Airtunes on different subnets - Why not?
I've been googling for the past week in order to try and find out if it is possible to use airtunes on different subnets before I actually buy the device only to find out that it does not satisfy my needs. For various reasons I can not have all my machines into the same subnet.
Searching revealed that because the Airtunes relies on Bonjour which in turn relies onto mDNS (i.e. mullticast) it simply can not be used in two different subnets. I've read that it cannot be done everywhere. I just can't understand the actual reason. Being a network engineer for more than 9 years I find it hard to accept that if both local subnets on my 3640 have multicast routing enabled it still won't do the trick. Can anyone shed some light into this? Unfortunately I still don't own the device so I can not do any tests...
Any help would be much appreciated.
TIA,
GrSpider
Powermac G5 Quad, MB C2D Mac OS X (10.4.9)
GrSpider -
Bonjour (and mDNS) work perfectly well across multiple subnets so long as your router is configured to support (i.e. route) multicast traffic. I use Bonjour on a constant basis across three subnets with both Mac and Windows platforms for a variety of service location purposes (printing, file sharing, streaming media) and have no problems whatsoever.
The AirTunes limitation you're referring to is an Apple policy decision, not a technical issue. It appears they've restricted iTunes<-->Airport streaming media connectivity to connections that originate and terminate on the same subnet. I assume they feel it's a mechanism to help enforce digital rights management.
Just to summarize: I routinely print to my Airport Express units across subnets, and share my iTunes music library to non-AirPort devices on different subnets; I just don't (can't) share my iTunes music library to an Airport Express on a different subnet.
That one limitation aside, they've been a great addition to my network.
FWIW.
Similar Messages
-
I am using both PSE 13 and Lightroom 5. When I use Lightroom as an external editor and save the photo, it shows up in PSE13 as an edited file but does not look any different. Why doesn't it appear edited?
People who have Photoshop, but don't have Lightroom, need ACR so that they can use Raw files. Without ACR they could do nothing with those (they may also like having ACR so that they can work on other kinds of image using the same kinds of adjustments and techniques, as are used with Raw files).
People who have Lightroom, can get access to Raw files regardless whether ACR is present or not. They can use Lightroom on other kinds of image also, using the same methods. LR can pass images directly into Photoshop without passing via ACR (or else does so transparently, which amounts to substantially the same thing).
ACR does not, strictly speaking, even need to be installed for this external editing to happen. In fact, not even PS needs to be - since a different image editor can be used instead, while still retaining the Adobe Raw conversion etc.
Lightroom "subcontracts out" specialised external tasks, in this workflow, but is still your "main contractor": the image is otherwise located, viewed, managed, adjusted/presented and output entirely using LR.
So IMO we can divide image processing into:
operations that involve pixels and layers and layer masks and adjustment layers etc (of the kind done inside Photoshop)
operations that involve parametric edits (of the kind done in ACR where you are not using a Lightroom based workflow; otherwise, done inside Lightroom)
When PS is called in, that's because those tasks are impossible or unsuitable to do in Lightroom. But those tasks can't be done in ACR either - by definition, since LR and ACR have exactly the same image processing "feature set".
Lightroom is irrelevant to the Bridge + ACR + PS workflow. This workflow requires both your PS and your ACR to be current enough, to support your Raw format etc.
ACR and Bridge are irrelevant to the LR + (image editor) workflow. It is in this case, only LR which needs to be current enough to support your Raw format etc.
RP -
Why not make a phone that can hold two different s...
Why not make a phone that can hold two different sim cards ?
11-Jan-2009 10:18 PM
hermandh wrote:
Why not make a phone that can hold two different sim cards ?
I guess time will come...but I don't see the main point of having two sim cards on a phone at the same time?
Knowing the phone won't let this go on, Can you take up two calls at the same time? Probably not.
=) -
Why do I see pictures of a different user but not my own?
