Administrative prohibition

Hey people.
I keep getting this error all the time
The server response was: Administrative prohibition
Use the pop-up menu below to try a different outgoing mail server. All messages will use this server until you quit Mail or change your network settings.
Message from: [email protected] <[email protected]>
Sometimes my mail will work, other times it won't. Can you please help me?

Thanks Jim.
1. No other user in mydomain.org can send to this DL
2. The DL doesn't exist in fakedomain.com, only in mydomain.org
3. Yes, we can send to another DL that is in fakedomain.org
More info – the fakedomain.org DL is inside another DL that has a mydomain.org address – group within a group. We’ve replicated the scenario to another domain and it works.
So,
[email protected] has user email addresses in it from fakedomain.org. [email protected] is inside [email protected]. When we send emails to [email protected], the users in [email protected] do not receive the message. And there is no sender on the message.
If we put the individual email addresses directly into [email protected], the end users get the message.
I've contacted the fakedomain.org admin and there isn't much they can do since there is no sender on the message, their Exchange server rejects it.
Clear as mud?
Kent

Similar Messages

  • An error occurred while sending mail. The mail server responded: Administrative prohibition. Please check the message and try again.

    An error occurred while sending mail. The mail server responded: Administrative prohibition. Please check the message and try again.
    Sometimes it says it's spam also.

    The error message is being generated by your email provider's server. Best to ask them what they do not like about your messages and how to solve the problem.

  • Simple ssh forward administratively prohibited: open failed

    I'm trying to use ssh -L on a solaris 10 command line, as follows:
    ssh -v -L 1521:dbmachine:1521 login@solaris10machine
    This connects to solaris10machine using password authentication and indicates the following (where I've replaced the dbmachine address with <dbmachine>):
    debug1: Authentication succeeded (keyboard-interactive)
    debug1: Connections to local port 1521 forwarded to remote address <dbmachine>:1521
    debug1: Local forwarding listening on ::1 port 1521.
    bind: Cannot assign requested address
    debug1: Local forwarding listening on 127.0.0.1 port 1521.
    Then, when trying to access 127.0.0.1 port 1521, I get the following:
    debug1: Connection to port 1521 forwarding to <dbmachine> port 1521 requested.
    debug1: fd 9 setting TCP_NODELAY
    debug1: channel 2: new [direct-tcpip]
    channel 2: open failed: administratively prohibited: open failed
    debug1: channel_free: channel 2: direct-tcpip: listening port 1521 for <dbmachine> port 1521, connect from 127.0.0.1 port 63130, nchannels 3
    It seems to me that this can't be a problem on the dbmachine (since it is quite happy to receive connections on port 1521). So the problem must be due to a problem on my local solaris 10 machine or the one I'm connecting to. I've read the man files for ssh and ssh_config and can't see what I'm doing wrong. Some web articles talk about putting AllowTcpForwards in ssh_config, but that isn't even documented in the man files, so it must refer to some other version of ssh than the one in Solaris 10. Can anyone help?

    Oops. I found the sshd_config file, and it had AllowTcpForwarding turned off. Setting it to "yes" fixed the problem.
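The fix above came down to one sshd_config directive on the remote host. The following is an added example, not OpenSSH code, that evaluates the effective AllowTcpForwarding for a given user and source address the way sshd resolves it (first global value, then the first matching Match block) over a constructed config; only Match User, Match Address and Match all are evaluated.

```python
"""Evaluate the effective AllowTcpForwarding value from an sshd_config: the
setting whose value of "no" produced "administratively prohibited: open failed"
in the ssh -L session above. Added example; not OpenSSH code."""
import re
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _directives(config_text):
    """Yield (keyword, value, criteria); criteria is None in the global section."""
    criteria = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            criteria = _parse_match(value)           # following lines belong to this block
            continue
        yield keyword, value, criteria


def _parse_match(spec):
    toks = spec.split()
    if [t.lower() for t in toks] == ["all"]:
        return []                                    # "Match all": no conditions
    return [(toks[i].lower(), toks[i + 1].split(","))
            for i in range(0, len(toks) - 1, 2)]


def _matches(criteria, user, addr):
    """Every criterion on a Match line must hold; unsupported criteria never match."""
    for kind, patterns in criteria:
        if kind == "user":
            if not any(fnmatchcase(user, p) for p in patterns):
                return False
        elif kind == "address":
            if not any(ip_address(addr) in ip_network(p, strict=False) for p in patterns):
                return False
        else:
            return False     # Group, Host, LocalPort, negation, ... are not evaluated here
    return True


def effective_value(config_text, keyword, user, addr, default):
    """sshd semantics: the first matching Match block overrides the global section,
    and within a section the first occurrence of a keyword wins."""
    keyword = keyword.lower()
    global_value = None
    for kw, value, criteria in _directives(config_text):
        if kw != keyword:
            continue
        if criteria is None:
            if global_value is None:
                global_value = value
        elif _matches(criteria, user, addr):
            return value
    return default if global_value is None else global_value


def forwarding_allowed(config_text, user, addr, direction="local"):
    """True if ssh -L (direction="local") or ssh -R ("remote") would be permitted;
    sshd's default when the keyword is absent is "yes"."""
    value = effective_value(config_text, "AllowTcpForwarding", user, addr, "yes").lower()
    return value in ("yes", "all", direction)


# Constructed sshd_config excerpt (not the poster's file).
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding no             # host-wide: refuse tunnels ...
Match User dba
    AllowTcpForwarding local      # ... except -L for the DBA account
Match Address 192.0.2.0/24
    AllowTcpForwarding yes        # ... and anything from the admin subnet
"""

if __name__ == "__main__":
    for user, addr in (("dba", "10.0.0.5"), ("web", "192.0.2.7"), ("web", "10.0.0.5")):
        print(user, addr, "-L allowed:", forwarding_allowed(SAMPLE_SSHD_CONFIG, user, addr))
```

On a real host, `sshd -T -C user=NAME,addr=IP` prints the same effective values directly; the parser above is useful when you only have a copy of the file.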

  • %NHRP-3-PAKERROR: Receive Error Indication from NHS IP , code: administratively prohibited(4), offset: 0, data:

    Hi,
    I am continuously getting the following error on my DMVPN spoke:
     %NHRP-3-PAKERROR: Receive Error Indication from <NHS tunnel IP>, code: administratively prohibited(4), offset: 0, data: 
    Here are debugs:
    054486: Aug 30 00:01:13 DXB: NHRP: Attempting to send packet via DEST <NHS tunnel IP>
    054487: Aug 30 00:01:13 DXB: NHRP: Receive Error Indication via Tunnel1 vrf 0, packet size: 128
    054488: Aug 30 00:01:13 DXB:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
    054489: Aug 30 00:01:13 DXB:      shtl: 4(NSAP), sstl: 0(NSAP)
    054490: Aug 30 00:01:13 DXB:      pktsz: 128 extoff: 0
    054491: Aug 30 00:01:13 DXB:  (M) error code: administratively prohibited(4), offset: 0 
    054492: Aug 30 00:01:13 DXB:      src NBMA: <NHS public IP>
    054493: Aug 30 00:01:13 DXB:      src protocol: <NHS tunnel IP>, dst protocol: <spoke tunnel IP>
    054494: Aug 30 00:01:13 DXB:      Contents of error packet:
    054495: Aug 30 00:01:13 DXB:         00 01 08 00 00 00 00 00 00 FF 00 58 74 68 00 34 
    054496: Aug 30 00:01:13 DXB:         01 01 04 00 04 04 C8 02 00 00 1B 29 3E A7 F3 52 
    054497: Aug 30 00:01:13 DXB:         AC 12 14 A7 0A 14 5A 13 
    Any clue as to why these logs are appearing?

    All,
    Here's a quick blurb from a document I've been working on which helps to explain this specific error message:
    An error code of 7 will be returned by the NHS when an error occurs when processing the packet which is not associated with any of the other NHRP error codes. According to RFC2332, triggers for the error code include invalid version numbers, invalid protocol types, and failed checksums. This error is commonly seen if the NHS receives a Resolution Request for an IP address which it does not have an entry for in its NHRP cache. For example, if a DMVPN spoke tries to send traffic to a spoke IP address which is not registered with the hub, the hub will return an NHRP Error Indication with the Protocol Generic Error specified.
    To troubleshoot this condition, you should collect the following on both the hub and spoke routers:
    show ip nhrp
    debug nhrp
    debug nhrp packet
    Collecting the debugs will show you the exact NHRP packets which are being sent and received, which may give you an indication as to what is prompting these errors to be returned. Keep in mind that the debugs can be quite chatty and significant NHRP traffic may cause the debugs to impact the router performance.
    HTH,
    Frank
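The debug output in this thread is the router's rendering of an NHRP Error Indication (RFC 2332, section 5.2.7). The decoder below is an added example, not Cisco code: it parses the 20-byte fixed header (the "(F)" block above) and the error-indication mandatory part (the "(M)" block), verifies ar$chksum, and extracts the copy of the offending packet. The packet it decodes is constructed here; it does not decode the hex dump from the post.

```python
"""Decoder for an NHRP Error Indication (RFC 2332, section 5.2.7), the packet
behind the %NHRP-3-PAKERROR message above. Added example with a constructed
packet; not Cisco code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Fixed header (20 bytes): afn, pro.type, pro.snap, hopcnt, pktsz, chksum,
# extoff, op.version, op.type, shtl, sstl.
FIXED_HDR = struct.Struct("!HH5sBHHHBBBB")
# Error Indication mandatory part head: src proto len, dst proto len, unused,
# error code, error offset; then the addresses and the offending packet follow.
ERR_MAND = struct.Struct("!BBHHH")
AFN_IP, PRO_TYPE_IPV4, OP_ERROR_INDICATION = 1, 0x0800, 7

# RFC 2332 error codes, plus code 4 as labelled by the IOS debug on this page.
ERROR_CODES = {
    1: "unrecognized extension", 3: "NHRP loop detected",
    4: "administratively prohibited", 6: "protocol address unreachable",
    7: "protocol error", 8: "NHRP SDU size exceeded", 9: "invalid extension",
    10: "invalid resolution reply received", 11: "authentication failure",
    15: "hop count exceeded",
}


def ip_checksum(data: bytes) -> int:
    """Standard Internet one's-complement checksum, as used for ar$chksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class ErrorIndication:
    code: int
    offset: int
    src_nbma: str      # NBMA (public) address of the NHS that raised the error
    src_proto: str     # tunnel address of the NHS
    dst_proto: str     # tunnel address of the spoke receiving the error
    offending: bytes   # copy of the packet that triggered it
    checksum_ok: bool

    @property
    def reason(self) -> str:
        return ERROR_CODES.get(self.code, f"unknown({self.code})")


def parse_error_indication(pkt: bytes) -> ErrorIndication:
    (afn, ptype, _snap, _hop, pktsz, chksum, extoff,
     version, optype, shtl, sstl) = FIXED_HDR.unpack_from(pkt, 0)
    if version != 1 or afn != AFN_IP or ptype != PRO_TYPE_IPV4:
        raise ValueError("not an NHRP-over-IPv4 packet")
    if optype != OP_ERROR_INDICATION:
        raise ValueError(f"op type {optype} is not an Error Indication")
    if len(pkt) < pktsz:
        raise ValueError("truncated packet")
    body = pkt[:pktsz]
    # ar$chksum covers the whole packet; recompute it with the field zeroed.
    checksum_ok = ip_checksum(body[:12] + b"\x00\x00" + body[14:]) == chksum
    spl, dpl, _unused, code, offset = ERR_MAND.unpack_from(body, FIXED_HDR.size)
    pos = FIXED_HDR.size + ERR_MAND.size

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    src_nbma = take(shtl)
    take(sstl)                       # NBMA subaddress: empty for IP tunnels
    src_proto, dst_proto = take(spl), take(dpl)
    end = extoff or pktsz            # offending packet runs up to the extensions
    return ErrorIndication(code, offset, str(IPv4Address(src_nbma)),
                           str(IPv4Address(src_proto)), str(IPv4Address(dst_proto)),
                           body[pos:end], checksum_ok)


def build_error_indication(code, offset, src_nbma, src_proto, dst_proto, offending):
    """Encoder used only to construct the sample below and round-trip the parser."""
    addrs = b"".join(IPv4Address(a).packed for a in (src_nbma, src_proto, dst_proto))
    mand = ERR_MAND.pack(4, 4, 0, code, offset) + addrs + offending
    pktsz = FIXED_HDR.size + len(mand)
    hdr = FIXED_HDR.pack(AFN_IP, PRO_TYPE_IPV4, b"\x00" * 5, 255, pktsz, 0, 0,
                         1, OP_ERROR_INDICATION, 4, 0)
    pkt = hdr + mand
    return pkt[:12] + struct.pack("!H", ip_checksum(pkt)) + pkt[14:]


# Constructed sample: a hub (NBMA 198.51.100.1, tunnel 10.0.0.1) answering a
# Resolution Request (op type 1, header only) from spoke 10.0.0.2 with code 4.
OFFENDING_REQUEST = FIXED_HDR.pack(AFN_IP, PRO_TYPE_IPV4, b"\x00" * 5, 255,
                                   FIXED_HDR.size, 0, 0, 1, 1, 4, 0)
SAMPLE_PACKET = build_error_indication(4, 0, "198.51.100.1", "10.0.0.1",
                                       "10.0.0.2", OFFENDING_REQUEST)

if __name__ == "__main__":
    e = parse_error_indication(SAMPLE_PACKET)
    print(f"NHS {e.src_nbma} -> spoke {e.dst_proto}: {e.reason}({e.code}), "
          f"offset {e.offset}, checksum ok: {e.checksum_ok}")
```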

  • Finder crashes when connecting to server (10.9.4)

    I have been having an issue with my Mac Mini the last few days when it tries to connect to my local server.
    The first few times I can access the server normally through Finder, but after a few goes Finder freezes up completely (spinning beach ball on Finder; other apps work OK) and needs to be restarted. Once it has restarted and I re-open Finder, it freezes up again completely until I restart my computer. The same applies when I try to access the server from other apps (e.g. when adding a photo from the server to something in Chrome).
    I have reset PRAM, verified/repaired disk, run CCleaner.
    Any solutions to this issue?
    Mac Mini mid-2011
    Processor  2.5 GHz Intel Core i5
    Memory  4 GB 1333 MHz DDR3
    Running 10.9.4

    Sorry...

  • NAT overload is not working when i configure Double NAT for VPN

    I have Cisco 2921 router with OS version 15.1(4)M1.
    The router is configured for NAT overload and working fine. I have a site-to-site VPN tunnel with a peer, with normal NAT translation. Now we need to configure Double NAT on the VPN tunnel, as we need to free the subnet on the peer network. For Double NAT I use the 3.2.21.x - 3.2.23.x /24 networks and apply the following commands:
    Double NAT translation
    ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
    ip nat inside source static network 192.168.20.0 3.2.22.0/24 no-alias
    ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
    Nonat
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    VPN encrypted traffic over the tunnel
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Problem:
    As soon as I apply the Double NAT translation commands, NAT overload stops working and clients cannot reach the internet.
    The router's partial configuration is as below:
    REACH-R01(config)#do sh run
    Building configuration...
    Current configuration : 19233 bytes
    ! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname REACH-R01
    boot-start-marker
    boot-end-marker
    card type t1 0 0
    logging buffered 51200 warnings
    no aaa new-model
    clock timezone MST -7 0
    clock summer-time MST recurring
    network-clock-participate wic 0
    network-clock-select 1 T1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    ip dhcp excluded-address 192.168.20.250 192.168.20.255
    ip dhcp pool CISCO_PHONES
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.254
    option 150 ip 192.168.20.254
    no ip domain lookup
    ip domain name reach.local
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    multilink bundle-name authenticated
    isdn switch-type primary-ni
    trunk group PRI
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3180627716
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3180627716
    revocation-check none
    rsakeypair TP-self-signed-3180627716
    voice-card 0
    dsp services dspfarm
    voice service voip
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    sip
    voice translation-rule 1
    rule 5 /^7804981231/ /401/
    voice translation-rule 2
    rule 5 // /7804981231/
    voice translation-profile DID_INBOUND
    translate called 1
    voice translation-profile DID_OUTBOUND
    translate calling 2
    license udi pid CISCO2911/K9 sn FGL1540114P
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module ism 0
    hw-module pvdm 0/0
    username test test
    redundancy
    controller T1 0/0/0
    cablelength long 0db
    pri-group timeslots 1-6,24
    no ip ftp passive
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
    description COMPUGEN
    set peer 33.33.33.33
    set transform-set ESP-AES256-SHA
    match address 115
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Outside Interface To the Internet
    ip address dhcp
    ip access-group outside_access_in in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN-TUNNEL
    interface ISM0/0
    ip unnumbered GigabitEthernet0/1.20
    service-module ip address 192.168.20.2 255.255.255.0
    !Application: CUE Running on ISM
    service-module ip default-gateway 192.168.20.254
    interface GigabitEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.10
    description VLAN 10 DATA VLAN
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/1.20
    description VLAN 20 VOICE VLAN
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet0/1.30
    description VLAN 30 WIRELESS VLAN
    encapsulation dot1Q 30
    ip address 192.168.30.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ISM0/1
    description Internal switch interface connected to Internal Service Module
    no ip address
    interface Serial0/0/0:23
    no ip address
    encapsulation hdlc
    isdn switch-type primary-ni
    isdn incoming-voice voice
    trunk-group PRI
    no cdp enable
    interface Vlan1
    no ip address
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip http path flash:CME8.6/GUI
    ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
    ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
    ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
    ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
    ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
    ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
    ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
    ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
    ip route 192.168.20.2 255.255.255.255 ISM0/0
    ip access-list extended outside_access_in
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit tcp any host 22.22.22.22 eq 1723
    permit tcp any host 22.22.22.22 eq 3389
    permit tcp any host 22.22.22.22 eq smtp
    permit tcp any host 22.22.22.22 eq 443
    permit tcp any host 22.22.22.22 eq domain
    permit udp any host 22.22.22.22 eq domain
    permit tcp any host 22.22.22.22 eq 123
    permit icmp any host 22.22.22.22 unreachable
    permit icmp any host 22.22.22.22 echo-reply
    permit icmp any host 22.22.22.22 packet-too-big
    permit icmp any host 22.22.22.22 time-exceeded
    permit icmp any host 22.22.22.22 traceroute
    permit icmp any host 22.22.22.22 administratively-prohibited
    permit icmp any host 22.22.22.22 echo
    permit tcp any host 22.22.22.22 eq 987
    permit tcp any host 22.22.22.22 eq 47
    permit gre any host 22.22.22.22
    permit udp any host 22.22.22.22 eq isakmp
    permit esp any host 22.22.22.22
    access-list 23 permit any
    access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    access-list 101 permit ip 192.168.30.0 0.0.0.255 any
    access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think that you want to control all outbound traffic from the LAN to the outside with the ASA.
    I suggest some modifications, as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB

  • Router connected to cable modem by Ethernet port cannot get IP address from DHCP.

    I have an Ethernet cable on Fa0/0 connecting my 1841 router to my cable modem. The issue is that the router cannot obtain an IP address via DHCP when I have the "ACL-OUTSIDE-IN" ACL applied inbound on the Fa0/0 interface. I tried to allow all BOOTP and BOOTPS traffic in my ACL, but still no luck. I really don't want to run the router without a simple ACL firewall and connect it to the internet. When I take the ACL off of Fa0/0, the router is able to get an IP address via DHCP.
    Router#sh run
    Building configuration...
    Current configuration : 10736 bytes
    ! Last configuration change at 18:14:42 MST Fri Nov 16 2012 by matt.chan
    version 12.4
    service nagle
    service timestamps debug datetime msec localtime show-timezone year
    service timestamps log datetime msec localtime show-timezone year
    service password-encryption
    hostname Router
    boot-start-marker
    boot system flash:c1841-advipservicesk9-mz.124-25f.bin
    boot-end-marker
    logging count
    logging userinfo
    logging buffered 1048576 informational
    enable secret 5 <removed>
    aaa new-model
    aaa authentication login AUTH-LOCAL local-case
    aaa session-id unique
    memory-size iomem 25
    clock timezone MST -7
    ip cef
    ip nbar pdlm flash:directconnect.pdlm
    ip nbar pdlm flash:citrix.pdlm
    ip nbar pdlm flash:bittorrent.pdlm
    ip nbar custom steam destination udp range 27000 27030
    ip nbar custom rdp destination tcp range 3389 3391 55402
    ip domain lookup source-interface FastEthernet0/0
    ip name-server 8.8.8.8
    ip inspect name fa0/0_inspect_ou icmp router-traffic timeout 10
    ip inspect name fa0/0_inspect_ou ftp timeout 300
    ip inspect name fa0/0_inspect_ou udp router-traffic timeout 120
    ip inspect name fa0/0_inspect_ou tcp router-traffic timeout 300
    login block-for 60 attempts 4 within 60
    login quiet-mode access-class ACL-ACCESS-QUIET
    password encryption aes
    crypto pki trustpoint TP-self-signed-1755372391
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1755372391
    revocation-check none
    rsakeypair TP-self-signed-1755372391
    crypto pki certificate chain TP-self-signed-1755372391
    certificate self-signed 01
      quit
    username <removed> secret 5 <removed>
    ip ssh maxstartups 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh port 2226 rotary 1
    ip ssh version 2
    class-map match-all Zuri-YouTube-Class
    match access-group name NAT-Pool-Zuri-WLAN
    match protocol http host "*youtube.com*"
    policy-map PMAP-QOS-VTI-IN
      description QOS FOR TU0
    class class-default
      shape peak 1512000
    policy-map PMAP-QOS-VTI-OUT
      description QOS FOR TU0
    class class-default
      shape peak 512000
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 43200
    crypto isakmp key 6 <removed> address <removed>
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 5 periodic
    crypto ipsec transform-set EDGE-TS ah-sha-hmac esp-aes 256
    crypto ipsec profile EDGE
    set security-association lifetime kilobytes 256000
    set transform-set EDGE-TS
    set pfs group5
    interface Loopback0
    no ip address
    interface Tunnel0
    description "VTI Link"
    bandwidth 4000
    ip address 172.20.0.2 255.255.255.0
    ip mtu 1400
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1360
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 7 12090011003E5A0C0F186E752220211B4A
    keepalive 10 5
    tunnel source FastEthernet0/0
    tunnel destination <removed>
    tunnel mode ipsec ipv4
    tunnel path-mtu-discovery
    tunnel protection ipsec profile EDGE
    service-policy output PMAP-QOS-VTI-OUT
    hold-queue 75 out
    interface FastEthernet0/0
    description "Link to ISP"
    bandwidth 4000
    ip address dhcp
    ip access-group ACL-OUTSIDE-IN in
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat outside
    ip inspect fa0/0_inspect_ou out
    ip virtual-reassembly
    ip ospf cost 1
    duplex auto
    speed auto
    no keepalive
    no cdp enable
    interface FastEthernet0/1
    description "Link to LAN"
    ip address 172.16.0.1 255.255.255.248
    ip access-group ACL-INSIDE-IN in
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    ip ospf cost 1
    ip ospf priority 255
    duplex auto
    speed auto
    no keepalive
    router ospf 1
    log-adjacency-changes
    redistribute static subnets
    passive-interface default
    no passive-interface Tunnel0
    network 172.20.0.0 0.0.0.3 area 0
    ip forward-protocol nd
    ip route 10.0.0.0 255.0.0.0 Null0 name "Class A Private"
    ip route 172.16.0.0 255.240.0.0 Null0 name "Class B Private"
    ip route 172.17.0.0 255.255.0.0 FastEthernet0/1 172.16.0.2 name "Home WLAN"
    ip route 172.19.73.31 255.255.255.255 Null0
    ip route 172.27.0.0 255.255.0.0 Tunnel0 172.20.0.1 name "IPsec GRE Tunnel"
    ip route 192.168.0.0 255.255.0.0 Null0 name "Class C Private"
    ip route 192.168.0.0 255.255.255.0 Tunnel0 172.20.0.1 name "VLAN 70"
    ip route 192.168.100.1 255.255.255.255 FastEthernet0/0 70.162.0.1 permanent name "CABLE MODEM MANAGEMENT"
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 253
    ip dns server
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat translation tcp-timeout 300
    ip nat translation udp-timeout 120
    ip nat translation max-entries 2048
    ip nat inside source list ACL-NAT-172.16.0.0/29 interface FastEthernet0/0 overload
    ip nat inside source list ACL-NAT-MANAGEMENT interface FastEthernet0/0 overload
    ip nat inside source static tcp 172.16.0.4 22 interface FastEthernet0/0 2227
    ip nat inside source static tcp 172.16.0.5 3389 interface FastEthernet0/0 3391
    ip nat inside source static tcp 172.16.0.3 3389 interface FastEthernet0/0 3390
    ip nat inside source static tcp 172.16.0.4 80 interface FastEthernet0/0 8084
    ip access-list standard ACL-ACCESS-QUIET
    permit 216.161.180.16
    permit 172.16.0.0 0.1.255.255
    permit 172.27.0.0 0.0.127.255
    permit 172.20.0.0 0.0.0.3
    ip access-list standard ACL-NAT-172.16.0.0/29
    permit 172.16.0.0 0.0.0.7
    ip access-list standard ACL-NAT-172.17.0.0/24
    permit 172.17.0.0 0.0.0.255
    ip access-list standard ACL-NAT-172.17.1.0/24
    permit 172.17.1.0 0.0.0.255
    ip access-list standard ACL-SNMP
    permit 172.16.0.4
    ip access-list extended ACL-CRY-MAP
    ip access-list extended ACL-INSIDE-IN
    deny   ip host 172.16.0.2 172.27.0.0 0.0.127.255
    deny   ip host 172.16.0.2 172.20.0.0 0.0.0.3
    permit ip 172.17.0.0 0.0.0.255 any
    permit ip 172.16.0.0 0.0.0.7 any
    permit ip 172.17.1.0 0.0.0.255 any
    ip access-list extended ACL-NAT-MANAGEMENT
    permit tcp host 172.27.10.11 eq 3389 host 72.166.77.196
    ip access-list extended ACL-OUTSIDE-IN
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    permit tcp any any range 3390 3391
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit tcp any any range 2226 2228
    permit tcp any any range 8081 8084
    permit icmp any any echo
    permit icmp any any net-unreachable
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any parameter-problem
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    deny   icmp any any
    deny   ip any any
    ip access-list log-update threshold 10
    logging history informational
    logging trap debugging
    logging 172.17.228.17
    logging 172.17.228.10
    control-plane
    line con 0
    exec-timeout 15 0
    privilege level 15
    logging synchronous
    login authentication AUTH-LOCAL
    line aux 0
    login authentication AUTH-LOCAL
    line vty 0 4
    exec-timeout 60 0
    privilege level 15
    logging synchronous
    login authentication AUTH-LOCAL
    rotary 1
    transport input ssh
    scheduler allocate 20000 1000
    ntp clock-period 17178311
    ntp source FastEthernet0/0
    ntp server 148.167.132.201
    end

    Hi Matt,
    Try adding the line below:
    ip access-list extended ACL-OUTSIDE-IN
    permit udp any eq bootpc any eq bootps
    Regards
    Najaf
    Please rate when applicable or helpful !!!
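To see which line of a list like ACL-OUTSIDE-IN catches a given packet before editing the list, here is a first-match evaluator for the IOS extended ACL syntax the post uses. This is an added example, not the poster's or Cisco's code: the ACL text is the post's list abridged, and the sample packets use documentation addresses; it reports the line an inbound DHCP OFFER (UDP 67 to 68) hits and shows first match and the implicit deny on the other packets.

```python
"""First-match evaluation of an IOS extended ACL against a packet.

Added example, not from the post or from Cisco; it supports only what the post's
ACL-OUTSIDE-IN uses: ip/tcp/udp/icmp, any | host A | A WILDCARD, eq/range with
named ports, icmp type names, 'established' and 'log'.
"""
import ipaddress
PORT_NAMES = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}
# The post's list, abridged to the lines exercised below; relative order is kept.
ACL_OUTSIDE_IN = """
ip access-list extended ACL-OUTSIDE-IN
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit tcp any any range 3390 3391
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any echo
permit icmp any any administratively-prohibited
deny   icmp any any
deny   ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """any | host A | A WILDCARD -> ((network, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """eq P | range P Q | nothing -> ((lo, hi) or None, next index)."""
    def val(t):
        return PORT_NAMES[t] if t in PORT_NAMES else int(t)
    if i < len(tok) and tok[i] == "eq":
        return (val(tok[i + 1]), val(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (val(tok[i + 1]), val(tok[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """One ACE -> dict; raises ValueError on a keyword outside the subset."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i) if proto in ("tcp", "udp") else (None, i)
    quals = [t for t in tok[i:] if t != "log"]   # icmp type name or 'established'
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, quals=quals)

def _addr_match(spec, ip):
    care = ~spec[1] & 0xFFFFFFFF             # a set wildcard bit means "don't care"
    return (_ip(ip) & care) == (spec[0] & care)

def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def ace_matches(ace, pkt):
    """pkt keys: proto, src, dst; sport/dport (tcp/udp); icmp_type (icmp); established (tcp)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["proto"] in ("tcp", "udp") and not (
            _port_match(ace["sport"], pkt["sport"]) and _port_match(ace["dport"], pkt["dport"])):
        return False
    for q in ace["quals"]:
        if q == "established":
            if not pkt.get("established"):
                return False
        elif ace["proto"] == "icmp":
            if pkt.get("icmp_type") != q:
                return False
        else:
            raise ValueError(f"unsupported qualifier {q!r} in ACE")
    return True

def evaluate(acl_text, pkt):
    """(action, matching line); no line matches -> ('deny', None), the implicit deny."""
    for line in (raw.strip() for raw in acl_text.strip().splitlines()):
        if line.startswith("ip access-list"):
            continue
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

# Constructed packets (documentation addresses): an inbound DHCP OFFER (server port 67
# to client port 68), RDP to a forwarded port, and the same RDP from a 172.16/12 source.
DHCP_OFFER = dict(proto="udp", src="198.51.100.1", dst="255.255.255.255", sport=67, dport=68)
RDP_3390 = dict(proto="tcp", src="203.0.113.7", dst="192.0.2.10", sport=40000, dport=3390)
RDP_3390_PRIVATE_SRC = dict(RDP_3390, src="172.20.0.5")
```

Call `evaluate(ACL_OUTSIDE_IN, DHCP_OFFER)` to get the action and the exact ACE that decided it; a result of `('deny', None)` means nothing matched and the implicit deny applied.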

  • Using ssh as an http proxy on Arch [SOLVED]

    I read this article and would like to use a friend's Debian box as a www proxy. I ssh'ed into it using the following command from my Arch box:
    $ ssh user@ip -D 8000
    As I understand it, his box is now acting as a SOCKS-type (pseudo)server.  I configured firefox to use 'localhost' and port '8000' as a proxy but can't connect to any websites.  I tried switching between SOCKS4 and SOCKS5 but with no effect.  Is there a setting somewhere on my Arch box that would disallow this behavior (something in /etc/hosts.deny or the like)?
    I know this works, because I did it before I started using Arch back when I had Ubuntu installed.
    Thanks in advance!
    Last edited by graysky (2009-07-30 21:06:04)

    Thanks for the quick reply.  I got it working:
    $ ssh -D 8000 user@host
    Now, in firefox, only add 127.0.0.1 to your SOCKS proxy line (and the correct port number).  Now check the SOCKS4 radio box and clear the IP addy from the other proxy boxes.  This works for me now, although I get the following error in the ssh window (but it still functions):
    channel 4: open failed: administratively prohibited: open failed

  • X forwarding suddenly failing over ssh

    Hi,
    I have an Ultra 20 running solaris 10, and recently started using the patch manager thingy to update my machine automatically. Well, one of those patches botched X11 forwarding over ssh, with the following error message delivered to the client:
    ==================
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    connect /tmp/.X11-unix/X0: Not a directory
    X connection to localhost:10.0 broken (explicit kill or server shutdown).
    ==================
    Looking at this file, i see this:
    ==================
    pwd
    /tmp/.X11-unix
    ls -FCl
    total 0
    srwxrwxrwx 1 root root 0 Oct 12 19:31 X0=
    ==================
    Which looks more or less correct for a socket. (doing just a plain "ls" returns "X0", and not "X0=").
    When run in debug mode, sshd gives this:
    ==================
    debug1: X11 connection requested.
    debug1: channel 3: new [X11 connection from ::1 port 33274]
    channel 3: open failed: administratively prohibited: open failed
    debug1: channel 3: free: X11 connection from ::1 port 33274, nchannels 4
    ==================
    This was working perfectly for a long time, and I don't even know which patch it was that caused the problem.
    Help! I can't stand developing with VI any more! Must run xemacs...
    Thanks,
    Ben

    Hello.
    With my old computer I managed to display this screen on a Windows X client using XDM. On my new machine I did not manage this because dtgreet does not work on remote machines when having installed the latest patches.
    Using SSH it is not possible to show this screen at all.
    If it was possible with another version of dtgreet, you had to log in as "root" using SSH (it would not work with another user), which is a problem because SSH typically denies root access.
    The question is: why do you wish to show this display on the remote machine? Maybe there is a better way to achieve the goal you actually want.
    Martin

  • Loosing X ... 'Error: cannot open display: localhost:11.0'

    Hello, I hope someone may be able to help me find a solution to this X-related problem.
    Before Lion everything worked as expected.
    From a terminal I run
    ssh -X user@linuxbox
    and it works as expected... all the X applications come back to my Mac,
    but after a while (generally not long... about 5 to 10 min)
    I cannot launch any X application anymore.
    Within my Terminal I get "Error: cannot open display: localhost:11.0"
    and on the linuxbox side I get "sshd[xxxx]: channel 4: open failed: administratively prohibited: open failed"
    Running 10.7.1, fully updated (from my 10.6.8 Mac I do not have this problem
    ... and never had)
    Thanks in advance for your help
    PhS
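The same "channel N: open failed: administratively prohibited: open failed" line appears in the Arch SOCKS post, the Solaris X11 post and the Lion post above. As an added example (not from any of those posts), here is a small detector that walks sshd syslog lines, attributes each policy refusal to the session that produced it, and separates X11 refusals from forwarded-TCP ones; it assumes syslog layout and LogLevel DEBUG (or `sshd -d` output) so that the `debug1: X11 connection requested.` line quoted in the Solaris post is present, and all hosts, users and PIDs in the sample are constructed.

```python
"""Flag repeated 'administratively prohibited' channel-open refusals in sshd logs.

Added example, not from any post in this thread. The message means the peer
refused a CHANNEL_OPEN (RFC 4254 reason code 1): for -L/-D forwards the refusing
side is sshd (AllowTcpForwarding, PermitOpen); X11 channels are opened by sshd
back toward the client, so there the refusing side is the client's ssh (X11 not
enabled, ForwardX11Timeout expired, or the local X display unreachable, as in the
Solaris post). Log lines below are constructed; host, users and PIDs are invented.
Without LogLevel DEBUG the debug1 line is absent and every refusal counts as 'tcp-or-other'.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 12 19:40:01 linuxbox sshd[4321]: Accepted publickey for phs from 10.0.0.5 port 50222 ssh2
Oct 12 19:40:03 linuxbox sshd[4321]: debug1: X11 connection requested.
Oct 12 19:40:03 linuxbox sshd[4321]: channel 4: open failed: administratively prohibited: open failed
Oct 12 19:41:10 linuxbox sshd[4321]: debug1: X11 connection requested.
Oct 12 19:41:10 linuxbox sshd[4321]: channel 5: open failed: administratively prohibited: open failed
Oct 12 19:42:00 linuxbox sshd[4400]: Accepted password for guest from 10.0.0.9 port 50300 ssh2
Oct 12 19:42:05 linuxbox sshd[4400]: channel 3: open failed: administratively prohibited: open failed
Oct 12 19:42:06 linuxbox sshd[4400]: channel 4: open failed: connect failed: Connection refused
Oct 12 19:43:00 linuxbox sshd[4400]: Received disconnect from 10.0.0.9 port 50300:11: disconnected by user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPEN_FAIL_RE = re.compile(r"^channel (?P<chan>\d+): open failed: (?P<reason>[^:]+):")
X11_REQUEST = "debug1: X11 connection requested."   # the debug1 line quoted in the Solaris post
POLICY_REFUSAL = "administratively prohibited"       # other reasons are connectivity, not policy

def parse_sshd_lines(text):
    """Yield (pid, msg) for syslog-style sshd lines; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("pid"), m.group("msg")

def refused_channel_opens(text):
    """Per sshd session (PID): login identity and count of refused opens by kind.

    kind is 'x11' when the previous debug line announced an X11 connection
    (the refusal then came from the client), else 'tcp-or-other' (for a -L/-D
    forward that is sshd's own policy). Sessions with no refusals are dropped.
    """
    sessions = defaultdict(lambda: {"user": None, "ip": None,
                                    "refused": {"x11": 0, "tcp-or-other": 0}})
    pending_x11 = set()   # PIDs whose next channel-open failure belongs to an X11 channel
    for pid, msg in parse_sshd_lines(text):
        login = LOGIN_RE.match(msg)
        if login:
            sessions[pid]["user"], sessions[pid]["ip"] = login.group("user"), login.group("ip")
            continue
        if msg == X11_REQUEST:
            pending_x11.add(pid)
            continue
        fail = OPEN_FAIL_RE.match(msg)
        if fail:
            kind = "x11" if pid in pending_x11 else "tcp-or-other"
            pending_x11.discard(pid)
            if fail.group("reason") == POLICY_REFUSAL:
                sessions[pid]["refused"][kind] += 1
    return {pid: s for pid, s in sessions.items() if sum(s["refused"].values()) > 0}

def sessions_to_review(text, threshold=2):
    """PIDs with at least `threshold` policy refusals: either a misconfigured
    client/server pair (the cases in this thread) or a client testing what the
    server's forwarding policy allows; both deserve a look."""
    return sorted(pid for pid, s in refused_channel_opens(text).items()
                  if sum(s["refused"].values()) >= threshold)

if __name__ == "__main__":
    for pid, s in refused_channel_opens(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} from={s['ip']} refused={s['refused']}")
    print("review:", sessions_to_review(SAMPLE_LOG))
```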

    'arch' is set as the alias for localhost.  I never entered 'arch' anyway, that's just what the error said.
    e:  I tried ssh-ing into a X session on another laptop running an Ubuntu live CD.  I can ssh into it normally, but when I run 'xinit -e ssh -XCT [email protected] gnome-session -- :1' it just starts a new X session on ctrl+alt+F8 using my startx file, rather than the one on the other computer.
    Last edited by Yes (2008-07-11 19:17:28)

  • Cisco 1811W stopped allowing wireless connection of domain laptops

    I have a Cisco 1811W that, after several years in service, suddenly stopped allowing any wireless connection to laptops on the domain. It allows hard-wired connections and devices that are just using the wireless hot spot, like iPads and iPhones, but not devices on the domain. These same laptops connect wirelessly without issue at our other facilities, which use the same hardware.
    Here is the config file of the router in question...
    router#show run
    Building configuration...
    Current configuration : 11776 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone year
    service password-encryption
    hostname xxx
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    no logging console
    enable secret 5 xxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1083484987
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1083484987
    revocation-check none
    rsakeypair TP-self-signed-xxxx
    dot11 syslog
    dot11 ssid xxxx
    vlan 44
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7
    dot11 ssid xxxx
    vlan 144
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp pool xxx-LAN
    network xxx.xxx.xxx.xxx 255.255.255.0
    domain-name xxxx
    dns-server xxx.xxx.xxx.xxx
    default-router xxx.xxx.xxx.xxx
    lease 0 2
    ip dhcp pool VLAN44
    network xxx.xxx.xxx.xxx 255.255.255.0
    default-router xxx.xxx.xxx.xxx
    domain-name xxxx
    dns-server xxx.xxx.xxx.xxx
    lease 4
    ip dhcp pool VLAN144
    network xxx.xxx.xxx.xxx 255.255.255.0
    default-router xxx.xxx.xxx.xxx
    domain-name xxxx
    dns-server 12.127.16.67 12.127.16.68
    lease 4
    ip cef
    ip domain name xxxx
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip inspect tcp reassembly queue length 24
    ip inspect name IPFW tcp timeout 3600
    ip inspect name IPFW udp timeout 15
    ip inspect name IPFW ftp
    ip inspect name IPFW realaudio
    ip inspect name IPFW smtp
    ip inspect name IPFW h323
    ip inspect name IPFW ftps
    ip inspect name IPFW http
    ip inspect name IPFW https
    ip inspect name IPFW icmp
    ip inspect name IPFW imap
    ip inspect name IPFW imaps
    ip inspect name IPFW irc
    ip inspect name IPFW ircs
    ip inspect name IPFW ntp
    ip inspect name IPFW pop3
    ip inspect name IPFW pop3s
    ip inspect name IPFW radius
    ip inspect name IPFW sip
    ip inspect name IPFW sip-tls
    ip inspect name IPFW ssh
    ip inspect name IPFW telnet
    ip inspect name IPFW telnets
    ip inspect name IPFW vdolive
    ip inspect name IPFW webster
    ip inspect name IPFW dns
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    file prompt quiet
    username admin password n
    username laneadmin password n
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp policy 2
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.232
    crypto isakmp key 5122662533fedcbabcdef address 12.97.224.120
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.152
    crypto isakmp key 5122662533fedcbabcdef address 12.97.230.154
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.226
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES256-SHA-LZO esp-aes 256 esp-sha-hmac comp-lzs
    crypto ipsec df-bit clear
    crypto ipsec profile SITE-to-SITE-DMVPN-Profile
    set transform-set ESP-AES256-SHA
    crypto ipsec client ezvpn ezvpn-client
    connect auto
    mode client
    xauth userid mode interactive
    archive
    log config
    logging enable
    notify syslog contenttype plaintext
    hidekeys
    path scp://cisco:wrs-.o#d8Au8M@fs00/$h-$t
    write-memory
    ip ssh version 2
    bridge irb
    interface Loopback0
    ip address 1.1.1.5 255.255.255.252
    interface Tunnel0
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    no ip redirects
    ip nhrp map xxx.xxx.xxx.xxx 12.97.230.154
    ip nhrp map multicast 12.97.230.154
    ip nhrp map xxx.xxx.xxx.xxx 12.97.225.226
    ip nhrp map multicast 12.97.225.226
    ip nhrp network-id 1
    ip nhrp nhs xxx.xxx.xxx.xxx
    ip nhrp nhs xxx.xxx.xxx.xxx
    tunnel source 12.97.225.234
    tunnel mode gre multipoint
    tunnel protection ipsec profile SITE-to-SITE-DMVPN-Profile
    interface Dot11Radio0
    no ip address
    no dot11 extension aironet
    encryption vlan 44 mode ciphers tkip
    encryption vlan 144 mode ciphers tkip
    ssid XXXX
    ssid XXX-guest
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2437
    station-role root
    no cdp enable
    interface Dot11Radio0.44
    encapsulation dot1Q 44
    bridge-group 44
    bridge-group 44 subscriber-loop-control
    bridge-group 44 spanning-disabled
    bridge-group 44 block-unknown-source
    no bridge-group 44 source-learning
    no bridge-group 44 unicast-flooding
    interface Dot11Radio0.144
    encapsulation dot1Q 144
    bridge-group 144
    bridge-group 144 subscriber-loop-control
    bridge-group 144 spanning-disabled
    bridge-group 144 block-unknown-source
    no bridge-group 144 source-learning
    no bridge-group 144 unicast-flooding
    interface Dot11Radio1
    no ip address
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    interface FastEthernet0
    description 604 AT&T static IP
    ip address 12.97.225.234 255.255.255.248
    ip access-group IPFW-ACL-outside-A in
    no ip redirects
    no ip proxy-arp
    ip nat outside
    ip inspect IPFW out
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet2
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet3
    description phone system
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet8
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet9
    description switchport uplink
    switchport access vlan 4
    interface Vlan1
    no ip address
    interface Vlan4
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1200
    ip policy route-map NONAT-LAN
    interface Vlan5
    no ip address
    interface Vlan10
    no ip address
    interface Vlan44
    description nnn private WLAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip policy route-map NONAT-LAN
    bridge-group 44
    bridge-group 44 spanning-disabled
    interface Vlan144
    description nnn Guest WLAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip policy route-map NONAT-LAN
    bridge-group 144
    bridge-group 144 spanning-disabled
    interface Async1
    no ip address
    encapsulation slip
    interface BVI44
    description Bridge to nnn private WLAN
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface BVI144
    description Bridge to nnn Guest WLAN
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    router eigrp 1
    network xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    no auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 12.97.225.233
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0 overload
    ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface FastEthernet0 22222
    ip nat inside source route-map NO-NAT interface FastEthernet0 overload
    ip access-list standard VTY-ACL
    permit 192.168.0.0 0.0.63.255
    ip access-list extended IPFW-ACL-outside
    permit udp any any eq isakmp
    permit udp any eq isakmp any
    permit esp any any
    permit tcp any host 12.97.225.234 eq 23232
    permit icmp any any administratively-prohibited
    permit icmp any any echo-reply
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any traceroute
    deny ip any any
    ip access-list extended IPFW-ACL-outside-A
    permit tcp any host 12.97.225.234 eq 22222
    permit udp any any eq isakmp
    permit udp any eq isakmp any
    permit esp any any
    permit tcp any host 12.97.225.234 eq 23232
    permit icmp any any administratively-prohibited
    permit icmp any any echo-reply
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any traceroute
    deny ip any any
    ip access-list extended NAT-ACL
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 any
    deny ip 192.168.44.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 any
    deny ip 192.168.144.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 any
    ip access-list extended NONAT-LAN-RETURNING-ACL
    permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
    ip access-list extended VTY-ACL-A
    deny ip 192.168.160.0 0.0.0.255 any
    permit ip 192.168.44.0 0.0.0.255 any
    permit ip 192.168.144.0 0.0.0.255 any
    permit ip 192.168.0.0 0.0.0.255 any
    permit ip 192.168.1.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 any
    permit ip 192.168.3.0 0.0.0.255 any
    permit ip 192.168.4.0 0.0.0.255 any
    permit ip 192.168.5.0 0.0.0.255 any
    permit tcp any any eq 22
    deny ip any any
    logging trap notifications
    logging source-interface Vlan5
    logging 192.168.0.225
    route-map NONAT-LAN permit 10
    match ip address NONAT-LAN-RETURNING-ACL
    set interface Loopback0
    route-map NO-NAT permit 10
    match ip address NAT-ACL
    snmp-server community XXXsnmppub RO
    control-plane
    bridge 44 route ip
    bridge 144 route ip
    banner login ^C
    Unauthorized access is prohibited and will be monitored and prosecuted.
    If you are not explicitly authorized to access this device, you must
    disconnect now.
    ^C
    banner motd ^C
    Unauthorized access is prohibited and will be monitored and prosecuted.
    If you are not explicitly authorized to access this device, you must
    disconnect now.
    ^C
    line con 0
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    line vty 0 4
    access-class VTY-ACL-A in
    password 7 nnn
    transport input ssh
    line vty 5 15
    webvpn gateway webgateway
    ssl trustpoint TP-self-signed-1083484987
    no inservice
    webvpn gateway sslvpn.xxx
    hostname www.nnn
    ssl trustpoint TP-self-signed-1083484987
    inservice
    end
    router#

    It was a twofold problem. There is another, stronger Wi-Fi signal at the facility from another entity on a different domain that the two laptops were trying to associate to in lieu of the network signal from our 1811. This could only be seen while watching the Intel wireless PROSet app, NOT the Windows wireless management app. Then, by deleting all other old Wi-Fi networks listed in the Intel PROSet app except ours, it connected. Also set the devices to never connect to the other signal. This was not an issue when I brought the laptop to another facility without a competing Wi-Fi signal, because there they would connect using the strongest and ONLY Wi-Fi network signal, which was ours.

  • Help w/ E-mail and Director

    Hey all. I need to find code for Director to access G-Mail. I
    want to be able to receive and send mail. And then take those
    e-mails and take information from them and use it in the Shockwave
    file. Is there any way I can do this?

    I tried the example from Adobe but I can't get it to work.
    They say it doesn't need a user ID or password, but with or without it
    I keep getting the message "Server Message: 550 Administrative
    prohibition".
    The full log is:
    quote:
    ConnectToNetServer sent to server
    ConnectToNetServer successful
    HELO message sent to server
    MAIL FROM message sent to server
    RCPT TO message sent to server
    DATA message sent to server
    Message content sent to server
    Server Message: 550 Administrative prohibition
    Can anyone help me on this one?

  • Simple firewall implementation

    Hello,
    I'm pretty new to Cisco products and want to set up a simple firewall.
    I found some examples but can't get it to work.
    For now we are using Cisco 88x and 89x series routers.
    When I activate the script, the remote connection to the router is lost, although I have put in a permit rule for SSH.
    The script is the following:
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall rtsp
    ip inspect name Firewall h323
    ip inspect name Firewall netshow
    ip inspect name Firewall ftp
    ip inspect name Firewall ssh
    ip access-list extended Allow-IN
     permit eigrp any any
     permit icmp any 192.168.2.0 0.0.0.255 echo-reply
     permit icmp any 192.168.2.0 0.0.0.255 unreachable
     permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
     permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
     permit icmp any 192.168.2.0 0.0.0.255 echo
     permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
     permit tcp any 192.168.2.0 0.0.0.255 eq 22
     deny ip any any
    interface Vlan1
     ip inspect Firewall in
    interface Dialer1
     ip access-group Allow-IN in
    Can anyone tell me what I'm doing wrong here?
    And a second question: can I also use port numbers for ip inspect, or must I always use a service name?
    Thank you,
    //Edwin
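    As an added illustration, not code from this thread, here is a small Python evaluator that applies the Allow-IN list above the way IOS applies an inbound ACL: first match wins, and anything unmatched hits the implicit deny. The Dialer1 address and the remote administrator's address are hypothetical RFC 5737 placeholders. It shows that the "permit tcp ... eq 22" entry only covers destinations inside 192.168.2.0/24, so an SSH session addressed to the router's own Dialer1 address is denied, which is one way management access is lost when the ACL is applied; the same function also understands the "host" form used by the IPFW-ACL lists earlier in the thread.

```python
import ipaddress

# Constructed copy of the Allow-IN ACL from the post, used here as sample input.
ALLOW_IN_ACL = """\
permit eigrp any any
permit icmp any 192.168.2.0 0.0.0.255 echo-reply
permit icmp any 192.168.2.0 0.0.0.255 unreachable
permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
permit icmp any 192.168.2.0 0.0.0.255 echo
permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
permit tcp any 192.168.2.0 0.0.0.255 eq 22
deny ip any any"""

def _match_addr(tokens, addr):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from tokens; return
    (matched, remaining tokens). Wildcard bits set to 1 are 'don't care'."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        base, wild, rest = int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    else:
        base = int(ipaddress.IPv4Address(tokens[0]))
        wild, rest = int(ipaddress.IPv4Address(tokens[1])), tokens[2:]
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care), rest

def evaluate_acl(acl_text, proto, src, dst, dport=None):
    """First-match evaluation as IOS does it: 'ip' matches any protocol, only 'eq
    <port>' is checked (ICMP type keywords ignored); no match means implicit deny."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, ace_proto = tok[0], tok[1]
        if ace_proto not in ("ip", proto):
            continue
        ok, rest = _match_addr(tok[2:], src)
        if ok:
            ok, rest = _match_addr(rest, dst)
        if not ok or (rest[:1] == ["eq"] and dport != int(rest[1])):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Hypothetical RFC 5737 addresses standing in for the Dialer1 public IP and a
# remote admin workstation; the inside host sits on the 192.168.2.0/24 LAN.
ROUTER_WAN_IP, ADMIN_PC, INSIDE_HOST = "203.0.113.10", "198.51.100.7", "192.168.2.50"

if __name__ == "__main__":
    # Inbound on Dialer1, the ACL also filters sessions addressed to the router itself.
    print("SSH to the router's Dialer1 address:", evaluate_acl(ALLOW_IN_ACL, "tcp", ADMIN_PC, ROUTER_WAN_IP, 22))
    print("SSH to a host on the LAN:", evaluate_acl(ALLOW_IN_ACL, "tcp", ADMIN_PC, INSIDE_HOST, 22))
```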

    Hello,
    I have tested this.
    I couldn't add router-traffic to the ip inspect rule for ssh, but could add it to the ip inspect rule for tcp.
    I tested this option, but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
    Maybe I did it wrong or it doesn't work.
    //Edwin

  • Multiuser Xtra sending email

    I can't send emails using multiuser Xtra, keep getting the
    same error:
    quote:
    ConnectToNetServer sent to server
    ConnectToNetServer successful
    HELO message sent to server
    MAIL FROM message sent to server
    RCPT TO message sent to server
    DATA message sent to server
    Message content sent to server
    Server Message: 550 Administrative prohibition
    I'm using the sample movie from Adobe ->
    http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14182
    Can anyone help me on this one?

    I know this is an OLD post, but I'd really be interested in the code to send attachments as well.
    If anyone can supply this code, please contact me: whairston<at>logicaloperators<dot>com
    Thanks
