How to enable source routing on outgoing packets?
Hi all
Perhaps some of you can help me with this. I recently read http://enclaveforensics.com/Blog/files/ … 8d9-5.html about loose source routing, and would like to do the experiment myself in an isolated network dedicated for testing purposes.
I know how to filter source routed traffic with firewalls (ip-tables), but have no idea of how to enable either loose or strict source routing in the ip-headers for those packets i'm sending out. Maybe there are some kind of setting in some configuration-file? Or are we talking the source code of an application? Kernel compilation setting? Please let me know, if you know how to do it.
And also please notice this: I've got no malicious intentions. I will only perform this in an isolated network dedicated for testing purposes. So please do not accuse me for beeing a cracker/hacker/whatever...
Thankyou
the best way to actually enable it system-wide is to use mangle table of iptables to manually enable the ipv4 options and adding the routing info with each packet, on the other hand, you can create a program with python's scapy that does LSRR and SSRR.
Last edited by Sin.citadel (2010-07-01 12:00:07)
Similar Messages
-
How to enable vibration when an Outgoing call is a...
How to enable vibration when an Outgoing call is answered.
Any chance Nokia can update the device with such feature i used to have it on my HTC HD7 really goodHi Bakkal,
Welcome to the forum!
May we know the model of your device? We appreciate your feedback; however, this feature is not present on Nokia devices. If you're using a Nokia Lumia phone, you can post your suggestion here:
http://windowsphone.uservoice.com/forums/101801-feature-suggestions
Let us know if you have another concern. Hope this helps. -
How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
Hi All,
How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
Thanks
RoopeshHi Roopesh,
Please go through this document for detailed documentation on captures:
https://supportforums.cisco.com/docs/DOC-17814
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
RRAS - Server 2012 Core - How to enable 'LAN Routing'
Hi,
how can i enable 'LAN Routing' on a Server core with RRAS Role installed via command line?
In GUI it's just 'Enable' -> Custom -> LAN-Routing. How can i do the same via command line (powershell or cmd)?
Thank you!Ok, solved it myself. (Don't know why i always solve a Problem as soon as i make a post in Forums ;D)
Set-NetIPInterface -Forwarding Enabled
so for enable Forwarding on all Adapters:
Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled -
How to enable ospf routing protocol using onePK API
hi,
I am new to CIsco routers. I want to enable a routing protocol using OnePk API. is it possible to do so?
Thanks in advanceHey @ajeni0001,
So far, there is not any document related to enabing OSPF using onePK.
As soon as I get something in the web I'll let you know.
Rgrds,
Martin, IT Specialist -
What is IP source Route ?
Please let me know what is IP source Route and why is it disable for security purpose.
Thanks in advanceHello Nitin,
Cisco routers normally accept and process source routes. Unless a network depends on it, source routing should be disabled.
Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.
Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.
Remedy:
Use the 'no ip source-route' command to disable IP source routing on the router. Refer to your router documentation for specific instructions.
Regards,
Mohit -
Hi all
This is probably not directly related to IronPort, but I'm sure you guys might be able to help.
We installed an IronPort applicane a few months ago and everything works great. Unfortunately, we forward the mails to our internal sendmail server which has to be reachable from the Internet for some legacy stuff. The sendmail box in conjunction with IronPort (smarthost) seems to enable source routing of email addresses, rendering the box an open relay.
Is there a way to drop all source routed e-mails at sendmail? Based on what I read, IronPort does drop source routed e-mails anyway.
thx
retoYou will need to disable the loose_relay_check option in Sendmail. This option turns off the default behavior of rechecking recipients using the % addressing. For example, if the recipient address is user%site@othersite, the default behavior without the loose_relay_check option is that Sendmail will check if any @othersite is an allowed relay host specified in either class R macro or the access db file. If a site is an allowed relay host, the check_rcpt ruleset strips @othersite and checks user@site for relaying. Sendmail does not recheck user@site if loose_relay_check option is set to ON.
-
Routing outgoing packets over multiple interfaces?
I have two network interfaces (eth0 and eth1) with separate IP addresses on the same subnet. All outgoing traffic uses eth0 regardless of the interface the incoming traffic came in on.
I assume the outgoing packets still have the correct source IP address (not always eth0's), and I'd like the packets to go out on the interface with the corresponding IP address.
I think I have half the solution to my problem:
http://www.novell.com/support/viewConte … Id=7000318
The other half is that my IPs are dynamic, so ddclient could change my IPs and then the routing would be invalid.
