Inbound ACL for public VPN router

Hi all,
I have configured our VPN router for access for all our mobile clients. Our private VPN range is going to be 172.16.10.x/24. Do I need to add ACL permit rules for this range on our inbound ACL to all the inside LANs to facilitate access for the VPN users?
eg int S0/0/0
     ip address 85.x.x.x
     ip access-group 100 in
access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
If I understand things correctly, once the user connects, the VPN is tunnelled as far as the inside of the interface, so traffic passing through the VPN is encapsulated and hence wouldn't appear as a private IP?
All comments are greatly appreciated.
Paul

Sorry, I meant to say you should not edit the outside ACL for VPN traffic; for the rest of the things you can do it.
Thanks
Ajay
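One way to see concretely what an outside-interface ACL would accept, as an added example that is not part of this thread or of any Cisco documentation: the Python below parses IOS extended numbered ACL lines in the syntax of Paul's `access-list 100` entry, evaluates packets first-match with the implicit deny at the end, reports whether IKE (UDP 500), NAT-T (UDP 4500) and ESP from a client can reach the router itself, and flags any permit whose source sits inside an RFC 1918 range. The ACL, the router address 203.0.113.1 (standing in for the 85.x.x.x on the page) and the client address 198.51.100.7 are constructed placeholders from the documentation ranges; only destination `eq` port matches are parsed, which is an assumption of this example.

```python
"""Audit a Cisco IOS extended (numbered) ACL applied inbound on an internet-facing interface.

Added example for this thread; the ACL below is constructed, not the poster's.
203.0.113.1 stands in for the router's public address and 198.51.100.7 for a
VPN client's public address. Only destination "eq" port matches are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that may appear in the sample ACL.
PORT_KEYWORDS = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "domain": 53}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ACL: what the outside interface of an IPsec remote-access router
# needs for the tunnel itself (IKE, NAT-T, ESP addressed to the router) plus the
# entry the original post asks about (the VPN pool as a plain-text source).
ACL_100 = """
access-list 100 permit udp any host 203.0.113.1 eq isakmp
access-list 100 permit udp any host 203.0.113.1 eq non500-isakmp
access-list 100 permit esp any host 203.0.113.1
access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip any any
"""


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port when "eq <port>" was given
    raw: str                    # the original ACL line, for reporting


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address plus IOS wildcard mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (which is what an IOS wildcard is) in place of a prefix length.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Turn 'access-list N permit|deny <proto> <src> <dst> [eq <port>]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _address(t, 4)
        dst, i = _address(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries


def evaluate(entries: List[Entry], proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None):
    """First-match evaluation, the way IOS walks an ACL, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e
    return "deny", None


def vpn_transport_permitted(entries: List[Entry], router_ip: str, client_ip: str) -> dict:
    """Can IKE, NAT-T and ESP from a client's public address reach the router itself?"""
    return {
        "ike": evaluate(entries, "udp", client_ip, router_ip, 500)[0] == "permit",
        "nat-t": evaluate(entries, "udp", client_ip, router_ip, 4500)[0] == "permit",
        "esp": evaluate(entries, "esp", client_ip, router_ip)[0] == "permit",
    }


def private_source_permits(entries: List[Entry]) -> List[Entry]:
    """Permit entries whose source lies wholly inside RFC 1918 space. On an inbound ACL of an
    internet-facing interface these accept plain-text packets that merely claim a private source."""
    return [e for e in entries
            if e.action == "permit" and any(e.src.subnet_of(n) for n in RFC1918)]


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    print("tunnel transport:", vpn_transport_permitted(acl, "203.0.113.1", "198.51.100.7"))
    for e in private_source_permits(acl):
        print("private source permitted on the outside ACL:", e.raw)
    # A plain-text packet arriving from the internet that claims the VPN pool as its source:
    print(evaluate(acl, "tcp", "172.16.10.5", "192.168.1.10", 445))
```

The last line of the report puts Paul's question in concrete terms: the fourth entry accepts a plain-text packet that simply carries 172.16.10.5 as its source, whereas a real client's traffic arrives on the outside interface as IKE and ESP from the client's public address and only carries a pool address after decryption. Whether a given IOS release re-evaluates decrypted packets against the interface's inbound ACL depends on the release and configuration, so verify that on the platform in use before deciding whether such an entry is needed at all.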

Similar Messages

  • Two external interfaces; one to be used for outbound; second to be used for incoming VPN\Web traffic.

    I'm configuring our ASA and we have two AT&T circuits which we're only using one with our current Juniper firewall. I know the ASA doesn't support policy based routing so I'm wondering if the following hypothetical "config" is possible.
    External Interfaces:
    OUT_01 - 12.133.X.X
    OUT_02 - 201.61.X.X
    I would route all internal traffic to go out through OUT_01.
    We have over 5 site-to-site VPNs and 30 external facing servers.  Could I use OUT_02 to configure all the inbound connections for the VPN and NAT rules?

    You can configure the ASA to allow asynchronous routing, as you are describing, by configuring TCP bypass.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
    What this will do is you will still need to send traffic out one interface but the ASA will accept return traffic on either of the outside interfaces.  Configuring this can be a security risk as the ASA will ignore the state table.
    Or you could wait until ASA version 9.4 which will have support for PBR.  Of course this is the first version that will support it, so don't be surprised if it has a few bugs.
    Please remember to select a correct answer and rate helpful posts

  • Which wireless router do I need for multiple VPN tunnels?

    I work at home and I connect to my office VPN (SSH Extranet Client) through cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop & desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it's worked well as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.

    Hi, the WRV200 will be a good choice... supports up to 50 tunnels and has wireless capabilities...

  • Mac Mini Server for VPN routing

    Hi,
    my local internet provider does not provide static IP addresses. To nevertheless make the Server available in the internet I found a service that provides a vpn tunnel with a fixed ip address. To connect to this tunnel I shall use "tunnelblick". A pptp configuration is not possible due to some incompatibility on the VPN provider's side.
    The Server is connected to an airport extreme, which provides the internet access. I understand that the server has only one network card, however the VPN program uses a virtual network card to connect to the VPN and hence there should be two IP addresses for the server: one for the internal LAN and one for the VPN. How do I figure out the Server's VPN address on my side - or is it the fixed IP address from the VPN provider? 
    This IP address can be set as the address for all network devices to go to the internet. How?
    I understand there are two ways: the router to the internet is telling all devices on how to go to the internet. Therefore this should be configurable in the airport extreme - how?
    Otherwise: How to configure the computers to use this VPN instead of the normal connection?
    It may seem a simple question, but I don't know where to find the right answers. I am a newbie with servers...
    Thanks ...
    Philippus

    The VPN service provides your computer with a private IP address which may or may not be fixed. This gets you to their network... and from there back out to the internet if they haven't blocked that particular IP range. To find out your VPN IP address you only need to open up and take a look at the network preferences status entry for it... Your problem is not there. Your problem is that the private network you want to use will be firewalled... and the ports you need to run a server will not be open to your IP address.
    You can share the internet connection of one mac to others in System Preferences I think... can't check atm.. not on my mac.
    In any case I suggest, since you do not have a fixed IP.. that you use a DDNS service.. like www.no-ip.com provide and leave the VPN network for what it was intended...

  • Router WCCP redirect ACLs for WAAS

    Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLs for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?

    Greg,
    The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
    Regards,
    Zach

  • IPv6 ACLs for ZBFW with changing IPv6 prefix?

    Hi all
    Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change?
    Background:
    6RD based residential internet access.
    Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
    A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
    No big deal, one would think...
    zone security Z-INTERNET
     description * the outside world *
    zone security Z-DMZ
    zone security Z-OUTSIDE
    zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
     service-policy type inspect PMAP-INBOUND-TRAFFIC
    policy-map type inspect PMAP-INBOUND-TRAFFIC
     class type inspect CMAP-IN-TRACE-TRAFFIC
      pass
     class type inspect CMAP-IN-INSPECT-TRAFFIC
      inspect 
     class class-default
      drop log
    class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
     match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
    class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
     match access-group name ACLv6-INBOUND-TRAFFIC 
    Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
    ipv6 access-list ACLv6-INBOUND-TRAFFIC
     sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
    ... works well, until MYcurrent6RDPREFIX becomes MYnew6RDPREFIX. It does so seldom, but it does, especially after outages.
    For addressing (and re-addressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
    However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
    router6rd(config-ipv6-acl)#permit ip any ?
      X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
      any                 Any destination prefix
      host                A single destination host
    router6rd(config-ipv6-acl)#
    D'oh. What now?
    I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
    Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant whether the Host-ID comes from ip-token, EUI-64, RFC 7217 or privacy extensions (all right, the latter wouldn't quite apply here, I know).
    Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
    Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
    thanks for your thoughts and ideas.
    Marc
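One way to keep the ACL in step with the delegation, as an added example that is not from this thread or from Cisco: recompute the delegated prefix from the provider's 6rd prefix and the current public IPv4 address exactly as the post describes (and as RFC 5969 defines it, including the optional IPv4MaskLen that drops shared high-order IPv4 bits, which the post does not use), take subnet 1 of it as the DMZ, combine it with a fixed ip-token style interface identifier per host, and render the `ipv6 access-list` lines from that. The 6rd prefix 2001:db0::/28, the IPv4 addresses 198.51.100.23 and 198.51.100.99, the token ::1234 and the port list are constructed; how the regenerated lines are pushed into the running configuration (an EEM applet or an external configuration-management job) is outside this example.

```python
"""Regenerate a ZBFW IPv6 ACL from the current 6rd delegation.

Added example for Marc's thread; not from Cisco or the poster. The 6rd prefix,
the IPv4 addresses, the host token and the service list are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4: str, ipv4_mask_len: int = 0) -> ipaddress.IPv6Network:
    """RFC 5969 delegation: 6rd prefix followed by the low (32 - IPv4MaskLen) bits of the
    customer's IPv4 address. With the poster's /28 and IPv4MaskLen 0 this yields a /60."""
    prefix = ipaddress.ip_network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    v4 = int(ipaddress.ip_address(ipv4)) & ((1 << v4_bits) - 1)
    delegated_len = prefix.prefixlen + v4_bits
    value = int(prefix.network_address) | (v4 << (128 - delegated_len))
    return ipaddress.ip_network((value, delegated_len))


def site_subnet(delegated: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 of the delegation: subnet 0 is inside, subnet 1 the DMZ in the post."""
    return list(delegated.subnets(new_prefix=64))[index]


def host_address(subnet: ipaddress.IPv6Network, token: str) -> ipaddress.IPv6Address:
    """A fixed interface identifier (ip-token style, e.g. '::1234') placed on the subnet."""
    iid = int(ipaddress.ip_address(token))
    if iid >= (1 << 64):
        raise ValueError("token must fit in the 64-bit interface identifier")
    return ipaddress.ip_address(int(subnet.network_address) | iid)


def render_inbound_acl(name: str, dmz: ipaddress.IPv6Network, services: Dict[str, List[int]]) -> List[str]:
    """IOS 'ipv6 access-list' lines permitting only the listed DMZ hosts and TCP ports."""
    lines = [f"ipv6 access-list {name}"]
    seq = 10
    for token, ports in services.items():
        host = host_address(dmz, token)
        for port in ports:
            lines.append(f" sequence {seq} permit tcp any host {host} eq {port}")
            seq += 10
    return lines


def regenerate(sixrd_prefix: str, ipv4: str, services: Dict[str, List[int]],
               acl_name: str = "ACLv6-INBOUND-TRAFFIC") -> Tuple[ipaddress.IPv6Network, ipaddress.IPv6Network, List[str]]:
    """Delegated prefix, DMZ subnet and the ACL lines for the current IPv4 address."""
    delegated = sixrd_delegated_prefix(sixrd_prefix, ipv4)
    dmz = site_subnet(delegated, 1)
    return delegated, dmz, render_inbound_acl(acl_name, dmz, services)


# Constructed: one DMZ web host identified by its fixed token, reachable on two ports.
SERVICES = {"::1234": [80, 443]}

if __name__ == "__main__":
    # Before and after a re-delegation (a new DHCP-assigned public IPv4 address).
    for v4 in ("198.51.100.23", "198.51.100.99"):
        delegated, dmz, lines = regenerate("2001:db0::/28", v4, SERVICES)
        print(f"IPv4 {v4}: delegated {delegated}, DMZ {dmz}")
        print("\n".join(lines))
```

Because the token is fixed, only the prefix part of each host entry changes between runs, so the regenerated list replaces the old one one-for-one and the DMZ stays limited to the named hosts and ports rather than the whole /64.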


  • AAA static IP address for RA VPN Client

    Hi,
    my VPN group and VPN pool are locally created on the Cisco VPN router, but users are authenticated through ACS, an AAA server, via TACACS. Now I want to assign a static IP address to a VPN client. Everything is fine, but due to an application problem I want to give them a static IP address from the VPN pool. I have created one pool in the AAA server and also configured the client in AAA to get a static IP address, but I am unable to do this. Please help me out with how to do this.
    My router is configured for TACACS+. I have checked the user configuration in the AAA server to get the static IP address but it is not working. Please help me out with how to do this. I can't change the router to RADIUS, as this is my main router, which is configured for 160 sites through ISDN, and these sites are also configured for TACACS+.
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group Aviation-VPN
    key egntosc
    pool aviation-pool
    acl avi-tunnel
    save-password
    netmask 255.255.255.0
    crypto isakmp profile vpnclient
       match identity group Aviation-VPN
       client authentication list default
       isakmp authorization list Aviation-authorization
       client configuration address respond
    crypto ipsec transform-set aviset esp-3des esp-sha-hmac
    crypto dynamic-map avi 10
    set transform-set aviset
    set isakmp-profile vpnclient
    reverse-route

    Since you're using ACS, I believe the way to do this is to
    go into ACS, and select the username of the user that you want
    to get the static IP. Under that user's setup, there is an option to
    always assign the same IP. Just select that and enter the IP you
    want them to get. - chris

  • Internet stops with PPTP VPN connections to ASUS RT-N66U VPN Router

    I have a client with a small office network that has a few people working remotely from Windows 7 and 8 PCs. As an inexpensive solution the client opted to use a VPN router (ASUS RT-N66U) that supports PPTP so remote users could access the shared files and SQL DB server.
    The VPN connectivity for one client was working fine and then stopped working altogether, so when the VPN connection is established all Internet and VPN access is stopped. This was especially troubling for me since I work remotely and cannot test or debug after the VPN session has been connected. I checked the error logs and found nothing. Also there had been no new programs installed. And finally, I ran a full system antivirus scan with no issues found.
    In case you are facing a similar issue, before trying something remotely that may not work, use the shutdown with reboot command in a COMMAND window and set a timer for something like 3 minutes to reboot in case you get stuck. (e.g. shutdown -r -t 180). 
    Problem: The two symptoms of the VPN connection failure are:
    1) All Internet browsing stops working locally 
    2) No data can pass through the VPN tunnel
    I created a virtual machine on my local network and replicated the client's environment. I experimented with nearly every setting in the VPN dialogue until I came to the final solution.
    Solution: For the VPN adapter on the remote machines I configured DNS settings and used the remote as the default gateway.
    * VPN adapter Networking IPV4 Properties for:
    - DNS server 1: Main Office VPN Router IP Address
    - DNS server 2: A public DNS server (Google is 8.8.8.8)
    - I also checked the box to "register this connection addresses in DNS"
    Note: Perhaps the local router would also have worked and DNS2 but I didn't test it.
    I have documented this because after reading and searching among many Technical articles and the Microsoft support website, I was unable to find the solution that I came up with so I hope to help someone else. 
    Question1: - Can anyone tell me why the connectivity only works when 'use default gateway on remote network' is checked?
    - I have disabled this option with some business class VPN routers and the connectivity still worked to the remote network but it does not work to the Asus router.
    Question2: From the information provided can I determine where the problem lies?
    Is it the:
    1) Remote client PC
    2) Remote client router
    3) Home office VPN router (Asus RT-N66U)
    If the true culprit cannot be determined yet, what steps do you recommend so I can isolate the true cause of the failure.
    I appreciate any help so that I can be sure my solution is valid and pass along the findings to ASUS if it is their issue.

    Thank you for the suggestion. I have successfully connected through the VPN router when the one client was unable to get VPN throughput working.
    I looked at the routing tables with and without the VPN connection established. The differences are that:
    1) when VPN is NOT active, there is a route from the local NIC IP to the Internet IP address of the local gateway
    destination 68.109.82.xx
    mask 255.255.255.0
    gateway 192.168.0.1
    interface 192.168.0.11
    metric 21
    2) when VPN IS active, the route to the Internet IP address of the local gateway is deleted and a persistent route to the VPN router local network has been added
    Persistent route:
    destination 192.168.21.0
    mask 255.255.255.0
    gateway 192.168.0.1
    interface 192.168.0.11
    metric 1

  • PIX 501 and Linksys VPN Router (WRV200)

    I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Routers on two other sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
    I believe the Linksys VPN routers can only connect via IPsec VPN, so I am looking for help on configuring the PIX 501 to allow the Linksys to connect with the following parameters, if possible.
    Key Exchange Method: Auto (IKE)
    Encryption: Auto, 3DES, AES128, AES192, AES256
    Authentication: MD5
    Pre-Shared Key: xxx
    PFS: Enabled/Disabled
    ISAKMP Key Lifetime: 28800
    IPSec Key Lifetime: 3600
    On the PIX I have the PDM installed and I have tried using the VPN Wizard to no avail.
    I chose the following settings when doing the VPN Wizard:
    Type of VPN: Remote Access VPN
    Interface: Outside
    Type of VPN Client Device used: Cisco VPN Client
    (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
    VPN Client Group
    Group Name: RabyEstates
    Pre Shared Key: rabytest
    Extended Client Authentication: Disabled
    Address Pool
    Pool Name: VPN-LAN
    Range Start: 192.168.2.200
    Range End: 192.168.2.250
    DNS/WINS/Default Domain: None
    IKE Policy
    Encryption: 3DES
    Authentication: MD5
    DH Group: Group 2 (1024-bit)
    Transform Set
    Encryption: 3DES
    Authentication: MD5
    I have attached the VPN log from the Linksys VPN Router.
    This is the first time I've ever worked with a PIX so I'm still trying to figure the thing out, but I'm confident with CCNA level networking.
    Thanks for your help!

    Hi again,
    I believe the pix has a 3des license because of the following parts of the "show version"
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    This PIX has a Restricted (R) license.
    I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
    As for the other show commands they give:
    pixfirewall# show crypto isakmp sa
    Total : 0
    Embryonic : 0
    dst src state pending created
    pixfirewall# show crypto ipsec sa
    interface: outside
    Crypto map tag: transam, local addr. 10.0.0.1
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    current_peer: 10.0.0.2:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    pixfirewall#
    Thanks again Daniel, I really appreciate your help on this matter.

  • First time vpn router

    First time with a VPN router and I need advice getting everything running with my current VPN provider.
    router: 887vag vdsl2/adsl2+ POTS with 3g.
    question: Do I need to flash the router with dd-wrt?
    Are there any step by step guides you can give for this?
    thanks


  • RV042 not announcing VPN routes over RIP v2

    Problem: RV042 is not announcing a class C VPN route via RIP to other routers. It announces the gateway public address via rip, but not the VPN route.
    I am attempting to use a pair of RV042s as redundant links between our home office and a branch. The home office and branch are already connected via a T1. Each location also has an additional cable internet connection with a public IP address and a Cisco 1921 router controlling the traffic.
    The 1921 routers are using OSPF to route traffic over the T1 and have RIPv2 enabled to talk to their local respective RV042s. Here is a description of how the network is set up.
    MainRouter - cisco 1921
       Eth0 - Network is 192.168.41.0/24
                 IP address is 192.168.41.20
       Eth0/1 - Network 10.1.1.1 255.255.255.254
                T1 connection to branch router
    MainRV - RV042 v3 with fw 4.2.1.02
       Wan1 - Public IP A X.X.X.X
        LAN- Network 192.168.41.0/24
                  IP 192.168.41.11 255.255.255.0
    BranchRouter - cisco 1921
      Eth0/0 - Network is 192.168.46.0/24
                   IP address is 192.168.46.10
      Eth0/1 - Network 10.1.1.2 255.255.255.254
                T1 connection to main router
    BranchRV - RV042 v3 with fw 4.2.1.02
      Wan1 - Public IP B Y.Y.Y.Y
        LAN - Network 192.168.46.0/24
                  IP 192.168.46.11 255.255.255.0
    I have established a VPN from BranchRV to MainRV and it passes traffic correctly. My "MainRouter "
    rip database looks like this....
    192.168.41.0/24    auto-summary
    192.168.41.0/24    directly connected, GigabitEthernet0/0
    X.X.X.X/24    auto-summary
    X.X.X.Z/30
        [1] via 192.168.46.11, 00:00:01, GigabitEthernet0/0
    Notice that there is no route to 192.168.46.0/24 in there....
    Now here is the kicker: just messing around, I changed the VPN settings to use subnets 10.0.10.0/24 on MainRV and 10.0.11.0/24 on BranchRV instead of 192.168.41.0/24 and 192.168.46.0/24 respectively. After I tried that the routes for the 10.0.3.0 were announced via RIP.
    Here is what the MainRouter's rip database looked like after I tried that
    10.0.0.0/8    auto-summary
    10.0.11.0/24
        [2] via 192.168.41.11, 00:00:18, GigabitEthernet0/0
    192.168.41.0/24    auto-summary
    192.168.41.0/24    directly connected, GigabitEthernet0/0
    X.X.X.X/24    auto-summary
    X.X.X.Y/30
        [1] via 192.168.41.11, 00:00:18, GigabitEthernet0/0
    What gives? This really looks like a bug to me...
    Anyhow I'm thinking a workaround might be to set up a GRE tunnel across those 10.0.X.X subnets to the other side so I can at least dynamically route traffic across... Without the RIP routes being announced I don't have automatic failover!
    Thanks for your help,
       Curtis

    Yes as was explained to me previously.... by Jason Nickle multicast does not cross a site-to-site tunnel.
    That is not what I want to have happen. What I want is for my RV042 to announce its VPN routes to other routers on the same physical network. Which it currently is not doing.
    Site 1
        Cisco IOS Router X - main router, local network traffic runs across this
        RV042 X - has VPN link to RV042 Y at Site 2
    Site 2
        Cisco IOS Router Y - main router, local network traffic runs across this
        RV042 Y - has VPN link to RV042 X at Site 1
    The problem is that RV042 Y doesn't tell Router Y that it has a route to Site 1. And RV042 X doesn't tell Router X that it has a route to Site 2. So they are not locally announcing via RIP, the routes they have TO the respective remote sites.
    What I was trying to say in my original post, is that the router will announce VPN routes if the vpn subnets are a class A 10.X.X.X subnet, but it doesn't announce them if they are a class C 192.168.X.X subnet. So what I am doing should be working, however it is not.

  • How do you redistribute EIGRP into OSPF and maintain a distance of 250 for a static route?

    Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
    My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
    Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running iBGP. iBGP is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD of the route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh, when I redistribute I can only change the AD for the backup routes; all other routes should stay the same.
    56128's where my static routes are:
    ip route 192.168.101.0/24 192.168.30.77 name firewall 250
    router eigrp 65100
       redistribute static route-map Static-To-Eigrp
    route-map Static-To-Eigrp permit 10
       match ip address prefix-list Static2Eigrp
    ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
    Edge device:
    router eigrp 65100
     network 172.18.0.5 0.0.0.0
     network 172.18.0.32 0.0.0.3
     network 172.18.0.36 0.0.0.3
     redistribute ospf 65100 metric 2000000 0 255 1 1500
     redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
     passive-interface default
     no passive-interface Port-channel11
     no passive-interface Port-channel12
     eigrp router-id 172.18.0.5
    router ospf 65100
     router-id 172.18.0.5
     log-adjacency-changes
     redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
     no passive-interface GigabitEthernet1/0/2
     no passive-interface GigabitEthernet2/0/1
     no passive-interface GigabitEthernet2/0/2
     network 172.18.0.0 0.0.255.255 area 0
    ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
    route-map EIGRP_INTO_OSPF permit 10
     match ip address prefix-list EIGRP_INTO_OSPF

    So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
    I didn't have this problem until I moved my firewalls. They plugged into the cores where iBGP was running and the static never kicked in unless the BGP route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

  • Is it possible to have an ASN (Inbound Del) for a schedule line?

    Dear Gurus,
    I do not have much knowledge about the inbound delivery... is it possible to have an inbound delivery for a schedule line?
    Regards,
    Kumar

    Hi,
    Yes, it is possible. Check the link below and the pictorial representation:
    http://help.sap.com/saphelp_47x200/helpdata/en/75/ee13e855c811d189900000e8322d00/frameset.htm
    in this check vendor confirmations -- Procurement Using Vendor Confirmations -
    Confirmations from Materials Planning Viewpoint -
    Influence of Confirmations on Materials Planning
    Inbound Data contains
    Document Header
    The general data relevant for the inbound delivery is stored in the document header. This data is valid for the entire document. This data may include:
    Goods receiving point
    Scheduling data (goods receipt date or delivery date, for example)
    Weights and volumes for the entire inbound delivery
    Vendor number
    Route
    Document Items
    In the items, you find data that applies to one particular item. This data may include:
    Material number
    Delivery quantity
    Plant and storage location specifications
    Putaway date
    Weights and volumes of the individual items
    Thanks & Regards,
    Kiran

  • Change public share access to read only for public and full access to selected users

    Hi, new to the community. I just purchased a recertified WDMyCloud 2TB after my 2-year-old MyBookLive 2TB HD died due to accidental power cable unplugging. I've got everything set up including MiniDLNA by following instructions on this forum and everything is working exactly as I want it to except the public share. I want the public share to be set to read-only access for the public and full access to certain users (just myself at the moment), and having an "upload" folder within this share with full public access to everything in this folder would be a bonus. I tried logging in to FTP with the root user and removing write permission for public, but that blocks me out as well. I'm sure it's possible by doing some magic over SSH but I wouldn't have a clue, so I'm hoping someone here would be able to help me out.

    Mr_Khan wrote:
    What I want is for the public to have read-only access to the file server. Public as in users who do not have a user account on MyCloud, e.g. someone who connects to my home network for the first time and is able to browse and download content from the public share. I'm aware of being able to set individual access to shares for users like full access, read only and no access, but public users won't have a user account.

    Through the My Cloud UI interface what you seek to do is not possible. The public share, like all other share folders, is an all-or-nothing affair when using the administration UI. When using the administration UI you do not have granular control on shared folders to limit non-users to read-only access or set permission levels for subfolders. The workaround to do what you seek and have the public folder set for read only is to change the folder settings via SSH. It may take some work to set the folder security so that users can read/write to the public folder while guests only have read access. However, if you reboot the WD My Cloud or update the WD My Cloud firmware those settings may be reset back to the default settings where the entire public folder is read/write for all. There are ways to prevent this but again it will take a bit of coding to do so via SSH. See this link (even though it's for the WD My Book Live) for a starting point on how to use SSH to change the permission levels on the public folder. Another option if one doesn't go the SSH route is to turn off public sharing for the public folder, then create a "guest" user account and give that "guest" account read-only access to the public folder while all other user accounts have full read/write access.

  • Switchport module within 1800 VPN router

    Hi Folks,
    I have a Cisco 1801 VPN router (using PPPoA) which I currently have one PC attached to the Fe0 port which in turn picks up a DHCP address from the local pool within the router.
    I am now planning to add a few more PCs to the site and I was looking to use the extra 8 switchports available on the router.
    Up until now I have been using a 2950 switch and hanging it off the Fe0 port so that I can also extend the subnet.
    When I try to plug a PC into the extra switchports no DHCP address is obtained. From what I can tell I will have to create a VLAN on the router to assign the switchports to. However when I do this I am unable to extend the subnet from the Fe0 port onto the switch module as I receive a "Subnet already in use" message from the CLI.
    Thanks for your help
    Kris

    I think you are connecting to the wrong switch.
    This URL should help you:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html
