi,
    I have 2 Cisco ASAs 5505 in the different places with a created connection Site-to-Site VPN. It’s working fine in the networks where they are (10.1.1.0/24 and 10.2.1.0/24 respectively).
    Additionally to the ASA1 are connected two subnets: 10.1.2.0/24 and 10.1.3.0/24 and the ASA2 is connected to one subnet: 10.2.2.0/24
    A problem is when I’m trying to get to a host in the subnet behind the ASA2 from the subnet behind the ASA1  and vice versa.
    Any help would be greatly appreciated.

    It's all about the crypto ACL. You have to combine all networks behind ASA1 with all networks behind ASA2. You can use object-groups for that to handle it. What's the config of your crypto ACL?
    Sent from Cisco Technical Support iPad App
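The crypto ACL built from object-groups that the reply above recommends, written out as an added example for the two ASA 5505s in the question (example configuration, not the poster's config). It assumes the pre-8.3 `nat 0 access-list` exemption form used elsewhere on this page, that the extra subnets sit behind an internal router at 10.1.1.254 / 10.2.1.254 (assumed next hops), and that a crypto map named outside_map already exists on each ASA. ASA2 is the mirror image of ASA1.

```cisco
! ===== ASA1: 10.1.1.0/24 directly attached, 10.1.2.0/24 and 10.1.3.0/24 behind it =====
object-group network ASA1-LANS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network ASA2-LANS
 network-object 10.2.1.0 255.255.255.0
 network-object 10.2.2.0 255.255.255.0
!
! Crypto ACL: every ASA1 network to every ASA2 network. The ASA expands this to
! 3 x 2 = 6 ACEs, and each pair gets its own IPsec SA. Both peers must agree on
! the same set of pairs (mirror image), or phase 2 fails with a proxy-identity mismatch.
access-list outside_cryptomap extended permit ip object-group ASA1-LANS object-group ASA2-LANS
!
! NAT exemption must cover the same pairs; otherwise the 10.1.2.x / 10.1.3.x traffic is
! PATed to the outside address first and never matches the crypto ACL.
access-list nonat extended permit ip object-group ASA1-LANS object-group ASA2-LANS
nat (inside) 0 access-list nonat
!
! The ASA also needs routes for the subnets it does not own (assumed next hop 10.1.1.254),
! and that internal router needs a route for 10.2.0.0/16 pointing back at the ASA's inside
! address, or return traffic for 10.2.2.x is dropped before it reaches the tunnel.
route inside 10.1.2.0 255.255.255.0 10.1.1.254
route inside 10.1.3.0 255.255.255.0 10.1.1.254
!
crypto map outside_map 10 match address outside_cryptomap
!
! ===== ASA2: 10.2.1.0/24 directly attached, 10.2.2.0/24 behind it =====
object-group network ASA1-LANS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network ASA2-LANS
 network-object 10.2.1.0 255.255.255.0
 network-object 10.2.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group ASA2-LANS object-group ASA1-LANS
access-list nonat extended permit ip object-group ASA2-LANS object-group ASA1-LANS
nat (inside) 0 access-list nonat
route inside 10.2.2.0 255.255.255.0 10.2.1.254
crypto map outside_map 10 match address outside_cryptomap
!
! Checks on ASA1:
!   show access-list outside_cryptomap   -> six expanded ACEs, hit counts climbing
!   show crypto ipsec sa                 -> one SA per subnet pair, #pkts encaps/decaps both non-zero
!   packet-tracer input inside tcp 10.1.2.10 1025 10.2.2.10 80
```

Changing a crypto ACL on one side only is the usual cause of "works for the first subnet but not the others": the first pair still negotiates, the new pairs fail phase 2 because the peer has no matching entry. On 8.3 and later the exemption is expressed as twice NAT (`nat (inside,outside) source static ASA1-LANS ASA1-LANS destination static ASA2-LANS ASA2-LANS`) instead of `nat 0 access-list`, but the crypto ACL stays the same.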

  • Lion Server VPN with 2 networks

    I hope someone has come across a similar problem to what I have had.
    I am having great difficulty trying to configure our OS X Lion Server (7.4) VPN service. The configuration I am trying to reach is one where we have an external IP for the server itself: a VPN configuration where we can use the external IP to get onto the VPN. When successfully on the VPN we would like to route all VPN traffic through the internal network. We are having difficulty with the source routing, so all traffic, when successfully authenticated onto the VPN, goes via VLAN0.
    I have used the guide:
    http://macminicolo.net/lionservervpn
    When on the VPN all internal network services should be available. But it seems to take the gateway of the public interface for all routing. I have tried adding routing entries with no luck
    Open to suggestion on how we can get this to successfully work. Thanks in advance.

    I am having a similar if not the same problem. What happens when you log in with the VPN is that instead of giving a proper route to the VPN network, a second "default route" is added.
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            172.16.200.1       UGSc          166        0     en0
    default            172.16.150.109     UGScI           0        0    ppp0
    69.27.134.89       172.16.200.1       UGHS            0        0     en0
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH              3       22     lo0
    169.254            link#4             UCS             0        0     en0
    172.16.150/23      ppp0               USc             1        0    ppp0
    172.16.150.109     172.16.150.5       UH              1        0    ppp0
    172.16.200/23      link#4             UCS             5        0     en0
    172.16.200.1       a0:21:b7:60:b:4e   UHLWIi        167      109     en0    845
    172.16.200.11      b8:ac:6f:ff:b6:66  UHLWIi          0      202     en0   1200
    172.16.200.20      127.0.0.1          UHS             0        0     lo0
    172.16.200.54      d8:30:62:6a:4f:4b  UHLWIi          0        0     en0    881
    172.16.201.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       32     en0
    I can add a manual route using:
    route add 172.16.0.0/23 172.16.150.9 and everything works fine. But if you disconnect the VPN and reconnect you also have to re-enter the route.
    BTW.... works fine from my Win7 PC.

  • About Secure ACS Database Replication configure

    hi
    I have installed the ACS and the ACS database has replicated completely.
    But when I made some changes, the primary ACS generated a *.csv file.
    This file can be replicated to the secondary ACS.
         THANKS

    Can you please clarify your issue? The post is not clear.
    Regards

  • Single Corporate SSID + Single Guest SSID across 200 sites over VPN with Flex Connect

    We have two main sites (East Building as DR + West Building as BDR) + 100 remote sites / all connection between the sites based on VPN / OSPF
    East building has 1 WLC 5508 with a license of 500 AP
    West building has 1 WLC 5508 with a license of 500 AP
    50 remote sites in East
    Each East remote site has 5 APs (AIR-LAP1142N + AIR-CAP2602I)
    Total AP in all the 50 remote site in East is 250 AP
    50 remote site in West
    Each West remote site has 5 APs (AIR-LAP1142N + AIR-CAP2602I)
    Total AP in all the 50 remote site in West is 250 AP
    Hardware available are:
    2 * WLC 5508
    2 * ACS 5.2
    Most of the switches that connect to the AP are 2960G
    All the AP are
    AIR-LAP1142N-E-K9
    AIR-CAP2602I-E-K9
    Requirements in Brief:-
    1 SSID for Internal user across all the sites
    1 SSID for Guest user across all the sites
    All IP for all the sites based on their local subnet
    All the remote sites need to be Flex connect
    The 2 WLC need to configure as failover
    Requirements in Details:-
    One Corporate ABC-SSID for all the sites
    One Guest ABC-SSID for all the sites
    The WLC in East building is the primary which control all the East remote site (250 AP)
    The WLC in West building is the secondary which control all the West remote site (250 AP)
    A fail over between the two WLC as below:
    If the WLC in east fail then all the AP in east (250 AP) will connect to WLC in West
    If the WLC in West fail then all the AP in west (250 AP) will connect to WLC in East
    Each Remote site behaving as Flex connect to reduce the overhead over the WAN/VPN
    Each site must have their own AP groups for the ease of management
    All the AP MGMT IP based on their local subnet
    Each remote site, West building, and East building must obtain their IP based on their local VLAN Example:- site-1 in East:
    Corporate ABC-SSID take 10.204.0.0/24
    Guest ABC-SSID take 192.168.0.0/24
    Example:- site-2 in East:
    Corporate ABC-SSID take 10.204.1.0/24
    Guest ABC-SSID take 192.168.1.0/24
    Example:- site-3 in East:
    Corporate ABC-SSID take 10.204.2.0/24
    Guest ABC-SSID take 192.168.2.0/24
    And so on…….
    Example:- site-1 in West:
    Corporate ABC-SSID take 10.204.100.0/24
    Guest ABC-SSID take 192.168.100.0/24
    Example:- site-2 in West:
    Corporate ABC-SSID take 10.204.101.0/24
    Guest ABC-SSID take 192.168.101.0/24
    Example:- site-3 in West:
    Corporate ABC-SSID take 10.204.102.0/24
    Guest ABC-SSID take 192.168.102.0/24
    And so on…….
    Reference that I found
    https://supportforums.cisco.com/thread/2039215
    Expert I'm really stuck here, so please any help will do.
    Thanks in advance

    What are you stuck on? What you have mentioned is possible.
    When you set up FlexConnect, and also when APs might fail over, you need to make sure that the WLAN IDs are in the same order in both WLCs. Also the AP Groups have to have the same information and have the same AP Group names and WLAN-to-VLAN mapping. So as long as the WLCs are configured exactly the same except for IP addresses and hostname, failover for FlexConnect will work fine.
    Now the FlexConnect WLAN-to-VLAN mapping is done on the access point itself. So each AP will have to be configured. AP Groups will not help here, as you can really just create one since you will have the same WLANs broadcasting at each site. You can make it simple though :) and this is a good tip.....
    If all your VLANs are the same in every site including your DR and BDR, then the WLAN-to-VLAN mapping will use the VLAN you have specified in the WLAN under the interface mapping. So if your corporate WLAN is mapped to interface VLAN 100, all your FlexConnect APs will have that mapping set to VLAN 100. If your guest WLAN is mapped to the VLAN 999 interface on the WLC, then the FlexConnect WLAN-to-VLAN mapping for the guest will be set to VLAN 999.
    Now if you have different VLAN IDs for each site, or it might be the same for some and not the others, well, you will have to touch each AP and configure the WLAN-to-VLAN mapping.
    The WLAN-to-VLAN mapping appears only when you have enabled FlexConnect local switching in the WLAN and you have the access point in FlexConnect mode.
    Sent from Cisco Technical Support iPhone App

  • SMB Extremely Slow over VPN With Windows Server 2003

    Hello everyone,
    I finally convinced another person at my law firm to switch to a MacBook Pro. In preparation, I am attempting to fix any compatibility problems that would put off this new user. Unfortunately, our IT guy recently switched us to a Sonicwall SSL-VPN 200. I can connect to our server through the VPN client with no problems and I can mount our internal file server, but the connection is incredibly slow. My initial reaction was that it must be a problem with Windows Server 2003 and SMB, but I was previously able to connect to and operate on our VPN through our old Fortinet (ipsec) device with no problems. Simply put, directory switching, file moving, etc. are all now incredibly slow over the VPN. Help!

    Full support for SMB signing did not appear until Samba 3.0.2 released in 2004. Mac OS X 10.5 (Leopard) supports SMB signing. Previous versions require either disabling SMB signing server-side, using a third party SMB client, using the command-line smbclient program, or updating samba yourself.

  • VPN with overlapping addresses

    Hi
    An ISP needs to make VPN tunnels to four customers, so they can get data from a common server placed at the ISP.
    Customers A, B & C are working well, but the new customer D is using the same private network as the ISP, and will not accept changing their network, nor will they accept putting some NAT in their router.
    They already NAT their private network range to an official network.
    The ISP is using a Cisco 1841 router for the project, but is ready to change to a PIX firewall or a VPN 3005 Concentrator if that's what's needed.
    Could any kind person please help me with this scenario.
    I have published the scenario in graphics here: http://www.z28.dk/vpn.htm
    The configuration I’m using for now can be found at: http://www.z28.dk/conf.htm
    Best regards
    R.B.P.

    I can help with the 3005 setup if you decide to go that route.
    You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
    You will need to configure a local and remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
    You will also need to add a NAT LAN-to-LAN rule under Configuration>Policy Management>Traffic Management>NAT>LAN to LAN.
    Use a static NAT type. The rest will look similar to my example.
    Source (local address), Translated (public IP address used in the local network list), Remote (IP address of the device on the other end)
    Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on DES type and auth type. Use the local and remote networks you created earlier.

  • Database Replication over the internet through firewall

    We installed a database link between two Oracle databases. Does anybody know on which TCP port it communicates? I know only about port 1521. The problem is that we have a firewall between the computers and we need to enable Oracle communication between them.

    I think SQL*Net uses port 1525.
