How to prevent non VPN traffic?

Similar Messages

• How to prevent packet forwarding over non-MPLS connection.

  I'm wondering if it is possible to configure Cisco ESR to not forward packet over non-MPLS connection(VPI/VCI=0/32) when an LSP for its destination has not been established, while allowing control packets(BGP, LDP, OSPF) to be sent over non-MPLS connection. The reason why I ask about is as follows.
  Referring to the following network configuration,
  R1 --- Cisco_ESR --- ATM_LSR --- LER --- R2
  <--> non-MPLS connection
  ----------------------->
  LSPs
  ----------------------->
  In the ordinary operation, when a packet arrives at Cisco_LER from R1, it gets forwarded over an LSP if available, while getting forwarded over non-MPLS connection(VPI/VCI=0/32) if the corresponding LSP is not available. In the configuration mentioned above,ATM_LSR does software-based packet processing for incoming packet through non-MPLS channel, while doing cell-switching for LSP traffic. Thus if ESR sends packet over non-MPLS connection, e.g, STM-1c, the ATM_LSR could get crashed or time-critical control traffic could be delayed or lost, thereby resulting in BGP/LDP session failure between ESR and ATM_LSR or LER.
  In summary, my question is how to prevent Cisco_ESR from forwarding packets over non-MPLS connection when LSPs for their destinations are not available due to LSP failures.
  Thanks.
  Yongjun.

  It already is, except for Aliens, they have access to everything on your phone(they always have had this access) .

• How do I get rid of and prevent non-content mails dated 1970-01-01?

  How do I get rid of and prevent non-content mails dated 1970-01-01? They come by the hundreds!!

  CSS:
  #navigation {margin-top: -3px;}
  Nancy O.
  Alt-Web Design & Publishing
  Web | Graphics | Print | Media  Specialists 
  http://alt-web.com/
  http://twitter.com/altweb

• ASA5520 v7.2 - How disable VPN traffic?

  Hi to all,
  I have an ASA5520 with v7.2. I have read in the command reference that, by default, the security appliance allows VPN traffic to terminate on a security appliance interface. And here is my question:
  How can I disable that to filter the VPN traffic with my own access-list?
  Regards, Fernando.

  Hi Shadi,
  Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:
  "You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."
  So that if I disabled "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.
  Regards, Fernando.

• How to prevent error message for material description in MDG material detail screen, when user click on check action

  Dear Experts,
  I have a requirement for making material description as non mandetory in change request view of mdg material screen.
  I have done that using field usage in get data method of feeder classes, but still message is displaying.
  This message 'Material description is mandatory is displaying with check action only, but not with save or submit after i anhance field property as not mandetory.
  How to prevent error message for material description in MDG material detail screen, when user click on check action.
  Thanks
  Sukumar

  Hello Sukumar
  In IMG activity "Configure Properties of Change Request Step", you can completely deactivate the reuse area checks (but will then loose all other checks of the backend business logic as well).
  You can also set the error severity of the checks from Error to Warning (per CR type, not per check).
  Or you provide a default value for the material description, e.g. by implementing the BAdI USMD_RULE_SERVICE.
  Regards, Ingo Bruß

• How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change)

  Can anyone tell How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change) ?
  We are facing frequent problem with this error. Please suggest how to stop this.... 
  Note :- We are using BGP VPN between this peers.
  Logs :
  Date/Time     : 2015-04-30 00:49:40+05:30
   State         : Up
   Date/Time     : 2015-04-30 00:39:05+05:30
   State         : Down
   Error Code    : 6(CEASE)
   Error Subcode : 6(Other Configuration Change)
   Notification  : Send Notification
   Date/Time     : 2015-04-29 18:22:11+05:30
   State         : Up
   Date/Time     : 2015-04-29 18:21:39+05:30
   State         : Down
   Error Code    : 6(CEASE)
   Error Subcode : 6(Other Configuration Change)
   Notification  : Send Notification

