How to enable source routing on outgoing packets?

Hi all
Perhaps some of you can help me with this. I recently read http://enclaveforensics.com/Blog/files/ … 8d9-5.html about loose source routing, and would like to do the experiment myself in an isolated network dedicated for testing purposes.
I know how to filter source-routed traffic with firewalls (iptables), but have no idea how to enable either loose or strict source routing in the IP headers of the packets I'm sending out. Maybe there is some kind of setting in some configuration file? Or are we talking about the source code of an application? A kernel compilation setting? Please let me know if you know how to do it.
And also please notice this: I've got no malicious intentions. I will only perform this in an isolated network dedicated for testing purposes. So please do not accuse me of being a cracker/hacker/whatever...
Thank you

The best way to actually enable it system-wide is to use the mangle table of iptables to manually enable the IPv4 options and add the routing info to each packet; on the other hand, you can create a program with Python's scapy that does LSRR and SSRR.
Last edited by Sin.citadel (2010-07-01 12:00:07)
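Added example, not part of the thread above: the option bytes that scapy's IPOption_LSRR / IPOption_SSRR classes emit can also be built by hand, which makes the on-wire format clear and works without scapy. The block below encodes an LSRR or SSRR option per RFC 791 (type 131 or 137, length, pointer starting at 4, then the 4-byte route entries), puts it in a raw IPv4 header with a valid checksum, and includes the decoder that a firewall or IDS uses when it decides to drop such packets. The addresses are placeholders for an isolated lab; the optional raw-socket send needs root and is left commented out.

```python
import socket
import struct

# IPv4 option type octets (RFC 791): copied flag set, class 0, numbers 3 and 9.
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def source_route_option(hops, strict=False):
    """Encode an LSRR/SSRR option: type, length, pointer (starts at 4), then
    the 4-byte route entries. Padded with end-of-option-list octets (0) so
    the header stays 32-bit aligned."""
    if not 1 <= len(hops) <= 9:
        raise ValueError("1 to 9 hops fit in the 40-byte option space")
    route = b"".join(socket.inet_aton(h) for h in hops)
    kind = IPOPT_SSRR if strict else IPOPT_LSRR
    opt = struct.pack("!BBB", kind, 3 + len(route), 4) + route
    return opt + b"\x00" * (-len(opt) % 4)


def ipv4_checksum(data):
    """Standard one's-complement sum over 16-bit words (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, first_hop, options, payload, proto=1, ttl=64, ident=0x1234):
    """IPv4 header with options. Per RFC 791 the destination field carries the
    *next* hop of a source route; the final destination is the last route entry."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(first_hop)) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_echo(ident=1, seq=1, data=b"source-route"):
    """ICMP echo request payload (constructed test data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]


def parse_source_route(packet):
    """Walk the option field of an IPv4 header. Returns (kind, pointer, hops)
    or None. This is the check a firewall or IDS performs when it drops
    source-routed packets (Linux does so by default via
    net.ipv4.conf.*.accept_source_route = 0)."""
    ihl = (packet[0] & 0x0F) * 4
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # no-op padding
            i += 1
            continue
        if i + 1 >= len(opts):        # truncated option
            break
        length = opts[i + 1]
        if length < 2:                # malformed: guard against an infinite loop
            break
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            route = opts[i + 3:i + length]
            hops = [socket.inet_ntoa(route[j:j + 4]) for j in range(0, len(route), 4)]
            return ("SSRR" if kind == IPOPT_SSRR else "LSRR", opts[i + 2], hops)
        i += length
    return None


def send_raw(packet, first_hop):
    """Transmit a hand-built header (needs root / CAP_NET_RAW). With IPPROTO_RAW
    Linux treats the buffer as a complete IP packet, so the option is kept."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (first_hop, 0))


if __name__ == "__main__":
    # Lab placeholders: this host 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3 -> 10.0.0.4 (final).
    opt = source_route_option(["10.0.0.3", "10.0.0.4"])
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", opt, icmp_echo())
    print(parse_source_route(pkt))
    # send_raw(pkt, "10.0.0.2")
```

Two things to watch when repeating the experiment: every hop that should forward the packet must have accept_source_route enabled (and ip_forward set), and a capture on the final host will show the intermediate addresses written back into the option as the pointer advances, which is exactly the topology leak the blog post describes.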

Similar Messages

  • How to enable vibration when an Outgoing call is a...

    How to enable vibration when an Outgoing call is answered.
    Any chance Nokia can update the device with such a feature? I used to have it on my HTC HD7; it was really good.

    Hi Bakkal,
    Welcome to the forum!
    May we know the model of your device? We appreciate your feedback; however, this feature is not present on Nokia devices. If you're using a Nokia Lumia phone, you can post your suggestion here: 
    http://windowsphone.uservoice.com/forums/101801-feature-suggestions
    Let us know if you have another concern. Hope this helps.

  • How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi All,
    How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
    Thanks
    Roopesh

    Hi Roopesh,
    Please go through this document for detailed documentation on captures:
    https://supportforums.cisco.com/docs/DOC-17814
    Hope that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • RRAS - Server 2012 Core - How to enable 'LAN Routing'

    Hi,
    how can I enable 'LAN Routing' on a Server Core with the RRAS role installed via the command line?
    In the GUI it's just 'Enable' -> Custom -> LAN Routing. How can I do the same via the command line (PowerShell or cmd)?
    Thank you!

    Ok, solved it myself. (Don't know why I always solve a problem as soon as I make a post in forums ;D)
    Set-NetIPInterface -Forwarding Enabled
    So, to enable forwarding on all adapters:
    Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled

  • How to enable ospf routing protocol using onePK API

    hi,
    I am new to Cisco routers. I want to enable a routing protocol using the onePK API. Is it possible to do so?
    Thanks in advance

    Hey @ajeni0001,
    So far, there is not any document related to enabling OSPF using onePK.
    As soon as I get something in the web I'll let you know.
    Rgrds,
    Martin, IT Specialist

  • What is IP source Route ?

    Please let me know what IP source route is and why it is disabled for security purposes.
    Thanks in advance

    Hello Nitin,
    Cisco routers normally accept and process source routes. Unless a network depends on it, source routing should be disabled.
    Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.
    Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.
    Remedy:
    Use the 'no ip source-route' command to disable IP source routing on the router. Refer to your router documentation for specific instructions.
    Regards,
    Mohit 

  • Source Routing and Sendmail

    Hi all
    This is probably not directly related to IronPort, but I'm sure you guys might be able to help.
    We installed an IronPort appliance a few months ago and everything works great. Unfortunately, we forward the mails to our internal sendmail server, which has to be reachable from the Internet for some legacy stuff. The sendmail box in conjunction with IronPort (smarthost) seems to enable source routing of email addresses, rendering the box an open relay.
    Is there a way to drop all source routed e-mails at sendmail? Based on what I read, IronPort does drop source routed e-mails anyway.
    thx
    reto

    You will need to disable the loose_relay_check option in Sendmail. This option turns off the default behavior of rechecking recipients using the % addressing. For example, if the recipient address is user%site@othersite, the default behavior without the loose_relay_check option is that Sendmail will check if any @othersite is an allowed relay host specified in either class R macro or the access db file. If a site is an allowed relay host, the check_rcpt ruleset strips @othersite and checks user@site for relaying. Sendmail does not recheck user@site if loose_relay_check option is set to ON.
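The recheck the answer above describes, written out as a small Python model (added here; this is not sendmail's code and simplifies its rulesets). `relay_domains` stands in for class R and the access db RELAY entries; with `loose_relay_check` on, a trusted outer domain is enough and the inner address behind the `%` is never examined, which is why the box becomes an open relay.

```python
def peel_percent_hack(address):
    """One step of the %-hack rewrite: user%site@outer -> user@site.
    Returns None when the local part carries no further route."""
    local, _, _outer = address.rpartition("@")
    if "%" not in local:
        return None
    inner_local, _, inner_domain = local.rpartition("%")
    return f"{inner_local}@{inner_domain}"


def relay_decision(rcpt, relay_domains, loose_relay_check=False):
    """Return (accept, effective_recipient) for one RCPT TO argument.

    Without loose_relay_check the inner address is re-checked after every
    strip (the default check_rcpt behaviour); with it, the outer domain
    being a relay domain is enough and the inner target is never checked."""
    addr = rcpt.strip().lower()
    while True:
        domain = addr.rpartition("@")[2]
        if domain not in relay_domains:
            return False, addr          # not a domain we relay for: reject
        peeled = peel_percent_hack(addr)
        if peeled is None:
            return True, addr           # plain recipient in a relay domain
        if loose_relay_check:
            return True, peeled         # outer domain trusted, inner never checked
        addr = peeled                   # strip @outer and re-check user@site


if __name__ == "__main__":
    # Constructed sample: example.com is the only domain we relay for.
    for loose in (False, True):
        print(loose, relay_decision("alice%victim.net@example.com",
                                    {"example.com"}, loose_relay_check=loose))
```

The loop also handles chained hacks such as `user%a%b@c`, which is how an attacker would try to hop through two trusted domains before reaching the outside target.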

  • Routing outgoing packets over multiple interfaces?

    I have two network interfaces (eth0 and eth1) with separate IP addresses on the same subnet.  All outgoing traffic uses eth0 regardless of the interface the incoming traffic came in on.
    I assume the outgoing packets still have the correct source IP address (not always eth0's), and I'd like the packets to go out on the interface with the corresponding IP address.
    I think I have half the solution to my problem:
    http://www.novell.com/support/viewConte … Id=7000318
    The other half is that my IPs are dynamic, so ddclient could change my IPs and then the routing would be invalid.
    Last edited by MindlessXD (2009-02-10 07:06:16)

    Set up custom route tables to be used depending on the iptables conntrack marks below
    ip route flush table 1
    ip rule del fwmark 101 table 1
    ip route add table 1 default via <ETH0 IP ADDRESS>
    ip rule add fwmark 101 table 1
    ip route flush table 2
    ip rule del fwmark 102 table 2
    ip route add table 2 default via <ETH1 IP ADDRESS>
    ip rule add fwmark 102 table 2
    I'm not 100% sure if you can add a route via the interfaces IP address. This code has been modified from a box using 2 different ISP's so they have different upstream routers. You might need to replace the 'via' parts with 'src'
    # Ensure traffic in one interface goes back out the same interface
    iptables -t mangle -F PREROUTING
    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW -j MARK --set-mark 101
    iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 102

  • Magic Packet - How to get my router to send one

    I have the Quantum Gateway 1100 router.  I have a NAS Server on my home network.  The NAS server has the capability to Wake on LAN if the router can send that packet.  Can anyone tell me how to get the router to send the Wake-on-Lan packet to the server.  FIOS Tech Support is completely and totally useless.

    Hi,
    You can do a fresh installation using the installer bits available at the following link/location Download CS5.5 products
    For suites, you need to download and copy both .7z and .exe in the same folder. Clicking .exe will extract all relevant installer files. You can then install the suite. Use your existing Serial number when prompted.
    regards
    Aj

  • How to obtain source code of weka and enable to modify it

    hello,
    How do I obtain the source code of Weka so that I can modify it? I want to extract the code of some process that I make.

    Hi ENG,
    Since the issue regards Weka, it is out of the support boundaries of our forum. I suggest you post the question in the following forum: http://forums.pentaho.com/forumdisplay.php?81-Pentaho-Data-Mining-WEKA.
    It is appropriate and more experts will assist you.
    Regards,
    Katherine Xiong
    TechNet Community Support

  • Update to kichat: FAQ 2 - How to get my router to work with iChat?

    kichat: FAQ 2 - How to get my router to work with iChat? December 2008 version 3
    (Note to Hosts. to be removed on acceptance. Please use this to replace http://discussions.apple.com/thread.jspa?threadID=121775 )
    Getting your router started with iChat.
    Appropriate for using iChatAV 2 upwards. Edits have been made for iChat 4
    Glossary for this FAQ
    Routers: Any configurable device that sits between your computer and the internet link you have. This includes Modems that Route as well as "routers"
    Routers seem to fall into two categories
    Those that work straight from the box. See Apple Article HT1787
    NOTE :This Article has not been updated in content since Jan 04 Only being changed to an Article from the Previous Doc listing
    Even then some list that they need tweaks.
    and those that do not.
    This post will deal with what you may need to look at.
    First off make sure your device is acting as a DHCP server. (if you are already on the internet you may not have to bother with this.)
    Check in the Tiger System Preferences > Network Preference Pane, in the "Built in Ethernet" option from the "Show" drop down list.
    In Leopard the Networks are listed on the left with icons. The Airport Option will need you to access the Advance Button for the Next bit.
    Make sure the TCP/IP tab is the 'front' one. You should be able to see Configure IPv4 and it most likely reads Using DHCP. Make a note of your IP address. It will start 10.xxx.xxx.xxx or 192.168.xxx.xxx (the 'x's will stand for any number between 1 and 255). The range 172.16.xxx.xxx is also a possible value at this point. Rarely used, but it is part of the RFC for Address Allocation for Private Internets.
    Your router is most likely to be configurable from your browser. You will need to find the IP address to type into the browser from any Readme or PDF files that came on the install disk or visit the makers website and download a manual.
    The Port Forward.com site lists many devices and clicking on one will take you to a list of Applications. Choosing iChat will open a page that will start by telling you the defaults to access the device
    Opening or Allowing ports. Several Methods not all devices have all of them.
    DMZ (Demilitarised Zone)
    This is a less secure setting that basically opens all ports and points the incoming data to your computer. (not helpful if you have more than one computer on your LAN). It can be considered as an extreme form of Port Forwarding
    Port Forwarding (also Virtual Server or Pin Holes)
    These settings are usually found in an Advanced setting.
    You may need to set an incoming IP address (Usually 0.0.0.0 to any outside server), a port that data will arrive on, the Inside computer's IP address (your computer) and the port it will deal with the data on and the protocol it will use.
    See this pic for an example of the description above.
    This example shows that on some devices both the port AND the protocol need to be listed.
    iChat uses TCP and UDP so some devices will need the ports listed one by one and some settings done twice, once for each protocol. The example above has a "Both" setting
    See Apple Article HT1507 Previously Doc 93208 for more information. This is the Tiger iChat 3 list. The same ports are needed for Leopard except for these changes
    My Note 2:
    On the first link Note 1 under tables in that link would be better if it read:
    " 1. All iChat AV traffic is UDP -
    except for ports 5190 and 5298, which need to be open for both TCP as well;
    and 5220, 5222, which need to be open for TCP only. "
    Note 2
    GoogleTalk needs port 5223 on TCP. Also note the Server name for iChat 3 set ups
    UPnP Universal Plug n Play.
    This is a simple Plug and Play type of setting. iChat can find its own way through a router if the device has this capability.
    By Not doing Port Forwarding, Triggering or DMZ and enabling UPnP the application is allowed to control the modem and the ports that are open.
    They close after the application has finished with them on a timed basis.
    On some devices the number of "hops" (how far away the UPnP can be "seen") can be reduced from a default of 4)
    Trigger Ports
    Some devices offer a security measure that works by a first or trigger port receiving a data packet and then opening further ports when accepted.
    The first port for incoming Video or Audio invites is port 5678.
    Pre iChat 4
    When you click on the invite window the process moves in to port 5060 (so these will need to be opened by the trigger port) for negotiating the final group of ports from the group of 20 (16384-16403 These will need to open when the trigger says so as well). Therefore port 5678 triggers ports 5678, 5060, 16384-16403. All on UDP. Port 5190 needs to trigger port 5190 for both TCP and UDP.
    See this variation where only the ports listed above are completed.
    The other single ports need to be set one by one in addition. (5220, 5222, 5223, 5297, 5298, 5353)
    iChat 4
    The port used in iChat 4 is port 16402 instead of port 5060. The group of 20 ports is reduced to 10 (16393-16402). This is because all the In and Out Audio and Video data is on one port. Other than that the settings are the same.
    At this time there is no Info on the ports the Screen Sharing in iChat 4 uses.
    Wireless
    Here you will have to read around but this Apple Article TA25949 Previously Doc 58514 might be a good starting place.
    Essentially whether you are wireless or Ethernet to your routing device makes very little difference to the way you do things.
    Your computer will get two IPs from a DHCP server if you are connected by both methods. (iChat does not like this)
    Multiple devices
    Make sure only one is acting as a DHCP server. Make sure wireless devices are bridged properly.
    Further Help
    I have found that this site (ADSLGuide) to be helpful.
    It is British based but I have linked you to the Apple Related Discussions Forum.
    Eliminating Problems on my Personal web pages.
    The ports and their function within iChat. (my personal Web pages again)
    This is not a step by step approach. You will have to read around the information about your device.
    Collected FAQs and Expansions: Index Page Based on FAQs here by EZ Jim and myself
    Also http://www.portforward.com/routers.htm for instructions with Pics on Port Forwarding and access info as mentioned earlier.
    Click on your device.
    Select iChat on the next page.
    Follow the info on the next.
    This site is good for finding out the Default IP to use in a web browser and the default User ID and Passwords needed to do so.
    Gives you a chance to look at pics to give clues to where some of these other things are.
    With thanks to Macmuse for comment on the Original (Aug 23rd 2004)
    and to EZ Jim for his work on iSights on my web pages.
    I may receive some form of compensation, financial or otherwise, from my recommendation or link.
    9:51 PM Saturday; December 6, 2008

  • ISR router cannot receive packets addressed to itself?

    Hello, Support Team and All Members,
    I have a C881G router connected to 2 different ISP networks with a failover function configured and running properly. The following is a simple network diagram:
    The main WAN traffic goes through the ISP 1 LTE network and the router provided by that ISP. The DMZ Host on that router points to our C881G router Fa4 WAN interface (192.168.1.10), so the ISP 1 NAT Router is practically transparent to our traffic. Our C881G tracks the DNS server within the ISP 1 network (194.dns.isp.1) and in case of its inaccessibility the traffic is switched to the backup link, served by the on-board HSPA+ modem (interface Dialer0 of our C881G), connected to the ISP 2 HSPA network. It works fine, but the problem is with the PPTP connections from outside to the C881G router. The PPTP calls always work from the PPTP Client 2 PC (directly connected to the Fa4 subnet), but from the PPTP Client 1 PC it works only in the failover mode, when all traffic goes through ISP 2. The incoming path via ISP 1 does not work. The problem is rather not connected to the PPTP VPN, GRE, authentication or encryption, because just the first TCP 1723 SYN packets are dropped at Fa4 much earlier by the C881G router. The debug ip packet detail shows the following routing decision:
    IP: s=194.xxx.yyy.80 (FastEthernet4), d=192.168.1.10, len 40, input feature
        TCP src=4241, dst=1723, seq=791503628, ack=4111924253, win=0 ACK RST, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    FIBipv4-packet-proc: route packet from FastEthernet4 src 194.xxx.yyy.80 dst 192.168.1.10
    FIBfwd-proc: Default:192.168.1.10/32 receive entry
    FIBipv4-packet-proc: packet routing failed
    All other packets addressed from outside networks to the router itself and received via the Fa4 are also dropped in this way. All packets sent to Fa4 from the local subnet 192.168.1.0 are accepted. The routing table shows only standard connected interfaces and 1 static route to the 194.dns.isp.1 via 192.168.1.1, which is also the tracked gateway of last resort.
    Router runs the CEF.
    I cannot locate in the following configuration file any statement preventing the packets addressed to the router itself:
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname C881_xyz
    boot-start-marker
    boot-end-marker
    logging buffered 8192
    no logging console
    no logging monitor
    no aaa new-model
    clock timezone PCTime 1 0
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto ...
    ... <removed for sanity>
    crypto pki ...
    ip dhcp excluded-address 192.168.70.1 192.168.70.99
    ip dhcp excluded-address 192.168.70.180 192.168.70.254
    ip dhcp excluded-address 192.168.71.1 192.168.71.99
    ip dhcp excluded-address 192.168.71.180 192.168.71.254
    ip dhcp pool ccp-pool
     import all
     network 192.168.70.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.70.1
     lease 0 12
    ip dhcp pool NVR
     import all
     network 192.168.71.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.71.1
     lease 0 12
    ip domain name mydomain.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect WAAS flush-timeout 10
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
    license udi pid C881G+7-K9 sn ***********
    username admin privilege 15 secret 5 ******************************
    controller Cellular 0
    track 1 ip sla 1 reachability
     delay down 1 up 30
    interface FastEthernet0
     description All VLANs Trunk
     switchport mode trunk
     no ip address
    interface FastEthernet1
     description VLAN 1 - LAN Main
     no ip address
    interface FastEthernet2
     description VLAN 20 - LAN NVR
     switchport access vlan 20
     no ip address
    interface FastEthernet3
     description Traffic Monitoring only
     no ip address
    interface FastEthernet4
     description WAN SP1$ETH-WAN$
     ip address 192.168.1.10 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Virtual-Template1
     ip unnumbered FastEthernet4
     peer default ip address pool vpn_pptp_pool
     no keepalive
     ppp encrypt mppe auto
     ppp authentication ms-chap-v2
    interface Cellular0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer in-band
     dialer pool-member 1
     dialer-group 1
     async mode interactive
    interface Vlan1
     description LAN Main
     ip address 192.168.70.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Vlan20
     description LAN NVR
     ip address 192.168.71.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer pool 1
     dialer idle-timeout 0
     dialer string gsm
     dialer persistent
     dialer-group 1
    ip local policy route-map track-primary-if
    ip local pool vpn_pptp_pool 192.168.70.180 192.168.70.199
    ip forward-protocol nd
    no ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
     top 32
     sort-by bytes
     cache-timeout 600000
    ip nat inside source route-map ISP_1 interface FastEthernet4 overload
    ip nat inside source route-map ISP_2 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer0 253
    ip route 194.dns.isp.1 255.255.255.255 192.168.1.1
    ip sla auto discovery
    ip sla 1
     icmp-echo 194.dns.isp.1 source-interface FastEthernet4
     frequency 10
    ip sla schedule 1 life forever start-time now
    logging trap debugging
    dialer-list 1 protocol ip permit
    route-map track-primary-if permit 1
     match ip address 100
     set interface FastEthernet4
    route-map Static_ISP_2 permit 10
     match interface Dialer0
    route-map Static_ISP_1 permit 10
     match interface FastEthernet4
    route-map ISP_2 permit 10
     match ip address 1
     match interface Dialer0
    route-map ISP_1 permit 10
     match ip address 1
     match interface FastEthernet4
    access-list 1 remark List for outside NATs
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.70.0 0.0.0.255
    access-list 1 permit 192.168.71.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=0
    access-list 100 permit icmp any host 194.dns.isp.1
    access-list 105 remark List for debugging local ICMP tests
    access-list 105 remark CCP_ACL Category=16
    access-list 105 permit icmp any any
    control-plane
    line con 0
     no modem enable
    line aux 0
    line 3
     script dialer gsm
     modem InOut
     no exec
     transport input all
     rxspeed 21600000
     txspeed 5760000
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    ntp update-calendar
    ntp server 195.time.srv.1
    end
    Do you have an idea what the reason for that behaviour can be?
    I really appreciate your suggestions,
    Maciex

    Hello Maciex,
    I am afraid that the debug ip packet detail has led you to a wrong conclusion. Whatever "forus FALSE" means, it does not indicate that the router refuses to consider the packet as addressed to itself. I've just concocted a very quick test: two routers connected back to back, one is 10.0.1.1/24, the other is 10.0.1.2/24. I am pinging 10.0.1.2 from 10.0.1.1 and this is what 10.0.1.2 shows me:
    *Aug 4 23:09:38.067: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, input feature
    *Aug 4 23:09:38.071: ICMP type=8, code=0, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Aug 4 23:09:38.079: FIBipv4-packet-proc: route packet from Ethernet2/1 src 10.0.1.1 dst 10.0.1.2
    *Aug 4 23:09:38.083: FIBfwd-proc: Default:10.0.1.2/32 receive entry
    *Aug 4 23:09:38.083: FIBipv4-packet-proc: packet routing failed
    *Aug 4 23:09:38.087: IP: tableid=0, s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), routed via RIB
    *Aug 4 23:09:38.091: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), len 100, rcvd 3
    *Aug 4 23:09:38.095: ICMP type=8, code=0
    *Aug 4 23:09:38.099: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, stop process pak for forus packet
    *Aug 4 23:09:38.103: ICMP type=8, code=0
    *Aug 4 23:09:38.107: FIBipv4-packet-proc: route packet from (local) src 10.0.1.2 dst 10.0.1.1
    *Aug 4 23:09:38.111: FIBfwd-proc: packet routed by adj to Ethernet2/1 10.0.1.1
    *Aug 4 23:09:38.111: FIBipv4-packet-proc: packet routing succeeded
    *Aug 4 23:09:38.115: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending
    *Aug 4 23:09:38.119: ICMP type=0, code=0
    *Aug 4 23:09:38.127: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending full packet
    *Aug 4 23:09:38.131: ICMP type=0, code=0
    Note that even here, the router said the same as yours - and yet it did respond successfully to the ping request.
    There is, I am afraid, a more mundane problem. PPTP is generally incompatible with PAT. PPTP uses two data streams: one is the control channel running over TCP port 1723, the other is the actual tunneled traffic - however, that traffic is essentially GRE-encapsulated, put directly into IP packets with no port information (there is no TCP/UDP involved). Without special support on the ISP 1 NAT box, PPTP sessions will not be able to pass through it. You will have to negotiate this with your ISP 1 - ask them to configure their NAT box with PPTP Application Layer Gateway support and allow IP protocol 47 (GRE).
    This would explain why the PPTP Client 2 can always connect to your router - it is because there is no NAT/PAT/FW between the client and the router. It would also explain why Client 1 is able to connect over ISP 2 - because on that path, there is no NAT/PAT/FW box apparently present and there is a direct connectivity to the public IP address of your router.
    Try talking to your ISP 1 about this.
    Best regards,
    Peter
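    To make Peter's point concrete, here is a small Python model of a PAT box, added as an illustration and not part of the thread. It builds the packets inline (an IPv4 header, a TCP/1723 control message carrying only the Call ID fields, and the enhanced GRE data packet from RFC 2637) and runs one PPTP call setup through the box twice: once as plain PAT, which can key TCP on its ports but has no field to key GRE on, and once with a PPTP ALG that learns the Call IDs from Outgoing-Call-Request/Reply and maps GRE on them per direction. The outside address 203.0.113.10, the inside host 192.168.0.50, the server 198.51.100.7 and the Call IDs are all made up for the demo, and the ALG is a minimal sketch (no Call ID rewriting on collisions).

```python
"""PAT versus PPTP: GRE carries no ports, so only a PPTP ALG can map it.
Added example, not from the thread; packets and addresses are constructed."""
import ipaddress
import struct

PROTO_TCP, PROTO_GRE, PPTP_PORT = 6, 47, 1723
PUBLIC_IP = "203.0.113.10"   # assumed outside address of the PAT box
OCRQ, OCRP = 7, 8            # Outgoing-Call-Request / -Reply types (RFC 2637)

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: IHL 5, no options, checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def tcp(sport, dport, data=b""):
    """20-byte TCP header stub (a PAT box only reads the ports) plus data."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16 + data

def pptp_ctrl(msg_type, call_id, peer_call_id=0):
    """PPTP control message: 12-byte header, then Call ID (offset 12) and, in
    the reply, Peer's Call ID (offset 14); the remaining fields are omitted."""
    return struct.pack("!HHIHHHH", 16, 1, 0x1A2B3C4D, msg_type, 0,
                       call_id, peer_call_id)

def pptp_gre(call_id, ppp=b"\xff\x03\xc0\x21"):
    """Enhanced GRE: flags 0x2001 (K bit, version 1), protocol 0x880B (PPP),
    payload length, the receiver's Call ID, then the PPP frame. No ports."""
    return struct.pack("!HHHH", 0x2001, 0x880B, len(ppp), call_id) + ppp

def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    body = pkt[ihl:]
    if info["proto"] == PROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["data"] = body[20:]
    elif info["proto"] == PROTO_GRE:
        flags, gre_proto, _, cid = struct.unpack("!HHHH", body[:8])
        if gre_proto == 0x880B and flags & 0x2000:   # PPTP data channel
            info["call_id"] = cid
    return info

class PatBox:
    """Plain PAT keys flows on TCP ports and has no key for GRE. With
    pptp_alg=True it reads Call IDs off the TCP/1723 control channel and
    keys the GRE data channel on them, per direction."""
    def __init__(self, pptp_alg=False):
        self.pptp_alg = pptp_alg
        self.tcp_map = {}   # outside port -> inside IP (port kept unchanged)
        self.gre_map = {}   # ("in"|"out", call_id) -> inside IP

    def _alg(self, info, inside):
        data = info.get("data", b"")
        if self.pptp_alg and len(data) >= 16:
            msg_type, _, cid, _ = struct.unpack("!HHHH", data[8:16])
            if msg_type == OCRQ:    # client's own Call ID: server puts it in GRE
                self.gre_map[("in", cid)] = inside
            elif msg_type == OCRP:  # server's Call ID: client puts it in GRE
                self.gre_map[("out", cid)] = inside

    def outbound(self, pkt):
        """Return translated (src, dst), or None when the box has no key."""
        info = parse(pkt)
        if info["proto"] == PROTO_TCP:
            self.tcp_map[info["sport"]] = info["src"]
            self._alg(info, info["src"])
            return PUBLIC_IP, info["dst"]
        if self.gre_map.get(("out", info.get("call_id"))) == info["src"]:
            return PUBLIC_IP, info["dst"]
        return None

    def inbound(self, pkt):
        info = parse(pkt)
        if info["proto"] == PROTO_TCP:
            inside = self.tcp_map.get(info["dport"])
        else:
            inside = self.gre_map.get(("in", info.get("call_id")))
        if inside is None:
            return None
        if info["proto"] == PROTO_TCP:
            self._alg(info, inside)
        return info["src"], inside

def pptp_session(pptp_alg):
    """One PPTP call setup through the box; True means the packet passed."""
    box = PatBox(pptp_alg)
    client, server = "192.168.0.50", "198.51.100.7"   # constructed hosts
    steps = {
        "ocrq": box.outbound(ipv4(client, server, PROTO_TCP,
                                  tcp(40000, PPTP_PORT, pptp_ctrl(OCRQ, 5)))),
        "ocrp": box.inbound(ipv4(server, PUBLIC_IP, PROTO_TCP,
                                 tcp(PPTP_PORT, 40000, pptp_ctrl(OCRP, 9, 5)))),
        "gre_out": box.outbound(ipv4(client, server, PROTO_GRE, pptp_gre(9))),
        "gre_in": box.inbound(ipv4(server, PUBLIC_IP, PROTO_GRE, pptp_gre(5)))}
    return {k: v is not None for k, v in steps.items()}

if __name__ == "__main__":
    print("plain PAT:      ", pptp_session(False))
    print("PAT + PPTP ALG: ", pptp_session(True))
```

    Running it shows the control channel passing in both modes while gre_out and gre_in pass only with the ALG, which is the symptom in the thread: the TCP 1723 session comes up and the tunnel then never establishes. The ALG only helps if the GRE packets reach the box at all, so the ISP's filter also has to allow IP protocol 47, as Peter says.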

  • Problem with Cisco 861W router and outgoing VPN

    We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connecting to the 861W's internal Access Point.
    Here is the Access Point Configuration:
    Current configuration : 2100 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname obap
    enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
    no aaa new-model
    dot11 syslog
    dot11 ssid OLIVER
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 0 XXXXXXXXXXX
    username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm tkip
    ssid OLIVER
    antenna gain 0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.0.2 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    banner login ^CC
    % Password change notice.
    Default username/password setup on AP is cisco/cisco with privilege level 15.
    It is strongly suggested that you create a new username with privilege level
    15 using the following command for console security.
    username <myuser> privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want to
    use. After you change your username/password you can turn off this message
    by configuring  "no banner login" and "no banner exec" in privileged mode.
    ^C
    line con 0
    privilege level 15
    login local
    no activation-character
    line vty 0 4
    login local
    cns dhcp
    end
    obap#
    Here is the Router's Configuration:
    Current configuration : 5908 bytes
    ! No configuration change since last restart
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname obrouter
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    logging console critical
    enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
    no aaa new-model
    memory-size iomem 10
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-1856757619
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1856757619
    revocation-check none
    rsakeypair TP-self-signed-1856757619
    crypto pki certificate chain TP-self-signed-1856757619
    certificate self-signed 01
      3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
      34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
      35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
      7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
      071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
      B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
      F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
      551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
      0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
      1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
      06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
      DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
      F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
      B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
      505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
            quit
    no ip source-route
    ip dhcp excluded-address 192.168.0.1 192.168.0.99
    ip dhcp pool ccp-pool1
       import all
       network 192.168.0.0 255.255.255.0
       dns-server 216.49.160.10 216.49.160.66
       default-router 192.168.0.1
    ip cef
    no ip bootp server
    ip domain name brushhog.com
    ip name-server 216.49.160.10
    ip name-server 216.49.160.66
    license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
    username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname XXXXXXXXXXXXX
    ppp chap password 7 XXXXXXXXXXXXXXXX
    ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
    no cdp enable
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    Any help would be appreciated

    Hello,
    I have the same problem with router CISCO861W-GN-E-K9, version 12.4(22r)YB5, RELEASE SOFTWARE (fc1).
    Can someone help?
    Thank you.
    Here is my config for internal AP and router.

  • How to configure static route on RHEL 3 A/S

    I have a (very) large amount of data to move through a Gigabit connection
    shortly. I want to use a newly-configured gigabit PCI-X card in a Dell
    server to accomplish this. The other interfaces are 100 Mbps.
    If I want to add a route (static route) to force outgoing packets that
    are destined for a particular host to use that interface (eth3 on this host)
    then how do I do that? System is RedHat Enterprise Linux 3AS.
    I suspect this involved the "add route default" command or whatever
    the syntax is -- I did it for Solaris years ago but don't remember
    exactly.
    $ Linux host1.localdomain 2.4.21-57.ELhugemem #1 SMP Fri Jun 13 00:09:04 EDT 2008 i686 i686 i386 GNU/Linux
    $ ifconfig eth3
    eth3 Link encap:Ethernet HWaddr 00:0A:5E:7A:E7:33
    inet addr:10.156.30.176 Bcast:10.156.30.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:619971 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:44019924 (41.9 Mb) TX bytes:256 (256.0 b)
    Interrupt:24
    Thanks in advance.

    I agree. Using the /bin/route command is not recommended for newbies, or even oldies. There is more infrastructure behind the scenes than just the routing table and using the "redhat-config-network" or "system-config-network" tool does the right thing, so you don't have to.
    I mentioned it only for completeness.
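    Added as an illustration (not part of the thread): a Python script that parses the /proc/net/route format, does the most-specific-match lookup the kernel does, and shows what adding a /32 host route on eth3 changes. The table, the default gateway 10.1.0.1 on eth0, the target host 10.156.40.20 and the next hop 10.156.30.1 are all made up; only eth3's subnet 10.156.30.0/24 comes from the ifconfig output above. The one-shot equivalent on the live host is `route add -host 10.156.40.20 gw 10.156.30.1 dev eth3` (or `ip route add 10.156.40.20/32 via 10.156.30.1 dev eth3`), which does not survive a reboot unless it is also put into the interface configuration the tools above maintain.

```python
"""Longest-prefix route lookup over a /proc/net/route table.
Added example, not from the thread; the table and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed table for a little-endian (x86) host like the poster's: two
# connected subnets and a default route out of eth0.
SAMPLE_PROC_NET_ROUTE = """\
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth0    0000010A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth3    001E9C0A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth0    00000000        0100010A        0003    0       0       0       00000000        0       0       0
"""

@dataclass
class Route:
    iface: str
    dest: int       # network address as a 32-bit int
    gateway: int    # 0 means directly connected
    mask: int
    metric: int

    @property
    def prefix_len(self):
        return bin(self.mask).count("1")

def proc_hex_to_int(field):
    """/proc/net/route prints each address as a host-order 32-bit hex value,
    so on a little-endian host the bytes read reversed (0100A8C0 = 192.168.0.1).
    Drop the [::-1] on a big-endian host."""
    return int.from_bytes(bytes.fromhex(field)[::-1], "big")

def parse_proc_net_route(text):
    routes = []
    for line in text.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) >= 8:
            routes.append(Route(f[0], proc_hex_to_int(f[1]), proc_hex_to_int(f[2]),
                                proc_hex_to_int(f[7]), int(f[6])))
    return routes

def lookup(routes, dst):
    """Kernel-style selection: most specific prefix wins, lower metric on ties.
    Returns (interface, gateway or None when directly connected)."""
    d = int(ipaddress.IPv4Address(dst))
    best = None
    for r in routes:
        if d & r.mask == r.dest and (
                best is None or (r.prefix_len, -r.metric) > (best.prefix_len, -best.metric)):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    gw = str(ipaddress.IPv4Address(best.gateway)) if best.gateway else None
    return best.iface, gw

def add_host_route(routes, host, iface, gateway=None):
    """The entry `route add -host HOST [gw GATEWAY] dev IFACE` creates: a /32."""
    gw = int(ipaddress.IPv4Address(gateway)) if gateway else 0
    routes.append(Route(iface, int(ipaddress.IPv4Address(host)), gw, 0xFFFFFFFF, 0))
    return routes

def demo(target="10.156.40.20", gateway="10.156.30.1"):
    """Before the host route the target leaves via the eth0 default; after
    it, the /32 on eth3 wins even though the default route is still there."""
    routes = parse_proc_net_route(SAMPLE_PROC_NET_ROUTE)
    before = lookup(routes, target)
    add_host_route(routes, target, "eth3", gateway)
    after = lookup(routes, target)
    return before, after

if __name__ == "__main__":
    print(demo())
```

    The point the lookup makes is that the kernel never compares a host route against the default route by metric: a /32 beats a /0 outright, so the new interface can be forced for one destination without touching the default route that everything else uses.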

  • Source Routing - Connection Manager

    Hi,
    I need some help understanding the following source routing function of Connection Manager. The book says:
    "Source routing is used with Connection Manager. CM serves as a proxy server for Oracle Net traffic, enabling Oracle Net traffic to be routed securely through a firewall. Oracle Net treats the addresses as a list of relays, connecting to the first address and then requesting to be passed from the first to the second until the destination is reached. It differs from failover and load balancing in that all addresses are used each time a connection is made".
    I do understand it is possible to configure CM in such a way that it can act as a firewall, accepting and rejecting connections based on certain criteria. What I do not understand is the second part where the addresses are treated as a list of relays. Why would something like this be necessary and how could that be configured in CM.
    Any help would be greatly appreciated....
    Thanks in advance.

    Hi,
    Oracle Connection Manager enables greater resource utilization for increased scalability,
    multiprotocol connectivity and secure network access control.
    Example tnsnames.ora:
         CMExample.world =
           (DESCRIPTION=
             (ADDRESS_LIST=
               (ADDRESS=(PROTOCOL=tcp)(HOST=CM_SERVER)(PORT=1610))
               (ADDRESS=(PROTOCOL=tcp)(HOST=LSNR_SERVER)(PORT=1521)))
             (CONNECT_DATA=(SID=ORCL))
             (SOURCE_ROUTE=yes))
    Example cman.ora:
         cman = (ADDRESS_LIST=
           (ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1610))
           (ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1620)))
         cman_profile = (parameter_list=
           (MAXIMUM_RELAYS=1024)
           (LOG_LEVEL=1)
           (TRACING=no)
           (RELAY_STATISTICS=yes)
           (SHOW_TNS_INFO=yes)
           (USE_ASYNC_CALL=yes)
           (AUTHENTICATION_LEVEL=1))
    Configuring CM for Network Access Control (firewall support):
    Example:
         cman = (ADDRESS_LIST=
           (ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1610))
           (ADDRESS=(PROTOCOL=tcp)(HOST=h)(PORT=1620)))
         cman_rules = (rule_list=
           (rule=(src=spcstn)(dst=x)(srv=x)(act=accept)))
    For more information see Note 126079.1.
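    As an added illustration (not from the reply), here is a small Python parser for the parenthesised name-value format that tnsnames.ora and cman.ora share, with two consumers: connection_plan() shows what the "list of relays" means in practice, and cman_decision() evaluates a rule_list. The descriptors are the reply's examples with their closing parentheses restored and the placeholder hosts kept; the rule semantics coded here (first matching rule wins, x is a wildcard, a connection matching no rule is rejected) are a simplified reading and should be checked against the CMAN documentation for the release in use.

```python
"""Parse a tnsnames.ora / cman.ora descriptor and derive the connection path.
Added example, not from the reply; the descriptors are the reply's examples
with the missing parentheses restored, the hosts are its placeholders."""

TNS_CM_EXAMPLE = """
CMExample.world =
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=CM_SERVER)(PORT=1610))
      (ADDRESS=(PROTOCOL=tcp)(HOST=LSNR_SERVER)(PORT=1521)))
    (CONNECT_DATA=(SID=ORCL))
    (SOURCE_ROUTE=yes))
"""

CMAN_RULES = """
cman_rules = (rule_list=
  (rule=(src=spcstn)(dst=x)(srv=x)(act=accept)))
"""

def parse_nv(text):
    """Recursive descent over Oracle's parenthesised name-value format:
    'alias = (KEY=...)' -> (alias, node); a node is (KEY, value) where value
    is a string or a list of child nodes."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def group():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                  # nested groups until ')'
            value = []
            while True:
                skip_ws()
                if text[pos] == ")":
                    break
                value.append(group())
        else:                                 # scalar up to ')'
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        pos += 1                              # consume ')'
        return key, value

    alias_end = text.index("=")
    alias = text[:alias_end].strip()
    pos = alias_end + 1
    return alias, group()

def find(node, key):
    """Yield the value of every node named key, depth first."""
    k, v = node
    if k == key:
        yield v
    if isinstance(v, list):
        for child in v:
            yield from find(child, key)

def connection_plan(tns_text):
    """Hops Oracle Net would use. SOURCE_ROUTE=yes: every address is used,
    in order, each asked to relay to the next. Otherwise the addresses are
    alternatives tried in order (failover, which is on by default)."""
    _, desc = parse_nv(tns_text)
    addrs = [(dict(a)["HOST"], int(dict(a)["PORT"])) for a in find(desc, "ADDRESS")]
    if next(find(desc, "SOURCE_ROUTE"), "no").lower() in ("yes", "on", "true"):
        return [("connect", addrs[0])] + [("relay_to", a) for a in addrs[1:]]
    return [("try", a) for a in addrs]

def cman_decision(rules_text, src, dst, srv):
    """First matching rule decides, 'x' matches anything, and a connection
    that matches no rule is rejected (simplified reading of cman_rules)."""
    _, tree = parse_nv(rules_text)
    for rule in find(tree, "RULE"):
        r = dict(rule)
        fields = (("SRC", src), ("DST", dst), ("SRV", srv))
        if all(r.get(f, "x") in ("x", want) for f, want in fields):
            return r.get("ACT", "reject")
    return "reject"

if __name__ == "__main__":
    for hop in connection_plan(TNS_CM_EXAMPLE):
        print(*hop)
    print(cman_decision(CMAN_RULES, "spcstn", "LSNR_SERVER", "ORCL"))
```

    For CMExample.world the plan is connect CM_SERVER:1610, then relay_to LSNR_SERVER:1521: the client opens one TCP session to the Connection Manager and the Connection Manager opens the second leg to the listener, so only CM's address has to be reachable through the firewall and the rule_list is what decides which client may be relayed where. Take SOURCE_ROUTE out and the same two addresses are read as alternatives, and the client would try LSNR_SERVER directly if CM_SERVER refused.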
