How to segment traffic in a DMZ scenario

I had two customers looking for this. In other blades, they have the ability to hook up to 8 NICs to a switch and then that switch (or switches) can be in DMZ1, DMZ2, internal etc. So basically they are able to do physical segmentation of their vhosts on ESX via physical NICs. Since UCS has only one NIC we have to trunk multiple VLANs down and logically segment, or use PALO, but it's still not a physical segmentation. The only way I can think this would work is to use a UCS uplink port into, say, the DMZ as an access port. Then configure the vNICs on the server as access ports in the DMZ VLAN. Finally pin the server to a FEX and traffic should enter the FI on the uplink in that VLAN, hit the DMZ VLAN on UCS and go down the pinned FEX to the server. Obviously there are a whole lot of issues such as ESX management traffic, vMotion traffic, and really only one link can be used, so scaling is a huge issue. With a small customer with a couple of servers in a DMZ that could work.
The other way is using the 1000v in conjunction with the PALO and VN-Link to tag traffic. Then you could use the 1000v to set up ACLs to segment traffic in a sort of SMT fashion, or possibly use vShield. I really don't have any hands-on with vShield or VN-Link; wondering if anyone else has tried a similar scenario.

Hi
With the M81KR (VIC) adapter you could create multiple vNICs and assign them to different vSwitches/uplink port profiles etc. to provide segmentation.
Going out of the UCS system, you could use pinning (as long as your upstream is not a disjoint Layer 2 in EHM) to deterministically route traffic.
When one looks at DMZ isolation etc., a lot of it depends on the environment one is looking at.
Nexus 1000v has a guide published at http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf (not UCS specific) on how to achieve this using different port groups (VLANs essentially)/uplink port profiles/ACLs/PVLANs etc., and you could apply it to a UCS environment with the M81KR.
The various vNICs presented to the hypervisor or bare-metal OS are distinct PCI entities, but as you correctly mentioned they are not physically segmented going out to the fabric. For example, you create 4 vNICs on Side A. They will all go over the same IOM-FI link, as in UCS it is HIF (the interfaces downward from the IOM) to FI link pinning that is followed, not vNIC to FI link pinning. The full-width blades (with 2 adapters) give you more choices though, as the number of HIFs is higher.
Hope it helps.
Thanks
--Manish
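As an added example (not from this thread and not UCS Manager code), here is a small Python model of the plan discussed above: vNICs carrying a set of VLANs, pinned to an uplink that belongs to a zone. The audit reports the conditions a reviewer of such a design would look for: a vNIC VLAN the pinned uplink does not carry, a vNIC that trunks across zones, a DMZ VLAN leaving via a non-DMZ uplink, and, as informational, every blade where DMZ and other zones share the same adapter and IOM-FI link (the "logical only" isolation the reply describes). The zone plan, VLAN numbers, host and uplink names are constructed for the example.

```python
"""Audit a constructed UCS-style vNIC / VLAN / uplink-pinning plan for zone leakage.
All names, VLAN numbers and the zone plan below are made up for this example."""
from dataclasses import dataclass

# Constructed VLAN plan: which VLANs belong to which security zone.
ZONE_VLANS = {
    "dmz": {100},
    "internal": {10, 20},
    "mgmt": {30},          # ESX management and vMotion
}


@dataclass(frozen=True)
class Uplink:
    name: str
    zone: str               # which upstream switch/zone the uplink lands in
    allowed_vlans: frozenset


@dataclass(frozen=True)
class Vnic:
    name: str
    host: str               # service profile / blade that owns the vNIC
    allowed_vlans: frozenset   # a single VLAN models an access port
    pinned_uplink: str


def zone_of(vlan):
    for zone, vlans in ZONE_VLANS.items():
        if vlan in vlans:
            return zone
    return "unknown"


def audit(uplinks, vnics):
    """Return a list of (severity, message) findings for the plan."""
    findings = []
    by_name = {u.name: u for u in uplinks}
    for v in vnics:
        up = by_name.get(v.pinned_uplink)
        if up is None:
            findings.append(("error", f"{v.name}: pinned to unknown uplink {v.pinned_uplink}"))
            continue
        # A VLAN the vNIC carries but the uplink does not allow: traffic is black-holed.
        missing = v.allowed_vlans - up.allowed_vlans
        if missing:
            findings.append(("error", f"{v.name}: VLANs {sorted(missing)} not allowed on uplink {up.name}"))
        # The vNIC trunks more than one zone: the hypervisor/guest becomes a bridge point.
        zones = {zone_of(vl) for vl in v.allowed_vlans}
        if len(zones) > 1:
            findings.append(("high", f"{v.name}: trunks across zones {sorted(zones)}"))
        # DMZ traffic pinned to a non-DMZ uplink exits through the wrong upstream switch.
        if "dmz" in zones and up.zone != "dmz":
            findings.append(("high", f"{v.name}: DMZ VLAN exits via {up.zone} uplink {up.name}"))
    # Per blade: DMZ and other zones share the adapter and the IOM-FI link.
    hosts = {}
    for v in vnics:
        hosts.setdefault(v.host, set()).update(zone_of(vl) for vl in v.allowed_vlans)
    for host, zones in sorted(hosts.items()):
        if "dmz" in zones and len(zones) > 1:
            others = sorted(zones - {"dmz"})
            findings.append(("info", f"{host}: DMZ shares blade/IOM link with {others}; isolation is logical only"))
    return findings


def run_sample():
    """Audit a constructed two-blade plan; returns the findings list."""
    uplinks = [
        Uplink("uplink-dmz", "dmz", frozenset({100})),                # access port into the DMZ switch
        Uplink("uplink-core", "internal", frozenset({10, 20, 30})),   # trunk to the internal core
    ]
    vnics = [
        Vnic("esx1-vnic-dmz", "esx1", frozenset({100}), "uplink-dmz"),
        Vnic("esx1-vnic-mgmt", "esx1", frozenset({30}), "uplink-core"),
        Vnic("esx2-vnic-trunk", "esx2", frozenset({10, 100}), "uplink-core"),
    ]
    return audit(uplinks, vnics)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

In the constructed sample, esx1 matches the access-port design from the question (DMZ vNIC pinned to the DMZ uplink, management vNIC pinned to the core) and produces only the informational "shared blade" line; esx2 shows what the audit catches when a vNIC trunks a DMZ VLAN together with an internal VLAN over the core uplink.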

Similar Messages

  • Possible to segment traffic between 2 interfaces? And other questions...

    I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (which would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
    If the above works the way I stated then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know if the connection list thing works to flow the traffic that if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't and I'd rather not have to buy one.
    So can this be done through the network/sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my linux/unix admin knowledge. Plus I'm not 100% certain how to set all that up command line wise without screwing up OS X!
    Thanks.

    I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
    You have a single G5, that you want to use as both your desktop machine and also to provide specific services, such as web, email, etc.
    You have some type of hardware firewall/security appliance.
    You have some type of wireless access point.
    You don't seem to have any type of router or switch in your configuration.
    You want all of your server based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
    So my questions are:
    Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention)?
    If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
    If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
    If on the other hand you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
    Anyway, to get to specifics, you'll need to use the terminal app to bind specific services to specific IPs and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
    I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
    Anyway, a little more info would be helpful.
    Oh, and if I have this totally wrong in what I think you're doing... my mistake.
    Tom N.

  • How to route traffic across subnets when one NIC is a hyper-V virtual switch?

    Having a bit of a problem with a Hyper-V environment which does not seem to route network traffic on two different subnets between each other.
    If it were a purely physical server with two NICs and a gateway set, traffic would automatically be forwarded between the two different subnets.
    However, when one of those NICs is a Hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets.
    Situation is:
    Hyper-V server with two NICs
    NIC 1 = 192.168.0/24 - main internal company network.
    NIC 2 (Hyper-V virtual switch) = 192.168.1/24 - connects to ADSL internet router
    Virtualized Domain Controller.
    One or two virtualized NICs as necessary
    How then does traffic get routed between these two subnets? If RRAS has to be configured to do this, where is the best place to do it, on the Hyper-V host or on the virtualized domain controller?
    Thanks,

    Hi,
    You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
    After you enable RRAS on the Hyper-V host there will be two gateways for the different subnets.
    "NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router"
    The problem is here, if these VMs need to access the internet.
    So, these VMs cannot configure their gateway the same as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry on every VM.
    Please refer to the syntax:
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
    Hope this helps
    Best Regards
    Elton Ji

  • How to print traffic lights in ALV reports

    Hi, how to print traffic lights on the selection screen in ALV reports?

    HI,
    check below code
    TYPE-POOLS: icon.
    TYPES: BEGIN OF ty_display,
             status     TYPE icon-id,
             bukrs      TYPE bseg-bukrs,
             gjahr      TYPE bseg-gjahr,
             monat      TYPE monat,
             work_order TYPE z_work_order,
             glaccount  TYPE saknr,
             message    TYPE string,
           END OF ty_display.
    DATA: it_display TYPE TABLE OF ty_display,
          wa_display TYPE ty_display.
    " Green light: status icon for a successful row
    WRITE icon_led_green AS ICON TO wa_display-status.
    wa_display-gjahr      = p_year.
    wa_display-bukrs      = p_cc.
    wa_display-monat      = p_period.
    wa_display-work_order = v_aufnr.
    wa_display-glaccount  = wa_bseg-hkont.
    APPEND wa_display TO it_display.
    " Red light: status icon plus message text for a failed row
    WRITE icon_led_red AS ICON TO wa_display-status.
    wa_display-gjahr      = p_year.
    wa_display-bukrs      = p_cc.
    wa_display-monat      = p_period.
    wa_display-work_order = v_aufnr.
    wa_display-glaccount  = wa_bseg-hkont.
    wa_display-message    = text-010.
    APPEND wa_display TO it_display.
    change the icon color based on your requirement and append it to the internal table which you have to display in ALV.
    reward points if it is helpful.
    Regards,
    Srilatha

  • How to do Mapping for the following Scenario

    Hi All,
    I am doing a File to File multi-mapping scenario without using the BPM concept, but my result got stuck at Message Mapping.
    Source:
      Message
        Details
          Name
          ID
    Target:
      Message1
        Details
          Name
          ID
      Message2
        Details
          Name
          ID
    I am getting a Runtime Exception (Message Transformation error) if I do the one-to-one direct mapping....
    So, how to do the mapping for this scenario?
    With Regards,
    Mahesh

    Hi Farooq,
    I am using Split and Merge.
    Source XML
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://sap.com/xi/XI/SplitAndMerge" targetNamespace="http://sap.com/xi/XI/SplitAndMerge">
    <xsd:import namespace="http://tcs.com/Demo" />
    <xsd:element xmlns:p0="http://tcs.com/Demo" name="Messages">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="Message1" form="qualified">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element ref="p0:BPM_In_MT" />
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:schema>
    Target XML
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://sap.com/xi/XI/SplitAndMerge" targetNamespace="http://sap.com/xi/XI/SplitAndMerge">
    <xsd:import namespace="http://tcs.com/Demo" />
    <xsd:element xmlns:p0="http://tcs.com/Demo" name="Messages">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="Message1" form="qualified">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element ref="p0:BPM_Out_MT" minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    <xsd:element name="Message2" form="qualified">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element ref="p0:BPM_Out1_MT" minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:schema>
    Thanks
    Mahesh

  • How to use traffic lights concept in alv in webdynpro abap

    Hai,
    How to use the traffic lights concept for ALV in Web Dynpro ABAP? If possible give me some code.

    Hi Ravi,
    You can create ICON  to get traffic light.
    Go through this step by step.. in this example
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/1190424a-0801-0010-84b5-ef03fd2d33d9?quicklink=index&overridelayout=true
    Please go through this...
    Re: Display ICON in the ALV table column
    Re: Image in ALV
    cheers,
    Kris.

  • How do I log onto airport, how do I get to the DMZ on the router?

    How do I log onto airport, how do I get to the DMZ on the router?

    Open the airport utility.
    Bobby Pearce wrote:
    How do I log onto airport, how do I get to the DMZ on the router?
    If you mean how to set the DMZ..
    Click on the Airport in airport utility.. click on the edit that shows on the summary..
    Go to the Network tab.. and go to network options on the bottom of that page.
    Enable Default Host.. is DMZ..
    Tick the box and type in the IP of the computer or device you are placing in the DMZ.

  • How to segment red target in a image and caculate the L*a*b* value

    Hello,
    Can anyone tell me how to segment a color image? This image contains red, white and a black background.
    I want the red and white parts, and to calculate each part's L*a*b* value.
    Thank you very much.
    rex

    Sounds like maybe you don't have the Image Toolbox?
    Attached is a VI to convert RGB to Lab. IIRC, I think there is no one correct answer for conversion to Lab, so check the formula.
    To do your segmentation without the toolbox, unflatten the image cluster and decompose the RGB array into separate 2D arrays (R, G, B). Threshold your red areas by finding pixels with high R and low G and B. Find white by finding pixels with R, G, and B values all high.
    Attachments:
    RGB2Lab.vi ‏9 KB
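As an added example (not from the thread and not the attached VI), the same procedure in pure Python: split the image into R, G and B planes, threshold red (high R, low G and B) and white (all channels high), then convert each segment's pixels to CIE L*a*b* and average them. The 4x4 image and the thresholds are constructed for the example; the sRGB-to-XYZ matrix and D65 white point are the standard values, chosen here because, as the reply notes, there is more than one Lab conversion in use.

```python
"""Segment red and white regions of a small RGB image and report each region's
mean CIE L*a*b*, without an image toolbox or NumPy. Image and thresholds are
constructed for the example; the conversion uses sRGB primaries and D65 white."""

# Constructed 4x4 RGB image: red patch top-left, white patch bottom-right, black elsewhere.
IMAGE = [
    [(230, 20, 20), (240, 10, 30), (0, 0, 0), (0, 0, 0)],
    [(225, 30, 15), (235, 25, 25), (0, 0, 0), (0, 0, 0)],
    [(0, 0, 0), (0, 0, 0), (250, 250, 250), (255, 255, 255)],
    [(0, 0, 0), (0, 0, 0), (245, 248, 250), (255, 255, 255)],
]


def split_channels(image):
    """Decompose the RGB image into separate 2D arrays R, G, B."""
    r = [[px[0] for px in row] for row in image]
    g = [[px[1] for px in row] for row in image]
    b = [[px[2] for px in row] for row in image]
    return r, g, b


def is_red(r, g, b, high=180, low=60):
    """Red: high R, low G and B (thresholds constructed for this image)."""
    return r >= high and g <= low and b <= low


def is_white(r, g, b, high=200):
    """White: all three channels high."""
    return r >= high and g >= high and b >= high


def segment(image, predicate):
    """Boolean mask (2D list) of the pixels matching predicate."""
    return [[predicate(*px) for px in row] for row in image]


def count_mask(mask):
    return sum(1 for row in mask for m in row if m)


def _srgb_to_linear(c):
    c = c / 255.0
    return c / 12.92 if c <= 0.04045 else ((c + 0.055) / 1.055) ** 2.4


def rgb_to_lab(rgb):
    """8-bit sRGB -> CIE L*a*b* (D65 reference white)."""
    r, g, b = (_srgb_to_linear(c) for c in rgb)
    x = 0.4124 * r + 0.3576 * g + 0.1805 * b
    y = 0.2126 * r + 0.7152 * g + 0.0722 * b
    z = 0.0193 * r + 0.1192 * g + 0.9505 * b

    def f(t):
        return t ** (1.0 / 3.0) if t > 0.008856 else 7.787 * t + 16.0 / 116.0

    fx, fy, fz = f(x / 0.95047), f(y / 1.0), f(z / 1.08883)
    return 116.0 * fy - 16.0, 500.0 * (fx - fy), 200.0 * (fy - fz)


def mean_lab(image, mask):
    """Average L*a*b* over the masked pixels; None if the mask is empty."""
    pixels = [px for row, mrow in zip(image, mask) for px, m in zip(row, mrow) if m]
    if not pixels:
        return None
    labs = [rgb_to_lab(px) for px in pixels]
    n = len(labs)
    return tuple(sum(lab[i] for lab in labs) / n for i in range(3))


if __name__ == "__main__":
    for name, pred in (("red", is_red), ("white", is_white)):
        mask = segment(IMAGE, pred)
        print(name, count_mask(mask), "pixels, mean Lab:", mean_lab(IMAGE, mask))
```

The masks from `segment` are what a threshold-based segmentation produces; tune `high` and `low` to the actual image rather than reusing the constructed values.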

  • How is PR created in Extended Classic Scenario

    Hai friends
    How is PR created in Extended Classic Scenario?
    Please let me know
    Regards
    Krishna

    Hi Krishna,
    Shopping cart in SRM is equal to PR in R/3. If it is Classic scenario we can customise to create a PR in the backend for the shopping cart in EBP, but in ECS a PO will be created directly against the shopping cart in EBP and it will replicate to the R/3 system.
    Regards,
    Baparao.

  • How to manage traffic of livestreams or youtube

    Hi all,
    at the moment we are discussing how to control or limit traffic used by livestreams. At the moment there are many web pages with livestreams of the Olympic winter games and customers are facing very high traffic from HD video streams.
    So we are now thinking about managing these video streams by implementing some policies on the proxies.
    And we alternatively think about how to restrict traffic of video streams or YouTube video using the ASA.
    Did not find anything in the knowledgebase. Do you have any hints on how to manage this?
    Thank you in advance and best regards
    Vincent

    Just go through Manage application and Modify application and use reindex and full process.
    This normally should fix your issue.
    Regards
    Sorin Radulescu

  • How to snoop traffic on PGW 2200 with Wireshark

    How to snoop traffic between PGW 2200 & MGX 8880 with Wireshark?

    I hope I have understood your question correctly.
    1) enable the snoop on the PGW using ./snoop_scrip in the /opt/snoop/ path
    2) collect the trace of the call and then stop the snoop using CTRL-C
    3) open Wireshark
    4) drag and drop the files generated by the snoop into Wireshark
    5) Wireshark will ask to merge the files
    P.S. PGW uses RUDP to communicate with the media gateway. Set the Wireshark RUDP port (in the Edit - Preferences - Protocols menu) according to the PGW configuration.
    Regards.

  • How can I permit all traffic from inside-dmz-outside on asa5505

    Scenario :
    Servers are in the DMZ; internal LAN users should access the specified ports (5000 & 2048). Router 2801 is facing the leased line; from there it's connected to the firewall.
    Router LAN IP: 83.111.X.X - 255.255.255.X
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.X.X 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 83.111.X.X 255.255.255.240
    interface Vlan3
    nameif dmz
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 83.111.x.x
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
    : end
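As an added example (not from the post and not Cisco code), here is a Python parser for the interface, same-security-traffic and NAT lines of the ASA 7.x config above, plus a check of what those lines imply for the inside/dmz/outside flow the question asks about: the dmz interface sits at security-level 100, the same as inside, so with `same-security-traffic permit inter-interface` inside and dmz already talk in both directions with no access-list, and the dmz's private 192.168.100.0/24 has no `nat` statement for `global (outside) 1`, so it is never translated towards outside. `SAMPLE_CONFIG` is the relevant subset of the posted config with addresses masked as posted; `remediation` returns the ASA 7.x lines that lower the dmz below inside and give it PAT (the /24 is taken from the posted mask).

```python
"""Parse the interface / same-security / NAT lines of an ASA 7.x config and report
what they imply for inside <-> dmz <-> outside traffic. Sample config is the subset
of the posted one (addresses masked as posted); no Cisco API is used."""
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.X.X 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 83.111.X.X 255.255.255.240
interface Vlan3
 nameif dmz
 security-level 100
 ip address 192.168.100.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
PRIVATE_PREFIXES = ("10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))


def parse(config_text):
    """Return (interfaces keyed by nameif, nat ids keyed by nameif, same-security flags)."""
    interfaces, nat_ids, flags = {}, {}, set()
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"port": line.split()[1], "security_level": None, "ip": None}
        elif line.startswith("nameif ") and current is not None:
            interfaces[line.split()[1]] = current
        elif line.startswith("security-level ") and current is not None:
            current["security_level"] = int(line.split()[1])
        elif line.startswith("ip address ") and current is not None:
            current["ip"] = line.split()[2]
        elif line.startswith("same-security-traffic permit "):
            flags.add(line.split()[-1])
        else:
            m = NAT_RE.match(line)
            if m:
                nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
    return interfaces, nat_ids, flags


def analyze(interfaces, nat_ids, flags):
    """Findings about the inside/dmz/outside flow, each a short string."""
    findings = []
    inside, dmz = interfaces.get("inside"), interfaces.get("dmz")
    if inside and dmz and dmz["security_level"] >= inside["security_level"]:
        findings.append(f"dmz security-level {dmz['security_level']} is not below inside "
                        f"({inside['security_level']}): dmz hosts are trusted like the LAN")
        if "inter-interface" in flags:
            findings.append("same-security-traffic permit inter-interface: inside<->dmz "
                            "already flows both ways with no access-list")
    for name, itf in interfaces.items():
        if name != "outside" and itf["ip"].startswith(PRIVATE_PREFIXES) and name not in nat_ids:
            findings.append(f"{name} ({itf['ip']}) has a private address but no nat "
                            f"statement: it is not translated towards outside")
    return findings


def remediation(interfaces):
    """ASA 7.x lines that put dmz below inside and give it PAT via global (outside) 1."""
    dmz = interfaces["dmz"]
    net = dmz["ip"].rsplit(".", 1)[0] + ".0"   # /24 network, from the posted mask
    return [f"interface {dmz['port']}",
            " security-level 50",
            f"nat (dmz) 1 {net} 255.255.255.0",
            "! dmz->inside now needs an explicit access-list; inside->dmz is allowed by default"]


def run_sample():
    return analyze(*parse(SAMPLE_CONFIG))


if __name__ == "__main__":
    for line in run_sample():
        print("-", line)
    print("\n".join(remediation(parse(SAMPLE_CONFIG)[0])))
```

With the dmz at security-level 50, inside-to-dmz (the 5000 and 2048 access the question wants) is permitted by the default higher-to-lower rule, while dmz-to-inside requires an explicit access-list, which is the direction a DMZ is meant to constrain.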

    Hi Ben,
    Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
    What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
    All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around LabVIEW constructs than benefitting from them.
    I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
    Thanks again for the suggestion,
    Frank 
    Attachments:
    Front Panel Reference.vi ‏33 KB

  • Client looking to segment traffic via SSID using 2504

    I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC: one directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport, bypassing the proxy server.
    My issue is, "how do you segment the SSID traffic via the WLC?" The interfaces via the GUI aren't that intelligent; there's an enable and a logging drop-down. Via the command line, I didn't see any methods of routing traffic.
    Please assist, Thanks in advance.

    The controller doesn't 'route' traffic, it will just send it out the VLAN/Port the interface is configured for.
    So if you tell interface 'guest' to be linked to port 4, any WLAN that uses guest will be sent out port 4.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Multiple Public IP's on single ASA 5510 - "Segment Traffic"

    Hello,
    I was told this is not possible on Cisco ASA, just wondering if it's true.
    Description: We are setting up 2 new Exchange servers; they need to go out the same ASA on different interfaces to separate public IPs. We also have a 3rd public IP for our staff.
    Basically we want our staff to use the 10x5 slow internet connection (Public 3). We want Server 1 to use Public IP 1 and Server 2 Public IP 2.
    Server 1  -----> Public IP 1
    Server 2  -----> Public IP 2
    Staff     -----> Public IP 3
    I was told PBR (Policy Based Routing) is not supported on Cisco ASA, which I understand. But is there a workaround with the ASA, or will I HAVE to implement a layer 3 device in front of the ASA?
    We also have a DMZ in the mix; I don't know if that changes anything.
    I hope this makes sense, if not I can try and explain more, but any advice would be greatly appreciated! I don't want to expense another layer 3 device if possible!

    Hi,
    Here is a link to another discussion where a user wanted to direct a certain DMZ network's traffic through another ISP:
    https://supportforums.cisco.com/thread/2209874
    Naturally the NAT setup doesn't exactly match your need, but essentially in your case it would just mean slightly modifying the NAT configurations.
    Naturally this is not something that is really advisable for a production environment, but it should work. Then again, as Cisco doesn't officially support it, there is no knowing what future updates might do to this or what would happen if you ran into a problem with the NAT-related operation of the firewall.
    Because of this way of NAT configuration the configurations would naturally become more complex and the ordering of NAT rules might need a closer look when modifying them.
    - Jouni

  • How to force traffic though a chosen interface in Windows 8.1?

    Windows 8.1 seems to be able to detect dead routes and picks up the default gateway or next best route for routing.
    I have a requirement where I want traffic for specific destinations to "always" go through the interface that I pick, and if that interface is not providing a path for some reason then I want the communication to fail instead of switching to the next best interface.
    How do I achieve this? I already tried the EnableICMPRedirect and DeadGWDetectDefault registry settings and disabling Auto Metric on the interface through which I want to route this traffic.
    Any clues would help.
    Thanks
    GW

    With PowerShell you should be able to view the applicable routes and modify them accordingly to alter this behavior:
    # you can determine your adapters with
    Get-NetAdapter -IncludeHidden
    # then you can see what routes are associated with what adapter interface (let's assume your wifi interface is 4 and your loopback is 1)
    Get-NetRoute -AddressFamily IPv4
    # you will get your specific interface index, destination prefix, nexthop and the routemetric
    # you can then set a specific route policy using:
    New-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 1 -RouteMetric 256
    New-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 4 -NextHop 10.1.1.1 -RouteMetric 0
    # you can modify the configuration with:
    Set-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 4 -NextHop 192.168.10.1 -RouteMetric 0
    # finally, you can remove the specific route or all the routes with:
    Remove-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 1 -Confirm:$false
    Remove-NetRoute -DestinationPrefix "200.200.200.200/32" -Confirm:$false