Last edited by MindlessXD (2009-02-10 07:06:16)Setup custom route tables to be used depending on the iptables conntrack marks below
ip route flush table 1
ip rule del fwmark 101 table 1
ip route add table 1 default via <ETH0 IP ADDRESS>
ip rule add fwmark 101 table 1
ip route flush table 2
ip rule del fwmark 102 table 2
ip route add table 2 default via <ETH1 IP ADDRESS>
ip rule add fwmark 102 table 2
I'm not 100% sure if you can add a route via the interfaces IP address. This code has been modified from a box using 2 different ISP's so they have different upstream routers. You might need to replace the 'via' parts with 'src'
# Ensure traffic in one interface goes back out the same interface
iptables -t mangle -F PREROUTING
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW -j MARK --set-mark 101
iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 102 -
Magic Packet - How to get my router to send one
I have the Quantum Gateway 1100 router. I have a NAS Server on my home network. The NAS server has the capability to Wake on LAN if the router can send that packet. Can anyone tell me how to get the router to send the Wake-on-Lan packet to the server. FIOS Tech Support is completely and totally useless.
Hi,
You can do a fresh installation using the installer bits available at the following link/location Download CS5.5 products
For suites, you need to download and copy both .7z and .exe in the same folder. Clicking .exe will extract all relevant installer files. You can then install the suite. Use your existing Serial number when prompted.
regards
Aj -
How to obtain source code of weka and enable to modify it
hello,
how to obtain source code of weka and enable to modify it such i want to extract code of some process that I makeHi ENG,
Since the issue regards to Weka. It is out of the support boundaries of our forum, I suggesT you post the question in the following forum:http://forums.pentaho.com/forumdisplay.php?81-Pentaho-Data-Mining-WEKA.
It is appropriate and more experts will assist you.
Regards,
Katherine Xiong
Katherine Xiong
TechNet Community Support -
Update to kichat: FAQ 2 - How to get my router to work with iChat?
kichat: FAQ 2 - How to get my router to work with iChat? December 2008 version 3
(Note to Hosts. to be removed on acceptance. Please use this to replace http://discussions.apple.com/thread.jspa?threadID=121775 )
Getting your router started with iChat.
Appropriate for using iChatAV 2 upwards. Edits have been made for iChat 4
Glossary for this FAQ
Routers: Any configurable device that sits between your computer and the internet link you have. This includes Modems that Route as well as "routers"
Routers seem to fall into two categories
Those that work straight from the box. See Apple Article HT1787
NOTE :This Article has not been updated in content since Jan 04 Only being changed to an Article from the Previous Doc listing
Even then some list that they need tweaks.
and those that do not.
This post will deal with what you may need to look at.
First off make sure your device is acting as a DHCP server. (if you are already on the internet you may not have to bother with this.)
Check in the Tiger System Preferences > Network Preference Pane, in the "Built in Ethernet" option from the "Show" drop down list.
In Leopard the Networks are listed on the left with icons. The Airport Option will need you to access the Advance Button for the Next bit.
Make sure the TCP/IP tab is the 'front' one. You should be able to see Configure IPv4 and it most likely reads Using DCHP. Make a note of your IP address. It will start 10.xxx.xxx.xxx or 192.168.xxx.xxx (the 'x' s will stand for any number between 1 and 255). The range 172.16.xxx.xxx is also a possible value at this point. Rarely used, but it is part of the RFC for Address Allocation for Private Internets.
Your router is most likely to be configurable from your browser. You will need to find the IP address to type into the browser from any Readme or PDF files that came on the install disk or visit the makers website and download a manual.
The Port Forward.com site lists many devices and clicking on one will take you to a list of Applications. This iChat will open an page that will start by telling you the defaults to access the device
Opening or Allowing ports. Several Methods not all devices have all of them.
DMZ (Demilitarised Zone)
This is a less secure setting that basically opens all ports and points the incoming data to your computer. (not helpful if you have more than one computer on your LAN). It can be considered as an extreme form of Port Forwarding
Port Forwarding (also Virtual Server or Pin Holes)
These settings are usually found in an Advanced setting.
You may need to set an incoming IP address (Usually 0.0.0.0 to any outside server), a port that data will arrive on, the Inside computer's IP address (your computer) and the port it will deal with the data on and the protocol it will use.
See this pic for an example of the description above.