Why do I see pictures of a different user but not my own? Opening organizer in Photoshop Elements for the first time, I see pictures of my husband, but pictures in my picture library are not there. I do not want to see my husband's pictures. And he did not give me sharing permission. What can I do?
Do you have two different catalogues (One for you and other one for your husband)
if yes,
In Elements organizer go to File>Manage Catalogs and check if you have any catalogue listed of your name.
if yes, double click on that catalogue and it will open the media on that catalogue. -
Ironport not allowing different subnet using cisco dhcp
Recently i configured new vlan on remote site and directed it to backup link, but strange thing is our wireless clients proxy is working and lan connected pcs proxy is not working,
Ironport is working on default vlan, microsoft dhcp server but i created different vlan and configured dhcp on cisco but it is not allowing access that subnet. using wccp redirect on the interface.
we configured NTLM authentication connecting to AD, the problem is the clients which are different vlan is not in AD, and AD pc in different vlan is working only non AD denied actually we configured guest on authenticaion, and also that subnet is placing remote site and our main site's unknown pcs are accessing throught guest no problem, 2nd thing is main vlan uses MS server 2003 dhcp pool and working non AD users, im using switch own dhcp pool for vlan 200, is it conflict? and when i put ironport ip on IE's proxy setting it is working
How to fix it?Network Side:
---->Cisco 2800-1 (Gre Configured) --> Sat Link-->Cisco 2800-2(Gre Configured)--->
End Users->1-L3-> ---->L3-2(WCCP)---Ironport
---->Cisco 2800-3 (MPLS Configured ) --> Sat Link-->Cisco 2800-4(MPLS Configured)--->
Our network is like this, so through MPLS everything is working fine. The problem is on backup.
End users --> VLAN 1, VLAN 200 and VLAN 1 is default and our AD users, AD users working okay but looks like depending on some operating system Win XP, Win 7 some of them not working, and for VLAN 200 is all unknown pc.
1-L3 doing only routing role.
Cisco 2800-1 and 2800-2 both also configured routing and Gre tunnel.
Cisco 2800-1 Configs
crypto isakmp policy 2
encr 3des
authentication pre-share
crypto isakmp key *** address 10.1.9.254
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile VPN
set transform-set 3DES-SHA
interface Loopback0
ip address 1.2.2.1 255.255.255.252
interface Tunnel0
bandwidth 1024
ip address 10.1.9.250 255.255.255.252
ip mtu 1300
tunnel source 10.2.9.254
tunnel mode ipsec ipv4
tunnel destination 10.1.9.254
tunnel protection ipsec profile VPN
service-policy output QoSTunnel
interface GigabitEthernet0/0
description Connected to Satellite Modem
bandwidth 1024
ip address 10.2.9.254 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/1
description Connected to L3-Switch
ip address 10.2.5.253 255.255.255.240
ip nbar protocol-discovery
duplex auto
speed auto
service-policy input block-p2p
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 1.2.1.1 255.255.255.255 Tunnel0
ip route 10.1.0.0 255.255.224.0 Tunnel0
ip route 10.1.5.240 255.255.255.240 Tunnel0
ip route 10.1.5.254 255.255.255.255 10.1.5.253
on the WCCP configuration L3-2
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.0.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 4
Process: 2
CEF: 2
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 2970
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
sh ip wccp int
WCCP interface configuration:
Vlan6
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan7
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan8
Output services: 0
Input services: 1
Mcast services: 1
Exclude In: FALSE
interface Vlan6
ip address 10.1.0.254 255.255.224.0
no ip redirects
ip wccp web-cache redirect in
ip access-list standard wccp_grp_list
permit 10.1.7.253 ## Ironport IP ##
ip access-list extended wccp_redir_list
permit tcp 10.1.0.0 0.0.31.255 any eq www
permit tcp 10.2.0.0 0.0.31.255 any eq www
permit tcp 10.2.1.0 0.0.0.255 any eq www ## VLAN 1 Users ##
permit tcp 10.2.11.0 0.0.0.255 any eq www ## VLAN 200 Users ##
and Static routings on L3-2.