  on the same dates you mean the same request are posted in IT2001? ie both full days?
  Please clarify
  usually the Time collision checks are followed only via posting using report rptarqpost and not while applying through portal in ESS
  This is very strange you indicate
  SO you need to check the basic tables first
  You may need to check the collision.
  Collisions Tables V_T554Y and V_554Y_B reaction indicators.
  and V_T508A
  able T582A set to time constraint of "Z
  In backend Pa30 collision works like this
  1) the logical collision, checks if there is an overlap in the validity
  interval of the IT´s (begda, endda).
  2) the physical collision, checks if there is an overlap in the time
  interval of the IT's.
  In the logical collision it is checked if there is an overlap in the
  validity interval if at least one of the records is a full-day
  ( that is the case when you enter a Daily Work Schedule (DWS) )
  So when one of the records has a DWS it is considered to be a full day
  record and the logical collision is taken into consideration.
  If instead you enter the only the time interval manually the records
  are considered to be partial-day and the physical collision is
  performed. In that case only the time interval is important.
  So if the clock times are not entered the physical collision can not
  take place.
  The collision functionality is always based on clock times and dates,
  never on the total nr of hours.
  Edited by: Siddharth Rajora on Sep 21, 2011 4:57 PM

• Hello , FMS is how to prevent the client into a large number of bytes?

  Hello , FMS how to prevent the client to pass a large number of bytes , such as one person put a 1G file in the argument , I also silly to receive ?Although there Client.setBandwidthLimit ( ) limit his maximum traffic per second , but is there a way , one more than the maximum amount of bytes to disconnect his.I assume that methods to determine the length is also obtained all of his transfer is finished , in order to determine out of it .

  How to limit the size of the parameters of the method.I wrote a method in the main.asc then the client NetConnection.call assignment, but if the client is malicious to upload very large data, how to limit it, I view the document did not find the clues, I hope that those parameters up to100KB.

• How to prevent users from creating new folders in share folder directory?

  Hello guys
  I'd like to know How to prevent users from creating new folders in share folder directory but still keep their power of creating new folders in their personal 'my folder'?
  I tried changing the 'manage privilage ---- create folder' to deny certain user accounts, but by doing so, it also stops the user from creating new folders in their 'my folder', which is not good..
  I also tried going into these share folders and tried different access types such as 'change/delete', 'read', 'traverse folder' etc, but none of it work ideally. The 'change/delete' access still allows them to create new folders, 'read' access prevents creating new folders but also take away their power of saving reports..
  Any thoughts on how to take away their ability to ONLY create new folders in share folder areas without affecting their other privileges?
  Please advise
  Thank you

  Easy, on the shared folders root folder only give them 'read' or 'traverse folder' but on the the folder inside the shared folders root folder give them 'change/delete'. That means they can change anything inside those folders but not create any folders at the shared folders root level.

• Server 2003 routing and remote access not passing VPN traffic

  I've inherited a network that has two IP scopes that are routed through a Windows 2003 server with Routing and Remote Access.  I can ping both sides (we'll call them HQ and Plant) internally.  My firewall has an IP from the HQ IP scope and when
  I connect via VPN, I can see all the devices on the HQ network including the network card that is in the routing server for that "side".  However, if I'm connected via VPN, I cannot get to any of the IPs on the Plant side, not even the card
  in the routing server.  The buck stops on the server.
  I should mention, that the firewall assigns IP addresses that are on the HQ scope, so all VPN connections will have an address from that side.
  I'm lost on how to get this set up so my VPN traffic coming in from the HQ side can be routed to the Plant devices. 

  Hi,
  To be honest, your statement confused me a bit.
  VPN is used for external client get access to internal resource. When we setup VPN server, we usually have two NICs. We need choose a NIC that will be used when client initiate
  a connection request. I prefer to call it external NIC card. The internal one will work as DHCP relay agent. So this is a single way connection. You cannot dial from internal to external.
  If I misunderstood you, please elaborate what you are trying to do.
  Hope this helps.

• How to check "show vpn status in menubar" by .mobileConfig-file

  HI,
  I've created a .mobileConfig (or .networkConnect) file to automatically setup the VPN-connection for our users. Is there a way to also check the box "Show VPN status in menu bar" by this configuration? According to me it should be possible, I only can't find the right xml-tag to add to the config-file.