In this example shows that on some Port AND Protocols need to be listed.
iChat uses TCP and UDP so some devices will need the ports listed one by one and some settings done twice, once for each protocol. The example above has a "Both" setting
See Apple Article HT1507 Previously Doc 93208 for more information. This is the Tiger iChat 3 list. The same ports are needed for Leopard except for these changes
My Note 2:
On the first link Note 1 under tables in that link would be better if it read:
" 1. All iChat AV traffic is UDP -
except for ports 5190 and 5298, which need to be open for both TCP as well;
and 5220, 5222, which need to be open for TCP only. "
Note 2
GoggleTalk needs port 5223 on TCP. Also note the Server name for iChat 3 set ups
UPnP Universal Plug n Play.
This is a simple Plug and Play type of setting. iChat can find it's own way through a router if the device has this capability.
By Not doing Port Forwarding, Triggering or DMZ and enabling UPnP the application is allowed to control the modem and the ports that are open.
They close after the application has finished with them on a timed basis.
On some devices the number of "hops" (how far away the UPnP can be "seen") can be reduced from a default of 4)
Trigger Ports
Some devices offer a security measure that works by a first or trigger port receiving a data packet and then opening further ports when accepted.
The first port for incoming Video or Audio invites is port 5678.
Pre iChat 4
When you click on the invite window the process moves in to port 5060 (so these will need to be opened by the trigger port) for negotiating the final group of ports from the group of 20 (16384-16403 These will need to open when the trigger says so as well). Therefore port 5678 triggers ports 5678, 5060, 16384-16403. All on UDP. Port 5190 neeeds to trigger port 5190 for both TCP and UDP.
See this variation where only the ports listed above are completed.
The other single ports need to be set one by one in addition. (5220,5222, 5223 5297, 5298, 5353)Replace
iChat 4
The port used in IChat 4 is port 16402 instead of port 5060. The group of 20 ports is reduced to 10 (16393-16402). This is because all the In and Out Audio and Video data is on one port. Other that than the settings are the same.
At this time there is no Info on the ports the Screen Sharing in iChat 4 uses.
Wireless
Here you will have to read around but this Apple Article TA25949 Previously Doc 58514 might be a good starting place.
Essentially whether you are wireless or Ethernet to your routing device makes very little difference to the way you do things.
Your computer will get two IPs from a DHCP server if you are connected by both methods. (iChat does not like this)
Multiple devices
Make sure only one is acting as a DHCP server. Make sure wireless devices are bridged properly.
Further Help
I have found that this site (ADSLGuide) to be helpful.
It is British based but I have linked you to the Apple Related Discussions Forum.
Eliminating Problems on my Personal web pages.
The ports and their function within iChat. (my personal Web pages again)
This is not a step by step approach. You will have to read around the information about your device.
Collected FAQs and Expansions: Index Page Based on FAQs here by EZ Jim and myself
Also http://www.portforward.com/routers.htm for instructions with Pics on Port Forwarding and access info as mentioned earlier.
Click on your device.
Select iChat on the next page.
Follow the info on the next.
This site is godd for finding out the Default IP to use in a web browser and the default User ID and Passwords needed to do so.
Gives you a chance to look at at pics to give clues to where some of these other things are.
With thanks to Macmuse for comment on the Original (Aug 23rd 2004)
and to EZ Jim for his work on iSights on my web pages.
I may receive some form of compensation, financial or otherwise, from my recommendation or link.
9:51 PM Saturday; December 6, 2008kichat: FAQ 2 - How to get my router to work with iChat? December 2008 version 3
(Note to Hosts. to be removed on acceptance. Please use this to replace http://discussions.apple.com/thread.jspa?threadID=121775 )
Getting your router started with iChat.
Appropriate for using iChatAV 2 upwards. Edits have been made for iChat 4
Glossary for this FAQ
Routers: Any configurable device that sits between your computer and the internet link you have. This includes Modems that Route as well as "routers"
Routers seem to fall into two categories
Those that work straight from the box. See Apple Article HT1787
NOTE :This Article has not been updated in content since Jan 04 Only being changed to an Article from the Previous Doc listing
Even then some list that they need tweaks.
and those that do not.
This post will deal with what you may need to look at.
First off make sure your device is acting as a DHCP server. (if you are already on the internet you may not have to bother with this.)
Check in the Tiger System Preferences > Network Preference Pane, in the "Built in Ethernet" option from the "Show" drop down list.