On Ironport.
connected NTLM to Domain server
Service Profile Name:
Service:
Standard service ID: 0 web-cache (destination port 80)
wccp_redir_list
Router ip address: 10.1.7.254
Load Balancing : Allow hash and mask
Forwarding method: Allow GRE or L2
Return method: Allow GRE or L2
Default Route : to Router IP
And configured Guest privileged so if unknown pc will connect it should go through Guest privilege.
Global Authentication Settings
Action if Authentication Service Unavailable: Block all traffic if authentication fails
Failed Authentication Handling: Log Guest User by: IP Address
Re-authentication: Disabled
Basic Authentication Token TTL: 18000
Transparent Proxy Mode Authentication Settings
Credential Encryption: Disabled
Redirect Hostname: proxy
Credential Cache Options: Surrogate Timeout: 3600 seconds
Client IP Idle Timeout: 3600 seconds
Cache Size: 8192 entries
User Session Restrictions: Disabled
Secure Authentication Certificate: Common name: IronPort Appliance Demo Certificate
Organization: IronPort Systems, Inc.
Organizational Unit:
Country: US
Expiration Date:
Basic Constraints: Not Critical
Enable Identity
Name:
(e.g. my IT policy)
Description:
Insert Above:
Membership Definition
Membership is defined by any combination of the following options. All criteria must be met for the policy to take effect.
Define Members by Subnet:
(examples: 10.1.1.1, 10.1.1.0/24, 10.1.1.1-10)
Define Members by Protocol:
All protocols
HTTP/HTTPS Only
Native FTP Only
Define Members by Authentication:
Select a Realm or Sequence:
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
Advanced
Use the Advanced options to define or edit membership by proxy port, destination (URL Category), or User Agents.
The following advanced membership criteria have been defined:
Proxy Ports: None Selected
URL Categories: None Selected
User Agents: None Selected
Use: NTLMSSP
Identity Policies: Global Group
Settings for Global Policy
Define Members by Authentication: Require authentication
Select a Realm or Sequence: NTLMSSP
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
But the problem is it is not forwarding Guest privilege and browser stuck when loading . -
WLC4402: same VLAN, different subnet - can it work?
Hi,
I bumped into a interesting issue with WLC4402. Management interface and prod-interface were in a same vlan, but they have different subnets. It seems that "there are two subnets in a same vlan" - 192.168.66.0/24 is defined as primary network in the router and 192.168.72.0/24 as secondary. See the pic attached.
At the moment there is v.4.2.176.0 running and it works. When I tried to upgrade it to v.6.0.199.4 something goes wrong. Controller changed prod-interface port to 0 and I can't change it back to 1 or 2. My best quess is that the WLC is not able to handle this kind of setup...but why is it working at the moment??
Any comments would be most appreciated. Thank you.
-PetriIt's actually a wonder/miracle that someone was able to configure this in the first place, to my opinion.
Maybe it was configured with an old WLC release and survived with the upgrade to 4.2
For sure, this is definitely something that the WLC now prevents you to configure. It's not supposed to work, just an example, if you get layer 2 traffic on that vlan (arp for example), where to reply ? you can't know from which subnet it comes from. So it basically means that you are bridging the 2 subnets together and then why not just giving them the same vlan id then ? effect would be the same.
It's anyway going against the linux routing engine, so I'm still wondering how it was working on 4.2
It was probably bridging vlans and doing some unefficient forwarding without you realizing it. So definitely something you should avoid configuring. -
WDS PXE DHCP, Clients on different subnet
Hello,
We are having a lot of trouble trying to get pxe imaging working from our WDS server on different subnets. We have an existing Zenworking imaging setup working as of right now, but WDS is causing more issues than I care to troubleshoot. I have read
blog after blog, forum post after forum post and everyone says just install it and it works! I guess we have run into some sort of problem that nobody else has.