  Thanks Marvin,
  How could I capture the traffic from initiating peer so that I can figure out that UDP port 500 is blocked or not, with the help of wireshark...
  In my network ONT/Modem (having four ethernet port) is installed at both the end and from one of its port the router is connected at each side and IPSec VPN is configured between the router. to check the UDP port status, my question is, should i connect my laptop (running with wireshark) with one of the port of ONT and capture the traffice or is there any other way and how that traffice will tell me that port 500 is blocked or not?

• FTP dictionary attack - how to prevent ?

  I'm already searched the board but haven't found a solution for our problem:
  During the last weeks the server was being hit by attacks looking like a dictionary attack. Someone tries to log in by ftp thousands of times. This made the server to reboot and finally destroying its mail database, which I rebuilt.
  My biggest problem however is how to prevent this in the future ? Unfortunately the server is used by a nonprofit organization, so we can't spend thousands for intrusion prevention firewall hardware.
  But isn't there a way to configure something like "Each IP is allowed to try logging in via ftp only X number of times per hour" for the ftp service ? I think this would help us.
  I already set to close connections after one wrong password try using Server Admin. By default it was set to "3". But guess that this doesn't really help.
  Any idea would be appreciated.

  No, the people here are used to access the server by ftp and I can't do much. Unfortunately.
  There are alternatives that are (usually) easier to use than ftp. (In my experience, most end-users aren't running a shell-level ftp command, they're running some sort of a front-end or GUI-based ftp client. Finder, perhaps. Which means most don't know they're even running ftp, in any real sense.)
  Also aren't most CMS more vulnerable to DoS attacks and intrusion attempts ? It's complex software with lots of security holes.
  Valid concerns, certainly.
  You do realize that ftp transmits the username and password credentials in cleartext, right?
  Anybody that peeves somebody else sufficiently can end up getting hit with a DoS or (worse) a DDoS or a dictionary attack. Sometimes, you don't even need to peeve somebody. I've dealt with a case of a user launching a DoS to get a tactical advantage over another user in an online game, too.
  Yes, CMS installations can be vulnerable; pick wisely, and stay current. An administrator need do the same thing with a CMS as with most anything else web-facing; evaluate security carefully, track updates and security notices and generally keep a lid on the riff-raff.
  But if you have a situation where you can use, for instance, certificate-based access, you can block most of the trouble and you can block typical open access.
  I find http://www.aczoom.com/cms/blockhosts being an interesting thing. However it's from 2005 - is it still actual or outdated ?
  I tend to either run fairly locked down with the web server and fairly defensive around, or (where applicable) use mod_security, or both.
  And a typical recommendation is to use an out-board firewall, and to house your address-based defenses and blacklists out there. Having users "loose" on the firewall (and I include myself in that) means that a mistake or a configuration change on the server can potentially open up an exposure. I much prefer to have the extra step of connecting to the firewall.
  A VPN server can also be housed out on a firewall (or host-based, if you're so inclined), which can allow you to run ftp and other protocols more securely.
  I do block some IP subnets. But the attacks I (still) see are from all over the IPv4 address space.

• Signature for non-protocol traffic on standard port

  I've found signature to detect SSH traffic on a non-standard port (not port 22), but is there a signature that detects non-ssh traffic on port 22? Alternatively, is there any suggestions on how to create a custom signature to do this? We are also looking for non-ftp on port 21 or 20

  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbedd97/3#selected_message
  sorry, that link explains how to detect SSH tunneling over HTTP ports, which isn't what you asked for. I'll have to think about it.

• How to prevent iCloudDrive from waking computer from sleep?