In Leopard the Networks are listed on the left with icons. The Airport Option will need you to access the Advance Button for the Next bit.
Make sure the TCP/IP tab is the 'front' one. You should be able to see Configure IPv4 and it most likely reads Using DCHP. Make a note of your IP address. It will start 10.xxx.xxx.xxx or 192.168.xxx.xxx (the 'x' s will stand for any number between 1 and 255). The range 172.16.xxx.xxx is also a possible value at this point. Rarely used, but it is part of the RFC for Address Allocation for Private Internets.
Your router is most likely to be configurable from your browser. You will need to find the IP address to type into the browser from any Readme or PDF files that came on the install disk or visit the makers website and download a manual.
The Port Forward.com site lists many devices and clicking on one will take you to a list of Applications. This iChat will open an page that will start by telling you the defaults to access the device
Opening or Allowing ports. Several Methods not all devices have all of them.
DMZ (Demilitarised Zone)
This is a less secure setting that basically opens all ports and points the incoming data to your computer. (not helpful if you have more than one computer on your LAN). It can be considered as an extreme form of Port Forwarding
Port Forwarding (also Virtual Server or Pin Holes)
These settings are usually found in an Advanced setting.
You may need to set an incoming IP address (Usually 0.0.0.0 to any outside server), a port that data will arrive on, the Inside computer's IP address (your computer) and the port it will deal with the data on and the protocol it will use.
See this pic for an example of the description above.
In this example shows that on some Port AND Protocols need to be listed.
iChat uses TCP and UDP so some devices will need the ports listed one by one and some settings done twice, once for each protocol. The example above has a "Both" setting
See Apple Article HT1507 Previously Doc 93208 for more information. This is the Tiger iChat 3 list. The same ports are needed for Leopard except for these changes
My Note 2:
On the first link Note 1 under tables in that link would be better if it read:
" 1. All iChat AV traffic is UDP -
except for ports 5190 and 5298, which need to be open for both TCP as well;
and 5220, 5222, which need to be open for TCP only. "
Note 2
GoggleTalk needs port 5223 on TCP. Also note the Server name for iChat 3 set ups
UPnP Universal Plug n Play.
This is a simple Plug and Play type of setting. iChat can find it's own way through a router if the device has this capability.
By Not doing Port Forwarding, Triggering or DMZ and enabling UPnP the application is allowed to control the modem and the ports that are open.
They close after the application has finished with them on a timed basis.
On some devices the number of "hops" (how far away the UPnP can be "seen") can be reduced from a default of 4)
Trigger Ports
Some devices offer a security measure that works by a first or trigger port receiving a data packet and then opening further ports when accepted.
The first port for incoming Video or Audio invites is port 5678.
Pre iChat 4
When you click on the invite window the process moves in to port 5060 (so these will need to be opened by the trigger port) for negotiating the final group of ports from the group of 20 (16384-16403 These will need to open when the trigger says so as well). Therefore port 5678 triggers ports 5678, 5060, 16384-16403. All on UDP. Port 5190 neeeds to trigger port 5190 for both TCP and UDP.
See this variation where only the ports listed above are completed.
The other single ports need to be set one by one in addition. (5220,5222, 5223 5297, 5298, 5353)Replace
iChat 4
The port used in IChat 4 is port 16402 instead of port 5060. The group of 20 ports is reduced to 10 (16393-16402). This is because all the In and Out Audio and Video data is on one port. Other that than the settings are the same.
At this time there is no Info on the ports the Screen Sharing in iChat 4 uses.
Wireless
Here you will have to read around but this Apple Article TA25949 Previously Doc 58514 might be a good starting place.
Essentially whether you are wireless or Ethernet to your routing device makes very little difference to the way you do things.
Your computer will get two IPs from a DHCP server if you are connected by both methods. (iChat does not like this)
Multiple devices
Make sure only one is acting as a DHCP server. Make sure wireless devices are bridged properly.
Further Help
I have found that this site (ADSLGuide) to be helpful.
It is British based but I have linked you to the Apple Related Discussions Forum.
Eliminating Problems on my Personal web pages.
The ports and their function within iChat. (my personal Web pages again)
This is not a step by step approach. You will have to read around the information about your device.
Collected FAQs and Expansions: Index Page Based on FAQs here by EZ Jim and myself
Also http://www.portforward.com/routers.htm for instructions with Pics on Port Forwarding and access info as mentioned earlier.
Click on your device.