Enviroment:
2x DC's, Server 2012 R2, both run DNS, 10.5.0.101, 10.5.0.102
1x DHCP Server, 2012 R2, 10.5.0.105
1x WDS Server, 2012 R2, 10.5.0.41
If I put a client on the same subnet as all of the servers it seems to work, except for the fact that it takes a while for the client to get an IP and continue to load wdsnbp.com. I would say around 20-30 seconds. In our zenworks enviroment it takes
no more than 1 second to get an IP. As for the dhcp server itself, clients receive normal dhcp offers instantly. So that part is working properly.
Now when I try an access the WDS pxe server from a different subnet other than the one that all of the servers are on, noting that I do have the ip helper address setup on our layer 3 switch:
interface Vlan2025
ip address 10.200.20.1 255.255.255.0
ip helper-address 10.5.0.105
ip helper-address 10.5.0.41
It always says failed to receive boot file. But as I said earlier, clients in windows receive dhcp leases from 10.5.0.105 without issue.
Setting the client options in the DHCP server with options 66 and 67 works sortof, but we found that it was unreliable and often finicky. Like having the system repeatedly ask to press f12, and even if you did press f12 it would still ask to press f12
again.
So I continued to do a wirehark packet capture on the port where the device was trying to get the dhcp/pxe info from the DHCP / WDS servers. The first packet here is from the DHCP server and the second is from the WDS server.
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0xd6c565d2
Seconds elapsed: 0
Bootp flags: 0x8000 (Broadcast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 10.200.20.117 (10.200.20.117)
Next server IP address: 10.5.0.105 (10.5.0.105)
Relay agent IP address: 10.200.20.1 (10.200.20.1)
Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type
Length: 1
DHCP: Offer (2)
Option: (1) Subnet Mask
Length: 4
Subnet Mask: 255.255.255.0 (255.255.255.0)
Option: (58) Renewal Time Value
Length: 4
Renewal Time Value: (21600s) 6 hours
Option: (59) Rebinding Time Value
Length: 4
Rebinding Time Value: (37800s) 10 hours, 30 minutes
Option: (51) IP Address Lease Time
Length: 4
IP Address Lease Time: (43200s) 12 hours
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.5.0.105 (10.5.0.105)
Option: (3) Router
Length: 4
Router: 10.200.20.1 (10.200.20.1)
Option: (6) Domain Name Server
Length: 8
Domain Name Server: 10.5.0.101 (10.5.0.101)
Domain Name Server: 10.5.0.102 (10.5.0.102)
Option: (15) Domain Name
Length: 8
Domain Name: domain.com
Option: (255) End
Option End: 255
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2c565d2
Seconds elapsed: 4
Bootp flags: 0x8000 (Broadcast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 10.5.0.41 (10.5.0.41)
Relay agent IP address: 10.200.20.1 (10.200.20.1)
Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
Client hardware address padding: 00000000000000000000
Server host name: wds1.domain.com
Boot file name not given
Magic cookie: DHCP
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.5.0.41 (10.5.0.41)
Option: (97) UUID/GUID-based Client Identifier
Length: 17
Client Identifier (UUID): eb8daa31-8e62-11df-bbd8-d1c565d278e7
Option: (60) Vendor class identifier
Length: 9
Vendor class identifier: PXEClient
Option: (53) DHCP Message Type
Length: 1
DHCP: Offer (2)
Option: (255) End
Option End: 255
What I find interesting is that the WDS server is not handing out a boot file name:
"Boot file name not given"
Could this be the reason why we receive the no boot file received error when trying to boot a client into pxe?
The other thing that I noticed was that the WDS server is also responding with the:
" Option: (60) Vendor class identifier
Length: 9
Vendor class identifier: PXEClient
Why would it be responding with this, when the dhcp is on a separate server. Is this option only if you have DHCP and WDS on the same server?
Any help would be appreciated as there has been too much time already spent on getting nowhere.
