Associating NAT with a specific network service definition... how?

I don't know if this is possible, but if it is I would value any help in configuring it on SLS 10.6.2
I have an SLS 10.6.2 server running on a Mac Mini. It connects to multiple static IPs via a number of 'virtual' network services using its single ethernet connection. This is achieved by simply creating new services in System Preferences / Network associated with the ethernet interface, and defining each to have its own fixed IP within our assigned static IP range. This allows the mini to listen for and respond to multiple public IPs. The various bits of software on the mini are configured to 'listen' to their own IP only. The approach works well for this purpose.
We are using SLS VPN to allow connections to the server from remote locations, and currently provide these with access to the public internet by setting up the VPN to assign one of the unused static IP address in our block to the incoming connection. It works fine unless there is more than one person wanting to use the VPN connection...
So I would like to set up a NAT configuration on the unused IP address and associate this with a private network range (e.g. 192.168.x.x), and then get the VPN to allocate incoming connections one of the IPs from that range.
When I try to configure NAT using server preferences, I only have the option of attaching it to one of the defined network interfaces (e.g. ethernet, airport, firewire), but not to a specific service attached to the ethernet connection.
Is it possible to do this? If so how?
Alternatively, is it possible to configure an unused network connection (e.g. the FW connection) to point to the required fixed IP, even if it is not physically connected to anything? If I could do this, I could side-step the problem.
Thanks in advance for any help.
Message was edited by: Gavin Lawrie

Get yourself a server-grade firewall (VPN, DMZ, port-mapping, syslog, etc) and move on.

Similar Messages

  • Any kind of bandwith limiting or priority for specific network services ?

    I tried IPQoS to limit the bandwidth for an ftp service. This is very well documented in the IPQoS Administration Guide, but it seems to have no effect at all in my LAN. The ftp transfer still consumes all
    available bandwidth and any other interactive traffic like ssh is slow as hell. I think this is due to the fact that I do not have a diffserv-capable router. Is it correct that IPQoS in Solaris 9 only marks packets but doesn't do anything else?
    My kstat output says:
    "kstat -m tokenmt"
    module: tokenmt instance: 10
    name: tokenmt statistics class: meterftp
    crtime 171043.6888275
    epackets 0
    green_bits 369888
    green_packets 196
    red_bits 205079496
    red_packets 18160
    snaptime 174628.7017885
    yellow_bits 0
    yellow_packets 0
    Nearly all packets are marked red and the target for red packets is markAF31 with dscp_map{0-63:26}.
    Strange to see that "kstat -m dscpmk" shows no results at all. This is possibly a bug or not well
    documented in the IPQoS Administration Guide.
    Is there any (other) way to prioritize interactive traffic or limit/shape the bandwidth for specific services without additional hardware in my network?

    You may have already resolved your problem, but here is what I've been using -- I'm just recently (like two days ago) trying IPQoS.
    As you can see from my config I really restricted bandwidth so I could see the reaction, and tested with a specific machine so it wouldn't mess with other stuff. Turn on ftp hash and watch it crawl. I've only tested outgoing so far, but will also test incoming.
    We are not using DiffServ on our routers, so I just drop 'red' packets. I'm using yellow just to play and get stats.
    I was looking for tools to read the flowacct data when I came across your post.
    Good luck!
    fmt_version 1.0
    # TEST configuration
    # Monitor and gather ftp statistics from pilasvp101 (only)
    # this host: ssrv194bw (163.241.195.249)
    # this host: pilasrp101 (163.241.205.147)
    # remote hosts: pilasvp101 (163.241.195.240)
    # Classifier: every ftp / ftp-data flow to or from the remote host lands in
    # class ftp_traffic, which hands the packet to the meter_ftp action.
    action {
        module ipgpc
        name ipgpc.classify
        params {
            global_stats TRUE
        }
        class {
            name ftp_traffic
            enable_stats TRUE
            next_action meter_ftp
        }
        filter {
            name ftp_in
            sport ftp
            saddr 163.241.195.240
            direction LOCAL_IN
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_data_in
            sport ftp-data
            saddr 163.241.195.240
            direction LOCAL_IN
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_out
            dport ftp
            daddr 163.241.195.240
            direction LOCAL_OUT
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_data_out
            dport ftp-data
            daddr 163.241.195.240
            direction LOCAL_OUT
            ip_version V4
            class ftp_traffic
        }
    }
    # 10 Mbps, or 10000000 bits per second.
    # 100 Mbps, or 100000000 bits per second.
    # 1000 Mbps, or 1000000000 bits per second.
    # USED BELOW:
    # committed_rate - 100000 bits per second = 0.10 Mbps.
    # committed_burst - 100000 bits per second = 0.10 Mbps.
    # peak_rate - 150000 bits per second = 0.15 Mbps.
    # peak_burst - 150000 bits per second = 0.15 Mbps.
    # committed_rate - allowable transmission rate
    # committed_burst - allowable burst size. Defines how many outgoing packets
    #                   of a particular class can pass onto the network at the
    #                   committed rate.
    # peak_rate - peak rate in bits per second
    # peak_burst - peak or excess burst size in bits. The peak burst parameter
    #              grants to a traffic class a peak-burst size that exceeds
    #              the committed rate.
    # color_aware - turns on color-aware mode for tokenmt, which expects the
    #               bits to have already been modified for DSCP
    # color_map - defines an integer array that maps DSCP values to
    #             green, yellow, or red.
    # red_action - action to take when traffic flow exceeds peak rate
    # yellow_action - the packet causes the flow to exceed its committed_rate
    #                 but not its peak rate (committed_burst). This must be used
    #                 if 'peak_rate' is defined.
    # green_action - action to take for conforming traffic flow
    # global_stats - enable metering stats for the class
    action {
        module tokenmt
        name meter_ftp
        params {
            global_stats TRUE
            committed_rate 100000
            committed_burst 100000
            peak_rate 150000
            peak_burst 150000
            red_action_name red_accounting
            yellow_action_name yellow_accounting
            green_action_name green_accounting
            color_aware FALSE
        }
    }
    # timer - scanning interval in milliseconds (default 15 seconds)
    # timeout - a flow "times out" when its packets are no longer seen
    #           by the IPQoS system in milliseconds (default 60 seconds)
    # max_limit - maximum number of entries a flow table can contain
    # Red packets are accounted and then dropped; yellow and green continue.
    action {
        module flowacct
        name red_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action drop
        }
    }
    action {
        module flowacct
        name yellow_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action continue
        }
    }
    action {
        module flowacct
        name green_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action continue
        }
    }
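    The question's kstat counters (196 green, 18160 red) and the reply's meter_ftp parameters are both explained by the two-rate, three-colour token-bucket algorithm (RFC 2698 trTCM) that tokenmt implements. The following is an added example, not Solaris code or code from either poster: a Python model of that meter, fed with constructed packet traces and using the reply's committed/peak rate and burst values. It shows that a bulk transfer drains the committed bucket after a handful of full-size frames, then the peak bucket, after which everything is red (and, with the reply's red_action of drop, discarded), while the same frames paced below the committed rate stay green.

```python
"""Two-rate, three-colour meter (RFC 2698 trTCM): the model behind IPQoS tokenmt.

Added example, not Solaris code. Parameters mirror the meter_ftp action in the
reply above (rates in bits/s, bursts in bits); the packet traces are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenMeter:
    committed_rate: int    # CIR, bits per second
    committed_burst: int   # CBS, bits (depth of the committed bucket)
    peak_rate: int         # PIR, bits per second
    peak_burst: int        # PBS, bits (depth of the peak bucket)
    tc: int = field(init=False)   # tokens currently in the committed bucket
    tp: int = field(init=False)   # tokens currently in the peak bucket
    last_us: int = 0              # time of the last refill, in microseconds

    def __post_init__(self) -> None:
        # A fresh meter starts with both buckets full.
        self.tc = self.committed_burst
        self.tp = self.peak_burst

    def _refill(self, now_us: int) -> None:
        dt = now_us - self.last_us
        if dt < 0:
            raise ValueError("packet timestamps must be non-decreasing")
        # Integer arithmetic keeps the simulation exact and reproducible.
        self.tc = min(self.committed_burst, self.tc + self.committed_rate * dt // 1_000_000)
        self.tp = min(self.peak_burst, self.tp + self.peak_rate * dt // 1_000_000)
        self.last_us = now_us

    def colour(self, size_bytes: int, now_us: int) -> str:
        """Colour-blind trTCM decision for one packet (RFC 2698, section 3)."""
        bits = size_bytes * 8
        self._refill(now_us)
        if self.tp < bits:          # exceeds the peak rate: red, no tokens taken
            return "red"
        self.tp -= bits
        if self.tc < bits:          # within peak but above committed: yellow
            return "yellow"
        self.tc -= bits
        return "green"              # conforming traffic


# The meter_ftp parameters from the reply's ipqosconf file.
FTP_METER_PARAMS = dict(committed_rate=100_000, committed_burst=100_000,
                        peak_rate=150_000, peak_burst=150_000)


def run_meter(params: Dict[str, int], packets: List[Tuple[int, int]]) -> Dict[str, int]:
    """Meter a trace of (timestamp_us, size_bytes) and return kstat-style counters."""
    meter = TokenMeter(**params)
    counters = {f"{c}_{k}": 0 for c in ("green", "yellow", "red") for k in ("packets", "bits")}
    for ts_us, size in packets:
        colour = meter.colour(size, ts_us)
        counters[f"{colour}_packets"] += 1
        counters[f"{colour}_bits"] += size * 8
    return counters


# Constructed traces: twenty 1500-byte ftp-data frames arriving back to back,
# and the same twenty frames paced one second apart (12 kbit/s, under the CIR).
BULK_BURST = [(0, 1500)] * 20
PACED = [(i * 1_000_000, 1500) for i in range(20)]

if __name__ == "__main__":
    for label, trace in (("bulk burst", BULK_BURST), ("paced", PACED)):
        print(label, run_meter(FTP_METER_PARAMS, trace))
```

    With a 100000-bit committed burst, eight 12000-bit frames fit before the committed bucket is empty; the 150000-bit peak bucket then carries four more as yellow, and the rest of the burst is red. A meter alone only colours; the reply's flowacct action with next_action drop is what turns red into lost packets, which is why the questioner saw marking but no shaping.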

  • Destination NAT with a specific origin ASA 8.2

    Hello Everyone,
    I need to configure destination NAT in my ASA 8.2 version only for a specific origin.
    Today, the network 10.84.25.0/24 accesses the web server with IP 172.17.3.150. I need to NAT the IP 172.17.3.150 to 10.96.202.10 only for the
    10.84.25.0/24 network.
    How can I configure this in the 8.2 version?
    Tks!

    Hi,
    I am not quite sure how the setup is on your ASA currently but the following configuration option came to mind
    Interfaces "dmz" and "inside"
    10.84.25.0/24 = "inside" network
    172.17.3.150 = "dmz" server real IP
    10.96.202.10 = "dmz" server mapped IP
    access-list DMZ-SERVER-POLICYNAT remark Policy NAT for DMZ Server
    access-list DMZ-SERVER-POLICYNAT permit ip host 172.17.3.150 10.84.25.0 255.255.255.0
    static (dmz,inside) 10.96.202.10 access-list DMZ-SERVER-POLICYNAT
    Hope this helps
    - Jouni

  • Query to list computers with a specific network printer using sccm 2007

    Hi to all,
    I really need help to create a report that lists all the computers which have a network printer "MAXXX" installed. I would like to do it using SCCM 2007.
    Thank you in advance for your help.
    Regards,
    Stephane.

    CM07 does not collect this information. Printers are a user setting, and therefore you will need to create a script to inventory the printer for each user; then you can have CM07 collect & report on them.
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • Mapping with multiple adaptive web service model-how to map?

    Sorry, I've posted this two times... sorry.
    Edited by: Anna_von_Landsberg on Jan 5, 2011 8:32 PM

    Hi Bhargava,
    thank you for your effort.
    The node structure of web service looks like this:
    NewAWS2Model
    -Context
    Number
    NameFirst
    NameLast
    Street
    HouseNo
    PostCode
    City
    -NewOperartion
    In
    -Request_NewOperation
    ---NewOperation
    ---Response
    -Response_NewOperation
    This web service gives no response back. It just starts the BPM process. Everything works well, except for passing ALL values of the parameters in Context: Number, Name, Street...
    When I have two streets, I want the two streets to be saved in the parameter street, and so on...
    Additionally, here is the method created by the application for this web service:
    public void initRequest_NewOperation() {
        //@@begin initRequest_NewOperation()
        //$$begin Service Controller1(-482113598)
        // Generated Web Dynpro code: one request element with its nested In (Context) and Response objects.
        com.sap.demo.changedataportaldc.wd.models.newaws2model.NewAWS2Model newAWS2ModelModel = createAndMapModelInstance_0("com.sap.demo.changedataportaldc.wd.models.newaws2model.NewAWS2Model");
        com.sap.demo.changedataportaldc.wd.models.newaws2model.Request_NewOperation request_NewOperation = wdContext.nodeRequest_NewOperation().createAndAddRequest_NewOperationElement().modelObject();
        com.sap.demo.changedataportaldc.wd.models.newaws2model.NewOperation newOperation = new com.sap.demo.changedataportaldc.wd.models.newaws2model.NewOperation(newAWS2ModelModel);
        request_NewOperation.setNewOperation(newOperation);
        com.sap.demo.changedataportaldc.wd.models.newaws2model.Context in = new com.sap.demo.changedataportaldc.wd.models.newaws2model.Context(newAWS2ModelModel);
        newOperation.setIn(in);
        com.sap.demo.changedataportaldc.wd.models.newaws2model.Response_NewOperation response_1 = new com.sap.demo.changedataportaldc.wd.models.newaws2model.Response_NewOperation(newAWS2ModelModel);
        request_NewOperation.setResponse(response_1);
        //$$end
        //@@end
    }
    I hope this is the information you need? Or is there something else?
    Thank you very much
    best regards
    Anna

  • Limited network service profile using zonecfg

    Is there a zonecfg command that will set a local zone up with the limited network service profile (e.g. disable all remote access services except ssh)? I am in the process of creating scripts to create zones using zonecfg -f zonecfg_command_file, and would like to include this in the zonecfg_command_file if possible. I already know how to set up this profile manually after the zone has been installed and before booting it.
    Thanks,

    Hi Mohammad,
    1. To utilize the KVM, you need to configure the IP management pool, from which the IP addresses are automatically taken. All IP addresses in the management IP pool must be in the same subnet as the IP address of the fabric interconnect.
    2. If you shut down the blade (that has a service profile associated to it) and move the blade to another slot, the service profile will NOT follow the blade. The service profile will have a configuration error saying that the server resource is unavailable. The blade in the new slot will come up as unassociated.
    Hope this helps to clarify.
    Thanks,
    Michael

  • SharePoint Designer 2013 (2010 Platform Workflow) - How can I create a new list item with a SPECIFIC content type?

    In SharePoint 2010 I created workflows that used the 'Create list Item' Action, which then set the Content Type ID (so I could create documents of various types in a document library). 
    We just switched to the SharePoint 2013 platform, and now the drop down for Content Type ID is blank in all of the workflows that are still using the SharePoint 2010 platform.  Is there any way to create a list item with specific content
    type?  Even if I could just input a string into that field instead of using this blank drop-down.  Please help! 

    Hi Sarah,
    According to your description, my understanding is that you cannot create a new list item with a specific content type using SharePoint 2010 Platform Workflow.
    I tested the same scenario in my environment, and the Create List Item worked fine with the specific content type.
    How did you create the content type?
    Please check if the content type is added to the list/library the workflow associated with.
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Many of the times my iPhone 5s shows "No Service" in the specific network area, but if the same SIM card is used with other mobiles in the same network area, it shows good network. I did a restore but it is still not working. Please help me.

    My iPhone 5s shows "No Service" in the specific network area, but if the same SIM card is used with other mobiles in the same network area, it shows good network. I did a restore, changed the SIM card and reset all the settings, but it is still not working... Please help me.

    Please do not double post a subject. iPhone 5S: I answered your other thread.

  • Many of the times my iPhone 3G 16GB shows "No Service" in the specific network area, but if the same SIM card is used with other mobile handsets in the same network area it shows full network. Is this an iPhone 3G handset problem or is it the network

    Many of the times my iPhone 3G 16GB shows "No Service" in the specific network area, but if the same SIM card is used with other mobile handsets in the same network area it shows full network. Is this an iPhone 3G handset problem or is it a problem with the network service provider for iPhone in India with Airtel?

    Try to reset the network settings through Settings/General/Reset/Reset Network Settings (after clicking on it the phone will ask to reboot).
    According to my R&D I have experienced that one must reset the network each time when we are at home or in the office or other places; after resetting the network settings the phone acquires the area-specific network settings and works well. Try it, and if you find any other solution do let me know.
    Calling up customer care did not help me; they keep us in a loop with the same old answers that "Our technical team is working on it & WILL GET BACK TO you", leaving us with no solution at the end.
    Try what I suggest; I think it will help you.

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

  • HT1178 I bought Time Capsule specifically to back up my computer at work. Only my computer. I completed the steps the best of my knowledge but I got the message, "This device & its network services will be temporarily unavailable. Are you sure you want to

    I bought Time Capsule specifically to back up my computer at work. Only my computer. There are many computers within my department. I completed the steps to the best of my knowledge but was unsure of which option to click. I clicked "I want to create a new wireless network". At the onset the instructions said I needed to connect with an ethernet cable, which I did. But I have no desire to connect to the internet, print from it, or have others access it. I did deselect guest options, and I did put in passwords. But at the end of the process I got the message, "This device & its network services will be temporarily unavailable. Are you sure you want to continue."
    I was worried this would shut me down and I wouldn't be able to continue to work. I don't necessarily need to connect wirelessly. It is connected via ethernet cable from machine to device.
    Can you advise me how to continue? Did I choose the wrong options?

    I bought an external hard drive called "Seagate Backup Plus" From the Apple store to back up everything on my computer and anything new on my computer. It came with Time Machine. The external hard drive disk had 1 or 2 Terabytes. Time Machine says "next backup: When disk is connected." "Oldest backup: July 2, 2014." & Also "Latest back July, 2."

  • I have placed my SIM card into my iPhone 5c and have confirmed co with my cellular network provider. However, despite numerous reboots I am still getting "No Service" in the top left corner. Please advise.

    I have placed my SIM card into my iPhone 5c and have confirmed co with my cellular network provider. However, despite numerous reboots I am still getting "No Service" in the top left corner. Please advise.

    Contact the carrier and troubleshoot the issue.

  • How to know the forms associated with a specific transaction

    Hi..
    Can anyone please suggest to me how to know the forms associated with a specific transaction?
    For example, in the Finance module.
    I came to know from SDN that the form associated with F.64 is F140_acc_stat_01.
    But I need the steps for how to track the form name.
    Regards..
    Vinodh

    Hi,
    1. We can't find the forms associated with a specific transaction.
    2. But, based on the requirement, we can go for the form selection.
    3. Suppose in accounts payable and receivable we have different forms like customer statement, dunning and check form etc.
    4. The functional people can find the form name in SPRO and give the details of the requirement.
    5. If you have the output type or form name you can go to the TNAPR and TTXFP tables and search for the respective object.
    6. For FI you can directly find it in SPRO by searching with the form name.
    Regards,
    If helpful reward with points(Don't forget).

  • Network Service Order Causing Conflict with Private DNS on Local Network

    I'm currently working on deploying a Snow Leopard Server-based setup for a university student-run television station, using a Mac mini Server. Because our university's own networking infrastructure is somewhat wonky and restrictive, I have recently networked our station's six other computers and the Mac mini Server together through wired Ethernet, using an AirPort Base Station as a router along with some D-Link Ethernet switches.
    As a result, our computers are networked together on their own network completely independently from our university's network, but because this wired network has no internet access, all of our computers connect to our university's wi-fi network over AirPort for internet access.
    I've set up Snow Leopard Server with a private DNS name "atvserver.private" and am intending to use this server internally for file sharing, directory services, and Wiki Server (and possibly Podcast Server). However, because of the service order in Network Preferences, if our client computers are set to give AirPort priority, then they can connect to the internet, but cannot connect to the server's private DNS. On the other hand, if our client computers are set to give Ethernet priority, they can connect to the server, but lose their internet connection.
    The only solutions that I can think of are:
    1) Bridge the university's internet connection on our private wired network (but the university will not allow us to do this because it violates their security policies), or
    2) Come up with some way to bypass the networking service order so that "atvserver.private" goes to the Ethernet network, while everything else goes to the public internet over AirPort.
    Any ideas on how to solve this problem?

    What's the IP range and subnet for the university network?
    The issue has nothing to do with the IP addresses/subnets in use. It's about DNS resolution.
    Fortunately the solution is simple.
    Configure the DNS server on the SLS with the zone(s) for your private LAN.
    Enable DNS forwarders with the IP addresses of your university's DNS servers.
    Point your clients to your SLS for DNS service.
    Now all DNS requests from these clients will go to your server. For zones this server is responsible for (i.e. your private LAN) the server will reply, for all other lookups it will refer to your university's DNS servers for resolution.
    In this way your clients can resolve your private zones, the university's zones and public DNS hostnames. Problem solved.

  • GRE Tunnel/NAT with multiple subnets and interfaces

    So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
    Here is the situation...
    We are migrating some equipment between datacenters.  The equipment only has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter.  Further, because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter we will be deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
    We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy, and we tested it in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
    Essentially what we had/have and how it was configured is as follows:
    Site A
    Edge Router - x.x.x.x /24 BGP announcement
    x.x.x.y/27 that is within the /24 that we need at site b
    GRE tunnel configuration
    interface tunnel0
      ip address 10.x.x.1 255.255.255.252
      tunnel source <router edge IP>
      tunnel destination <site b router edge ip>
      keepalive 10 3
    static route for site a public ip to bring it to site b via GRE tunnel
    ip route x.x.x.y 255.255.255.224 10.x.x.2
    Site B
    Edge Router - y.y.y.y /24 BGP announcement
    Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
    2 Vlans (1 for site a ip space, 1 for site b ip space)
    int vlan 50
    ip address x.x.x.1 /27
    int vlan 51
    ip address y.y.y.129 /25
    Trunk port for the VLANs going down to an ASA
    int g1/1
      swi mode trunk
      swi trunk native vlan 51
      swi tru all vlan 50,51
      swi tru en dot1q
    Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
    int e0/0
     nameif outside
     sec 0
     ip address y.y.y.130 /25
    int e0/0.50
     nameif outsideold
     sec 0
     ip address x.x.x.2 /27
     vlan 51
    int e0/1
      nameif inside
      sec 100
      ip address 192.168.y.1 /24
    int e0/1.60
      nameif insideold
      sec 100
      ip address 192.168.x.1 /24
      vlan 60
    A static route using the new ip space on the native outside interface...
    route 0 0 y.y.y.129
    And then I have some nat rules which is where I think things go a little haywire...
    object network obj-y.y.y.0-24
      subnet y.y.y.0 255.255.255.0
     nat (inside,outside) dynamic interface
    object network obj-x.x.x.0-24
      subnet x.x.x.0 255.255.255.0
     nat (insideold,outside) dynamic interface
    object network obj-y.y.y.135-160
      range y.y.y.135 y.y.y.160
    object network obj-192.168.y.135-160
      range 192.168.y.135 192.168.y.160
      nat (inside,outside) static obj-y.y.y.135-160
    object network obj-x.x.x.10-20
      range x.x.x.10 x.x.x.20
    object network obj-192.168.x.10-20
      range 192.168.x.10 192.168.x.20
      nat (insideold,outsideold) static obj-x.x.x.10-20
    From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
    object network obj-192.168.x.10-20-2
      range 192.168.x.10 192.168.x.20
      nat (insideold,outside) static obj-x.x.x.10-20
    There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
    Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
    1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
    2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
    3.  ICMP packets to the "old ip range" flowed perfectly fine to a one-to-one NAT IP (ie I could ping x.x.x.20 from outside) and likewise I could ping anywhere on the internet from a machine with a static natted IP.
    4.  Here's the but... no traffic other than ICMP would reach these machines with static IPs.  Same range, same subnet as the ones using the dynamic port translation that worked perfectly.  I do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
    A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
    B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
    C. Confirmed local windows machine firewall was off and not blocking anything.
    D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does.  Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
    So what simple piece of the NAT configuration am I overlooking, because I cannot possibly wrap my head around it being anything else.
    Any suggestions / lessons would be greatly appreciated.
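    The post's own finding, that a second static rule for the (insideold,outside) pair was needed before 192.168.x.10-20 was translated on the default route, follows from how the ASA selects an object NAT rule: the rule's interface pair must match the flow's ingress and routed egress interface, and only then does the real-address range matter. The following is an added example, not Cisco code or code from the poster: a Python model of that selection, including the section-2 ordering for object NAT on ASA 8.3 and later as I understand it (static before dynamic, fewer real addresses first, then lowest real address, then object name). The addresses are documentation-range stand-ins for the post's x.x.x, y.y.y, 192.168.x and 192.168.y placeholders, and the rules are the ones listed in the post.

```python
"""Model of ASA 8.3+ object (auto) NAT rule selection. Added example, not Cisco
code. Stand-ins: x.x.x -> 198.51.100, y.y.y -> 203.0.113,
192.168.x -> 192.168.10, 192.168.y -> 192.168.20 (constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ObjectNat:
    name: str                 # object network name
    real_first: IPv4Address   # real (pre-translation) address range, inclusive
    real_last: IPv4Address
    real_if: str              # nat (real_if,mapped_if) ...
    mapped_if: str
    kind: str                 # "static" or "dynamic"
    mapped: str               # mapped object name, or "interface" for PAT

    @property
    def real_count(self) -> int:
        return int(self.real_last) - int(self.real_first) + 1


def from_subnet(name: str, cidr: str, real_if: str, mapped_if: str, kind: str, mapped: str) -> ObjectNat:
    net = ip_network(cidr)
    return ObjectNat(name, net[0], net[-1], real_if, mapped_if, kind, mapped)


def from_range(name: str, first: str, last: str, real_if: str, mapped_if: str, kind: str, mapped: str) -> ObjectNat:
    return ObjectNat(name, ip_address(first), ip_address(last), real_if, mapped_if, kind, mapped)


def section2_order(rules: List[ObjectNat]) -> List[ObjectNat]:
    """Object NAT ordering (ASA 8.3+ section 2): static before dynamic, fewer
    real addresses first, then lowest real address, then object name."""
    return sorted(rules, key=lambda r: (r.kind != "static", r.real_count, int(r.real_first), r.name))


def select_rule(rules: List[ObjectNat], src: str, ingress: str, egress: str) -> Optional[ObjectNat]:
    """First rule whose interface pair matches a flow entering on `ingress` and
    routed out `egress`, and whose real range contains `src`; None means the
    packet leaves untranslated (a private source on the public side)."""
    src_ip = ip_address(src)
    for r in section2_order(rules):
        if r.real_if not in ("any", ingress) or r.mapped_if not in ("any", egress):
            continue
        if r.real_first <= src_ip <= r.real_last:
            return r
    return None


def rule_name(rules: List[ObjectNat], src: str, ingress: str, egress: str) -> Optional[str]:
    r = select_rule(rules, src, ingress, egress)
    return r.name if r else None


# The object NAT rules from the post, before the missing one was found.
ORIGINAL_RULES = [
    from_subnet("obj-y.y.y.0-24", "203.0.113.0/24", "inside", "outside", "dynamic", "interface"),
    from_subnet("obj-x.x.x.0-24", "198.51.100.0/24", "insideold", "outside", "dynamic", "interface"),
    from_range("obj-192.168.y.135-160", "192.168.20.135", "192.168.20.160",
               "inside", "outside", "static", "obj-y.y.y.135-160"),
    from_range("obj-192.168.x.10-20", "192.168.10.10", "192.168.10.20",
               "insideold", "outsideold", "static", "obj-x.x.x.10-20"),
]
# The rule the poster found was missing: same real range, but for the outside egress.
MISSING_RULE = from_range("obj-192.168.x.10-20-2", "192.168.10.10", "192.168.10.20",
                          "insideold", "outside", "static", "obj-x.x.x.10-20")

if __name__ == "__main__":
    host = "192.168.10.15"   # stands in for 192.168.x.15, a statically natted host
    print("to outsideold:      ", rule_name(ORIGINAL_RULES, host, "insideold", "outsideold"))
    print("to outside (before):", rule_name(ORIGINAL_RULES, host, "insideold", "outside"))
    print("to outside (after): ", rule_name(ORIGINAL_RULES + [MISSING_RULE], host, "insideold", "outside"))
```

    The model only covers the rule-selection step: with the original rules a 192.168.x host routed out "outside" matches nothing, because its only static rule names "outsideold" and the dynamic rule on the (insideold,outside) pair covers x.x.x.0/24, not the private range. Running packet-tracer for both egress interfaces, as the post did, is the on-box equivalent of this check.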

    is this still a problem?