Select iChat on the next page.
Follow the info on the next.
This site is godd for finding out the Default IP to use in a web browser and the default User ID and Passwords needed to do so.
Gives you a chance to look at at pics to give clues to where some of these other things are.
With thanks to Macmuse for comment on the Original (Aug 23rd 2004)
and to EZ Jim for his work on iSights on my web pages.
I may receive some form of compensation, financial or otherwise, from my recommendation or link.
9:51 PM Saturday; December 6, 2008 -
ISR router cannot receive packets addressed to itself?
Hello, Support Team and All Members,
I have a C881G router connected to 2 different ISP networks with a failover function configured and running properly. The following is a simple network diagram:
The main WAN traffic goes through the ISP 1 LTE network and the router, provided by that ISP. The DMS Host on that router points to our C881G router Fa4 WAN interface (192.168.1.10), so the ISP 1 NAT Router is practically transparent to our traffic. Our C881G tracks the DNS server within the ISP 1 network (194.dns.isp.1) and in case of it's inaccessibility the traffic is switched to the backup link, served by the on-board HSPA+ modem (interface Dialer0 of our C881G), connected to the ISP 2 HSPA network. It works fine, but the problem is with the PPTP connections from outside to the C881G router. The PPTP calls work always from the PPTP Client 2 PC (directly connected to the Fa4 subnet), but from PPTP Client 1 PC it works only in the failover mode - when all traffic goes through the ISP 2. The incoming path via ISP 1 does not work. The problem is rather not connected to the PPTP VPN, GRE, authentication or encryption, because just the first TCP 1723 SYN packets are dropped at Fa4 much earlier by the C881G router. The debug ip packet detail shows the following routing decision:
IP: s=194.xxx.yyy.80 (FastEthernet4), d=192.168.1.10, len 40, input feature
TCP src=4241, dst=1723, seq=791503628, ack=4111924253, win=0 ACK RST, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
FIBipv4-packet-proc: route packet from FastEthernet4 src 194.xxx.yyy.80 dst 192.168.1.10
FIBfwd-proc: Default:192.168.1.10/32 receive entry
FIBipv4-packet-proc: packet routing failed
All other packets addressed from outside networks to the router itself and received via the Fa4 are also dropped in this way. All packets sent to Fa4 from the local subnet 192.168.1.0 are accepted. The routing table shows only standard connected interfaces and 1 static route to the 194.dns.isp.1 via 192.168.1.1, which is also the tracked gateway of last resort.
Router runs the CEF.
I cannot locate in the following configuration file any statement preventing the packets addressed to the router itself:
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname C881_xyz
boot-start-marker
boot-end-marker
logging buffered 8192
no logging console
no logging monitor
no aaa new-model
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto ...
... <removed for sanity>
crypto pki ...
ip dhcp excluded-address 192.168.70.1 192.168.70.99
ip dhcp excluded-address 192.168.70.180 192.168.70.254
ip dhcp excluded-address 192.168.71.1 192.168.71.99
ip dhcp excluded-address 192.168.71.180 192.168.71.254
ip dhcp pool ccp-pool
import all
network 192.168.70.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.70.1
lease 0 12
ip dhcp pool NVR
import all
network 192.168.71.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.71.1
lease 0 12
ip domain name mydomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid C881G+7-K9 sn ***********
username admin privilege 15 secret 5 ******************************
controller Cellular 0
track 1 ip sla 1 reachability
delay down 1 up 30
interface FastEthernet0
description All VLANs Trunk
switchport mode trunk
no ip address
interface FastEthernet1
description VLAN 1 - LAN Main
no ip address
interface FastEthernet2
description VLAN 20 - LAN NVR
switchport access vlan 20
no ip address
interface FastEthernet3
description Traffic Monitoring only
no ip address
interface FastEthernet4
description WAN SP1$ETH-WAN$
ip address 192.168.1.10 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered FastEthernet4
peer default ip address pool vpn_pptp_pool
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
interface Vlan1
description LAN Main
ip address 192.168.70.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan20
description LAN NVR
ip address 192.168.71.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
dialer-group 1
ip local policy route-map track-primary-if
ip local pool vpn_pptp_pool 192.168.70.180 192.168.70.199
ip forward-protocol nd
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 32
sort-by bytes
cache-timeout 600000
ip nat inside source route-map ISP_1 interface FastEthernet4 overload
ip nat inside source route-map ISP_2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 253
ip route 194.dns.isp.1 255.255.255.255 192.168.1.1
ip sla auto discovery
ip sla 1
icmp-echo 194.dns.isp.1 source-interface FastEthernet4
frequency 10
ip sla schedule 1 life forever start-time now
logging trap debugging
dialer-list 1 protocol ip permit
route-map track-primary-if permit 1
match ip address 100
set interface FastEthernet4
route-map Static_ISP_2 permit 10
match interface Dialer0
route-map Static_ISP_1 permit 10
match interface FastEthernet4
route-map ISP_2 permit 10
match ip address 1
match interface Dialer0
route-map ISP_1 permit 10
match ip address 1
match interface FastEthernet4
access-list 1 remark List for outside NATs
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.71.0 0.0.0.255
access-list 100 remark CCP_ACL Category=0
access-list 100 permit icmp any host 194.dns.isp.1
access-list 105 remark List for debugging local ICMP tests
access-list 105 remark CCP_ACL Category=16
access-list 105 permit icmp any any
control-plane
line con 0
no modem enable
line aux 0
line 3
script dialer gsm
modem InOut
no exec
transport input all
rxspeed 21600000
txspeed 5760000
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
ntp update-calendar
ntp server 195.time.srv.1
end
Do you have an idea what can be the reason of that behaviour?