Thanks,
Dan.Dan,
10 months later and not one reply... I'm having the same issue, did you ever figure this out? DHCP server is my Cisco Switch, WDS/PXE is on another network. The WDS and PXE is working fine as I can do so from the same network as the WDS/PXE
server. I can also get the WDS/PXE to work if I have a MS DHCP server on a different network and populate the option 66 and option 67. I cannot get this to work using Cisco ip helper-address for some reason.
Thanks, -
Streaming music on different subnet
I've got a fairly basic network setup. I'm using adsl with a cisco 837 router. My isp has assigned me 16 static ip addresses. I've got a local dhcp server which hands out a range of ip's that have been provisioned to me via my isp which are used for workstations (laptops, desktops, et al), with the remaining staticly assigned (servers for example).
diagram;
telco=] 837/router -> switch -> devices
Everything is connected directly to the switch, except for wireless clients.
Now, to keep myself from running out of the 16 assigned ip addresses, I've setup a seperate subnet for devices which won't need contact with the internet world.
Those devices I've put under 10.1.0.0 of which I've given my airport express a 10.1.0.0 address.
Under iTunes on my iMac the airport express is listed in the drop-down box, when I select it, it sits forever stating it's connecting to the airport express.
On the other hand iTunes running on my laptop running windows does not present the drop-down box.
Is there any way to correct this, without having to give the airport express a public (non 10.x.x.x) ip address?You have given the AE an IP address for a network,
not a device on that network based on a standard
subnet mask. Each network has two unassignable
numbers, the IP address of the network, and
broadcast. Try 10.1.0.1 for your AE.
I was just giving an example of the network configuration, the ip address of the AE is not actually 10.1.0.0 but 10.1.0.4.
If you want
devices on different subnets to have access, they
need to at least be on the same network, and then
alter the subnet mask for them so both subnets appear
on the same network.
They are on the same network, in the sense that I can talk to a 10.1.0.x address from one of my public ip addresses and vice versa. The only difference is 10.1.0.x cannot talk to anything wan side where machines/devices with a public address can.
Devices assigned with the
public network IPs will be difficult to configure, so
they see the private non-routable network, but I
think it can be done???? I would try another
scheme.... give the AE one of the static IPs and then
NAT with it. Then it would be a Gateway to the
computers behind it for the others in your public
range.... but that's just me . Hope that helps.
I am not looking to setting up NAT. I already have a gateway, the cisco 837 router. I already have a wireless access point which I recently mounted. Thus, I'm not needing any of the wifi capabilities of the AE, but just the airtunes facilities to local machines running on my lan.
Just to reclarify, I have an ip range in the 217.155.6.x block, and to keep myself from using all of the ips in that block, I'm using 10.1.x.x addresses (non-traversable) for the remaining bits that don't require wan side communication.
Michael -
Question:-
I created an Apple ID using my ISP Email when I registered at the Store/Apple Support Communities/iTunes/Face Time or other portal and it does not work in iChat. Why Not ?
Answer:-
For a Name to work in iChat it has to be an Valid AIM screen Name.
Only Apple IDs from the @mac.com ending names registered here and the Mobileme (@Me.com ending) names are Valid with the AIM service as well as being Apple IDs
(I am still working on info about registering with iCloud at the moment but if this does give you an @Me.com email it may well be a valid AIM name as well)
NOTES:-
The @mac.com page works by linking an external (Non Apple) email with a @mac.com name.
This External Email cannot be one linked to an Existing Apple ID (you have to use a second email or register at AIM )
The options at AIM are to use your existing email or create new name and link the existing only for Password recovery
MobileMe (@me.com ending names) were valid Emails addresses, Apple IDs AND a Valid AIM Screen Name
@mac.com names look like emails but are only Apple IDs and iChat/AIM Valid Screen Names.
The AIM registration page seems to be pushing you to register [email protected] This is relatively new and I have not followed through the pages to find out if it a valid AIM email (Previously you could register a name without an @whatever.com suffix)
8:16 PM Friday; June 10, 2011
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb( 10.6.7)
Mac OS X (10.6.7),
"Limit the Logs to the Bits above Binary Images." No, SeriouslyQuestion:-
So I have my current [email protected] email in iChat as I thought as I had linked that to an Apple ID it was a Valid iChat Name. It keeps coming up with a UserName or Password Invalid message. What do I do next ?
