Basic N1 SSH config questions...

At the risk of asking remedial questions, are these actions correct?

- When generating SSH keys, I am to generate one set with the ID used to install/own the MS (agent, server, CLI)? (I can't remember now if the CLI installed with the master server or not; I think it did.)
- I am to create a second user and generate keys, and place this user's pub key into the authorized_keys2 file of the first user (product install/owner of MS)?
- How do I tell N1 about the existence of this second user? Is this what pe.defaultUserToRunAs is for? I cannot find this in the docs.
- According to previous postings, root ssh'ing is required for OSP. This makes no sense to me when the agent can be owned by a non-root user, yet can execute native commands with root priv.
- The docs state that SSH forwarding works downstream, but can it use loopback to the master server?
- Why do I see the product use a root shell to CLI back to the Master server (OSP question)? Should this be happening?

Thanks for everyone's help.

Pete.

> At the risk of asking remedial questions, are these actions correct?
> When generating SSH keys, I am to generate one set with the ID used to install/own the MS (agent, server, CLI)? (I can't remember now if the CLI installed with the master server or not; I think it did.)

True for MS/LD/RA as they always run with the same uid. The CLI works best if always invoked as the install owner. If the CLI is invoked as any other user, then there are a couple of options.
One is to make sure that each user has their ssh keys configured so that the connection from their machine to the MS machine with their ssh credential succeeds.
Another is to configure the CLI to always use a single identity to connect to the MS. For security reasons, you may want this identity to be different from the MS install owner. If you look at the ssh man page, it allows you to override the default uid and identity file locations through the options -l and -i.
Let's say we create a new user spsuser, for CLI authentication.
We can then generate ssh keys for spsuser and put them in this identity file, let's say /home/spsuser/ssh/identity.
We can then configure the sps CLI to override the ssh credentials that are used when connecting to the MS as

net.client.parms.1=sshargs=-o|BatchMode yes|-l|spsuser|-i|/home/spsuser/identity

That way the CLI will always try to use the same ssh identity regardless of who invokes it. However, since I haven't tested this configuration, I'm not certain if it will work. The one possible issue here is that ssh may complain about the identity file having global read permissions.

> I am to create a second user and generate keys, and place this user's pub key into the authorized_keys2 file of the first user (product install/owner of MS)?

Nope, the keys always belong to the same user, unless you are overriding the default user to the first user when running ssh as the second user.

> How do I tell N1 about the existence of this second user? Is this what pe.defaultUserToRunAs is for? I cannot find this in the docs.

I think you are talking about the CLI here. In this case you'll be running the CLI as the second user, right? In that case all you need to do is to make sure that the second user is able to connect to the MS machine from the CLI machine using ssh, without requiring any user interaction.

> According to previous postings, root ssh'ing is required for OSP. This makes no sense to me when the agent can be owned by a non-root user, yet can execute native commands with root priv.

The ability to run native commands as root is only available when the agent is running as root. Otherwise the plan that tries to run exec native as root will fail if the agent that it's running on is not running as root.

> The docs state that SSH forwarding works downstream, but can it use loopback to the master server?

Not sure I understand the question. Downstream here implies from the machine invoking the ssh client to the machine that's running the ssh daemon. I don't think ssh would care if the ssh daemon was connected to via any IP address or loopback...

> Why do I see the product use a root shell to CLI back to the Master server (OSP question)? Should this be happening?

My opinion is that the CLI doesn't need to run as root for most of its functionality. The only case where it may need to run as root is when the files that it's trying to check in are only readable by root. However, it may make sense to make those files readable by the CLI user instead of running the CLI as root in that case. Don't know if it makes sense to have OSP run the CLI as a non-root user instead.

hth,
Aj
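The reply above leans on two things it does not spell out: how the '|'-separated sshargs value turns into ssh arguments, and the identity-file permission problem it warns about (ssh refuses a private key that group or others can read, and with BatchMode that refusal is a hard failure instead of a prompt). The script below is an added example and is not SPS code or Aj's; it assumes the CLI splits sshargs on '|' exactly as the reply's example implies, and the user name spsuser, the key path and the host are placeholders taken from or invented for the reply.

```shell
#!/bin/sh
# Added example, not part of SPS or the original post. Assumes sshargs is
# split on '|' as in the reply; spsuser, key path and host are placeholders.

# Print each '|'-separated field of an sshargs value on its own line.
# "BatchMode yes" stays one field because only '|' separates fields.
split_sshargs() {
    old_ifs=$IFS
    IFS='|'
    set -f            # no globbing while the value is word-split
    set -- $1
    set +f
    IFS=$old_ifs
    printf '%s\n' "$@"
}

# Succeed only when group and other have no permission bits at all,
# i.e. the mode is 0600 or 0400, which is what ssh requires for a key.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run ssh the way the configured CLI would, refusing early when the key
# is readable by others so the failure is explained rather than buried
# in a BatchMode error. Not executed by the checks below.
cli_ssh() {
    user=$1 key=$2 host=$3
    key_is_private "$key" || {
        echo "refusing: $key is group/world readable; chmod 600 it" >&2
        return 2
    }
    # BatchMode=yes: never prompt for a passphrase or password.
    # IdentitiesOnly=yes: offer only this key, not every key the agent holds.
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -l "$user" -i "$key" "$host" true
}

# The value from the reply's net.client.parms.1 line.
SSHARGS='-o|BatchMode yes|-l|spsuser|-i|/home/spsuser/identity'

split_sshargs "$SSHARGS"
```

IdentitiesOnly is an addition on top of the reply's arguments: without it, ssh also offers every key loaded in the invoking user's agent, which is the opposite of pinning the CLI to one identity.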

Similar Messages

  • Basic JNDI Lookup Config Question

    I have the following in a jndi.properties file:
    java.naming.factory.initial=com.evermind.server.ApplicationClientInitialContextFactory
    java.naming.provider.url=ormi://localhost/<applicationname>
    java.naming.security.principal=admin
    java.naming.security.credentials=123
    It is expecting what for an <applicationname>?
    The name of the client application(The client that invokes my session bean)?
    The name of the package where the client exists?
    The name of the database schema?
    Any answers?
    Thanks,
    Jim

    Also, is there a way to configure these properties using the Sun App Server 7 in the Sun Studio directly?
    Thanks.

  • Ssh with two or more private keys using ~/.ssh/config read the wrong private key

    Hi,
    I have created a config file in ~/.ssh/ to be able to connect to remote sites using different private keys per site.
    The problem is when I try to connect to any of them ssh reads the wrong private key despite the configuration in ~/.ssh/config file.
    For example:
    Host vps
        Hostname x.x.x.x
        User guesswho
        IdentityFile vps.pk
    Host home
        Hostname y.y.y.y
        User home
        IdentityFile home.pk
    >ssh -v vps ( connects using home.pk)
    >ssh -v -i ~/.ssh/vps.pk ( connects using home.pk)
    I tried it on a Ubuntu 10.04.3 LTS using same config file and keys (openssh-server 1:5.3p1-3ubuntu7) and it worked as expected.
    Any help would be appreciated.
    zcookie

    My question is do I have to create a separate private key from my imac or can I just copy the private key from my macbook?
    Do you have to create separate private keys? No, but there are reasons why you might want to.
    The biggest one is the fact that if any key is compromised, they are all compromised (since they are the same). Say, for example, your MacBook is lost or stolen. You really should consider disabling the MacBook's key from authorized_keys to prevent the finder/thief from getting into your server. If that one key is shared by multiple hosts, though, you're going to lock out all the other hosts as well, even though they haven't been affected.
    Having separate keys per client lets you nix just the key for the MacBook (or whichever machine) without impacting the other machines' ability to connect.
    Other than the trivial amount of work it takes to create a private key there's really no overhead in having unique keys per client machine. If, however, you really want them to be the same, knock yourself out
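The advice above (one key per client machine, so a lost MacBook can be cut off without locking out every other host) only works if revocation is precise. The script below is an added example, not from either post: it names each client in the key comment and removes exactly that client's line from authorized_keys, leaving option-prefixed lines (from="..." restrictions) intact. The key material it embeds is constructed placeholder text, not real keys.

```shell
#!/bin/sh
# Added example, not from the original posts. Keys below are constructed
# placeholders; the client names (imac, macbook, laptop) are assumptions.

# Write a constructed authorized_keys with one key per client. In real
# use each line comes from 'ssh-keygen -t ed25519 -C <client>' on that
# client, so the comment field identifies the machine.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample: one key per client machine, comment names the client
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialImac imac
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialMacbook macbook
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterialLaptop laptop
EOF
}

# Count key lines, ignoring blanks and '#' comments.
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Print the client name (last field) of every key line.
list_clients() {
    awk 'NF && $1 !~ /^#/ { print $NF }' "$1"
}

# Remove every key line whose trailing comment equals the client name.
# The comment is the last whitespace-separated field, so lines that start
# with options such as from="..." are matched the same way. The rewrite
# goes through a temp file and an atomic rename so sshd never reads a
# half-written authorized_keys.
revoke_client() {
    file=$1
    client=$2
    tmp="$file.tmp.$$"
    awk -v c="$client" '!(NF && $1 !~ /^#/ && $NF == c)' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Stand-alone demonstration against the constructed sample.
demo() {
    f=$(mktemp)
    make_sample "$f"
    echo "before: $(count_keys "$f") keys: $(list_clients "$f" | tr '\n' ' ')"
    revoke_client "$f" macbook
    echo "after:  $(count_keys "$f") keys: $(list_clients "$f" | tr '\n' ' ')"
    rm -f "$f"
}
```

Matching on the comment only works because every key was generated with a distinct, deliberate comment; a fingerprint match (ssh-keygen -lf on each line) is the safer key when comments cannot be trusted.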

  • A few post config questions on new setup

    Hi Group,
    Just a few post config questions.
    First, how can I confirm my controller is in fact associating properly with an NTP server?  On a typically cisco product, I could just do a 'show ntp associations' or a 'show ntp status'.  I cannot see a way to confirm this on the gui or command line.
    Second, on my guest network with web-auth, if one were to choose to not use https for web-auth and instead use unsecure http, would that be possible and if so where in the gui?
    Thanks.

    The third field is from a WLC running v7.4 not v7.2.  I usually would install a 3rd party certificate, but what else you can try is issue this command from the CLI.  It had issues working with certain code versions, but you might as well give it a try.
    config network web-auth secureweb disable
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Workshop Weblogic config questions

    I'm using Oracle Workshop for WebLogic 10.3 and I'm hoping someone can answer some setup/config questions.
    When I double click on the server (WebLogic Server v10.3 at localhost) a window opens with various settings that manage how workshop and weblogic work together.
    Under "Startup & Deployment" I have the following turned on:
    Launch WebLogic server in Eclipse console
    Always start WebLogic Server in debug mode
    Ignore project compilation errors when publishing (I have this turned on because of errors in a portal project, the errors aren't important, and don't prevent the project from running)
    Run stand-alone web module directly from workspace
    So, first question, with these settings I was able to quickly switch to debug mode, with out restarting the server, now the server restarts whenever I turn debugging on. What have I done that has stopped this working correctly? How can I get it to start debugging without a full restart?
    next question, what happens if I turn on "Start WebLogic Server in Express Mode"? As far as I can tell nothing happens.
    Lastly, under "Automatic Publishing" I have it set to "Never publish automatically", if I choose another setting workshop essentially freezes because it's constantly publishing. So whenever I make a change, even in a jsp, I need to remove the project, then re-add it to see my changes in the browser. This is frustrating, not just because it takes 8 or 9 minutes (8 or 9 MINUTES!!!), but because the project doesn't run properly until it is redeployed. You'd think that if it needs to be re-deployed, then none of my changes should matter on the server until it is re-deployed.
    So, my question is, Is there any way to get this re-deployment to happen faster?
    Thanks for any and all help

    Well, in my experience performance is not bad as you experienced. Is it locally connected server or remotely connected server? If it is a remote server, network issue could cause this latency issue.
    Is performance better if you run the server without enabling debug mode? If yes, probably you can also review any break points set.
    You could also try out the following options
    1) Run workshop with -clean option, by opening command prompt and navigating to workshop_home\'workshop.exe -clean'
    2) Untick the option 'Launch WebLogic server in Eclipse console' and start server which would enable server to start on command prompt
    3) This would enable you to take multiple thread dumps (Ctrl+Break) on the server console output, while performance is very bad, to see where threads are halted.

  • Re: PLM4P v6003 Config Question:  Any way to configure UGM Notifications?

    After reading:
    PLM4P v6003 Config Question:  Any way to configure UGM Notifications?
    This is one of the requirements from me as well. We always wanted to customize emails sent not only for UGM but also for other modules. We wanted to convey some message to approvers. But it seems this is still not possible. Is this functionality on the road-map of Agile P4P product management?

    Currently, the subject and body of emails can be customized to an extent, as they are translations that can be overridden. The translations have some placeholder fields that get populated by the system, but you are limited to those placeholder fields. The upcoming release will give you full control of the email body and subject lines, for GSM and SCRM emails, as well as Supplier Rep emails.

  • Redundant FWSM Config Question

    Hello All,
    I'm going to be configuring failover with FWSMs for our 6500 at my job and I have a config question. There is one current 6500 chassis with 2 FWSMs installed. They are both online but currently since failover isn't setup, only one FWSM is actually active. My question is since we are using multiple contexts where do I setup the failover interface, and do I need to configure failover on every single vlan on the FWSM? We have over 10 contexts each with 2-3 interfaces on them, so do I need a failover IP for every vlan that exists on every context? Also, does the failover config get setup on the admin or system context? Any help would be greatly appreciated, and thank you so much in advance!

    Hi John.
    Failover config goes in the system context. For the data interfaces in each context, you will need a primary and a standby IP i.e. 2 IP's per VLAN. Once failover happens, the secondary FWSM will assume the active role and the secondary FWSM will take over the Primary IP address thus making the failover process transparent to end users.
    HTH.
    Regards
    Zubair

  • SCCM 2012 application portal: config questions

    Hi,
    We have setup SCCM 2012 application portal correctly and it's working fine.
    However some config questions:
    -can we change the name of the configuration portal? Now it's servername/CMApplicationCatalog ... which is not user-friendly.
    We'd like it to be applicationportal.ourcompany.com. How to achieve that?
    -can we customize layout in a supported way (we could change html pages but after an upgrade of SCCM they would/could be erased)?
    -how does flexera (adminstudio?) plug into this. I've read this entry
    http://helpnet.installshield.com/appportal2014/Content/helplibrary/AP_CreatingCatItemSCCM.htm but what's the big picture here? Anybody using this? What are the advantages?
    J.
    Jan Hoedt

    We want to offer software center for overview of mandatory installs, application catalog for optional software.
    On our companies portal, we can then set a link which directs to the application portal. User can then install optional software from there.
    My current config works http://applicationportal.ourcompany.com/ goes to the sccm-server but not to the url below.
    That would be http://applicationportal.ourcompany.com/CMApplicationCatalog/#/SoftwareLibrary/AppListPageView.xaml
    how can I make sure the application portal shows up when this link is opened?
    It sounds like you want to perform a URL rewrite?
    http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
    You should test this to see if it's what you want - I may have misunderstood your question.
    Also, I wouldn't host this module on your AppCatalog server, I'd host the rewrite module elsewhere.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Basic struts config question

    Hi,
    What does the "input" attribute of the struts-config.xml do?
    Thanks

    Check out the [url http://struts.apache.org/dtds/struts-config_1_2.dtd]struts-config dtd[/url]. It documents each of the attributes/tags you can use in the xml file.
         input           Module-relative path of the action or other resource to
                         which control should be returned if a validation error is
                         encountered. Valid only when "name" is specified. Required
                         if "name" is specified and the input bean returns
                         validation errors. Optional if "name" is specified and the
                         input bean does not return validation errors.
    Simply put, it specifies the jsp page to return control to when validation fails - ie return you to the input screen, display errors and let you correct them.
    Cheers,
    evnafets

  • Aironet 1231G basic config question

    Hi, we have an Aironet 1231G with IOS 12.3(8) and we have enabled DHCP service with two VLANs, one for management (VLAN1) and another one (VLAN 2) for user IP addressing. We do everything by the config guide book (subinterfaces on both dot11 and FastEthernet etc.) however we want DHCP enabled server on AP to allocate IP addresses to clients on VLAN 2 once requested.
    We have noticed that all is fine if we want AP to allocate IPs on management VLAN 1, it does not work when we try to do it for VLAN 2; however we want different VLAN for management and different VLAN for users.
    We have also tried on sub-int F0.2 to configure an IP address with no success though since DHCP does NOT allocate IP addresses on VLAN 2, is there some sort of config trick that we are missing or is it something that can not be done on AP? Please note that we have it working with DHCP server enabled on a router and connected via sub-int to AP, in this case air interface dot11 allocates successfully IP addressing for user VLAN 2.
    Any ideas, any help will be really appreciated,
    Thanks a lot
    Tony

    change the dhcp scope and the interface vlan2 ip addressing it will allocate an address in a new range.

  • Basic flashback config question

    I have an Oracle database (10.2.0.4.0 on Linux) installation that I have inherited. A user deleted some data and I attempted to recover it. There were backups and archive log files in the FRA, but when I queried about flashback status I got:
    select flashback_on from v$database;
    FLASHBACK_ON
    NO         
    1 row selected (0.06 seconds)
    With that config set to "no" that means I can not use flashback to recover lost data. It must be set to yes before the failure occurs in order to use flashback to recover afterwards. Do I have that right?

    > I have an Oracle database (10.2.0.4.0 on Linux) installation that I have inherited. A user deleted some data and I attempted to recover it. There were backups and archive log files in the FRA, but when I queried about flashback status I got:
    > With that config set to "no" that means I can not use flashback to recover lost data. It must be set to yes before the failure occurs in order to use flashback to recover afterwards. Do I have that right?
    Are you sure that you have committed the deleted data, if not you can rollback.
    If your retention is not enough big, however you disabled FLASHBACK, you cant get it.
    But there is a big procedure, if it is really critical, if your database is running in archivelog mode, Restore database in any test server, recover database before deleting rows, Take an export of the table and import into this database.
    Edited by: CKPT on Jun 20, 2011 7:15 PM

  • Basic Server Config question: Restricting user access to files & folders

    I am in the process of locating a good Apple Server consultant in south florida, but in the meantime I want to educate myself on what we have.
    We now have an XServe in our office, running 10.6 Server. We intend to use it as a File Server, and we want to set it up in such a way that we can specify which individual users have access to each directory.
    As a 100% beginner, where would you suggest I start in understanding how do this? Or even, which Help resource I should look at to begin learning. I imagine that our senario is a very simple one. I'd appreciate any help or suggestions from anyone out there.

    Hi
    These for starters:
    http://manuals.info.apple.com/enUS/FileServerAdminv10.6.pdf
    http://manuals.info.apple.com/enUS/UserMgmtv10.6.pdf
    http://manuals.info.apple.com/enUS/NetworkSvcsv10.6.pdf
    For the rest:
    http://support.apple.com/manuals/#serversandenterprisesoftware
    Tony

  • ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP

    8.2
    HI ALL
    Here is my scenario and I have worked on this with TAC support over the last month, we finally made progress by getting our ISP to activate the 5 static IPs but here is my issue.
    basically we have a VOIP phone that is "remote". This phone needs to come through the Public IP to an internal address of 192.168.10.57.
    We tried only allowing certain "ports" to pass, such as SIP, RTP> but the remote phone still cannot reach the phone server at 192.168.10.57
    So
    I want to open it completely as this phone pc is the ONLY device on that public IP.
    so my 2 questions are.
    what do i need to config as a rule/ command to make this happen. where I want the public IP of 50.x.x.x to correlate directly and openly to the internal of 192.168.10.57?
    Also what is the command to allow the public IP to be pingable? so i can just confirm that it is reachable. I know at the very end we turned it off with a sort of ICMP command.
    Thank you all for your time and help. if you need more info please ask.

    Thank you very much for your help.
    I applied 
    access-list out-in extended permit icmp any host 50.x.x.x
    and now i can ping TY
    But,
    I applied
    static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
    ANd got this error:
    ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
    ERROR: mapped-address conflict with existing static
      inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
    I just want this port "wide open" to see if the remote phone will connect to it.
    here is my edited SH RUN
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password PfdcbR/f90Mel1yp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.X.X.X 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner login
    banner login &
    banner login ~
    banner login ***********Warning*******
    banner login
    banner login ^
    ftp mode passive
    access-list out-in extended permit tcp any host 50.X.X.X eq 3462
    access-list out-in extended permit tcp any host 50.X.X.X eq sip
    access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
    access-list out-in extended permit tcp any host 40.X.X.X eq ftp
    access-list out-in extended permit icmp any host 50.X.X.X
    access-list split standard permit 192.168.10.0 255.255.255.0
    access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
    access-list FTP remark Allow
    access-list FTP extended permit tcp any eq ftp any eq ftp
    access-list FTP extended permit tcp any any eq ftp-data
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
    static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
    access-group out-in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.10.50-192.168.10.100 inside
    dhcpd dns 75.75.75.75 75.75.76.76 interface inside
    dhcpd lease 86400 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
    svc enable
    port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
    tunnel-group-list enable
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    banner value *****************************WARNING**********************************
    banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
    banner value ****************************************************************************
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    webvpn
      url-list none
      svc ask enable default webvpn
    username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
    username aalmonte attributes
    vpn-group-policy RemoteAccess
    username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
    username mmaccormack attributes
    vpn-group-policy RemoteAccess
    username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
    username lmaccormack attributes
    vpn-group-policy RemoteAccess
    username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
    username rdirkee password mHVkPntgw4LQyh.U encrypted
    username rdirkee attributes
    service-type remote-access
    username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
    username wmaccormack attributes
    vpn-group-policy RemoteAccess
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
    username rickg attributes
    vpn-group-policy RemoteAccess
    service-type remote-access
    username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
    username jgoucher attributes
    vpn-group-policy RemoteAccess
    username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
    username smaccormack attributes
    vpn-group-policy RemoteAccess
    username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
    username rmaccormack attributes
    vpn-group-policy RemoteAccess
    username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
    username bmaccormack attributes
    vpn-group-policy RemoteAccess
    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
    address-pool ippool
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess webvpn-attributes
    group-alias RemoteAccess enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    TYVM

  • 1941W config question

    Hi,
    I've been fiddling with this 1941W for about 20 hours so far.  This is just going to serve as a replacement for linksys 610N.  The ethernet from the cable modem goes into GE0/0 and clients should be able to connect to the internet via 2.4 wireless.  I'm using the CLI. This is my first ever Cisco IOS product that I need to configure so if you can tell me the exact commands I need to fix this I would be eternally grateful.
    I've copied a config from another discussion that is similar to what I need. I'm able to get wireless clients to connect to the SSID and authenticate. But they can't get onto the internet. From the client I can ping 192.168.2.1 (the AP gateway?) but not 192.198.1.1 (the gateway of my upstream internet. I know this is a local ip, I'm setting this up underneath another router for now and not connecting directly to the cable modem so as not to disrupt service). I don't really care about the wired lan.  I see it there in the config on GigabitEthernet0/1, but can take it or leave it.
    Also can you tell me how to get rid of vlan5? It's a product of tinkering and I can't find how to delete it.
    r#show version
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
    r#show ip interface brief
    Interface                  IP-Address      OK? Method Status                Protocol
    Wlan-GigabitEthernet0/0    unassigned      YES unset  up                    up     
    GigabitEthernet0/0         192.168.1.30    YES NVRAM  up                    up     
    wlan-ap0                   10.1.1.1        YES NVRAM  up                    up     
    GigabitEthernet0/1         10.55.55.1      YES NVRAM  down                  down   
    NVI0                       unassigned      YES unset  administratively down down   
    Vlan1                      192.168.2.1     YES NVRAM  up                    up     
    Vlan5                      unassigned      YES NVRAM  administratively down down   
    r#show running-config
    Building configuration...
    Current configuration : 6054 bytes
    ! Last configuration change at 02:52:35 UTC Wed Jul 27 2011 by admin
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 $1$sNyGf$tMfp9XasdfasdfvbWsT2WfdsfyXaJMfcnUF.
    enable password mypass
    no aaa new-model
    service-module wlan-ap 0 bootimage autonomous
    no ipv6 cef
    ip source-route
    no ip routing
    no ip cef
    ip dhcp excluded-address 192.168.2.1 192.168.2.10
    ip dhcp pool LAN-POOL
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
       dns-server 10.55.55.82
       lease 7
    ip domain name yourdomain.com
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-394307973
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-394307973
    revocation-check none
    rsakeypair TP-self-signed-394307973
    crypto pki certificate chain TP-self-signed-394307973
    certificate self-signed 01
      30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33393433 30373937 33301E17 0D313130 37323632 33353534
      375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3339 34333037
      39373330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      F7D779BD 4E946976 915CE8F8 D972165A 5D0D4120 BAF4C71F 50DB77D6 0B0C54E6
      90BACA60 EED7033C B151973D 5B8038DA B697ADA2 FEE71376 349E6626 86C050F7
      A9B19B51 41A5BFB5 2DE7E7C2 B774FB38 910E9230 A9FF96B4 2F38DF36 1B50573F
      6A564BCD 6C81348C 68ED1846 59B87173 37CDBEA8 649743CD AB231650 D12EEE07
      02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
      11041630 14821265 73632E79 6F757264 6F6D6169 6E2E636F 6D301F06 03551D23
      04183016 8014B11F 647EE6F7 D91C556F 1C9404D7 952B15C1 1C00301D 0603551D
      0E041604 14B11F64 7EE6F7D9 1C556F1C 9404D795 2B15C11C 00300D06 092A8648
      86F70D01 01040500 03818100 EE8C655D 6A57745D 52E3F795 66FD7D99 5F09BC89
      7E0003BB 0281BC00 60B0A418 24CCD1BA AD9BA32D 47DE11FC F466000B 6FAF6700
      F6A21244 835077D3 AA406B4D 0A015188 31B41849 108E4EA4 BD0AE37B 8FC01C7B
      E73B15DC 0DE85FF0 FFC53EBA 649734A8 E516C964 EC20EF18 7D0E20A0 D4E4D380
      5715EAE1 83D5CBD8 66E40E05
            quit
    license udi pid CISCO1941W-A/K9 sn FTX1515036G
    hw-module ism 0
    username admin privilege 15 secret 5 $1$..Cus$DSjh9d7PTf7uv0sgbMKdg2CqfOh0
    bridge irb
    interface Wlan-GigabitEthernet0/0
    description Internal switch interface connecting to the embedded AP
    no mop enabled
    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address 192.168.1.30 255.255.255.0
    ip access-group to-lan in
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip address 10.1.1.1 255.255.255.0
    no ip route-cache
    arp timeout 0
    no mop enabled
    no mop sysid
    interface GigabitEthernet0/1
    ip address 10.55.55.1 255.255.255.0
    ip access-group from-lan in
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    no mop enabled
    interface Vlan1
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    interface Vlan5
    no ip address
    no ip route-cache
    shutdown
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip access-list extended nat-list
    permit ip 10.55.55.0 0.0.0.255 any
    permit tcp 192.168.2.0 0.0.0.255 any
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    banner exec ^C
    line con 0
    login local
    line aux 0
    line 67  
    no activation-character
    no exec 
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
    access-class 23 in
    privilege level 15
    password mypass
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    password mypass
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end      
    #AP config
    ap#show running-config
    Building configuration...
    Current configuration : 2171 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$RniV$NsdWWgfecyjGhf2UR7f2ri7hjugZ1
    no aaa new-model
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.2.1 192.168.2.10
    ip dhcp pool LAN-POOL
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
       dns-server 208.67.222.222
       lease 7
    dot11 syslog
    dot11 ssid wmttdub02
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 010307174859545C72
    username Cisco password 7 1531021F0725
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers tkip
    ssid wmttdub02
    antenna gain 0
    speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root access-point
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    antenna gain 0
    no dfs band block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.2.2 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.2.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    no activation-character
    line vty 0 4
    login local
    end      

    SOLUTION:
    It was not entirely a NAT issue.  There was no ip route set up.  (Note: I set GigabitEthernet0/0 to use DHCP after the configuration shown above.)   The final solution required these entries:
    interface wlan-ap0
    ip unnumbered vlan 1
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
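
    An added example, not part of the original post and not Cisco's code: a small Python audit that reads a running-config the way "show running-config" prints it (sub-commands indented one space) and flags the management-plane weaknesses visible in the config above: "no service password-encryption" together with a cleartext "enable password", type 7 strings (they are reversible; the AP's "username Cisco password 7 1531021F0725" line decodes to "Cisco", the factory-default login of Cisco autonomous APs), telnet still allowed on the vty lines, plaintext "ip http server", vty sessions dropped straight into privilege 15, and a vty "access-class 23" whose ACL permits only 10.10.10.0/29, which matches none of the router's own subnets. The sample config is constructed and abridged from the posted one; the enable secret hash in it is a placeholder.

```python
"""Audit a Cisco IOS running-config for the management-plane weaknesses seen above.
Added example, not code from the original post; assumes 'show running-config'
layout, i.e. sub-commands indented by one space."""
import ipaddress
import re

# Keystream behind Cisco "password 7" obfuscation; it is public, so type 7 only
# hides a secret from a glance at the screen, not from anyone holding the config.
_TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse type 7: two-digit decimal seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]))
                   for i, b in enumerate(body))


def parse_sections(config: str):
    """Group the config into (top-level command, [its indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def acl_network(addr, second=None):
    """Standard-ACL source ('any', 'host A', 'A WILDCARD' or bare 'A') as a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":
        return ipaddress.ip_network(f"{second}/32")
    wildcard = int(ipaddress.IPv4Address(second or "0.0.0.0"))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard = inverted mask
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def audit(config: str) -> list:
    """Return findings as 'CODE: detail' strings; an empty list means nothing was flagged."""
    findings, subnets, acls, vty_acls = [], [], {}, set()
    for header, children in parse_sections(config):
        if header == "no service password-encryption":
            findings.append("CLEARTEXT: passwords are stored in the clear; set 'service password-encryption' and prefer 'secret' forms")
        if header.startswith("enable password "):
            findings.append("ENABLE-PASSWORD: cleartext 'enable password' present; remove it and rely on 'enable secret'")
        if header == "ip http server":
            findings.append("HTTP: plaintext HTTP management is on; use 'no ip http server' and keep 'ip http secure-server'")
        m = re.match(r"access-list (\d+) permit (\S+)(?: (\S+))?$", header)
        if m:
            acls.setdefault(m.group(1), []).append(acl_network(m.group(2), m.group(3)))
        if header.startswith("interface "):
            for c in children:
                m = re.match(r"ip address (\S+) (\S+)$", c)
                if m:
                    subnets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        if header.startswith("line vty"):
            for c in children:
                if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                    findings.append(f"TELNET: {header} accepts telnet ('{c}'); use 'transport input ssh'")
                if c == "privilege level 15":
                    findings.append(f"PRIV15: {header} drops every login straight into privilege 15")
                m = re.match(r"access-class (\d+) in$", c)
                if m:
                    vty_acls.add(m.group(1))
        for c in (header, *children):
            m = re.search(r"\b(password|wpa-psk ascii) 7 ([0-9A-Fa-f]+)$", c)
            if m:
                findings.append(f"TYPE7: '{c}' is reversible; it decodes to '{decode_type7(m.group(2))}'")
    # A vty access-class matching none of the router's own subnets blocks management
    # from every local network; the ACL should name the admin subnet.
    for acl in sorted(vty_acls):
        permitted = acls.get(acl, [])
        if not any(net.overlaps(sub) for net in permitted for sub in subnets):
            findings.append(f"MGMT-ACL: vty access-class {acl} permits {[str(n) for n in permitted]}, matching none of the local subnets {[str(s) for s in subnets]}")
    return findings


# Constructed sample, abridged from the posted router config; the 'username Cisco'
# line is the one in the posted AP config, the enable secret hash is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$placeholder$hash
enable password mypass
username Cisco password 7 1531021F0725
interface GigabitEthernet0/0
 ip address 192.168.1.30 255.255.255.0
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
ip http server
ip http secure-server
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
 privilege level 15
 password mypass
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

    Run it against a full "show running-config" capture; the type 7 check also catches the "wpa-psk ascii 7" line in the AP config, which is why a WPA key should be entered on a trusted console and the config export treated as sensitive.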

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possible to have split and full tunnel configs? It seems that once you create your context and default profile that is all you have, either split or full. The books say you can use RADIUS and assign different profiles, but I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH.
