DHCP in EasyVpn
Hi,
I have a Cisco 1700 doing Easy VPN with a Cisco 7200. When I connect the PC, it doesn't get an IP address. The config on the interface connected to the LAN is:
interface FastEther 0
ip address 172.26.11.1 255.255.255.0
ip helper-address 172.26.80.130
ip helper-address 172.26.64.139
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ServerVPNSecure inside
My doubt is if the helper-address is valid in an Easy VPN.
Thanks for all
Yes, ip helper-address is valid in Easy VPN.
Similar Messages
-
Recently I have purchased my first Cisco ISR2 2911 with two WAN ports.
Both of them are used through Policy Based Routing. Traffic filtering is done by Trend-Micro Content Based Security.
Only Remote Access VPN is needed to finish off the configuration.
A SmartNet engineer has been trying to configure it for a month now. For a moment I even had to disconnect one of the links to prove to him that one of my ISPs is not maliciously filtering the traffic.
He tried a very basic configuration with a local DHCP pool and VPN configuration on a physical interface, but it would not connect further than the ISR.
So I have returned to the original configuration with an EasyVPN Virtual-Template interface and internal Microsoft DHCP so I can manage the pool centrally (see config below).
The Cisco VPN client gets its IP from the server but the Default Gateway IP is exactly the same; I don't think it is OK.
Currently I can PING the internal interface of the ISR from the VPN but not any inside network hosts.
Could you help please, because I have lost my hope in SmartNet.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname c2911
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-1.T.bin
boot-end-marker
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
no ipv6 cef
no ip source-route
ip domain name firma.com
ip host trps.trendmicro.com 216.104.8.100
ip name-server 10.57.124.42
ip port-map user-protocol--1 port tcp 3389
ip inspect tcp reassembly queue length 64
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend cptrendparacatdeny0
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type urlf-glob cplocclassurlfgloburlblock0
pattern *.facebook.com
parameter-map type urlf-glob cpaddbnwlocparapermit3
pattern email.btconnect.com
pattern *.email.btconnect.com
pattern *.linkedin.com
parameter-map type trend-global global-param-map
cache-entry-lifetime 48
crypto pki token default removal timeout 0
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
crypto pki trustpoint trps1_server
revocation-check none
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki trustpoint TP-self-signed-2793878619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2793878619
revocation-check none
crypto pki certificate chain Equifax_Secure_CA
certificate ca 35CF
0D010105
2AA72349
quit
crypto pki certificate chain NetworkSolutions_CA
certificate ca 10EA
308204A6
9505FB0A
quit
crypto pki certificate chain trps1_server
certificate ca 00
30820208
882BFEC3
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-2619
certificate self-signed 01
3082022B ...
D1DC12
quit
license udi pid CISCO2911/K9 sn XXXXXXXX
username xxxx privilege 15 secret 5 xxxx
redundancy
track 10 ip sla 1 reachability
delay down 15 up 15
track 20 ip sla 2 reachability
delay down 15 up 15
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 104
match protocol http
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cpaddbnwlocclasspermit3
match server-domain urlf-glob cpaddbnwlocparapermit3
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type urlfilter match-any cplocclassurlblock0
match server-domain urlf-glob cplocclassurlfgloburlblock0
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type urlfilter trend match-any cptrendclasscatdeny0
match url category Adult-Mature-Content
match url category Gambling
match url category Marijuana
match url category Nudity
match url category Pornography
match url category Violence-hate-racism
match url category Alcohol-Tobacco
match url category Chat-Instant-Messaging
match url category Cult-Occult
match url category For-Kids
match url category Games
match url category Gay-Lesbian
match url category Illegal-Drugs
match url category Sex-education
match url category Weapons
match url category Illegal-Questionable
match url category Intimate-apparel-swimsuit
match url category Peer-to-Peer
match url category Personals-Dating
match url category Proxy-Avoidance
match url category Social-Networking
match url category Spam
match url category Tasteless
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type urlfilter trend match-any cptrendclassrepdeny0
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class class-default
drop
policy-map type inspect urlfilter cppolicymap-1
parameter type urlfpolicy trend cptrendparacatdeny0
class type urlfilter cpaddbnwlocclasspermit3
allow
log
class type urlfilter cplocclassurlblock0
reset
log
class type urlfilter trend cptrendclasscatdeny0
reset
log
class type urlfilter trend cptrendclassrepdeny0
reset
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy urlfilter cppolicymap-1
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
crypto logging ezvpn
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group GROUPPOLICY1
key xxxxxxx
dns 10.57.124.42 10.57.124.159
domain firma.com
dhcp server 10.57.124.159
crypto isakmp profile ciscocp-ike-profile-1
match identity group GROUPPOLICY1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description *** LAN INTERFACE ***$FW_INSIDE$
ip address 10.57.124.254 255.255.254.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip policy route-map PBR
duplex auto
speed auto
interface GigabitEthernet0/1
description *** LINK TO BT ***$FW_OUTSIDE$$ETH-WAN$
ip address 1.1.1.210 255.255.255.240
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface GigabitEthernet0/2
description *** LINK TO BE ***$FW_OUTSIDE$$ETH-WAN$
ip address 2.2.2.154 255.255.252.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip forward-protocol nd
ip http server
ip http secure-server
ip flow-top-talkers
top 4
sort-by bytes
cache-timeout 600000
ip dns server
ip nat inside source static tcp 10.57.124.92 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 10.57.124.48 80 interface GigabitEthernet0/1 80
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.209 track 10
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 20
ip route 216.104.8.100 255.255.255.255 2.2.2.1
ip access-list extended NATTRANSLATE
remark DO NOT NAT VPN
deny ip 10.57.124.0 0.0.1.255 10.57.124.0 0.0.1.255
permit ip 10.57.124.0 0.0.1.255 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip sla 1
icmp-echo 1.1.1.209
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 2.2.2.1
frequency 5
ip sla schedule 2 life forever start-time now
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.57.124.0 0.0.1.255
access-list 10 permit 10.57.124.0 0.0.1.255
access-list 100 deny ip 10.57.124.0 0.0.1.255 213.123.26.0 0.0.1.255
access-list 100 deny ip 10.57.124.0 0.0.1.255 host 194.72.6.57
access-list 100 deny ip 10.57.124.0 0.0.1.255 host 194.73.82.242
access-list 100 deny ip host 10.57.124.48 any
access-list 100 deny ip host 10.57.124.92 any
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 2.2.2.0 0.0.3.255 any
access-list 102 permit ip 1.1.1.208 0.0.0.15 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip host a.a.a.140 host 10.57.124.92
access-list 103 permit ip host b.b.b.114.248 host 10.57.124.92
access-list 103 permit ip host c.c.c.202 host 10.57.124.92
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.57.124.48
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 2.2.2.1 1 track 20
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 1.1.1.209 2 track 10
route-map ISP2 permit 10
match ip address NATTRANSLATE
match interface GigabitEthernet0/2
route-map ISP1 permit 10
match ip address NATTRANSLATE
match interface GigabitEthernet0/1
control-plane
banner login ^CCThis system is the property of company ...
-----------------------------------------------------------------------^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 xxxxx
logging synchronous
transport input all
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.europe.pool.ntp.org source GigabitEthernet0/2
ntp server uk.pool.ntp.org prefer source GigabitEthernet0/2
end
Problem fixed.
VPN traffic has to be removed from both access lists 100 and 101 so it is not directed to a physical interface. 101 had an ‘allow any’ statement and in consequence, even though there was an injected route for EasyVPN clients, it would not be chosen over Policy Based Routing.
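The fix described in the post above, checked in code (an added example, not part of the original thread): a small evaluator for the posted `access-list 100` and `101` lines and the `PBR` route-map shows that every LAN-sourced packet, including replies to VPN clients, is policy-routed to a WAN next hop until the client range is denied in both ACLs. The client range `10.57.125.192 0.0.0.63` and the sample host addresses are assumptions; the thread does not state the pool.

```python
import ipaddress

# ACLs 100 and 101 exactly as posted in the thread.
POSTED_ACLS = """
access-list 100 deny ip 10.57.124.0 0.0.1.255 213.123.26.0 0.0.1.255
access-list 100 deny ip 10.57.124.0 0.0.1.255 host 194.72.6.57
access-list 100 deny ip 10.57.124.0 0.0.1.255 host 194.73.82.242
access-list 100 deny ip host 10.57.124.48 any
access-list 100 deny ip host 10.57.124.92 any
access-list 100 permit ip any any
access-list 101 permit ip any any
"""

# route-map PBR as posted: (sequence, ACL number, next hop).
ROUTE_MAP_PBR = [(10, "100", "2.2.2.1"), (30, "101", "1.1.1.209")]

# ASSUMPTION: range handed to VPN clients (address + wildcard); not given in the thread.
VPN_POOL = "10.57.125.192 0.0.0.63"


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (ip_int(tokens.pop(0)), 0)
    return (ip_int(head), ip_int(tokens.pop(0)))


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if (len(tokens) < 5 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
            continue  # remarks, blank lines, non-ip entries
        rest = tokens[4:]
        src = take_addr(rest)
        dst = take_addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def matches(spec, address):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wildcard = spec
    return (ip_int(address) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def acl_permits(entries, src, dst):
    for action, src_spec, dst_spec in entries:
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action == "permit"   # first match wins
    return False                        # implicit deny at the end of every ACL


def pbr_next_hop(acls, src, dst):
    """Next hop forced by route-map PBR, or None when the packet is left to
    the routing table (where the injected EasyVPN client route lives)."""
    for _seq, acl, hop in sorted(ROUTE_MAP_PBR):
        if acl_permits(acls.get(acl, []), src, dst):
            return hop
    return None


def exempt_vpn_pool(acl_text, pool=VPN_POOL):
    """Put a deny for traffic towards the VPN clients at the top of both ACLs."""
    head = "".join(f"access-list {n} deny ip any {pool}\n" for n in ("100", "101"))
    return head + acl_text


if __name__ == "__main__":
    flows = [("10.57.124.10", "10.57.125.200"),   # LAN host -> VPN client (assumed)
             ("10.57.124.48", "10.57.125.200"),   # web server -> VPN client (assumed)
             ("10.57.124.10", "8.8.8.8")]         # LAN host -> Internet
    for label, text in (("posted", POSTED_ACLS), ("fixed", exempt_vpn_pool(POSTED_ACLS))):
        acls = parse_acls(text)
        for src, dst in flows:
            print(f"{label:7} {src:>13} -> {dst:<14} PBR next hop: {pbr_next_hop(acls, src, dst)}")
```
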
SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)
Good morning Gentlemen, I need some advice. I am primarily a cisco IOS chap, but have recently been delving into some JUNOS action.
I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation to my specific Issue.
Firstly, I am not interested in Policy Based VPNs. I do not know if it is possible to use a DHCP assigned public address on remote device with a "static VTI" - when using IKE identities. However as Phase one is up, I think the issue is more to do with Phase2 proposals when not explicitly defining a Tunnel destination.
In the scenario I am trying to sort now, I have an SRX-100 device, that gets its public address from a DHCP server.
I have back at the HQ, a cisco router.
The Cisco router has various VTI tunnels out to other branch devices, that are smaller Cisco routers. These VTI tunnels are working fine - note all using static Public IP's
I have my phase1 up fine (from both sides' perspective), and am sending a local-identity hostname instead of defining a destination address on the Tunnel on the Cisco side.
JUNIPER
Index State Initiator cookie Responder cookie Mode Remote Address
5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4
CISCO
IPv4 Crypto ISAKMP SA
dst src state conn-id status
4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
A working VTI tunnel has an SA of: (Cisco perspective)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
I have tried sending this as the proxy-id on the Juniper to no avail.
The error is still:
*Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
IPSec policy invalidated proposal with error 64
*Jun 6 10:20:07.244: ISAKMP:(1110): phase 2 SA policy not acceptable!
The IPSEC transform-Set attributes are accepted though,
transform 0, ESP_3DES
*Jun 6 10:20:07.244: ISAKMP: attributes in transform:
*Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
*Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
*Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
So it is something to do with the SA/Proxy ID's being sent.
here is the Juniper Config:
proposal IKE-SHA-AES128-DH2 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-POLICY-HQ {
    mode aggressive;
    proposals IKE-SHA-AES128-DH2;
    pre-shared-key ascii-text "secretkey";
}
gateway IKE-GATEWAY {
    ike-policy IKE-POLICY-HQ;
    address 4.4.4.4;
    local-identity hostname knuckles.net;
    external-interface fe-0/0/0.0;
}
proposal HQ-IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4608000;
}
policy HQ-IPSEC-POLICY {
    proposals HQ-IPSEC-PROPOSAL;
}
vpn ROUTE-BASED-VPN-TO-HQ {
    bind-interface st0.0;
    ike {
        gateway IKE-GATEWAY;
        ipsec-policy HQ-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}
st0 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
CISCO SIDE:
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto keyring NICK-SRX
pre-shared-key hostname knuckles.net key secretkey
crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
keyring default
keyring NICK-SRX
match identity host knuckles.net
initiate mode aggressive
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile NICK-SRX-IPSEC-PROFILE
set transform-set ESP-3DES-SHA
set isakmp-profile NICK-SRX-ISAKMP-PROFILE
interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
FYI - If I use the provider-given DHCP address on the Cisco Tunnel config as a destination, the tunnel comes up immediately... So I'm thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote Cisco router also using VTI yet.
e.g.
interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
So I guess my question is: is this possible using a static VTI?
What does this command do - does it turn on dynamic VTI (all that virtual-template business) - or just tell the tunnel to expect an IKE identity?
tunnel destination dynamic
Does Dynamic VTI work with Different Vendors, and if so how can you control what VRF is assigned to the tunnels - I will need in the future multiple VRF's for each branch device, some using DHCP public addresses.
The VTI design guide does not mention Identity IKE for branch sites without using dynamic VTI.
I would like to avoid using the whole easyVPN / dynamic VTI, as I need to use multiple VRFs on the endpoints.
Perhaps this fellow has cracked it - is this the only way ???
https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel
Multiple EasyVPN Remote sites using NEM
I am installing 2 ASA 5505s at home offices with dynamic IPs. The EasyVPN server is an ASA585x. I am using the 5505s in NEM mode. I configured a unique DHCP scope on each 5505. I have a dynamic crypto map on the server. I configured unique tunnel groups, group policies and usernames for each site on the server.
This seems to work fine.
Is it normal to configure unique tunnel groups, group policies and usernames for each remote site?
Hi,
I would say yes, since you have full control over each connection profile and group-policy. Usually one single connection profile and group-policy represent one single point of failure.
You could use the same username as long as you allow enough simultaneous logins with the "vpn-simultaneous-login" command under the group-policy settings.
Portu.
Configuring SR520's EasyVPN with CCA
I have four SR 520's that I am working with. I want one to be an EasyVPN server connected to a (Nortel) phone system. I then want the other three to be clients to plug remote IP phones or workstations into to access the office network. I have read through the docs on the site and have some questions about this scenario.
I have read that you can do this with the CCA tool, and I have actually used CCA to provision one router as server, the other as client. I have xauthed and seen that the tunnel is established. However, I wasn't really able to ping through the tunnel to, say, a laptop on the other side. So, what type of IP addressing scheme do I need to implement. Do I leave the 192.168.75.0/Vlan 75 on both client and server, or do I need create a different network on the client? Is there a way that I can turn DHCP off on the client and pull one of the IP's from the Server's pool?
I guess I don't know what I should expect to see from using CCA to configure this. I thought I could do this but clearly need help.
Thanks.
Take a look at the remote teleworker implementation guide below:
http://www.cisco.com/web/partners/sell/smb/products/sbcs.html#~4
check the application note for adding Remote Workers.
The 2 items to change would be the remote LAN address to be unique per site and also in the guide replace the UC500 device as the server as your SR520. FYI we have not tested with Nortel phone systems so not sure if the remote teleworker would work or you need site to site VPN (different than EasyVPN) which is something we are targeting with the next CCA release. -
Airport can no longer get DHCP address
Hello,
I'm at the point of dumping the airport base station in the trash, but thought I would try this first.
I have broadband internet service. It worked - until mid morning today. Suddenly it will not work. The base station (old one, white - snow?), though set for DHCP, now defaults to a self-addressed 169... address. I have tried:
- powering off the base station, the cable modem, powering up one at a time, etc etc. Internet provider (insight, IL) says they don't know why the apple base station is unable to renew the DHCP lease.
- The Airport Admin Utility is set to Ethernet, using DHCP. There is no "renew DHCP lease" button there, but I have switched it to connect using modem and then switched backed to Ethernet, hit Update, and back comes Using DHCP ... with a 169.254 address.
- I can connect through the cable modem with my powerbook without a problem. The address starts with 74.134.
I take it the self-assigned IP means there was a timeout or the airport was otherwise unable to get what it considered a valid IP.
Is the base station toast?
Should I buy a router and hook it to that? Seems redundant, with my setup (two laptops, one desktop connected to base station LAN port)
I've spent several hours reading (via direct connect to the cable modem) and trying different wiring / reset combinations, and have about had it. Any thoughts most welcome.
Thanks,
Brian
It is a long while since I tried Google Toolbar, I am not sure what it changes. But I would not expect it to totally remove your options to use the ordinary toolbars.
Try:
* press the alt key on the keyboard, that may return the menu bar
* once you have the menubar View -> Toolbars -> and select which you need
* you may also use View -> Toolbars -> Customise and drag items back or use the restore default set option.
* right clicking on the toolbars also gets you to the customise and show toolbars options
Have a look at "Back and forward or other toolbar items are missing"
PS
I hope you do not need to resort to editing registry settings, the firefox 'dragons' in prefs are user friendly compared with Windows registry. Messing up firefox prefs only really affects firefox normally; whereas errors in a registry edit may prevent you from even booting the computer. -
HP LaserJet P1606dn loses its IP address in DHCP mode
Hi,
We are currently encountering what seems to us to be a strange behavior with the HP LaserJet P1606dn printer. The behavior is that, while in DHCP mode, when it goes into sleep mode, it loses its IP address.
It shouldn't be bad because it should wake up when something is sent to it and get back its IP address, but it doesn't. It gets stuck in the printing queue and we need to do an "ipconfig /flushdns" on the appropriate server so it gets back its address. This is kinda annoying because we can't even deactivate this sleep mode function; the best we can do is put it to 1 hour, which is temporary because it's still gonna lose its IP address anyway.
I have searched all over the net for an answer to our problem and the closest one I have found is one on the HP forum where the P1606dn loses its IP address in manual mode and switches to DHCP. Even though it wasn't our exact problem, the recommended solution was to update the 1606dn firmware, which we did. It sadly hasn't solved our problem. At least we aren't forced to do a flushdns every time now, and we can force it to print by printing the configuration page...
Another thing we have found is that it always, or well, very often, creates a second entry in the inversed zone of the DNS with an IP address it won't even use... It is probably important to note that when the printer loses its IP address, the information of the IPv4, the DNS and the rest of the address are all 0.0.0.0.
It seems to me that when the printer enters sleep mode, it loses its IP address so it can save energy, which would be a good thing, but then it cannot get back its IP address and, well, it's like the printer says to himself "well, I am lost and I don't know where I am neither at which address I live but hey, it's ok, everything is just fine."
Our configuration :
Windows 7 professional 64 bit on users end
Windows server 2008 r2 enterprise
The printer is connected in LAN
Has anyone stumbled across a problem like this before with this model?
Thank you
These settings are for setting up your wireless printer to stay connected to your router, keep wireless devices better connected and make your router secure and hack proof.
1. Set a static IP in the printer outside the DHCP range of the router (check your manual). This is for Linksys routers but can be used for all routers. Verify your DHCP range and change this first if needed.
2. Verify in the printer that 'Auto Off' is disabled. Use the Embedded Web Server (EWS) by going to the printer's IP address in your browser's address bar, click Settings Tab/Auto Off. Or use the Printer Assistant, Printer Home Page (EWS).
3. If the printer supports and has IPv6 enabled, turn off IPv6 in the printer.
4. If needed and you assigned a static IP address, try using 8.8.8.8 for the Manual DNS server and 8.8.4.4 preferred DNS server.
In the router: (Refer to your router manual for information)
5. Use a fixed wireless channel like 1, 6 or 11, never 'auto', try channel 1 first then the rest.
6. Set router to 20MHz only, or 145Mbps depending on router.
7. Always use WPA2-AES (Personal) encryption, but you can try ‘mixed’ mode.
8. Disable WPS and never use it and disable UPnP for the router's security. Nobody can hack your system now and helps with wireless connectivity (if you want to know why, search the web).
9. If you have a dual band router (2.4GHz and 5.0GHz bands), make sure the SSIDs are NOT the same, they must be different for all bands, even for any Guest networks.
10. SSID broadcast must be enabled.
11. Save all settings. Power off both, wait 2 mins. Power on router wait 2 mins.
12. Power on printer and verify it reconnects to router.
Windows 7/8/8.1 Is Network Discovery on or off?
Control Panel/Network and Internet/Network and Sharing Center/Advanced sharing settings.
Under Home or Work (current profile) / Network Discovery.
Select "Turn on network discovery" and save changes.
I worked for HP but now I'm retired! -
ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe
Hello guys
Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I would like to get some guidance on:
Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc. will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface, which will be addressed from another L3 network. Is this a supported configuration in ISE?
I intend to use the DHCP probe as part of device profiling and would ideally like to have just an additional ip helper to add to our switch SVI config. Also, it would appear that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
Thanks in advance
Sayre
Hello Sayre-
For Question #1:
Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
You can configure Radius and Profiling to be enabled on other interfaces
Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
Take a look at this link for more info:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
For Question #2
If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations.
The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
–Option 12—HostName of the client
–Option 60—The Vendor Class Identifier
After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
I hope this helps!
Thank you for rating helpful posts! -
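The option parsing described in the answer above, as an added example that is not part of the original posts and is not Cisco's code: a minimal parser that walks the options field of a DHCP message and pulls out option 12 and option 60. The sample packet, its hostname, vendor class and MAC address are constructed for illustration; option overload (option 52) is not handled.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
BOOTP_HEADER_LEN = 236              # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 12, 53, 60, 255

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message (the UDP payload)."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if payload[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:               # pad is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} has no length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:          # declared length runs past the packet
            raise ValueError(f"option {code} is truncated")
        options.setdefault(code, value)   # keep the first occurrence only
        i += 2 + length
    return options

def printable(raw):
    """Decode a client-supplied option value, dropping control characters."""
    if raw is None:
        return None
    return "".join(c for c in raw.decode("ascii", "replace") if c.isprintable())

def profiling_attributes(payload: bytes) -> dict:
    """Extract option 12 and option 60, plus the message type (option 53)."""
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE)
    return {"message_type": msg_type[0] if msg_type else None,
            "hostname": printable(opts.get(OPT_HOSTNAME)),
            "vendor_class": printable(opts.get(OPT_VENDOR_CLASS))}

def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST; hostname, vendor class and MAC are made up."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0:3] = b"\x01\x01\x06"                  # BOOTREQUEST, Ethernet, 6-byte MAC
    header[28:34] = bytes.fromhex("020000aabbcc")  # chaddr
    # option 53 = 3 (DHCPREQUEST), option 12, option 60, then the end marker
    opts = b"\x35\x01\x03" + b"\x0c\x09lab-pc-01" + b"\x3c\x08MSFT 5.0" + b"\xff"
    return bytes(header) + MAGIC_COOKIE + opts
```

Both values are set by the client, so the parser checks every declared length against the packet and strips control characters before the strings are logged or matched against profiling rules.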
I want to understand the differences in the way you can reserve a static address for a device on the network. I had previously set the device itself to an address and then reserved it with DHCP Client ID, which I thought was just the device's static address. I'm not sure if this was in fact correct or just happened to work. I know what a MAC address is, but I'm not really sure what the DHCP Client ID is. So it would be great if someone could clarify it, and the difference between reserving address by MAC Address or DHCP Client ID.
A MAC address is a unique identification consisting of letters and numbers in a form that looks like this:
xx:xx:xx:xx:xx:xx
Every network device has a MAC address, which can be found on a label on the bottom or back of the device. Apple calls this the Ethernet ID.
A DHCP Client ID is an optional name that you can assign to a device. For example, on your Mac....
Open System Preferences (gear icon on the dock)
Open Network
Click on Ethernet
Click Advanced at the lower right
You may be able to edit the DHCP Client ID here....for example.....you could enter MJ500's MacBook in the space provided. That would be the Client ID of your Mac. -
WRE54G and WAP54G DHCP Problem
Hi,
Please can someone help me.
Current setup:-
Cisco ASA 5505 with DHCP Server enabled on the inside interface.
Linksys WAP54G cabled directly into the above interface on the Cisco ASA.
Linksys WRE54G with a wireless connection to the above access point using the same SSID and Channel.
When connecting my laptop to the linksys access point, the laptop obtains an IP address allocated from the Cisco ASA and works perfectly.
When adding the WRE range extender into the mix and connecting my laptop via the extender, the laptop fails to obtain an IP address. The extender is connecting to the AP ok, it has 2 blue lights and I get a strong signal.
I have carried out packet captures on both my laptop and the inside interface of the Cisco ASA. The capture on my laptop shows DHCP discovery packets leaving my wireless interface, however, I receive no acknowledgement. When I run the same capture on the Cisco ASA I see the discovery packet hit the interface and a subsequent DHCP offer packet leave the interface, however, the offer packet does not reach the laptop when connecting via the extender.
Can anyone kindly offer any advice that doesn't involve throwing the extender in the bin!!?
Thanks
The WRE54G is connected after the WAP.
The router's IP is 10.10.10.254 and is configured to allocate DHCP addresses within this range.
The AP's management IP is 10.10.10.1 and the gateway is 10.10.10.254 (router address).
The Extender's management IP is 10.10.10.2 and the gateway is 10.10.10.254 (router address).
When connecting to the wireless network via the AP, it connects and receives an address.
When connecting to the wireless network via the extender, it connects but does not receive a DHCP address. Signal is strong and the extender shows both blue lights.
Message Edited by marchingontogether on 02-03-2010 06:31 AM -
Question regarding Airport and DHCP settings
I currently had a Dlink 624 router that just died. I need to get a new wifi router and was looking at the airport extreme base station...
the question I have is with Dlink my dhcp is set to send out 192.168.0.xxx to my network. The apple is 10.0.0.xxx I believe. Can you change the airport extreme base station to 192.168.0.1? and serve 192.168.0.xxx across the network? The issue I have is I have other wifi devices that are already preset to accept the 192.168.0.xxx.
AirPort Extreme Base Station Setup (AEBS) w/High-Speed Cable Modem
Modem/Router Power ReCycling
- Power-off the Cable modem, AEBS, & computer(s). (If possible, leave the modem off overnight.)
- Power-on the Cable modem; Wait at least 30 minutes.
- Power-on the AEBS; Wait at least 5 minutes.
- Power-on the computer(s)
Perform a "hard" reset of the AEBS.
- (ref: http://docs.info.apple.com/article.html?artnum=107451)
Setup the AEBS
With the network components powered down, set up the AEBS, using the AirPort Admin Utility, connect your computer directly (using an Ethernet cable) to the LAN port of the AEBS, and then, try these settings:
AirPort tab
- Base Station Name: <whatever you wish or use the default>
- AirPort Network Name: <whatever you wish or use the default>
- Create a closed network (unchecked)
- Wireless Security: Not enabled
- Channel: Automatic
- Mode: 802.11b/g Compatible
Internet tab
- Connect Using: Ethernet
- Configure: Using DHCP
- WAN Ethernet Port: Automatic
Network tab
- Distribute IP addresses (checked)
- Share a single IP address (using DHCP & NAT) (enabled)
- Use 192.168.0.1 addressing -
I recently had to replace my DSL router. My provider, Earthlink, walked me through the setup and I do have internet access if I connect directly to my Mac. When I tried to use my time capsule, it would not work. The Earthlink tech said I needed to reconfigure my time capsule to DHCP mode. I tried the set up manual and could not make sense of it. My 90 free service is long gone.
and the text in the router mode box came up DHCP and NAT, but the lettering was in a lighter shade than elsewhere and I could not open the drop down box.
You would have had to change some other settings on the AirPort to be able to make changes in the drop down Router Mode box.
Your AirPort is already configured as Earthlink suggests.
Try powering off the entire network...all devices....in any order you want
Wait a few minutes
Start the Earthlink modem first and let it run 2-3 minutes by itself
Start the Time Capsule and let it run a full minute
Keep starting other devices the same way until everything is powered back up
Check the network
If still no improvement, I think you need to let Earthlink know that you have done as they asked, and ask for more steps to try.
Hopefully, another Earthlink user will see this post and offer any special information or tips that only they would know. -
How do i use my own dhcp server with airport extreme
I just bought an airport extreme and I'm trying to replace my linksys router and another access point.
I have my own dhcp/dns server and I want to continue using it. So far, I was not able to find the way to use NAT without DHCP (like I'm doing now with my current setup).
I want to give the device another chance before I return it to the store. Is there anything I can do?
Thanks
I thought that you could figure out the answer for yourself, but if you need more confirmation.....the choices/options that you need do not exist on an AirPort router.
Cisco or Netgear might be brands to look at. Good luck in your quest. -
How do I access router setup page if the router DHCP service is disabled?
When I had DSL, my WRT54G was my DHCP master for my home network. When I got AT&T U-Verse, their "gateway" became the DHCP master and also the wireless access point. But the signal was not strong enough where I wanted to use it, so I hooked up the WRT54G again. I discovered that if I connected the U-Verse gateway to the "Internet" port on the WRT54G Linksys, then my home network was split in two, which I did not want. The WRT54G access point is physically somewhat distant from my wired computer, so I wanted to keep the U-Verse gateway as the DHCP master. (The U-Verse gateway is a router with four "computer" ports but no "Internet" port.)
I followed instructions on the Linksys web site, and using my wi-fi connected computer I re-programmed the WRT54G to be "Disabled" as a DHCP server. Then I powered down and physically connected the U-Verse gateway to a "Computer" port on the WRT54G. This solved my problem: my distant wi-fi computer now has a good signal, and both computers "see" each other.
However, now I seem to have lost access to the WRT54G setup "web page." Is it possible to access the innards of the WRT54G when its DHCP service is disabled? Or would I have to reset the device to factory configuration and start all over if I wanted to make any tweaks?
You can still access the router's web configuration pages even if the internal DHCP server is disabled and it is connected via a LAN Ethernet port to your upstream router.
Did you reserve any IP addresses on the Uverse router for static IPs?
If you did, assign one of these to the Linksys router (LAN) and you will be able to access it from your LAN. Since you are not using the WAN port, the Linksys router will not pull an IP from the Uverse router. You are using the device as a switch. -
Oracle10g Installation problem on Linux with DHCP IP
Hi,
I am new to Oracle Products, I have tried to install Oracle 10G on Linux with DHCP IP.
I got the following warning while installing even though I have loopback interface configured.
Checking Network Configuration requirements ...
Check complete. The overall result of this check is: Failed <<<<
Problem: The install has detected that the primary IP address of the system is DHCP-assigned.
Recommendation: Oracle supports installations on systems with DHCP-assigned public IP addresses. However, the primary network interface on the system should be configured with a static IP address in order for the Oracle Software to function properly. See the Installation Guide for more details on installing the software on systems configured with DHCP.
Please help me in resolving this problem or Can I ignore this message?
My Server Configurations:
[root@SQAESMRH5 Oracle_Install_Errors]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:12:3F:79:FA:2C
inet addr:10.10.121.61 Bcast:10.10.121.2 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe79:fa2c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20751998 errors:0 dropped:0 overruns:0 frame:0
TX packets:19278549 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2150795393 (2.0 GiB) TX bytes:438232502 (417.9 MiB)
Interrupt:177
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12383146 errors:0 dropped:0 overruns:0 frame:0
TX packets:12383146 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1965045834 (1.8 GiB) TX bytes:1965045834 (1.8 GiB)
[root@SQAESMRH5 Oracle_Install_Errors]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
#::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost.localdomain localhost
#::1 localhost6.localdomain6 localhost6
[root@SQAESMRH5 Oracle_Install_Errors]#
This warning means it is not recommended to install Oracle 10g on a DHCP assigned IP address. It could work, but you won't be able to configure Enterprise Manager, since this tool requires a fixed IP address. If possible, have the IP address fixed.
~ Madrid
http://hrivera99.blogspot.com/