Answer:-
Open iChat
Go to the Menu under the iChat name in the Menu Bar and then Preferences and then Accounts in the new window.
Commonly written as iChat > Preferences > Accounts as directions/actions to take.
If it displays with a Yellow running name in the list you have a choice.
Either register it at AIM (I would use a different password to the ISP Login) and then change the password only in iChat (It may take you to confirm any Confirmation email from AIM first) in iChat > Preferences > Accounts
Or you register a new Name at AIM (Or at @mac.com) and enter that (details below)
If you have a Blue Globe name (@mac.com) that will not Login the chances are that it the password that is the issue.
Apple lets you create longer passwords than can be used with the AIM Servers.
Change the Password at iForgot to no more than 16 characters.
Then change the password in iChat as details above.
Adding a new Account/Screen Name in iChat (that is valid with the AIM servers)
Open iChat if not launched.
Go to iChat Menu > Preferences > Accounts
Click the Add ( + ) Button at the bottom of the list.
Choose in the top item drop down either @Mac.com or AIM depending on what you registered
Add the name (with @mac.com the software will add the @mac.com bit)
Add in the password. (If you don't add it now iChat will ask you each time you open it)
Click Done.
The Buddy List should open (New Window)
The Accounts part of the Preferences should now have the new name and you should be looking at the details.
You can add something in the Description line which will then title the Buddy List (Useful when you have two or more names) and make it show up as that in the iChat Menu > Accounts and the Window Menu of iChat when logged in.
You can then highlight any other Account/Screen Name you don't want to use and use the Minus ( - ) Button to delete it.
8:39 PM Friday; June 10, 2011
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb( 10.6.7)
Mac OS X (10.6.7),
"Limit the Logs to the Bits above Binary Images." No, Seriously -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymousHi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per you recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
Can ARD 3 now share a screen across 2 different subnets
We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
Does anyone know or have the ability to test to see if this is different is 3.0. I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
Thanks,
GregStill no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
However, our motivation to upgrade is dependant on wether or not the ability to route traffice over multiple subents is fixed or not. So we'll wait and see. If anyone can easily test this. I'd love to know. Sounds like a few other people are hoping to hear something as well.
Thanks in advance,
Greg -
WRV200 IPSEC VPN to a remote site with 2 different subnets
Hi,
My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
Anyone been able to get this working?Hi,
Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connections you have to consider what the source addresses for the Web server connections can be?
It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
Judging by your examples it would seem that you are using a 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
- Jouni -
Hi,
I use a couple of different programs when working with ID3 tags. With one it uses the CDDB to autotag the songs. The other I use for cleaning up tags when needed, or use it to rename files for songs based on the tags.
What I'm wondering is why iTunes couldn't incorporate something similar to look up track info? I know you can do it when importing a CD using iTunes, but why not for mp3s that you get elsewhere? Is it just because iTunes only wants you to get music you buy from them, thus they make it hard?
Just wondering and wanted others' opinions.
Thanks,
ipod the sheriff (but I didn't shoot the mp3s)This is not a problem with iTunes. If you're dealing with AIFF or WAV files, then little if any metadata will/can be preserved. Apple Lossless, AAC and MP3 all retain metadata when transferring to another computer, providing the other computer is running iTunes or otherwise using software capable of reading the necessary metadata.
I should perhaps point out that passing along your music files to friends is usually in violation of applicable laws and regulations, unless you own full rights to the music. -
How to map two different subnets to one SSID
Hi Experts ,
we have two offices in same city at different location however we are planning to bring both the office at same location.
Now lets say site A has controller 5508 configured with 24 AP's with 10.10.10.x subnet for internal SSID and Site B which is shifting to Site A campus has different subnet ( 10.10.20.x ) for same SSID.
