I guess my question is just too difficult for everyone
I am trying to modify my configuration to be more robust and cover some scenarios I have not previously thought about. My device is a Cisco PIX 525 with IOS 8 on it.
I have a basic configuration: the cable box comes into the house and the PIX outside interface is plugged into that. The inside interface plugs into an Ethernet switch, and the rest of the network plugs into the switch. Under this current setup, I have 3 remote access groups. The first one is a full tunnel group, the second is a split tunnel, and the third one is web-only traffic for secure browsing when I am not home.
DHCP is set up and all inside hosts can talk to the outside hosts passing full traffic both ways and vice versa; the outside hosts on the full and split tunnel can talk to the inside hosts with full traffic.
The IP layout is as follows: 10.1.1.x is for the inside hosts, 10.1.2 is for full tunnel, 10.1.3 is for split tunnel, 10.1.1.4 is for web only.
Here is my goal with questions:
The goal is to set up a second network (a small lab) which will allow guests etc. to connect to my network but not hit anything outside of that subnet, while the inside hosts can still talk to all hosts on the 10.1.5. subnet.
I can plug a switch into the ethernet2 NIC, and have everything on ethernet2 get an IP range of 10.1.5.x?
Can I configure a new VPN group that also allows anyone connected to it to only see hosts in 10.1.5.x?
Can I set it up so that anything on 10.1.1.x, 10.1.2.x and 10.1.3.x can have access to the hosts in 10.1.5.x but not allow it the other way around?
The outside VPN access is working fine. It leases a 10.1.5.x address to remote hosts connecting in. What I cannot seem to get at this point is the second network DHCP part working. The interface is on and turned up. When I plug anything into the NIC card it just sits there trying to get an IP and then ultimately fails.
The config script I ran before this has the following:
configure terminal
interface ethernet0
 nameif outside
 ip address dhcp setroute
 no shutdown
 exit
dns domain-lookup inside
dns domain-lookup outside
dns name-server 8.8.8.8
dns name-server 8.8.4.4
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
nat-control
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
nat (inside) 0 access-list ThcInside-nat0
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-group outside_access_in in interface outside
http server enable
http 10.0.0.0 255.0.0.0 inside
logging asdm informational
no asdm history enable
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto isakmp nat-traversal 30
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit
 exit
username blahblah password blahblah
crypto ipsec transform THCTransformSet esp-aes-256 esp-sha-hmac
My additions to try to get my objective working are as follows:
interface ethernet2
 nameif lab
 ip address 10.1.5.1 255.255.255.0
 no shutdown
 exit
dns domain-lookup lab
nat (lab) 0 access-list ThcInside-nat0
nat (lab) 101 10.0.0.0 255.0.0.0
dhcpd address 10.1.5.2-10.1.5.254 lab
dhcpd dns 8.8.8.8 10.1.1.1 interface lab
dhcpd enable lab
http 10.0.0.0 255.0.0.0 lab
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
nat (outside) 101 10.1.5.0 255.255.255.0
ip local pool ThcIPLabOnlyTunnelPool 10.1.5.1-10.1.5.254 mask 255.255.255.0
group-policy THCLabOnlyTunnel internal
group-policy THCLabOnlyTunnel attributes
 dns-server value 8.8.8.8 8.8.4.4
 wins-server value 10.1.1.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
tunnel-group THCLabOnlyTunnel type ipsec-ra
tunnel-group THCLabOnlyTunnel general-attributes
 address-pool ThcIPLAbOnlyTunnelPool
 default-group-policy THCLabOnlyTunnel
tunnel-group THCLabOnlyTunnel ipsec-attributes
 pre-shared-key blahblah
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface lab
Thanks,
Jeff
I think you're saying you're having trouble with getting DHCP to work on the lab interface.
Have you tried shrinking your ThcIPLabOnlyTunnelPool and the DHCP address space so they don't overlap? I'm not an expert on PIX DHCP but I doubt the local pool and DHCP database are synching data so that they know not to assign addresses already in use.
Did you run Wireshark on a client connected to the lab interface? Debug DHCP on the PIX?
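The overlap raised in the reply above can be checked mechanically. The Python script below is an added example, not part of the original thread and not a Cisco tool: it parses the address-related lines of the posted configuration (embedded as a constructed sample) and reports overlapping ranges and `address-pool` references that match no defined pool. The function names are hypothetical, and pool names are assumed to be matched exactly, including letter case.

```python
import ipaddress
import re

# Constructed sample: the address-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
interface ethernet2
nameif lab
ip address 10.1.5.1 255.255.255.0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd address 10.1.5.2-10.1.5.254 lab
ip local pool ThcIPLabOnlyTunnelPool 10.1.5.1-10.1.5.254 mask 255.255.255.0
tunnel-group THCLabOnlyTunnel general-attributes
address-pool ThcIPLAbOnlyTunnelPool
"""

RANGE = r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
IP = ipaddress.IPv4Address


def parse(config):
    """Return (ranges, pool_refs); ranges are (label, first, last) tuples."""
    ranges, pool_refs = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"dhcpd address " + RANGE + r" (\S+)$", line):
            ranges.append(("dhcpd:" + m[3], IP(m[1]), IP(m[2])))
        elif m := re.match(r"ip local pool (\S+) " + RANGE, line):
            ranges.append(("pool:" + m[1], IP(m[2]), IP(m[3])))
        elif m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) \d", line):
            # A static interface address is treated as a one-address range.
            ranges.append(("interface:" + m[1], IP(m[1]), IP(m[1])))
        elif m := re.match(r"address-pool (\S+)$", line):
            pool_refs.append(m[1])
    return ranges, pool_refs


def overlaps(ranges):
    """Return (label_a, label_b, shared_count) for every overlapping pair."""
    found = []
    for i, (name_a, lo_a, hi_a) in enumerate(ranges):
        for name_b, lo_b, hi_b in ranges[i + 1:]:
            lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
            if lo <= hi:
                found.append((name_a, name_b, int(hi) - int(lo) + 1))
    return found


def undefined_pools(ranges, pool_refs):
    """Pool names referenced by a tunnel group but never defined.
    Assumption: names are matched exactly, including letter case."""
    defined = {label.split(":", 1)[1]
               for label, _, _ in ranges if label.startswith("pool:")}
    return [ref for ref in pool_refs if ref not in defined]


if __name__ == "__main__":
    ranges, refs = parse(SAMPLE_CONFIG)
    for a, b, n in overlaps(ranges):
        print(f"OVERLAP {a} <-> {b}: {n} address(es)")
    for ref in undefined_pools(ranges, refs):
        print(f"UNDEFINED address-pool {ref}")
```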
Similar Messages
-
Is Mountain Lion just too much for my MAC?
I was running Snow Leopard and it was great, everything ran smooth and everything. I needed to upgrade to iMovie 11, which I couldn't do unless I upgraded to Mountain Lion.
Now my computer just runs sluggish. Everything lags now, from internet browsing to iTunes to everything. Ever since I upgraded it's been like a downgrade.
My Mac is an early 2008 model MacBook Pro. Is Mountain Lion just too much for my computer or is there anything I can do to fix this?
RIPJDilla wrote:
For someone who has never put together a computer or anything of that nature, how hard or risky is installing it.
It's easy. Apple even provides instructions for you: http://support.apple.com/kb/HT1270
Crucial has a little app you can install that will examine your system and suggest upgrade options:
http://www.crucial.com/systemscanner/MacOS.aspx
You don't have to buy from them, though they are a good vendor, as is OWC / MacSales. -
It's not a question, I just think that for iOS 5 you should make FaceTime its own app
It's not a question and I just think you should make FaceTime its own app for iOS 5
You are not addressing Apple here at all.
We are all iPhone users like you. -
My problems with Safari may be just too unique for Help, but . . .
Alright, let me try to describe confusion as best I can.
I've had a late `06 iMac since early 2007. Upgraded to Leopard when it was new, but since then really couldn't afford the rampant newness every few months.
While I applaud the digital evolution, I've also had enough of relearning every blessed thing over n' over instead of learning & using what I already have,
but let's cut that rant off and get to the current bug-a-boos.
For a few months recently my 27" desktop suffered escalating freeze-ups and hard restarts while it became clearer it was prob'ly the graphics card.
3 weeks ago we reached the point where it wouldn't get past a blue-screen unless I booted in safe-mode . . and with all those limitations, and the green-grids over everything of a darker color, that's no replacement for a functioning Mac !
Since then I've been running off an external clone of the HD.
A 3 TB Seagate, which oddly had no Firewire, but was the only model that I could find fitting my needs at the time.
USB has certainly been sufficient in the past, but now ? . . it's most likely not the core cause of my aneurism inducing situations anyway.
What I've got running off the external is a refurbished laptop I bought at an Apple store in late 2006 when the super-drive was gonna' have the Mac sitting with the geniuses for a week or more ( I had some money then . . sigh ).
Refurbished in `06 would prob'ly make it, what ? . . a 2003 maybe ?
I'm not gonna' reboot to it just to confirm that.
Anywhy . . . times in the past I ran the laptop from a clone did not produce what I'm dealing with now : Netflix thinks I've migrated settings to a new computer and there's a DRM problem, and other such stuff . . .
But Safari going into beachball constantly is what's tearing out my hair !
I often have to open and force-quit it 5 or 6 times till it works . . briefly !!
And kernel_task / root user is usually at the top of Activity Monitor's CPU usage nowadays as well.
I doubt emptying Safari's cache when it finally opens helps much, but it seemed to for awhile.
What can I try, or where should I look in my rather unique configuration, just so I can function for more than a few minutes, till I fix or replace the iMac ?
2 hours later, and the joy with Console continues :
native on the MacBook -- crashes in seconds every time
from the booted-to external -- dare to touch it and it's beachball time on & off forever.
At least Activity Monitor could take a sample.
Now how to fix the tool I needed when the tool is broken ??
-
Regarding Pages charts, when I try to 'build' a 3D chart all I get is little dots but not graphics. No problems with 2D charts though. Guess my question is "Help?"
Sorry for the delay getting back to this.
Thanks to Fruhulda and Peter for their comments regarding the refusal of Pages to let me make 3D charts.
In answer to the questions put to me in this regard :
1. Pages version : Pages '09 v.4.1 (923)
2. Mac O/S : v.10.6.8
3. 3D chart : Can't find a 'name', but upright bars with rounded corners ???
4. Moved apps : Not that I'm aware of! All should be as installed off the disc.
5. A note : I have been able to create these in the past - related to a SW update?
and ... can create these charts perfectly in Keynote (go figure).
Thanks to all.
CM -
Latest Leopard Update just too large
The latest Leopard update is over 500 MB. This is just too large for those of us who connect via satellite. The update is so large that it throws me into Fair Access restrictions. In addition it doesn't install. It gets hung up for hours in "Configuring Software".
It must be broken up into smaller pieces. There is just no excuse for an update being so large.
Someone from Apple needs to read this forum and fix this. If the update contains something critical for an application or system stability, then I am hosed.
This forum is for troubleshooting Apple Software Update for Windows, a software package for Windows designed to update Apple products that run on Windows, and not related to Mac OS updates.
Try your local library or nearest Apple authorized service provider to get the update. -
All icons, such as refresh page, back, forward, stop and home etc; are just too small for comfortable use. For now I am uninstalling Firefox 4 and going back to 3.x. even the zoom page icons are too small.
"I had read that GarageBand or the Musical Typing there can sometimes not display properly when the resolution is changed."
Well, did you check GB after you changed your resolution?
Which setting did you change to?
You & I have the same size iMac screen. My resolution setting is 1280x800. Everything fits perfectly in the windows & on desktop including the menu bar.
All info in my windows are showing. I did not need to adjust my browser font size settings. I am sure you are aware of the browser font size settings. I use FF & the settings are in Preferences>Content.
In the Finder window you can enlarge the icons & fonts also.
Finder>View>Show View Options. -
How can I make the background one solid color? It is too difficult and noticeable when I use the retouch button and try to erase all the creases in my backdrop. So, how can I have just a solid white background?
When talking about a specific image posting the image may be useful.
One can use a Layer Mask and add a white Layer underneath. -
Automatic answer? or just too lazy to read question?
I came across this post in ABAP Dictionary:
How to make custom append search help tab default for all users?
The poster was asking a question about search help defaults, but did mention the word "Append" in the title.
The first response posted to the question started with:
<i>hi
Enhancement using Append structures
Append structures allow you to attach fields to a table ...</i>
which was completely off topic for the question asked.
I wonder, is the responder using some form of automated code that finds a key word and then pastes an answer? Or did they just fail to read the question in any kind of detail?
I have seen similar cases where the reason for the mis-answer could be language translation, or where the question was very poorly phrased, but this one stood out as an answer you would never give if you read and even partly understood the question.
Andrew
Hi Andrew,
He probably didn't read the question. Just read the title (half) and searched his database. It happens a lot. I also see answers for questions where people didn't bother to read the other replies, so they give an answer which is already given or ask a question which is already answered.
It seems some users just post as quickly as possible to make sure they get the points.
Regards,
Martin -
User Management in SRM too Difficult
Hi Guys,
I'm in SRM Add-on component in ECC 6.0.
I've some doubt regarding how the user management has to be handled.
Our Scenario:
1> We are not going to generate users from the Web. So there is no question of users requesting for ID from SRM screen.
2> All user id has to be maintained in SAP.
3> Roles and assignment of authorization has to be done in SAP
4> SRM will be just for procurement, not for user management
I know SAP has a transaction USERS_GEN, which takes care of most of these processes. But unfortunately we don't have the USERS_GEN transaction. It's not supported in our system.
So we are following a big loop to get the users correctly attached to Org Structure. I'm describing below the whole process and can anybody tell me an alternative to this loop.
1. Creation of Personnel number by PA30 transaction
2. Creation of User id by SU01
3. Assignment of User ID to Personnel number
4. Assign users to the Org structure
5. Now I run the consistency check for Business Partner. It gives an error that 'CP number XYZ has not been attached to S PQR'. So here I know the CP number.
6. By transaction PSO3, I key in the attributes to the CP in above step.
7. By transaction PO13, I create a relationship between CP and the Org unit
8. By transaction PRAA, I create employee vendor. It is necessary as I've to maintain Contact person for employee. In the vendor master I maintain the contact person.
9. In SRM user management I maintain the Goods Recipient for every user.
After I've done all these 9 steps, I can create SC. This seems to be too difficult. Anybody has any idea how to manage all these? I'm sure there is some alternative to automate these processes. Can anybody tell me how to go about it.
Thanks
Debashish
Hi Deb,
" We are not going to generate users from the Web "
so you can not use the link "manage user data" in the administrator log in ??
that was one alternative to users_gen!
BR
Dinesh -
Hello I just made a playlist and it was too long for a CD so I burned it to a DVD. When I went to check it the song order was totally changed, is this something I can fix?
Thank you SO much. Sorry. I am flustered and didn't even notice. LOL
Have a good night. I have posted my question in the correct forum now. Thanks for your help. -
Why is asking a question to Firefox so difficult, and limited to a limited number of 'characters'?
Sorry for the confusion; it seems as though I am the one confused--after jumping through several hoops, I thought I was sending a question to the Firefox help support...my question was about 7 characters too long to send, apparently.
-
Creative Cloud is taking too much time to load and is not downloading the one month trial for Photoshop I just paid money for.
stop the download if it's stalled, and restart your download.
-
I'm new to using Logic. I've been using GarageBand for quite a while now, though, but my question is just basic. When I want to record electric guitar while clicking the software option it brings me to a lot of guitar sounds that I want to choose. I choose the twangy electric or the distorted strat but I only hear clean sounds. No matter what kind of guitar sound I choose in the library it only produces clean guitar. How can I make it sound like it's supposed to? Did I miss something I should do?
This definitely has me stumped as I'm unsure as to why your guitar can be heard, but with none of the channel strip's plugins applied to the sound.
On the record enabled channel strip that contains your guitar input, is the "I" button located near the "R" active? Also, if you record your guitar, can you hear the FX applied to it when you play back the recorded track? -
I have my iTunes library on an external HD because it is too big for my iMac 500GB HD. However, it is not backed up, so I need a solution to back up my external HD. Can I do this with any Apple cloud product or should I look elsewhere for cloud products? Will it be cheaper/easier just to buy another external HD to back up my existing external HD? Thanks
I don't know if this is me adding files to iTunes when the external wasn't connected
It is.
is it OK to just keep deleting that library on the Air?
I wouldn't - at least not until I
mount the external
point iTunes media folder location back to the external via preferences > advanced
consolidate my library via file > library > organize library
The NTFS hasn't seemed to be causing any problems, but I've always wanted to know.
In order for your Mac to write to NTFS drives, it needs some help by installing e.g. the NTFS 3G driver. Apparently that or something similar is installed on your Mac already. Preferably, it would be formatted for Mac, but then Windows machines would need to have e.g. MacDrive installed to recognize the drive.