  My PC wakes up periodically from sleep. After the checking the event logs, the logs show that iCloudDrive.exe process is causing the computer to wake up from sleep. I do not want to disable all system wake timers, but I do not know how to prevent iCloudDrive from waking up the computer. The expiration date keeps changing forward.
  in Command Prompt (admin):
  C:\windows\system32>powercfg -waketimers
  Timer set by [PROCESS] \Device\HarddiskVolume3\Program Files (x86)\Common Files\
  Apple\Internet Services\iCloudDrive.exe expires at 5:26:25 PM on 4/21/2015.
  In Event Viewer:
  Log Name:      System
  Source:        Microsoft-Windows-Power-Troubleshooter
  Date:          4/12/2015 3:21:56 PM
  Event ID:      1
  Task Category: None
  Level:         Information
  Keywords:     
  User:          LOCAL SERVICE
  Computer:      WIN-CBF43TVLMNC
  Description:
  The system has returned from a low power state.
  Sleep Time: 2015-04-12T18:24:08.280458300Z
  Wake Time: 2015-04-12T19:21:44.326107700Z
  Wake Source: Timer - iCloudDrive.exe
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Power-Troubleshooter" Guid="{CDC05E28-C449-49C6-B9D2-88CF761644DF}" />
      <EventID>1</EventID>
      <Version>2</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2015-04-12T19:21:56.645016400Z" />
      <EventRecordID>2838</EventRecordID>
      <Correlation ActivityID="{0D44318C-F225-4D0E-AE0B-76736663674D}" />
      <Execution ProcessID="1888" ThreadID="848" />
      <Channel>System</Channel>
      <Computer>WIN-CBF43TVLMNC</Computer>
      <Security UserID="S-1-5-19" />
    </System>
    <EventData>
      <Data Name="SleepTime">2015-04-12T18:24:08.280458300Z</Data>
      <Data Name="WakeTime">2015-04-12T19:21:44.326107700Z</Data>
      <Data Name="SleepDuration">100</Data>
      <Data Name="WakeDuration">826</Data>
      <Data Name="DriverInitDuration">601</Data>
      <Data Name="BiosInitDuration">909</Data>
      <Data Name="HiberWriteDuration">0</Data>
      <Data Name="HiberReadDuration">0</Data>
      <Data Name="HiberPagesWritten">0</Data>
      <Data Name="Attributes">25612</Data>
      <Data Name="TargetState">4</Data>
      <Data Name="EffectiveState">4</Data>
      <Data Name="WakeSourceType">5</Data>
      <Data Name="WakeSourceTextLength">15</Data>
      <Data Name="WakeSourceText">iCloudDrive.exe</Data>
      <Data Name="WakeTimerOwnerLength">96</Data>
      <Data Name="WakeTimerContextLength">0</Data>
      <Data Name="NoMultiStageResumeReason">0</Data>
      <Data Name="WakeTimerOwner">\Device\HarddiskVolume3\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe</Data>
      <Data Name="WakeTimerContext">
      </Data>
    </EventData>
  </Event>

  In the Bluetooth System Preferences click the Advanced button, then uncheck the Allow Bluetooth Devices To Wake This Computer checkbox.

• How to prevent computers to logon remote site's domain controllers

  Hi,
  We have 3 sites (HQ, remote site A and remote site B) in a Windows 2008 r2 domain, the clients are win XP and win 7, if remote site A's DC and HQ's DC are offline, we don't want remote site B's DC to authenticate
  remote site A and HQ client, how to prevent remote site B's DC to authenticate remote site A and HQ client except remote site B local client?
  Regards,
  Ray NG.

  You might consider configuring ACLs on your firewalls and network equipment to filter this traffic. However, the idea of having multiple DCs is to have HA while in this case you are trying to avoid having benefit of this feature. For Windows clients, they
  will keep using cached credentials as long as they cannot reach a DC for authentication.
  If you would like to configure ACLs to achieve that, please do not restrict the communication between the DCs themselves.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Packet Capture for VPN traffic

  Hi Team,
  Please help me to set ACL and capture for Remote Access VPN traffic.
  Requirement is to see how much traffic is flowing from that Source IP.
  Source : Remote Access VPN IP(Tunneled) 10.10.10.10
  Destination : any
  This is what I did which is not working
  access-list VPN extended permit tcp host 10.10.10.10 any
  capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

  Hello,
  If you set up the capture with that access list, you are filtering just TCP traffic, therefore you won't be able to see UDP or ICMP traffic too, I would recommend you using the same ACL, though using IP:
  access-list VPN extended permit ip host 10.10.10.10 any 
  Capture CAP_VPN access-list VPN interface outside 
  Then with:
  show capture CAP_VPN
  You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follow:
    https://<ip address of asa>/capture/<capname>/pcap   capname-->CAP
  For further details of captures you can find it on this link
  Let me know if you could get the information you were trying to reach.
  Please don´t forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,