I really appreciate your suggestions,
MaciexHello Maciex,
I am afraid that the debug ip packet detailed has led you to a wrong conclusion. Whatever the "forus FALSE" means, it does not indicate that the router refuses to consider the packet as addressed to itself. I've just concocted a very quick test - two routers connected back to back, one is 10.0.1.1/24, the other is 10.0.1.2/24. I am pinging 10.0.1.2 from 10.0.1.1 and this is what 10.0.1.2 shows me:
*Aug 4 23:09:38.067: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, input feature
*Aug 4 23:09:38.071: ICMP type=8, code=0, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Aug 4 23:09:38.079: FIBipv4-packet-proc: route packet from Ethernet2/1 src 10.0.1.1 dst 10.0.1.2
*Aug 4 23:09:38.083: FIBfwd-proc: Default:10.0.1.2/32 receive entry
*Aug 4 23:09:38.083: FIBipv4-packet-proc: packet routing failed
*Aug 4 23:09:38.087: IP: tableid=0, s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), routed via RIB
*Aug 4 23:09:38.091: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), len 100, rcvd 3
*Aug 4 23:09:38.095: ICMP type=8, code=0
*Aug 4 23:09:38.099: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, stop process pak for forus packet
*Aug 4 23:09:38.103: ICMP type=8, code=0
*Aug 4 23:09:38.107: FIBipv4-packet-proc: route packet from (local) src 10.0.1.2 dst 10.0.1.1
*Aug 4 23:09:38.111: FIBfwd-proc: packet routed by adj to Ethernet2/1 10.0.1.1
*Aug 4 23:09:38.111: FIBipv4-packet-proc: packet routing succeeded
*Aug 4 23:09:38.115: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending
*Aug 4 23:09:38.119: ICMP type=0, code=0
*Aug 4 23:09:38.127: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending full packet
*Aug 4 23:09:38.131: ICMP type=0, code=0
Note that even here, the router said the same as yours - and yet it did respond successfully to the ping request.
There is, I am afraid, a more mundane problem. PPTP is generally incompatible with PAT. PPTP uses two data streams: one is the control channel run over TCP port 1723, the other is the actual tunneled traffic - however, that traffic is essentially GRE-encapsulated, put directly into IP packets with no port information (there is no TCP/UDP involved). Without special support on the ISP 1 NAT box, PPTP sessions will not be able to pass through it. You will have to negotiate this with your ISP 1 - ask him to configure its NAT box with PPTP Application Layer Gateway support and allow IP protocol 47 (GRE).
This would explain why the PPTP Client 2 can always connect to your router - it is because there is no NAT/PAT/FW between the client and the router. It would also explain why Client 1 is able to connect over ISP 2 - because on that path, there is no NAT/PAT/FW box apparently present and there is a direct connectivity to the public IP address of your router.
Try talking to your ISP 1 about this.
Best regards,
Peter -
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecti
ng AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with priv¾ilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciatedHello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router. -
How to configure static route on RHEL 3 A/S
I have a (very) large amount of data to move through a Gigabit connection
shortly. I want to use a newly-configured gigabit PCI-X card in a Dell
server to accomplish this. The other interfaces are 100 Mbps.
