Considerations for an IPSEC tunnel through another IPSEC tunnel

Hi,
I am trying to implement an IPSEC "tunnel through a tunnel" as follows:
ASA-1 (inside network 10.10.10.0/24 - outside network 1.1.1.1/30) to ASA-2 (outside network 1.1.1.2/30 - inside network 20.20.20.0/24)
This tunnel is fully functional.
Created a DMZ interface (2.2.2.1/30) on ASA-1
Created a DMZ interface (2.2.2.2/30) on ASA-2
Attached ASA-A outside interface to ASA-1 DMZ interface - inside network 30.30.30.0/24
Attached ASA-B outside interface to ASA-2 DMZ interface - inside network 40.40.40.0/24
Created an ACL on ASA-1 and ASA-2 DMZ interfaces allowing ESP,IKE traffic
2nd tunnel not working!
Questions
Should I add the DMZ /30's to the crypto map of ASA-1 and ASA-2? (I did, and it still did not work.)
Should there be a route statement for the /30's on ASA-1 and ASA-2, or should the default GW be sufficient?
Any and all help will be appreciated!
Dave

post config for review

Similar Messages

  • How to pass ra vpn subnet traffic through an ipsec tunnel

    Dear geeks,
    I have two sites, let's call them main and dr, connected via IPsec site-to-site VPN from Cisco ASA to Cisco ASA at both ends. I also have remote access VPN on both ends, to the main site as well as on the dr site.
    Now the question is: if I connect to the RA VPN to the dr site, can I pass the traffic from the RA subnet through the IPsec site-to-site to the main site, so from the RA VPN connected PC I can directly access the servers in the main site also? Can the RA subnet traffic be included in the crypto access-list in the site-to-site?
    Are there any drawbacks to this?
    please do let me know if you need more details.
    thanks
    Manek

    This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn" as the traffic from RA VPN comes in via outside interface and then back out same interface to the peer site.
    Three things are generally required:
    1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
    2. NAT exemption for the RA subnet traffic headed to the peer site
    3. permitting traffic via same-security-interface.
    (You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)
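    One way to lay out the three items above on the dr-site ASA (8.3 or later NAT syntax), as an added example rather than either poster's configuration; the object names and addresses (RA-POOL 192.168.100.0/24, MAIN-LAN 10.1.0.0/16, crypto map OUTSIDE_MAP, the two test hosts) are assumed placeholders:

    ```cisco
    ! (3) without this, a flow that enters and leaves the same interface is dropped
    same-security-traffic permit intra-interface

    ! assumed address objects: the RA pool handed out at the dr site, the server LAN at main
    object network RA-POOL
     subnet 192.168.100.0 255.255.255.0
    object network MAIN-LAN
     subnet 10.1.0.0 255.255.0.0

    ! (2) NAT exemption: for a hairpinned flow both ingress and egress are "outside",
    !     so the identity NAT is written (outside,outside), not (inside,outside)
    nat (outside,outside) source static RA-POOL RA-POOL destination static MAIN-LAN MAIN-LAN no-proxy-arp route-lookup

    ! (1) the crypto ACL referenced by the existing site-to-site crypto map entry gains the RA pool;
    !     the main-site ASA needs the mirror entry (MAIN-LAN -> RA-POOL) or phase 2 will not match.
    !     If the RA group policy uses split tunneling, MAIN-LAN must also be in its split-tunnel list.
    access-list L2L-MAIN extended permit ip object RA-POOL object MAIN-LAN
    crypto map OUTSIDE_MAP 10 match address L2L-MAIN

    ! check: trace a decrypted RA packet towards a main-site server; the NAT and VPN phases
    ! should both report ALLOW and the output interface should be "outside"
    packet-tracer input outside icmp 192.168.100.10 8 0 10.1.0.20 detailed
    ```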

  • GRE tunnel through asa no pptp, l2tp, ipsec

    Hello!
    can't understand how to configure GRE tunnel through ASA
    i have one router with public ip, connected to internet
    ASA 8.4 with public ip connected to internet
    router with private ip behind ASA.
    have only one public ip on ASA with /30 mask
    have no crypto
    have network behind ASA and PAT for internet users.
    can't NAT GRE? Because only TCP/UDP gets NATed(?)
    with packet-tracer i see flow already created but tunnel doesn't work

    A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • GRE traffic can not pass through LRT224 IPSec Tunnel

    Hi,
    We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
    We found after reboot, GRE packets can not pass through the LRT224 IPSec tunnel. Need to restart several times, then GRE will go back to normal.
    Besides that, GRE keepalive packets can not pass through the LRT224 IPSec Tunnel.
    please help. I had tried to upgrade to latest firmware version.
    Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
    A-END:
    interface Tunnel1
    ip address 10.216.80.105 255.255.255.252
    ip mtu 1400
    ip nat outside
    ip virtual-reassembly in
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf hello-interval 3
    ip ospf cost 10000
    tunnel source 10.216.81.2
    tunnel destination 10.216.80.90
    end
    B-END:
    interface Tunnel11
    ip address 10.216.80.110 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf cost 10000
    ip ospf hello-interval 3
    tunnel source 10.216.80.91
    tunnel destination 10.216.81.3
    end
    CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
    San

    Can you post the results from the below command for the Cisco Routers?
    IOS Command: "sh version"
    Why not static route without NAT through the LRT224 IPSec VPN?
    Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • SRP547W Multiple IPSec policies through single IKE policy

    I am trying to create a VPN between an SRP547W and a Cisco IOS router, in this case a UC540. I am running firmware 1.2.4 (003) Jan 11 2012.
    Now I can do this with an SRP527W and many other routers successfully, including other IOS routers 1801, 1941 etc.
    The issue I have is on the SRP547W I cannot create more than one IPSec Policy through a single IKE policy. I require this to route multiple vlans to our remote site.
    When I try to add an additional IPSec Policy I am given the error "IKE policy has been used by other IPSec policy".
    This is possible to do on the SRP527W with latest firmware. I have tried rolling back to earlier firmware but instead I am given an error about overlap.
    The latest release note for this firmware suggests this issue was already resolved.
    Any help much appreciated.

    Hello Matthew,
    Sorry to hear you are having difficulty.
    I was able to test this on firmware 1.02.01 and get the overlap error that you mention. I resolved it by choosing "IP address & subnet mask" in the local selection field. When I used "IP Address" I received the same error unless I changed the IP address to something (other than the one used in the first policy) under the local traffic selection; then it allowed a successful submission. The remote traffic selector or IP address does not have any bearing on the error.
    Are you using the same local IP address for each IPSec policy? If you are, try changing the local IP selector to IP+Subnet mask. Also as a reminder, the number of IPSec policies is based on bandwidth limitations, and most often no more than 2 site-to-site tunnels can connect at a single time.
    Please let me know if this helps.
    Best regards,
    Wesley S.
    Cisco SBSC

  • IPSec Pass Through on ASA

    I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA, but it is not being allowed to pass through to the inside interface. I have enabled NAT-T on the third party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.
    Any thoughts?

    Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
    Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
    packet-tracer input outside udp 500 500 detail
    If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
    Please reply with packet-tracer results.
    Kind Regards,
    Kevin
    **Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

  • IPSEC Tunnel Protection and per-tunnel QOS shaping doesn't do any shaping.

    I am having a small brain implosion as to why this will not work.
    I have tried the QOS policy on the tunnel interfaces and on the ATM interface. No shaping occurs. The interfaces transmit at their leisure.
    Please can someone having a better day than me tell me what I am doing wrong?
    Below is the relevant (and standard) config. without the service-policy command applied anywhere. Any help appreciated.
    class-map match-any APPSERVERS
     match access-group name TERMINALSERVERS
    class-map match-any VOICE
     match protocol sip
     match protocol rtp
     match  dscp ef
    policy-map QOSPOLICY
     class VOICE
        priority 100
     class APPSERVERS
        bandwidth percent 33
     class class-default
        fair-queue 16
    policy-map TUNNEL
     class class-default
        shape average 350000
      service-policy QOSPOLICY
    interface Tunnel0
     bandwidth 350
     ip address 172.20.58.2 255.255.255.0
     ip mtu 1420
     load-interval 30
     qos pre-classify
     tunnel source Dialer0
     tunnel destination X.X.X.X
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile IPSECPROFILE
    interface Tunnel1
     bandwidth 350
     ip address 172.21.58.2 255.255.255.0
     ip mtu 1420
     load-interval 30
     delay 58000
     qos pre-classify
     tunnel source Dialer0
     tunnel destination Y.Y.Y.Y
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile IPSECPROFILE
    interface ATM0/0/0
     no ip address
     load-interval 30
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
     bandwidth 400
     ip address negotiated
    Thanks,
    Paul

    Hi mate,
    This is an 1841 with 12.4 (20) but I've tried it on 15.1 on a 1941 also. I get some measure of traffic reduction but I cannot fathom what it is actually doing.
    In the lab with the 1841 and a flat shaper I get this:
    policy-map SHAPE
     class class-default
        shape average 600000
    interface Tunnel0
     bandwidth 700
     service-policy output SHAPE
    R1#sh policy-map int
     Tunnel0
      Service-policy output: SHAPE
        Class-map: class-default (match-any)
          18664 packets, 26423115 bytes
          30 second offered rate 452000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 45/0/0
          (pkts output/bytes output) 18659/27808530
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
    R1#sh policy-map int
     Tunnel0
      Service-policy output: SHAPE
        Class-map: class-default (match-any)
          19044 packets, 26964413 bytes
          30 second offered rate 451000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 45/0/0
          (pkts output/bytes output) 19039/28378426
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
    It just holds the data rate around 450 kbps. ??
    Here are the types of results I get when the HQoS is applied to the Tunnel interface in the lab:
    policy-map QOS
     class IP2
        drop
     class IP3
        priority 300
     class class-default
    policy-map TUNNEL
     class class-default
        shape average 600000
      service-policy QOS
    interface Tunnel0
     bandwidth 700
     service-policy output TUNNEL
    R1#sh policy-map int
     Tunnel0
      Service-policy output: TUNNEL
        Class-map: class-default (match-any)
          14843 packets, 20884436 bytes
          30 second offered rate 362000 bps, drop rate 75000 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/3942/0
          (pkts output/bytes output) 14009/15858326
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
          Service-policy : QOS
            queue stats for all priority classes:
              Queueing
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/3942/0
              (pkts output/bytes output) 6464/9540288
            Class-map: IP2 (match-all)
              385 packets, 533940 bytes
              30 second offered rate 28000 bps, drop rate 28000 bps
              Match: access-group 102
              drop
            Class-map: IP3 (match-all)
              10411 packets, 14628188 bytes
              30 second offered rate 191000 bps, drop rate 75000 bps
              Match: access-group 103
              Priority: 300 kbps, burst bytes 7500, b/w exceed drops: 3942
            Class-map: class-default (match-any)
              4047 packets, 5722308 bytes
              30 second offered rate 143000 bps, drop rate 0 bps
              Match: any
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 7545/6318038
    This is after 10 minutes of running transfers to all endpoints to utilise the classes in the policy.
    So why don't we see shaping that moves towards the configured values?
    Thanks.

  • IPSEC Pass through

    Does the airport extreme base support ipsec pass-through for the Cisco VPN client?
    ie Can I create a VPN from a workstation connected to the base?
    Thanks.

    Hello dweldon. Welcome to the Apple Discussions!
    Try the following...
    802.11n AirPort Extreme Base Station (AEBSn) – Cisco VPN Setup
    - Run the Admin Utility
    - Click on Internet
    - Click on DHCP
    - Add a DHCP reservation for the IP address that is assigned to the machine you are connecting via VPN
    - Click on NAT
    - Check the option Enable Default Host At and enter the IP Address that you made a reservation for in the previous step.
    - Click on Advanced (Main menu at top)
    - Click on Ports
    - Click the add button (bottom left)
    - Service=DO NOT CHANGE
    - Public UDP Port(s) = 1723,1701
    - Public TCP Port(s) = BLANK
    - Private IP address = Use address from Step 4
    - Private UDP Port(s) = 1723,1701
    - Private TCP Port(s) = BLANK
    - Click Continue
    - Give your setup a name, like Cisco VPN (call it what you want)
    - Click DONE
    - Click UPDATE

  • Here is example code for HTTPS Tunneling through proxy (400 lines of code)

    Here is the source for Https Tunneling that I have gotten working. It is based on Pua Yeow Cheong's JavaWorld Tip 111. Thanks to David Lord for providing the final breakthrough that I needed.
    I have posted it here for anyone who wishes to use it. If you find any bugs, or write any improvements, please tack them onto the end of this thread.
    I have been trying to tackle this problem for quite some time, so I hope this helps a few of you out there.
    Lots of Luck,
    nightmask.
    <----- Begin Copy and Paste -------->
    import java.net.*;
    import java.io.*;
    import java.security.*;
    import sun.misc.BASE64Encoder;
    import javax.net.*;
    import javax.net.ssl.*;

    /**
     *  This example is based on JavaWorld Tip 111. Thanks to Pua Yeow Cheong for writing it.
     *  It tunnels through a proxy using the Https protocol.
     *  Thanks go to David Lord in the java forums for figuring out the main problem with Tip 111
     *  PLEASE NOTE: You need to have the JSSE 1.0.2 jars installed for this to work
     *  (the com.sun.net.ssl.* and sun.misc.BASE64Encoder classes used here belong to that era;
     *  a current JDK ships javax.net.ssl.HttpsURLConnection and java.util.Base64 instead)
     *  Downloads contents of a URL, using Proxy Tunneling and Basic Authentication
     */
    public class URLReader {

        /**
         *  The main program for the URLReader class
         */
        public static void main(String[] args) throws Exception {
            //set up strings for use in app. Change these to your own settings
            String proxyPassword = "password";
            String proxyUsername = "username";
            String proxyHost = "myproxy.com";
            String proxyPort = "3128";
            String connectionURL = "https://www.verisign.com";
            //set up system properties to indicate we are using a proxy
            System.setProperty("https.proxyHost", proxyHost);
            System.setProperty("https.proxyPort", proxyPort);
            System.setProperty("proxyHost", proxyHost);
            System.setProperty("proxyPort", proxyPort);
            System.setProperty("proxySet", "true");
            System.setProperty("http.proxyHost", proxyHost);
            System.setProperty("http.proxyPort", proxyPort);
            System.setProperty("http.proxySet", "true");
            //set up handler for jsse
            System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
            java.security.Provider prov = new com.sun.net.ssl.internal.ssl.Provider();
            Security.addProvider(prov);
            //create the connection; first attempt goes through the proxy without credentials
            URL myURL = new URL(connectionURL);
            URLConnection myConnection = myURL.openConnection();
            if (myConnection instanceof com.sun.net.ssl.HttpsURLConnection) {
                ((com.sun.net.ssl.HttpsURLConnection) myConnection).setSSLSocketFactory(
                        new SSLTunnelSocketFactory(System.getProperty("proxyHost"), System.getProperty("proxyPort")));
            }
            myConnection.setDoInput(true);
            myConnection.setDoOutput(true);
            BufferedReader in;
            try {
                System.err.println("opening Input stream1");
                in = new BufferedReader(
                        new InputStreamReader(
                        myConnection.getInputStream()));
                String inputLine;
                System.err.println("Input stream is Open1");
                while ((inputLine = in.readLine()) != null) {
                    System.err.println(inputLine);
                }
                in.close();
                System.err.println("Input stream is Closed1");
            } catch (Exception e) {
                e.printStackTrace(System.err);
                //the message can be null for plain socket errors, so guard before lower-casing it
                String tmp = (e.getMessage() == null) ? "" : e.getMessage().toLowerCase().trim();
                System.err.println("tmp *" + tmp + "*");
                if (tmp.indexOf("http") > -1) {
                    //http error message to be parsed, e.g. "http/1.1 407 proxy authentication required"
                    tmp = tmp.substring(tmp.indexOf("http")).trim();
                    System.err.println("tmp *" + tmp + "*");
                    //drop the "http/1.x" token so the status code is at the front
                    tmp = tmp.substring(8).trim();
                    System.err.println("tmp *" + tmp + "*");
                    if (tmp.startsWith("407")) {
                        //proxy authentication required: retry with a factory that sends Basic credentials
                        myURL = new URL(connectionURL);
                        myConnection = myURL.openConnection();
                        if (myConnection instanceof com.sun.net.ssl.HttpsURLConnection) {
                            ((com.sun.net.ssl.HttpsURLConnection) myConnection).setSSLSocketFactory(
                                    new SSLTunnelSocketFactory(System.getProperty("proxyHost"), System.getProperty("proxyPort"), proxyUsername, proxyPassword));
                        }
                        myConnection.setDoInput(true);
                        myConnection.setDoOutput(true);
                        try {
                            System.err.println("opening Input stream 2");
                            in = new BufferedReader(
                                    new InputStreamReader(
                                    myConnection.getInputStream()));
                            String inputLine;
                            System.err.println("Input stream is Open 2");
                            while ((inputLine = in.readLine()) != null) {
                                System.out.println(inputLine);
                            }
                            in.close();
                            System.err.println("Input stream is closed 2");
                        } catch (Exception ex) {
                            System.err.println(ex.getMessage());
                            ex.printStackTrace(System.err);
                        }
                    }
                }
            }
        }
    }

    /**
     *  SSLSocket used to tunnel through a proxy
     */
    class SSLTunnelSocketFactory extends SSLSocketFactory {
        private String tunnelHost;
        private int tunnelPort;
        private SSLSocketFactory dfactory;
        private String tunnelPassword;
        private String tunnelUserName;
        private boolean socketConnected = false;
        private int falsecount = 0;

        /**
         *  Constructor for the SSLTunnelSocketFactory object
         *@param  proxyHost  The url of the proxy host
         *@param  proxyPort  the port of the proxy
         */
        public SSLTunnelSocketFactory(String proxyHost, String proxyPort) {
            System.err.println("creating Socket Factory");
            tunnelHost = proxyHost;
            tunnelPort = Integer.parseInt(proxyPort);
            dfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }

        /**
         *  Constructor for the SSLTunnelSocketFactory object
         *@param  proxyHost      The url of the proxy host
         *@param  proxyPort      the port of the proxy
         *@param  proxyUserName  username for authenticating with the proxy
         *@param  proxyPassword  password for authenticating with the proxy
         */
        public SSLTunnelSocketFactory(String proxyHost, String proxyPort, String proxyUserName, String proxyPassword) {
            System.err.println("creating Socket Factory with password/username");
            tunnelHost = proxyHost;
            tunnelPort = Integer.parseInt(proxyPort);
            tunnelUserName = proxyUserName;
            tunnelPassword = proxyPassword;
            dfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }

        /**
         *  Sets the proxyUserName attribute of the SSLTunnelSocketFactory object
         *@param  proxyUserName  The new proxyUserName value
         */
        public void setProxyUserName(String proxyUserName) {
            tunnelUserName = proxyUserName;
        }

        /**
         *  Sets the proxyPassword attribute of the SSLTunnelSocketFactory object
         *@param  proxyPassword  The new proxyPassword value
         */
        public void setProxyPassword(String proxyPassword) {
            tunnelPassword = proxyPassword;
        }

        /**
         *  Gets the supportedCipherSuites attribute of the SSLTunnelSocketFactory
         *  object
         *@return    The supportedCipherSuites value
         */
        public String[] getSupportedCipherSuites() {
            return dfactory.getSupportedCipherSuites();
        }

        /**
         *  Gets the defaultCipherSuites attribute of the SSLTunnelSocketFactory
         *  object
         *@return    The defaultCipherSuites value
         */
        public String[] getDefaultCipherSuites() {
            return dfactory.getDefaultCipherSuites();
        }

        /**
         *  Gets the socketConnected attribute of the SSLTunnelSocketFactory object
         *@return    The socketConnected value
         */
        public synchronized boolean getSocketConnected() {
            return socketConnected;
        }

        /**
         *  Creates a new SSL Tunneled Socket
         *@param  s                         Ignored
         *@param  host                      destination host
         *@param  port                      destination port
         *@param  autoClose                 whether to close the socket automatically
         *@return                           proxy tunneled socket
         *@exception  IOException           raised by an IO error
         *@exception  UnknownHostException  raised when the host is unknown
         */
        public Socket createSocket(Socket s, String host, int port, boolean autoClose)
                 throws IOException, UnknownHostException {
            //plain TCP to the proxy, then CONNECT, then TLS layered over the established tunnel
            Socket tunnel = new Socket(tunnelHost, tunnelPort);
            doTunnelHandshake(tunnel, host, port);
            SSLSocket result = (SSLSocket) dfactory.createSocket(tunnel, host, port, autoClose);
            result.addHandshakeCompletedListener(
                new HandshakeCompletedListener() {
                    public void handshakeCompleted(HandshakeCompletedEvent event) {
                        System.out.println("Handshake Finished!");
                        System.out.println("\t CipherSuite :" + event.getCipherSuite());
                        System.out.println("\t SessionId: " + event.getSession());
                        System.out.println("\t PeerHost: " + event.getSession().getPeerHost());
                        setSocketConnected(true);
                    }
                });
            // thanks to David Lord in the java forums for figuring out this line is the problem
            // result.startHandshake(); //this line is the bug which stops Tip111 from working correctly
            return result;
        }

        /**
         *  Creates a new SSL Tunneled Socket
         *@param  host                      destination host
         *@param  port                      destination port
         *@return                           tunneled SSL Socket
         *@exception  IOException           raised by IO error
         *@exception  UnknownHostException  raised when the host is unknown
         */
        public Socket createSocket(String host, int port)
                 throws IOException, UnknownHostException {
            return createSocket(null, host, port, true);
        }

        /**
         *  Creates a new SSL Tunneled Socket
         *@param  host                      Destination Host
         *@param  port                      Destination Port
         *@param  clientHost                Ignored
         *@param  clientPort                Ignored
         *@return                           SSL Tunneled Socket
         *@exception  IOException           Raised when IO error occurs
         *@exception  UnknownHostException  Raised when the destination host is
         *      unknown
         */
        public Socket createSocket(String host, int port, InetAddress clientHost,
                int clientPort)
                 throws IOException, UnknownHostException {
            return createSocket(null, host, port, true);
        }

        /**
         *  Creates a new SSL Tunneled Socket
         *@param  host             destination host
         *@param  port             destination port
         *@return                  tunneled SSL Socket
         *@exception  IOException  raised when IO error occurs
         */
        public Socket createSocket(InetAddress host, int port)
                 throws IOException {
            return createSocket(null, host.getHostName(), port, true);
        }

        /**
         *  Creates a new SSL Tunneled Socket
         *@param  address          destination host
         *@param  port             destination port
         *@param  clientAddress    ignored
         *@param  clientPort       ignored
         *@return                  tunneled SSL Socket
         *@exception  IOException  raised when IO exception occurs
         */
        public Socket createSocket(InetAddress address, int port,
                InetAddress clientAddress, int clientPort)
                 throws IOException {
            return createSocket(null, address.getHostName(), port, true);
        }

        /**
         *  Sets the socketConnected attribute of the SSLTunnelSocketFactory object
         *@param  b  The new socketConnected value
         */
        private synchronized void setSocketConnected(boolean b) {
            socketConnected = b;
        }

        /**
         *  Sends the HTTP CONNECT request to the proxy and reads its reply headers
         *@param  tunnel           tunnel socket
         *@param  host             destination host
         *@param  port             destination port
         *@exception  IOException  raised when an IO error occurs
         */
        private void doTunnelHandshake(Socket tunnel, String host, int port) throws IOException {
            OutputStream out = tunnel.getOutputStream();
            //generate connection string; HTTP header lines are CRLF-terminated
            String msg = "CONNECT " + host + ":" + port + " HTTP/1.0\r\n"
                     + "User-Agent: "
                     + sun.net.www.protocol.http.HttpURLConnection.userAgent;
            if (tunnelUserName != null && tunnelPassword != null) {
                //add basic authentication header for the proxy (credentials are only base64, not encrypted)
                sun.misc.BASE64Encoder enc = new sun.misc.BASE64Encoder();
                String encodedPassword = enc.encode((tunnelUserName + ":" + tunnelPassword).getBytes());
                msg = msg + "\r\nProxy-Authorization: Basic " + encodedPassword;
            }
            msg = msg + "\r\nContent-Length: 0";
            msg = msg + "\r\nPragma: no-cache";
            msg = msg + "\r\n\r\n";
            System.err.println(msg);
            byte b[];
            try {
                //we really do want 7-bit ASCII as the http protocol doesnt change with locale
                b = msg.getBytes("US-ASCII");
            } catch (UnsupportedEncodingException ignored) {
                //If US-ASCII isn't there, something is seriously wrong!
                b = msg.getBytes();
            }
            out.write(b);
            out.flush();
            //read up to the blank line that ends the proxy's reply; only the status line is kept
            byte reply[] = new byte[200];
            int replyLen = 0;
            int newlinesSeen = 0;
            boolean headerDone = false;
            InputStream in = tunnel.getInputStream();
            while (newlinesSeen < 2) {
                int i = in.read();
                if (i < 0) {
                    throw new IOException("Unexpected EOF from Proxy");
                }
                if (i == '\n') {
                    headerDone = true;
                    ++newlinesSeen;
                } else if (i != '\r') {
                    newlinesSeen = 0;
                    if (!headerDone && replyLen < reply.length) {
                        reply[replyLen++] = (byte) i;
                    }
                }
            }
            //convert byte array to string
            String replyStr;
            try {
                replyStr = new String(reply, 0, replyLen, "US-ASCII");
            } catch (UnsupportedEncodingException ignored) {
                replyStr = new String(reply, 0, replyLen);
            }
            //we check for connection established because our proxy returns http/1.1 instead of 1.0
            if (replyStr.toLowerCase().indexOf("200 connection established") == -1) {
                System.err.println(replyStr);
                throw new IOException("Unable to tunnel through " + tunnelHost + ":" + tunnelPort + ". Proxy returns\"" + replyStr + "\"");
            }
            //tunneling handshake was successful
        }
    }
    <----- End Copy and Paste -------->

    BTW, if you are using an implementation in which the http/https implementation recognises the java.net.Authenticator properly, you can use that framework to do basic/digest authentication. I think Sun's JDK 1.4 supports both basic and digest for both proxies and the actual end site you connect via http/https, but I haven't tested it to be sure. I know it works with http/basic at the end host.
    Today's Ob hack:
    import java.net.*;
    import java.io.*;

    class MyAuth extends Authenticator {
        //called by the URL handler when a server or proxy answers with a 401/407 challenge
        protected PasswordAuthentication getPasswordAuthentication() {
            System.out.println("The realm '" + getRequestingPrompt() +
                "' at '" + getRequestingHost() + ":" + getRequestingPort() +
                "'\n" + "using " + getRequestingProtocol() + " is requesting " +
                getRequestingScheme().toUpperCase() + " authentication.");
            System.out.println("");
            System.out.println("What should we send them?  Let's send them ...");
            System.out.println("");
            return new PasswordAuthentication("username", "password".toCharArray());
        }
    }

    public class MyURL {
        public static void main(String[] args) throws Exception {
            // set to the authenticator you want to use.
            Authenticator.setDefault(new MyAuth());
            URL url =
                new URL("http://www.some.com/something_protected/index.htm");
            BufferedReader in = new BufferedReader(
                                    new InputStreamReader(
                                    url.openStream()));
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                System.out.println(inputLine);
            }
            in.close();
        }
    }

  • IPSec pass-through in IOS router

    Is there any command need to enable IPSec pass-through on 2800 router?

    Assuming there are no ACLs on the interfaces, no. If there are ACLs on the interface(s) then you will need to allow it through via the ACL.
    HTH and please rate.

  • Cannot establish site-site vpn tunnel through ASA 9.1(2)

    Hi,
    We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
    The site-site VPN tunnel fails to establish.
    The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
    Regards

    >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
    UDP/500
    UDP/4500 (even if you don't use NAT, the remote gateway could be located behind a NAT gateway)
    IP/50
    for testing ICMP/Echo
    If you allowed full IP-access between these two endpoints, it is more than enough.
    When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
    Can the two gateways ping each other?
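    The answer above comes down to three flows per peer pair (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50) and the advice to look in the ASA log for them. As an added illustration, not code from this thread or from Cisco, here is a small Python parser that runs over constructed syslog lines shaped like the ASA "Built ... UDP connection" (302015) and "Deny ... by access-group" (106023) messages and reports, per peer pair, which of those components were built and which the ACL dropped. The addresses, interface names and the ACL name "dmz_in" are made up for the example; the line formats are modelled on the ASA messages but are not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on Cisco ASA syslog IDs 302015 and 106023.
# Addresses (RFC 5737 documentation ranges), interface names and the ACL name
# are invented for this example.
SAMPLE_LOG = """\
%ASA-6-302015: Built inbound UDP connection 4410 for dmz:192.0.2.10/500 (192.0.2.10/500) to outside:198.51.100.20/500 (198.51.100.20/500)
%ASA-4-106023: Deny protocol 50 src dmz:192.0.2.10 dst outside:198.51.100.20 by access-group "dmz_in" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 4411 for dmz:192.0.2.10/500 (192.0.2.10/500) to outside:198.51.100.30/500 (198.51.100.30/500)
%ASA-6-302015: Built inbound UDP connection 4412 for dmz:192.0.2.10/4500 (192.0.2.10/4500) to outside:198.51.100.30/4500 (198.51.100.30/4500)
%ASA-4-106023: Deny udp src dmz:192.0.2.10/500 dst outside:198.51.100.40/500 by access-group "dmz_in" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 4413 for dmz:192.0.2.10/53 (192.0.2.10/53) to outside:198.51.100.20/53 (198.51.100.20/53)
"""

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) UDP connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"Deny (?P<proto>udp|tcp|protocol \d+) src \w+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? by access-group \"(?P<acl>[^\"]+)\""
)


def classify(proto, dport):
    """Map a protocol/destination port to the IPsec component it carries, or None."""
    if proto == "udp" and dport == 500:
        return "IKE"
    if proto == "udp" and dport == 4500:
        return "NAT-T"
    if proto == "protocol 50":
        return "ESP"
    return None


def audit_ipsec_peers(log_text):
    """Return {(src, dst): {component: 'built' | 'denied by <acl>'}} for every
    IKE / NAT-T / ESP flow found in the log text. Other traffic is ignored."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            comp = classify("udp", int(m["dport"]))
            if comp:
                report[(m["src"], m["dst"])][comp] = "built"
            continue
        m = DENY_RE.search(line)
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            comp = classify(m["proto"], dport)
            if comp:
                # A "built" entry for the same component always wins; a deny is
                # only recorded when nothing better has been seen for it.
                report[(m["src"], m["dst"])].setdefault(comp, "denied by " + m["acl"])
    return dict(report)


def missing_for_tunnel(report, src, dst):
    """List what the peer pair still lacks. IKE on UDP/500 is always required;
    ESP is required unless NAT-T (UDP/4500) was built, because with NAT-T the
    ESP payload rides inside UDP/4500 and IP protocol 50 never appears."""
    seen = report.get((src, dst), {})
    missing = []
    if seen.get("IKE") != "built":
        missing.append("IKE")
    if seen.get("NAT-T") != "built" and seen.get("ESP") != "built":
        missing.append("ESP")
    return missing


if __name__ == "__main__":
    rep = audit_ipsec_peers(SAMPLE_LOG)
    for (src, dst), comps in sorted(rep.items()):
        gaps = missing_for_tunnel(rep, src, dst)
        print(f"{src} -> {dst}: {comps}  missing: {gaps or 'nothing'}")
```

    On the constructed log the first pair has IKE but its ESP is dropped by the DMZ ACL, the second pair is complete because NAT-T carries ESP inside UDP/4500, and the third never gets past IKE. The DNS line on port 53 is ignored, which is the point of classifying by port before recording anything.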

  • HTTP-Tunneling through Apache Plug-in

    Hello,
    has anybody experience with HTTP-Tunneling of requests to a WLS
    4.5.1SP13 through an Apache-Webserver?
    I'm not able to configure the apache plug-in from weblogic to act as a
    reverse proxy for requests coming from a
    Java Client Application.
    Any Hints available?
    Remo

    "Jong Lee" <[email protected]> wrote in message
    news:3a4a9efa$[email protected]..
    >
    Remo Schnidrig <[email protected]> wrote:
    Hello Jong,
    HTTP tunneling will append ".tun" to your request.
    For apache, you can use "MatchExpression" to proxy the mime type.
    i.e: add the following line to your httpd.conf
    MatchExpression *.tun
    That is functioning. Thank you very much.
    Another question:
    What about HTTPS-Tunneling through an Apache-Server?
    How can I get everything through?
    Thank you
    Remo
    We don't support https from the bridge to the server yet.
    Jong
    What about using HTTPS-Tunneling between our Java client and the WLS
    Stronghold plug-in and HTTP-Tunneling between the plug-in and the WLS?
    If this is possible, how do I have to setup the stronghold?
    Remo

  • Which packets go through the VPN tunnel

    Guys,
    I've just added an external server IP address to go through our VPN tunnel and then out the remote site internet connection.
    How can I check that this is the path the packet is taking?
    If I do a tracert then I can't see the path?
    Thanks

    Well, you could either monitor your logs on your VPN device (whatever that may be - not specified), as long as you have the appropriate logging level. 
    For a traceroute, assuming there's a routing device on the other end of the tunnel you would traverse, you should be able to see the last hop on your end being your VPN device, and then the router or the destination host, as the next hop (and that would indicate you're 'in' the tunnel).
    A third option, and more challenging, is having a packet sniffer that knows the PSK, or has the ability to decrypt the session, and analyze the traffic from Wireshark or another packet analysis tool.
    HTH!
    -Chris

  • ISO consideration for calculation of MRP per Safetystock adds more demand

    Hi Planning experts,
    Internal Sales order consideration for aggregate demand which uses for Safetystock calculation based on MRP Planned percentage safety stock adds more demand in the warehouse.
    We have ASCP Plan where X1 warehouse procures material from X2 Inventory organization through ISO created from Plan, after transfer Planned order releases from X2 and We have Safety stock calculated based on MRP percentage method in individual warehouses.
    Since ISO considered for aggregated demand to safety stock, and acts as a individual demand for Plan adds of more demand to the plan and recommending additional Planned order supplies by ASCP engine.
    Procurement rule: X2 --->X1through ISO recommended by Plan
    Steps to Reproduce :
    Go to ISCP Responsibility > Advanced Supply Chain Planner > Workbench > Open Plan > query PWB data for X1 warehouse for any item which is procuring from X2 org, for example Item: Y1. Verify the safety stock for this item in X1 and verify the ISO created from X2 through early Planned order releases from Plan, so there is additional demand equal to ISO qty observed, where ISO qty is not required to be considered for aggregated demand used for MRP Planned percentage safety stock calculation for item Y1.
    Need to exclude ISO qty for MRP Planned safety stock calculation; please let us know how to exclude ISO for safety stock calculation, so additional supply will not be recommended by ASCP.
    Please let me know if you have any idea how to crack this issue.
    Regards,
    Kumar
    Edited by: user9093449 on Mar 2, 2010 3:14 PM

    --> What is the shortcut to change location type in APO?
    Report /SAPAPO/CHECK_LOCATION_TYPE can be used to change location type (say from 1001 to 1002 or vice-versa)
    can you check if this works - because I think you need to use /SAPAPO/CHANGE_LOCTYPE
    --> Can SAP APO be used as a stand-alone solution?
    of course, as a stand-alone planning solution it can be !!
    and the connected execution system, which need not be ECC, is to give a well rounded solution
    there are organizations that have APO alone and integrate to other execution systems, and there are companies that have implemented APO first and R3 later. there are companies that just need planning and don't have to execute it (transport planning and demand planning)
    --> How to copy a Process Chain?
    To copy a process chain to another process chain, go to the Process Chain you want to copy and then type copy in the toolbar
    also... if you dropdown on the toolbar under process chain you have a copy option... but this looks cool

  • Don't think RMI is HTTP tunneling through proxy firewall

    Hi Guys,
    Does anyone know how to monitor if RMI is using the option to HTTP tunnel through a proxy ???
    Many of our clients sit behind firewalls/proxies that enable HTTP only. I thought RMI would, as a default, use HTTP tunneling POST/RESPONSE methods to get through, but it does not.
    Would that case be, instead of using Naming.lookup("RMIServer"); that I should use
    Registry reg = LocateRegistry.getRegistry(serverAddress, serverPort);
    reg.lookup("RMIServer");
    Any help would be greatly appreciated.

    RMI doesn't have an option like that. Sockets do, and you get it for any socket including RMI by setting socksProxyHost and socksProxyPort.
    The RMI HTTP tunnelling thing happens when there is an HTTP server at the server side, which redirects the request to an RMI server via rmi-cgi.cgi or the RMI servlet. It's automatic, as a fallback, and you can enforce its use via a system property which you can find in the Javadoc Guide to Features/Remote Method Invocation/Useful java.rmi system properties.