Site B has no controller since they had connection with H-reap and they were using different subnet for internal SSID ( 10.10.20.x ) .....
Now i need to add their AP's in Site A controller which will be extended wireless LAN however we would like to keep same subnet ( 10.10.20.x ) what Site B has for wireless clients which is really confusing me ....
I have already client subnet for site A with 10.10.10.x /24 subnet and nearly 200 users are already using this wireless client subnet....
How do i add their ( Site B ) subnet / 10.10.20.x with same SSID configured which is globally only one SSID ?
limitations :
I can not create new SSID for site B since same will be broadcasting even in Site A AP's
Is this possible to map one more subnet of site B to existing SSID with already different subnet ( 10.10.10.x ) ?
Your suggestions will be really helpful for me to go ahead and understand in better manner ...Well first off, you need to bring that subnet over to site a without breaking any routing. Once you do that then sites B subnet will have a different vlan than site A of course. Now with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites, you can name it by vlan or by any name you want. Now in the ap group for site A, you define what SSID's you want and map the vlan to that ap groups. Then add sites A AP's to that group. You do this also for site B's AP's and map the SSID to the new subnet you brought over and move the AP's to that group. The APs from site B would have to be setup in local mode not hreap.
Makes sense
Sent from Cisco Technical Support iPhone App -
MRER - Error - different tax coutries not permited in one document
Dear Expert,
I am facing problem while processing MRER transacation, System is throwing the error message - Different tax countries not permited in one document.
I am trying to post w.r.t the PO/ Material document, My PO type is Distributed release order ( Return PO)
But when i tried to post the same document through MIRO transaction( Credit memo) , i can able to post successfuly without any error.
I have checked following things for ERS( evaluated receipt settlement).
Creating PO & GR trough Idoc, no manual creation.
1. Vendor master is marked for ERS.
2. ERS is active in PO.
3.For me Vendor is belong to Poland(PL), Comapany code is : Germany(DE) , and Plant is Hungery(HU).
4.in FTXP for a country DE(Germany) reporting courty has been defined as "HU" Hungery & for Hungary(HU) there is not any reporting courty defined.
5.Tax code which is mantained is available for both HU, DE,
6.plant is active as a abord plant.
I hope all these setting are OK, if any thing is wrong please guide me.
Requested all of you please guide me , what is going wrong while processing the MRER / MRRL transaction.
or is there any standard SAP note is there for such scenarios & that i have to implement, if yes , it will be greate help if i will get the SAP notes.
Appreciated your ernest help on above.
Thanks & Regards
Omhi
The system issues this error message if different tax codes are used with different reporting countries (T007A-LSTML) in the billing document and this billing document also generates a customer line item.
Different reporting countries are required for the 'Plants abroad' function. However, the plants abroad billing document does not generate a customer line item, which is why the system does not issue this error message in this case.
plz check the tax code and counties
Maybe you are looking for
-
How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"
Can someone help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p> "Service Account Name" and "Display Name"<o:p></o:p> Your help will be greatly appreciated.<o:p></o:p> leonie6214
-
Hello for some reason when I click on the App Store icon on my iPad it sends me to the US version not the UK where I live! I have no idea how to switch this back so that I can update my apps etc All help welcomed
-
Itunes won't open unless I disconnect the network/internet, why?
My Itunes won't open (after clicking the icon and seeing it running in task manager) until I disconnect the internet connection. How do I fix this? I have the latest version of Itunes and Quicktime installed.
-
Keyboard cleaning after a spill
A couple days ago, flying back to school a flight attendant knocked over my apple juice onto my keyboard. I quickly shut it off, turned it upside down to let it drain out, and then used damp napkins to try to get all of it out. I waited a while, turn
-
Hi, I have got SQL 2005 Developer edition running and Websphere 6.1 installed, however when I run the LC configuration manager, at the steps where it tests the connection to websphere server, I get the following error: Failed to run JACL scripts. Doe