If I want to add a route (static route) to force outgoing packets that
are destined for a particular host to use that interface (eth3 on this host)
then how do I do that? System is RedHat Enterprise Linux 3AS.
I suspect this involved the "add route default" command or whatever
the syntax is -- I did it for Solaris years ago but don't remember
exactly.
$ Linux host1.localdomain 2.4.21-57.ELhugemem #1 SMP Fri Jun 13 00:09:04 EDT 2008 i686 i686 i386 GNU/Linux
$ ifconfig eth3
eth3 Link encap:Ethernet HWaddr 00:0A:5E:7A:E7:33
inet addr:10.156.30.176 Bcast:10.156.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:619971 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44019924 (41.9 Mb) TX bytes:256 (256.0 b)
Interrupt:24
Thanks in advance.I agree. Using the /binroute command is not recommended for newbies, or even oldies. There is more infrastructure behind the scenes than just the routing table and using the "redhat-config-network" or "system-config-network" tool does the right thing, so you don't have to.
I mentioned it only for completeness. -
Source Routing - Connection Manager
Hi,
I need some help understanding the following source routing function of Connection Manager. The book says:
"Source routing is used with Connection Manager. CM servers as a proxy server for Oracle Net traffic, enabling Oracle Net traffic to be routed securely though a firewall. Oracle Net treats the addresses as a list of relays, connecting to the first address that then requesting to be passed from the first to the second until the destination is reached. It differs from failover and load balancing in that all addresses are used each time a connection is made".
I do understand it is possible to configure CM in such a way that it can act as a firewall, accepting and rejecting connections based on certain criteria. What I do not understand is the second part where the addresses are treated as a list of relays. Why would something like this be necessary and how could that be configured in CM.
Any help would be greatly appreciated....
Thanks in advance.Hi,
Oracle connection manager enables greater resource utilization for increased scalability,
multiprotocol connectivity and secure network acces control.
Example tnsnames.ora:
CMExample.world =
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=
(PROTOCOL=tcp)
(PORT=1610)
(HOST=CM_SERVER)
(ADDRESS=
(PROTOCOL=tcp)
(PORT=1521)
(HOST=LSNR_SERVER)
(CONNECT_DATA=
(SID=ORCL)
(SOURCE_ROUTE=yes)
Example cman.ora:
cman = (ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1610))
(ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1620))
cman_profile = (parameter_list=
(MAXIMUM_RELAYS=1024)
(LOG_LEVEL=1)
(TRACING=no)
(RELAY_STATISTICS=yes)
(SHOW_TNS_INFO=yes)
(USE_ASYNC_CALL=yes)
(AUTHENTICATION_LEVEL=1)
Configuring CM for Network Acces Control(Firewall support):
Example:
cman = (ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1610))
(ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1620))
cman_rules = (rule_list=
(rule=(src=spcstn)(dst=x)(srv=x)(act=accept))
"For more information Note:126079.1"
Maybe you are looking for
-
What is the difference between HUI emulation and MMC?
This may help clear up my issues with dm24 & LE. I am trying to have channels 1-24 of the Tascam dm 24 control volume and pan..etc for tracks 1-24 of LE (AUDIO, Midi and or softsyths, inst), without having to use the mouse to select the LE tracks dir
-
Problem With Business Object and printing job
Hello, We are encountering a problem with the application "Business Objects FINANCE", and we would need your help quickly. In the application , itu2019s impossible to print Consolidated Subsidiaries nor the Securities Held. If we try so, the applicat
-
Missing 50GB's after installing Leopard on new HD-best way to re-install
I installed Leopard on a G5 tower with 2 new 750 GB's seagate drives. Disk Utility shows a total capacity of 698.6 GB's out of 750 GB's so I am missing 50 GB's. Also first aide hangs up on Verify/repair disk permissions. It looks like I am dealing wi
-
Hi Gurus, Need help, in finding user exit which is called once the shipment is saved. I found USER EXIT: V56UCHCO Checking of Shipments for Completeness FUNCTION MODULE: EXIT_SAPLV56U_002 But this doesn't called up and shipment is still in process. I
-
Oraclebinary and log raw datatypes
hi i have a table (oracle XE 10g) with a column LONG RAW data types, the column contains a XML file for XSLT tranformation. i want read th column and i write this code but it don't works!!! Private Sub leggiRiparto() Dim codiceProvincia As String Dim